mantl · ryane · Apr 27, 2016 · Apr 13, 2016 · Apr 27, 2016
diff --git a/roles/consul-template/tasks/main.yml b/roles/consul-template/tasks/main.yml
@@ -10,9 +10,9 @@
 
 - name: configure consul-template
   sudo: yes
-  copy:
-    src: consul.hcl
-    dest: /etc/consul-template/config.d
+  template:
+    src: consul.cfg.j2
+    dest: /etc/consul-template/config.d/consul.hcl
   notify:
     - reload consul-template
   tags:

diff --git a/roles/consul-template/templates/consul.cfg.j2 b/roles/consul-template/templates/consul.cfg.j2
@@ -1,5 +1,5 @@
 consul = "127.0.0.1:8500"
-log_level = "debug"
+log_level = "warn"
 token = "{{ consul_acl_master_token }}"
 
 syslog {

diff --git a/roles/marathon/files/marathon-iptables.tmpl b/roles/marathon/files/marathon-iptables.tmpl
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+{{ $marathonPort := key_or_default "secure/marathon/nginx/port" "18080" }}
+{{ $marathonIpTables := eq (toLower (key_or_default "secure/marathon/ip_tables" "false")) "true"}}
+
+iptables -F MARATHON
+iptables -D INPUT -p tcp --dport {{ $marathonPort }} -j MARATHON
+iptables -X MARATHON
+
+iptables -N MARATHON
+
+{{ if not $marathonIpTables }}exit 0 {{ end }}
+
+{{ range service "marathon" "any" }}
+iptables -A MARATHON -p tcp --dport {{ $marathonPort }} -s {{ .Address }} -j ACCEPT
+{{ end }}{{ range service "traefik" "any" }}
+iptables -A MARATHON -p tcp --dport {{ $marathonPort }} -s {{ .Address}} -j ACCEPT
+{{ end }}
+iptables -A MARATHON -p tcp --dport {{ $marathonPort }} -d 127.0.0.1 -j ACCEPT
+iptables -A MARATHON -p tcp --dport {{ $marathonPort }} -i docker0 -j ACCEPT
+iptables -A MARATHON -p tcp --dport {{ $marathonPort }} -j DROP
+
+iptables -A INPUT -p tcp --dport {{ $marathonPort }} -j MARATHON
diff --git a/roles/marathon/tasks/main.yml b/roles/marathon/tasks/main.yml
@@ -65,6 +65,12 @@
 
 - include: nginx-proxy.yml
 
+- name: write iptables configuration
+  run_once: true
+  command: consul-cli kv-write --token={{ consul_acl_secure_token }} secure/marathon/ip_tables {{ do_marathon_iptables }}
+  tags:
+    - marathon
+
 - name: deploy iptables configuration
   sudo: yes
   copy:
@@ -73,16 +79,8 @@
   with_items:
     - src: marathon-consul.cfg
       dest: /etc/consul-template/config.d
-  notify:
-    - reload consul-template
-  tags:
-    - marathon
-
-- name: deploy iptables template
-  sudo: yes
-  template:
-    src: marathon-iptables.tmpl.j2
-    dest: /etc/consul-template/templates/marathon-iptables.tmpl
+    - src: marathon-iptables.tmpl
+      dest: /etc/consul-template/templates
   notify:
     - reload consul-template
   tags:

diff --git a/roles/marathon/templates/marathon-iptables.tmpl.j2 b/roles/marathon/templates/marathon-iptables.tmpl.j2
diff --git a/roles/mesos/files/mesos-leader-iptables.tmpl b/roles/mesos/files/mesos-leader-iptables.tmpl
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+{{ $mesosLeaderPort := key_or_default "secure/mesos/leader/port" "15050" }}
+{{ $mesosLeaderIpTables := eq (toLower (key_or_default "secure/mesos/leader/ip_tables" "false")) "true"}}
+
+iptables -F MESOSLEADER
+iptables -D INPUT -p tcp --dport {{ $mesosLeaderPort }} -j MESOSLEADER
+iptables -X MESOSLEADER
+
+{{ if not $mesosLeaderIpTables }}exit 0{{ end }}
+
+{{ if or (eq 0 (len (service "master.mesos" "any"))) (eq 0 (len (service "follower.mesos" "any"))) }}exit 0
+{{ end }}
+
+iptables -N MESOSLEADER
+
+{{ range service "master.mesos" "any" }}
+iptables -A MESOSLEADER -p tcp --dport {{ $mesosLeaderPort }} -s {{ .Address }} -j ACCEPT
+{{ end }}
+{{ range service "follower.mesos" "any" }}
+iptables -A MESOSLEADER -p tcp --dport {{ $mesosLeaderPort }} -s {{ .Address }} -j ACCEPT
+{{ end }}
+iptables -A MESOSLEADER -p tcp --dport {{ $mesosLeaderPort }} -d 127.0.0.1 -j ACCEPT
+iptables -A MESOSLEADER -p tcp --dport {{ $mesosLeaderPort }} -i docker0 -j ACCEPT
+iptables -A MESOSLEADER -p tcp --dport {{ $mesosLeaderPort }} -j DROP
+
+iptables -A INPUT -p tcp --dport {{ $mesosLeaderPort }} -j MESOSLEADER
diff --git a/roles/mesos/tasks/leader.yml b/roles/mesos/tasks/leader.yml
@@ -79,6 +79,12 @@
   tags:
     - mesos
 
+- name: write iptables configuration
+  run_once: true
+  command: consul-cli kv-write --token={{ consul_acl_secure_token }} secure/mesos/leader/ip_tables {{ do_mesos_iptables }}
+  tags:
+    - mesos
+
 - name: deploy iptables configuration
   sudo: yes
   copy:
@@ -87,19 +93,11 @@
   with_items:
     - src: mesos-leader-consul.cfg
       dest: /etc/consul-template/config.d
+    - src: mesos-leader-iptables.tmpl
+      dest: /etc/consul-template/templates
   notify:
     - reload consul-template
   tags:
     - mesos
 
-- name: deploy iptables template
-  sudo: yes
-  template:
-    src: mesos-leader-iptables.tmpl.j2
-    dest: /etc/consul-template/templates/mesos-leader-iptables.tmpl
-  notify:
-    reload consul-template
-  tags:
-    - mesos
-
 - include: nginx-proxy.yml
diff --git a/roles/mesos/templates/mesos-leader-iptables.tmpl.j2 b/roles/mesos/templates/mesos-leader-iptables.tmpl.j2