USHIFT-6681: Ansible: Unmask and enable firewalld on host setup

[sjug]

Needed for CI compatibility

Summary by CodeRabbit

• Bug Fixes
  • More reliable firewall startup by ensuring firewalld is unmasked, started, and enabled during host setup.
• Improvements
  • Simplified firewall configuration flow: public-zone service and port rules are applied consistently rather than depending on prior status checks or conditional paths.

[openshift-ci-robot]

@sjug: This pull request references USHIFT-6681 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Needed for CI compatibility

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Unconditional firewalld unmask/start is applied and firewall configuration tasks simplified to always apply public-zone service and port rules, removing previous masked-state checks and trusted-CIDR conditional branches.

Changes

Cohort / File(s)	Summary
Firewalld management ansible/roles/setup-microshift-host/tasks/main.yml	Renamed the status-check task to "unmask firewalld if masked", replaced earlier status/register/ignore_errors pattern with masked: no, and removed the conditional guard so start/enable runs unconditionally.
Firewall rule application ansible/roles/configure-firewall/tasks/main.yml	Removed masked-state and trusted-CIDR conditional branches; consolidated service rules into public-zone service tasks and moved port rules into a dedicated public-zone port task, making rule application unconditional.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: unmasking and enabling firewalld during microshift host setup, which aligns with the core modifications in both task files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	Ansible task files lack testing framework constructs; check targets test files only and is not applicable here.
Test Structure And Quality	✅ Passed	Pull request contains only Ansible role YAML configuration files, not test code.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@sjug: This pull request references USHIFT-6681 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Needed for CI compatibility

Summary by CodeRabbit

• Bug Fixes
• Improved firewalld service reliability during microshift host setup configuration.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@ansible/roles/setup-microshift-host/tasks/main.yml`:
- Around line 35-44: The unmask+enable systemd tasks ("unmask firewalld if
masked" and "start and enable firewalld") currently run unconditionally and can
override intentional masked state; make both ansible.builtin.systemd tasks
conditional by adding a boolean gate variable (e.g., firewalld_force_enable) and
a when: clause (use firewalld_force_enable | default(false) so CI can set true
while other environments keep the masked state), applying the same condition to
both the masked: no call and the state/enabled call so masking remains respected
unless explicitly forced.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 0ed6fcb5-98df-4b1b-8fee-480b6d884c3d

📥 Commits

Reviewing files that changed from the base of the PR and between cd593c9 and f946bb4.

📒 Files selected for processing (1)

• ansible/roles/setup-microshift-host/tasks/main.yml

[openshift-ci-robot]

@sjug: This pull request references USHIFT-6681 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Needed for CI compatibility

Summary by CodeRabbit

• Bug Fixes
• More reliable firewall startup by ensuring firewalld is unmasked, started, and enabled during host setup.
• Improvements
• Simplified firewall configuration flow: public-zone service and port rules are applied consistently rather than depending on prior status checks or conditional paths.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

♻️ Duplicate comments (1)

ansible/roles/setup-microshift-host/tasks/main.yml (1)

35-44: ⚠️ Potential issue | 🟠 Major

Add an opt-in gate for force-enabling firewalld.

These tasks still unconditionally unmask and enable firewalld, which can override an intentionally masked host policy. Please gate both tasks behind a boolean variable so CI can force-enable while other environments can opt out.

Proposed patch

 - name: unmask firewalld if masked
   ansible.builtin.systemd:
     name: firewalld
     masked: no
+  when: firewalld_force_enable | default(false) | bool
 
 - name: start and enable firewalld
   ansible.builtin.systemd:
     name: firewalld
     state: started
     enabled: yes
+  when: firewalld_force_enable | default(false) | bool

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ansible/roles/setup-microshift-host/tasks/main.yml` around lines 35 - 44, The
unmask/start-and-enable tasks for firewalld ("unmask firewalld if masked" and
"start and enable firewalld" using ansible.builtin.systemd) must be made opt-in;
add a boolean gate (e.g., force_enable_firewalld) and add when:
force_enable_firewalld | default(false) to both tasks so they only run when
CI/consumer sets the variable, and add a default false for
force_enable_firewalld in the role defaults to preserve current host policies
unless explicitly overridden.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@ansible/roles/setup-microshift-host/tasks/main.yml`:
- Around line 35-44: The unmask/start-and-enable tasks for firewalld ("unmask
firewalld if masked" and "start and enable firewalld" using
ansible.builtin.systemd) must be made opt-in; add a boolean gate (e.g.,
force_enable_firewalld) and add when: force_enable_firewalld | default(false) to
both tasks so they only run when CI/consumer sets the variable, and add a
default false for force_enable_firewalld in the role defaults to preserve
current host policies unless explicitly overridden.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 879c7040-99bb-4de4-8b10-b915bc0eda10

📥 Commits

Reviewing files that changed from the base of the PR and between f946bb4 and 9aea5fa.

📒 Files selected for processing (2)

• ansible/roles/configure-firewall/tasks/main.yml
• ansible/roles/setup-microshift-host/tasks/main.yml

[openshift-ci]

@sjug: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[copejon]

/verified by ci

[copejon]

/lgtm

[openshift-ci-robot]

@copejon: This PR has been marked as verified by ci.

Details

In response to this:

/verified by ci

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: copejon, sjug

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [copejon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment