proxies: open ocp4 api port in both stg and prod
This fixes ticket 10521. Basically we want to just open the api. It requires auth to do anything and other openshift instances have it available, so it shouldn't hopefully expose us to too much risk. With ocp3 the api was part of the normal port/web flow, but with ocp4 it's a seperate port. This also adds new workers to haproxy. I can drop that part if it's controversal, but it should be fine I would think. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit is contained in:
Kevin Fenzi
parent
d1230db516
commit
9eed96e3d6
3 changed files with 14 additions and 6 deletions
|
|
@ -26,9 +26,7 @@ custom_rules: [
|
|||
# For Zanata
|
||||
# See files/httpd/website_id_fp_o_zanata.conf for info
|
||||
'-A INPUT -p tcp -m tcp --dport 44342 -s 209.132.183.252 -j ACCEPT',
|
||||
# Allow ocp control plane hosts
|
||||
'-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.35 -j ACCEPT', # batcave01
|
||||
'-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.129 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.129 -j ACCEPT']
|
||||
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.129 -j ACCEPT']
|
||||
ipa_client_shell_groups:
|
||||
- fi-apprentice
|
||||
- sysadmin-noc
|
||||
|
|
@ -82,6 +80,8 @@ tcp_ports: [
|
|||
1088,
|
||||
# This is for RabbitMQ public access
|
||||
5671,
|
||||
# openshift 4 api
|
||||
6443,
|
||||
# This is for RabbitMQ internal-public access
|
||||
15671,
|
||||
# This is for the haproxy HTML stats page
|
||||
|
|
|
|||
|
|
@ -27,9 +27,7 @@ custom_rules: [
|
|||
'-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.131.72 -j ACCEPT',
|
||||
# Allow happinesspackets-stg.fedorainfracloud.org to talk to the inbound fedmsg relay
|
||||
'-A INPUT -p tcp -m tcp --dport 9941 -s 209.132.184.123 -j ACCEPT',
|
||||
# Allow ocp control plane hosts
|
||||
'-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.163.35 -j ACCEPT', # batcave01
|
||||
'-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.115 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.116 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.117 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.118 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.119 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 6443 -s 10.3.166.50 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.115 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.116 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.117 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.118 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.119 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.123 -j ACCEPT']
|
||||
'-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.115 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.116 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.117 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.118 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.119 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.123 -j ACCEPT']
|
||||
ipa_client_shell_groups:
|
||||
- fi-apprentice
|
||||
- sysadmin-noc
|
||||
|
|
@ -73,6 +71,8 @@ tcp_ports: [
|
|||
1088,
|
||||
# This is for RabbitMQ public access
|
||||
5671,
|
||||
# openshift 4 api
|
||||
6443,
|
||||
# This is for RabbitMQ internal-public access
|
||||
15671,
|
||||
# This is for the haproxy HTML stats page
|
||||
|
|
|
|||
|
|
@ -48,6 +48,9 @@ backend ocp-masters-backend-kapi
|
|||
server ocp01.ocp.iad2.fedoraproject.org ocp01.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
||||
server ocp02.ocp.iad2.fedoraproject.org ocp02.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
||||
server ocp03.ocp.iad2.fedoraproject.org ocp03.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
||||
server ocp04.ocp.iad2.fedoraproject.org ocp04.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
||||
server ocp05.ocp.iad2.fedoraproject.org ocp05.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
||||
server ocp06.ocp.iad2.fedoraproject.org ocp06.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
||||
# temp bootstrap node
|
||||
# server bootstrap.ocp.iad2.fedoraproject.org bootstrap.ocp.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
||||
|
||||
|
|
@ -61,6 +64,9 @@ backend ocp-masters-backend-machineconfig
|
|||
server ocp01.ocp.iad2.fedoraproject.org ocp01.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
||||
server ocp02.ocp.iad2.fedoraproject.org ocp02.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
||||
server ocp03.ocp.iad2.fedoraproject.org ocp03.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
||||
server ocp04.ocp.iad2.fedoraproject.org ocp04.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
||||
server ocp05.ocp.iad2.fedoraproject.org ocp05.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
||||
server ocp06.ocp.iad2.fedoraproject.org ocp06.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
||||
# temp bootstrap node
|
||||
# server bootstrap.ocp.iad2.fedoraproject.org bootstrap.ocp.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
||||
{% endif %}
|
||||
|
|
@ -76,6 +82,7 @@ backend ocp-masters-backend-kapi
|
|||
server ocp01.ocp.stg.iad2.fedoraproject.org ocp01.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
||||
server ocp02.ocp.stg.iad2.fedoraproject.org ocp02.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
||||
server ocp03.ocp.stg.iad2.fedoraproject.org ocp03.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
||||
server ocp04.ocp.stg.iad2.fedoraproject.org ocp04.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
||||
# temp bootstrap node
|
||||
# server bootstrap.ocp.stg.iad2.fedoraproject.org bootstrap.ocp.stg.iad2.fedoraproject.org:6443 weight 1 maxconn 16384 check
|
||||
|
||||
|
|
@ -89,6 +96,7 @@ backend ocp-masters-backend-machineconfig
|
|||
server ocp01.ocp.stg.iad2.fedoraproject.org ocp01.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
||||
server ocp02.ocp.stg.iad2.fedoraproject.org ocp02.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
||||
server ocp03.ocp.stg.iad2.fedoraproject.org ocp03.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
||||
server ocp04.ocp.stg.iad2.fedoraproject.org ocp04.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
||||
# temp bootstrap node
|
||||
# server bootstrap.ocp.stg.iad2.fedoraproject.org bootstrap.ocp.stg.iad2.fedoraproject.org:22623 weight 1 maxconn 16384 check
|
||||
{% endif %}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue