Enable firewalld in the multinode environment

Author: Alex-Welsh

etc/kayobe/environments/ci-multinode/firewalld.yml

@@ -0,0 +1,36 @@
+---
+# Enable firewalld on all hosts, and use the standard StackHPC firewalld
+# configuration
+
+seed_hypervisor_firewalld_enabled: true
+seed_firewalld_enabled: true
+infra_vm_firewalld_enabled: true
+compute_firewalld_enabled: true
+controller_firewalld_enabled: true
+monitoring_firewalld_enabled: true
+storage_firewalld_enabled: true
+
+seed_hypervisor_firewalld_rules: "{{ stackhpc_firewalld_rules }}"
+seed_firewalld_rules: "{{ stackhpc_firewalld_rules }}"
+infra_vm_firewalld_rules: "{{ stackhpc_firewalld_rules }}"
+compute_firewalld_rules: "{{ stackhpc_firewalld_rules }}"
+controller_firewalld_rules: "{{ stackhpc_firewalld_rules }}"
+monitoring_firewalld_rules: "{{ stackhpc_firewalld_rules }}"
+storage_firewalld_rules: "{{ stackhpc_firewalld_rules }}"
+
+seed_hypervisor_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+seed_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+infra_vm_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+compute_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+controller_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+monitoring_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+storage_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+
+# TODO: Add more rules until drop is possible
+seed_hypervisor_firewalld_default_zone: "trusted"
+seed_firewalld_default_zone: "trusted"
+infra_vm_firewalld_default_zone: "trusted"
+compute_firewalld_default_zone: "trusted"
+controller_firewalld_default_zone: "trusted"
+monitoring_firewalld_default_zone: "trusted"
+storage_firewalld_default_zone: "trusted"

etc/kayobe/environments/ci-multinode/networks.yml

@@ -77,48 +77,55 @@ internal_mtu: "{{ ansible_facts.default_ipv4.mtu - 50 }}"
 internal_allocation_pool_start: 192.168.37.3
 internal_allocation_pool_end: 192.168.37.254
 internal_vlan: 101
+internal_zone: "internal" 
 
 # External network
 external_cidr: 192.168.38.0/24
 external_mtu: "{{ ansible_facts.default_ipv4.mtu - 50 }}"
 external_allocation_pool_start: 192.168.38.3
 external_allocation_pool_end: 192.168.38.128
 external_vlan: 102
+external_zone: "external" 
 
 # Public network
 public_cidr: 192.168.39.0/24
 public_mtu: "{{ ansible_facts.default_ipv4.mtu - 50 }}"
 public_allocation_pool_start: 192.168.39.3
 public_allocation_pool_end: 192.168.39.254
 public_vlan: 103
+public_zone: "public" 
 
 # Tunnel network
 tunnel_cidr: 192.168.40.0/24
 tunnel_mtu: "{{ ansible_facts.default_ipv4.mtu - 50 }}"
 tunnel_allocation_pool_start: 192.168.40.3
 tunnel_allocation_pool_end: 192.168.40.254
 tunnel_vlan: 104
+tunnel_zone: "tunnel" 
 
 # Storage network
 storage_cidr: 192.168.41.0/24
 storage_mtu: "{{ ansible_facts.default_ipv4.mtu - 50 }}"
 storage_allocation_pool_start: 192.168.41.3
 storage_allocation_pool_end: 192.168.41.254
 storage_vlan: 105
+storage_zone: "storage" 
 
 # Storage management network
 storage_mgmt_cidr: 192.168.42.0/24
 storage_mgmt_mtu: "{{ ansible_facts.default_ipv4.mtu - 50 }}"
 storage_mgmt_allocation_pool_start: 192.168.42.3
 storage_mgmt_allocation_pool_end: 192.168.42.254
 storage_mgmt_vlan: 106
+storage_mgmt_zone: "storage_mgmt" 
 
 # Provision overcloud network
 provision_oc_cidr: 192.168.33.0/24
 provision_oc_mtu: "{{ ansible_facts.default_ipv4.mtu - 50 }}"
 provision_oc_allocation_pool_start: 192.168.33.128
 provision_oc_allocation_pool_end: 192.168.33.254
 provision_oc_vlan: 107
+provision_oc_zone: "provision_oc" 
 
 ###############################################################################
 # Network virtual patch link configuration.