gitea-admin
/
hetzner-ansible
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

DEV-677 update hetzner firewall rules for new k8s worker node on dev

Browse Source
qa
Sven Ketelsen 3 years ago committed by Görz, Friedrich
parent f80341254a
commit c9c09828bb
4 changed files with 7 additions and 85 deletions
Show Stats Download Patch File Download Diff File

12
group_vars/all/firewall.yml
Unescape Escape View File

@ -112,9 +112,9 @@ hcloud_firewall_objects_awx:
direction: in direction: in
protocol: tcp protocol: tcp
port: '22' port: '22'
source_ips: "{{ awx_source_ips }}" source_ips: "{{ k8s_worker_node_ips }}"
destination_ips: [] destination_ips: []
description: null description: "Allow access for kubernetes worker nodes"
apply_to: apply_to:
- -
type: label_selector type: label_selector
@ -156,7 +156,7 @@ hcloud_firewall_objects_gitea:
direction: in direction: in
protocol: tcp protocol: tcp
port: '443' port: '443'
source_ips: "{{ [shared_service_network] + awx_source_ips }}" source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
destination_ips: [] destination_ips: []
description: "Allow access for kubernetes worker nodes" description: "Allow access for kubernetes worker nodes"
- -
@ -188,7 +188,7 @@ hcloud_firewall_objects_keycloak:
direction: in direction: in
protocol: tcp protocol: tcp
port: '443' port: '443'
source_ips: "{{ [shared_service_network] + awx_source_ips }}" source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
destination_ips: [] destination_ips: []
description: "Allow access for kubernetes worker nodes" description: "Allow access for kubernetes worker nodes"
- -
@ -220,7 +220,7 @@ hcloud_firewall_objects_kibana:
direction: in direction: in
protocol: tcp protocol: tcp
port: '443' port: '443'
source_ips: "{{ [shared_service_network] + awx_source_ips }}" source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
destination_ips: [] destination_ips: []
description: "Allow access for kubernetes worker nodes" description: "Allow access for kubernetes worker nodes"
- -
@ -252,7 +252,7 @@ hcloud_firewall_objects_management:
direction: in direction: in
protocol: tcp protocol: tcp
port: '443' port: '443'
source_ips: "{{ [shared_service_network] + awx_source_ips }}" source_ips: "{{ [shared_service_network] + k8s_worker_node_ips }}"
destination_ips: [] destination_ips: []
description: "Allow access for kubernetes worker nodes" description: "Allow access for kubernetes worker nodes"
- -

14
hcloud_firewall.yml
Unescape Escape View File

@ -54,7 +54,7 @@
delegate_to: localhost delegate_to: localhost
hcloud_server_info: hcloud_server_info:
api_token: "{{ hetzner_authentication_ansible_vault }}" api_token: "{{ hetzner_authentication_ansible_vault }}"
label_selector: 'service=kube_node' label_selector: "service=kube_node,stage={{ stage }}"
register: found_servers register: found_servers
- name: "Initial VAR(s)" - name: "Initial VAR(s)"
@ -70,8 +70,6 @@
include_role: include_role:
name: hcloud name: hcloud
tasks_from: configure-firewall2 tasks_from: configure-firewall2
vars:
awx_source_ips: '{{ k8s_worker_node_ips }}'
loop: "{{ hcloud_firewall_objects_awx }}" loop: "{{ hcloud_firewall_objects_awx }}"
loop_control: loop_control:
loop_var: firewall_object loop_var: firewall_object
@ -80,8 +78,6 @@
include_role: include_role:
name: hcloud name: hcloud
tasks_from: configure-firewall2 tasks_from: configure-firewall2
vars:
awx_source_ips: '{{ k8s_worker_node_ips }}'
loop: "{{ hcloud_firewall_objects_backup }}" loop: "{{ hcloud_firewall_objects_backup }}"
loop_control: loop_control:
loop_var: firewall_object loop_var: firewall_object
@ -90,8 +86,6 @@
include_role: include_role:
name: hcloud name: hcloud
tasks_from: configure-firewall2 tasks_from: configure-firewall2
vars:
awx_source_ips: '{{ k8s_worker_node_ips }}'
loop: "{{ hcloud_firewall_objects_gitea }}" loop: "{{ hcloud_firewall_objects_gitea }}"
loop_control: loop_control:
loop_var: firewall_object loop_var: firewall_object
@ -100,8 +94,6 @@
include_role: include_role:
name: hcloud name: hcloud
tasks_from: configure-firewall2 tasks_from: configure-firewall2
vars:
awx_source_ips: '{{ k8s_worker_node_ips }}'
loop: "{{ hcloud_firewall_objects_keycloak }}" loop: "{{ hcloud_firewall_objects_keycloak }}"
loop_control: loop_control:
loop_var: firewall_object loop_var: firewall_object
@ -110,8 +102,6 @@
include_role: include_role:
name: hcloud name: hcloud
tasks_from: configure-firewall2 tasks_from: configure-firewall2
vars:
awx_source_ips: '{{ k8s_worker_node_ips }}'
loop: "{{ hcloud_firewall_objects_kibana }}" loop: "{{ hcloud_firewall_objects_kibana }}"
loop_control: loop_control:
loop_var: firewall_object loop_var: firewall_object
@ -120,8 +110,6 @@
include_role: include_role:
name: hcloud name: hcloud
tasks_from: configure-firewall2 tasks_from: configure-firewall2
vars:
awx_source_ips: '{{ k8s_worker_node_ips }}'
loop: "{{ hcloud_firewall_objects_management }}" loop: "{{ hcloud_firewall_objects_management }}"
loop_control: loop_control:
loop_var: firewall_object loop_var: firewall_object

53
roles/hcloud/tasks/configure-firewall.yml
Unescape Escape View File

@ -1,53 +0,0 @@
---
### tags:
- name: "Reading firewall entry for <{{ current_firewall_name }}>"
set_fact:
firewall_record: "{{ firewall_records | selectattr('name', 'equalto', current_firewall_name) | list | first | default({'name': '-', 'id': '-'}) }}"
firewall_template: "firewall-{{ current_firewall_name }}.json.j2"
tags:
- update_networks
- name: "Printing firewall entry for <{{ current_firewall_name }}>"
debug:
msg: "{{ firewall_record }}"
when:
- debug
tags:
- update_networks
- name: "Creating new firewall entry <{{ current_firewall_name }}>"
uri:
method: POST
url: "https://api.hetzner.cloud/v1/firewalls"
body_format: json
body: "{{ lookup('template',firewall_template) }}"
headers:
accept: application/json
authorization: Bearer {{ hetzner_authentication_ansible }}
return_content: yes
status_code: 201
when: firewall_records | selectattr("name", "equalto", current_firewall_name) | list | length == 0
delegate_to: 127.0.0.1
become: false
tags:
- update_networks
# TODO port changes are not written corectly
- name: "Updating firewall entry <{{ current_firewall_name }}>"
uri:
method: PUT
url: "https://api.hetzner.cloud/v1/firewalls/{{ firewall_record.id }}"
body_format: json
body: "{{ lookup('template',firewall_template) }}"
headers:
accept: application/json
authorization: Bearer {{ hetzner_authentication_ansible }}
return_content: yes
status_code: 200
when: firewall_records | selectattr("name", "equalto", current_firewall_name) | list | length == 1
delegate_to: 127.0.0.1
become: false
tags:
- update_networks

13
roles/hcloud/tasks/main.yml
Unescape Escape View File

@ -50,19 +50,6 @@
when: when:
- debug - debug
#- name: "Checking present state for firewalls"
# include_tasks: configure-firewall.yml
# vars:
# current_firewall_name: '{{ current_firewall }}'
# with_items:
# - 'default'
# - 'kibana'
# - 'monitoring'
# loop_control:
# loop_var: current_firewall
# tags:
# - update_networks
- name: "Checking present state for networks: {{ hetzner_networks }}" - name: "Checking present state for networks: {{ hetzner_networks }}"
include_tasks: configure-network.yml include_tasks: configure-network.yml
vars: vars:

Write Preview
Loading…
Cancel
Save