From 4b31079faed4dd2842bc68027f227f86b9165340 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Wed, 6 Oct 2021 12:53:30 +0100
Subject: [PATCH] firewalld: support infra VMs

Follow-up to Id60e25e129e323f3c07e702bb81a11efc530fb3e: adds support for
firewalld configuration on infra VMs.

Change-Id: Idd1ab982d4bca1cbdb0c4c6041cf3b6c17eae6cb
---
 ansible/firewall.yml                         |  2 +-
 ansible/group_vars/all/infra-vms             | 21 ++++++++++++++++++++
 ansible/group_vars/infra-vms/firewall        | 21 ++++++++++++++++++++
 doc/source/configuration/reference/hosts.rst |  4 ++++
 etc/kayobe/infra-vms.yml                     | 21 ++++++++++++++++++++
 kayobe/cli/commands.py                       |  3 ++-
 kayobe/tests/unit/cli/test_commands.py       |  1 +
 7 files changed, 71 insertions(+), 2 deletions(-)
 create mode 100644 ansible/group_vars/infra-vms/firewall

diff --git a/ansible/firewall.yml b/ansible/firewall.yml
index d099aaa7..c133fb01 100644
--- a/ansible/firewall.yml
+++ b/ansible/firewall.yml
@@ -1,6 +1,6 @@
 ---
 - name: Ensure firewall is configured
-  hosts: seed-hypervisor:seed:overcloud
+  hosts: seed-hypervisor:seed:overcloud:infra-vms
   tags:
     - config
     - firewall
diff --git a/ansible/group_vars/all/infra-vms b/ansible/group_vars/all/infra-vms
index 0d197791..aa9e19e1 100644
--- a/ansible/group_vars/all/infra-vms
+++ b/ansible/group_vars/all/infra-vms
@@ -171,3 +171,24 @@ infra_vm_sysctl_parameters: {}
 # List of users to create. This should be in a format accepted by the
 # singleplatform-eng.users role.
 infra_vm_users: "{{ users_default }}"
+
+###############################################################################
+# Infrastructure VM node firewalld configuration.
+
+# Whether to install and enable firewalld.
+infra_vm_firewalld_enabled: false
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+infra_vm_firewalld_zones: []
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+infra_vm_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+infra_vm_firewalld_rules: []
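Review bot: `infra_vm_firewalld_enabled: false` leaves infra VMs without a Kayobe-managed host firewall by default, and the comment above it only says what `true` does, not what `false` does. Because `false` is the default, an operator hardening these VMs needs to know whether the firewalld role then stops or disables an already-present firewalld, or simply leaves the host untouched; that behaviour is not visible in this patch and deserves a line here and in the mirrored comment in `etc/kayobe/infra-vms.yml`. If the role does not touch the host when disabled, extend the comment to `# Whether to install and enable firewalld. When false, Kayobe does not manage firewalld on the VM and any existing firewall state is left as-is.`; if it actively stops or masks the service, say that instead. Defaulting to `false` mirrors the other host groups, so changing the default is out of scope, but the security trade-off is worth stating where the variable is defined.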
diff --git a/ansible/group_vars/infra-vms/firewall b/ansible/group_vars/infra-vms/firewall
new file mode 100644
index 00000000..089926ec
--- /dev/null
+++ b/ansible/group_vars/infra-vms/firewall
@@ -0,0 +1,21 @@
+---
+###############################################################################
+# Infra VM node firewalld configuration.
+
+# Whether to install and enable firewalld.
+firewalld_enabled: "{{ infra_vm_firewalld_enabled }}"
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+firewalld_zones: "{{ infra_vm_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+firewalld_default_zone: "{{ infra_vm_firewalld_default_zone }}"
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+firewalld_rules: "{{ infra_vm_firewalld_rules }}"
diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst
index de19ab63..1203e6fa 100644
--- a/doc/source/configuration/reference/hosts.rst
+++ b/doc/source/configuration/reference/hosts.rst
@@ -348,6 +348,7 @@ The following variables can be used to set whether to enable firewalld:
 
 * ``seed_hypervisor_firewalld_enabled``
 * ``seed_firewalld_enabled``
+* ``infra_vm_firewalld_enabled``
 * ``compute_firewalld_enabled``
 * ``controller_firewalld_enabled``
 * ``monitoring_firewalld_enabled``
@@ -358,6 +359,7 @@ list of zones to create. Each item is a dict containing a ``zone`` item:
 
 * ``seed_hypervisor_firewalld_zones``
 * ``seed_firewalld_zones``
+* ``infra_vm_firewalld_zones``
 * ``compute_firewalld_zones``
 * ``controller_firewalld_zones``
 * ``monitoring_firewalld_zones``
@@ -368,6 +370,7 @@ unset, in which case the default zone will not be changed:
 
 * ``seed_hypervisor_firewalld_default_zone``
 * ``seed_firewalld_default_zone``
+* ``infra_vm_firewalld_default_zone``
 * ``compute_firewalld_default_zone``
 * ``controller_firewalld_default_zone``
 * ``monitoring_firewalld_default_zone``
@@ -381,6 +384,7 @@ are omitted if not provided, with the following exceptions: ``offline``
 
 * ``seed_hypervisor_firewalld_rules``
 * ``seed_firewalld_rules``
+* ``infra_vm_firewalld_rules``
 * ``compute_firewalld_rules``
 * ``controller_firewalld_rules``
 * ``monitoring_firewalld_rules``
diff --git a/etc/kayobe/infra-vms.yml b/etc/kayobe/infra-vms.yml
index e5762b16..c4dedb8a 100644
--- a/etc/kayobe/infra-vms.yml
+++ b/etc/kayobe/infra-vms.yml
@@ -141,6 +141,27 @@
 # singleplatform-eng.users role.
 #infra_vm_users:
 
+###############################################################################
+# Infrastructure VM node firewalld configuration.
+
+# Whether to install and enable firewalld.
+#infra_vm_firewalld_enabled:
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+#infra_vm_firewalld_zones:
+
+# A firewalld zone to set as the default. Default is unset, in which case the
+# default zone will not be changed.
+#infra_vm_firewalld_default_zone:
+
+# A list of firewall rules to apply. Each item is a dict containing arguments
+# to pass to the firewalld module. Arguments are omitted if not provided, with
+# the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+#infra_vm_firewalld_rules:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
diff --git a/kayobe/cli/commands.py b/kayobe/cli/commands.py
index 71018d81..0ceeb39e 100644
--- a/kayobe/cli/commands.py
+++ b/kayobe/cli/commands.py
@@ -884,6 +884,7 @@ class InfraVMHostConfigure(KayobeAnsibleMixin, VaultMixin,
     * Configure user accounts, group associations, and authorised SSH keys.
     * Disable SELinux.
     * Configure the host's network interfaces.
+    * Configure a firewall.
     * Set sysctl parameters.
     * Disable bootstrap interface configuration.
     * Configure timezone.
@@ -915,7 +916,7 @@ class InfraVMHostConfigure(KayobeAnsibleMixin, VaultMixin,
         if parsed_args.wipe_disks:
             playbooks += _build_playbook_list("wipe-disks")
         playbooks += _build_playbook_list(
-            "users", "dev-tools", "disable-selinux", "network",
+            "users", "dev-tools", "disable-selinux", "network", "firewall",
             "sysctl", "disable-glean", "disable-cloud-init", "time",
             "mdadm", "luks", "lvm", "docker-devicemapper", "docker")
         self.run_kayobe_playbooks(parsed_args, playbooks, limit="infra-vms")
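Review bot: The `firewall` playbook is inserted before `docker` in this list, so any `infra_vm_firewalld_rules` an operator defines are applied before Docker is installed and starts managing its own iptables chains (and, on firewalld hosts, typically its own `docker` zone); rules intended to constrain container traffic may therefore be bypassed or reordered by Docker's own configuration, and neither the docstring bullet nor hosts.rst mentions this. If the position is deliberately chosen to match the seed and overcloud host-configure commands (not visible in this hunk), a one-line comment above the list such as `# Keep playbook order consistent with the seed/overcloud host configure commands.` would stop the next reader from second-guessing it; otherwise consider running `firewall` after `docker` as the final host-level hardening step, with a matching reorder in the unit test. The enclosing `take_action` method starts outside the hunk.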
diff --git a/kayobe/tests/unit/cli/test_commands.py b/kayobe/tests/unit/cli/test_commands.py
index b600ce7a..fb207a56 100644
--- a/kayobe/tests/unit/cli/test_commands.py
+++ b/kayobe/tests/unit/cli/test_commands.py
@@ -1000,6 +1000,7 @@ class TestCase(unittest.TestCase):
                     utils.get_data_files_path(
                         "ansible", "disable-selinux.yml"),
                     utils.get_data_files_path("ansible", "network.yml"),
+                    utils.get_data_files_path("ansible", "firewall.yml"),
                     utils.get_data_files_path("ansible", "sysctl.yml"),
                     utils.get_data_files_path("ansible", "disable-glean.yml"),
                     utils.get_data_files_path(
-- 
GitLab