Post-review changes

Author: Alex-Welsh

etc/kayobe/compute.yml

@@ -130,8 +130,17 @@ compute_firewalld_enabled: true
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
 compute_firewalld_zones: "{{ compute_firewalld_zones_default | union(compute_firewalld_zones_extra) | unique | select }}"
+
+compute_firewalld_zones_default: |
+  {% set network_zones = [] %}
+  {% for network in network_interfaces %}
+  {% if network | net_zone is not none %}
+  {% set _ = network_zones.append({'zone': network | net_zone }) %}
+  {% endif %}
+  {% endfor %}
+  {{ network_zones }}
+
 compute_firewalld_zones_extra: []
-compute_firewalld_zones_default: "{% set network_zones = [] %}{% for network in network_interfaces %}{% set _ = network_zones.append({'zone': network | net_zone}) %}{% endfor %}{{ network_zones }}"
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
@@ -146,37 +155,41 @@ compute_firewalld_default_zone: trusted
 # - state: enabled
 
 compute_firewalld_rules: "{{ compute_firewalld_rules_default | selectattr('enabled', 'true') | map(attribute='rules') | flatten | selectattr('network', 'in', network_interfaces) | selectattr('zone') | union(compute_firewalld_rules_extra) | unique | select }}"
-compute_firewalld_rules_extra: []
+
 compute_firewalld_rules_default:
   # Common
   - rules:
       - service: ssh
         state: enabled
-        zone: "{{ provision_oc_net_name | net_zone}}"
+        zone: "{{ admin_oc_net_name | net_zone }}"
         network: "{{ provision_oc_net_name }}"
       - service: dhcpv6-client
         state: disabled
-        zone: "{{ public_net_name | net_zone}}"
+        zone: "{{ public_net_name | net_zone }}"
         network: "{{ public_net_name }}"
+    enabled: true
+  - rules:
       - service: ssh
         state: disabled
-        zone: "{{ public_net_name | net_zone}}"
+        zone: "{{ public_net_name | net_zone }}"
         network: "{{ public_net_name }}"
-    enabled: true
+    enabled: "{{ public_net_name | net_zone != admin_oc_net_name | net_zone }}"
   # GENEVE
   - rules:
       - port: 6081/udp
         state: enabled
-        zone: "{{ tunnel_net_name | net_zone}}"
+        zone: "{{ tunnel_net_name | net_zone }}"
         network: "{{ tunnel_net_name }}"
-    enabled: "{{ ('geneve' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types)) | bool }}"
+    enabled: "{{ 'geneve' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types) and 'network' in group_names }}"
   # VXLAN
   - rules:
       - port: 4789/udp
         state: enabled
-        zone: "{{ tunnel_net_name | net_zone}}"
+        zone: "{{ tunnel_net_name | net_zone }}"
         network: "{{ tunnel_net_name }}"
-    enabled: "{{ ('vxlan' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types)) | bool }}"
+    enabled: "{{ 'vxlan' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types) and 'network' in group_names }}"
+
+compute_firewalld_rules_extra: []
 
 ###############################################################################
 # Compute node host libvirt configuration.

etc/kayobe/controllers.yml

@@ -141,9 +141,18 @@
 controller_firewalld_enabled: true
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
-controller_firewalld_zones: "{{ controller_firewalld_zones_default | union(controller_firewalld_zones_extra) | unique | select }}"
+controller_firewalld_zones: "{{ controller_firewalld_zones_default | union(controller_firewalld_zones_extra) | unique }}"
+
+controller_firewalld_zones_default: |
+  {% set network_zones = [] %}
+  {% for network in network_interfaces %}
+  {% if network | net_zone is not none %}
+  {% set _ = network_zones.append({'zone': network | net_zone }) %}
+  {% endif %}
+  {% endfor %}
+  {{ network_zones }}
+
 controller_firewalld_zones_extra: []
-controller_firewalld_zones_default: "{% set network_zones = [] %}{% for network in network_interfaces %}{% set _ = network_zones.append({'zone': network | net_zone}) %}{% endfor %}{{ network_zones }}"
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
@@ -157,7 +166,7 @@ controller_firewalld_default_zone: trusted
 # - permanent: true
 # - state: enabled
 controller_firewalld_rules: "{{ controller_firewalld_rules_default | selectattr('enabled', 'true') | map(attribute='rules') | flatten | selectattr('network', 'in', network_interfaces) | selectattr('zone') | union(controller_firewalld_rules_extra) | unique | select }}"
-controller_firewalld_rules_extra: []
+
 controller_firewalld_rules_default:
   # Common
   - rules:
@@ -177,10 +186,6 @@ controller_firewalld_rules_default:
         zone: "{{ provision_wl_net_name | net_zone }}"
         network: "{{ provision_wl_net_name }}"
         state: enabled
-      - port: 8089/tcp
-        zone: "{{ provision_wl_net_name | net_zone }}"
-        network: "{{ provision_wl_net_name }}"
-        state: enabled
       - service: cockpit
         zone: "{{ public_net_name | net_zone }}"
         network: "{{ public_net_name }}"
@@ -219,21 +224,30 @@ controller_firewalld_rules_default:
         zone: "{{ tunnel_net_name | net_zone }}"
         network: "{{ tunnel_net_name }}"
         state: enabled
-    enabled: "{{ ('geneve' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types)) | bool }}"
+    enabled: "{{ 'geneve' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types) and 'network' in group_names }}"
   # VXLAN
   - rules:
       - port: 4789/udp
         zone: "{{ tunnel_net_name | net_zone }}"
         network: "{{ tunnel_net_name }}"
         state: enabled
-    enabled: "{{ ('vxlan' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types)) | bool }}"
+    enabled: "{{ 'vxlan' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types) and 'network' in group_names }}"
   # Octavia
   - rules:
       - port: 5555/udp
         zone: "{{ octavia_net_name | net_zone }}"
         network: "{{ octavia_net_name }}"
         state: enabled
     enabled: "{{ kolla_enable_octavia | bool }}"
+  # Overcloud Ironic
+  - rules:
+      - port: 8089/tcp
+        zone: "{{ provision_wl_net_name | net_zone }}"
+        network: "{{ provision_wl_net_name }}"
+        state: enabled
+    enabled: "{{ kolla_enable_octavia | bool }}"
+
+controller_firewalld_rules_extra: []
 
 ###############################################################################
 # Controller node swap configuration.

etc/kayobe/inventory/group_vars/ansible-control/infra-vm

@@ -7,8 +7,17 @@ infra_vm_firewalld_enabled: true
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
 infra_vm_firewalld_zones: "{{ infra_vm_firewalld_zones_default | union(infra_vm_firewalld_zones_extra) | unique | select }}"
+
+infra_vm_firewalld_zones_default: |
+  {% set network_zones = [] %}
+  {% for network in network_interfaces %}
+  {% if network | net_zone is not none %}
+  {% set _ = network_zones.append({'zone': network | net_zone }) %}
+  {% endif %}
+  {% endfor %}
+  {{ network_zones }}
+
 infra_vm_firewalld_zones_extra: []
-infra_vm_firewalld_zones_default: "{% set network_zones = [] %}{% for network in network_interfaces %}{% set _ = network_zones.append({'zone': network | net_zone}) %}{% endfor %}{{ network_zones }}"
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
@@ -21,15 +30,17 @@ infra_vm_firewalld_default_zone: drop
 # - permanent: true
 # - state: enabled
 infra_vm_firewalld_rules: "{{ infra_vm_firewalld_rules_default | selectattr('enabled', 'true') | map(attribute='rules') | flatten | selectattr('network', 'in', network_interfaces) | selectattr('zone') | union(infra_vm_firewalld_rules_extra) | unique | select }}"
-infra_vm_firewalld_rules_extra: []
+
 infra_vm_firewalld_rules_default:
   - rules:
     - service: ssh
-      zone: "{{ provision_oc_net_name | net_zone}}"
+      zone: "{{ provision_oc_net_name | net_zone }}"
       network: "{{ provision_oc_net_name }}"
       state: enabled
     - service: ssh
-      zone: "{{ switch_mgmt_net_name | net_zone}}"
+      zone: "{{ switch_mgmt_net_name | net_zone }}"
       network: "{{ switch_mgmt_net_name }}"
       state: enabled
     enabled: true
+
+infra_vm_firewalld_rules_extra: []

etc/kayobe/inventory/group_vars/wazuh-manager/infra-vm

@@ -2,16 +2,22 @@
 ###############################################################################
 # Infrastructure VM node firewalld configuration.
 
-# FIXME: Replace concrete names (provision_oc) with abstract net names ({{
-# provision_oc_net_name }}).
-
 # Whether to install and enable firewalld.
 infra_vm_firewalld_enabled: true
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
 infra_vm_firewalld_zones: "{{ infra_vm_firewalld_zones_default | union(infra_vm_firewalld_zones_extra) | unique | select }}"
+
+infra_vm_firewalld_zones_default: |
+  {% set network_zones = [] %}
+  {% for network in network_interfaces %}
+  {% if network | net_zone is not none %}
+  {% set _ = network_zones.append({'zone': network | net_zone }) %}
+  {% endif %}
+  {% endfor %}
+  {{ network_zones }}
+
 infra_vm_firewalld_zones_extra: []
-infra_vm_firewalld_zones_default: "{% set network_zones = [] %}{% for network in network_interfaces %}{% set _ = network_zones.append({'zone': network | net_zone}) %}{% endfor %}{{ network_zones }}"
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
@@ -24,15 +30,15 @@ infra_vm_firewalld_default_zone: drop
 # - permanent: true
 # - state: enabled
 infra_vm_firewalld_rules: "{{ infra_vm_firewalld_rules_default | selectattr('enabled', 'true') | map(attribute='rules') | flatten | selectattr('network', 'in', network_interfaces) | selectattr('zone') | union(infra_vm_firewalld_rules_extra) | unique | select }}"
-infra_vm_firewalld_rules_extra: []
+
 infra_vm_firewalld_rules_default:
   - rules:
       - service: ssh
-        zone: "{{ provision_oc_net_name | net_zone}}"
+        zone: "{{ provision_oc_net_name | net_zone }}"
         network: "{{ provision_oc_net_name }}"
         state: enabled
       - service: ssh
-        zone: "{{ switch_mgmt_net_name | net_zone}}"
+        zone: "{{ switch_mgmt_net_name | net_zone }}"
         network: "{{ switch_mgmt_net_name }}"
         state: enabled
       - port: 1514/tcp
@@ -64,3 +70,6 @@ infra_vm_firewalld_rules_default:
         network: "{{ provision_oc_net_name }}"
         state: enabled
     enabled: true
+
+infra_vm_firewalld_rules_extra: []
+

etc/kayobe/monitoring.yml

@@ -103,8 +103,17 @@ monitoring_firewalld_enabled: true
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
 monitoring_firewalld_zones: "{{ monitoring_firewalld_zones_default | union(monitoring_firewalld_zones_extra) | unique | select }}"
+
+monitoring_firewalld_zones_default: |
+  {% set network_zones = [] %}
+  {% for network in network_interfaces %}
+  {% if network | net_zone is not none %}
+  {% set _ = network_zones.append({'zone': network | net_zone }) %}
+  {% endif %}
+  {% endfor %}
+  {{ network_zones }}
+
 monitoring_firewalld_zones_extra: []
-monitoring_firewalld_zones_default: "{% set network_zones = [] %}{% for network in network_interfaces %}{% set _ = network_zones.append({'zone': network | net_zone}) %}{% endfor %}{{ network_zones }}"
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
@@ -118,7 +127,7 @@ monitoring_firewalld_default_zone: trusted
 # - permanent: true
 # - state: enabled
 monitoring_firewalld_rules: "{{ monitoring_firewalld_rules_default | selectattr('enabled', 'true') | map(attribute='rules') | flatten | selectattr('network', 'in', network_interfaces) | selectattr('zone') | union(monitoring_firewalld_rules_extra) | unique | select }}"
-monitoring_firewalld_extra: []
+
 monitoring_firewalld_default:
   - rules:
       - service: ssh
@@ -127,6 +136,8 @@ monitoring_firewalld_default:
         state: enabled
     enabled: true
 
+monitoring_firewalld_extra: []
+
 ###############################################################################
 # Monitoring node swap configuration.
 

etc/kayobe/seed.yml

@@ -167,8 +167,17 @@ seed_firewalld_enabled: true
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
 seed_firewalld_zones: "{{ seed_firewalld_zones_default | union(seed_firewalld_zones_extra) | unique | select }}"
+
+seed_firewalld_zones_default: |
+  {% set network_zones = [] %}
+  {% for network in network_interfaces %}
+  {% if network | net_zone is not none %}
+  {% set _ = network_zones.append({'zone': network | net_zone }) %}
+  {% endif %}
+  {% endfor %}
+  {{ network_zones }}
+
 seed_firewalld_zones_extra: []
-seed_firewalld_zones_default: "{% set network_zones = [] %}{% for network in network_interfaces %}{% set _ = network_zones.append({'zone': network | net_zone}) %}{% endfor %}{{ network_zones }}"
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
@@ -181,7 +190,7 @@ seed_firewalld_default_zone: drop
 # - permanent: true
 # - state: enabled
 seed_firewalld_rules: "{{ seed_firewalld_rules_default | selectattr('enabled', 'true') | map(attribute='rules') | flatten | selectattr('network', 'in', network_interfaces) | selectattr('zone') | union(seed_firewalld_rules_extra) | unique | select }}"
-seed_firewalld_rules_extra: []
+
 seed_firewalld_rules_default:
   # Common
   - rules:
@@ -201,20 +210,18 @@ seed_firewalld_rules_default:
         zone: "{{ provision_oc_net_name | net_zone }}"
         network: "{{ provision_oc_net_name }}"
         state: enabled
-      - service: ntp
-        zone: "{{ switch_mgmt_net_name | net_zone }}"
-        network: "{{ switch_mgmt_net_name }}"
-        state: enabled
       # Disable default services in public zone
       - service: dhcpv6-client
         state: disabled
         zone: "{{ public_net_name | net_zone }}"
         network: "{{ public_net_name }}"
+    enabled: true
+  - rules:
       - service: ssh
         state: disabled
         zone: "{{ public_net_name | net_zone }}"
         network: "{{ public_net_name }}"
-    enabled: true
+    enabled: "{{ public_net_name | net_zone != provision_oc_net_name | net_zone}}"
   # Pulp server
   - rules:
       - service: http
@@ -255,6 +262,8 @@ seed_firewalld_rules_default:
         state: enabled
     enabled: true
 
+seed_firewalld_rules_extra: []
+
 ###############################################################################
 # Seed node swap configuration.
 

etc/kayobe/storage.yml

@@ -138,8 +138,17 @@ storage_firewalld_enabled: true
 
 # A list of zones to create. Each item is a dict containing a 'zone' item.
 storage_firewalld_zones: "{{ storage_firewalld_zones_default | union(storage_firewalld_zones_extra) | unique | select }}"
+
+storage_firewalld_zones_default: |
+  {% set network_zones = [] %}
+  {% for network in network_interfaces %}
+  {% if network | net_zone is not none %}
+  {% set _ = network_zones.append({'zone': network | net_zone }) %}
+  {% endif %}
+  {% endfor %}
+  {{ network_zones }}
+
 storage_firewalld_zones_extra: []
-storage_firewalld_zones_default: "{% set network_zones = [] %}{% for network in network_interfaces %}{% set _ = network_zones.append({'zone': network | net_zone}) %}{% endfor %}{{ network_zones }}"
 
 # A firewalld zone to set as the default. Default is unset, in which case the
 # default zone will not be changed.
@@ -153,7 +162,7 @@ storage_firewalld_default_zone: trusted
 # - permanent: true
 # - state: enabled
 storage_firewalld_rules: "{{ storage_firewalld_rules_default | selectattr('enabled', 'true') | map(attribute='rules') | flatten | selectattr('network', 'in', network_interfaces) | selectattr('zone') | union(storage_firewalld_rules_extra) | unique | select }}"
-storage_firewalld_extra: []
+
 storage_firewalld_default:
   # Common
   - rules:
@@ -165,10 +174,12 @@ storage_firewalld_default:
         zone: "{{ provision_oc_net_name | net_zone }}"
         network: "{{ provision_oc_net_name }}"
         state: enabled
+    enabled: true
+  - rules:
       - service: ssh
         zone: "{{ storage_net_name | net_zone }}"
         network: "{{ storage_net_name }}"
-        state: disabled
+        state: "{{ storage_net_name | net_zone != provision_oc_net_name | net_zone}}"
     enabled: true
   # Ceph
   - rules:
@@ -182,6 +193,8 @@ storage_firewalld_default:
         state: "{{ 'enabled' if 'mons' in group_names else 'disabled' }}"
     enabled: "{{ stackhpc_enable_ceph | default(false) | bool }}"
 
+storage_firewalld_extra: []
+
 ###############################################################################
 # Storage node swap configuration.