Certain ports were incorrectly configured by default.

In response to https://bugzilla.redhat.com/show_bug.cgi?id=1613489

playbooks/openstack/configuration.md

@@ -1017,3 +1017,81 @@ $ ansible-playbook --user openshift \
   -i inventory \
   openshift-ansible/playbooks/openstack/openshift-cluster/install.yml
 ```
+
+
+## Opening Optional Ports
+
+Certain features of Openshift that are not part of the default configuration may require ports to be opened. The following changes to openshift-ansible/roles/openshift_openstack/defaults/main.yml are needed to enable these features. This section assumes that these services were already properly enabled and configured in OSEv3.yml or all.yml, and will not include details pertaining to them.
+
+### Metrics
+If you want to enable metrics in your openshift cluster, then port 10255 must be open on all nodes in the cluster. The following code should be added to openshift_openstack_node_secgroup_rules in main.yml.
+
+```
+  - direction: ingress
+    protocol: tcp
+    port_range_min: 10255
+    port_range_max: 10255
+  - direction: ingress
+    protocol: udp
+    port_range_min: 10255
+    port_range_max: 10255
+```
+
+### Prometheus
+The following code to open ports for prometheus should also be added to the openshift_openstack_node_secgroup_rules section of main.yml.
+
+```
+  - direction: ingress
+    protocol: tcp
+    port_range_min: 9100
+    port_range_max: 9100
+```
+    
+### Elastic Search
+Add this to the openshift_openstack_node_secgroup_rules section of main.yml to enable elastic search.
+
+```
+  - direction: ingress
+    protocol: tcp
+    port_range_min: 9200
+    port_range_max: 9200
+  - direction: ingress
+    protocol: tcp
+    port_range_min: 9300
+    port_range_max: 9300
+```
+
+### Using Pacemaker HA
+If you choose to use Pacemaker to manage the HA system on the master nodes, the following changes should be made to the openshift_openstack_master_secgroup_rules section.
+
+```
+  - direction: ingress
+    protocol: tcp
+    port_range_min: 2224
+    port_range_max: 2224
+  - direction: ingress
+    protocol: udp
+    port_range_min: 5404
+    port_range_max: 5405
+```
+
+The following Documentation may prove helpful as well:
+- https://docs.openshift.com/enterprise/3.1/architecture/infrastructure_components/kubernetes_infrastructure.html#high-availability-masters
+- https://docs.openshift.com/enterprise/3.1/install_config/upgrading/pacemaker_to_native_ha.html
+
+### Template Router
+If you are running a template router to expose your statistics, there are a few changes you need to make. First, add this to main.yml.
+
+```
+  - direction: ingress
+    protocol: tcp
+    port_range_min: 1936
+    port_range_max: 1936
+```
+
+You may have to update your iptable rules to make this work with the following command:
+
+```
+iptables -A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp \
+    --dport 1936 -j ACCEPT
+```

roles/openshift_openstack/defaults/main.yml

@@ -147,14 +147,6 @@ openshift_openstack_master_secgroup_rules:
     port_range_max: 24224
   - direction: ingress
     protocol: tcp
-    port_range_min: 2224
-    port_range_max: 2224
-  - direction: ingress
-    protocol: udp
-    port_range_min: 5404
-    port_range_max: 5405
-  - direction: ingress
-    protocol: tcp
     port_range_min: 9090
     port_range_max: 9090
 openshift_openstack_etcd_secgroup_rules:
@@ -167,47 +159,14 @@ openshift_openstack_node_secgroup_rules:
   # NOTE(shadower): the 53 rules are needed for Kuryr
   - direction: ingress
     protocol: tcp
-    port_range_min: 53
-    port_range_max: 53
-  - direction: ingress
-    protocol: udp
-    port_range_min: 53
-    port_range_max: 53
-  - direction: ingress
-    protocol: tcp
-    port_range_min: 10250
-    port_range_max: 10250
-    remote_mode: remote_group_id
-  - direction: ingress
-    protocol: udp
     port_range_min: 10250
     port_range_max: 10250
     remote_mode: remote_group_id
   - direction: ingress
-    protocol: tcp
-    port_range_min: 10255
-    port_range_max: 10255
-    remote_mode: remote_group_id
-  - direction: ingress
-    protocol: udp
-    port_range_min: 10255
-    port_range_max: 10255
-    remote_mode: remote_group_id
-  - direction: ingress
     protocol: udp
     port_range_min: 4789
     port_range_max: 4789
     remote_mode: remote_group_id
-  - direction: ingress
-    protocol: tcp
-    port_range_min: 30000
-    port_range_max: 32767
-    remote_ip_prefix: "{{ openshift_openstack_node_ingress_cidr }}"
-  - direction: ingress
-    protocol: tcp
-    port_range_min: 30000
-    port_range_max: 32767
-    remote_ip_prefix: "{{ openshift_openstack_subnet_cidr }}"
 openshift_openstack_infra_secgroup_rules:
   - direction: ingress
     protocol: tcp
@@ -216,11 +175,7 @@ openshift_openstack_infra_secgroup_rules:
   - direction: ingress
     protocol: tcp
     port_range_min: 443
-    port_range_max: 443
-  - direction: ingress
-    protocol: tcp
-    port_range_min: 1936
-    port_range_max: 1936
+    port_range_max: 443 
 openshift_openstack_cns_secgroup_rules:
   # rpcbind
   - direction: ingress