@@ -28,7 +28,7 @@ stackhpc_firewalld_rules: |
2828 {% set stackhpc_firewalld_rules_verified = [] %}
2929 {% for rule in stackhpc_firewalld_rules_unverified | unique %}
3030 {% if rule | ansible.utils.remove_keys('state') in stackhpc_firewalld_rules_verified | map('ansible.utils.remove_keys', 'state') %}
31- {% set stackhpc_firewalld_rules_verified = 'Invalid configuration! Two matching firewalld rules exist with different states' + 1 %}
31+ {% set stackhpc_firewalld_rules_verified = 'Invalid configuration! Two matching firewalld rules probably exist with different states' + 1 %}
3232 {% elif rule.network in network_interfaces and rule.network | net_zone is not none %}
3333 {% set _ = stackhpc_firewalld_rules_verified.append(rule) %}
3434 {% endif %}
@@ -78,17 +78,17 @@ stackhpc_common_firewalld_rules_template:
7878 - service: dhcpv6-client
7979 network: "{{ public_net_name }}"
8080 state: disabled
81- enabled: "{{ 'public' in stackhpc_firewalld_zones }}"
81+ enabled: "{{ public_net_name | net_zone in stackhpc_firewalld_zones }}"
8282 - rules:
8383 - service: ssh
8484 network: "{{ public_net_name }}"
8585 state: disabled
86- enabled: "{{ 'public' in stackhpc_firewalld_zones && admin_oc_net_name | net_zone != 'public' }}"
86+ enabled: "{{ public_net_name | net_zone in stackhpc_firewalld_zones and admin_oc_net_name | net_zone != public_net_name | net_zone }}"
8787
8888stackhpc_common_firewalld_rules_extra: []
8989
9090###############################################################################
91- # Common firewalld rules
91+ # Controller firewalld rules
9292
9393stackhpc_controller_firewalld_rules: "{{ stackhpc_controller_firewalld_rules_default + stackhpc_controller_firewalld_rules_extra }}"
9494
@@ -142,6 +142,39 @@ stackhpc_controller_firewalld_rules_template:
142142 network: "{{ public_net_name }}"
143143 state: enabled
144144 enabled: "{{ kolla_enable_designate | bool }}"
145+ # Vault & Consul
146+ - rules:
147+ - port: 8200/tcp
148+ network: "{{ internal_net_name }}"
149+ state: enabled
150+ - port: 8300/tcp
151+ network: "{{ internal_net_name }}"
152+ state: enabled
153+ - port: 8301/tcp
154+ network: "{{ internal_net_name }}"
155+ state: enabled
156+ - port: 8301/udp
157+ network: "{{ internal_net_name }}"
158+ state: enabled
159+ - port: 8302/tcp
160+ network: "{{ internal_net_name }}"
161+ state: enabled
162+ - port: 8302/udp
163+ network: "{{ internal_net_name }}"
164+ state: enabled
165+ - port: 8500/tcp
166+ network: "{{ internal_net_name }}"
167+ state: enabled
168+ - port: 8501/tcp
169+ network: "{{ internal_net_name }}"
170+ state: enabled
171+ - port: 8600/tcp
172+ network: "{{ internal_net_name }}"
173+ state: enabled
174+ - port: 8600/udp
175+ network: "{{ internal_net_name }}"
176+ state: enabled
177+ enabled: true # FIXME add condition
145178 # GENEVE
146179 - rules:
147180 - port: 6081/udp
@@ -386,7 +419,7 @@ stackhpc_seed_firewalld_rules_template:
386419 - port: 9610/tcp
387420 network: "{{ provision_oc_net_name }}"
388421 state: enabled
389- enabled: "{{ stackhpc_enable_redfish_exporter }}"
422+ enabled: "{{ stackhpc_enable_redfish_exporter | default(false) }}"
390423
391424stackhpc_seed_firewalld_rules_extra: []
392425
0 commit comments