DEV-695: fixing buggy firewall stuff

3 years ago · 982ec72f28
parent 2ef6773ed3
commit 982ec72f28
7 changed files with 60 additions and 60 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -18,7 +18,7 @@ stages:
  - run-kubernetes
  - run-management-update
  - run-patchday
-#  - run-hcloud-firewall
+  - run-hcloud-firewall

 lint-job:
  stage: lint
@ -330,7 +330,6 @@ run-patchday-prodwork01:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $CI_COMMIT_BRANCH == "prodnso"


-
 ########
 ###   http://patorjk.com/software/taag/#p=display&f=Doom&t=patchday.yml
 ###
@ -344,60 +343,60 @@ run-patchday-prodwork01:
 ###                               |______|                                |___/
 ###

-#.run-hcloud-firewall:
-#  extends: .run-ansible
-#  stage: run-hcloud-firewall
-#  script:
-#    - ansible-playbook -e "stage=${STAGE}" hcloud_firewall.yml --vault-password-file /tmp/vault-pass
-#  after_script:
-#    - rm /tmp/vault-pass
-#  except:
-#    - schedules
-#
-#run-hcloud-firewall-dev:
-#  extends: .run-hcloud-firewall
-#  resource_group: dev
-#  before_script:
-#    - export STAGE=dev
-#    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
-#  only:
-#    - main
-#
-#run-hcloud-firewall-devscr:
-#  extends: .run-hcloud-firewall
-#  resource_group: devscr
-#  before_script:
-#    - export STAGE=devscr
-#    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
-#  only:
-#    - main
-#
-#run-hcloud-firewall-qa:
-#  extends: .run-hcloud-firewall
-#  resource_group: qa
-#  before_script:
-#    - export STAGE=qa
-#    - echo "${ANSIBLE_VAULT_PASS_QA}" > /tmp/vault-pass
-#  only:
-#    - qa
-#
-#run-hcloud-firewall-prodnso:
-#  extends: .run-hcloud-firewall
-#  resource_group: prodnso
-#  before_script:
-#    - export STAGE=prodnso
-#    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
-#  only:
-#    - prodnso
-#
-#run-hcloud-firewall-prodwork01:
-#  extends: .run-hcloud-firewall
-#  resource_group: prodwork01
-#  before_script:
-#    - export STAGE=prodwork01
-#    - echo "${ANSIBLE_VAULT_PASS_PRODWORK01}" > /tmp/vault-pass
-#  only:
-#    - prodnso
+.run-hcloud-firewall:
+  extends: .run-ansible
+  stage: run-hcloud-firewall
+  script:
+    - ansible-playbook -e "stage=${STAGE}" hcloud_firewall.yml --vault-password-file /tmp/vault-pass
+  after_script:
+    - rm /tmp/vault-pass
+  except:
+    - schedules
+
+run-hcloud-firewall-dev:
+  extends: .run-hcloud-firewall
+  resource_group: dev
+  before_script:
+    - export STAGE=dev
+    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
+  only:
+    - main
+
+run-hcloud-firewall-devscr:
+  extends: .run-hcloud-firewall
+  resource_group: devscr
+  before_script:
+    - export STAGE=devscr
+    - echo "${ANSIBLE_VAULT_PASS_DEV}" > /tmp/vault-pass
+  only:
+    - main
+
+run-hcloud-firewall-qa:
+  extends: .run-hcloud-firewall
+  resource_group: qa
+  before_script:
+    - export STAGE=qa
+    - echo "${ANSIBLE_VAULT_PASS_QA}" > /tmp/vault-pass
+  only:
+    - qa
+
+run-hcloud-firewall-prodnso:
+  extends: .run-hcloud-firewall
+  resource_group: prodnso
+  before_script:
+    - export STAGE=prodnso
+    - echo "${ANSIBLE_VAULT_PASS_PRODNSO}" > /tmp/vault-pass
+  only:
+    - prodnso
+
+run-hcloud-firewall-prodwork01:
+  extends: .run-hcloud-firewall
+  resource_group: prodwork01
+  before_script:
+    - export STAGE=prodwork01
+    - echo "${ANSIBLE_VAULT_PASS_PRODWORK01}" > /tmp/vault-pass
+  only:
+    - prodnso


 ########
--- a/group_vars/all/firewall.yml
+++ b/group_vars/all/firewall.yml
@ -59,7 +59,7 @@ hcloud_firewall_objects:
        direction: in
        protocol: tcp
        port: '9080-9085'
-        source_ips: '{{ ip_whitelist }}'
+        source_ips: '{{ ip_whitelist + [ lookup("community.general.dig", stage + "-prometheus-01." + domain ) + "/32"]  }}'
        destination_ips: []
        description: 'Server/Service Monitoring'
     -
--- a/group_vars/stage_devscr/hcloud_firewall.yml
+++ b/group_vars/stage_devscr/hcloud_firewall.yml
@ -1,4 +1,5 @@
 ---
+hcloud_firewall_app_specific_stuff: False
 hcloud_firewall_objects:
   -
     name: "{{ stage }}-default"
--- a/group_vars/stage_prodnso/backup.yml
+++ b/group_vars/stage_prodnso/backup.yml
@ -1,2 +1,2 @@
 backup_lvm_hcloudvol_size: 30
-backup_lvm_hcloudvol_count: 2
+backup_lvm_hcloudvol_count: 3
--- a/group_vars/stage_prodwork01/firewall.yml
+++ b/group_vars/stage_prodwork01/firewall.yml
@ -1,4 +1,5 @@
 ---
+hcloud_firewall_app_specific_stuff: False
 hcloud_firewall_objects:
   -
     name: "{{ stage }}-default"
--- a/group_vars/stage_prodwork01/plain.yml
+++ b/group_vars/stage_prodwork01/plain.yml
@ -1,7 +1,6 @@
 ---

 stage: "prodwork01"
-hcloud_firewall_app_specific_stuff: False

 default_plattform_users:
  - 'friedrich.goerz'
--- a/templates/prometheus/config/prometheus/alert.rules.j2
+++ b/templates/prometheus/config/prometheus/alert.rules.j2
@ -94,7 +94,7 @@ groups:
    expr: 100.0 - 100 * (node_filesystem_free_bytes{env="{{ stage }}",device=~"/dev/mapper/.*"} / node_filesystem_size_bytes{device!="/dev/loop1",env="{{ stage }}",device=~"/dev/mapper/.*"}) > {{ prometheus_alert_diskspaceusage_warning }}
    for: 10m
    labels:
-      severity: warning
+      severity: critical
    annotations:
      summary: "Disk Space Usage (instance {{ '{{' }} $labels.instance {{ '}}' }})"
      description: "Disk Space on Drive is used more than {{ prometheus_alert_diskspaceusage_warning }}%\n  VALUE = {{ '{{' }} $value {{ '}}' }}\n  LABELS: {{ '{{' }} $labels {{ '}}' }}"