From 6802b8dddd7f8d1f1c47f4eb3b7dd6a6a48820dc Mon Sep 17 00:00:00 2001
From: Guillaume Abrioux
Date: Wed, 18 Aug 2021 13:23:44 +0200
Subject: [PATCH] iscsi: don't set default value for trusted_ip_list
It restricts access to the iSCSI API. It can be left empty if the API isn't going to be access from outside the gateway node Even though this seems to be a limited use case, it's better to leave it empty by default than having a meaningless default value. We could make this variable mandatory but that would be a breaking change. Let's just add a logic in the template in order to set this variable in the configuration file only if it was specified by users.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1994930
Signed-off-by: Guillaume Abrioux
Co-authored-by: Dimitri Savineau
---
 group_vars/iscsigws.yml.sample | 4 +++-
 roles/ceph-iscsi-gw/defaults/main.yml | 4 +++-
 roles/ceph-iscsi-gw/tasks/common.yml | 4 ++--
 roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 | 2 ++
 4 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/group_vars/iscsigws.yml.sample b/group_vars/iscsigws.yml.sample
index 57aecc421..67c63a9fa 100644
--- a/group_vars/iscsigws.yml.sample
+++ b/group_vars/iscsigws.yml.sample
@@ -30,7 +30,9 @@ dummy:
 #api_port: 5000
 #api_secure: false
 #loop_delay: 1
-#trusted_ip_list: 192.168.122.1
+# set the variable below with a comma separated list of IPs
+# in order to restrict the access to the iSCSI API
+# trusted_ip_list: 192.168.122.1
 ##########
diff --git a/roles/ceph-iscsi-gw/defaults/main.yml b/roles/ceph-iscsi-gw/defaults/main.yml
index ce0fecc52..34707c9f1 100644
--- a/roles/ceph-iscsi-gw/defaults/main.yml
+++ b/roles/ceph-iscsi-gw/defaults/main.yml
@@ -22,7 +22,9 @@ api_password: admin
 api_port: 5000
 api_secure: false
 loop_delay: 1
-trusted_ip_list: 192.168.122.1
+# set the variable below with a comma separated list of IPs
+# in order to restrict the access to the iSCSI API
+# trusted_ip_list: 192.168.122.1
 ##########
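Review bot: The comment added above the commented-out `trusted_ip_list` in roles/ceph-iscsi-gw/defaults/main.yml says how to restrict API access but not what leaving it unset means, and it sits directly under the defaults `api_password: admin` and `api_secure: false`. With this commit the template writes no `trusted_ip_list` entry when the variable is undefined, so the gateway's own behaviour for a missing entry becomes the role default; that behaviour is not shown here and should be stated for operators. I would extend the comment along the lines of `# when unset, no trusted_ip_list entry is written to iscsi-gateway.cfg; set it whenever the API must be reachable from hosts other than the gateway nodes`. The same wording fits the group_vars/iscsigws.yml.sample hunk.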
diff --git a/roles/ceph-iscsi-gw/tasks/common.yml b/roles/ceph-iscsi-gw/tasks/common.yml index 3e9ff1ef9..8355f6990 100644 --- a/roles/ceph-iscsi-gw/tasks/common.yml +++ b/roles/ceph-iscsi-gw/tasks/common.yml @@ -30,7 +30,7 @@ - name: add mgr ip address to trusted list with dashboard - ipv4 set_fact: - trusted_ip_list: '{{ trusted_ip_list }},{{ hostvars[item]["ansible_facts"]["all_ipv4_addresses"] | ips_in_ranges(public_network.split(",")) | first }}' + trusted_ip_list: '{{ trusted_ip_list | default("") }}{{ "," if trusted_ip_list is defined else "" }}{{ hostvars[item]["ansible_facts"]["all_ipv4_addresses"] | ips_in_ranges(public_network.split(",")) | first }}' with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}' when: - dashboard_enabled | bool @@ -38,7 +38,7 @@ - name: add mgr ip address to trusted list with dashboard - ipv6 set_fact: - trusted_ip_list: '{{ trusted_ip_list }},{{ hostvars[item]["ansible_facts"]["all_ipv6_addresses"] | ips_in_ranges(public_network.split(",")) | last }}' + trusted_ip_list: '{{ trusted_ip_list | default("") }}{{ "," if trusted_ip_list is defined else "" }}{{ hostvars[item]["ansible_facts"]["all_ipv6_addresses"] | ips_in_ranges(public_network.split(",")) | last }}' with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}' when: - dashboard_enabled | bool diff --git a/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 b/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 index 59be8aaea..82c564d0a 100644 --- a/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 +++ b/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 @@ -25,4 +25,6 @@ api_user = {{ api_user }} api_password = {{ api_password }} api_port = {{ api_port }} loop_delay = {{ loop_delay }} +{% if trusted_ip_list is defined %} trusted_ip_list = {{ trusted_ip_list }} +{% endif %} \ No newline at end of file
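Review bot: The separator test `trusted_ip_list is defined` in the ipv4 `set_fact` is also true for a variable that is defined but empty, so `trusted_ip_list: ''` in a user's group_vars produces a value that starts with a comma, and a null value may be rendered as the string `None` depending on the Ansible version. Testing for a non-empty value covers both cases: `{{ trusted_ip_list | default("", true) }}{{ "," if trusted_ip_list | default("", true) else "" }}` in front of the address expression. The ipv6 task in the next hunk uses the same expression and needs the same change. Both tasks' `when:` lists continue outside their hunks.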
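Review bot: `{% if trusted_ip_list is defined %}` in iscsi-gateway.cfg.j2 also passes for an empty or null value, which writes a bare `trusted_ip_list = ` line into the gateway configuration. How the gateway treats an empty entry is not visible here, so it is safer to omit the line in that case too, as the commit message intends for the unspecified case. `{% if trusted_ip_list | default("", true) %}` keeps the entry out unless a non-empty list was supplied.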