From 1932b8d007792e29c609099708224c6a4e29288e Mon Sep 17 00:00:00 2001
From: Jason DeTiberus <jdetiber@redhat.com>
Date: Fri, 20 Feb 2015 11:43:19 -0500
Subject: Set and export KUBECONFIG in root user .bash_profile

- roles/base_os: Without this, the root user would need to manually configure
  this variable before attempting to run any osc commands
- roles/base_os: Clean up the firewalld service definition and only pause when
  the service state actually changes.
- roles/openshift_master: use Akram's suggestion of simplifying the firewall
  config
- roles/openshift_master: explicitly disable previously exposed ports that are
  no longer exposed (8080/tcp I'm looking at you).
---
 roles/base_os/tasks/main.yaml         | 23 ++++++++++++++---------
 roles/openshift_master/tasks/main.yml | 25 ++++++++++++++-----------
 2 files changed, 28 insertions(+), 20 deletions(-)

diff --git a/roles/base_os/tasks/main.yaml b/roles/base_os/tasks/main.yaml
index 01d2898c5..b18f5c40d 100644
--- a/roles/base_os/tasks/main.yaml
+++ b/roles/base_os/tasks/main.yaml
@@ -11,21 +11,26 @@
     src: vimrc
     dest: /root/.vimrc
 
-- name: Ensure vimrc is installed for user root
-  copy:
-    src: vimrc
-    dest: /root/.vimrc
+- name: Add KUBECONFIG to .bash_profile for user root
+  lineinfile:
+    dest: /root/.bash_profile
+    regexp: "KUBECONFIG="
+    line: "export KUBECONFIG={{ openshift_master_credentials_dir }}.kubeconfig"
+    state: present
+    insertafter: EOF
 
 - name: Install firewalld
   yum:
     pkg: firewalld
     state: installed
 
-- name: enable firewalld service
-  command: /usr/bin/systemctl enable firewalld.service
-
-- name: start firewalld service
-  command: /usr/bin/systemctl start firewalld.service
+- name: start and enable firewalld service
+  service:
+    name: firewalld
+    state: started
+    enabled: yes
+  register: result
 
 - name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
   pause: seconds=10
+  when: result | changed
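Review bot: The new lineinfile task builds root's `KUBECONFIG` as `{{ openshift_master_credentials_dir }}.kubeconfig` with no path separator, so it only resolves to the intended file if that variable is guaranteed to end in `/`; otherwise root silently gets `<dir>.kubeconfig`, and every `osc` call as root uses a non-existent credential path. The `regexp: "KUBECONFIG="` is unanchored, so a commented-out or differently-named line containing that text would be rewritten in place while a real `export KUBECONFIG=` further down is left alone; `regexp: '^export KUBECONFIG='` is the safer match. This task lives in `roles/base_os`, which presumably also runs on node hosts, yet it reaches into a master-role variable and points root at an admin kubeconfig path that may not exist there — worth confirming that is intended, or moving the task into `roles/openshift_master`. Note also that `lineinfile` fails rather than creating the file when `/root/.bash_profile` is missing, so `create: yes` would make the task robust on minimal images.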
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index c92ca9c8f..96b889804 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -13,21 +13,24 @@
     regexp: "{{ item.regex }}"
     line: "{{ item.line }}"
   with_items:
-    - { regex: '^OPTIONS=', line: 'OPTIONS=\"--public-master={{ oo_public_ip }} --nodes={{ oo_node_ips | join(",") }}  --loglevel=5\"' }
+    - { regex: '^OPTIONS=', line: "OPTIONS=\"--public-master={{ oo_public_ip }} --nodes={{ oo_node_ips | join(",") }}  --loglevel=5\"" }
   notify:
     - restart openshift-master
 
-- name: Open firewalld port for etcd embedded in OpenShift
-  firewalld: port=4001/tcp permanent=false state=enabled
+# Open etcd embedded, etcd embedded peer, openshift api, and
+# openshift client ports
+- name: Open firewalld ports for openshift-master
+  firewalld: port={{ item[0] }} permanent={{ item[1] }} state=enabled
+  with_nested:
+  - [ 4001/tcp, 7001/tcp, 8443/tcp, 8444/tcp ]
+  - [ true, false ]
 
-- name: Save firewalld port for etcd embedded in
-  firewalld: port=4001/tcp permanent=true state=enabled
-
-- name: Open firewalld port for OpenShift
-  firewalld: port=8443/tcp permanent=false state=enabled
-
-- name: Save firewalld port for OpenShift
-  firewalld: port=8443/tcp permanent=true state=enabled
+# Disable previously exposed ports that are no longer needed
+- name: Close firewalld ports for openshift-master that are no longer needed
+  firewalld: port={{ item[0] }} permanent={{ item[1] }} state=enabled
+  with_nested:
+  - [ 8080/tcp ]
+  - [ true, false ]
 
 - name: Enable OpenShift
   service: name=openshift-master enabled=yes state=started
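Review bot: The task "Close firewalld ports for openshift-master that are no longer needed" still passes `state=enabled`, so it opens 8080/tcp in both the runtime and permanent configuration instead of closing it — the opposite of what the task name and the commit message ("explicitly disable previously exposed ports") intend. The fix is one line on that task: `firewalld: port={{ item[0] }} permanent={{ item[1] }} state=disabled`. Until that is corrected, hosts provisioned before this change keep the previously exposed 8080/tcp reachable, and freshly provisioned hosts gain an extra open port they were never meant to have. A comment above the task such as `# state=disabled: this task removes rules, the one above adds them` would make the copy-paste mistake harder to repeat.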