diff --git a/group_vars/all/firewall.yml b/group_vars/all/firewall.yml index 1d5e6c9..008e32d 100644 --- a/group_vars/all/firewall.yml +++ b/group_vars/all/firewall.yml @@ -76,13 +76,6 @@ hcloud_firewall_objects: source_ips: '{{ ip_whitelist + ip_whitelist_admins }}' destination_ips: [] description: 'Postgres-Exporter' - - - direction: in - protocol: tcp - port: '80' - source_ips: '{{ ip_whitelist + ip_whitelist_admins }}' - destination_ips: [] - description: 'AWX' apply_to: - type: label_selector @@ -119,7 +112,7 @@ hcloud_firewall_objects_awx: direction: in protocol: tcp port: '22' - source_ips: "{{ src_ips }}" + source_ips: "{{ awx_source_ips }}" destination_ips: [] description: null apply_to: 
@@ -127,76 +120,151 @@ hcloud_firewall_objects_awx: type: label_selector label_selector: selector: 'stage={{ stage }}' + +hcloud_firewall_objects_backup: - - name: "{{ stage }}-awx-access-SMA-mgmt-instance" + name: "{{ stage }}-backup-ssh-access" state: present rules: - direction: in protocol: tcp - port: '443' - source_ips: "{{ src_ips }}" + port: '22' + source_ips: + - "{{ offsite_storage_server_ip }}" destination_ips: [] description: null apply_to: - type: label_selector label_selector: - selector: 'service=connect,tenant=management' + selector: 'service=backup' + +hcloud_firewall_objects_gitea: - - name: "{{ stage }}-awx-access-443-SMA-peripheral-instances" + name: "{{ stage }}-access-to-gitea" state: present rules: - direction: in protocol: tcp port: '443' - source_ips: "{{ src_ips }}" + source_ips: "{{ ip_whitelist }}" destination_ips: [] - description: null + description: "Allow access for whitelisted ips" + - + direction: in + protocol: tcp + port: '443' + source_ips: "{{ [shared_service_network] + awx_source_ips }}" + destination_ips: [] + description: "Allow access for kubernetes worker nodes" + - + direction: in + protocol: tcp + port: '443' + source_ips: "{{ [shared_service_network] + (gitea_https_whitelisted_ips | default([])) }}" + destination_ips: [] + description: "Allow access for custom whitelisted ips" apply_to: - type: label_selector label_selector: selector: 'service=gitea' + +hcloud_firewall_objects_keycloak: + - + name: "{{ stage }}-access-to-keycloak" + state: present + rules: + - + direction: in + protocol: tcp + port: '443' + source_ips: "{{ ip_whitelist }}" + destination_ips: [] + description: "Allow access for whitelisted ips" + - + direction: in + protocol: tcp + port: '443' + source_ips: "{{ [shared_service_network] + awx_source_ips }}" + destination_ips: [] + description: "Allow access for kubernetes worker nodes" + - + direction: in + protocol: tcp + port: '443' + source_ips: "{{ [shared_service_network] + 
(keycloak_https_whitelisted_ips | default([])) }}" + destination_ips: [] + description: "Allow access for custom whitelisted ips" + apply_to: - type: label_selector label_selector: - selector: 'service=kibana' + selector: 'service=keycloak' -hcloud_firewall_objects_backup: +hcloud_firewall_objects_kibana: - - name: "{{ stage }}-backup-ssh-access" + name: "{{ stage }}-access-to-kibana" state: present rules: - direction: in protocol: tcp - port: '22' - source_ips: - - "{{ offsite_storage_server_ip }}" + port: '443' + source_ips: "{{ ip_whitelist }}" destination_ips: [] - description: null + description: "Allow access for whitelisted ips" + - + direction: in + protocol: tcp + port: '443' + source_ips: "{{ [shared_service_network] + awx_source_ips }}" + destination_ips: [] + description: "Allow access for kubernetes worker nodes" + - + direction: in + protocol: tcp + port: '443' + source_ips: "{{ [shared_service_network] + (kibana_https_whitelisted_ips | default([])) }}" + destination_ips: [] + description: "Allow access for custom whitelisted ips" apply_to: - type: label_selector label_selector: - selector: 'service=backup' + selector: 'service=kibana' -hcloud_firewall_objects_keycloak: + +hcloud_firewall_objects_management: - - name: "{{ stage }}-access-to-keycloak" + name: "{{ stage }}-access-to-management" state: present rules: - direction: in protocol: tcp port: '443' - source_ips: "{{ ip_whitelist + (keycloak_https_whitelisted_ips | default([])) }}" + source_ips: "{{ ip_whitelist }}" destination_ips: [] - description: null + description: "Allow access for whitelisted ips" + - + direction: in + protocol: tcp + port: '443' + source_ips: "{{ [shared_service_network] + awx_source_ips }}" + destination_ips: [] + description: "Allow access for kubernetes worker nodes" + - + direction: in + protocol: tcp + port: '443' + source_ips: "{{ [shared_service_network] + (management_https_whitelisted_ips | default([])) }}" + destination_ips: [] + description: "Allow access for 
custom whitelisted ips" apply_to: - type: label_selector label_selector: - selector: 'service=keycloak' + selector: 'service=connect,tenant=management' \ No newline at end of file diff --git a/hcloud_firewall.yml b/hcloud_firewall.yml index e91c7f3..a029c6e 100644 --- a/hcloud_firewall.yml +++ b/hcloud_firewall.yml @@ -47,11 +47,6 @@ loop: "{{ hcloud_firewall_objects }}" loop_control: loop_var: firewall_object - -# set ENVvar awx_related=True to trigger playbook part -# -# needs to be implemented via switch due to potentially missing nodes at first time -# when playbook was executed # - name: "Generate awx-related hcloud firewall rules" block: 
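Review bot: In the new gitea, keycloak, kibana and management objects the third rule (`description: "Allow access for custom whitelisted ips"`) prepends `[shared_service_network]` to the optional list, so when `*_https_whitelisted_ips` is undefined the rule still opens 443 to the shared network and merely duplicates what the second rule already grants, while its description names only custom IPs. Anyone auditing the resulting hcloud firewall by its rule descriptions would undercount what the shared network can reach. Consider giving the shared network its own rule (`source_ips: ["{{ shared_service_network }}"]`, `description: "Allow access from shared service network"`) and reducing the custom rule to `source_ips: "{{ gitea_https_whitelisted_ips | default([]) }}"`, or at least widen the description to `"Allow access for shared service network and custom whitelisted ips"`. The hunk also ends with `\ No newline at end of file`; a trailing newline keeps yamllint quiet.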
@@ -76,23 +71,57 @@ name: hcloud tasks_from: configure-firewall2 vars: - src_ips: '{{ k8s_worker_node_ips }}' + awx_source_ips: '{{ k8s_worker_node_ips }}' loop: "{{ hcloud_firewall_objects_awx }}" loop_control: loop_var: firewall_object - - name: "Setup hcloud firewalls for database backup stuff..." - include_role: - name: hcloud - tasks_from: configure-firewall2 - loop: "{{ hcloud_firewall_objects_backup }}" - loop_control: - loop_var: firewall_object - - - name: "Setup hcloud firewalls for keycloak" - include_role: - name: hcloud - tasks_from: configure-firewall2 - loop: "{{ hcloud_firewall_objects_keycloak }}" - loop_control: - loop_var: firewall_object + - name: "Setup hcloud firewalls for database backup..." + include_role: + name: hcloud + tasks_from: configure-firewall2 + vars: + awx_source_ips: '{{ k8s_worker_node_ips }}' + loop: "{{ hcloud_firewall_objects_backup }}" + loop_control: + loop_var: firewall_object + + - name: "Setup hcloud firewalls for gitea..." + include_role: + name: hcloud + tasks_from: configure-firewall2 + vars: + awx_source_ips: '{{ k8s_worker_node_ips }}' + loop: "{{ hcloud_firewall_objects_gitea }}" + loop_control: + loop_var: firewall_object + + - name: "Setup hcloud firewalls for keycloak..." + include_role: + name: hcloud + tasks_from: configure-firewall2 + vars: + awx_source_ips: '{{ k8s_worker_node_ips }}' + loop: "{{ hcloud_firewall_objects_keycloak }}" + loop_control: + loop_var: firewall_object + + - name: "Setup hcloud firewalls for kibana..." + include_role: + name: hcloud + tasks_from: configure-firewall2 + vars: + awx_source_ips: '{{ k8s_worker_node_ips }}' + loop: "{{ hcloud_firewall_objects_kibana }}" + loop_control: + loop_var: firewall_object + + - name: "Setup hcloud firewalls for management..." + include_role: + name: hcloud + tasks_from: configure-firewall2 + vars: + awx_source_ips: '{{ k8s_worker_node_ips }}' + loop: "{{ hcloud_firewall_objects_management }}" + loop_control: + loop_var: firewall_object
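Review bot: The five new `Setup hcloud firewalls for ...` tasks each repeat `vars: awx_source_ips: '{{ k8s_worker_node_ips }}'`, and the backup task sets it although `hcloud_firewall_objects_backup` (per the group_vars hunk) only references `offsite_storage_server_ip`. Setting the variable once on the enclosing block's `vars:`, or collapsing the five tasks into a single `include_role` that loops over the concatenated object lists, removes the duplication and keeps the worker-node source list in one place. The removed-and-re-added pattern (rather than a plain insertion of the `vars:` lines) suggests the backup and keycloak tasks were re-indented into the `Generate awx-related hcloud firewall rules` block, whose deleted comment said it only runs when `awx_related` is set; if so, those firewalls are no longer applied on runs where that switch is off, which should be intended and documented next to the block. The enclosing block starts outside the hunk.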