More MN testing changes, more PR review changes

Alex-Welsh · Alex-Welsh · commit 73f06d167367 · 2024-04-24T10:18:03.000+01:00
diff --git a/doc/source/configuration/firewall.rst b/doc/source/configuration/firewall.rst
@@ -27,12 +27,6 @@ follows:
    # Unset to leave the default zone unchanged
    controller_firewalld_default_zone: drop
 
-.. code-block:: yaml
-   :caption: ``etc/kayobe/kolla/globals.yml``
-
-   # Open up ports in firewalld for services on the public API network.
-   enable_external_api_firewalld: true
-
 This will configure the standard set of firewalld rules on controller hosts.
 Rule definitions are automatically added according to group membership. Rule
 sets exist for the following groups:
@@ -57,3 +51,17 @@ If the command above prints a template, rather than a clean list of rules, the
 configuration is invalid. The kayobe configuration dump command can be used on
 other variables such as ``stackhpc_firewalld_rules_unverified`` or
 ``stackhpc_*_firewalld_rules`` to debug the configuration.
+
+Ensure Kolla Ansible opens up ports in firewalld for services on the public
+API network:
+
+.. code-block:: yaml
+   :caption: ``etc/kayobe/kolla/globals.yml``
+
+   enable_external_api_firewalld: true
+   external_api_firewalld_zone: "{{ public_net_name | net_zone }}"
+
+Ensure every network in ``networks.yml`` has a zone defined. The standard
+configuration is to set the internal network zone to ``trusted`` and every
+other zone to the name of the network. See
+``etc/kayobe/environments/ci-multinode/networks.yml`` for a practical example.
diff --git a/etc/kayobe/environments/ci-multinode/kolla/globals.yml b/etc/kayobe/environments/ci-multinode/kolla/globals.yml
@@ -47,3 +47,4 @@ designate_forwarders_addresses: "1.1.1.1; 8.8.8.8"
 
 # Open up ports in firewalld for services on the public API network.
 enable_external_api_firewalld: true
+external_api_firewalld_zone: "{{ public_net_name | net_zone }}"
diff --git a/etc/kayobe/environments/ci-multinode/networks.yml b/etc/kayobe/environments/ci-multinode/networks.yml
@@ -71,61 +71,64 @@ storage_mgmt_net_name: storage_mgmt
 ###############################################################################
 # Network definitions.
 
+# Admin overcloud network
+admin_oc_zone: "admin_oc"
+
 # Internal network
 internal_cidr: 192.168.37.0/24
 internal_mtu: "{{ ansible_facts.default_ipv4.mtu - 50 }}"
 internal_allocation_pool_start: 192.168.37.3
 internal_allocation_pool_end: 192.168.37.254
 internal_vlan: 101
-internal_zone: "internal_net_zone" 
+internal_zone: "trusted"
 
 # External network
 external_cidr: 192.168.38.0/24
 external_mtu: "{{ ansible_facts.default_ipv4.mtu - 50 }}"
 external_allocation_pool_start: 192.168.38.3
 external_allocation_pool_end: 192.168.38.128
 external_vlan: 102
-external_zone: "external_net_zone" 
+external_zone: "external"
 
 # Public network
 public_cidr: 192.168.39.0/24
 public_mtu: "{{ ansible_facts.default_ipv4.mtu - 50 }}"
 public_allocation_pool_start: 192.168.39.3
 public_allocation_pool_end: 192.168.39.254
 public_vlan: 103
-public_zone: "public_net_zone" 
+public_zone: "public"
 
 # Tunnel network
 tunnel_cidr: 192.168.40.0/24
 tunnel_mtu: "{{ ansible_facts.default_ipv4.mtu - 50 }}"
 tunnel_allocation_pool_start: 192.168.40.3
 tunnel_allocation_pool_end: 192.168.40.254
 tunnel_vlan: 104
-tunnel_zone: "tunnel_net_zone" 
+tunnel_zone: "tunnel"
 
 # Storage network
 storage_cidr: 192.168.41.0/24
 storage_mtu: "{{ ansible_facts.default_ipv4.mtu - 50 }}"
 storage_allocation_pool_start: 192.168.41.3
 storage_allocation_pool_end: 192.168.41.254
 storage_vlan: 105
-storage_zone: "storage_net_zone" 
+storage_zone: "storage"
 
 # Storage management network
 storage_mgmt_cidr: 192.168.42.0/24
 storage_mgmt_mtu: "{{ ansible_facts.default_ipv4.mtu - 50 }}"
 storage_mgmt_allocation_pool_start: 192.168.42.3
 storage_mgmt_allocation_pool_end: 192.168.42.254
 storage_mgmt_vlan: 106
-storage_mgmt_zone: "storage_mgmt_net_zone" 
+storage_mgmt_zone: "storage_mgmt"
 
 # Provision overcloud network
 provision_oc_cidr: 192.168.33.0/24
 provision_oc_mtu: "{{ ansible_facts.default_ipv4.mtu - 50 }}"
 provision_oc_allocation_pool_start: 192.168.33.128
 provision_oc_allocation_pool_end: 192.168.33.254
 provision_oc_vlan: 107
-provision_oc_zone: "provision_oc_net_zone" 
+provision_oc_zone: "provision_oc"
 
 ###############################################################################
 # Network virtual patch link configuration.
diff --git a/etc/kayobe/inventory/group_vars/all/firewall b/etc/kayobe/inventory/group_vars/all/firewall
@@ -18,7 +18,7 @@ stackhpc_firewalld_zones: |
   {% set _ = network_zones.append({'zone': network | net_zone }) %}
   {% endif %}
   {% endfor %}
-  {{ network_zones }}
+  {{ network_zones | unique }}
 
 # A templated list of firewalld rules, according to the enabled services,
 # host's group membership, and host's network configuration.
@@ -29,7 +29,7 @@ stackhpc_firewalld_rules: |
   {% for rule in stackhpc_firewalld_rules_unverified | unique %}
   {% if rule | ansible.utils.remove_keys('state') in stackhpc_firewalld_rules_verified | map('ansible.utils.remove_keys', 'state') %}
   {% set stackhpc_firewalld_rules_verified = 'Invalid configuration! Two matching firewalld rules probably exist with different states' + 1 %}
-  {% elif rule.network in network_interfaces and rule.network | net_zone is not none %}
+  {% elif rule.network in network_interfaces and rule.network | net_zone %}
   {% set _ = stackhpc_firewalld_rules_verified.append(rule) %}
   {% endif %}
   {% endfor %}
@@ -56,7 +56,7 @@ stackhpc_common_firewalld_rules: "{{ stackhpc_common_firewalld_rules_default + s
 stackhpc_common_firewalld_rules_default: |
   {% set stackhpc_common_firewalld_rules_formatted = [] %}
   {% for ruleset in stackhpc_common_firewalld_rules_template %}
-  {% if ruleset.enabled %}
+  {% if ruleset.enabled | bool %}
   {% for rule in ruleset.rules %}
   {% set _ = stackhpc_common_firewalld_rules_formatted.append(rule | combine({'zone': rule.network | net_zone })) %}
   {% endfor %}
@@ -78,12 +78,12 @@ stackhpc_common_firewalld_rules_template:
       - service: dhcpv6-client
         network: "{{ public_net_name }}"
         state: disabled
-    enabled: "{{ public_net_name | net_zone in stackhpc_firewalld_zones }}"
+    enabled: "{{ {'zone': public_net_name | net_zone} in firewalld_zones }}"
   - rules:
       - service: ssh
         network: "{{ public_net_name }}"
         state: disabled
-    enabled: "{{ public_net_name | net_zone in stackhpc_firewalld_zones and admin_oc_net_name | net_zone != public_net_name | net_zone }}"
+    enabled: "{{ {'zone': 'public' | net_zone} in firewalld_zones and admin_oc_net_name | net_zone != public_net_name | net_zone }}"
 
 stackhpc_common_firewalld_rules_extra: []
 
@@ -95,7 +95,7 @@ stackhpc_controller_firewalld_rules: "{{ stackhpc_controller_firewalld_rules_def
 stackhpc_controller_firewalld_rules_default: |
   {% set stackhpc_controller_firewalld_rules_formatted = [] %}
   {% for ruleset in stackhpc_controller_firewalld_rules_template %}
-  {% if ruleset.enabled %}
+  {% if ruleset.enabled | bool %}
   {% for rule in ruleset.rules %}
   {% set _ = stackhpc_controller_firewalld_rules_formatted.append(rule | combine({'zone': rule.network | net_zone })) %}
   {% endfor %}
@@ -126,7 +126,7 @@ stackhpc_controller_firewalld_rules_template:
       - service: tftp
         network: "{{ provision_wl_net_name }}"
         state: enabled
-    enabled: "{{ kolla_enable_ironic }}"
+    enabled: "{{ kolla_enable_ironic | bool }}"
   # Designate
   - rules:
       - port: 53/tcp
@@ -142,39 +142,6 @@ stackhpc_controller_firewalld_rules_template:
         network: "{{ public_net_name }}"
         state: enabled
     enabled: "{{ kolla_enable_designate | bool }}"
-  # Vault & Consul
-  - rules:
-      - port: 8200/tcp
-        network: "{{ internal_net_name }}"
-        state: enabled
-      - port: 8300/tcp
-        network: "{{ internal_net_name }}"
-        state: enabled
-      - port: 8301/tcp
-        network: "{{ internal_net_name }}"
-        state: enabled
-      - port: 8301/udp
-        network: "{{ internal_net_name }}"
-        state: enabled
-      - port: 8302/tcp
-        network: "{{ internal_net_name }}"
-        state: enabled
-      - port: 8302/udp
-        network: "{{ internal_net_name }}"
-        state: enabled
-      - port: 8500/tcp
-        network: "{{ internal_net_name }}"
-        state: enabled
-      - port: 8501/tcp
-        network: "{{ internal_net_name }}"
-        state: enabled
-      - port: 8600/tcp
-        network: "{{ internal_net_name }}"
-        state: enabled
-      - port: 8600/udp
-        network: "{{ internal_net_name }}"
-        state: enabled
-    enabled: true # FIXME add condition
   # GENEVE
   - rules:
       - port: 6081/udp
@@ -190,7 +157,7 @@ stackhpc_controller_firewalld_rules_template:
   # Octavia
   - rules:
       - port: 5555/udp
-        network: "{{ octavia_net_name }}"
+        network: "{{ octavia_net_name | default(public_net_name) }}"
         state: enabled
     enabled: "{{ kolla_enable_octavia | bool }}"
 
@@ -204,9 +171,9 @@ stackhpc_compute_firewalld_rules: "{{ stackhpc_compute_firewalld_rules_default +
 stackhpc_compute_firewalld_rules_default: |
   {% set stackhpc_compute_firewalld_rules_formatted = [] %}
   {% for ruleset in stackhpc_compute_firewalld_rules_template %}
-  {% if ruleset.enabled %}
+  {% if ruleset.enabled | bool %}
   {% for rule in ruleset.rules %}
-  {% if rule.network in network_interfaces and rule.network | net_zone is not none %}
+  {% if rule.network in network_interfaces and rule.network | net_zone %}
   {% set _ = stackhpc_compute_firewalld_rules_formatted.append(rule | combine({'zone': rule.network | net_zone })) %}
   {% endif %}
   {% endfor %}
@@ -238,9 +205,9 @@ stackhpc_storage_firewalld_rules: "{{ stackhpc_storage_firewalld_rules_default +
 stackhpc_storage_firewalld_rules_default: |
   {% set stackhpc_storage_firewalld_rules_formatted = [] %}
   {% for ruleset in stackhpc_storage_firewalld_rules_template %}
-  {% if ruleset.enabled %}
+  {% if ruleset.enabled | bool %}
   {% for rule in ruleset.rules %}
-  {% if rule.network in network_interfaces and rule.network | net_zone is not none %}
+  {% if rule.network in network_interfaces and rule.network | net_zone %}
   {% set _ = stackhpc_storage_firewalld_rules_formatted.append(rule | combine({'zone': rule.network | net_zone })) %}
   {% endif %}
   {% endfor %}
@@ -254,7 +221,7 @@ stackhpc_storage_firewalld_rules_template:
       - port: 9283/tcp
         network: "{{ provision_oc_net_name }}"
         state: enabled
-    enabled: "{{ kolla_enable_prometheus_ceph_mgr_exporter and 'mgrs' in group_names }}"
+    enabled: "{{ kolla_enable_prometheus_ceph_mgr_exporter | bool | default(false) and 'mgrs' in group_names }}"
   # Ceph
   - rules:
       - service: ceph
@@ -278,9 +245,9 @@ stackhpc_monitoring_firewalld_rules: "{{ stackhpc_monitoring_firewalld_rules_def
 stackhpc_monitoring_firewalld_rules_default: |
   {% set stackhpc_monitoring_firewalld_rules_formatted = [] %}
   {% for ruleset in stackhpc_monitoring_firewalld_rules_template %}
-  {% if ruleset.enabled %}
+  {% if ruleset.enabled | bool %}
   {% for rule in ruleset.rules %}
-  {% if rule.network in network_interfaces and rule.network | net_zone is not none %}
+  {% if rule.network in network_interfaces and rule.network | net_zone %}
   {% set _ = stackhpc_monitoring_firewalld_rules_formatted.append(rule | combine({'zone': rule.network | net_zone })) %}
   {% endif %}
   {% endfor %}
@@ -300,9 +267,9 @@ stackhpc_wazuh_manager_infra_vm_firewalld_rules: "{{ stackhpc_wazuh_manager_infr
 stackhpc_wazuh_manager_infra_vm_firewalld_rules_default: |
   {% set stackhpc_wazuh_manager_infra_vm_firewalld_rules_formatted = [] %}
   {% for ruleset in stackhpc_wazuh_manager_infra_vm_firewalld_rules_template %}
-  {% if ruleset.enabled %}
+  {% if ruleset.enabled | bool %}
   {% for rule in ruleset.rules %}
-  {% if rule.network in network_interfaces and rule.network | net_zone is not none %}
+  {% if rule.network in network_interfaces and rule.network | net_zone %}
   {% set _ = stackhpc_wazuh_manager_infra_vm_firewalld_rules_formatted.append(rule | combine({'zone': rule.network | net_zone })) %}
   {% endif %}
   {% endfor %}
@@ -345,9 +312,9 @@ stackhpc_ansible_control_infra_vm_firewalld_rules: "{{ stackhpc_ansible_control_
 stackhpc_ansible_control_infra_vm_firewalld_rules_default: |
   {% set stackhpc_ansible_control_infra_vm_firewalld_rules_formatted = [] %}
   {% for ruleset in stackhpc_ansible_control_infra_vm_firewalld_rules_template %}
-  {% if ruleset.enabled %}
+  {% if ruleset.enabled | bool %}
   {% for rule in ruleset.rules %}
-  {% if rule.network in network_interfaces and rule.network | net_zone is not none %}
+  {% if rule.network in network_interfaces and rule.network | net_zone %}
   {% set _ = stackhpc_ansible_control_infra_vm_firewalld_rules_formatted.append(rule | combine({'zone': rule.network | net_zone })) %}
   {% endif %}
   {% endfor %}
@@ -367,9 +334,9 @@ stackhpc_seed_firewalld_rules: "{{ stackhpc_seed_firewalld_rules_default + stack
 stackhpc_seed_firewalld_rules_default: |
   {% set stackhpc_seed_firewalld_rules_formatted = [] %}
   {% for ruleset in stackhpc_seed_firewalld_rules_template %}
-  {% if ruleset.enabled %}
+  {% if ruleset.enabled | bool %}
   {% for rule in ruleset.rules %}
-  {% if rule.network in network_interfaces and rule.network | net_zone is not none %}
+  {% if rule.network in network_interfaces and rule.network | net_zone %}
   {% set _ = stackhpc_seed_firewalld_rules_formatted.append(rule | combine({'zone': rule.network | net_zone })) %}
   {% endif %}
   {% endfor %}
@@ -380,7 +347,7 @@ stackhpc_seed_firewalld_rules_default: |
 stackhpc_seed_firewalld_rules_template:
   # Pulp server
   - rules:
-      - service: "{{ pulp_port }}/tcp"
+      - port: "{{ pulp_port }}/tcp"
         network: "{{ provision_oc_net_name }}"
         state: enabled
     enabled: "{{ seed_pulp_container_enabled | bool }}"
@@ -420,6 +387,7 @@ stackhpc_seed_firewalld_rules_template:
         network: "{{ provision_oc_net_name }}"
         state: enabled
     enabled: "{{ stackhpc_enable_redfish_exporter | default(false) }}"
+  # TODO: Rules if SNAT enabled on seed
 
 stackhpc_seed_firewalld_rules_extra: []
 
@@ -431,9 +399,9 @@ stackhpc_seed_hypervisor_firewalld_rules: "{{ stackhpc_seed_hypervisor_firewalld
 stackhpc_seed_hypervisor_firewalld_rules_default: |
   {% set stackhpc_seed_hypervisor_firewalld_rules_formatted = [] %}
   {% for ruleset in stackhpc_seed_hypervisor_firewalld_rules_template %}
-  {% if ruleset.enabled %}
+  {% if ruleset.enabled | bool %}
   {% for rule in ruleset.rules %}
-  {% if rule.network in network_interfaces and rule.network | net_zone is not none %}
+  {% if rule.network in network_interfaces and rule.network | net_zone %}
   {% set _ = stackhpc_seed_hypervisor_firewalld_rules_formatted.append(rule | combine({'zone': rule.network | net_zone })) %}
   {% endif %}
   {% endfor %}
diff --git a/etc/kayobe/networks.yml b/etc/kayobe/networks.yml
@@ -60,7 +60,7 @@
 #cleaning_net_name:
 
 # Name of the network used to manage octavia loadbalancers
-octavia_net_name: ""
+#octavia_net_name:
 
 ###############################################################################
 # Network definitions.

Original file line number	Diff line number	Diff line change
`@@ -47,3 +47,4 @@ designate_forwarders_addresses: "1.1.1.1; 8.8.8.8"`
`47`	`47`
`48`	`48`	`# Open up ports in firewalld for services on the public API network.`
`49`	`49`	`enable_external_api_firewalld: true`
	`50`	`+external_api_firewalld_zone: "{{ public_net_name \| net_zone }}"`