summaryrefslogtreecommitdiffstats
path: root/roles/openshift_loadbalancer
diff options
context:
space:
mode:
Diffstat (limited to 'roles/openshift_loadbalancer')
-rw-r--r--roles/openshift_loadbalancer/README.md2
-rw-r--r--roles/openshift_loadbalancer/defaults/main.yml13
-rw-r--r--roles/openshift_loadbalancer/meta/main.yml13
-rw-r--r--roles/openshift_loadbalancer/tasks/firewall.yml40
-rw-r--r--roles/openshift_loadbalancer/tasks/main.yml4
5 files changed, 60 insertions, 12 deletions
diff --git a/roles/openshift_loadbalancer/README.md b/roles/openshift_loadbalancer/README.md
index bea4c509b..330895f20 100644
--- a/roles/openshift_loadbalancer/README.md
+++ b/roles/openshift_loadbalancer/README.md
@@ -25,6 +25,7 @@ From this role:
| openshift_loadbalancer_default_maxconn | 20000 | Maximum per-process number of concurrent connections. |
| openshift_loadbalancer_frontends | none | List of frontends. See example below. |
| openshift_loadbalancer_backends | none | List of backends. See example below. |
+| openshift_image_tag | none | Image tag for containerized haproxy image. |
Dependencies
------------
@@ -64,6 +65,7 @@ Example Playbook
- name: master3
address: "192.168.122.223:8443"
opts: check
+ openshift_image_tag: v3.6.153
```
License
diff --git a/roles/openshift_loadbalancer/defaults/main.yml b/roles/openshift_loadbalancer/defaults/main.yml
index 6190383b6..3f6409233 100644
--- a/roles/openshift_loadbalancer/defaults/main.yml
+++ b/roles/openshift_loadbalancer/defaults/main.yml
@@ -1,4 +1,7 @@
---
+r_openshift_loadbalancer_firewall_enabled: True
+r_openshift_loadbalancer_use_firewalld: False
+
haproxy_frontends:
- name: main
binds:
@@ -12,3 +15,13 @@ haproxy_backends:
- name: web01
address: 127.0.0.1:9000
opts: check
+
+r_openshift_loadbalancer_os_firewall_deny: []
+r_openshift_loadbalancer_os_firewall_allow:
+- service: haproxy stats
+ port: "9000/tcp"
+- service: haproxy balance
+ port: "{{ openshift_master_api_port | default(8443) }}/tcp"
+- service: nuage mon
+ port: "{{ nuage_mon_rest_server_port | default(9443) }}/tcp"
+ cond: "{{ openshift_use_nuage | default(false) | bool }}"
diff --git a/roles/openshift_loadbalancer/meta/main.yml b/roles/openshift_loadbalancer/meta/main.yml
index 0dffb545f..72298b599 100644
--- a/roles/openshift_loadbalancer/meta/main.yml
+++ b/roles/openshift_loadbalancer/meta/main.yml
@@ -10,16 +10,5 @@ galaxy_info:
versions:
- 7
dependencies:
+- role: lib_os_firewall
- role: openshift_facts
-- role: os_firewall
- os_firewall_allow:
- - service: haproxy stats
- port: "9000/tcp"
- - service: haproxy balance
- port: "{{ openshift_master_api_port | default(8443) }}/tcp"
-- role: os_firewall
- os_firewall_allow:
- - service: nuage mon
- port: "{{ nuage_mon_rest_server_port | default(9443) }}/tcp"
- when: openshift_use_nuage | default(false) | bool
-- role: openshift_repos
diff --git a/roles/openshift_loadbalancer/tasks/firewall.yml b/roles/openshift_loadbalancer/tasks/firewall.yml
new file mode 100644
index 000000000..7d6e8ff36
--- /dev/null
+++ b/roles/openshift_loadbalancer/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_openshift_loadbalancer_firewall_enabled | bool and not r_openshift_loadbalancer_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_loadbalancer_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}"
+
+- when: r_openshift_loadbalancer_firewall_enabled | bool and r_openshift_loadbalancer_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_loadbalancer_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}"
diff --git a/roles/openshift_loadbalancer/tasks/main.yml b/roles/openshift_loadbalancer/tasks/main.yml
index 68bb4ace8..69b061fc5 100644
--- a/roles/openshift_loadbalancer/tasks/main.yml
+++ b/roles/openshift_loadbalancer/tasks/main.yml
@@ -1,4 +1,8 @@
---
+- name: setup firewall
+ include: firewall.yml
+ static: yes
+
- name: Install haproxy
package: name=haproxy state=present
when: not openshift.common.is_containerized | bool
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-09 22:25:35 +0000