iscsi: don't set default value for trusted_ip_list

It restricts access to the iSCSI API.
It can be left empty if the API isn't going to be access from outside the
gateway node

Even though this seems to be a limited use case, it's better to leave it
empty by default than having a meaningless default value.

We could make this variable mandatory but that would be a breaking
change. Let's just add a logic in the template in order to set this
variable in the configuration file only if it was specified by users.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1994930
Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
Co-authored-by: Dimitri Savineau <dsavinea@redhat.com>
(cherry picked from commit 6802b8dddd7f8d1f1c47f4eb3b7dd6a6a48820dc)

diff --git a/group_vars/iscsigws.yml.sample b/group_vars/iscsigws.yml.sample
index 67c1bb26e73563acdbb8152d953e0a9764c199ae..4b504126f544dd70c2bea26ee0f44eb9f1a6d9fe 100644 (file)
--- a/group_vars/iscsigws.yml.sample
+++ b/group_vars/iscsigws.yml.sample
@@ -30,7 +30,9 @@ dummy:
 #api_port: 5000
 #api_secure: false
 #loop_delay: 1
-#trusted_ip_list: 192.168.122.1
+# set the variable below with a comma separated list of IPs
+# in order to restrict the access to the iSCSI API
+# trusted_ip_list: 192.168.122.1
 
 
 ##########

diff --git a/roles/ceph-iscsi-gw/defaults/main.yml b/roles/ceph-iscsi-gw/defaults/main.yml
index c161e3647c37dc67c6c569abe0df33323605d7cf..865b286708abc92ec75ffda138fd50d9c213b9fa 100644 (file)
--- a/roles/ceph-iscsi-gw/defaults/main.yml
+++ b/roles/ceph-iscsi-gw/defaults/main.yml
@@ -22,7 +22,9 @@ api_password: admin
 api_port: 5000
 api_secure: false
 loop_delay: 1
-trusted_ip_list: 192.168.122.1
+# set the variable below with a comma separated list of IPs
+# in order to restrict the access to the iSCSI API
+# trusted_ip_list: 192.168.122.1
 
 
 ##########

diff --git a/roles/ceph-iscsi-gw/tasks/common.yml b/roles/ceph-iscsi-gw/tasks/common.yml
index 4517f535b44657f003d32b6718767a065d40087f..81d769a9a94ca502b9e71df366cd2582d7276576 100644 (file)
--- a/roles/ceph-iscsi-gw/tasks/common.yml
+++ b/roles/ceph-iscsi-gw/tasks/common.yml
@@ -26,7 +26,7 @@
 
 - name: add mgr ip address to trusted list with dashboard - ipv4
   set_fact:
-    trusted_ip_list: '{{ trusted_ip_list }},{{ hostvars[item]["ansible_facts"]["all_ipv4_addresses"] | ips_in_ranges(public_network.split(",")) | first }}'
+    trusted_ip_list: '{{ trusted_ip_list | default("") }}{{ "," if trusted_ip_list is defined else "" }}{{ hostvars[item]["ansible_facts"]["all_ipv4_addresses"] | ips_in_ranges(public_network.split(",")) | first }}'
   with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}'
   when:
     - dashboard_enabled | bool
@@ -34,7 +34,7 @@
 
 - name: add mgr ip address to trusted list with dashboard - ipv6
   set_fact:
-    trusted_ip_list: '{{ trusted_ip_list }},{{ hostvars[item]["ansible_facts"]["all_ipv6_addresses"] | ips_in_ranges(public_network.split(",")) | last }}'
+    trusted_ip_list: '{{ trusted_ip_list | default("") }}{{ "," if trusted_ip_list is defined else "" }}{{ hostvars[item]["ansible_facts"]["all_ipv6_addresses"] | ips_in_ranges(public_network.split(",")) | last }}'
   with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}'
   when:
     - dashboard_enabled | bool

diff --git a/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2 b/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2
index 59be8aaea97b8cef89ae5fa12ce7186ba448d52f..82c564d0a05b2db761cfc075faf6bd631195c86a 100644 (file)
--- a/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2
+++ b/roles/ceph-iscsi-gw/templates/iscsi-gateway.cfg.j2
@@ -25,4 +25,6 @@ api_user = {{ api_user }}
 api_password = {{ api_password }}
 api_port = {{ api_port }}
 loop_delay = {{ loop_delay }}
+{% if trusted_ip_list is defined %}
 trusted_ip_list = {{ trusted_ip_list }}
+{% endif %}
\ No newline at end of file