/ - Diff - puppet nftables - Koumbit's Redmine

Révision 5dedf86c

ID	5dedf86cb36beb4043c7e2d34724d8439479dc48
Parent	4ee75698
Enfant	0f34454b

Ajouté par Steve Traylen il y a 3 mois

Add ruleset for a Nomad cluster

Nomad clusters typically have single public API
port as well as rpc and serf ports for inter cluster
communication.

Example:

```puppet
class{ 'nftables::rules::nomad':
cluster_elements = [
'10.0.0.1','10.0.0.2',
'::1', '::2'',
],
}
```

The default ports can be overridden with parameters `http`, `rpc` and
`surf`.

https://developer.hashicorp.com/nomad/docs/install/production/requirements#ports-used

     * [`nftables::rules::nfs`](#nftables--rules--nfs): manage in nfs4
     * [`nftables::rules::nfs3`](#nftables--rules--nfs3): manage in nfs3
     * [`nftables::rules::node_exporter`](#nftables--rules--node_exporter): manage in node exporter
     * [`nftables::rules::nomad`](#nftables--rules--nomad): manage port openings for a nomad cluster
     * [`nftables::rules::ospf`](#nftables--rules--ospf): manage in ospf
     * [`nftables::rules::ospf3`](#nftables--rules--ospf3): manage in ospf3
     * [`nftables::rules::out::active_directory`](#nftables--rules--out--active_directory): manage outgoing active diectory
-...
     Default value: `9100`
     ### <a name="nftables--rules--nomad"></a>`nftables::rules::nomad`
     manage port openings for a nomad cluster
     #### Examples
     ##### Simple two node nomad cluster
     ```puppet
     class{ 'nftables::rules::nomad':
       cluster_elements = [
         '10.0.0.1','10.0.0.2',
         '::1', '::2'',
       ],
+    }
     ```
     #### Parameters
     The following parameters are available in the `nftables::rules::nomad` class:
     * [`cluster_elements`](#-nftables--rules--nomad--cluster_elements)
     * [`http`](#-nftables--rules--nomad--http)
     * [`rpc`](#-nftables--rules--nomad--rpc)
     * [`serf`](#-nftables--rules--nomad--serf)
     ##### <a name="-nftables--rules--nomad--cluster_elements"></a>`cluster_elements`
     Data type: `Array[Stdlib::IP::Address,1]`
     IP addreses of nomad cluster nodes
     Default value: `['127.0.0.1','::1']`
     ##### <a name="-nftables--rules--nomad--http"></a>`http`
     Data type: `Stdlib::Port`
     Specify http api port to open to the world.
     Default value: `4646`
     ##### <a name="-nftables--rules--nomad--rpc"></a>`rpc`
     Data type: `Stdlib::Port`
     Specify rpc port to open within the nomad cluster
     Default value: `4647`
     ##### <a name="-nftables--rules--nomad--serf"></a>`serf`
     Data type: `Stdlib::Port`
     Specify serf port to open within the nomad cluster
     Default value: `4648`
     ### <a name="nftables--rules--ospf"></a>`nftables::rules::ospf`
     manage in ospf

     # @summary manage port openings for a nomad cluster
+    #
     # @param cluster_elements IP addreses of nomad cluster nodes
     # @param http Specify http api port to open to the world.
     # @param rpc Specify rpc port to open within the nomad cluster
     # @param serf Specify serf port to open within the nomad cluster
+    #
     # @example Simple two node nomad cluster
     #  class{ 'nftables::rules::nomad':
     #    cluster_elements = [
     #      '10.0.0.1','10.0.0.2',
     #      '::1', '::2'',
     #    ],
     #  }
+    #
     class nftables::rules::nomad (
       Stdlib::Port $http = 4646,
       Stdlib::Port $rpc  = 4647,
       Stdlib::Port $serf = 4648,
       Array[Stdlib::IP::Address,1] $cluster_elements = ['127.0.0.1','::1'],
     ) {
       # Open http api port to everything.
+      #
       nftables::rule { 'default_in-nomad_http':
         content => "tcp dport ${http}",
+      }
       ['ip','ip6'].each | $_family | {
         $_ip_type = $_family ? {
           'ip'    => Stdlib::IP::Address::V4,
           default => Stdlib::IP::Address::V6,
+        }
         $_set_type = $_family ? {
           'ip'    => 'ipv4_addr',
           default => 'ipv6_addr',
+        }
         $_elements = $cluster_elements.filter | $_ip | { $_ip =~ $_ip_type }
         if $_elements.length > 0 {
           nftables::set { "nomad_${_family}":
             elements => $_elements,
             type     => $_set_type,
+          }
           nftables::rule { "default_in-nomad_rpc_${_family}":
             content => "tcp dport ${rpc} ${_family} saddr @nomad_${_family} accept",
+          }
           nftables::rule { "default_in-nomad_serf_udp_${_family}":
             content => "udp dport ${serf} ${_family} saddr @nomad_${_family} accept",
+          }
           nftables::rule { "default_in-nomad_serf_tcp_${_family}":
             content => "tcp dport ${serf} ${_family} saddr @nomad_${_family} accept",
+          }
+        }
+      }
+    }

spec/acceptance/all_rules_spec.rb
48	48	include nftables::rules::smtp_submission
49	49	include nftables::rules::https
50	50	include nftables::rules::nfs
	51	include nftables::rules::nomad
51	52	include nftables::rules::smtps
52	53	include nftables::rules::smtp
53	54	include nftables::rules::ceph

     # frozen_string_literal: true
     require 'spec_helper'
     describe 'nftables::rules::nomad' do
       on_supported_os.each do |os, os_facts|
         context "on #{os}" do
           let(:facts) { os_facts }
           context 'default options' do
             it { is_expected.to compile }
             it {
               is_expected.to contain_nftables__set('nomad_ip').with(
+                {
                   type: 'ipv4_addr',
                   elements: ['127.0.0.1'],
+                }
+              )
+            }
             it {
               is_expected.to contain_nftables__set('nomad_ip6').with(
+                {
                   type: 'ipv6_addr',
                   elements: ['::1'],
+                }
+              )
+            }
             it {
               is_expected.to contain_nftables__rule('default_in-nomad_http').with_content('tcp dport 4646')
               is_expected.to contain_nftables__rule('default_in-nomad_rpc_ip6').with_content('tcp dport 4647 ip6 saddr @nomad_ip6 accept')
               is_expected.to contain_nftables__rule('default_in-nomad_rpc_ip').with_content('tcp dport 4647 ip saddr @nomad_ip accept')
               is_expected.to contain_nftables__rule('default_in-nomad_serf_tcp_ip6').with_content('tcp dport 4648 ip6 saddr @nomad_ip6 accept')
               is_expected.to contain_nftables__rule('default_in-nomad_serf_tcp_ip').with_content('tcp dport 4648 ip saddr @nomad_ip accept')
               is_expected.to contain_nftables__rule('default_in-nomad_serf_udp_ip6').with_content('udp dport 4648 ip6 saddr @nomad_ip6 accept')
               is_expected.to contain_nftables__rule('default_in-nomad_serf_udp_ip').with_content('udp dport 4648 ip saddr @nomad_ip accept')
+            }
           end
           context 'with ports set' do
             let(:params) do
+              {
                 http: 1000,
                 rpc: 2000,
                 serf: 3000,
+              }
             end
             it { is_expected.to compile }
             it {
               is_expected.to contain_nftables__set('nomad_ip')
               is_expected.to contain_nftables__set('nomad_ip6')
+            }
             it {
               is_expected.to contain_nftables__rule('default_in-nomad_http').with_content('tcp dport 1000')
               is_expected.to contain_nftables__rule('default_in-nomad_rpc_ip6').with_content('tcp dport 2000 ip6 saddr @nomad_ip6 accept')
               is_expected.to contain_nftables__rule('default_in-nomad_rpc_ip').with_content('tcp dport 2000 ip saddr @nomad_ip accept')
               is_expected.to contain_nftables__rule('default_in-nomad_serf_tcp_ip6').with_content('tcp dport 3000 ip6 saddr @nomad_ip6 accept')
               is_expected.to contain_nftables__rule('default_in-nomad_serf_tcp_ip').with_content('tcp dport 3000 ip saddr @nomad_ip accept')
               is_expected.to contain_nftables__rule('default_in-nomad_serf_udp_ip6').with_content('udp dport 3000 ip6 saddr @nomad_ip6 accept')
               is_expected.to contain_nftables__rule('default_in-nomad_serf_udp_ip').with_content('udp dport 3000 ip saddr @nomad_ip accept')
+            }
           end
           context 'with ipv4 hosts only' do
             let(:params) do
+              {
                 cluster_elements: ['127.0.0.1', '127.0.0.2']
+              }
             end
             it {
               is_expected.to contain_nftables__set('nomad_ip').with(
+                {
                   type: 'ipv4_addr',
                   elements: ['127.0.0.1', '127.0.0.2'],
+                }
+              )
+            }
             it { is_expected.not_to contain_nftables__set('nomad_ip6') }
             it {
               is_expected.to contain_nftables__rule('default_in-nomad_http').with_content('tcp dport 4646')
               is_expected.not_to contain_nftables__rule('default_in-nomad_rpc_ip6')
               is_expected.to contain_nftables__rule('default_in-nomad_rpc_ip').with_content('tcp dport 4647 ip saddr @nomad_ip accept')
               is_expected.not_to contain_nftables__rule('default_in-nomad_serf_tcp_ip6')
               is_expected.to contain_nftables__rule('default_in-nomad_serf_tcp_ip').with_content('tcp dport 4648 ip saddr @nomad_ip accept')
               is_expected.not_to contain_nftables__rule('default_in-nomad_serf_udp_ip6')
               is_expected.to contain_nftables__rule('default_in-nomad_serf_udp_ip').with_content('udp dport 4648 ip saddr @nomad_ip accept')
+            }
           end
         end
       end
     end

Formats disponibles : Unified diff

Projet

Général

Profil

puppet nftables

Révision 5dedf86c