From 26c108b1746bf4d6e0199e6a13bb121a835c5a96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Andr=C3=A9?= <m.andre@redhat.com>
Date: Fri, 28 Sep 2018 08:49:22 +0200
Subject: [PATCH] Let openshift-ansible configure the firewall

Openshift-ansible already sets the required firewall rules on the
provisioned nodes, so there is no need to set up (some of) those rules
ourselves.

Add the 'OS::TripleO::Services::TripleoFirewall' to all the OpenShift
roles so that the operator can still set additional rules if desired.

Change-Id: I1e8ca10069c3f1017207abfebb803cb7aa3835a8
---
 extraconfig/services/openshift-cns.yaml    | 12 ------------
 extraconfig/services/openshift-master.yaml |  9 ---------
 extraconfig/services/openshift-worker.yaml | 12 +-----------
 roles/OpenShiftInfra.yaml                  |  1 +
 roles/OpenShiftWorker.yaml                 |  1 +
 5 files changed, 3 insertions(+), 32 deletions(-)

diff --git a/extraconfig/services/openshift-cns.yaml b/extraconfig/services/openshift-cns.yaml
index 669f93424e..d6eca2abe3 100644
--- a/extraconfig/services/openshift-cns.yaml
+++ b/extraconfig/services/openshift-cns.yaml
@@ -84,18 +84,6 @@ outputs:
       # as cns. The actual installation is performed in
       # openshift-master service template.
       service_name: openshift_glusterfs
-      config_settings:
-        tripleo.openshift_glusterfs.firewall_rules:
-          '200 openshift-glusterfs kubelet':
-            dport:
-              - 2222
-              - 3260
-              - 10250
-              - 24008
-              - 24010
-            proto: tcp
-          '200 openshift-glusterfs external services':
-            dport: '49152-49251'
       host_prep_tasks:
         - name: Wipe the configured disks
           shell: |
diff --git a/extraconfig/services/openshift-master.yaml b/extraconfig/services/openshift-master.yaml
index aeb75b8edd..4d439809f5 100644
--- a/extraconfig/services/openshift-master.yaml
+++ b/extraconfig/services/openshift-master.yaml
@@ -127,15 +127,6 @@ outputs:
         map_merge:
           - get_attr: [OpenShiftNode, role_data, config_settings]
           - tripleo::keepalived::virtual_router_id_base: 100
-            tripleo.openshift_master.firewall_rules:
-              '200 openshift-master api':
-                dport: 6443
-                proto: tcp
-              '200 openshift-master etcd':
-                dport:
-                  - 2379
-                  - 2380
-                proto: tcp
       upgrade_tasks: []
       step_config: ''
       external_deploy_tasks:
diff --git a/extraconfig/services/openshift-worker.yaml b/extraconfig/services/openshift-worker.yaml
index 3ff17501f4..83604c2e2b 100644
--- a/extraconfig/services/openshift-worker.yaml
+++ b/extraconfig/services/openshift-worker.yaml
@@ -54,17 +54,7 @@ outputs:
     description: Role data for the Openshift Service
     value:
       service_name: openshift_worker
-      config_settings:
-        map_merge:
-          - get_attr: [OpenShiftNode, role_data, config_settings]
-          - tripleo.openshift_worker.firewall_rules:
-              '200 openshift-worker kubelet':
-                dport:
-                  - 10250
-                  - 10255
-                proto: tcp
-              '200 openshift-worker external services':
-                dport: '30000-32767'
+      config_settings: {get_attr: [OpenShiftNode, role_data, config_settings]}
       upgrade_tasks: []
       step_config: ''
       external_deploy_tasks:
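Review bot: The worker template now carries no firewall rules of its own, but nothing in the file records that this is deliberate, so a later contributor may well re-add a `tripleo.openshift_worker.firewall_rules` entry (the removed NodePort range 30000-32767 and kubelet 10250 are the obvious candidates) and end up with two owners of the same ports. A comment above the new `config_settings` line, in the style the cns template already uses for its "actual installation is performed in" remark, would prevent that: `# Firewall rules for the worker are managed by openshift-ansible; do not add tripleo.openshift_worker.firewall_rules here.` The `outputs` mapping continues beyond the hunk.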
diff --git a/roles/OpenShiftInfra.yaml b/roles/OpenShiftInfra.yaml
index de52d6ec36..7018925327 100644
--- a/roles/OpenShiftInfra.yaml
+++ b/roles/OpenShiftInfra.yaml
@@ -25,3 +25,4 @@
     - OS::TripleO::Services::Rhsm
     - OS::TripleO::Services::Sshd
     - OS::TripleO::Services::Timesync
+    - OS::TripleO::Services::TripleoFirewall
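Review bot: The commit message says TripleoFirewall is added to all the OpenShift roles, but the diffstat touches only roles/OpenShiftInfra.yaml and roles/OpenShiftWorker.yaml; roles/OpenShiftMaster.yaml is not in this patch. If the master role already lists `OS::TripleO::Services::TripleoFirewall`, a sentence in the message saying so would settle the question; otherwise master nodes become the one role where an operator cannot add extra rules after this change, and the same line belongs there. The placement after Timesync keeps the list's alphabetical order, which is fine.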
diff --git a/roles/OpenShiftWorker.yaml b/roles/OpenShiftWorker.yaml
index 01d4ca187a..4d2c3a4856 100644
--- a/roles/OpenShiftWorker.yaml
+++ b/roles/OpenShiftWorker.yaml
@@ -25,3 +25,4 @@
     - OS::TripleO::Services::Rhsm
     - OS::TripleO::Services::Sshd
     - OS::TripleO::Services::Timesync
+    - OS::TripleO::Services::TripleoFirewall
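Review bot: Adding TripleoFirewall to the worker role makes two components write to the node's iptables: puppet-tripleo for the base policy and any operator rules, and openshift-ansible for the OpenShift ports the commit now relies on. On other TripleO roles the TripleoFirewall service presumably ends the INPUT chain with a catch-all drop, so it is worth confirming, and stating in the commit message, that openshift-ansible runs after the puppet step and inserts its accepts ahead of that drop rather than appending behind it, and that a later stack update's puppet run does not purge the openshift-ansible rules. A short comment on the new line would also help the next reader: `# Base policy and operator-defined extra rules only; OpenShift ports are opened by openshift-ansible.`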