| author | Kenny Woodson <kwoodson@redhat.com> | 2017-08-10 21:13:54 -0400 | 
|---|---|---|
| committer | Kenny Woodson <kwoodson@redhat.com> | 2017-08-10 22:59:48 -0400 | 
| commit | 7d50ffe98dfa17e3fb72627699c794843ed5295d (patch) | |
| tree | 8292dff0a7ed50f79a728da44f40d3a08b397aaa | |
| parent | ba96f5eaf876f6b7568ac73794a08cbe759dceee (diff) | |
Updated README to reflect refactor.  Moved firewall initialize into separate file.
24 files changed, 74 insertions, 60 deletions
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml
index 423573540..7136f1c1f 100644
--- a/playbooks/common/openshift-cluster/config.yml
+++ b/playbooks/common/openshift-cluster/config.yml
@@ -26,21 +26,6 @@
   tags:
   - always
-- name: Setup firewall
-  hosts: oo_all_hosts
-  tags:
-  - always
-  tasks:
-  # This should move to intialize_facts
-  - name: set os_firewall_enabled
-    set_fact:
-      os_firewall_enabled: true
-      os_firewall_use_firewalld: false
-
-  - name: Set proper firewall settings
-    include_role:
-      name: os_firewall
-
 - name: Disable excluders
   hosts: oo_masters_to_config:oo_nodes_to_config
   tags:
diff --git a/playbooks/common/openshift-cluster/initialize_firewall.yml b/playbooks/common/openshift-cluster/initialize_firewall.yml
new file mode 100644
index 000000000..7d7a427d4
--- /dev/null
+++ b/playbooks/common/openshift-cluster/initialize_firewall.yml
@@ -0,0 +1,7 @@
+---
+- name: Initialize host facts
+  hosts: oo_all_hosts
+  tasks:
+  - name: install and configure the proper firewall settings
+    include_role:
+      name: os_firewall
diff --git a/playbooks/common/openshift-cluster/std_include.yml b/playbooks/common/openshift-cluster/std_include.yml
index 6ed31a644..eab16aba0 100644
--- a/playbooks/common/openshift-cluster/std_include.yml
+++ b/playbooks/common/openshift-cluster/std_include.yml
@@ -14,3 +14,7 @@
 - include: initialize_openshift_version.yml
   tags:
   - always
+
+- include: initialize_firewall.yml
+  tags:
+  - always
diff --git a/roles/cockpit/defaults/main.yml b/roles/cockpit/defaults/main.yml
index 97b00db04..cbe5bb92b 100644
--- a/roles/cockpit/defaults/main.yml
+++ b/roles/cockpit/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+r_cockpit_firewall_enabled: True
+r_cockpit_use_firewalld: False
+
 r_cockpit_os_firewall_deny: []
 r_cockpit_os_firewall_allow:
 - service: cockpit-ws
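Review bot: The play name `Initialize host facts` in the new initialize_firewall.yml describes a different playbook; the play's only task is `include_role` of os_firewall, so name it for what it does, e.g. `- name: Initialize firewall`. The play it replaces in config.yml carried `tags:` / `- always` on the play itself, whereas the new play has no tags and depends on the `tags: - always` of the `include:` line in std_include.yml; that propagates for a playbook include, but any other caller of initialize_firewall.yml would get an untagged play, so adding `tags:` / `- always` to the play keeps parity with what was removed. The task name `install and configure the proper firewall settings` is also the only lower-case task name in the files touched here; `Install and configure the proper firewall settings` matches the surrounding style.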
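Review bot: `r_cockpit_use_firewalld: False` is a fixed role default with no link to `os_firewall_use_firewalld`, which the os_firewall role (now included for every host by initialize_firewall.yml) and its README in this same commit still present as the switch; an inventory that enables firewalld through that variable would get firewalld installed while roles/cockpit/tasks/firewall.yml keeps taking the iptables branch, so the role's allow/deny rules would land in the wrong backend unless each `r_*_use_firewalld` is overridden as well. Deriving the default from the global switch, `r_cockpit_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"`, keeps one knob, which is presumably what the removed `set_fact` in config.yml used to guarantee; the same goes for `r_cockpit_firewall_enabled` versus `os_firewall_enabled`. This applies equally to the etcd, nuage_master, nuage_node, openshift_hosted (router and registry), openshift_loadbalancer, openshift_master, openshift_node and openshift_storage_nfs defaults hunks. Style: the new `True`/`False` values are capitalised while `r_openshift_master_clean_install: false` in the same diff uses the canonical lowercase form, so `true`/`false` would be consistent, and the openshift_node hunk omits the blank separator line every other defaults hunk adds.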
diff --git a/roles/cockpit/tasks/firewall.yml b/roles/cockpit/tasks/firewall.yml
index 0e253a9f5..e597ac84d 100644
--- a/roles/cockpit/tasks/firewall.yml
+++ b/roles/cockpit/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_cockpit_firewall_enabled | bool and not r_cockpit_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_cockpit_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_cockpit_firewall_enabled | bool and r_cockpit_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
index c14137d4e..d12d7a358 100644
--- a/roles/etcd/defaults/main.yaml
+++ b/roles/etcd/defaults/main.yaml
@@ -1,4 +1,7 @@
 ---
+r_etcd_firewall_enabled: True
+r_etcd_use_firewalld: False
+
 etcd_initial_cluster_state: new
 etcd_initial_cluster_token: etcd-cluster-1
diff --git a/roles/etcd/tasks/firewall.yml b/roles/etcd/tasks/firewall.yml
index fcfdf5227..4d0f6290a 100644
--- a/roles/etcd/tasks/firewall.yml
+++ b/roles/etcd/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_etcd_firewall_enabled | bool and not r_etcd_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_etcd_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_etcd_firewall_enabled | bool and r_etcd_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/nuage_master/defaults/main.yml b/roles/nuage_master/defaults/main.yml
index 2aed521da..ffab25775 100644
--- a/roles/nuage_master/defaults/main.yml
+++ b/roles/nuage_master/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+r_nuage_master_firewall_enabled: True
+r_nuage_master_use_firewalld: False
+
 nuage_mon_rest_server_port: '9443'
 r_nuage_master_os_firewall_deny: []
diff --git a/roles/nuage_master/tasks/firewall.yml b/roles/nuage_master/tasks/firewall.yml
index b4da2ac83..0057dc9ab 100644
--- a/roles/nuage_master/tasks/firewall.yml
+++ b/roles/nuage_master/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_nuage_master_firewall_enabled | bool and not r_nuage_master_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_nuage_master_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_nuage_master_firewall_enabled | bool and r_nuage_master_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/nuage_node/defaults/main.yml b/roles/nuage_node/defaults/main.yml
index 7a71273e7..b3d2e3cec 100644
--- a/roles/nuage_node/defaults/main.yml
+++ b/roles/nuage_node/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+r_nuage_node_firewall_enabled: True
+r_nuage_node_use_firewalld: False
+
 nuage_mon_rest_server_port: '9443'
 r_nuage_node_os_firewall_deny: []
diff --git a/roles/nuage_node/tasks/firewall.yml b/roles/nuage_node/tasks/firewall.yml
index 008f3a95b..baf600d57 100644
--- a/roles/nuage_node/tasks/firewall.yml
+++ b/roles/nuage_node/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_nuage_node_firewall_enabled | bool and not r_nuage_node_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_nuage_node_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_nuage_node_firewall_enabled | bool and r_nuage_node_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/openshift_hosted/defaults/main.yml b/roles/openshift_hosted/defaults/main.yml
index f1fd0f4b7..13cbfb14e 100644
--- a/roles/openshift_hosted/defaults/main.yml
+++ b/roles/openshift_hosted/defaults/main.yml
@@ -1,4 +1,10 @@
 ---
+r_openshift_hosted_router_firewall_enabled: True
+r_openshift_hosted_router_use_firewalld: False
+
+r_openshift_hosted_registry_firewall_enabled: True
+r_openshift_hosted_registry_use_firewalld: False
+
 registry_volume_claim: 'registry-claim'
 openshift_hosted_router_edits:
diff --git a/roles/openshift_hosted/tasks/registry/firewall.yml b/roles/openshift_hosted/tasks/registry/firewall.yml
index f48eb3b12..775b7d6d7 100644
--- a/roles/openshift_hosted/tasks/registry/firewall.yml
+++ b/roles/openshift_hosted/tasks/registry/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_registry_firewall_enabled | bool and not r_openshift_hosted_registry_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_hosted_registry_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_registry_firewall_enabled | bool and r_openshift_hosted_registry_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/openshift_hosted/tasks/router/firewall.yml b/roles/openshift_hosted/tasks/router/firewall.yml
index fd9a9c2e7..ff90f3372 100644
--- a/roles/openshift_hosted/tasks/router/firewall.yml
+++ b/roles/openshift_hosted/tasks/router/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_router_firewall_enabled | bool and not r_openshift_hosted_router_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_hosted_router_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_router_firewall_enabled | bool and r_openshift_hosted_router_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/openshift_loadbalancer/defaults/main.yml b/roles/openshift_loadbalancer/defaults/main.yml
index 35a14b1a5..3f6409233 100644
--- a/roles/openshift_loadbalancer/defaults/main.yml
+++ b/roles/openshift_loadbalancer/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+r_openshift_loadbalancer_firewall_enabled: True
+r_openshift_loadbalancer_use_firewalld: False
+
 haproxy_frontends:
 - name: main
   binds:
diff --git a/roles/openshift_loadbalancer/tasks/firewall.yml b/roles/openshift_loadbalancer/tasks/firewall.yml
index def868134..7d6e8ff36 100644
--- a/roles/openshift_loadbalancer/tasks/firewall.yml
+++ b/roles/openshift_loadbalancer/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_loadbalancer_firewall_enabled | bool and not r_openshift_loadbalancer_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_loadbalancer_firewall_enabled | bool and r_openshift_loadbalancer_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml
index 0b35c180e..a4c178908 100644
--- a/roles/openshift_master/defaults/main.yml
+++ b/roles/openshift_master/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+r_openshift_master_firewall_enabled: True
+r_openshift_master_use_firewalld: False
+
 openshift_node_ips: []
 r_openshift_master_clean_install: false
 r_openshift_master_etcd3_storage: false
diff --git a/roles/openshift_master/tasks/firewall.yml b/roles/openshift_master/tasks/firewall.yml
index 80a91fa2e..e51eeb56e 100644
--- a/roles/openshift_master/tasks/firewall.yml
+++ b/roles/openshift_master/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_master_firewall_enabled | bool and not r_openshift_master_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_master_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_master_firewall_enabled | bool and r_openshift_master_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml
index 92237757c..973b3a619 100644
--- a/roles/openshift_node/defaults/main.yml
+++ b/roles/openshift_node/defaults/main.yml
@@ -1,4 +1,6 @@
 ---
+r_openshift_node_firewall_enabled: True
+r_openshift_node_use_firewalld: False
 r_openshift_node_os_firewall_deny: []
 r_openshift_node_os_firewall_allow:
 - service: Kubernetes kubelet
diff --git a/roles/openshift_node/tasks/firewall.yml b/roles/openshift_node/tasks/firewall.yml
index 492dcee1d..255aa886a 100644
--- a/roles/openshift_node/tasks/firewall.yml
+++ b/roles/openshift_node/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_node_firewall_enabled | bool and not r_openshift_node_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_node_os_firewall_deny }}"
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_node_firewall_enabled | bool and r_openshift_node_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
diff --git a/roles/openshift_storage_nfs/defaults/main.yml b/roles/openshift_storage_nfs/defaults/main.yml
index 1e9265b00..4a2bc6141 100644
--- a/roles/openshift_storage_nfs/defaults/main.yml
+++ b/roles/openshift_storage_nfs/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+r_openshift_storage_nfs_firewall_enabled: True
+r_openshift_storage_nfs_use_firewalld: False
+
 r_openshift_storage_nfs_os_firewall_deny: []
 r_openshift_storage_nfs_os_firewall_allow:
 - service: nfs
diff --git a/roles/openshift_storage_nfs/tasks/firewall.yml b/roles/openshift_storage_nfs/tasks/firewall.yml
index 9bca80b40..c1c318ff4 100644
--- a/roles/openshift_storage_nfs/tasks/firewall.yml
+++ b/roles/openshift_storage_nfs/tasks/firewall.yml
@@ -1,5 +1,5 @@  --- -- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool +- when: r_openshift_storage_nfs_firewall_enabled | bool and not r_openshift_storage_nfs_use_firewalld | bool    block:    - name: Add iptables allow rules      os_firewall_manage_iptables: @@ -19,7 +19,7 @@      when: item.cond | default(True)      with_items: "{{ r_openshift_storage_nfs_os_firewall_deny }}" -- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool +- when: r_openshift_storage_nfs_firewall_enabled | bool and r_openshift_storage_nfs_use_firewalld | bool    block:    - name: Add firewalld allow rules      firewalld: diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md index e7ef544f4..be0b8291a 100644 --- a/roles/os_firewall/README.md +++ b/roles/os_firewall/README.md @@ -1,8 +1,8 @@  OS Firewall  =========== -OS Firewall manages firewalld and iptables firewall settings for a minimal use -case (Adding/Removing rules based on protocol and port number). +OS Firewall manages firewalld and iptables installation. +case.  Note: firewalld is not supported on Atomic Host  https://bugzilla.redhat.com/show_bug.cgi?id=1403331 @@ -18,8 +18,6 @@ Role Variables  | Name                      | Default |                                        |  |---------------------------|---------|----------------------------------------|  | os_firewall_use_firewalld | False   | If false, use iptables                 | -| os_firewall_allow         | []      | List of service,port mappings to allow | -| os_firewall_deny          | []      | List of service, port mappings to deny |  Dependencies  ------------ 
@@ -29,34 +27,27 @@ None.  Example Playbook  ---------------- -Use iptables and open tcp ports 80 and 443: +Use iptables:  ```  ---  - hosts: servers -  vars: -    os_firewall_use_firewalld: false -    os_firewall_allow: -    - service: httpd -      port: 80/tcp -    - service: https -      port: 443/tcp -  roles: -  - os_firewall +  task: +  - include_role: +      name: os_firewall +    vars: +      os_firewall_use_firewalld: false  ``` -Use firewalld and open tcp port 443 and close previously open tcp port 80: +Use firewalld:  ```  ---  - hosts: servers    vars: -    os_firewall_allow: -    - service: https -      port: 443/tcp -    os_firewall_deny: -    - service: httpd -      port: 80/tcp -  roles: -  - os_firewall +  tasks: +  - include_role: +      name: os_firewall +    vars: +      os_firewall_use_firewalld: true  ```  License diff --git a/roles/os_firewall/defaults/main.yml b/roles/os_firewall/defaults/main.yml index 01859e5fc..f96a80f1c 100644 --- a/roles/os_firewall/defaults/main.yml +++ b/roles/os_firewall/defaults/main.yml @@ -3,5 +3,3 @@ os_firewall_enabled: True  # firewalld is not supported on Atomic Host  # https://bugzilla.redhat.com/show_bug.cgi?id=1403331  os_firewall_use_firewalld: "{{ False }}" -os_firewall_allow: [] -os_firewall_deny: []  | 
