Adding a default condition and removing unneeded defaults.

roles/cockpit/defaults/main.yml

@@ -3,4 +3,3 @@ r_cockpit_os_firewall_deny: []
 r_cockpit_os_firewall_allow:
 - service: cockpit-ws
   port: 9090/tcp
-  cond: true

roles/cockpit/tasks/firewall.yml

@@ -7,7 +7,7 @@
       action: add
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_cockpit_os_firewall_allow }}"
 
   - name: Remove iptables rules
@@ -16,7 +16,7 @@
       action: remove
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_cockpit_os_firewall_deny }}"
 
 - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
@@ -27,7 +27,7 @@
       permanent: true
       immediate: true
       state: enabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_cockpit_os_firewall_allow }}"
 
   - name: Remove firewalld allow rules
@@ -36,5 +36,5 @@
       permanent: true
       immediate: true
       state: disabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_cockpit_os_firewall_deny }}"

roles/etcd/defaults/main.yaml

@@ -15,7 +15,5 @@ r_etcd_os_firewall_deny: []
 r_etcd_os_firewall_allow:
 - service: etcd
   port: "{{etcd_client_port}}/tcp"
-  cond: true
 - service: etcd peering
   port: "{{ etcd_peer_port }}/tcp"
-  cond: true

roles/etcd/tasks/firewall.yml

@@ -7,7 +7,7 @@
       action: add
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_etcd_os_firewall_allow }}"
 
   - name: Remove iptables rules
@@ -16,7 +16,7 @@
       action: remove
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_etcd_os_firewall_deny }}"
 
 - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
@@ -27,7 +27,7 @@
       permanent: true
       immediate: true
       state: enabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_etcd_os_firewall_allow }}"
 
   - name: Remove firewalld allow rules
@@ -36,5 +36,5 @@
       permanent: true
       immediate: true
       state: disabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_etcd_os_firewall_deny }}"

roles/nuage_master/defaults/main.yml

@@ -5,4 +5,3 @@ r_nuage_master_os_firewall_deny: []
 r_nuage_master_os_firewall_allow:
 - service: openshift-monitor
   port: "{{ nuage_mon_rest_server_port }}/tcp"
-  cond: true

roles/nuage_master/tasks/firewall.yml

@@ -7,7 +7,7 @@
       action: add
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_nuage_master_os_firewall_allow }}"
 
   - name: Remove iptables rules
@@ -16,7 +16,7 @@
       action: remove
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_nuage_master_os_firewall_deny }}"
 
 - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
@@ -27,7 +27,7 @@
       permanent: true
       immediate: true
       state: enabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_nuage_master_os_firewall_allow }}"
 
   - name: Remove firewalld allow rules
@@ -36,5 +36,5 @@
       permanent: true
       immediate: true
       state: disabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_nuage_master_os_firewall_deny }}"

roles/nuage_node/defaults/main.yml

@@ -5,7 +5,5 @@ r_nuage_node_os_firewall_deny: []
 r_nuage_node_os_firewall_allow:
 - service: vxlan
   port: 4789/udp
-  cond: true
 - service: nuage-monitor
   port: "{{ nuage_mon_rest_server_port }}/tcp"
-  cond: true

roles/nuage_node/tasks/firewall.yml

@@ -7,7 +7,7 @@
       action: add
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_nuage_node_os_firewall_allow }}"
 
   - name: Remove iptables rules
@@ -16,7 +16,7 @@
       action: remove
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_nuage_node_os_firewall_deny }}"
 
 - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
@@ -27,7 +27,7 @@
       permanent: true
       immediate: true
       state: enabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_nuage_node_os_firewall_allow }}"
 
   - name: Remove firewalld allow rules
@@ -36,5 +36,5 @@
       permanent: true
       immediate: true
       state: disabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_nuage_node_os_firewall_deny }}"

roles/openshift_hosted/tasks/registry/firewall.yml

@@ -7,7 +7,7 @@
       action: add
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_hosted_registry_os_firewall_allow }}"
 
   - name: Remove iptables rules
@@ -16,7 +16,7 @@
       action: remove
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_hosted_registry_os_firewall_deny }}"
 
 - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
@@ -27,7 +27,7 @@
       permanent: true
       immediate: true
       state: enabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_hosted_registry_os_firewall_allow }}"
 
   - name: Remove firewalld allow rules
@@ -36,5 +36,5 @@
       permanent: true
       immediate: true
       state: disabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_hosted_registry_os_firewall_deny }}"

roles/openshift_hosted/tasks/router/firewall.yml

@@ -7,7 +7,7 @@
       action: add
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_hosted_router_os_firewall_allow }}"
 
   - name: Remove iptables rules
@@ -16,7 +16,7 @@
       action: remove
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_hosted_router_os_firewall_deny }}"
 
 - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
@@ -27,7 +27,7 @@
       permanent: true
       immediate: true
       state: enabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_hosted_router_os_firewall_allow }}"
 
   - name: Remove firewalld allow rules
@@ -36,5 +36,5 @@
       permanent: true
       immediate: true
       state: disabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_hosted_router_os_firewall_deny }}"

roles/openshift_loadbalancer/defaults/main.yml

@@ -17,10 +17,8 @@ r_openshift_loadbalancer_os_firewall_deny: []
 r_openshift_loadbalancer_os_firewall_allow:
 - service: haproxy stats
   port: "9000/tcp"
-  cond: true
 - service: haproxy balance
   port: "{{ openshift_master_api_port | default(8443) }}/tcp"
-  cond: true
 - service: nuage mon
   port: "{{ nuage_mon_rest_server_port | default(9443) }}/tcp"
   cond: "{{ openshift_use_nuage | default(false) | bool }}"

roles/openshift_loadbalancer/tasks/firewall.yml

@@ -7,7 +7,7 @@
       action: add
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_loadbalancer_os_firewall_allow }}"
 
   - name: Remove iptables rules
@@ -16,7 +16,7 @@
       action: remove
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}"
 
 - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
@@ -27,7 +27,7 @@
       permanent: true
       immediate: true
       state: enabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_loadbalancer_os_firewall_allow }}"
 
   - name: Remove firewalld allow rules
@@ -36,5 +36,5 @@
       permanent: true
       immediate: true
       state: disabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}"

roles/openshift_master/defaults/main.yml

@@ -7,16 +7,12 @@ r_openshift_master_os_firewall_deny: []
 r_openshift_master_os_firewall_allow:
 - service: api server https
   port: "{{ openshift.master.api_port }}/tcp"
-  cond: true
 - service: api controllers https
   port: "{{ openshift.master.controllers_port }}/tcp"
-  cond: true
 - service: skydns tcp
   port: "{{ openshift.master.dns_port }}/tcp"
-  cond: true
 - service: skydns udp
   port: "{{ openshift.master.dns_port }}/udp"
-  cond: true
 - service: etcd embedded
   port: 4001/tcp
   cond: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}"

roles/openshift_master/tasks/firewall.yml

@@ -7,7 +7,7 @@
       action: add
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_master_os_firewall_allow }}"
 
   - name: Remove iptables rules
@@ -16,7 +16,7 @@
       action: remove
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_master_os_firewall_deny }}"
 
 - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
@@ -27,7 +27,7 @@
       permanent: true
       immediate: true
       state: enabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_master_os_firewall_allow }}"
 
   - name: Remove firewalld allow rules
@@ -36,5 +36,5 @@
       permanent: true
       immediate: true
       state: disabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_master_os_firewall_deny }}"

roles/openshift_node/defaults/main.yml

@@ -3,16 +3,13 @@ r_openshift_node_os_firewall_deny: []
 r_openshift_node_os_firewall_allow:
 - service: Kubernetes kubelet
   port: 10250/tcp
-  cond: true
 - service: http
   port: 80/tcp
-  cond: true
 - service: https
   port: 443/tcp
-  cond: true
 - service: OpenShift OVS sdn
   port: 4789/udp
-  when: openshift.common.use_openshift_sdn | default(true) | bool
+  cond: openshift.common.use_openshift_sdn | default(true) | bool
 - service: Calico BGP Port
   port: 179/tcp
   cond: "{{ openshift.common.use_calico | bool }}"

roles/openshift_node/tasks/firewall.yml

@@ -7,7 +7,7 @@
       action: add
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_node_os_firewall_allow }}"
 
   - name: Remove iptables rules
@@ -16,7 +16,7 @@
       action: remove
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_node_os_firewall_deny }}"
 
 - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
@@ -27,7 +27,7 @@
       permanent: true
       immediate: true
       state: enabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_node_os_firewall_allow }}"
 
   - name: Remove firewalld allow rules
@@ -36,5 +36,5 @@
       permanent: true
       immediate: true
       state: disabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_node_os_firewall_deny }}"

roles/openshift_storage_nfs/defaults/main.yml

@@ -3,7 +3,6 @@ r_openshift_storage_nfs_os_firewall_deny: []
 r_openshift_storage_nfs_os_firewall_allow:
 - service: nfs
   port: "2049/tcp"
-  cond: true
 
 openshift:
   hosted:

roles/openshift_storage_nfs/tasks/firewall.yml

@@ -7,7 +7,7 @@
       action: add
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_storage_nfs_os_firewall_allow }}"
 
   - name: Remove iptables rules
@@ -16,7 +16,7 @@
       action: remove
       protocol: "{{ item.port.split('/')[1] }}"
       port: "{{ item.port.split('/')[0] }}"
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_storage_nfs_os_firewall_deny }}"
 
 - when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
@@ -27,7 +27,7 @@
       permanent: true
       immediate: true
       state: enabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_storage_nfs_os_firewall_allow }}"
 
   - name: Remove firewalld allow rules
@@ -36,5 +36,5 @@
       permanent: true
       immediate: true
       state: disabled
-    when: item.cond
+    when: item.cond | default(True)
     with_items: "{{ r_openshift_storage_nfs_os_firewall_deny }}"