| author | Kenny Woodson <kwoodson@redhat.com> | 2017-07-19 08:51:14 -0400 | 
|---|---|---|
| committer | Kenny Woodson <kwoodson@redhat.com> | 2017-08-08 10:46:12 -0400 | 
| commit | 4f9b26e8af5890b7960291497020586426e7f1fc (patch) | |
| tree | ba2dd554f739485a9c2e8654e6af626b54e7a520 /roles/etcd | |
| parent | 0569c5069dabeea9e2fe94cd097cb6f2b1540867 (diff) | |
First attempt at refactor of os_firewall
Diffstat (limited to 'roles/etcd')
| -rw-r--r-- | roles/etcd/defaults/main.yaml | 11 | ||||
| -rw-r--r-- | roles/etcd/meta/main.yml | 7 | ||||
| -rw-r--r-- | roles/etcd/tasks/firewall.yml | 40 | ||||
| -rw-r--r-- | roles/etcd/tasks/main.yml | 4 | 
4 files changed, 56 insertions, 6 deletions
| diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
index c0d1d5946..4c8d63b4c 100644
--- a/roles/etcd/defaults/main.yaml
+++ b/roles/etcd/defaults/main.yaml
@@ -7,4 +7,15 @@ etcd_listen_peer_urls: "{{ etcd_peer_url_scheme }}://{{ etcd_ip }}:{{ etcd_peer_
 etcd_advertise_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_port }}"
 etcd_listen_client_urls: "{{ etcd_url_scheme }}://{{ etcd_ip }}:{{ etcd_client_port }}"
+etcd_client_port: 2379
+etcd_peer_port: 2380
+
 etcd_systemd_dir: "/etc/systemd/system/{{ etcd_service }}.service.d"
+r_etcd_os_firewall_deny: []
+r_etcd_os_firewall_allow:
+- service: etcd
+  port: "{{etcd_client_port}}/tcp"
+  cond: true
+- service: etcd peering
+  port: "{{ etcd_peer_port }}/tcp"
+  cond: true
diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml
index 689c07a84..9a955c822 100644
--- a/roles/etcd/meta/main.yml
+++ b/roles/etcd/meta/main.yml
@@ -17,11 +17,6 @@ galaxy_info:
   - system
 dependencies:
 - role: lib_openshift
-- role: os_firewall
-  os_firewall_allow:
-  - service: etcd
-    port: "{{etcd_client_port}}/tcp"
-  - service: etcd peering
-    port: "{{ etcd_peer_port }}/tcp"
+- role: lib_os_firewall
 - role: etcd_server_certificates
 - role: etcd_common
diff --git a/roles/etcd/tasks/firewall.yml b/roles/etcd/tasks/firewall.yml
new file mode 100644
index 000000000..6088b26ff
--- /dev/null
+++ b/roles/etcd/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond
+    with_items: "{{ r_etcd_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond
+    with_items: "{{ r_etcd_os_firewall_deny }}"
+
+- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond
+    with_items: "{{ r_etcd_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond
+    with_items: "{{ r_etcd_os_firewall_deny }}"
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 8c2f392ee..78e543ef1 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -6,6 +6,10 @@
     etcd_hostname: "{{ etcd_hostname }}"
     etcd_ip: "{{ etcd_ip }}"
+- name: setup firewall
+  include: firewall.yml
+  static: yes
+
 - name: Install etcd
   package: name=etcd{{ '-' + etcd_version if etcd_version is defined else '' }} state=present
   when: not etcd_is_containerized | bool |
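Review bot: The first entry of the new `r_etcd_os_firewall_allow` list writes `port: "{{etcd_client_port}}/tcp"` without spaces inside the braces while the peering entry two lines below writes `{{ etcd_peer_port }}`; both render identically, but the spaced form is what every other Jinja expression in this hunk uses, so `port: "{{ etcd_client_port }}/tcp"`. The new defaults `etcd_client_port: 2379` and `etcd_peer_port: 2380` are placed below context lines that already reference those variables, which suggests they were supplied from elsewhere before this commit; if another role's defaults also define them, the two definitions should be reconciled so the listen URLs and the firewall rule cannot drift apart. A comment above `r_etcd_os_firewall_deny` would tell the next reader the list schema, e.g. `# Rules consumed by tasks/firewall.yml: port is "<number>/<protocol>", cond gates each entry`.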
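Review bot: Swapping the `os_firewall` dependency for `lib_os_firewall` removes the role that presumably defined `os_firewall_enabled` and `os_firewall_use_firewalld`, yet the new tasks/firewall.yml in this commit conditions both blocks on those variables and roles/etcd/defaults gains no default for either. If the etcd role runs in a play where `os_firewall` was never applied, the `when:` expressions fail on an undefined variable instead of skipping. I cannot see `lib_os_firewall` from this diff, so it may carry those defaults itself; if not, either document the requirement next to the dependency or give the conditions a `| default(...)` fallback.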
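Review bot: Each of the four tasks uses `when: item.cond`, which raises an undefined-variable error for any list entry that omits `cond` rather than treating it as unconditional; since the defaults only ever set `cond: true`, `when: item.cond | default(true)` keeps the data format forgiving for callers that extend `r_etcd_os_firewall_allow`. The second iptables task is named `Remove iptables rules` while its firewalld twin is `Remove firewalld allow rules`; aligning them (`Remove iptables allow rules`) makes play output easier to scan. Neither backend scopes the allow rules by source address, which matches the list the removed `os_firewall` dependency carried, so it is worth a header comment on the file stating that the client and peer ports are opened to all sources and that narrowing is left to the caller.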
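Review bot: `static: yes` on the new include uses the YAML 1.1 truthy spelling that yamllint flags and that generic parsers read differently from Ansible's; `static: true` is the canonical form and is what the rest of the role's booleans in this commit use (`cond: true`, `permanent: true`). The task name `setup firewall` is lower-case while the neighbouring task is `Install etcd`; `- name: Setup firewall` keeps the naming consistent. The include runs before the package is installed, which is fine for a firewall rule, but a one-line comment saying so would save the next reader from wondering whether the order matters.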
