summaryrefslogtreecommitdiffstats
path: root/roles/openstack-stack
diff options
context:
space:
mode:
authorBogdan Dobrelya <bdobreli@redhat.com>2017-10-18 12:53:31 +0200
committerGitHub <noreply@github.com>2017-10-18 12:53:31 +0200
commitd2ff422b284f04b8a19ad4c6aa388ba397d915e1 (patch)
tree18435f866cd081dfad3f0b37117ccd329afef09b /roles/openstack-stack
parent0d2c1802e6e880030c64946691b0d9cad2c24b43 (diff)
downloadopenshift-d2ff422b284f04b8a19ad4c6aa388ba397d915e1.tar.gz
openshift-d2ff422b284f04b8a19ad4c6aa388ba397d915e1.tar.bz2
openshift-d2ff422b284f04b8a19ad4c6aa388ba397d915e1.tar.xz
openshift-d2ff422b284f04b8a19ad4c6aa388ba397d915e1.zip
Add Flannel support (#814)
* Add flannel support * Document Flannel SDN use case for a separate data network. * Add post install step for flannel SDN * Configure iptables rules as described for OCP 3.4 refarch https://access.redhat.com/documentation/en-us/reference_architectures/2017/html/deploying_red_hat_openshift_container_platform_3.4_on_red_hat_openstack_platform_10/emphasis_manual_deployment_emphasis#run_ansible_installer * Configure flannel interface options Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com> * Use os_firewall from galaxy for required flannel rules For flannel SDN: * Add openshift-ansible as a galaxy dependency module. * Use openshift-ansible/roles/os_firewall to apply DNS rules for flanel SDN. * Apply the remaining advanced rules with direct iptables commands as os_firewall do not support advanced rules. * Persist only iptables rules w/o dynamic KUBe rules. Those are added runtime and need restoration after reboot or iptables restart. * Configure and enable the masked iptables service on the app nodes. Enable it to allow the in-memory rules to be persisted. Disable firewalld, which is the expected default behavior of the os_firewall module. Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com> * Allow access from nodes to masters' port 2379 when using flannel Flannel requires to gather information from etcd to configure and assign the subnets in the nodes, therefore, allow access from nodes to port 2379/tcp to the master security group. Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Diffstat (limited to 'roles/openstack-stack')
-rw-r--r--roles/openstack-stack/templates/heat_stack.yaml.j26
1 files changed, 6 insertions, 0 deletions
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index a69b7fc00..2359842a5 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -341,6 +341,12 @@ resources:
protocol: tcp
port_range_min: 9090
port_range_max: 9090
+{% if openshift_use_flannel|default(False)|bool %}
+ - direction: ingress
+ protocol: tcp
+ port_range_min: 2379
+ port_range_max: 2379
+{% endif %}
etcd-secgrp:
type: OS::Neutron::SecurityGroup