

Clean ip firewall configuration, because of operate-first#8
rbo committed Jun 23, 2021
1 parent dc25d10 commit 0b3444a
Showing 1 changed file with 17 additions and 13 deletions.
30 changes: 17 additions & 13 deletions roles/hetzner-baremetal-openshift/tasks/configure-firewall.yaml
Expand Up @@ -8,36 +8,39 @@
name: "{{cluster_name }}-lb-private"
register: output

- set_fact:
- name: Create inital rules_input
set_fact:
rules_input:
- name: Allow SSH
- name: Allow outgoing connections
ip_version: ipv4
dst_port: '22'
dst_port: '32768-65535'
protocol: tcp
tcp_flags: ack
action: accept
- name: Allow ICMP
ip_version: ipv4
protocol: icmp
action: accept
- name: Allow SSH
ip_version: ipv4
dst_port: '22'
protocol: tcp
action: accept
- name: Allow api and ingress
ip_version: ipv4
protocol: tcp
# Maximum 3 destination ports allowed.
dst_port: '6443,443,80'
action: accept
- name: Allow MachineConfig
- name: Allow MachineConfig from {{ cluster_name }}-lb-private
ip_version: ipv4
protocol: tcp
src_ip: "{{ output.hcloud_server_info[0].ipv4_address }}"
dst_port: '22623'
action: accept
- name: Allow outgoing connections
ip_version: ipv4
dst_port: '32768-65535'
protocol: tcp
tcp_flags: ack
action: accept

- set_fact:
- name: Add nodes to rules_input
set_fact:
rules_input: "{{ rules_input }} +
[
{
Expand All @@ -47,12 +50,13 @@
'action': 'accept'
}
]"
with_items: "{{ groups['masters'] + groups['bootstrap'] }}"
with_items: "{{ groups['nodes'] + groups['bootstrap'] }}"
when: item != inventory_hostname

# - debug: var=rules_input

- community.hrobot.firewall:
- name: Configure firewall
community.hrobot.firewall:
hetzner_user: "{{ hetzner_webservice_username }}"
hetzner_password: "{{ hetzner_webservice_password }}"
server_ip: "{{ hetzner_ip }}"
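Review bot: The `with_items` switch from `groups['masters']` to `groups['nodes']` in the `Add nodes to rules_input` task makes the number of generated input rules grow with the whole cluster, but nothing checks that the total fits the Hetzner Robot firewall's per-server rule cap (a small fixed number; confirm against the current docs), so the `Configure firewall` call at the end of the section will start failing once worker count grows, and the five static rules above already take their share of slots. A guard before the module call makes that failure explicit instead of surfacing as an API error: `- name: Check rule count against Robot firewall limit` / `  assert:` / `    that: rules_input | length <= <ROBOT_FIREWALL_MAX_INPUT_RULES>` (placeholder for the documented cap), or summarize node sources as a CIDR if the subnet layout allows. The body of the `Configure firewall` task continues past the end of this hunk, and the collapsed lines at `Expand All` hide the per-node rule fields, so the one-rule-per-node assumption is inferred rather than visible. Separately, the task name added in the first hunk reads `Create inital rules_input`; `Create initial rules_input` fixes the typo.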

