F5 Config Newton
~/S/rpc-openstack git:master ❯❯❯ diff ./scripts/f5-config.py ../dpham-rpc-openstack/scripts/f5-config-newton.py ✭
diff --git 1/./scripts/f5-config.py 2/../dpham-rpc-openstack/scripts/f5-config-newton.py
old mode 100755
new mode 100644
index 6ad18ed..ada22c0
--- 1/./scripts/f5-config.py
+++ 2/../dpham-rpc-openstack/scripts/f5-config-newton.py
@@ -1,5 +1,5 @@
#!/usr/bin/env python
-# Copyright 2014-2016, Rackspace US, Inc.
+# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -12,29 +12,18 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-#
+
# (c) 2014, Kevin Carter <[email protected]>
-from __future__ import print_function
+# Fork by David Pham <[email protected]>
+# Yet again, completely buchered by Jonathan <[email protected]>
+
import argparse
import json
import os
-import sys
-
import netaddr
-IS_LEM = True
-
-LAB_DATA_DIR = os.environ.get('LAB_DATA_DIR')
-LAB_NAME = os.environ.get('LAB_NAME')
-if LAB_DATA_DIR is None or LAB_NAME is None:
- IS_LEM = False
-
-LAB_NAME_URL = None
PART = 'RPC'
PREFIX_NAME = 'RPC'
-if IS_LEM:
- LAB_NAME_URL = LAB_NAME.lower() + '.rpc.rackspace.com'
- PREFIX_NAME = PART = LAB_NAME.upper()
SNAT_POOL = (
'### CREATE SNATPOOL ###\n'
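Review bot: Dropping `from __future__ import print_function` here, together with the print statements in main() (L465–L479) and `dict.iteritems()` (L303, L490), makes the file Python 2-only, yet the shebang stays `#!/usr/bin/env python`, which resolves to Python 3 on current hosts and fails at compile time. Keep the future import and use `print(...)` and `.items()`; on Python 2 `.items()` only materialises a list, which is harmless at this size. `import sys` is removed as well, so if file_find still calls `sys.exit` on its `pass_exception` path (the parameter survives in the hunk header at L307) that becomes a NameError that only surfaces when the file is missing.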
@@ -42,8 +31,8 @@ SNAT_POOL = (
' %(snat_pool_addresses)s } }'
)
-# Persistence Profile:
-PERSISTENCE = [
+#Persistance Profile:
+PERSISTANCE = [
r'create ltm persistence source-addr /' + PART + '/' + PREFIX_NAME + '_PROF_PERSIST_IP {'
r' app-service none defaults-from /Common/source_addr'
r' match-across-services enabled timeout 3600 }',
@@ -63,17 +52,17 @@ MONITORS = [
r' defaults-from http destination *:8775 recv "200 OK" send "HEAD /'
r' HTTP/1.1\r\nHost: rpc\r\n\r\n" }',
r'create ltm monitor http /' + PART + '/' + PREFIX_NAME + '_MON_HTTP_HORIZON { defaults-from http'
- r' destination *:80 recv "302 Found" send "HEAD / HTTP/1.1\r\nHost:'
+ r' destination *:80 recv "302 Found" send "HEAD /auth/login/ HTTP/1.1\r\nHost:'
r' rpc\r\n\r\n" }',
r'create ltm monitor http /' + PART + '/' + PREFIX_NAME + '_MON_HTTP_NOVA_SPICE_CONSOLE {'
r' defaults-from http destination *:6082 recv "200 OK" send "HEAD /spice_auto.html'
r' HTTP/1.1\r\nHost: rpc\r\n\r\n" }',
- r'create ltm monitor http /' + PART + '/' + PREFIX_NAME + '_MON_HTTP_NOVA_NOVNC_CONSOLE {'
- r' defaults-from http destination *:6080 recv "200 OK" send "HEAD /novnc_auto.html'
- r' HTTP/1.1\r\nHost: rpc\r\n\r\n" }',
- r'create ltm monitor https /' + PART + '/' + PREFIX_NAME + '_MON_HTTPS_HORIZON_SSL { defaults-from'
- r' https destination *:443 recv "302 FOUND" send "HEAD / HTTP/1.1\r\nHost:'
+ r'create ltm monitor http /' + PART + '/' + PREFIX_NAME + '_MON_HTTP_HORIZON_443 { defaults-from'
+ r' http destination *:443 recv "200 OK" send "HEAD /auth/login/ HTTP/1.1\r\nHost:'
r' rpc\r\n\r\n" }',
+ r'create ltm monitor https /' + PART + '/' + PREFIX_NAME + '_MON_HTTPS_NOVA_SPICE_CONSOLE {'
+ r' defaults-from https destination *:6082 recv "200 OK" send "HEAD /'
+ r' HTTP/1.1\r\nHost: rpc\r\n\r\n" }',
r'create ltm monitor tcp /' + PART + '/' + PREFIX_NAME + '_MON_TCP_HEAT_API_CFN { defaults-from tcp'
r' destination *:8000 }',
r'create ltm monitor tcp /' + PART + '/' + PREFIX_NAME + '_MON_TCP_HEAT_API_CLOUDWATCH {'
@@ -86,12 +75,7 @@ MONITORS = [
r' tcp destination *:9200 }',
r'create ltm monitor http /' + PART + '/' + PREFIX_NAME + '_MON_HTTP_REPO {'
r' defaults-from http destination *:8181 recv "200 OK" send "HEAD /'
- r' HTTP/1.1\r\nHost: rpc\r\n\r\n" }',
- r' create ltm monitor http /' + PART + '/' + PREFIX_NAME + '_MON_HTTP_REPO_CACHE {'
- r' defaults-from http destination *:3142 recv "200 OK" send "HEAD /acng-report.html'
- r' HTTP/1.1\r\nHost: rpc\r\n\r\n" }',
- r'create ltm monitor tcp /' + PART + '/' + PREFIX_NAME + '_MON_TCP_REPO_GIT {'
- r' defaults-from tcp destination *:9418 }',
+ r' HTTP/1.1\r\nHost: rpc\r\n\r\n" }'
'\n'
]
@@ -99,11 +83,15 @@ NODES = (
'create ltm node /' + PART + '/%(node_name)s { address %(container_address)s }'
)
+SNAT_IDLE = (
+ 'modify ltm snat-translation /' + PART + '/%s { ip-idle-timeout 3600 }'
+)
+
PRIORITY_ENTRY = '{ priority-group %(priority_int)s }'
POOL_NODE = {
'beginning': 'create ltm pool /' + PART + '/%(pool_name)s {'
- ' load-balancing-mode fastest-node members replace-all-with'
+ ' load-balancing-mode least-connections-node members replace-all-with'
' { %(nodes)s }',
'priority': 'min-active-members 1',
'end': 'monitor %(mon_type)s }'
@@ -137,7 +125,7 @@ PUB_SSL_VIRTUAL_ENTRIES = (
'create ltm virtual /' + PART + '/%(vs_name)s {'
' destination %(ssl_public_ip)s:%(port)s ip-protocol tcp'
' pool /' + PART + '/%(pool_name)s'
- r' profiles replace-all-with { /Common/tcp { } %(ssl_profiles)s }'
+ r' profiles replace-all-with { /Common/tcp { } %(ltm_profiles)s }'
' %(persist)s'
' source-address-translation { pool /' + PART + '/' + PREFIX_NAME + '_SNATPOOL type snat }'
' }'
@@ -163,6 +151,42 @@ SEC_HOSTNET_VIRTUAL_ENTRIES = (
' }'
)
+SEC_AFM_RULES = (
+ '\n### CREATE AFM LIST AND RULES ###\n'
+ #Port Lists
+ 'create security firewall port-list RPC_VIP_PORTS '
+ '{ ports add { 80 { } 443 { } 3306 { } 3307 { } 5000 { } 6082 { } 8000 { } 8003 { } 8004 { } 8080 { } '
+ '8181 { } 8443 { } 8774 { } 8775 { } 8776 { } 8888 { } 9191 { } 9200 { } 9292 { } 9696 { } 35357 { } } }\n'
+ '\n'
+ #Addr Lists
+ 'create security firewall address-list RPC_PUB_VIP_ALLOW_IPS { addresses add { 0.0.0.0/0 } }\n'
+ 'create security firewall address-list RPC_PRI_VIP_ALLOW_IPS { addresses add { 0.0.0.0/0 } }\n'
+ 'create security firewall address-list RPC-HOST-NET { addresses replace-all-with { %(sec_host_net)s { } } }\n'
+ '\n'
+ #Rule Lists
+ 'create security firewall rule-list RPC_PUB_VIP_RULELIST '
+ '{ rules replace-all-with { RPC_PUB_VIP_ALLOW { action accept-decisively '
+ 'ip-protocol tcp source { address-lists replace-all-with { RPC_PUB_VIP_ALLOW_IPS } } '
+ 'destination { addresses replace-all-with { %(ssl_public_ip)s { } } '
+ 'port-lists replace-all-with { RPC_VIP_PORTS } } } } }\n'
+ #
+ 'create security firewall rule-list RPC_PRI_VIP_RULELIST '
+ '{ rules replace-all-with { RPC_PRI_VIP_ALLOW { action accept-decisively '
+ 'ip-protocol tcp source { address-lists replace-all-with { RPC_PRI_VIP_ALLOW_IPS } } '
+ 'destination { addresses replace-all-with { %(private_ip)s { } } '
+ 'port-lists replace-all-with { RPC_VIP_PORTS } } } } }\n'
+ #
+ 'create security firewall rule-list RPC_SECURITY_RULES '
+ 'rules add { RPC_PROTECT_HOST { action drop '
+ 'source { vlans add { RPC_GATEWAY_NET } } '
+ 'destination { address-lists replace-all-with { RPC-HOST-NET } } place-before first } }\n'
+ '\n'
+ #Apply to Global Policy
+ 'modify security firewall policy GLOBAL-POLICY rules add { RPC_PUB_VIP_RULE { rule-list RPC_PUB_VIP_RULELIST place-after RACKNEST } }\n'
+ 'modify security firewall policy GLOBAL-POLICY rules add { RPC_PRI_VIP_RULE { rule-list RPC_PRI_VIP_RULELIST place-after RACKNEST } }\n'
+ 'modify security firewall policy GLOBAL-POLICY rules add { RPC_SECURITY { place-after ICMP-ALLOW rule-list RPC_SECURITY_RULES } }\n'
+)
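Review bot: The private-VIP allow list `RPC_PRI_VIP_ALLOW_IPS { addresses add { 0.0.0.0/0 } }` (L140) is applied to `%(private_ip)s`, which main() fills with the internal LB VIP, and RPC_VIP_PORTS (L135–L136) includes 3306/3307 (MySQL), 9200 and 35357, so enabling `--afm` accepts traffic to the internal database and admin-API ports from any source the firewall can see. The public list should carry only the public API ports, and the private list should be limited to the management/container CIDRs — e.g. `RPC_PRI_VIP_ALLOW_IPS { addresses add { %(sec_host_net)s } }`, using the value that already reaches this template. The list and rule names are hardcoded `RPC_…` instead of being built from PREFIX_NAME like every other object, and `place-after RACKNEST` / `place-after ICMP-ALLOW` assume rules of those names already exist in GLOBAL-POLICY; a short comment stating those preconditions above the block would save the next operator a failed `modify`.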
+
SEC_CONTAINER_VIRTUAL_ENTRIES = (
'create ltm virtual /' + PART + '/' + PREFIX_NAME + '_LIMIT_ACCESS_TO_CONTAINER_NET {'
' connection-limit 1 destination %(sec_container_net)s:0 ip-forward mask'
@@ -188,6 +212,7 @@ POOL_PARTS = {
'mon_type': '/' + PART + '/RPC-MON-EXT-ENDPOINT',
'group': 'glance_api',
'make_public': True,
+ 'x-forwarded-proto': True,
'hosts': []
},
'glance_registry': {
@@ -203,6 +228,7 @@ POOL_PARTS = {
'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_TCP_HEAT_API_CFN',
'group': 'heat_api_cfn',
'make_public': True,
+ 'x-forwarded-proto': True,
'hosts': []
},
'heat_api_cloudwatch': {
@@ -211,6 +237,7 @@ POOL_PARTS = {
'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_TCP_HEAT_API_CLOUDWATCH',
'group': 'heat_api_cloudwatch',
'make_public': True,
+ 'x-forwarded-proto': True,
'hosts': []
},
'heat_api': {
@@ -219,6 +246,7 @@ POOL_PARTS = {
'mon_type': '/' + PART + '/RPC-MON-EXT-ENDPOINT',
'group': 'heat_api',
'make_public': True,
+ 'x-forwarded-proto': True,
'hosts': []
},
'keystone_admin': {
@@ -234,6 +262,7 @@ POOL_PARTS = {
'mon_type': '/' + PART + '/RPC-MON-EXT-ENDPOINT',
'group': 'keystone',
'make_public': True,
+ 'x-forwarded-proto': True,
'hosts': []
},
'neutron_server': {
@@ -242,6 +271,7 @@ POOL_PARTS = {
'mon_type': '/' + PART + '/RPC-MON-EXT-ENDPOINT',
'group': 'neutron_server',
'make_public': True,
+ 'x-forwarded-proto': True,
'hosts': []
},
'nova_api_metadata': {
@@ -257,6 +287,7 @@ POOL_PARTS = {
'mon_type': '/' + PART + '/RPC-MON-EXT-ENDPOINT',
'group': 'nova_api_os_compute',
'make_public': True,
+ 'x-forwarded-proto': True,
'hosts': []
},
'nova_spice_console': {
@@ -269,22 +300,13 @@ POOL_PARTS = {
'make_public': True,
'persist': True
},
- 'nova_novnc_console': {
- 'port': 6080,
- 'backend_port': 6080,
- 'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_HTTP_NOVA_NOVNC_CONSOLE',
- 'group': 'nova_console',
- 'hosts': [],
- 'ssl_impossible': True,
- 'make_public': True,
- 'persist': True
- },
'cinder_api': {
'port': 8776,
'backend_port': 8776,
'mon_type': '/' + PART + '/RPC-MON-EXT-ENDPOINT',
'group': 'cinder_api',
'make_public': True,
+ 'x-forwarded-proto': True,
'hosts': []
},
'horizon': {
@@ -296,12 +318,12 @@ POOL_PARTS = {
},
'horizon_ssl': {
'port': 443,
- 'backend_port': 80,
- 'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_HTTP_HORIZON',
+ 'backend_port': 443,
+ 'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_HTTP_HORIZON_443',
'group': 'horizon',
'hosts': [],
'make_public': True,
- 'persist': True,
+ 'persist': True
},
'elasticsearch': {
'port': 9200,
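Review bot: horizon_ssl now targets `backend_port: 443` but still has no `'backend_ssl': True`, so the branch in main() that attaches the serverside SSL profile (`if not value.get('backend_ssl')`) is not taken and the LTM will forward plaintext HTTP to the pool members on 443; if the horizon backends terminate TLS on 443, add `'backend_ssl': True,` next to `'backend_port': 443,`. The paired monitor `_MON_HTTP_HORIZON_443` is an `http` monitor (`defaults-from http`, L82–L83) aimed at `*:443`, which can never match `"200 OK"` against a TLS listener and would mark every member down — it should be `create ltm monitor https … defaults-from https`, as the removed `_MON_HTTPS_HORIZON_SSL` was. Whether the containers really speak TLS on 443 is not visible here; either way the pool entry and its monitor need to agree on the protocol.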
@@ -335,6 +357,7 @@ POOL_PARTS = {
'mon_type': '/' + PART + '/RPC-MON-EXT-ENDPOINT',
'group': 'swift_proxy',
'make_public': True,
+ 'x-forwarded-proto': True,
'hosts': []
},
'repo': {
@@ -342,26 +365,11 @@ POOL_PARTS = {
'backend_port': 8181,
'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_HTTP_REPO',
'group': 'pkg_repo',
- 'hosts': []
- },
- 'repo_cache':{
- 'port': 3142,
- 'backend_port': 3142,
- 'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_HTTP_REPO_CACHE',
- 'group': 'repo_all',
'priority': True,
'hosts': []
- },
- 'repo_git': {
- 'port': 9418,
- 'backend_port': 9418,
- 'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_TCP_REPO_GIT',
- 'group': 'pkg_repo',
- 'hosts': []
}
}
-
def recursive_host_get(inventory, group_name, host_dict=None):
if host_dict is None:
host_dict = {}
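Review bot: The blank line between the closing `}` of POOL_PARTS and `def recursive_host_get` is removed (L296), leaving no separation before a top-level def where PEP 8 asks for two; keep two blank lines there. The rest of the hunk only drops the repo_cache/repo_git entries and moves `'priority': True` onto the repo pool, matching the monitor removals at L91–L103. recursive_host_get's body continues outside the hunk.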
@@ -391,7 +399,7 @@ def recursive_host_get(inventory, group_name, host_dict=None):
def build_pool_parts(inventory):
- for key, value in POOL_PARTS.items():
+ for key, value in POOL_PARTS.iteritems():
recursive_host_get(
inventory, group_name=value['group'], host_dict=value
)
@@ -409,8 +417,7 @@ def file_find(filename, user_file=None, pass_exception=False):
$(pwd)/openstack_deploy/
:param filename: ``str`` Name of the file to find
- :param user_file: ``str`` Additional location to look in FIRST for a file
- :param pass_exception: ``bool`` sys.exit if the file is not there and false
+ :param user_file: ``str`` Additional localtion to look in FIRST for a file
"""
file_check = [
os.path.join(
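Review bot: The docstring line for `pass_exception` is deleted although the parameter is still present in the signature shown in the hunk header, and the surviving `user_file` line gains a typo (`localtion`). Restore `:param user_file: ``str`` Additional location to look in FIRST for a file` and keep a `:param pass_exception:` line describing whatever behaviour the parameter still has; if the body no longer honours it (the hunk at L25–L56 drops `import sys`), remove the parameter rather than only its documentation. file_find's body continues outside the hunk.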
@@ -482,21 +489,21 @@ def args():
'--ssl-domain-name',
help='Name of the domain that will have an ssl cert.',
required=False,
- default=LAB_NAME_URL
+ default=None
)
parser.add_argument(
'--sec-host-network',
- help='Security host network address and netmask.'
- ' EXAMPLE: "192.168.1.1:255.255.255.0"',
+ help='Security host network in CIDR format.'
+ ' EXAMPLE: "192.168.1.0/24"',
required=False,
default=None
)
parser.add_argument(
'--sec-container-network',
- help='Security container network address and netmask.'
- ' EXAMPLE: "192.168.1.1:255.255.255.0"',
+ help='Security container network in CIDR format.'
+ ' EXAMPLE: "192.168.2.1/24',
required=False,
default=None
)
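Review bot: The `--sec-container-network` example is missing its closing quote: `' EXAMPLE: "192.168.2.1/24',` should be `' EXAMPLE: "192.168.2.1/24"',`. The example also gives a host address inside the prefix, while main() later uses `containernet.ip` (the address as typed, not the network address), so the example as written would produce a destination of 192.168.2.1 paired with a /24 mask; either use `"192.168.2.0/24"` here, as the host-network example does, or have main() use `.network`.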
@@ -504,7 +511,7 @@ def args():
parser.add_argument(
'--sec-public-vlan-name',
help='Security container network address and netmask.'
- ' EXAMPLE: "192.168.1.1:255.255.255.0"',
+ ' EXAMPLE: "FW-LB"',
required=False,
default=None
)
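Review bot: The help text for `--sec-public-vlan-name` still reads 'Security container network address and netmask.' while only the example was changed to a VLAN name; the value is used as the VLAN of the security host-network virtual server (L577), so replace it with `help='Name of the VLAN used by the security host-network virtual server.' ' EXAMPLE: "FW-LB"',`.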
@@ -537,6 +544,16 @@ def args():
)
parser.add_argument(
+ '--afm',
+ help='Pass this argument if the f5 environment is using the Advanced Firewall Module.'
+ 'Adding this flag will create the required rules to open up the API to ALL SOURCES.'
+ 'It will also create a rule to block communication from the Provider Network to the Host network.',
+ required=False,
+ default=False,
+ action='store_true'
+ )
+
+ parser.add_argument(
'-S',
'--Superman',
help='Yes, its Superman ... strange visitor from another planet,'
@@ -548,6 +565,8 @@ def args():
default=False,
action='store_true'
)
+
+
return vars(parser.parse_args())
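Review bot: The three adjacent literals in the `--afm` help text have no separating spaces, so argparse prints 'Module.Adding' and 'SOURCES.It'; end each literal with a space (`'... Advanced Firewall Module. '`, `'... to ALL SOURCES. '`). `default=False` is redundant with `action='store_true'`. The two blank lines added before `return vars(parser.parse_args())` are unusual inside a function body and can go.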
@@ -562,76 +581,65 @@ def main():
inventory_json = json.loads(f.read())
commands = []
- nodes = []
+ nodes = set()
pools = []
virts = []
sslvirts = []
pubvirts = []
-
- if IS_LEM is True:
- SEC_RULE=[
- 'create ltm rule /' + PART + '/' + PREFIX_NAME + '_DISCARD_ALL',
- ' --> Copy and Paste the following between pre-included curly brackets <--',
- 'when CLIENT_ACCEPTED { discard }\n']
- else:
- SEC_RULE=[
- 'run util bash',
- 'tmsh create ltm rule /' + PART + '/' + PREFIX_NAME + '_DISCARD_ALL when CLIENT_ACCEPTED { discard }',
- 'exit'
- ]
+ afmrules = []
commands.extend([
- '### CREATE SECURITY iRULE ###'
- ] + SEC_RULE + [
+ '### CREATE SECURITY iRULE ###',
+ 'run util bash',
+ 'tmsh create ltm rule /' + PART + '/' + PREFIX_NAME + '_DISCARD_ALL when CLIENT_ACCEPTED { discard }',
+ 'exit',
+ '### CREATE HTTP PROFILE ###',
+ 'create ltm profile http /' + PART + '/' + PREFIX_NAME + '_X-FORWARDED-PROTO { header-insert "X-Forwarded-Proto: https" }\n',
'### CREATE EXTERNAL MONITOR ###',
' --> Upload External monitor file to disk <--',
' run util bash',
- ' cd /config/monitors/',
- ' vi RPC-MON-EXT-ENDPOINT.monitor',
- ' --> Copy and Paste the External monitor into vi <--',
- (' create sys file external-monitor /' + PART +
- '/RPC-MON-EXT-ENDPOINT { source-path file:///config/monitors/RPC-MON-EXT-ENDPOINT.monitor }'),
+ ' curl -k -o /config/monitors/RPC-MON-EXT-ENDPOINT.monitor https://raw.githubusercontent.com/dpham-rs/rpc-openstack/master/scripts/f5-monitor.sh',
+ ' exit',
+
+ ' create sys file external-monitor /' + PART + '/RPC-MON-EXT-ENDPOINT { source-path file:///config/monitors/RPC-MON-EXT-ENDPOINT.monitor }',
' save sys config',
- (' create ltm monitor external /' + PART + '/RPC-MON-EXT-ENDPOINT { interval 20 timeout 61 run /' +
- PART + '/RPC-MON-EXT-ENDPOINT }\n')
+ ' create ltm monitor external /' + PART + '/RPC-MON-EXT-ENDPOINT { interval 20 timeout 61 run /' + PART + '/RPC-MON-EXT-ENDPOINT }\n'
])
if user_args['ssl_domain_name']:
commands.extend([
'### UPLOAD SSL CERT KEY PAIR ###',
'cd /RPC',
- 'install sys crypto cert /' + PART + '/%(ssl_domain_name)s.crt from-editor'
+ 'create sys crypto key /' + PART + '/%(ssl_domain_name)s.key'
% user_args,
- ' --> Copy and Paste provided domain cert for public api endpoint <--',
- 'install sys crypto key /' + PART + '/%(ssl_domain_name)s.key from-editor'
+ 'create sys crypto cert /' + PART + '/%(ssl_domain_name)s.crt key /' % user_args + PART + '/%(ssl_domain_name)s.key common-name %(ssl_domain_name)s lifetime 3650'
% user_args,
- ' --> Copy and Paste provided domain key for public api endpoint <--',
'cd /Common\n',
'### CREATE SSL PROFILES ###',
('create ltm profile client-ssl'
- ' /' + PART + '/' + PREFIX_NAME + '_PROF_SSL_%(ssl_domain_name)s'
- ' { cert /' + PART + '/%(ssl_domain_name)s.crt key'
- ' /' + PART + '/%(ssl_domain_name)s.key defaults-from clientssl }')
+ ' /' + PART + '/' + PREFIX_NAME + '_PROF_SSL_%(ssl_domain_name)s'
+ ' { cert /' + PART + '/%(ssl_domain_name)s.crt key'
+ ' /' + PART + '/%(ssl_domain_name)s.key defaults-from clientssl }')
% user_args,
- ('create ltm profile server-ssl /' + PART + '/' + PREFIX_NAME +
- '_PROF_SSL_SERVER { defaults-from /Common/serverssl }\n')
+ 'create ltm profile server-ssl /' + PART + '/' + PREFIX_NAME + '_PROF_SSL_SERVER { defaults-from /Common/serverssl }\n'
% user_args,
])
+
if user_args['Superman']:
- print(' ************************** ')
- print(' .*##*:*####***:::**###*:######*. ')
- print(' *##: .###* *######:,##* ')
- print(' *##: :####: *####*. :##: ')
- print(' *##,:########**********:, :##: ')
- print(' .#########################*, *#* ')
- print(' *#########################*##: ')
- print(' *##, ..,,::**#####: ')
- print(' ,##*,*****, *##* ')
- print(' *#########*########: ')
- print(' *##*:*******###* ')
- print(' .##*. ,##* ')
- print(' :##* *##, ')
- print(' *####: ')
- print(' :, ')
+ print " ************************** "
+ print " .*##*:*####***:::**###*:######*. "
+ print " *##: .###* *######:,##* "
+ print " *##: :####: *####*. :##: "
+ print " *##,:########**********:, :##: "
+ print " .#########################*, *#* "
+ print " *#########################*##: "
+ print " *##, ..,,::**#####: "
+ print " ,##*,*****, *##* "
+ print " *#########*########: "
+ print " *##*:*******###* "
+ print " .##*. ,##* "
+ print " :##* *##, "
+ print " *####: "
+ print " :, "
# Kal-El
# SUPERMAN
# JNA
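Review bot: The new external-monitor step fetches `f5-monitor.sh` with `curl -k` from the `master` branch of a personal fork and registers it as an executable monitor on the F5 (L412, L415), so the code that will run on the load balancer is pulled with TLS verification disabled from a mutable, unreviewed location. Drop `-k`, pin the URL to a tagged release or a specific commit, and verify a known digest before `create sys file external-monitor` (a `sha256sum -c` against a checksum shipped alongside this script) — or keep the previous paste-from-disk flow. Separately, the SSL section now runs `create sys crypto cert … lifetime 3650` (L430), which generates a self-signed certificate instead of installing the operator-provided one, while the heading `### UPLOAD SSL CERT KEY PAIR ###` still promises an upload; rename the heading or restore the `install … from-editor` path. The print statements at L465–L479 are Python 2 syntax (see the note on the import hunk). main() continues outside this hunk.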
@@ -639,10 +647,7 @@ def main():
pool_parts = build_pool_parts(inventory=inventory_json)
lb_vip_address = inventory_json['all']['vars']['internal_lb_vip_address']
- if user_args['ssl_public_ip'] is None:
- user_args['ssl_public_ip'] = inventory_json['all']['vars']['external_lb_vip_address']
-
- for key, value in pool_parts.items():
+ for key, value in pool_parts.iteritems():
value['group_name'] = key.upper()
value['vs_name'] = '%s_VS_%s' % (
PREFIX_NAME, value['group_name']
@@ -655,7 +660,7 @@ def main():
priority = 100
for node in value['hosts']:
node['node_name'] = '%s_NODE_%s' % (PREFIX_NAME, node['hostname'])
- nodes.append(NODES % node)
+ nodes.add(NODES % node)
if value.get('persist'):
persist = PERSIST_OPTION
else:
@@ -676,16 +681,15 @@ def main():
virts.append(virt)
if user_args['ssl_public_ip']:
if not value.get('backend_ssl'):
- virtual_dict['ssl_profiles'] = (
+ virtual_dict['ltm_profiles'] = (
'/' + PART + '/' + PREFIX_NAME + '_PROF_SSL_%(ssl_domain_name)s { context clientside }'
) % user_args
+ if value.get ('x-forwarded-proto'):
+ virtual_dict['ltm_profiles'] = '/' + PART + '/' + PREFIX_NAME + '_X-FORWARDED-PROTO { }/' + PART + '/' + PREFIX_NAME + '_PROF_SSL_%(ssl_domain_name)s { context clientside }'% user_args
else:
- virtual_dict['ssl_profiles'] = (
- '/' + PART + '/' + PREFIX_NAME + '_PROF_SSL_SERVER { context serverside } /' + PART + '/' +
- PREFIX_NAME + '_PROF_SSL_%(ssl_domain_name)s { context clientside }' % user_args
- )
+ virtual_dict['ltm_profiles'] = '/' + PART + '/' + PREFIX_NAME + '_PROF_SSL_SERVER { context serverside } /' + PART + '/' + PREFIX_NAME + '_PROF_SSL_%(ssl_domain_name)s { context clientside }'% user_args
if value.get('make_public'):
- if value.get('ssl_impossible'):
+ if value.get ('ssl_impossible'):
virtual_dict['vs_name'] = '%s_VS_%s' % (
'RPC_PUB', value['group_name']
)
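Review bot: The combined profile string at L512 has no separator between the HTTP profile and the SSL profile path: it renders as `…_X-FORWARDED-PROTO { }/RPC/…_PROF_SSL_… { context clientside }`, and tmsh may read `}/RPC/…` as a single token; change the literal to `'_X-FORWARDED-PROTO { } /' + PART + …`. The branch also overwrites the value assigned two lines earlier rather than prefixing it, so the two assignments could be one expression with a conditional prefix, which would also shorten the very long L512 and L518. `value.get ('x-forwarded-proto')` and `value.get ('ssl_impossible')` carry a space before the call parenthesis that the rest of the file does not use.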
@@ -696,7 +700,7 @@ def main():
pubvirts.append(pubvirt)
else:
virtual_dict['vs_name'] = '%s_VS_%s' % (
- 'RPC_PUB_SSL', value['group_name']
+ 'RPC_PUB_SSL', value['group_name']
)
sslvirt = '%s' % PUB_SSL_VIRTUAL_ENTRIES % virtual_dict
if sslvirt not in sslvirts:
@@ -738,23 +742,28 @@ def main():
snat_pool = '%s\n' % SNAT_POOL % {
'snat_pool_addresses': snat_pool_addresses
}
+ snat_translations = []
+ for snat_ip in snat_pool_adds.split(","):
+ snat_translations.append( SNAT_IDLE % snat_ip)
script = [
'#!/usr/bin/bash\n',
+ r'### F5 Build Script -- Newton ###',
r'### CREATE RPC PARTITION ###',
'create auth partition %s\n' % PART,
r'### SET DISPLAY PORT NUMBERS ###',
'modify cli global-settings service number\n',
snat_pool
]
+ script.extend(['%s' % i for i in snat_translations])
- script.extend(['### CREATE MONITORS ###'])
+ script.extend(['\n### CREATE MONITORS ###'])
script.extend(['%s' % i % user_args for i in MONITORS])
script.extend(['%s' % i for i in commands])
script.extend(['### CREATE PERSISTENCE PROFILES ###'])
- script.extend(['%s' % i % user_args for i in PERSISTENCE])
+ script.extend(['%s' % i % user_args for i in PERSISTANCE])
script.extend(['### CREATE NODES ###'])
- script.extend(['%s' % i % user_args for i in nodes])
+ script.extend(['%s' % i % user_args for i in sorted(nodes)])
script.extend(['\n### CREATE POOLS ###'])
script.extend(pools)
script.extend(['\n### CREATE VIRTUAL SERVERS ###'])
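Review bot: The SNAT idle-timeout commands are built from `snat_pool_adds.split(",")` without stripping whitespace or skipping empty items, so an input such as `"10.0.0.1, 10.0.0.2"` (constructed) or a trailing comma produces `modify ltm snat-translation /RPC/ 10.0.0.2 { … }` entries that tmsh rejects; use `for snat_ip in (s.strip() for s in snat_pool_adds.split(',')):` with `if snat_ip:` before the append. `snat_pool_adds` is assigned above this hunk, so its exact format is not visible here. `script.extend(['%s' % i for i in snat_translations])` is simply `script.extend(snat_translations)`.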
@@ -765,23 +774,38 @@ def main():
script.extend(pubvirts)
if user_args['sec_host_network']:
- hostnet, netmask = user_args['sec_host_network'].split(':')
+ hostnet = netaddr.IPNetwork(user_args['sec_host_network'])
if not user_args['sec_public_vlan_name']:
raise SystemExit('Please set the [ --sec-public-vlan-name ] value')
script.append(
SEC_HOSTNET_VIRTUAL_ENTRIES % {
- 'sec_host_net': hostnet,
- 'sec_host_netmask': netmask,
+ 'sec_host_net': str(hostnet.ip),
+ 'sec_host_netmask': str(hostnet.netmask),
'sec_public_vlan_name': user_args['sec_public_vlan_name']
}
)
if user_args['sec_container_network']:
- hostnet, netmask = user_args['sec_container_network'].split(':')
+ containernet = netaddr.IPNetwork(user_args['sec_container_network'])
script.append(
SEC_CONTAINER_VIRTUAL_ENTRIES % {
- 'sec_container_net': hostnet,
- 'sec_container_netmask': netmask
+ 'sec_container_net': str(containernet.ip),
+ 'sec_container_netmask': str(containernet.netmask)
+ }
+ )
+
+
+ script.extend(afmrules)
+ if user_args['afm']:
+ if not user_args['ssl_public_ip']:
+ raise SystemExit('Please set the [ --ssl_public_ip ] value')
+ if not user_args['sec_host_network']:
+ raise SystemExit('Please set the [ --sec_host_network ] value')
+ script.append(
+ SEC_AFM_RULES % {
+ 'ssl_public_ip': user_args['ssl_public_ip'],
+ 'private_ip': lb_vip_address,
+ 'sec_host_net': user_args['sec_host_network']
}
)
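Review bot: The new SystemExit messages name the options as `--ssl_public_ip` and `--sec_host_network`, but the argparse flags use dashes (`--sec-host-network` at L324, and the existing message on L570 already follows that form), so the operator is pointed at flags that do not exist; use `[ --ssl-public-ip ]` and `[ --sec-host-network ]`. `str(hostnet.ip)` and `str(containernet.ip)` return the address exactly as typed rather than the network address, so `192.168.2.1/24` (the example in args()) yields a host address paired with a /24 mask — `.network` is presumably what the destination/mask pair needs; confirm against the F5 virtual-server syntax. `afmrules` is never populated, so `script.extend(afmrules)` is dead code, and `'sec_host_net'` receives the raw argument string although the parsed `hostnet` is already in scope (the check at L597 guarantees it is bound); `str(hostnet.cidr)` would supply a normalised value.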