Post-review changes 2

Author: Alex-Welsh

doc/source/configuration/firewall.rst

@@ -39,3 +39,15 @@ sets exist for the following groups:
 * Ansible Control host Infrastructure VM - ``stackhpc_ansible_control_infra_vm_firewalld_rules``
 * Seed - ``stackhpc_seed_firewalld_rules``
 * Seed Hypervisor - ``stackhpc_seed_hypervisor_firewalld_rules``
+
+The ``kayobe configuration dump`` command can be used to view all the rules
+that will be applied to a host.
+
+.. code-block:: bash
+
+   kayobe configuration dump --var-name stackhpc_firewalld_rules --limit <host>
+
+If the command above prints a template, rather than a clean list of rules, the
+configuration is invalid. The kayobe configuration dump command can be used on
+other variables such as ``stackhpc_firewalld_rules_unverified`` or
+``stackhpc_*_firewalld_rules`` to debug the configuration.

etc/kayobe/environments/ci-aio/kolla/globals.yml

@@ -14,3 +14,6 @@ opensearch_heap_size: 200m
 
 # Increase Grafana timeout
 grafana_start_first_node_retries: 20
+
+# Open up ports in firewalld for services on the public API network.
+enable_external_api_firewalld: true

etc/kayobe/environments/ci-multinode/kolla/globals.yml

@@ -44,3 +44,6 @@ designate_ns_record:
 designate_backend: "bind9"
 designate_recursion: "yes"
 designate_forwarders_addresses: "1.1.1.1; 8.8.8.8"
+
+# Open up ports in firewalld for services on the public API network.
+enable_external_api_firewalld: true

etc/kayobe/inventory/group_vars/all/firewall

@@ -89,7 +89,7 @@ stackhpc_controller_firewalld_rules_template:
       - service: ssh
         network: "{{ public_net_name }}"
         state: disabled
-    enabled: "{{ public_net_name | net_zone != provision_oc_net_name | net_zone }}"
+    enabled: "{{ public_net_name | net_zone != admin_oc_net_name | net_zone }}"
   # Designate
   - rules:
       - port: 53/tcp
@@ -128,7 +128,7 @@ stackhpc_controller_firewalld_rules_template:
       - port: 8089/tcp
         network: "{{ provision_wl_net_name }}"
         state: enabled
-    enabled: "{{ kolla_enable_octavia | bool }}"
+    enabled: "{{ kolla_enable_ironic | bool }}"
 
 stackhpc_controller_firewalld_rules_extra: []
 
@@ -164,7 +164,7 @@ stackhpc_compute_firewalld_rules_template:
       - service: ssh
         network: "{{ public_net_name }}"
         state: disabled
-    enabled: "{{ public_net_name | net_zone != provision_oc_net_name | net_zone }}"
+    enabled: "{{ public_net_name | net_zone != admin_oc_net_name | net_zone }}"
   # GENEVE
   - rules:
       - port: 6081/udp
@@ -204,24 +204,25 @@ stackhpc_storage_firewalld_rules_template:
       - service: ssh
         network: "{{ admin_oc_net_name }}"
         state: enabled
+    enabled: true
+  # Ceph Prometheus exporter
+  - rules:
       - port: 9283/tcp
         network: "{{ provision_oc_net_name }}"
         state: enabled
-    enabled: true
-  - rules:
-      - service: ssh
-        network: "{{ storage_net_name }}"
-        state: disabled
-    enabled: "{{ storage_net_name | net_zone != provision_oc_net_name | net_zone }}"
+    enabled: "{{ kolla_enable_prometheus_ceph_mgr_exporter and 'mgrs' in group_names }}"
   # Ceph
   - rules:
       - service: ceph
         network: "{{ storage_net_name }}"
         state: enabled
+      - service: ceph
+        network: "{{ storage_mgmt_net_name }}"
+        state: enabled
       - service: ceph-mon
         network: "{{ storage_net_name }}"
         state: "{{ 'enabled' if 'mons' in group_names else 'disabled' }}"
-    enabled: "{{ stackhpc_enable_ceph | default(false) | bool }}"
+    enabled: "{{ 'ceph' in group_names }}"
 
 stackhpc_storage_firewalld_rules_extra: []
 
@@ -369,14 +370,10 @@ stackhpc_seed_firewalld_rules_template:
       - service: ssh
         state: disabled
         network: "{{ public_net_name }}"
-    enabled: "{{ public_net_name | net_zone != provision_oc_net_name | net_zone }}"
+    enabled: "{{ public_net_name | net_zone != admin_oc_net_name | net_zone }}"
   # Pulp server
   - rules:
-      - service: http
-        network: "{{ provision_oc_net_name }}"
-        state: enabled
-      # nginx
-      - port: 8080/tcp
+      - service: "{{ pulp_port }}/tcp"
         network: "{{ provision_oc_net_name }}"
         state: enabled
     enabled: "{{ seed_pulp_container_enabled | bool }}"
@@ -388,6 +385,10 @@ stackhpc_seed_firewalld_rules_template:
     enabled: "{{ seed_squid_container_enabled | bool }}"
   # Ironic
   - rules:
+      # nginx
+      - port: 8080/tcp
+        network: "{{ provision_oc_net_name }}"
+        state: enabled
       # Ironic inspector API
       - port: 5050/tcp
         network: "{{ provision_oc_net_name }}"

etc/kayobe/kolla/globals.yml

@@ -53,6 +53,3 @@ prometheus_instance_label: "{% raw %}{{ ansible_facts.hostname }}{% endraw %}"
 # in Yoga. This is required to include a valid value for the flavor_id label on
 # openstack_nova_server_status metrics.
 prometheus_openstack_exporter_compute_api_version: "2.1"
-
-# Open up ports in firewalld for services on the public API network.
-enable_external_api_firewalld: true