From 6892e02a308c41d3319e6f6ae7fb7e390942f608 Mon Sep 17 00:00:00 2001 From: Guillaume Abrioux Date: Wed, 18 Aug 2021 13:23:44 +0200 Subject: [PATCH] iscsi: don't set default value for trusted_ip_list It restricts access to the iSCSI API. It can be left empty if the API isn't going to be access from outside the gateway node Even though this seems to be a limited use case, it's better to leave it empty by default than having a meaningless default value. We could make this variable mandatory but that would be a breaking change. Let's just add a logic in the template in order to set this variable in the configuration file only if it was specified by users. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1994930 Signed-off-by: Guillaume Abrioux Co-authored-by: Dimitri Savineau (cherry picked from commit 6802b8dddd7f8d1f1c47f4eb3b7dd6a6a48820dc) --- group_vars/iscsigws.yml.sample | 4 +++- roles/ceph-iscsi-gw/defaults/main.yml | 4 +++- roles/ceph-iscsi-gw/tasks/common.yml | 4 ++-- roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 | 2 ++ 4 files changed, 10 insertions(+), 4 deletions(-) diff --git a/group_vars/iscsigws.yml.sample b/group_vars/iscsigws.yml.sample index 57aecc4211..67c63a9fa3 100644 --- a/group_vars/iscsigws.yml.sample +++ b/group_vars/iscsigws.yml.sample @@ -30,7 +30,9 @@ dummy: #api_port: 5000 #api_secure: false #loop_delay: 1 -#trusted_ip_list: 192.168.122.1 +# set the variable below with a comma separated list of IPs +# in order to restrict the access to the iSCSI API +# trusted_ip_list: 192.168.122.1 ########## diff --git a/roles/ceph-iscsi-gw/defaults/main.yml b/roles/ceph-iscsi-gw/defaults/main.yml index ce0fecc521..34707c9f13 100644 --- a/roles/ceph-iscsi-gw/defaults/main.yml +++ b/roles/ceph-iscsi-gw/defaults/main.yml 
@@ -22,7 +22,9 @@ api_password: admin api_port: 5000 api_secure: false loop_delay: 1 -trusted_ip_list: 192.168.122.1 +# set the variable below with a comma separated list of IPs +# in order to restrict the access to the iSCSI API +# trusted_ip_list: 192.168.122.1 ########## diff --git a/roles/ceph-iscsi-gw/tasks/common.yml b/roles/ceph-iscsi-gw/tasks/common.yml index 600a80950a..c774c5955c 100644 --- a/roles/ceph-iscsi-gw/tasks/common.yml +++ b/roles/ceph-iscsi-gw/tasks/common.yml @@ -26,7 +26,7 @@ - name: add mgr ip address to trusted list with dashboard - ipv4 set_fact: - trusted_ip_list: '{{ trusted_ip_list }},{{ hostvars[item]["ansible_facts"]["all_ipv4_addresses"] | ips_in_ranges(public_network.split(",")) | first }}' + trusted_ip_list: '{{ trusted_ip_list | default("") }}{{ "," if trusted_ip_list is defined else "" }}{{ hostvars[item]["ansible_facts"]["all_ipv4_addresses"] | ips_in_ranges(public_network.split(",")) | first }}' with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}' when: - dashboard_enabled | bool @@ -34,7 +34,7 @@ - name: add mgr ip address to trusted list with dashboard - ipv6 set_fact: - trusted_ip_list: '{{ trusted_ip_list }},{{ hostvars[item]["ansible_facts"]["all_ipv6_addresses"] | ips_in_ranges(public_network.split(",")) | last }}' + trusted_ip_list: '{{ trusted_ip_list | default("") }}{{ "," if trusted_ip_list is defined else "" }}{{ hostvars[item]["ansible_facts"]["all_ipv6_addresses"] | ips_in_ranges(public_network.split(",")) | last }}' with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}' when: - dashboard_enabled | bool diff --git a/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 b/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 index 59be8aaea9..82c564d0a0 100644 --- a/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 +++ b/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 
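Review bot: The new comment above `# trusted_ip_list` explains what setting the variable does but not what leaving it unset means, and unset is now the default. The commit description says it can stay empty when the API is not accessed from outside the gateway node, and that belongs in the file, e.g. `# leave unset when the API is only used from the gateway nodes themselves`. `api_secure: false` is a context line in this hunk and `api_password: admin` is its section heading, so operators are likely to rely on this list as an access control. How ceph-iscsi treats a missing option is not visible here and should be confirmed before the comment promises anything stronger.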
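Review bot: `trusted_ip_list is defined` is also true when the variable is set to an empty string, so in the ipv4 task a user who writes `trusted_ip_list: ''` gets a value that starts with a comma, i.e. an empty first entry, once the mgr address is appended. Testing for content rather than definedness avoids that: `{{ "," if trusted_ip_list | default("") | length > 0 else "" }}`. The ipv6 hunk that follows has the same expression. The template hunk's `{% if trusted_ip_list is defined %}` would likewise write a bare `trusted_ip_list =` line for an empty value, which `{% if trusted_ip_list | default("") | length > 0 %}` covers. How ceph-iscsi parses an empty entry is not visible here, so it is worth checking that it neither widens nor breaks the allow-list.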
@@ -25,4 +25,6 @@ api_user = {{ api_user }}
 api_password = {{ api_password }}
 api_port = {{ api_port }}
 loop_delay = {{ loop_delay }}
+{% if trusted_ip_list is defined %}
 trusted_ip_list = {{ trusted_ip_list }}
+{% endif %}
\ No newline at end of file