From 1bff2f9fca6db25a2e49c7eb3351736d56adc0a2 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Wed, 9 Sep 2020 15:31:47 -0700
Subject: [PATCH] Block port 2181 on zookeeper hosts

We keep port 2181 listening in zookeeper so that we can easily use the zkshell tool to debug and navigate the database. But now that all zuul and nodepool nodes are using tls we don't need to expose this insecure port publicly.

Change-Id: I2a5ab8a9aee8f2739953e859ea52e6e9fd440790
---
 inventory/service/group_vars/zookeeper.yaml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/inventory/service/group_vars/zookeeper.yaml b/inventory/service/group_vars/zookeeper.yaml
index 5816d2ff18..4f7d970419 100644
--- a/inventory/service/group_vars/zookeeper.yaml
+++ b/inventory/service/group_vars/zookeeper.yaml
@@ -3,9 +3,6 @@ zookeeper_group: zookeeper
 zookeeper_uid: 10001
 zookeeper_gid: 10001
 iptables_extra_allowed_groups:
-  # Insecure
-  - {'protocol': 'tcp', 'port': '2181', 'group': 'nodepool'}
-  - {'protocol': 'tcp', 'port': '2181', 'group': 'zuul'}
   # Secure
   - {'protocol': 'tcp', 'port': '2281', 'group': 'nodepool'}
   - {'protocol': 'tcp', 'port': '2281', 'group': 'zuul'}