58a8d1a119
This adds names to blocks and includes for consistency. We've done this before (e.g. Ia7e490aaba99da9694a6f3fdb1bca9838221b30a) but I guess 6.12.0 is finding more... Change-Id: Ib451f6d3c5a18047873e63aa0a1aa2b425846fec
45 lines
1.5 KiB
YAML
45 lines
1.5 KiB
YAML
- name: Test the multi-node-firewall role
|
|
hosts: all
|
|
roles:
|
|
- multi-node-firewall
|
|
post_tasks:
|
|
- name: switch and peer nodes should be in the ipv4 firewall
|
|
become: yes
|
|
command: iptables-save
|
|
changed_when: false
|
|
failed_when: false
|
|
register: iptables_rules
|
|
|
|
- name: Validate ipv4 private firewall configuration
|
|
assert:
|
|
that:
|
|
- "'-A INPUT -s {{ hostvars[item]['nodepool']['private_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
|
|
with_items: "{{ groups['all'] }}"
|
|
when:
|
|
- hostvars[item]['nodepool']['private_ipv4']
|
|
|
|
- name: Validate ipv4 public firewall configuration
|
|
assert:
|
|
that:
|
|
- "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout"
|
|
with_items: "{{ groups['all'] }}"
|
|
when:
|
|
- hostvars[item]['nodepool']['public_ipv4']
|
|
|
|
# ipv6_addresses is set by the multi-node-firewall role
|
|
- name: check ipv6_addresses
|
|
when: ipv6_addresses | length > 0
|
|
block:
|
|
- name: switch and peer nodes should be in the ipv6 firewall
|
|
become: yes
|
|
command: ip6tables-save
|
|
changed_when: false
|
|
failed_when: false
|
|
register: ip6tables_rules
|
|
|
|
- name: Validate ipv6 firewall configuration
|
|
assert:
|
|
that:
|
|
- "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv6'] }}/128 -j ACCEPT' in ip6tables_rules.stdout"
|
|
with_items: "{{ groups['all'] }}"
|