Refactor multinode firewall config

Author: Alex-Welsh

etc/kayobe/environments/ci-multinode/compute.yml

@@ -4,3 +4,26 @@ compute_bootstrap_user: "{{ os_distribution if os_distribution == 'ubuntu' else
 # format.
 compute_lvm_groups:
   - "{{ stackhpc_lvm_group_rootvg }}"
+
+###############################################################################
+# Compute node firewalld configuration.
+
+# Whether to install and enable firewalld.
+compute_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+compute_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case
+# the default zone will not be changed.
+# Predefined zones are listed here:
+# https://firewalld.org/documentation/zone/predefined-zones.html
+compute_firewalld_default_zone: trusted
+
+# A list of firewall rules to apply. Each item is a dict containing
+# arguments to pass to the firewalld module. Arguments are omitted if not
+# provided, with the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+compute_firewalld_rules: "{{ stackhpc_firewalld_rules }}"

etc/kayobe/environments/ci-multinode/controllers.yml

@@ -4,3 +4,27 @@ controller_bootstrap_user: "{{ os_distribution if os_distribution == 'ubuntu' el
 # format.
 controller_lvm_groups:
   - "{{ stackhpc_lvm_group_rootvg }}"
+
+
+###############################################################################
+# Controller node firewalld configuration.
+
+# Whether to install and enable firewalld.
+controller_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+controller_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case
+# the default zone will not be changed.
+# Predefined zones are listed here:
+# https://firewalld.org/documentation/zone/predefined-zones.html
+controller_firewalld_default_zone: trusted
+
+# A list of firewall rules to apply. Each item is a dict containing
+# arguments to pass to the firewalld module. Arguments are omitted if not
+# provided, with the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+controller_firewalld_rules: "{{ stackhpc_firewalld_rules }}"

etc/kayobe/environments/ci-multinode/firewalld.yml

@@ -4,3 +4,26 @@ infra_vm_bootstrap_user: "{{ os_distribution if os_distribution == 'ubuntu' else
 # format.
 infra_vm_lvm_groups:
   - "{{ stackhpc_lvm_group_rootvg }}"
+
+###############################################################################
+# Infrastructure VM node firewalld configuration
+
+# Whether to install and enable firewalld.
+infra_vm_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+infra_vm_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case
+# the default zone will not be changed.
+# Predefined zones are listed here:
+# https://firewalld.org/documentation/zone/predefined-zones.html
+infra_vm_firewalld_default_zone: trusted
+
+# A list of firewall rules to apply. Each item is a dict containing
+# arguments to pass to the firewalld module. Arguments are omitted if not
+# provided, with the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+infra_vm_firewalld_rules: "{{ stackhpc_firewalld_rules }}"

etc/kayobe/environments/ci-multinode/infra-vms.yml

@@ -0,0 +1,23 @@
+---
+###############################################################################
+# monitoring node firewalld configuration.
+
+# Whether to install and enable firewalld.
+monitoring_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+monitoring_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case
+# the default zone will not be changed.
+# Predefined zones are listed here:
+# https://firewalld.org/documentation/zone/predefined-zones.html
+monitoring_firewalld_default_zone: trusted
+
+# A list of firewall rules to apply. Each item is a dict containing
+# arguments to pass to the firewalld module. Arguments are omitted if not
+# provided, with the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+monitoring_firewalld_rules: "{{ stackhpc_firewalld_rules }}"

etc/kayobe/environments/ci-multinode/monitoring.yml

@@ -0,0 +1,23 @@
+---
+###############################################################################
+# seed_hypervisor node firewalld configuration.
+
+# Whether to install and enable firewalld.
+seed_hypervisor_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+seed_hypervisor_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case
+# the default zone will not be changed.
+# Predefined zones are listed here:
+# https://firewalld.org/documentation/zone/predefined-zones.html
+seed_hypervisor_firewalld_default_zone: trusted
+
+# A list of firewall rules to apply. Each item is a dict containing
+# arguments to pass to the firewalld module. Arguments are omitted if not
+# provided, with the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+seed_hypervisor_firewalld_rules: "{{ stackhpc_firewalld_rules }}"

etc/kayobe/environments/ci-multinode/seed-hypervisor.yml

@@ -27,3 +27,26 @@ snat_rules_manila:
     source_ip: "{{ ansible_facts[storage_interface].ipv4.address | default }}"
 # Only add the storage snat rule if we are using manila-cephfs.
 snat_rules: "{{ snat_rules_default + snat_rules_manila if (kolla_enable_manila | bool and kolla_enable_manila_backend_cephfs_native | bool) else snat_rules_default }}"
+
+###############################################################################
+# seed node firewalld configuration.
+
+# Whether to install and enable firewalld.
+seed_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+seed_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case
+# the default zone will not be changed.
+# Predefined zones are listed here:
+# https://firewalld.org/documentation/zone/predefined-zones.html
+seed_firewalld_default_zone: trusted
+
+# A list of firewall rules to apply. Each item is a dict containing
+# arguments to pass to the firewalld module. Arguments are omitted if not
+# provided, with the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+seed_firewalld_rules: "{{ stackhpc_firewalld_rules }}"

etc/kayobe/environments/ci-multinode/seed.yml

@@ -4,3 +4,26 @@ storage_bootstrap_user: "{{ os_distribution if os_distribution == 'ubuntu' else
 # format.
 storage_lvm_groups:
   - "{{ stackhpc_lvm_group_rootvg }}"
+
+###############################################################################
+# storage node firewalld configuration.
+
+# Whether to install and enable firewalld.
+storage_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+storage_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case
+# the default zone will not be changed.
+# Predefined zones are listed here:
+# https://firewalld.org/documentation/zone/predefined-zones.html
+storage_firewalld_default_zone: trusted
+
+# A list of firewall rules to apply. Each item is a dict containing
+# arguments to pass to the firewalld module. Arguments are omitted if not
+# provided, with the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+storage_firewalld_rules: "{{ stackhpc_firewalld_rules }}"