firewalld: support infra VMs

Follow up to Id60e25e129e323f3c07e702bb81a11efc530fb3e, adds support for
firewalld configuration on Infra VMs.

Change-Id: Idd1ab982d4bca1cbdb0c4c6041cf3b6c17eae6cb

ansible/firewall.yml

@@ -1,6 +1,6 @@
 ---
 - name: Ensure firewall is configured
-  hosts: seed-hypervisor:seed:overcloud
+  hosts: seed-hypervisor:seed:overcloud:infra-vms
   tags:
     - config
     - firewall

ansible/group_vars/all/infra-vms

@@ -171,3 +171,24 @@ infra_vm_sysctl_parameters: {}
 # List of users to create. This should be in a format accepted by the
 # singleplatform-eng.users role.
 infra_vm_users: "{{ users_default }}"
+
+###############################################################################
+# Infrastructure VM node firewalld configuration.
+
+# Whether to install and enable firewalld.
+infra_vm_firewalld_enabled: false
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+infra_vm_firewalld_zones: []
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+infra_vm_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+infra_vm_firewalld_rules: []

ansible/group_vars/infra-vms/firewall

@@ -0,0 +1,21 @@
+---
+###############################################################################
+# Infra VM node firewalld configuration.
+
+# Whether to install and enable firewalld.
+firewalld_enabled: "{{ infra_vm_firewalld_enabled }}"
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+firewalld_zones: "{{ infra_vm_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+firewalld_default_zone: "{{ infra_vm_firewalld_default_zone }}"
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+firewalld_rules: "{{ infra_vm_firewalld_rules }}"

doc/source/configuration/reference/hosts.rst

@@ -348,6 +348,7 @@ The following variables can be used to set whether to enable firewalld:
 
 * ``seed_hypervisor_firewalld_enabled``
 * ``seed_firewalld_enabled``
+* ``infra_vm_firewalld_enabled``
 * ``compute_firewalld_enabled``
 * ``controller_firewalld_enabled``
 * ``monitoring_firewalld_enabled``
@@ -358,6 +359,7 @@ list of zones to create. Each item is a dict containing a ``zone`` item:
 
 * ``seed_hypervisor_firewalld_zones``
 * ``seed_firewalld_zones``
+* ``infra_vm_firewalld_zones``
 * ``compute_firewalld_zones``
 * ``controller_firewalld_zones``
 * ``monitoring_firewalld_zones``
@@ -368,6 +370,7 @@ unset, in which case the default zone will not be changed:
 
 * ``seed_hypervisor_firewalld_default_zone``
 * ``seed_firewalld_default_zone``
+* ``infra_vm_firewalld_default_zone``
 * ``compute_firewalld_default_zone``
 * ``controller_firewalld_default_zone``
 * ``monitoring_firewalld_default_zone``
@@ -381,6 +384,7 @@ are omitted if not provided, with the following exceptions: ``offline``
 
 * ``seed_hypervisor_firewalld_rules``
 * ``seed_firewalld_rules``
+* ``infra_vm_firewalld_rules``
 * ``compute_firewalld_rules``
 * ``controller_firewalld_rules``
 * ``monitoring_firewalld_rules``

etc/kayobe/infra-vms.yml

@@ -141,6 +141,27 @@
 # singleplatform-eng.users role.
 #infra_vm_users:
 
+###############################################################################
+# Infrastructure VM node firewalld configuration.
+
+# Whether to install and enable firewalld.
+#infra_vm_firewalld_enabled:
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+#infra_vm_firewalld_zones:
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+#infra_vm_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+#infra_vm_firewalld_rules:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes

kayobe/cli/commands.py

@@ -884,6 +884,7 @@ class InfraVMHostConfigure(KayobeAnsibleMixin, VaultMixin,
     * Configure user accounts, group associations, and authorised SSH keys.
     * Disable SELinux.
     * Configure the host's network interfaces.
+    * Configure a firewall.
     * Set sysctl parameters.
     * Disable bootstrap interface configuration.
     * Configure timezone.
@@ -915,7 +916,7 @@ class InfraVMHostConfigure(KayobeAnsibleMixin, VaultMixin,
         if parsed_args.wipe_disks:
             playbooks += _build_playbook_list("wipe-disks")
         playbooks += _build_playbook_list(
-            "users", "dev-tools", "disable-selinux", "network",
+            "users", "dev-tools", "disable-selinux", "network", "firewall",
             "sysctl", "disable-glean", "disable-cloud-init", "time",
             "mdadm", "luks", "lvm", "docker-devicemapper", "docker")
         self.run_kayobe_playbooks(parsed_args, playbooks, limit="infra-vms")

kayobe/tests/unit/cli/test_commands.py

@@ -1000,6 +1000,7 @@ class TestCase(unittest.TestCase):
                     utils.get_data_files_path(
                         "ansible", "disable-selinux.yml"),
                     utils.get_data_files_path("ansible", "network.yml"),
+                    utils.get_data_files_path("ansible", "firewall.yml"),
                     utils.get_data_files_path("ansible", "sysctl.yml"),
                     utils.get_data_files_path("ansible", "disable-glean.yml"),
                     utils.get_data_files_path(