Add firewall config from another deployment

Author: markgoddard

etc/kayobe/compute.yml

@@ -160,6 +160,9 @@ compute_firewalld_rules:
   # GENEVE
   - port: 6081/udp
     zone: tunnel
+  # VXLAN
+  - port: 4789/udp
+    zone: tunnel
 
 ###############################################################################
 # Compute node host libvirt configuration.

etc/kayobe/controllers.yml

@@ -175,6 +175,9 @@ controller_firewalld_rules:
     zone: provision_wl
   - port: 8089/tcp
     zone: provision_wl
+  - service: cockpit
+    state: disabled
+    zone: public
   - service: dhcpv6-client
     state: disabled
     zone: public
@@ -194,6 +197,12 @@ controller_firewalld_rules:
   # GENEVE
   - port: 6081/udp
     zone: tunnel
+  # VXLAN
+  - port: 4789/udp
+    zone: tunnel
+  # Octavia
+  - port: 5555/udp
+    zone: lb_mgmt
 
 ###############################################################################
 # Controller node swap configuration.

etc/kayobe/monitoring.yml

@@ -99,22 +99,26 @@
 # Monitoring node firewalld configuration.
 
 # Whether to install and enable firewalld.
-#monitoring_firewalld_enabled:
+monitoring_firewalld_enabled: true
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
-#monitoring_firewalld_zones:
+monitoring_firewalld_zones:
+  - zone: admin_oc
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
-#monitoring_firewalld_default_zone:
+# FIXME: Try drop
+monitoring_firewalld_default_zone: trusted
 
 # A list of firewall rules to apply. Each item is a dict containing arguments
 # to pass to the firewalld module. Arguments are omitted if not provided, with
 # the following exceptions:
 # - offline: true
 # - permanent: true
 # - state: enabled
-#monitoring_firewalld_rules:
+monitoring_firewalld_rules:
+  - service: ssh
+    zone: admin_oc
 
 ###############################################################################
 # Monitoring node swap configuration.