diff options
| author | Michael Gugino <mgugino@redhat.com> | 2017-08-31 18:01:56 -0400 |
|---|---|---|
| committer | Michael Gugino <mgugino@redhat.com> | 2017-09-25 09:40:01 -0400 |
| commit | 82d61ae9e23c2ae1f722ed3b458a6e39721e71fd (patch) | |
| tree | 54b79f1033aa3d210597e285e1346239ce7fad86 /roles/openshift_hosted/tasks/firewall.yml | |
| parent | c390d382a2c1783964179490eec810ee2206fa32 (diff) | |
| download | openshift-82d61ae9e23c2ae1f722ed3b458a6e39721e71fd.tar.gz openshift-82d61ae9e23c2ae1f722ed3b458a6e39721e71fd.tar.bz2 openshift-82d61ae9e23c2ae1f722ed3b458a6e39721e71fd.tar.xz openshift-82d61ae9e23c2ae1f722ed3b458a6e39721e71fd.zip | |
Refactor openshift_hosted plays and role
Currently, openshift_hosted role duplicates some logic
across separate task chains. This commit cleans up
the openshift_hosted role and converts it to be
primarily used with include_role to give better
logic to the playbooks that utilize this role.
This commit also refactors the playbook that calls
various openshift_hosted roles into individual playbooks.
This allows more granularity for advanced users.
Diffstat (limited to 'roles/openshift_hosted/tasks/firewall.yml')
| -rw-r--r-- | roles/openshift_hosted/tasks/firewall.yml | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/roles/openshift_hosted/tasks/firewall.yml b/roles/openshift_hosted/tasks/firewall.yml new file mode 100644 index 000000000..1eb2c92c8 --- /dev/null +++ b/roles/openshift_hosted/tasks/firewall.yml @@ -0,0 +1,40 @@ +--- +- when: r_openshift_hosted_router_firewall_enabled | bool and not r_openshift_hosted_router_use_firewalld | bool + block: + - name: Add iptables allow rules + os_firewall_manage_iptables: + name: "{{ item.service }}" + action: add + protocol: "{{ item.port.split('/')[1] }}" + port: "{{ item.port.split('/')[0] }}" + when: item.cond | default(True) + with_items: "{{ l_openshift_hosted_fw_allow }}" + + - name: Remove iptables rules + os_firewall_manage_iptables: + name: "{{ item.service }}" + action: remove + protocol: "{{ item.port.split('/')[1] }}" + port: "{{ item.port.split('/')[0] }}" + when: item.cond | default(True) + with_items: "{{ l_openshift_hosted_fw_deny }}" + +- when: l_openshift_hosted_firewall_enabled | bool and l_openshift_hosted_use_firewalld | bool + block: + - name: Add firewalld allow rules + firewalld: + port: "{{ item.port }}" + permanent: true + immediate: true + state: enabled + when: item.cond | default(True) + with_items: "{{ l_openshift_hosted_fw_allow }}" + + - name: Remove firewalld allow rules + firewalld: + port: "{{ item.port }}" + permanent: true + immediate: true + state: disabled + when: item.cond | default(True) + with_items: "{{ l_openshift_hosted_fw_deny }}" |