Add openshift_node_open_ports to allow arbitrary firewall exposure
#5345
Conversation
openshift-ci-robot
added
the
size/XS
|
@kwoodson needs to be easier to expose more ports internally for the use of the cluster (for things like node exporter or haproxy metrics stats, for example). |
|
@smarterclayton, let's chat about this. |
|
Discussed in person - we seem to be in sync now. |
| @@ -79,6 +79,8 @@ r_openshift_node_os_firewall_allow: | |||
| - service: Kubernetes service NodePort UDP | |||
| port: "{{ openshift_node_port_range | default('') }}/udp" | |||
| cond: "{{ openshift_node_port_range is defined }}" | |||
| # Allow multiple port ranges to be added to the role | |||
| r_openshift_node_os_firewall_allow: "{{ default_r_openshift_node_os_firewall_allow + (openshift_node_open_ports | default([])) }}" | |||
There was a problem hiding this comment.
I think the ansible filter for this is union: http://docs.ansible.com/ansible/latest/playbooks_filters.html#set-theory-filters
r_openshift_node_os_firewall_allow: "{{ default_r_openshift_node_os_firewall_allow | union((openshift_node_open_ports | default([]))) }}"
There was a problem hiding this comment.
Union would remove duplicates if they exist, although that wouldn't actually help for this if the condition values were different. I can't think of any place where we would want duplicates though.
It should be possible for an admin to define an arbitrary set of ports
to be exposed on each node that will relate to the cluster function.
This adds a new global variable for the node that supports
Array(Object{'service':<name>,'port':<port_spec>,'cond':<boolean>})
which is the same format accepted by the firewall role.
smarterclayton
force-pushed
the
firewall
branch
from
4daa3d2
to
3f10259
Compare
|
Fixed to use union (tested locally) |
|
aos-ci-test |
|
[merge] |
|
looks like a temporary issue because of an image / code mismatch with master. retrying once [merge] |
|
Upstream test is allegedly fixed [merge] |
|
Evaluated for openshift ansible merge up to 3f10259 |
|
continuous-integration/openshift-jenkins/merge FAILURE (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_openshift_ansible/1035/) (Base Commit: 5183792) (PR Branch Commit: 3f10259) |
|
/retest |
1 similar comment
|
/retest |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue |
|
Documented openshift/origin#21520 |
It should be possible for an admin to define an arbitrary set of ports
to be exposed on each node that will relate to the cluster function.
This adds a new global variable for the node that supports
which is the same format accepted by the firewall role.
@sdodson as discussed, open to alternatives. I used this from origin-gce with
Which then allows me to set firewall rules appropriately.
Alternatives considered: