iscsi: don't set default value for trusted_ip_list

It restricts access to the iSCSI API.
It can be left empty if the API isn't going to be access from outside the
gateway node

Even though this seems to be a limited use case, it's better to leave it
empty by default than having a meaningless default value.

We could make this variable mandatory but that would be a breaking
change. Let's just add a logic in the template in order to set this
variable in the configuration file only if it was specified by users.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1994930
Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
Co-authored-by: Dimitri Savineau <dsavinea@redhat.com>

diff --git a/group_vars/iscsigws.yml.sample b/group_vars/iscsigws.yml.sample
index 57aecc421193293078ebac7a14815b790fe548d3..67c63a9fa3ae20f08e06619927c0e3b8fb3d4bed 100644 (file)
--- a/group_vars/iscsigws.yml.sample
+++ b/group_vars/iscsigws.yml.sample
@@ -30,7 +30,9 @@ dummy:
 #api_port: 5000
 #api_secure: false
 #loop_delay: 1
-#trusted_ip_list: 192.168.122.1
+# set the variable below with a comma separated list of IPs
+# in order to restrict the access to the iSCSI API
+# trusted_ip_list: 192.168.122.1
 
 
 ##########

diff --git a/roles/ceph-iscsi-gw/defaults/main.yml b/roles/ceph-iscsi-gw/defaults/main.yml
index ce0fecc5211333db26b80c2f8bd21bf91f6f397b..34707c9f137a6d342a80e65e9be5d8e7c0ba3774 100644 (file)
--- a/roles/ceph-iscsi-gw/defaults/main.yml
+++ b/roles/ceph-iscsi-gw/defaults/main.yml
@@ -22,7 +22,9 @@ api_password: admin
 api_port: 5000
 api_secure: false
 loop_delay: 1
-trusted_ip_list: 192.168.122.1
+# set the variable below with a comma separated list of IPs
+# in order to restrict the access to the iSCSI API
+# trusted_ip_list: 192.168.122.1
 
 
 ##########

diff --git a/roles/ceph-iscsi-gw/tasks/common.yml b/roles/ceph-iscsi-gw/tasks/common.yml
index 3e9ff1ef9fd94dd58c5067f799466ef6c045994e..8355f69909d2ed56a32e8525e4c6244cb3bb39b4 100644 (file)
--- a/roles/ceph-iscsi-gw/tasks/common.yml
+++ b/roles/ceph-iscsi-gw/tasks/common.yml
@@ -30,7 +30,7 @@
 
 - name: add mgr ip address to trusted list with dashboard - ipv4
   set_fact:
-    trusted_ip_list: '{{ trusted_ip_list }},{{ hostvars[item]["ansible_facts"]["all_ipv4_addresses"] | ips_in_ranges(public_network.split(",")) | first }}'
+    trusted_ip_list: '{{ trusted_ip_list | default("") }}{{ "," if trusted_ip_list is defined else "" }}{{ hostvars[item]["ansible_facts"]["all_ipv4_addresses"] | ips_in_ranges(public_network.split(",")) | first }}'
   with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}'
   when:
     - dashboard_enabled | bool
@@ -38,7 +38,7 @@
 
 - name: add mgr ip address to trusted list with dashboard - ipv6
   set_fact:
-    trusted_ip_list: '{{ trusted_ip_list }},{{ hostvars[item]["ansible_facts"]["all_ipv6_addresses"] | ips_in_ranges(public_network.split(",")) | last }}'
+    trusted_ip_list: '{{ trusted_ip_list | default("") }}{{ "," if trusted_ip_list is defined else "" }}{{ hostvars[item]["ansible_facts"]["all_ipv6_addresses"] | ips_in_ranges(public_network.split(",")) | last }}'
   with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}'
   when:
     - dashboard_enabled | bool

diff --git a/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 b/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2
index 59be8aaea97b8cef89ae5fa12ce7186ba448d52f..82c564d0a05b2db761cfc075faf6bd631195c86a 100644 (file)
--- a/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2
+++ b/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2
@@ -25,4 +25,6 @@ api_user = {{ api_user }}
 api_password = {{ api_password }}
 api_port = {{ api_port }}
 loop_delay = {{ loop_delay }}
+{% if trusted_ip_list is defined %}
 trusted_ip_list = {{ trusted_ip_list }}
+{% endif %}
\ No newline at end of file