Add openshift_node_open_ports to allow arbitrary firewall exposure
#5345
Conversation
@kwoodson needs to be easier to expose more ports internally for the use of the cluster (for things like node exporter or haproxy metrics stats, for example).

@smarterclayton, let's chat about this.

Discussed in person - we seem to be in sync now.
| port: "{{ openshift_node_port_range | default('') }}/udp" | ||
| cond: "{{ openshift_node_port_range is defined }}" | ||
| # Allow multiple port ranges to be added to the role | ||
| r_openshift_node_os_firewall_allow: "{{ default_r_openshift_node_os_firewall_allow + (openshift_node_open_ports | default([])) }}" |
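Review bot: the `+` concatenation on the `r_openshift_node_os_firewall_allow` line carries an admin-supplied entry through even when it repeats one of `default_r_openshift_node_os_firewall_allow` verbatim, so the same `service`/`port` object can reach the firewall role twice; the `union` filter gives the same merge without exact duplicates: `r_openshift_node_os_firewall_allow: "{{ default_r_openshift_node_os_firewall_allow | union(openshift_node_open_ports | default([])) }}"`. The `default([])` guard should stay either way, since the variable is optional and the merge would otherwise fail when it is undefined. The comment above the line says "port ranges" can be added, but the entries are the firewall role's `{'service','port','cond'}` objects, so the comment should name that shape.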
I think the ansible filter for this is union: http://docs.ansible.com/ansible/latest/playbooks_filters.html#set-theory-filters
r_openshift_node_os_firewall_allow: "{{ default_r_openshift_node_os_firewall_allow | union((openshift_node_open_ports | default([]))) }}"
Union would remove duplicates if they exist, although that wouldn't actually help for this if the condition values were different. I can't think of any place where we would want duplicates though.
kwoodson
left a comment
Consider union instead of list + list.
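To make the `union` discussion above concrete, here is an added Python emulation (not code from openshift-ansible or from Ansible itself) of merging the role's default allow list with `openshift_node_open_ports`: exact duplicate objects collapse, entries that differ only in `cond` survive as separate rules, and each port spec is checked before it would reach the firewall role. The service names and port numbers are constructed samples, not the role's real defaults.

```python
import re
from typing import Dict, List

# Shape of one allow-list entry, as described in the PR:
# {'service': <name>, 'port': <port_spec>, 'cond': <boolean>}
Rule = Dict[str, object]

# Constructed sample data: illustrative names and ports only, not the
# actual default_r_openshift_node_os_firewall_allow contents.
DEFAULT_ALLOW: List[Rule] = [
    {"service": "kubelet", "port": "10250/tcp", "cond": True},
    {"service": "node port range", "port": "30000-32767/tcp", "cond": True},
]
OPEN_PORTS: List[Rule] = [
    {"service": "node exporter", "port": "9100/tcp", "cond": True},
    # Same service and port as a default but a different cond: union keeps both.
    {"service": "kubelet", "port": "10250/tcp", "cond": False},
    {"service": "node exporter", "port": "9100/tcp", "cond": True},  # exact duplicate
]

PORT_SPEC = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?/(tcp|udp)$")


def union_rules(a: List[Rule], b: List[Rule]) -> List[Rule]:
    """Emulate Ansible's `union` filter on lists of dicts: a + b with
    exact-duplicate dicts dropped, first occurrence wins, order kept."""
    out: List[Rule] = []
    for rule in a + b:
        if rule not in out:  # dict equality, so a differing cond is a new entry
            out.append(rule)
    return out


def validate_port_spec(spec: str) -> bool:
    """Accept only '<port>/<proto>' or '<lo>-<hi>/<proto>' with ports in 1..65535."""
    m = PORT_SPEC.match(spec)
    if not m:
        return False
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    return 1 <= lo <= hi <= 65535


def effective_rules(defaults: List[Rule], open_ports: List[Rule]) -> List[str]:
    """Merge as the PR does (union), keep entries whose cond is true, and
    reject malformed port specs before they would reach the firewall role."""
    opened: List[str] = []
    for rule in union_rules(defaults, open_ports):
        if not rule.get("cond", True):
            continue
        spec = str(rule["port"])
        if not validate_port_spec(spec):
            raise ValueError(f"bad port spec for {rule['service']!r}: {spec}")
        opened.append(spec)
    return opened
```

With the sample data the merged list has four entries (the exact duplicate is gone, the kubelet entry with `cond: False` remains) and three ports end up open.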
It should be possible for an admin to define an arbitrary set of ports
to be exposed on each node that will relate to the cluster function.
This adds a new global variable for the node that supports
Array(Object{'service':<name>,'port':<port_spec>,'cond':<boolean>})
which is the same format accepted by the firewall role.
4daa3d2 to 3f10259
Fixed to use union (tested locally)

aos-ci-test

[merge]

looks like a temporary issue because of an image / code mismatch with master. retrying once [merge]

Upstream test is allegedly fixed [merge]

Evaluated for openshift ansible merge up to 3f10259

continuous-integration/openshift-jenkins/merge FAILURE (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_openshift_ansible/1035/) (Base Commit: 5183792) (PR Branch Commit: 3f10259)

/retest
/retest

/test all [submit-queue is verifying that this PR is safe to merge]

Automatic merge from submit-queue
Documented openshift/origin#21520 |
It should be possible for an admin to define an arbitrary set of ports
to be exposed on each node that will relate to the cluster function.
This adds a new global variable for the node that supports
Array(Object{'service':<name>,'port':<port_spec>,'cond':<boolean>})
which is the same format accepted by the firewall role.
@sdodson as discussed, open to alternatives. I used this from origin-gce with
Which then allows me to set firewall rules appropriately.
Alternatives considered: