MOB-28: added custom whitelisted ips for services

feature/DEV-380
Sven Ketelsen 4 years ago
parent 62fa239b6f
commit 0b18fc9bc2

@ -76,13 +76,6 @@ hcloud_firewall_objects:
source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
destination_ips: []
description: 'Postgres-Exporter'
-
direction: in
protocol: tcp
port: '80'
source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
destination_ips: []
description: 'AWX'
apply_to:
-
type: label_selector
@ -119,7 +112,7 @@ hcloud_firewall_objects_awx:
direction: in
protocol: tcp
port: '22'
source_ips: "{{ src_ips }}"
source_ips: "{{ awx_source_ips }}"
destination_ips: []
description: null
apply_to:
@ -127,76 +120,151 @@ hcloud_firewall_objects_awx:
type: label_selector
label_selector:
selector: 'stage={{ stage }}'
hcloud_firewall_objects_backup:
-
name: "{{ stage }}-awx-access-SMA-mgmt-instance"
name: "{{ stage }}-backup-ssh-access"
state: present
rules:
-
direction: in
protocol: tcp
port: '443'
source_ips: "{{ src_ips }}"
port: '22'
source_ips:
- "{{ offsite_storage_server_ip }}"
destination_ips: []
description: null
apply_to:
-
type: label_selector
label_selector:
selector: 'service=connect,tenant=management'
selector: 'service=backup'
hcloud_firewall_objects_gitea:
-
name: "{{ stage }}-awx-access-443-SMA-peripheral-instances"
name: "{{ stage }}-access-to-gitea"
state: present
rules:
-
direction: in
protocol: tcp
port: '443'
source_ips: "{{ src_ips }}"
source_ips: "{{ ip_whitelist }}"
destination_ips: []
description: null
description: "Allow access for whitelisted ips"
-
direction: in
protocol: tcp
port: '443'
source_ips: "{{ [shared_service_network] + awx_source_ips }}"
destination_ips: []
description: "Allow access for kubernetes worker nodes"
-
direction: in
protocol: tcp
port: '443'
source_ips: "{{ [shared_service_network] + (gitea_https_whitelisted_ips | default([])) }}"
destination_ips: []
description: "Allow access for custom whitelisted ips"
apply_to:
-
type: label_selector
label_selector:
selector: 'service=gitea'
hcloud_firewall_objects_keycloak:
-
name: "{{ stage }}-access-to-keycloak"
state: present
rules:
-
direction: in
protocol: tcp
port: '443'
source_ips: "{{ ip_whitelist }}"
destination_ips: []
description: "Allow access for whitelisted ips"
-
direction: in
protocol: tcp
port: '443'
source_ips: "{{ [shared_service_network] + awx_source_ips }}"
destination_ips: []
description: "Allow access for kubernetes worker nodes"
-
direction: in
protocol: tcp
port: '443'
source_ips: "{{ [shared_service_network] + (keycloak_https_whitelisted_ips | default([])) }}"
destination_ips: []
description: "Allow access for custom whitelisted ips"
apply_to:
-
type: label_selector
label_selector:
selector: 'service=kibana'
selector: 'service=keycloak'
hcloud_firewall_objects_backup:
hcloud_firewall_objects_kibana:
-
name: "{{ stage }}-backup-ssh-access"
name: "{{ stage }}-access-to-kibana"
state: present
rules:
-
direction: in
protocol: tcp
port: '22'
source_ips:
- "{{ offsite_storage_server_ip }}"
port: '443'
source_ips: "{{ ip_whitelist }}"
destination_ips: []
description: null
description: "Allow access for whitelisted ips"
-
direction: in
protocol: tcp
port: '443'
source_ips: "{{ [shared_service_network] + awx_source_ips }}"
destination_ips: []
description: "Allow access for kubernetes worker nodes"
-
direction: in
protocol: tcp
port: '443'
source_ips: "{{ [shared_service_network] + (kibana_https_whitelisted_ips | default([])) }}"
destination_ips: []
description: "Allow access for custom whitelisted ips"
apply_to:
-
type: label_selector
label_selector:
selector: 'service=backup'
selector: 'service=kibana'
hcloud_firewall_objects_keycloak:
hcloud_firewall_objects_management:
-
name: "{{ stage }}-access-to-keycloak"
name: "{{ stage }}-access-to-management"
state: present
rules:
-
direction: in
protocol: tcp
port: '443'
source_ips: "{{ ip_whitelist + (keycloak_https_whitelisted_ips | default([])) }}"
source_ips: "{{ ip_whitelist }}"
destination_ips: []
description: null
description: "Allow access for whitelisted ips"
-
direction: in
protocol: tcp
port: '443'
source_ips: "{{ [shared_service_network] + awx_source_ips }}"
destination_ips: []
description: "Allow access for kubernetes worker nodes"
-
direction: in
protocol: tcp
port: '443'
source_ips: "{{ [shared_service_network] + (management_https_whitelisted_ips | default([])) }}"
destination_ips: []
description: "Allow access for custom whitelisted ips"
apply_to:
-
type: label_selector
label_selector:
selector: 'service=keycloak'
selector: 'service=connect,tenant=management'
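Review bot: The "custom whitelisted ips" rules at L83, L114, L152 and L188 unconditionally prepend `shared_service_network`, so when the per-service `*_https_whitelisted_ips` variable is undefined the rule does not disappear but collapses into a duplicate of the preceding "kubernetes worker nodes" rule, which already allows `shared_service_network` on 443. That makes the rule description inaccurate in the default case and leaves a second, harder-to-audit path granting the shared network access; if the prefix is there only to keep `source_ips` non-empty for the hcloud API, that intent is not visible anywhere in the file. Either restrict the rule to the custom list, `source_ips: "{{ gitea_https_whitelisted_ips | default([]) }}"` (and likewise for keycloak, kibana and management), or add a comment above each such rule: `# shared_service_network is repeated here so source_ips is never empty when no custom IPs are set — TODO confirm the role/API rejects an empty list`. The `hcloud_firewall_objects_management` block ends at L196 but the variables file continues outside the hunk.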

@ -47,11 +47,6 @@
loop: "{{ hcloud_firewall_objects }}"
loop_control:
loop_var: firewall_object
# set ENVvar awx_related=True to trigger playbook part
#
# needs to be implemented via switch due to potentially missing nodes at first time
# when playbook was executed
#
- name: "Generate awx-related hcloud firewall rules"
block:
@ -76,23 +71,57 @@
name: hcloud
tasks_from: configure-firewall2
vars:
src_ips: '{{ k8s_worker_node_ips }}'
awx_source_ips: '{{ k8s_worker_node_ips }}'
loop: "{{ hcloud_firewall_objects_awx }}"
loop_control:
loop_var: firewall_object
- name: "Setup hcloud firewalls for database backup stuff..."
include_role:
name: hcloud
tasks_from: configure-firewall2
loop: "{{ hcloud_firewall_objects_backup }}"
loop_control:
loop_var: firewall_object
- name: "Setup hcloud firewalls for keycloak"
include_role:
name: hcloud
tasks_from: configure-firewall2
loop: "{{ hcloud_firewall_objects_keycloak }}"
loop_control:
loop_var: firewall_object
- name: "Setup hcloud firewalls for database backup..."
include_role:
name: hcloud
tasks_from: configure-firewall2
vars:
awx_source_ips: '{{ k8s_worker_node_ips }}'
loop: "{{ hcloud_firewall_objects_backup }}"
loop_control:
loop_var: firewall_object
- name: "Setup hcloud firewalls for gitea..."
include_role:
name: hcloud
tasks_from: configure-firewall2
vars:
awx_source_ips: '{{ k8s_worker_node_ips }}'
loop: "{{ hcloud_firewall_objects_gitea }}"
loop_control:
loop_var: firewall_object
- name: "Setup hcloud firewalls for keycloak..."
include_role:
name: hcloud
tasks_from: configure-firewall2
vars:
awx_source_ips: '{{ k8s_worker_node_ips }}'
loop: "{{ hcloud_firewall_objects_keycloak }}"
loop_control:
loop_var: firewall_object
- name: "Setup hcloud firewalls for kibana..."
include_role:
name: hcloud
tasks_from: configure-firewall2
vars:
awx_source_ips: '{{ k8s_worker_node_ips }}'
loop: "{{ hcloud_firewall_objects_kibana }}"
loop_control:
loop_var: firewall_object
- name: "Setup hcloud firewalls for management..."
include_role:
name: hcloud
tasks_from: configure-firewall2
vars:
awx_source_ips: '{{ k8s_worker_node_ips }}'
loop: "{{ hcloud_firewall_objects_management }}"
loop_control:
loop_var: firewall_object
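Review bot: The backup task at L232-240 passes `vars: awx_source_ips: '{{ k8s_worker_node_ips }}'` although `hcloud_firewall_objects_backup` (first file section) only references `offsite_storage_server_ip`, so that `vars:` block is dead and suggests a broader source list than the backup rule actually grants; drop the two `vars:` lines from that task. The identical `vars:` block is then repeated verbatim in the gitea, keycloak, kibana and management tasks (L245-246, L254-255, L263-264, L272-273); it could be set once at play level or via `set_fact` before these tasks, provided `k8s_worker_node_ips` is guaranteed to be defined at that point — the comment in the previous hunk hints nodes may be missing on a first run, so confirm before hoisting. The enclosing `block:` opened at L208 does not close inside this hunk.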
