Designate - Use net_cidr_map for rndc_allowed_addresses
Change I68e064d23ec5d43f59146d974cae604d2c5fdb52 makes NetCidrMapValue a list of ip networks. The designate service configures the dns backend security to control from which addresses updates are allowed. We should use the list of CIDRs associated with the DesignateApiNetwork to allow all nodes in the network to remotely control the nameserver.

Partial: blueprint tripleo-routed-networks-templates
Change-Id: I5c5cd51c8f127e8879c5528883c3abd261f4a5b3
parent da1de3aafc
commit 5666a4fe0d
@ -94,12 +94,10 @@ outputs:
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
|
||||
tripleo::profile::base::designate::rndc_allowed_addresses:
|
||||
# TODO(hjensas): Replace with get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, DesignateApiNetwork]}
|
||||
- str_replace:
|
||||
template:
|
||||
"%{hiera('$NETWORK_subnet')}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, DesignateApiNetwork]}
|
||||
get_param:
|
||||
- ServiceData
|
||||
- net_cidr_map
|
||||
- {get_param: [ServiceNetMap, DesignateApiNetwork]}
|
||||
designate::backend::bind9::rndc_host:
|
||||
str_replace:
|
||||
template:
|
||||
|
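Review bot: At tripleo::profile::base::designate::rndc_allowed_addresses the allow list changes from a one-item list holding the $NETWORK_subnet hiera value to whatever get_param returns for [ServiceData, net_cidr_map, DesignateApiNetwork], so every CIDR of that network can now reach the nameserver's control channel. That matches the commit message, but it is a deliberate widening of an access-control list and the template says nothing about it once the TODO is gone. Please add a one-line comment above the key stating that the list intentionally covers all subnets of DesignateApiNetwork, and confirm two things before merge: that the consuming parameter accepts a list with more than one entry (until now it only ever received one), and what the lookup yields when DesignateApiNetwork is mapped to a network that has no entry in net_cidr_map.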
@ -912,6 +912,10 @@ def validate_service_hiera_interpol(f, tpl):
|
||||
# Omit apache remoteip proxy_ips
|
||||
if 'apache::mod::remoteip::proxy_ips' in path:
|
||||
continue
|
||||
# Omit Designate rndc_allowed_addressses
|
||||
if ('tripleo::profile::base::designate::rndc_allowed_addresses' in
|
||||
path):
|
||||
continue
|
||||
|
||||
# Omit if not a part of {get_param: [ServiceNetMap ...
|
||||
if not enter_lists and path[-1] != 'get_param':
|
||||
|
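Review bot: The new branch in validate_service_hiera_interpol skips every path containing 'tripleo::profile::base::designate::rndc_allowed_addresses' unconditionally, so the validator stops checking this key altogether, including a later regression back to a raw hiera interpolation or to a hard-coded address. Since the key is an allow list, consider narrowing the exemption to the case where the value is the get_param lookup on ServiceData and net_cidr_map, or at least extend the comment to say why the key is exempt (its value is a net_cidr_map lookup rather than a hiera string). The comment also misspells the key as rndc_allowed_addressses (three s), which makes it hard to grep for.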