Merge pull request #2 from yakirgb/firewall

Add firewall manifest
yakirgb · May 11, 2017 · 2593305 · 2593305
2 parents 4f6d3af + 8464049
commit 2593305
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -22,8 +22,9 @@ class{ 'scylla':
   dc                        =>  'ScyllaUS',
   rack                      =>  'ScyllaTestRack',
   seeds                     =>  ['192.30.253.113','192.30.253.112'],
+  manage_firewall           =>  false
   scylla_setup_skip_options =>  '--no-raid-setup',
-  scylla_setup_nic_options  =>  '--setup-nic --nic bond0'
+  scylla_setup_nic_options  =>  '--setup-nic --nic bond0',
 }
 ```
 ## License

diff --git a/manifests/firewalld.pp b/manifests/firewalld.pp
@@ -0,0 +1,52 @@
+# Class scylla::firewalld
+#
+# Uses crayfishx/puppet-firewalld module to open scylla listen port
+#
+class scylla::firewalld {
+
+  if $::scylla::manage_firewall {
+    firewalld::custom_service{'scylla':
+      short => 'scylla',
+      port  => [
+        {
+          'port'     => $::scylla::native_transport_port,
+          'protocol' => 'tcp',
+        },
+        {
+          'port'     => $::scylla::rpc_port,
+          'protocol' => 'tcp',
+        },
+        {
+          'port'     => $::scylla::api_port,
+          'protocol' => 'tcp',
+        },
+        {
+          'port'     => $::scylla::jmx_port,
+          'protocol' => 'tcp',
+        },
+        {
+          'port'     => $::scylla::prometheus_port,
+          'protocol' => 'tcp',
+        },
+        {
+          'port'     => $::scylla::storage_port,
+          'protocol' => 'tcp',
+        },
+        {
+          'port'     => $::scylla::ssl_storage_port,
+          'protocol' => 'tcp',
+        },
+        {
+          'port'     => $::scylla::node_exporter_port,
+          'protocol' => 'tcp',
+        },
+      ]
+    }
+
+    -> firewalld_service{ 'Allow scylla access from the internal zone':
+      ensure  => 'present',
+      service => 'scylla',
+      zone    => 'internal'
+    }
+  }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -36,13 +36,15 @@
   $scylla_setup_nic_options             = $scylla::params::scylla_setup_nic_options,
   $jmx_port                             = $scylla::params::jmx_port,
   $node_exporter_port                   = $scylla::params::node_exporter_port,
+  $manage_firewall                      = $scylla::params::manage_firewall,
 
   ) inherits scylla::params {
 
     anchor  { 'scylla::begin': }
     ->  class   { '::scylla::repo::yum': }
     ->  class   { '::scylla::packages': }
     ->  class   { '::scylla::config': }
+    ->  class   { '::scylla::firewalld': }
     ->  anchor  { 'scylla::end': }
 
 }
diff --git a/manifests/packages.pp b/manifests/packages.pp
@@ -4,10 +4,6 @@
 #
 class scylla::packages {
 
-  if $caller_module_name != $module_name {
-  fail("Use of private class ${name} by ${caller_module_name}")
-  }
-
   #ABRT conflict with Scylla coredump configuration
   package { 'abrt':
     ensure => absent,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -49,4 +49,7 @@
   # node_exporter
   $node_exporter_port                  = 9100
 
+  # Manage firewall
+  $manage_firewall                     = true
+
 }
diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "yakirg-scylla",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "author": "Yakir Gibraltar",
   "summary": "Scylla installation and configuration",
   "license": "MIT",
@@ -12,6 +12,10 @@
     {
       "name": "puppetlabs-stdlib",
       "version_requirement": "4.x"
+    },
+    {
+      "name": "crayfishx/puppet-firewalld",
+      "version_requirement":  ">= 2.2.0 < 3.3.1"
     }
   ],
   "tags": [