diff --git a/security_groups.yaml b/security_groups.yaml
index 6e151d7..7739046 100644
--- a/security_groups.yaml
+++ b/security_groups.yaml
@@ -173,6 +173,17 @@ resources:
 port_range_min: <%port%>
 port_range_max: <%port%>
+ controlplane_certbot_secgroup:
+ type: OS::Neutron::SecurityGroup
+ properties:
+ name: controlplane_certbot_sg
+ rules:
+ - direction: ingress
+ protocol: tcp
+ remote_ip_prefix: 0.0.0.0/0
+ port_range_min: 80
+ port_range_max: 80
+
 proxy_controlplane_secgroup:
 type: OS::Neutron::SecurityGroup
 properties:
@@ -529,7 +540,6 @@ outputs:
 vrrp_nodes_security_group:
 description: VRRP access between tenant and net2 nodes
 value: { get_resource: vrrp_nodes_secgroup }
-
 bastion_external_security_group:
 description: Bastion external security group
 value: { get_resource: bastion_external_secgroup }
@@ -587,3 +597,6 @@ outputs:
 proxy_security_group:
 description: Net2 LB VRRP security group
 value: { get_resource: proxy_controlplane_secgroup }
+ controlplane_certbot_security_group:
+ description: Security group allowing http-01 challenge
+ value: { get_resource: controlplane_certbot_secgroup }
\ No newline at end of file
diff --git a/top-level-template.yaml b/top-level-template.yaml
index 1fbd2f4..d8fa065 100644
--- a/top-level-template.yaml
+++ b/top-level-template.yaml
@@ -172,7 +172,7 @@ resources:
 properties:
 template: { get_file: security_groups.yaml }
 parameters:
- control_plane_ports: "80,443,8443"
+ control_plane_ports: "443,8443"
 data_plane_ports: "80,443"
 control_plane_sources: { get_param: control_plane_allowed_sources }
 data_plane_sources: { get_param: data_plane_allowed_sources }
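Review bot: The new `remote_ip_prefix: 0.0.0.0/0` rule in `controlplane_certbot_secgroup` leaves TCP 80 open to the whole internet permanently on every instance carrying this group, while the http-01 exchange only needs it during issuance and renewal; the wide source is inherent to http-01 (validators connect from unpredictable addresses), so what matters is that nothing but the ACME challenge responder ever binds that port on those hosts. Record that intent next to the rule, e.g. `# http-01: ACME validators connect from arbitrary IPs; only the challenge responder may listen on :80 on these hosts`, and consider dns-01 if keeping 80 closed is a requirement. The rule carries no `ethertype`, so by Neutron's default it is IPv4-only; if the control-plane hostname is ever given an AAAA record, validators may attempt IPv6 and be blocked (hedged — depends on the deployment's addressing). Unlike the neighbouring groups, which take `<%port%>` and parameterized sources, this one hard-codes both the port and the prefix; a `certbot_port`/`certbot_sources` parameter would keep the file consistent. Read together with the `control_plane_ports` hunk in top-level-template.yaml, the commit's net effect is that control-plane port 80 moves from allowed-sources-only to world-reachable, which is worth stating in the commit description.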
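Review bot: The new `controlplane_certbot_security_group` output is appended as the last line and the file still ends without a newline (`\ No newline at end of file` applies to the new side as well). Since the commit already rewrites the final line `value: { get_resource: controlplane_certbot_secgroup }`, terminate it with a newline so the next addition to `outputs:` does not produce a spurious one-line change here.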
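Review bot: Dropping `80` from `control_plane_ports` is only correct in combination with the new certbot group in security_groups.yaml, and that dependency is invisible to anyone reading top-level-template.yaml on its own, where port 80 simply disappears from the source-restricted control-plane set. Add an inline comment on the changed line, e.g. `control_plane_ports: "443,8443"  # 80 is opened to 0.0.0.0/0 by controlplane_certbot_secgroup for http-01`, so the move is documented where the port list lives. `data_plane_ports: "80,443"` still carries 80 under `data_plane_sources`, so the two planes now apply different source policies to the same port; a reader should be told that is intentional.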
@@ -224,6 +224,7 @@ resources:
 - { get_attr: [ security_groups, outputs, dns_forwarder_security_group ] }
 - { get_attr: [ security_groups, outputs, vrrp_controlplane_security_group ] }
 - { get_attr: [ security_groups, outputs, proxy_security_group ] }
+ - { get_attr: [ security_groups, outputs, controlplane_certbot_security_group ] }
 master_nodes_deployment:
 type: OS::Heat::Stack
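Review bot: The added `controlplane_certbot_security_group` entry attaches the world-open TCP 80 rule to every member of whichever server group owns this `security_groups` list; the owning resource starts above the hunk, so I cannot tell which one it is, though the following `master_nodes_deployment` suggests a control-plane group. http-01 only has to be answered at the address the certificate's hostname resolves to, so if that is a VIP fronted by the proxy group (hedged — not visible here), attaching the group to all nodes widens exposure without helping validation, and a dedicated responder would be the narrower choice. Whichever node set is intended, add a comment above the new line, e.g. `# http-01: permits TCP 80 from 0.0.0.0/0 — see controlplane_certbot_secgroup`, so the widened exposure is visible where it is granted.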