Let openshift-ansible configure the firewall

Openshift-ansible already sets the right firewall rules on the provisioned nodes, there is no need to set up (some of) the rules by ourselves. Add the 'OS::TripleO::Services::TripleoFirewall' to all the OpenShift roles so that the operator can still set additional rules if desired. Change-Id: I1e8ca10069c3f1017207abfebb803cb7aa3835a8
2018-09-28 08:49:22 +02:00 · 2018-09-28 08:49:22 +02:00 · 26c108b174
commit 26c108b174
parent e2f7392c4a
5 changed files with 3 additions and 32 deletions
--- a/extraconfig/services/openshift-cns.yaml
+++ b/extraconfig/services/openshift-cns.yaml
@ -84,18 +84,6 @@ outputs:
      # as cns. The actual installation is performed in
      # openshift-master service template.
      service_name: openshift_glusterfs
-      config_settings:
-        tripleo.openshift_glusterfs.firewall_rules:
-          '200 openshift-glusterfs kubelet':
-            dport:
-              - 2222
-              - 3260
-              - 10250
-              - 24008
-              - 24010
-            proto: tcp
-          '200 openshift-glusterfs external services':
-            dport: '49152-49251'
      host_prep_tasks:
        - name: Wipe the configured disks
          shell: |
--- a/extraconfig/services/openshift-master.yaml
+++ b/extraconfig/services/openshift-master.yaml
@ -127,15 +127,6 @@ outputs:
        map_merge:
          - get_attr: [OpenShiftNode, role_data, config_settings]
          - tripleo::keepalived::virtual_router_id_base: 100
-            tripleo.openshift_master.firewall_rules:
-              '200 openshift-master api':
-                dport: 6443
-                proto: tcp
-              '200 openshift-master etcd':
-                dport:
-                  - 2379
-                  - 2380
-                proto: tcp
      upgrade_tasks: []
      step_config: ''
      external_deploy_tasks:
--- a/extraconfig/services/openshift-worker.yaml
+++ b/extraconfig/services/openshift-worker.yaml
@ -54,17 +54,7 @@ outputs:
    description: Role data for the Openshift Service
    value:
      service_name: openshift_worker
-      config_settings:
-        map_merge:
-          - get_attr: [OpenShiftNode, role_data, config_settings]
-          - tripleo.openshift_worker.firewall_rules:
-              '200 openshift-worker kubelet':
-                dport:
-                  - 10250
-                  - 10255
-                proto: tcp
-              '200 openshift-worker external services':
-                dport: '30000-32767'
+      config_settings: {get_attr: [OpenShiftNode, role_data, config_settings]}
      upgrade_tasks: []
      step_config: ''
      external_deploy_tasks:
--- a/roles/OpenShiftInfra.yaml
+++ b/roles/OpenShiftInfra.yaml
@ -25,3 +25,4 @@
    - OS::TripleO::Services::Rhsm
    - OS::TripleO::Services::Sshd
    - OS::TripleO::Services::Timesync
+    - OS::TripleO::Services::TripleoFirewall
--- a/roles/OpenShiftWorker.yaml
+++ b/roles/OpenShiftWorker.yaml
@ -25,3 +25,4 @@
    - OS::TripleO::Services::Rhsm
    - OS::TripleO::Services::Sshd
    - OS::TripleO::Services::Timesync
+    - OS::TripleO::Services::TripleoFirewall