diff --git a/group_vars/all/firewall.yml b/group_vars/all/firewall.yml
index 1c17803..f07b746 100644
--- a/group_vars/all/firewall.yml
+++ b/group_vars/all/firewall.yml
@@ -112,9 +112,9 @@ hcloud_firewall_objects_awx:
 direction: in
 protocol: tcp
 port: '22'
- source_ips: "{{ awx_source_ips }}"
+ source_ips: "{{ k8s_worker_node_ips }}"
 destination_ips: []
- description: null
+ description: "Allow access for kubernetes worker nodes"
 apply_to:
 - type: label_selector
@@ -156,7 +156,7 @@ hcloud_firewall_objects_gitea:
 direction: in
 protocol: tcp
 port: '443'
- source_ips: "{{ [shared_service_network] + awx_source_ips }}"
+ source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
 destination_ips: []
 description: "Allow access for kubernetes worker nodes"
 -
@@ -188,7 +188,7 @@ hcloud_firewall_objects_keycloak:
 direction: in
 protocol: tcp
 port: '443'
- source_ips: "{{ [shared_service_network] + awx_source_ips }}"
+ source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
 destination_ips: []
 description: "Allow access for kubernetes worker nodes"
 -
@@ -220,7 +220,7 @@ hcloud_firewall_objects_kibana:
 direction: in
 protocol: tcp
 port: '443'
- source_ips: "{{ [shared_service_network] + awx_source_ips }}"
+ source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
 destination_ips: []
 description: "Allow access for kubernetes worker nodes"
 -
@@ -252,7 +252,7 @@ hcloud_firewall_objects_management:
 direction: in
 protocol: tcp
 port: '443'
- source_ips: "{{ [shared_service_network] + awx_source_ips }}"
+ source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
 destination_ips: []
 description: "Allow access for kubernetes worker nodes"
 -
diff --git a/hcloud_firewall.yml b/hcloud_firewall.yml
index 2e18366..27391c1 100644
--- a/hcloud_firewall.yml
+++ b/hcloud_firewall.yml
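Review bot: In the hunk at group_vars/all/firewall.yml line 112 (awx, port 22) `source_ips` now references `k8s_worker_node_ips` directly, which is not a group var but a fact that presumably only exists once the "Initial VAR(s)" task in hcloud_firewall.yml has run (its body is outside this diff); the same applies to the gitea, keycloak, kibana and management hunks. Any other play that loads these objects, or an inventory dump, will hit an undefined variable, and that coupling is invisible from this file. Add a comment above each `source_ips` line, e.g. `# k8s_worker_node_ips is a runtime fact set by hcloud_firewall.yml ("Initial VAR(s)"); undefined outside that play`. If `awx_source_ips` is still referenced anywhere else in the repository it is now undefined too, since this diff removes every place that set it.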
@@ -54,7 +54,7 @@
 delegate_to: localhost
 hcloud_server_info:
 api_token: "{{ hetzner_authentication_ansible_vault }}"
- label_selector: 'service=kube_node'
+ label_selector: "service=kube_node,stage={{ stage }}"
 register: found_servers
 - name: "Initial VAR(s)"
@@ -70,8 +70,6 @@
 include_role:
 name: hcloud
 tasks_from: configure-firewall2
- vars:
- awx_source_ips: '{{ k8s_worker_node_ips }}'
 loop: "{{ hcloud_firewall_objects_awx }}"
 loop_control:
 loop_var: firewall_object
@@ -80,8 +78,6 @@
 include_role:
 name: hcloud
 tasks_from: configure-firewall2
- vars:
- awx_source_ips: '{{ k8s_worker_node_ips }}'
 loop: "{{ hcloud_firewall_objects_backup }}"
 loop_control:
 loop_var: firewall_object
@@ -90,8 +86,6 @@
 include_role:
 name: hcloud
 tasks_from: configure-firewall2
- vars:
- awx_source_ips: '{{ k8s_worker_node_ips }}'
 loop: "{{ hcloud_firewall_objects_gitea }}"
 loop_control:
 loop_var: firewall_object
@@ -100,8 +94,6 @@
 include_role:
 name: hcloud
 tasks_from: configure-firewall2
- vars:
- awx_source_ips: '{{ k8s_worker_node_ips }}'
 loop: "{{ hcloud_firewall_objects_keycloak }}"
 loop_control:
 loop_var: firewall_object
@@ -110,8 +102,6 @@
 include_role:
 name: hcloud
 tasks_from: configure-firewall2
- vars:
- awx_source_ips: '{{ k8s_worker_node_ips }}'
 loop: "{{ hcloud_firewall_objects_kibana }}"
 loop_control:
 loop_var: firewall_object
@@ -120,8 +110,6 @@
 include_role:
 name: hcloud
 tasks_from: configure-firewall2
- vars:
- awx_source_ips: '{{ k8s_worker_node_ips }}'
 loop: "{{ hcloud_firewall_objects_management }}"
 loop_control:
 loop_var: firewall_object
diff --git a/roles/hcloud/tasks/configure-firewall.yml b/roles/hcloud/tasks/configure-firewall.yml
deleted file mode 100644
index c60bcf4..0000000
--- a/roles/hcloud/tasks/configure-firewall.yml
+++ /dev/null
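Review bot: The stricter `label_selector` in the hunk at hcloud_firewall.yml line 57 makes an empty `found_servers` result more likely (a stage with no kube nodes yet, or a label typo), and nothing after `register: found_servers` checks for that; the IP list presumably derived from it in "Initial VAR(s)" (body outside the hunk) is what every firewall object in group_vars uses as `source_ips`, so an empty lookup would silently produce rules with no sources instead of failing the play. Add a fail-fast assert directly after the register, as below. The selector is also templated with `stage`, so the play now hard-requires that variable; a comment such as `# stage must be supplied (inventory/extra-vars): only this stage's kube nodes are whitelisted` above `label_selector` would make that explicit.

```yaml
  register: found_servers

- name: "Ensure kube nodes exist for stage {{ stage }}"
  assert:
    that:
      - found_servers.hcloud_server_info | length > 0
    fail_msg: "No hcloud servers matched service=kube_node,stage={{ stage }}; refusing to build firewall rules from an empty source list"
# … unchanged: Initial VAR(s) task …
```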
@@ -1,53 +0,0 @@
----
-
-### tags:
-
-- name: "Reading firewall entry for <{{ current_firewall_name }}>"
- set_fact:
- firewall_record: "{{ firewall_records | selectattr('name', 'equalto', current_firewall_name) | list | first | default({'name': '-', 'id': '-'}) }}"
- firewall_template: "firewall-{{ current_firewall_name }}.json.j2"
- tags:
- - update_networks
-
-- name: "Printing firewall entry for <{{ current_firewall_name }}>"
- debug:
- msg: "{{ firewall_record }}"
- when:
- - debug
- tags:
- - update_networks
-
-- name: "Creating new firewall entry <{{ current_firewall_name }}>"
- uri:
- method: POST
- url: "https://api.hetzner.cloud/v1/firewalls"
- body_format: json
- body: "{{ lookup('template',firewall_template) }}"
- headers:
- accept: application/json
- authorization: Bearer {{ hetzner_authentication_ansible }}
- return_content: yes
- status_code: 201
- when: firewall_records | selectattr("name", "equalto", current_firewall_name) | list | length == 0
- delegate_to: 127.0.0.1
- become: false
- tags:
- - update_networks
-
-# TODO port changes are not written corectly
-- name: "Updating firewall entry <{{ current_firewall_name }}>"
- uri:
- method: PUT
- url: "https://api.hetzner.cloud/v1/firewalls/{{ firewall_record.id }}"
- body_format: json
- body: "{{ lookup('template',firewall_template) }}"
- headers:
- accept: application/json
- authorization: Bearer {{ hetzner_authentication_ansible }}
- return_content: yes
- status_code: 200
- when: firewall_records | selectattr("name", "equalto", current_firewall_name) | list | length == 1
- delegate_to: 127.0.0.1
- become: false
- tags:
- - update_networks
diff --git a/roles/hcloud/tasks/main.yml b/roles/hcloud/tasks/main.yml
index 338f064..a9f03f1 100644
--- a/roles/hcloud/tasks/main.yml
+++ b/roles/hcloud/tasks/main.yml
@@ -50,19 +50,6 @@
 when:
 - debug
-#- name: "Checking present state for firewalls"
-# include_tasks: configure-firewall.yml
-# vars:
-# current_firewall_name: '{{ current_firewall }}'
-# with_items:
-# - 'default'
-# - 'kibana'
-# - 'monitoring'
-# loop_control:
-# loop_var: current_firewall
-# tags:
-# - update_networks
-
 - name: "Checking present state for networks: {{ hetzner_networks }}"
 include_tasks: configure-network.yml
 vars: