authorSam Thursfield <sam.thursfield@codethink.co.uk>2017-07-12 19:27:50 +0100
committerSam Thursfield <sam.thursfield@codethink.co.uk>2017-07-13 16:57:36 +0100
commitc87270a48f7fe97bb26b538215e7ad96ffd449e2 (patch)
treee007a278e2c124505d6429880266fa45d61d4026 /firewall.yaml
parent37d25cfe74687c5529fd43f0010eda8363682cbc (diff)
downloadinfrastructure-c87270a48f7fe97bb26b538215e7ad96ffd449e2.tar.gz
Add ostree.baserock.org system
This is a new instance that can be used as an artifact cache by the BuildStream build tool. Anyone can download artifacts over HTTPS. Those given SSH access to the machine can write to the artifact cache (this will likely be limited to automated build machines). DNS is now set to point cache.baserock.org and ostree.baserock.org to the HAProxy frontend. The SSL certificate for the frontend-haproxy system has been regenerated to include the cache.baserock.org and ostree.baserock.org domains.
Diffstat (limited to 'firewall.yaml')
-rw-r--r--firewall.yaml35
1 files changed, 7 insertions, 28 deletions
diff --git a/firewall.yaml b/firewall.yaml
index 800e7390..c468755b 100644
--- a/firewall.yaml
+++ b/firewall.yaml
@@ -235,10 +235,10 @@
- name: shared-artifact-cache security group
os_security_group:
name: shared-artifact-cache
- description: Allow inbound HTTP, HTTPS and read-only Morph artifact cache access. Allow writable Morph artifact cache access from internal IPs.
+ description: Allow inbound HTTP, HTTPS and ostree-over-SSH (which I've assigned to port 22200)
state: present
- - name: shared-artifact-cache security group -- allow incoming TCP on port 80 for cache server web frontend
+ - name: shared-artifact-cache security group -- allow incoming TCP on port 80 for ostree-over-HTTP
os_security_group_rule:
security_group: shared-artifact-cache
direction: ingress
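Review bot: The rewritten security-group description drops the one thing the old text documented — who is allowed to write to the cache — and now reads in the first person ("which I've assigned"). Since this string is the group's only documentation of its access model, it should state that TCP 22200 is the write path (ostree push over SSH) and, as the 22200 rule further down this file shows with `remote_ip_prefix: 0.0.0.0/0`, that it is reachable from any address, so authorization rests solely on SSH authentication on the instance. Suggested: `description: Allow inbound HTTP/HTTPS (read-only ostree access) and ostree-over-SSH on TCP 22200 from any address; write access is gated only by SSH authentication on the instance.` If, as the commit message suggests, only automated build machines are meant to push, the 22200 rule's remote_ip_prefix could be narrowed to their addresses instead of 0.0.0.0/0.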
@@ -248,7 +248,7 @@
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- - name: shared-artifact-cache security group -- allow incoming TCP on port 443 for cache server web frontend
+ - name: shared-artifact-cache security group -- allow incoming TCP on port 443 for ostree-over-HTTP
os_security_group_rule:
security_group: shared-artifact-cache
direction: ingress
@@ -258,38 +258,17 @@
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- - name: shared-artifact-cache security group -- allow incoming TCP on port 8080 for cache server read access
+ # The port number here was chosen arbitrarily.
+ - name: shared-artifact-cache security group -- allow incoming TCP on port 22200 for ostree-over-SSH
os_security_group_rule:
security_group: shared-artifact-cache
direction: ingress
- port_range_min: 8080
- port_range_max: 8080
+ port_range_min: 22200
+ port_range_max: 22200
ethertype: IPv4
protocol: tcp
remote_ip_prefix: 0.0.0.0/0
- # 8081: 'writable cache server' port. Anyone who can connect
- # to this port can delete or overwrite cached artifacts.
- #
- # FIXME: because the Masons use cache.baserock.org instead of
- # 192.168.0.16 to access the shared artifact cache, we need to
- # permit traffic from our public IP range. This provides a
- # theoritical attack vector from other tenancies, so we should
- # fix the Masons and remove this rule.
- - name: shared-artifact-cache security group -- allow incoming internal-only TCP on port 8081 for cache server write access
- os_security_group_rule:
- security_group: shared-artifact-cache
- direction: ingress
- port_range_min: 8081
- port_range_max: 8081
- ethertype: IPv4
- protocol: tcp
- remote_ip_prefix: 185.43.218.0/0
- # It'd be nice to limit access by security group, but it doesn't
- # seem to actually work. Perhaps because we use external IP to
- # access instead of internal IP.
- #remote_group_id: "{{ default_group.sec_group.id }}"
-
- name: web-server security group
os_security_group:
name: web-server