Created
February 15, 2017 15:54
-
-
Save d34dh0r53/cf18c952a9f9c90335f6e98b9bc4adbd to your computer and use it in GitHub Desktop.
F5 Config Newton
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ~/S/rpc-openstack git:master ❯❯❯ diff ./scripts/f5-config.py ../dpham-rpc-openstack/scripts/f5-config-newton.py ✭ | |
| diff --git 1/./scripts/f5-config.py 2/../dpham-rpc-openstack/scripts/f5-config-newton.py | |
| old mode 100755 | |
| new mode 100644 | |
| index 6ad18ed..ada22c0 | |
| --- 1/./scripts/f5-config.py | |
| +++ 2/../dpham-rpc-openstack/scripts/f5-config-newton.py | |
| @@ -1,5 +1,5 @@ | |
| #!/usr/bin/env python | |
| -# Copyright 2014-2016, Rackspace US, Inc. | |
| +# Copyright 2014, Rackspace US, Inc. | |
| # | |
| # Licensed under the Apache License, Version 2.0 (the "License"); | |
| # you may not use this file except in compliance with the License. | |
| @@ -12,29 +12,18 @@ | |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| # See the License for the specific language governing permissions and | |
| # limitations under the License. | |
| -# | |
| + | |
| # (c) 2014, Kevin Carter <[email protected]> | |
| -from __future__ import print_function | |
| +# Fork by David Pham <[email protected]> | |
| +# Yet again, completely buchered by Jonathan <[email protected]> | |
| + | |
| import argparse | |
| import json | |
| import os | |
| -import sys | |
| - | |
| import netaddr | |
| -IS_LEM = True | |
| - | |
| -LAB_DATA_DIR = os.environ.get('LAB_DATA_DIR') | |
| -LAB_NAME = os.environ.get('LAB_NAME') | |
| -if LAB_DATA_DIR is None or LAB_NAME is None: | |
| - IS_LEM = False | |
| - | |
| -LAB_NAME_URL = None | |
| PART = 'RPC' | |
| PREFIX_NAME = 'RPC' | |
| -if IS_LEM: | |
| - LAB_NAME_URL = LAB_NAME.lower() + '.rpc.rackspace.com' | |
| - PREFIX_NAME = PART = LAB_NAME.upper() | |
| SNAT_POOL = ( | |
| '### CREATE SNATPOOL ###\n' | |
| @@ -42,8 +31,8 @@ SNAT_POOL = ( | |
| ' %(snat_pool_addresses)s } }' | |
| ) | |
| -# Persistence Profile: | |
| -PERSISTENCE = [ | |
| +#Persistance Profile: | |
| +PERSISTANCE = [ | |
| r'create ltm persistence source-addr /' + PART + '/' + PREFIX_NAME + '_PROF_PERSIST_IP {' | |
| r' app-service none defaults-from /Common/source_addr' | |
| r' match-across-services enabled timeout 3600 }', | |
| @@ -63,17 +52,17 @@ MONITORS = [ | |
| r' defaults-from http destination *:8775 recv "200 OK" send "HEAD /' | |
| r' HTTP/1.1\r\nHost: rpc\r\n\r\n" }', | |
| r'create ltm monitor http /' + PART + '/' + PREFIX_NAME + '_MON_HTTP_HORIZON { defaults-from http' | |
| - r' destination *:80 recv "302 Found" send "HEAD / HTTP/1.1\r\nHost:' | |
| + r' destination *:80 recv "302 Found" send "HEAD /auth/login/ HTTP/1.1\r\nHost:' | |
| r' rpc\r\n\r\n" }', | |
| r'create ltm monitor http /' + PART + '/' + PREFIX_NAME + '_MON_HTTP_NOVA_SPICE_CONSOLE {' | |
| r' defaults-from http destination *:6082 recv "200 OK" send "HEAD /spice_auto.html' | |
| r' HTTP/1.1\r\nHost: rpc\r\n\r\n" }', | |
| - r'create ltm monitor http /' + PART + '/' + PREFIX_NAME + '_MON_HTTP_NOVA_NOVNC_CONSOLE {' | |
| - r' defaults-from http destination *:6080 recv "200 OK" send "HEAD /novnc_auto.html' | |
| - r' HTTP/1.1\r\nHost: rpc\r\n\r\n" }', | |
| - r'create ltm monitor https /' + PART + '/' + PREFIX_NAME + '_MON_HTTPS_HORIZON_SSL { defaults-from' | |
| - r' https destination *:443 recv "302 FOUND" send "HEAD / HTTP/1.1\r\nHost:' | |
| + r'create ltm monitor http /' + PART + '/' + PREFIX_NAME + '_MON_HTTP_HORIZON_443 { defaults-from' | |
| + r' http destination *:443 recv "200 OK" send "HEAD /auth/login/ HTTP/1.1\r\nHost:' | |
| r' rpc\r\n\r\n" }', | |
| + r'create ltm monitor https /' + PART + '/' + PREFIX_NAME + '_MON_HTTPS_NOVA_SPICE_CONSOLE {' | |
| + r' defaults-from https destination *:6082 recv "200 OK" send "HEAD /' | |
| + r' HTTP/1.1\r\nHost: rpc\r\n\r\n" }', | |
| r'create ltm monitor tcp /' + PART + '/' + PREFIX_NAME + '_MON_TCP_HEAT_API_CFN { defaults-from tcp' | |
| r' destination *:8000 }', | |
| r'create ltm monitor tcp /' + PART + '/' + PREFIX_NAME + '_MON_TCP_HEAT_API_CLOUDWATCH {' | |
| @@ -86,12 +75,7 @@ MONITORS = [ | |
| r' tcp destination *:9200 }', | |
| r'create ltm monitor http /' + PART + '/' + PREFIX_NAME + '_MON_HTTP_REPO {' | |
| r' defaults-from http destination *:8181 recv "200 OK" send "HEAD /' | |
| - r' HTTP/1.1\r\nHost: rpc\r\n\r\n" }', | |
| - r' create ltm monitor http /' + PART + '/' + PREFIX_NAME + '_MON_HTTP_REPO_CACHE {' | |
| - r' defaults-from http destination *:3142 recv "200 OK" send "HEAD /acng-report.html' | |
| - r' HTTP/1.1\r\nHost: rpc\r\n\r\n" }', | |
| - r'create ltm monitor tcp /' + PART + '/' + PREFIX_NAME + '_MON_TCP_REPO_GIT {' | |
| - r' defaults-from tcp destination *:9418 }', | |
| + r' HTTP/1.1\r\nHost: rpc\r\n\r\n" }' | |
| '\n' | |
| ] | |
| @@ -99,11 +83,15 @@ NODES = ( | |
| 'create ltm node /' + PART + '/%(node_name)s { address %(container_address)s }' | |
| ) | |
| +SNAT_IDLE = ( | |
| + 'modify ltm snat-translation /' + PART + '/%s { ip-idle-timeout 3600 }' | |
| +) | |
| + | |
| PRIORITY_ENTRY = '{ priority-group %(priority_int)s }' | |
| POOL_NODE = { | |
| 'beginning': 'create ltm pool /' + PART + '/%(pool_name)s {' | |
| - ' load-balancing-mode fastest-node members replace-all-with' | |
| + ' load-balancing-mode least-connections-node members replace-all-with' | |
| ' { %(nodes)s }', | |
| 'priority': 'min-active-members 1', | |
| 'end': 'monitor %(mon_type)s }' | |
| @@ -137,7 +125,7 @@ PUB_SSL_VIRTUAL_ENTRIES = ( | |
| 'create ltm virtual /' + PART + '/%(vs_name)s {' | |
| ' destination %(ssl_public_ip)s:%(port)s ip-protocol tcp' | |
| ' pool /' + PART + '/%(pool_name)s' | |
| - r' profiles replace-all-with { /Common/tcp { } %(ssl_profiles)s }' | |
| + r' profiles replace-all-with { /Common/tcp { } %(ltm_profiles)s }' | |
| ' %(persist)s' | |
| ' source-address-translation { pool /' + PART + '/' + PREFIX_NAME + '_SNATPOOL type snat }' | |
| ' }' | |
| @@ -163,6 +151,42 @@ SEC_HOSTNET_VIRTUAL_ENTRIES = ( | |
| ' }' | |
| ) | |
| +SEC_AFM_RULES = ( | |
| + '\n### CREATE AFM LIST AND RULES ###\n' | |
| + #Port Lists | |
| + 'create security firewall port-list RPC_VIP_PORTS ' | |
| + '{ ports add { 80 { } 443 { } 3306 { } 3307 { } 5000 { } 6082 { } 8000 { } 8003 { } 8004 { } 8080 { } ' | |
| + '8181 { } 8443 { } 8774 { } 8775 { } 8776 { } 8888 { } 9191 { } 9200 { } 9292 { } 9696 { } 35357 { } } }\n' | |
| + '\n' | |
| + #Addr Lists | |
| + 'create security firewall address-list RPC_PUB_VIP_ALLOW_IPS { addresses add { 0.0.0.0/0 } }\n' | |
| + 'create security firewall address-list RPC_PRI_VIP_ALLOW_IPS { addresses add { 0.0.0.0/0 } }\n' | |
| + 'create security firewall address-list RPC-HOST-NET { addresses replace-all-with { %(sec_host_net)s { } } }\n' | |
| + '\n' | |
| + #Rule Lists | |
| + 'create security firewall rule-list RPC_PUB_VIP_RULELIST ' | |
| + '{ rules replace-all-with { RPC_PUB_VIP_ALLOW { action accept-decisively ' | |
| + 'ip-protocol tcp source { address-lists replace-all-with { RPC_PUB_VIP_ALLOW_IPS } } ' | |
| + 'destination { addresses replace-all-with { %(ssl_public_ip)s { } } ' | |
| + 'port-lists replace-all-with { RPC_VIP_PORTS } } } } }\n' | |
| + # | |
| + 'create security firewall rule-list RPC_PRI_VIP_RULELIST ' | |
| + '{ rules replace-all-with { RPC_PRI_VIP_ALLOW { action accept-decisively ' | |
| + 'ip-protocol tcp source { address-lists replace-all-with { RPC_PRI_VIP_ALLOW_IPS } } ' | |
| + 'destination { addresses replace-all-with { %(private_ip)s { } } ' | |
| + 'port-lists replace-all-with { RPC_VIP_PORTS } } } } }\n' | |
| + # | |
| + 'create security firewall rule-list RPC_SECURITY_RULES ' | |
| + 'rules add { RPC_PROTECT_HOST { action drop ' | |
| + 'source { vlans add { RPC_GATEWAY_NET } } ' | |
| + 'destination { address-lists replace-all-with { RPC-HOST-NET } } place-before first } }\n' | |
| + '\n' | |
| + #Apply to Global Policy | |
| + 'modify security firewall policy GLOBAL-POLICY rules add { RPC_PUB_VIP_RULE { rule-list RPC_PUB_VIP_RULELIST place-after RACKNEST } }\n' | |
| + 'modify security firewall policy GLOBAL-POLICY rules add { RPC_PRI_VIP_RULE { rule-list RPC_PRI_VIP_RULELIST place-after RACKNEST } }\n' | |
| + 'modify security firewall policy GLOBAL-POLICY rules add { RPC_SECURITY { place-after ICMP-ALLOW rule-list RPC_SECURITY_RULES } }\n' | |
| +) | |
| + | |
| SEC_CONTAINER_VIRTUAL_ENTRIES = ( | |
| 'create ltm virtual /' + PART + '/' + PREFIX_NAME + '_LIMIT_ACCESS_TO_CONTAINER_NET {' | |
| ' connection-limit 1 destination %(sec_container_net)s:0 ip-forward mask' | |
| @@ -188,6 +212,7 @@ POOL_PARTS = { | |
| 'mon_type': '/' + PART + '/RPC-MON-EXT-ENDPOINT', | |
| 'group': 'glance_api', | |
| 'make_public': True, | |
| + 'x-forwarded-proto': True, | |
| 'hosts': [] | |
| }, | |
| 'glance_registry': { | |
| @@ -203,6 +228,7 @@ POOL_PARTS = { | |
| 'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_TCP_HEAT_API_CFN', | |
| 'group': 'heat_api_cfn', | |
| 'make_public': True, | |
| + 'x-forwarded-proto': True, | |
| 'hosts': [] | |
| }, | |
| 'heat_api_cloudwatch': { | |
| @@ -211,6 +237,7 @@ POOL_PARTS = { | |
| 'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_TCP_HEAT_API_CLOUDWATCH', | |
| 'group': 'heat_api_cloudwatch', | |
| 'make_public': True, | |
| + 'x-forwarded-proto': True, | |
| 'hosts': [] | |
| }, | |
| 'heat_api': { | |
| @@ -219,6 +246,7 @@ POOL_PARTS = { | |
| 'mon_type': '/' + PART + '/RPC-MON-EXT-ENDPOINT', | |
| 'group': 'heat_api', | |
| 'make_public': True, | |
| + 'x-forwarded-proto': True, | |
| 'hosts': [] | |
| }, | |
| 'keystone_admin': { | |
| @@ -234,6 +262,7 @@ POOL_PARTS = { | |
| 'mon_type': '/' + PART + '/RPC-MON-EXT-ENDPOINT', | |
| 'group': 'keystone', | |
| 'make_public': True, | |
| + 'x-forwarded-proto': True, | |
| 'hosts': [] | |
| }, | |
| 'neutron_server': { | |
| @@ -242,6 +271,7 @@ POOL_PARTS = { | |
| 'mon_type': '/' + PART + '/RPC-MON-EXT-ENDPOINT', | |
| 'group': 'neutron_server', | |
| 'make_public': True, | |
| + 'x-forwarded-proto': True, | |
| 'hosts': [] | |
| }, | |
| 'nova_api_metadata': { | |
| @@ -257,6 +287,7 @@ POOL_PARTS = { | |
| 'mon_type': '/' + PART + '/RPC-MON-EXT-ENDPOINT', | |
| 'group': 'nova_api_os_compute', | |
| 'make_public': True, | |
| + 'x-forwarded-proto': True, | |
| 'hosts': [] | |
| }, | |
| 'nova_spice_console': { | |
| @@ -269,22 +300,13 @@ POOL_PARTS = { | |
| 'make_public': True, | |
| 'persist': True | |
| }, | |
| - 'nova_novnc_console': { | |
| - 'port': 6080, | |
| - 'backend_port': 6080, | |
| - 'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_HTTP_NOVA_NOVNC_CONSOLE', | |
| - 'group': 'nova_console', | |
| - 'hosts': [], | |
| - 'ssl_impossible': True, | |
| - 'make_public': True, | |
| - 'persist': True | |
| - }, | |
| 'cinder_api': { | |
| 'port': 8776, | |
| 'backend_port': 8776, | |
| 'mon_type': '/' + PART + '/RPC-MON-EXT-ENDPOINT', | |
| 'group': 'cinder_api', | |
| 'make_public': True, | |
| + 'x-forwarded-proto': True, | |
| 'hosts': [] | |
| }, | |
| 'horizon': { | |
| @@ -296,12 +318,12 @@ POOL_PARTS = { | |
| }, | |
| 'horizon_ssl': { | |
| 'port': 443, | |
| - 'backend_port': 80, | |
| - 'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_HTTP_HORIZON', | |
| + 'backend_port': 443, | |
| + 'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_HTTP_HORIZON_443', | |
| 'group': 'horizon', | |
| 'hosts': [], | |
| 'make_public': True, | |
| - 'persist': True, | |
| + 'persist': True | |
| }, | |
| 'elasticsearch': { | |
| 'port': 9200, | |
| @@ -335,6 +357,7 @@ POOL_PARTS = { | |
| 'mon_type': '/' + PART + '/RPC-MON-EXT-ENDPOINT', | |
| 'group': 'swift_proxy', | |
| 'make_public': True, | |
| + 'x-forwarded-proto': True, | |
| 'hosts': [] | |
| }, | |
| 'repo': { | |
| @@ -342,26 +365,11 @@ POOL_PARTS = { | |
| 'backend_port': 8181, | |
| 'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_HTTP_REPO', | |
| 'group': 'pkg_repo', | |
| - 'hosts': [] | |
| - }, | |
| - 'repo_cache':{ | |
| - 'port': 3142, | |
| - 'backend_port': 3142, | |
| - 'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_HTTP_REPO_CACHE', | |
| - 'group': 'repo_all', | |
| 'priority': True, | |
| 'hosts': [] | |
| - }, | |
| - 'repo_git': { | |
| - 'port': 9418, | |
| - 'backend_port': 9418, | |
| - 'mon_type': '/' + PART + '/' + PREFIX_NAME + '_MON_TCP_REPO_GIT', | |
| - 'group': 'pkg_repo', | |
| - 'hosts': [] | |
| } | |
| } | |
| - | |
| def recursive_host_get(inventory, group_name, host_dict=None): | |
| if host_dict is None: | |
| host_dict = {} | |
| @@ -391,7 +399,7 @@ def recursive_host_get(inventory, group_name, host_dict=None): | |
| def build_pool_parts(inventory): | |
| - for key, value in POOL_PARTS.items(): | |
| + for key, value in POOL_PARTS.iteritems(): | |
| recursive_host_get( | |
| inventory, group_name=value['group'], host_dict=value | |
| ) | |
| @@ -409,8 +417,7 @@ def file_find(filename, user_file=None, pass_exception=False): | |
| $(pwd)/openstack_deploy/ | |
| :param filename: ``str`` Name of the file to find | |
| - :param user_file: ``str`` Additional location to look in FIRST for a file | |
| - :param pass_exception: ``bool`` sys.exit if the file is not there and false | |
| + :param user_file: ``str`` Additional localtion to look in FIRST for a file | |
| """ | |
| file_check = [ | |
| os.path.join( | |
| @@ -482,21 +489,21 @@ def args(): | |
| '--ssl-domain-name', | |
| help='Name of the domain that will have an ssl cert.', | |
| required=False, | |
| - default=LAB_NAME_URL | |
| + default=None | |
| ) | |
| parser.add_argument( | |
| '--sec-host-network', | |
| - help='Security host network address and netmask.' | |
| - ' EXAMPLE: "192.168.1.1:255.255.255.0"', | |
| + help='Security host network in CIDR format.' | |
| + ' EXAMPLE: "192.168.1.0/24"', | |
| required=False, | |
| default=None | |
| ) | |
| parser.add_argument( | |
| '--sec-container-network', | |
| - help='Security container network address and netmask.' | |
| - ' EXAMPLE: "192.168.1.1:255.255.255.0"', | |
| + help='Security container network in CIDR format.' | |
| + ' EXAMPLE: "192.168.2.1/24', | |
| required=False, | |
| default=None | |
| ) | |
| @@ -504,7 +511,7 @@ def args(): | |
| parser.add_argument( | |
| '--sec-public-vlan-name', | |
| help='Security container network address and netmask.' | |
| - ' EXAMPLE: "192.168.1.1:255.255.255.0"', | |
| + ' EXAMPLE: "FW-LB"', | |
| required=False, | |
| default=None | |
| ) | |
| @@ -537,6 +544,16 @@ def args(): | |
| ) | |
| parser.add_argument( | |
| + '--afm', | |
| + help='Pass this argument if the f5 environment is using the Advanced Firewall Module.' | |
| + 'Adding this flag will create the required rules to open up the API to ALL SOURCES.' | |
| + 'It will also create a rule to block communication from the Provider Network to the Host network.', | |
| + required=False, | |
| + default=False, | |
| + action='store_true' | |
| + ) | |
| + | |
| + parser.add_argument( | |
| '-S', | |
| '--Superman', | |
| help='Yes, its Superman ... strange visitor from another planet,' | |
| @@ -548,6 +565,8 @@ def args(): | |
| default=False, | |
| action='store_true' | |
| ) | |
| + | |
| + | |
| return vars(parser.parse_args()) | |
| @@ -562,76 +581,65 @@ def main(): | |
| inventory_json = json.loads(f.read()) | |
| commands = [] | |
| - nodes = [] | |
| + nodes = set() | |
| pools = [] | |
| virts = [] | |
| sslvirts = [] | |
| pubvirts = [] | |
| - | |
| - if IS_LEM is True: | |
| - SEC_RULE=[ | |
| - 'create ltm rule /' + PART + '/' + PREFIX_NAME + '_DISCARD_ALL', | |
| - ' --> Copy and Paste the following between pre-included curly brackets <--', | |
| - 'when CLIENT_ACCEPTED { discard }\n'] | |
| - else: | |
| - SEC_RULE=[ | |
| - 'run util bash', | |
| - 'tmsh create ltm rule /' + PART + '/' + PREFIX_NAME + '_DISCARD_ALL when CLIENT_ACCEPTED { discard }', | |
| - 'exit' | |
| - ] | |
| + afmrules = [] | |
| commands.extend([ | |
| - '### CREATE SECURITY iRULE ###' | |
| - ] + SEC_RULE + [ | |
| + '### CREATE SECURITY iRULE ###', | |
| + 'run util bash', | |
| + 'tmsh create ltm rule /' + PART + '/' + PREFIX_NAME + '_DISCARD_ALL when CLIENT_ACCEPTED { discard }', | |
| + 'exit', | |
| + '### CREATE HTTP PROFILE ###', | |
| + 'create ltm profile http /' + PART + '/' + PREFIX_NAME + '_X-FORWARDED-PROTO { header-insert "X-Forwarded-Proto: https" }\n', | |
| '### CREATE EXTERNAL MONITOR ###', | |
| ' --> Upload External monitor file to disk <--', | |
| ' run util bash', | |
| - ' cd /config/monitors/', | |
| - ' vi RPC-MON-EXT-ENDPOINT.monitor', | |
| - ' --> Copy and Paste the External monitor into vi <--', | |
| - (' create sys file external-monitor /' + PART + | |
| - '/RPC-MON-EXT-ENDPOINT { source-path file:///config/monitors/RPC-MON-EXT-ENDPOINT.monitor }'), | |
| + ' curl -k -o /config/monitors/RPC-MON-EXT-ENDPOINT.monitor https://raw.githubusercontent.com/dpham-rs/rpc-openstack/master/scripts/f5-monitor.sh', | |
| + ' exit', | |
| + | |
| + ' create sys file external-monitor /' + PART + '/RPC-MON-EXT-ENDPOINT { source-path file:///config/monitors/RPC-MON-EXT-ENDPOINT.monitor }', | |
| ' save sys config', | |
| - (' create ltm monitor external /' + PART + '/RPC-MON-EXT-ENDPOINT { interval 20 timeout 61 run /' + | |
| - PART + '/RPC-MON-EXT-ENDPOINT }\n') | |
| + ' create ltm monitor external /' + PART + '/RPC-MON-EXT-ENDPOINT { interval 20 timeout 61 run /' + PART + '/RPC-MON-EXT-ENDPOINT }\n' | |
| ]) | |
| if user_args['ssl_domain_name']: | |
| commands.extend([ | |
| '### UPLOAD SSL CERT KEY PAIR ###', | |
| 'cd /RPC', | |
| - 'install sys crypto cert /' + PART + '/%(ssl_domain_name)s.crt from-editor' | |
| + 'create sys crypto key /' + PART + '/%(ssl_domain_name)s.key' | |
| % user_args, | |
| - ' --> Copy and Paste provided domain cert for public api endpoint <--', | |
| - 'install sys crypto key /' + PART + '/%(ssl_domain_name)s.key from-editor' | |
| + 'create sys crypto cert /' + PART + '/%(ssl_domain_name)s.crt key /' % user_args + PART + '/%(ssl_domain_name)s.key common-name %(ssl_domain_name)s lifetime 3650' | |
| % user_args, | |
| - ' --> Copy and Paste provided domain key for public api endpoint <--', | |
| 'cd /Common\n', | |
| '### CREATE SSL PROFILES ###', | |
| ('create ltm profile client-ssl' | |
| - ' /' + PART + '/' + PREFIX_NAME + '_PROF_SSL_%(ssl_domain_name)s' | |
| - ' { cert /' + PART + '/%(ssl_domain_name)s.crt key' | |
| - ' /' + PART + '/%(ssl_domain_name)s.key defaults-from clientssl }') | |
| + ' /' + PART + '/' + PREFIX_NAME + '_PROF_SSL_%(ssl_domain_name)s' | |
| + ' { cert /' + PART + '/%(ssl_domain_name)s.crt key' | |
| + ' /' + PART + '/%(ssl_domain_name)s.key defaults-from clientssl }') | |
| % user_args, | |
| - ('create ltm profile server-ssl /' + PART + '/' + PREFIX_NAME + | |
| - '_PROF_SSL_SERVER { defaults-from /Common/serverssl }\n') | |
| + 'create ltm profile server-ssl /' + PART + '/' + PREFIX_NAME + '_PROF_SSL_SERVER { defaults-from /Common/serverssl }\n' | |
| % user_args, | |
| ]) | |
| + | |
| if user_args['Superman']: | |
| - print(' ************************** ') | |
| - print(' .*##*:*####***:::**###*:######*. ') | |
| - print(' *##: .###* *######:,##* ') | |
| - print(' *##: :####: *####*. :##: ') | |
| - print(' *##,:########**********:, :##: ') | |
| - print(' .#########################*, *#* ') | |
| - print(' *#########################*##: ') | |
| - print(' *##, ..,,::**#####: ') | |
| - print(' ,##*,*****, *##* ') | |
| - print(' *#########*########: ') | |
| - print(' *##*:*******###* ') | |
| - print(' .##*. ,##* ') | |
| - print(' :##* *##, ') | |
| - print(' *####: ') | |
| - print(' :, ') | |
| + print " ************************** " | |
| + print " .*##*:*####***:::**###*:######*. " | |
| + print " *##: .###* *######:,##* " | |
| + print " *##: :####: *####*. :##: " | |
| + print " *##,:########**********:, :##: " | |
| + print " .#########################*, *#* " | |
| + print " *#########################*##: " | |
| + print " *##, ..,,::**#####: " | |
| + print " ,##*,*****, *##* " | |
| + print " *#########*########: " | |
| + print " *##*:*******###* " | |
| + print " .##*. ,##* " | |
| + print " :##* *##, " | |
| + print " *####: " | |
| + print " :, " | |
| # Kal-El | |
| # SUPERMAN | |
| # JNA | |
| @@ -639,10 +647,7 @@ def main(): | |
| pool_parts = build_pool_parts(inventory=inventory_json) | |
| lb_vip_address = inventory_json['all']['vars']['internal_lb_vip_address'] | |
| - if user_args['ssl_public_ip'] is None: | |
| - user_args['ssl_public_ip'] = inventory_json['all']['vars']['external_lb_vip_address'] | |
| - | |
| - for key, value in pool_parts.items(): | |
| + for key, value in pool_parts.iteritems(): | |
| value['group_name'] = key.upper() | |
| value['vs_name'] = '%s_VS_%s' % ( | |
| PREFIX_NAME, value['group_name'] | |
| @@ -655,7 +660,7 @@ def main(): | |
| priority = 100 | |
| for node in value['hosts']: | |
| node['node_name'] = '%s_NODE_%s' % (PREFIX_NAME, node['hostname']) | |
| - nodes.append(NODES % node) | |
| + nodes.add(NODES % node) | |
| if value.get('persist'): | |
| persist = PERSIST_OPTION | |
| else: | |
| @@ -676,16 +681,15 @@ def main(): | |
| virts.append(virt) | |
| if user_args['ssl_public_ip']: | |
| if not value.get('backend_ssl'): | |
| - virtual_dict['ssl_profiles'] = ( | |
| + virtual_dict['ltm_profiles'] = ( | |
| '/' + PART + '/' + PREFIX_NAME + '_PROF_SSL_%(ssl_domain_name)s { context clientside }' | |
| ) % user_args | |
| + if value.get ('x-forwarded-proto'): | |
| + virtual_dict['ltm_profiles'] = '/' + PART + '/' + PREFIX_NAME + '_X-FORWARDED-PROTO { }/' + PART + '/' + PREFIX_NAME + '_PROF_SSL_%(ssl_domain_name)s { context clientside }'% user_args | |
| else: | |
| - virtual_dict['ssl_profiles'] = ( | |
| - '/' + PART + '/' + PREFIX_NAME + '_PROF_SSL_SERVER { context serverside } /' + PART + '/' + | |
| - PREFIX_NAME + '_PROF_SSL_%(ssl_domain_name)s { context clientside }' % user_args | |
| - ) | |
| + virtual_dict['ltm_profiles'] = '/' + PART + '/' + PREFIX_NAME + '_PROF_SSL_SERVER { context serverside } /' + PART + '/' + PREFIX_NAME + '_PROF_SSL_%(ssl_domain_name)s { context clientside }'% user_args | |
| if value.get('make_public'): | |
| - if value.get('ssl_impossible'): | |
| + if value.get ('ssl_impossible'): | |
| virtual_dict['vs_name'] = '%s_VS_%s' % ( | |
| 'RPC_PUB', value['group_name'] | |
| ) | |
| @@ -696,7 +700,7 @@ def main(): | |
| pubvirts.append(pubvirt) | |
| else: | |
| virtual_dict['vs_name'] = '%s_VS_%s' % ( | |
| - 'RPC_PUB_SSL', value['group_name'] | |
| + 'RPC_PUB_SSL', value['group_name'] | |
| ) | |
| sslvirt = '%s' % PUB_SSL_VIRTUAL_ENTRIES % virtual_dict | |
| if sslvirt not in sslvirts: | |
| @@ -738,23 +742,28 @@ def main(): | |
| snat_pool = '%s\n' % SNAT_POOL % { | |
| 'snat_pool_addresses': snat_pool_addresses | |
| } | |
| + snat_translations = [] | |
| + for snat_ip in snat_pool_adds.split(","): | |
| + snat_translations.append( SNAT_IDLE % snat_ip) | |
| script = [ | |
| '#!/usr/bin/bash\n', | |
| + r'### F5 Build Script -- Newton ###', | |
| r'### CREATE RPC PARTITION ###', | |
| 'create auth partition %s\n' % PART, | |
| r'### SET DISPLAY PORT NUMBERS ###', | |
| 'modify cli global-settings service number\n', | |
| snat_pool | |
| ] | |
| + script.extend(['%s' % i for i in snat_translations]) | |
| - script.extend(['### CREATE MONITORS ###']) | |
| + script.extend(['\n### CREATE MONITORS ###']) | |
| script.extend(['%s' % i % user_args for i in MONITORS]) | |
| script.extend(['%s' % i for i in commands]) | |
| script.extend(['### CREATE PERSISTENCE PROFILES ###']) | |
| - script.extend(['%s' % i % user_args for i in PERSISTENCE]) | |
| + script.extend(['%s' % i % user_args for i in PERSISTANCE]) | |
| script.extend(['### CREATE NODES ###']) | |
| - script.extend(['%s' % i % user_args for i in nodes]) | |
| + script.extend(['%s' % i % user_args for i in sorted(nodes)]) | |
| script.extend(['\n### CREATE POOLS ###']) | |
| script.extend(pools) | |
| script.extend(['\n### CREATE VIRTUAL SERVERS ###']) | |
| @@ -765,23 +774,38 @@ def main(): | |
| script.extend(pubvirts) | |
| if user_args['sec_host_network']: | |
| - hostnet, netmask = user_args['sec_host_network'].split(':') | |
| + hostnet = netaddr.IPNetwork(user_args['sec_host_network']) | |
| if not user_args['sec_public_vlan_name']: | |
| raise SystemExit('Please set the [ --sec-public-vlan-name ] value') | |
| script.append( | |
| SEC_HOSTNET_VIRTUAL_ENTRIES % { | |
| - 'sec_host_net': hostnet, | |
| - 'sec_host_netmask': netmask, | |
| + 'sec_host_net': str(hostnet.ip), | |
| + 'sec_host_netmask': str(hostnet.netmask), | |
| 'sec_public_vlan_name': user_args['sec_public_vlan_name'] | |
| } | |
| ) | |
| if user_args['sec_container_network']: | |
| - hostnet, netmask = user_args['sec_container_network'].split(':') | |
| + containernet = netaddr.IPNetwork(user_args['sec_container_network']) | |
| script.append( | |
| SEC_CONTAINER_VIRTUAL_ENTRIES % { | |
| - 'sec_container_net': hostnet, | |
| - 'sec_container_netmask': netmask | |
| + 'sec_container_net': str(containernet.ip), | |
| + 'sec_container_netmask': str(containernet.netmask) | |
| + } | |
| + ) | |
| + | |
| + | |
| + script.extend(afmrules) | |
| + if user_args['afm']: | |
| + if not user_args['ssl_public_ip']: | |
| + raise SystemExit('Please set the [ --ssl_public_ip ] value') | |
| + if not user_args['sec_host_network']: | |
| + raise SystemExit('Please set the [ --sec_host_network ] value') | |
| + script.append( | |
| + SEC_AFM_RULES % { | |
| + 'ssl_public_ip': user_args['ssl_public_ip'], | |
| + 'private_ip': lb_vip_address, | |
| + 'sec_host_net': user_args['sec_host_network'] | |
| } | |
| ) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment