
Updated README to reflect the refactor. Moved firewall initialization into a separate file.

Kenny Woodson 7 سال پیش
والد
کامیت
7d50ffe98d

+ 0 - 15
playbooks/common/openshift-cluster/config.yml

@@ -26,21 +26,6 @@
   tags:
   - always
 
-- name: Setup firewall
-  hosts: oo_all_hosts
-  tags:
-  - always
-  tasks:
-  # This should move to intialize_facts
-  - name: set os_firewall_enabled
-    set_fact:
-      os_firewall_enabled: true
-      os_firewall_use_firewalld: false
-
-  - name: Set proper firewall settings
-    include_role:
-      name: os_firewall
-
 - name: Disable excluders
   hosts: oo_masters_to_config:oo_nodes_to_config
   tags:

+ 7 - 0
playbooks/common/openshift-cluster/initialize_firewall.yml

@@ -0,0 +1,7 @@
+---
+- name: Initialize host facts
+  hosts: oo_all_hosts
+  tasks:
+  - name: install and configure the proper firewall settings
+    include_role:
+      name: os_firewall
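Review bot: The play name `Initialize host facts` on the second line of the new file does not match what the play does — its only task includes the os_firewall role, and the file is initialize_firewall.yml; `- name: Initialize firewall` would identify the step correctly in play output. Unlike the play removed from config.yml, this one no longer sets `os_firewall_enabled` or `os_firewall_use_firewalld`, so backend selection presumably falls back to the os_firewall role defaults (that defaults hunk still shows `os_firewall_enabled: True` and `os_firewall_use_firewalld: "{{ False }}"`); a one-line comment above the task stating this, e.g. `# Backend choice comes from the os_firewall role defaults / inventory`, would save the next reader from looking for the lost set_fact. The play also carries no `tags` of its own and relies on the `tags: - always` placed on its include in std_include.yml; if that propagation is not guaranteed for the Ansible versions in use, tagging the play here as well is the safer form.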

+ 4 - 0
playbooks/common/openshift-cluster/std_include.yml

@@ -14,3 +14,7 @@
 - include: initialize_openshift_version.yml
   tags:
   - always
+
+- include: initialize_firewall.yml
+  tags:
+  - always

+ 3 - 0
roles/cockpit/defaults/main.yml

@@ -1,4 +1,7 @@
 ---
+r_cockpit_firewall_enabled: True
+r_cockpit_use_firewalld: False
+
 r_cockpit_os_firewall_deny: []
 r_cockpit_os_firewall_allow:
 - service: cockpit-ws
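Review bot: `r_cockpit_use_firewalld: False` on the second added line is a fixed default that no longer tracks `os_firewall_use_firewalld`, so an inventory that switches the os_firewall role to firewalld still leaves cockpit/tasks/firewall.yml applying iptables rules, because its `when:` conditions now test only the `r_cockpit_*` variables; `r_cockpit_firewall_enabled: True` likewise ignores `os_firewall_enabled`. Unless every deployment is expected to set both families of variables, deriving the per-role defaults from the global ones keeps rule placement consistent with the backend that was actually installed: `r_cockpit_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"` and `r_cockpit_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"`. The same pattern appears in the defaults hunks for etcd, nuage_master, nuage_node, openshift_hosted, openshift_loadbalancer, openshift_master, openshift_node and openshift_storage_nfs. Separately, the new lines write `True`/`False` where the neighbouring openshift_master defaults and the removed config.yml play use `true`/`false`; the lowercase form is the one yamllint's truthy rule accepts and is consistent with the rest of the tree.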

+ 2 - 2
roles/cockpit/tasks/firewall.yml

@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_cockpit_firewall_enabled | bool and not r_cockpit_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_cockpit_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_cockpit_firewall_enabled | bool and r_cockpit_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:

+ 3 - 0
roles/etcd/defaults/main.yaml

@@ -1,4 +1,7 @@
 ---
+r_etcd_firewall_enabled: True
+r_etcd_use_firewalld: False
+
 etcd_initial_cluster_state: new
 etcd_initial_cluster_token: etcd-cluster-1
 

+ 2 - 2
roles/etcd/tasks/firewall.yml

@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_etcd_firewall_enabled | bool and not r_etcd_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_etcd_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_etcd_firewall_enabled | bool and r_etcd_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:

+ 3 - 0
roles/nuage_master/defaults/main.yml

@@ -1,4 +1,7 @@
 ---
+r_nuage_master_firewall_enabled: True
+r_nuage_master_use_firewalld: False
+
 nuage_mon_rest_server_port: '9443'
 
 r_nuage_master_os_firewall_deny: []

+ 2 - 2
roles/nuage_master/tasks/firewall.yml

@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_nuage_master_firewall_enabled | bool and not r_nuage_master_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_nuage_master_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_nuage_master_firewall_enabled | bool and r_nuage_master_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:

+ 3 - 0
roles/nuage_node/defaults/main.yml

@@ -1,4 +1,7 @@
 ---
+r_nuage_node_firewall_enabled: True
+r_nuage_node_use_firewalld: False
+
 nuage_mon_rest_server_port: '9443'
 
 r_nuage_node_os_firewall_deny: []

+ 2 - 2
roles/nuage_node/tasks/firewall.yml

@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_nuage_node_firewall_enabled | bool and not r_nuage_node_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_nuage_node_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_nuage_node_firewall_enabled | bool and r_nuage_node_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:

+ 6 - 0
roles/openshift_hosted/defaults/main.yml

@@ -1,4 +1,10 @@
 ---
+r_openshift_hosted_router_firewall_enabled: True
+r_openshift_hosted_router_use_firewalld: False
+
+r_openshift_hosted_registry_firewall_enabled: True
+r_openshift_hosted_registry_use_firewalld: False
+
 registry_volume_claim: 'registry-claim'
 
 openshift_hosted_router_edits:

+ 2 - 2
roles/openshift_hosted/tasks/registry/firewall.yml

@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_registry_firewall_enabled | bool and not r_openshift_hosted_registry_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_hosted_registry_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_registry_firewall_enabled | bool and r_openshift_hosted_registry_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:

+ 2 - 2
roles/openshift_hosted/tasks/router/firewall.yml

@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_router_firewall_enabled | bool and not r_openshift_hosted_router_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_hosted_router_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_hosted_router_firewall_enabled | bool and r_openshift_hosted_router_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:

+ 3 - 0
roles/openshift_loadbalancer/defaults/main.yml

@@ -1,4 +1,7 @@
 ---
+r_openshift_loadbalancer_firewall_enabled: True
+r_openshift_loadbalancer_use_firewalld: False
+
 haproxy_frontends:
 - name: main
   binds:

+ 2 - 2
roles/openshift_loadbalancer/tasks/firewall.yml

@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_loadbalancer_firewall_enabled | bool and not r_openshift_loadbalancer_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_loadbalancer_firewall_enabled | bool and r_openshift_loadbalancer_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:

+ 3 - 0
roles/openshift_master/defaults/main.yml

@@ -1,4 +1,7 @@
 ---
+r_openshift_master_firewall_enabled: True
+r_openshift_master_use_firewalld: False
+
 openshift_node_ips: []
 r_openshift_master_clean_install: false
 r_openshift_master_etcd3_storage: false

+ 2 - 2
roles/openshift_master/tasks/firewall.yml

@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_master_firewall_enabled | bool and not r_openshift_master_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_master_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_master_firewall_enabled | bool and r_openshift_master_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:

+ 2 - 0
roles/openshift_node/defaults/main.yml

@@ -1,4 +1,6 @@
 ---
+r_openshift_node_firewall_enabled: True
+r_openshift_node_use_firewalld: False
 r_openshift_node_os_firewall_deny: []
 r_openshift_node_os_firewall_allow:
 - service: Kubernetes kubelet

+ 2 - 2
roles/openshift_node/tasks/firewall.yml

@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_node_firewall_enabled | bool and not r_openshift_node_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_node_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_node_firewall_enabled | bool and r_openshift_node_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:

+ 3 - 0
roles/openshift_storage_nfs/defaults/main.yml

@@ -1,4 +1,7 @@
 ---
+r_openshift_storage_nfs_firewall_enabled: True
+r_openshift_storage_nfs_use_firewalld: False
+
 r_openshift_storage_nfs_os_firewall_deny: []
 r_openshift_storage_nfs_os_firewall_allow:
 - service: nfs

+ 2 - 2
roles/openshift_storage_nfs/tasks/firewall.yml

@@ -1,5 +1,5 @@
 ---
-- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- when: r_openshift_storage_nfs_firewall_enabled | bool and not r_openshift_storage_nfs_use_firewalld | bool
   block:
   - name: Add iptables allow rules
     os_firewall_manage_iptables:
@@ -19,7 +19,7 @@
     when: item.cond | default(True)
     with_items: "{{ r_openshift_storage_nfs_os_firewall_deny }}"
 
-- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- when: r_openshift_storage_nfs_firewall_enabled | bool and r_openshift_storage_nfs_use_firewalld | bool
   block:
   - name: Add firewalld allow rules
     firewalld:

+ 14 - 23
roles/os_firewall/README.md

@@ -1,8 +1,8 @@
 OS Firewall
 ===========
 
-OS Firewall manages firewalld and iptables firewall settings for a minimal use
-case (Adding/Removing rules based on protocol and port number).
+OS Firewall manages firewalld and iptables installation.
+case.
 
 Note: firewalld is not supported on Atomic Host
 https://bugzilla.redhat.com/show_bug.cgi?id=1403331
@@ -18,8 +18,6 @@ Role Variables
 | Name                      | Default |                                        |
 |---------------------------|---------|----------------------------------------|
 | os_firewall_use_firewalld | False   | If false, use iptables                 |
-| os_firewall_allow         | []      | List of service,port mappings to allow |
-| os_firewall_deny          | []      | List of service, port mappings to deny |
 
 Dependencies
 ------------
@@ -29,34 +27,27 @@ None.
 Example Playbook
 ----------------
 
-Use iptables and open tcp ports 80 and 443:
+Use iptables:
 ```
 ---
 - hosts: servers
-  vars:
-    os_firewall_use_firewalld: false
-    os_firewall_allow:
-    - service: httpd
-      port: 80/tcp
-    - service: https
-      port: 443/tcp
-  roles:
-  - os_firewall
+  task:
+  - include_role:
+      name: os_firewall
+    vars:
+      os_firewall_use_firewalld: false
 ```
 
-Use firewalld and open tcp port 443 and close previously open tcp port 80:
+Use firewalld:
 ```
 ---
 - hosts: servers
   vars:
-    os_firewall_allow:
-    - service: https
-      port: 443/tcp
-    os_firewall_deny:
-    - service: httpd
-      port: 80/tcp
-  roles:
-  - os_firewall
+  tasks:
+  - include_role:
+      name: os_firewall
+    vars:
+      os_firewall_use_firewalld: true
 ```
 
 License

+ 0 - 2
roles/os_firewall/defaults/main.yml

@@ -3,5 +3,3 @@ os_firewall_enabled: True
 # firewalld is not supported on Atomic Host
 # https://bugzilla.redhat.com/show_bug.cgi?id=1403331
 os_firewall_use_firewalld: "{{ False }}"
-os_firewall_allow: []
-os_firewall_deny: []