From 6ff354437718584783589c3403cefe9d1b75ee52 Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Fri, 11 Aug 2017 14:44:25 -0400
Subject: Moving firewall rules under the role to work with refactor.

---
 .../openshift_storage_glusterfs/defaults/main.yml  | 12 +++++++
 roles/openshift_storage_glusterfs/meta/main.yml    |  1 +
 .../openshift_storage_glusterfs/tasks/firewall.yml | 40 ++++++++++++++++++++++
 3 files changed, 53 insertions(+)
 create mode 100644 roles/openshift_storage_glusterfs/tasks/firewall.yml

(limited to 'roles')

diff --git a/roles/openshift_storage_glusterfs/defaults/main.yml b/roles/openshift_storage_glusterfs/defaults/main.yml
index ff2c18812..a5887465e 100644
--- a/roles/openshift_storage_glusterfs/defaults/main.yml
+++ b/roles/openshift_storage_glusterfs/defaults/main.yml
@@ -52,3 +52,15 @@ openshift_storage_glusterfs_registry_heketi_ssh_port: "{{ openshift_storage_glus
 openshift_storage_glusterfs_registry_heketi_ssh_user: "{{ openshift_storage_glusterfs_heketi_ssh_user }}"
 openshift_storage_glusterfs_registry_heketi_ssh_sudo: "{{ openshift_storage_glusterfs_heketi_ssh_sudo }}"
 openshift_storage_glusterfs_registry_heketi_ssh_keyfile: "{{ openshift_storage_glusterfs_heketi_ssh_keyfile | default(omit) }}"
+r_openshift_master_firewall_enabled: True
+r_openshift_master_use_firewalld: False
+r_openshift_storage_glusterfs_os_firewall_deny: []
+r_openshift_storage_glusterfs_os_firewall_allow:
+- service: glusterfs_sshd
+  port: "2222/tcp"
+- service: glusterfs_daemon
+  port: "24007/tcp"
+- service: glusterfs_management
+  port: "24008/tcp"
+- service: glusterfs_bricks
+  port: "49152-49251/tcp"
diff --git a/roles/openshift_storage_glusterfs/meta/main.yml b/roles/openshift_storage_glusterfs/meta/main.yml
index aab9851f9..28f076fd1 100644
--- a/roles/openshift_storage_glusterfs/meta/main.yml
+++ b/roles/openshift_storage_glusterfs/meta/main.yml
@@ -13,3 +13,4 @@ dependencies:
 - role: openshift_hosted_facts
 - role: openshift_repos
 - role: lib_openshift
+- role: lib_os_firewall
diff --git a/roles/openshift_storage_glusterfs/tasks/firewall.yml b/roles/openshift_storage_glusterfs/tasks/firewall.yml
new file mode 100644
index 000000000..09dcf1ef9
--- /dev/null
+++ b/roles/openshift_storage_glusterfs/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_openshift_storage_glusterfs_firewall_enabled | bool and not r_openshift_storage_glusterfs_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_storage_glusterfs_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_storage_glusterfs_os_firewall_deny }}"
+
+- when: r_openshift_storage_glusterfs_firewall_enabled | bool and r_openshift_storage_glusterfs_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_storage_glusterfs_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_storage_glusterfs_os_firewall_deny }}"
-- 
cgit v1.2.3