DEV-607: added missing ufw rules + added automationgit statusgit status

.gitlab-ci.yml

@@ -93,28 +93,6 @@ builder-job:
   except:
     - schedules
 
-run-setup-digitalocean:
-  extends: .run-ansible
-  stage: run-setup
-  before_script:
-    - export STAGE=dev
-    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
-  script:
-    - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
-    - eval $(ssh-agent -s)
-    - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
-    - mkdir -p ~/.ssh
-    - chmod 0700 ~/.ssh
-    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
-    - ssh-add -L
-    - ansible-playbook -i stage-digitalocean setup.yml --vault-password-file /tmp/vault-pass -t common -u gitlabci
-  after_script:
-    - rm /tmp/vault-pass
-  only:
-    - main
-  except:
-    - schedules
-
 run-setup-dev:
   extends: .run-setup
   resource_group: dev
@@ -315,23 +293,12 @@ run-patchday-dev:
   rules:
     - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
 
-run-patchday-dev-digitalocean:
+run-patchday-devscr:
-  extends: .run-ansible
+  extends: .run-patchday
-  stage: run-patchday
+  resource_group: devscr
   before_script:
-    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
+    - export STAGE=devscr
-  script:
+    - echo "${ANSIBLE_VAULT_PASS_DEVSCR}" > /tmp/vault-pass
-    - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
-    - eval $(ssh-agent -s)
-    - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
-    - mkdir -p ~/.ssh
-    - chmod 0700 ~/.ssh
-    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
-    - ssh-add -L
-    - ansible-playbook -i stage-digitalocean patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci
-  after_script:
-    - rm /tmp/vault-pass
-  timeout: 2h
   rules:
     - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"
 
@@ -431,3 +398,59 @@ run-patchday-prodwork01:
 #    - echo "${ANSIBLE_VAULT_PASS_PRODWORK01}" > /tmp/vault-pass
 #  only:
 #    - prodnso
+
+
+########
+###   http://patorjk.com/software/taag/#p=display&f=Doom&t=Digitialocean
+###
+###   ______ _       _ _   _       _                            
+###   |  _  (_)     (_) | (_)     | |                           
+###   | | | |_  __ _ _| |_ _  __ _| | ___   ___ ___  __ _ _ __  
+###   | | | | |/ _` | | __| |/ _` | |/ _ \ / __/ _ \/ _` | '_ \ 
+###   | |/ /| | (_| | | |_| | (_| | | (_) | (_|  __/ (_| | | | |
+###   |___/ |_|\__, |_|\__|_|\__,_|_|\___/ \___\___|\__,_|_| |_|
+###             __/ |                                           
+###            |___/                                            
+
+run-setup-digitalocean:
+  extends: .run-ansible
+  stage: run-setup
+  before_script:
+    - export STAGE=dev
+    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
+  script:
+    - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
+    - eval $(ssh-agent -s)
+    - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
+    - mkdir -p ~/.ssh
+    - chmod 0700 ~/.ssh
+    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
+    - ssh-add -L
+    - ansible-playbook -i stage-digitalocean setup.yml --vault-password-file /tmp/vault-pass -t common -u gitlabci
+    - ansible-playbook -i stage-digitalocean external_monitoring.yml --vault-password-file /tmp/vault-pass -t common -u gitlabci
+  after_script:
+    - rm /tmp/vault-pass
+  only:
+    - main
+  except:
+    - schedules
+
+run-patchday-dev-digitalocean:
+  extends: .run-ansible
+  stage: run-patchday
+  before_script:
+    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
+  script:
+    - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
+    - eval $(ssh-agent -s)
+    - 'echo "$GITLAB_SSH_KEY" | tr -d "\r" | ssh-add -'
+    - mkdir -p ~/.ssh
+    - chmod 0700 ~/.ssh
+    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" >> ~/.ssh/config'
+    - ssh-add -L
+    - ansible-playbook -i stage-digitalocean patchday.yml --vault-password-file=/tmp/vault-pass -u gitlabci
+  after_script:
+    - rm /tmp/vault-pass
+  timeout: 2h
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "main"

external_monitoring.yml

@@ -2,18 +2,26 @@
 - name: 'apply setup to {{ host | default("all") }}'
   hosts: '{{ host | default("all") }}'
   serial: "{{ serial_number | default(5) }}"
+  become: yes
   tasks:
-  - set_fact:
+  - name: "Set VARs"
-      promethues_endpoints_all_stages:
+    set_fact:
+      prometheus_endpoints_all_stages:
         - "{{ lookup('community.general.dig', 'dev-prometheus-01.' + domain ) }}"
         - "{{ lookup('community.general.dig', 'qa-prometheus-01.' + domain ) }}"
         - "{{ lookup('community.general.dig', 'prodnso-prometheus-01.' + domain ) }}"
+      k8s_nodes_mobene:
+        - "{{ lookup('community.general.dig', 'prodwork01-kube-node-01.' + domain ) }}"
+        - "{{ lookup('community.general.dig', 'prodwork01-kube-node-02.' + domain ) }}"
+        - "{{ lookup('community.general.dig', 'prodwork01-kube-node-03.' + domain ) }}"
 
   - name: "Allow SSH in UFW"
     ufw:
       rule: limit
       port: 22
       proto: tcp
+      src: "{{ item }}"
+    loop: "{{ ip_whitelist }}"
 
   - name: "Allow port 9100 for node-exporter in UFW"
     ufw:
@@ -21,7 +29,7 @@
       port: 9100
       proto: tcp
       src: "{{ item }}"
-    loop: "{{ promethues_endpoints_all_stages }}"
+    loop: "{{ prometheus_endpoints_all_stages }}"
 
   - name: "Allow port 9115 for blackbox-exporter in UFW"
     ufw:
@@ -29,7 +37,7 @@
       port: 9115
       proto: tcp
       src: "{{ item }}"
-    loop: "{{ promethues_endpoints_all_stages + ip_whitelist_admins}}"
+    loop: "{{ prometheus_endpoints_all_stages + ip_whitelist + ip_whitelist_admins + k8s_nodes_mobene }}"
 
   - name: "Set firewall default policy"
     ufw: