MOB-28: added firewall whitelist for mobene - keycloak

4 years ago · fec11415bc
parent 7d7dbcf622
commit fec11415bc
4 changed files with 213 additions and 188 deletions
--- a/group_vars/all/firewall.yml
+++ b/group_vars/all/firewall.yml
@ -0,0 +1,202 @@
+---
+hcloud_firewall_objects:
+   -
+     name: "{{ stage }}-default"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: icmp
+        port: ''
+        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+        destination_ips: []
+        description: ICMP allowed
+     -
+        direction: in
+        protocol: tcp
+        port: '22'
+        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+        destination_ips: []
+        description: SSH allowed
+     -
+        direction: in
+        protocol: tcp
+        port: '80'
+        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+        destination_ips: []
+        description: HTTP allowed
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+        destination_ips: []
+        description: HTTPS allowed
+     -
+        direction: in
+        protocol: tcp
+        port: 'any'
+        source_ips: '{{ ip_whitelist_admins }}'
+        destination_ips: []
+        description: TCP - allow work from home without VPN
+     -
+        direction: in
+        protocol: udp
+        port: 'any'
+        source_ips: '{{ ip_whitelist_admins }}'
+        destination_ips: []
+        description: UDP - allow work from home without VPN
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }}'
+   -
+     name: "{{ stage }}-monitoring"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '9080-9085'
+        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+        destination_ips: []
+        description: 'Server/Service Monitoring'
+     -
+        direction: in
+        protocol: tcp
+        port: '9001'
+        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+        destination_ips: []
+        description: 'PgAdmin'
+     -
+        direction: in
+        protocol: tcp
+        port: '9187'
+        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+        destination_ips: []
+        description: 'Postgres-Exporter'
+     -
+        direction: in
+        protocol: tcp
+        port: '80'
+        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
+        destination_ips: []
+        description: 'AWX'
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }}'
+   -
+     name: "{{ stage }}-monitoring-extern-https"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips:
+         - "{{ lookup('community.general.dig', 'dev-blackbox-01.smardigo.digital' ) }}/32"
+        destination_ips: []
+        description: null
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'service=connect'
+     -
+       type: label_selector
+       label_selector:
+         selector: 'service=keycloak'
+
+hcloud_firewall_objects_awx:
+   -
+     name: "{{ stage }}-awx-ssh-access-for-k8s-nodes"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '22'
+        source_ips: "{{ src_ips }}"
+        destination_ips: []
+        description: null
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'stage={{ stage }}'
+   -
+     name: "{{ stage }}-awx-access-SMA-mgmt-instance"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ src_ips }}"
+        destination_ips: []
+        description: null
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'service=connect,tenant=management'
+   -
+     name: "{{ stage }}-awx-access-443-SMA-peripheral-instances"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ src_ips }}"
+        destination_ips: []
+        description: null
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'service=gitea'
+     -
+       type: label_selector
+       label_selector:
+         selector: 'service=kibana'
+
+hcloud_firewall_objects_backup:
+   -
+     name: "{{ stage }}-backup-ssh-access"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '22'
+        source_ips:
+          - "{{ offsite_storage_server_ip }}"
+        destination_ips: []
+        description: null
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'service=backup'
+
+hcloud_firewall_objects_keycloak:
+   -
+     name: "{{ stage }}-access-to-keycloak"
+     state: present
+     rules:
+     -
+        direction: in
+        protocol: tcp
+        port: '443'
+        source_ips: "{{ ip_whitelist + (keycloak_https_whitelisted_ips | default([])) }}"
+        destination_ips: []
+        description: null
+     apply_to:
+     -
+       type: label_selector
+       label_selector:
+         selector: 'service=keycloak'
--- a/group_vars/all/plain.yml
+++ b/group_vars/all/plain.yml
@ -200,117 +200,6 @@ kubernetes_prometheus_endpoint: "{{ stage }}-kube-prometheus.{{ domain }}"
 get_current_date: "{{ lookup('pipe','date +%Y-%m-%d') }}"
 get_current_date_time: "{{ lookup('pipe','date +%Y-%m-%d_%H:%M') }}"

-hcloud_firewall_objects:
-   -
-     name: "{{ stage }}-default"
-     state: present
-     rules:
-     -
-        direction: in
-        protocol: icmp
-        port: ''
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: ICMP allowed
-     -
-        direction: in
-        protocol: tcp
-        port: '22'
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: SSH allowed
-     -
-        direction: in
-        protocol: tcp
-        port: '80'
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: HTTP allowed
-     -
-        direction: in
-        protocol: tcp
-        port: '443'
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: HTTPS allowed
-     -
-        direction: in
-        protocol: tcp
-        port: 'any'
-        source_ips: '{{ ip_whitelist_admins }}'
-        destination_ips: []
-        description: TCP - allow work from home without VPN
-     -
-        direction: in
-        protocol: udp
-        port: 'any'
-        source_ips: '{{ ip_whitelist_admins }}'
-        destination_ips: []
-        description: UDP - allow work from home without VPN
-     apply_to:
-     -
-       type: label_selector
-       label_selector:
-         selector: 'stage={{ stage }}'
-   -
-     name: "{{ stage }}-monitoring"
-     state: present
-     rules:
-     -
-        direction: in
-        protocol: tcp
-        port: '9080-9085'
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: 'Server/Service Monitoring'
-     -
-        direction: in
-        protocol: tcp
-        port: '9001'
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: 'PgAdmin'
-     -
-        direction: in
-        protocol: tcp
-        port: '9187'
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: 'Postgres-Exporter'
-     -
-        direction: in
-        protocol: tcp
-        port: '80'
-        source_ips: '{{ ip_whitelist + ip_whitelist_admins }}'
-        destination_ips: []
-        description: 'AWX'
-     apply_to:
-     -
-       type: label_selector
-       label_selector:
-         selector: 'stage={{ stage }}'
-   -
-     name: "{{ stage }}-monitoring-extern-https"
-     state: present
-     rules:
-     -
-        direction: in
-        protocol: tcp
-        port: '443'
-        source_ips:
-         - "{{ lookup('community.general.dig', 'dev-blackbox-01.smardigo.digital' ) }}/32"
-        destination_ips: []
-        description: null
-     apply_to:
-     -
-       type: label_selector
-       label_selector:
-         selector: 'service=connect'
-     -
-       type: label_selector
-       label_selector:
-         selector: 'service=keycloak'
-
 hetzner_authentication_ansible: "{{ hetzner_authentication_ansible_vault }}"
 hetzner_authentication_ccm: "{{ hetzner_authentication_ccm_vault }}"
 hetzner_authentication_csi: "{{ hetzner_authentication_csi_vault }}"
@ -318,80 +207,3 @@ hetzner_authentication_csi: "{{ hetzner_authentication_csi_vault }}"
 k8s_basic_services:
  - kubelet
  - containerd
-
-hcloud_firewall_objects_awx:
-   -
-     name: "{{ stage }}-awx-ssh-access-for-k8s-nodes"
-     state: present
-     rules:
-     -
-        direction: in
-        protocol: tcp
-        port: '22'
-        source_ips: "{{ src_ips }}"
-        destination_ips: []
-        description: null
-     apply_to:
-     -
-       type: label_selector
-       label_selector:
-         selector: 'stage={{ stage }}'
-   -
-     name: "{{ stage }}-awx-access-SMA-mgmt-instance"
-     state: present
-     rules:
-     -
-        direction: in
-        protocol: tcp
-        port: '443'
-        source_ips: "{{ src_ips }}"
-        destination_ips: []
-        description: null
-     apply_to:
-     -
-       type: label_selector
-       label_selector:
-         selector: 'service=connect,tenant=management'
-   -
-     name: "{{ stage }}-awx-access-443-SMA-peripheral-instances"
-     state: present
-     rules:
-     -
-        direction: in
-        protocol: tcp
-        port: '443'
-        source_ips: "{{ src_ips }}"
-        destination_ips: []
-        description: null
-     apply_to:
-     -
-       type: label_selector
-       label_selector:
-         selector: 'service=gitea'
-     -
-       type: label_selector
-       label_selector:
-         selector: 'service=keycloak'
-     -
-       type: label_selector
-       label_selector:
-         selector: 'service=kibana'
-
-hcloud_firewall_objects_backup:
-   -
-     name: "{{ stage }}-backup-ssh-access"
-     state: present
-     rules:
-     -
-        direction: in
-        protocol: tcp
-        port: '22'
-        source_ips:
-          - "{{ offsite_storage_server_ip }}"
-        destination_ips: []
-        description: null
-     apply_to:
-     -
-       type: label_selector
-       label_selector:
-         selector: 'service=backup'
--- a/group_vars/stage_prodnso/keycloak.yml
+++ b/group_vars/stage_prodnso/keycloak.yml
@ -0,0 +1,3 @@
+keycloak_https_whitelisted_ips:
+  - 92.42.192.157/32
+  - 80.128.167.83/32
--- a/hcloud_firewall.yml
+++ b/hcloud_firewall.yml
@ -88,3 +88,11 @@
      loop: "{{ hcloud_firewall_objects_backup }}"
      loop_control:
        loop_var: firewall_object
+
+    - name: "Setup hcloud firewalls for keycloak"
+      include_role:
+        name: hcloud
+        tasks_from: configure-firewall2
+      loop: "{{ hcloud_firewall_objects_keycloak }}"
+      loop_control:
+        loop_var: firewall_object