From 4f9b26e8af5890b7960291497020586426e7f1fc Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Wed, 19 Jul 2017 08:51:14 -0400
Subject: First attempt at refactor of os_firewall

---
 roles/openshift_node/tasks/firewall.yml | 40 +++++++++++++++++++++++++++++++++
 roles/openshift_node/tasks/main.yml     | 32 ++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)
 create mode 100644 roles/openshift_node/tasks/firewall.yml


diff --git a/roles/openshift_node/tasks/firewall.yml b/roles/openshift_node/tasks/firewall.yml
new file mode 100644
index 000000000..323eaae70
--- /dev/null
+++ b/roles/openshift_node/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond
+    with_items: "{{ r_openshift_node_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond
+    with_items: "{{ r_openshift_node_os_firewall_deny }}"
+
+- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond
+    with_items: "{{ r_openshift_node_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond
+    with_items: "{{ r_openshift_node_os_firewall_deny }}"
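Review bot: `item.port.split('/')[1]` in both iptables tasks aborts the play with an index error when an entry's `port` has no `/proto` suffix, while the firewalld tasks pass `item.port` through unchanged, so a bare port number behaves differently under the two backends. An `assert` task ahead of the two blocks, looped over both lists with `that: "'/' in item.port"` and a `msg` naming the offending entry, would turn that into a clear failure and keep the two paths in step. The last task is named `Remove firewalld allow rules` but iterates the deny list; `Remove firewalld rules` would match its iptables counterpart.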
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index ca4fef360..3353a22e3 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -6,6 +6,38 @@
     - (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise']
     - not openshift_docker_use_crio | default(false)
 
+- name: setup firewall
+  include: firewall.yml
+  static: yes
+
+- name: Set node facts
+  openshift_facts:
+    role: "{{ item.role }}"
+    local_facts: "{{ item.local_facts }}"
+  with_items:
+    # Reset node labels to an empty dictionary.
+    - role: node
+      local_facts:
+        labels: {}
+    - role: node
+      local_facts:
+        annotations: "{{ openshift_node_annotations | default(none) }}"
+        debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}"
+        iptables_sync_period: "{{ openshift_node_iptables_sync_period | default(None) }}"
+        kubelet_args: "{{ openshift_node_kubelet_args | default(None) }}"
+        labels: "{{ lookup('oo_option', 'openshift_node_labels') | default( openshift_node_labels | default(none), true) }}"
+        registry_url: "{{ oreg_url_node | default(oreg_url) | default(None) }}"
+        schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}"
+        sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}"
+        storage_plugin_deps: "{{ osn_storage_plugin_deps | default(None) }}"
+        set_node_ip: "{{ openshift_set_node_ip | default(None) }}"
+        node_image: "{{ osn_image | default(None) }}"
+        ovs_image: "{{ osn_ovs_image | default(None) }}"
+        proxy_mode: "{{ openshift_node_proxy_mode | default('iptables') }}"
+        local_quota_per_fsgroup: "{{ openshift_node_local_quota_per_fsgroup | default(None) }}"
+        dns_ip: "{{ openshift_dns_ip | default(none) | get_dns_ip(hostvars[inventory_hostname])}}"
+        env_vars: "{{ openshift_node_env_vars | default(None) }}"
+
 # https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory
 - name: Check for swap usage
   command: grep "^[^#].*swap" /etc/fstab
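Review bot: `static: yes` on the `setup firewall` include uses a YAML 1.1 truthy; `static: true` matches the `permanent: true` / `immediate: true` style in the included file. The `Set node facts` entries mix `default(none)` (annotations, labels, dns_ip) with `default(None)` elsewhere — both are accepted Jinja2 literals, but one spelling per file reads better. The `dns_ip` value also lacks the space before the closing `}}`. The `Check for swap usage` task continues outside the hunk.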
-- 


From ba96f5eaf876f6b7568ac73794a08cbe759dceee Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Wed, 9 Aug 2017 10:45:55 -0400
Subject: Adding a default condition and removing unneeded defaults.

---
 roles/openshift_node/tasks/firewall.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)


diff --git a/roles/openshift_node/tasks/firewall.yml b/roles/openshift_node/tasks/firewall.yml
index 323eaae70..492dcee1d 100644
--- a/roles/openshift_node/tasks/firewall.yml
+++ b/roles/openshift_node/tasks/firewall.yml
@@ -7,7 +7,7 @@
       action: add
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_node_os_firewall_allow }}"
 
   - name: Remove iptables rules
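Review bot: `item.cond | default(True)` makes a rule unconditional whenever the key is absent, so a misspelled key in an allow entry (say `condition:` instead of `cond:`) now silently opens the port instead of failing; the same applies to the three later hunks (Remove iptables rules, Add firewalld allow rules, Remove firewalld allow rules). If "no cond means always" is the intent, an `assert` over both lists checking that each entry uses only the expected keys (`service`, `port`, `cond`) would keep the fail-closed behaviour for typos. Note also that `default` only replaces an undefined value: an entry written as `cond:` with nothing after it is null and, as far as I can tell, the rule is then skipped rather than applied, which is worth a comment above the loop if intended.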
@@ -16,7 +16,7 @@
       action: remove
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_node_os_firewall_deny }}"
 
 - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
@@ -27,7 +27,7 @@
       permanent: true
       immediate: true
       state: enabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_node_os_firewall_allow }}"
 
   - name: Remove firewalld allow rules
@@ -36,5 +36,5 @@
       permanent: true
       immediate: true
       state: disabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_node_os_firewall_deny }}"
-- 


From 7d50ffe98dfa17e3fb72627699c794843ed5295d Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Thu, 10 Aug 2017 21:13:54 -0400
Subject: Updated README to reflect refactor.  Moved firewall initialize into
 separate file.

---
 roles/openshift_node/tasks/firewall.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


diff --git a/roles/openshift_node/tasks/firewall.yml b/roles/openshift_node/tasks/firewall.yml
index 492dcee1d..255aa886a 100644
--- a/roles/openshift_node/tasks/firewall.yml
+++ b/roles/openshift_node/tasks/firewall.yml
@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_node_firewall_enabled | bool and not r_openshift_node_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
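Review bot: The gate now reads `r_openshift_node_firewall_enabled` and `r_openshift_node_use_firewalld` (here and in the second hunk), but the rule lists a few lines down keep the `r_openshift_node_os_firewall_allow` / `_deny` names, leaving two prefixes for one role's firewall variables; aligning them, or a comment explaining why the lists keep `os_firewall` in the name, would help. Whether defaults for the two new variables exist is not visible in this diff; if either is unset, `| bool` on an undefined variable fails the play rather than skipping the block, so the rename should be accompanied by a defaults entry or a `| default(...)` in the condition.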
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_node_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_node_firewall_enabled | bool and r_openshift_node_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:
-- 