Merge pull request openstack-k8s-operators#800 from yadneshk/configure_kepler_firewall

Add firewall rule to include Kepler port

Author: openshift-merge-bot[bot]

roles/edpm_telemetry_power_monitoring/molecule/default/prepare.yml

@@ -67,6 +67,25 @@
       become: true
       command: groupadd libvirt
 
+    - name: Create firewall directory
+      become: true
+      ansible.builtin.file:
+        path: "/var/lib/edpm-config/firewall"
+        state: directory
+        owner: root
+        group: root
+        mode: '0750'
+
+    - name: open port 22 (edpm_nftables will active this later)
+      become: true
+      ansible.builtin.copy:
+        dest: /var/lib/edpm-config/firewall/sshd-networks.yaml
+        content: |
+          - rule_name: 003 Allow SSH
+            rule:
+              proto: tcp
+              dport: 22
+
     - name: Create ceilometer.conf
       become: true
       ansible.builtin.copy:

roles/edpm_telemetry_power_monitoring/molecule/default/test-helpers/kepler.yaml

@@ -0,0 +1,22 @@
+- name: kepler rule source file exists
+  become: true
+  ansible.builtin.stat:
+    path: "/var/lib/edpm-config/firewall/kepler.yaml"
+  register: kepler_rule_source_exists
+- name: Assert kepler rule source file exists
+  ansible.builtin.assert:
+    that:
+      - kepler_rule_source_exists.stat.exists
+    fail_msg: "kepler rule source file does not exist"
+
+- name: verify vnc nftables firewall rules
+  block:
+    - name: Run nft list command and grep for Kepler rule in EDPM_INPUT chain
+      become: true
+      ansible.builtin.shell: nft list table inet filter | awk '/chain EDPM_INPUT {/,/}/' | grep Kepler
+      register: kepler_chain_exists
+    - name: Assert that output from greping for VNC contains the correct rule
+      assert:
+        that:
+          - item | regex_search('\s+tcp dport 8888 ct state new counter packets \d+ bytes \d+ accept comment\s+')
+      loop: "{{ kepler_chain_exists.stdout_lines }}"

roles/edpm_telemetry_power_monitoring/molecule/default/verify.yml

@@ -50,3 +50,6 @@
         - "Copying /var/lib/openstack/config/polling.yaml to /etc/ceilometer/polling.yaml"
         - "/usr/bin/ceilometer-polling --polling-namespaces ipmi --logfile /dev/stdout"
         - "Copying /var/lib/openstack/config/ceilometer-host-specific.conf to /etc/ceilometer/ceilometer.conf.d/02-ceilometer-host-specific.conf"
+
+    - name: ensure firewall is configured
+      ansible.builtin.include_tasks: "test-helpers/kepler.yaml"

roles/edpm_telemetry_power_monitoring/tasks/main.yml

@@ -22,3 +22,6 @@
 
 - name: Install telemetry power monitoring services
   ansible.builtin.import_tasks: install.yml
+
+- name: Post-install
+  ansible.builtin.include_tasks: post-install.yml

roles/edpm_telemetry_power_monitoring/tasks/post-install.yml

@@ -0,0 +1,26 @@
+---
+- name: Ensure firewall directory is present
+  become: true
+  ansible.builtin.file:
+    path: "/var/lib/edpm-config/firewall/"
+    state: directory
+    owner: root
+    group: root
+    mode: '0750'
+
+- name: Copy kepler firewall config
+  become: true
+  ansible.builtin.template:
+    src: "firewall.yaml.j2"
+    dest: "/var/lib/edpm-config/firewall/kepler.yaml"
+    mode: "0640"
+
+- name: Configure firewall for kepler
+  ansible.builtin.include_role:
+    name: osp.edpm.edpm_nftables
+    tasks_from: "configure.yml"
+
+- name: Reload firewall for kepler
+  ansible.builtin.include_role:
+    name: osp.edpm.edpm_nftables
+    tasks_from: "run.yml"

roles/edpm_telemetry_power_monitoring/templates/firewall.yaml.j2

@@ -0,0 +1,7 @@
+---
+# Generated via edpm_telemetry_power_monitoring
+- rule_name: 000 Allow Kepler traffic
+  rule:
+    proto: tcp
+    dport:
+     - "8888"