From c7cd688f2e98b4c20dae05ec9f1c235a70bdbd0a Mon Sep 17 00:00:00 2001 From: Guillaume Abrioux Date: Wed, 18 Aug 2021 13:23:44 +0200 Subject: [PATCH] iscsi: don't set default value for trusted_ip_list It restricts access to the iSCSI API. It can be left empty if the API isn't going to be access from outside the gateway node Even though this seems to be a limited use case, it's better to leave it empty by default than having a meaningless default value. We could make this variable mandatory but that would be a breaking change. Let's just add a logic in the template in order to set this variable in the configuration file only if it was specified by users. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1994930 Signed-off-by: Guillaume Abrioux Co-authored-by: Dimitri Savineau (cherry picked from commit 6802b8dddd7f8d1f1c47f4eb3b7dd6a6a48820dc) --- group_vars/iscsigws.yml.sample | 4 +++- roles/ceph-iscsi-gw/defaults/main.yml | 4 +++- roles/ceph-iscsi-gw/tasks/common.yml | 4 ++-- roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 | 2 ++ 4 files changed, 10 insertions(+), 4 deletions(-) diff --git a/group_vars/iscsigws.yml.sample b/group_vars/iscsigws.yml.sample index 67c1bb26e..4b504126f 100644 --- a/group_vars/iscsigws.yml.sample +++ b/group_vars/iscsigws.yml.sample @@ -30,7 +30,9 @@ dummy: #api_port: 5000 #api_secure: false #loop_delay: 1 -#trusted_ip_list: 192.168.122.1 +# set the variable below with a comma separated list of IPs +# in order to restrict the access to the iSCSI API +# trusted_ip_list: 192.168.122.1 ########## diff --git a/roles/ceph-iscsi-gw/defaults/main.yml b/roles/ceph-iscsi-gw/defaults/main.yml index c161e3647..865b28670 100644 --- a/roles/ceph-iscsi-gw/defaults/main.yml +++ b/roles/ceph-iscsi-gw/defaults/main.yml 
@@ -22,7 +22,9 @@ api_password: admin api_port: 5000 api_secure: false loop_delay: 1 -trusted_ip_list: 192.168.122.1 +# set the variable below with a comma separated list of IPs +# in order to restrict the access to the iSCSI API +# trusted_ip_list: 192.168.122.1 ########## diff --git a/roles/ceph-iscsi-gw/tasks/common.yml b/roles/ceph-iscsi-gw/tasks/common.yml index 4517f535b..81d769a9a 100644 --- a/roles/ceph-iscsi-gw/tasks/common.yml +++ b/roles/ceph-iscsi-gw/tasks/common.yml @@ -26,7 +26,7 @@ - name: add mgr ip address to trusted list with dashboard - ipv4 set_fact: - trusted_ip_list: '{{ trusted_ip_list }},{{ hostvars[item]["ansible_facts"]["all_ipv4_addresses"] | ips_in_ranges(public_network.split(",")) | first }}' + trusted_ip_list: '{{ trusted_ip_list | default("") }}{{ "," if trusted_ip_list is defined else "" }}{{ hostvars[item]["ansible_facts"]["all_ipv4_addresses"] | ips_in_ranges(public_network.split(",")) | first }}' with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}' when: - dashboard_enabled | bool @@ -34,7 +34,7 @@ - name: add mgr ip address to trusted list with dashboard - ipv6 set_fact: - trusted_ip_list: '{{ trusted_ip_list }},{{ hostvars[item]["ansible_facts"]["all_ipv6_addresses"] | ips_in_ranges(public_network.split(",")) | last }}' + trusted_ip_list: '{{ trusted_ip_list | default("") }}{{ "," if trusted_ip_list is defined else "" }}{{ hostvars[item]["ansible_facts"]["all_ipv6_addresses"] | ips_in_ranges(public_network.split(",")) | last }}' with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}' when: - dashboard_enabled | bool diff --git a/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 b/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 index 59be8aaea..82c564d0a 100644 --- a/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 +++ b/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 
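Review bot: The new comment in roles/ceph-iscsi-gw/defaults/main.yml explains how to set `trusted_ip_list` but not what leaving it unset means, and unset is now the default. The commit message says it can stay empty when the API is not accessed from outside the gateway node, and the template change then omits the option from iscsi-gateway.cfg unless the dashboard tasks in tasks/common.yml add the mgr addresses. That belongs next to the variable, for example `# leave it unset if the API is only reached from the gateway node; the option is then omitted from iscsi-gateway.cfg`. The context lines still show `api_password: admin` and `api_secure: false` as defaults, so a reader judging how exposed the API is will read these three settings together, and the comment could point at the other two.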
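Review bot: In roles/ceph-iscsi-gw/tasks/common.yml both `set_fact` expressions (ipv4 and ipv6) pick the separator with `trusted_ip_list is defined`, which is also true when an inventory sets the variable to an empty string or null; the result then starts with a comma, e.g. `,<mgr-ip>`. How ceph-iscsi treats an empty entry in this access list is not visible here, so it is safer not to generate one. Testing the value rather than its existence avoids it: `{{ trusted_ip_list | default("", true) }}{{ "," if trusted_ip_list | default("", true) else "" }}` in front of the address lookup. The `{% if trusted_ip_list is defined %}` guard added to templates/iscsi-gateway.cfg.j2 has the same gap and would write `trusted_ip_list =` with no value; `{% if trusted_ip_list | default("", true) %}` covers it. Both tasks continue outside the hunks, since their `when:` lists are cut off.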
@@ -25,4 +25,6 @@ api_user = {{ api_user }}
 api_password = {{ api_password }}
 api_port = {{ api_port }}
 loop_delay = {{ loop_delay }}
+{% if trusted_ip_list is defined %}
 trusted_ip_list = {{ trusted_ip_list }}
+{% endif %}
\ No newline at end of file