Address firewall config review comments

Author: Alex-Welsh

doc/source/configuration/firewall.rst

@@ -239,6 +239,9 @@ API network:
    enable_external_api_firewalld: true
    external_api_firewalld_zone: "{{ public_net_name | net_zone }}"
 
+Network configuration
+---------------------
+
 Ensure every network in ``networks.yml`` has a zone defined. The standard
 configuration is to set the internal network zone to ``trusted`` and every
 other zone to the name of the network. See
@@ -253,20 +256,29 @@ The variable is a list of firewall rules to apply. Each item is a dictionary
 containing arguments to pass to the firewalld module. The variable can be
 defined as a group var or host var in the kayobe inventory.
 
-The example below would enable SSH on the ``provision_oc`` network, and disable
-UDP port 1000 on the ``admin_oc`` network for the Wazuh manager Infrastructure
+The structure of custom rules is different from the default rules. Custom rules
+use the firewalld Ansible module format. Arguments are omitted if not provided,
+with the following exceptions:
+
+* ``offline: true``
+* ``permanent: true``
+* ``state: enabled``
+
+The main differences are that the ``zone`` argument is mandatory, and the
+``network`` argument is not.
+
+The example below would enable SSH in the ``provision_oc`` zone, and disable
+UDP port 1000 in the ``admin_oc`` zone for the Wazuh manager Infrastructure
 VM:
 
 .. code-block:: yaml
    :caption: ``etc/kayobe/inventory/group_vars/wazuh_manager/firewall``
 
    stackhpc_firewalld_rules_extra:
      -  service: ssh
-        network: "{{ provision_oc_net_name }}"
         zone: "{{ provision_oc_net_name | net_zone }}"
         state: enabled
      -  port: 1000/udp
-        network: "{{ admin_oc_net_name }}"
         zone: "{{ admin_oc_net_name | net_zone }}"
         state: disabled
 
@@ -275,23 +287,6 @@ validated before being applied. Use with caution. If you need to add a custom
 rule, consider adding it to the default rule list with an appropriate boolean
 condition, and where possible merge your changes back into upstream SKC.
 
-Kolla-Ansible configuration
----------------------------
-
-Ensure Kolla Ansible opens up ports in firewalld for services on the public
-API network:
-
-.. code-block:: yaml
-   :caption: ``etc/kayobe/kolla/globals.yml``
-
-   enable_external_api_firewalld: true
-   external_api_firewalld_zone: "{{ public_net_name | net_zone }}"
-
-Ensure every network in ``networks.yml`` has a zone defined. The standard
-configuration is to set the internal network zone to ``trusted`` and every
-other zone to the name of the network. See
-``etc/kayobe/environments/ci-multinode/networks.yml`` for a practical example.
-
 Validation
 ----------
 

doc/source/configuration/index.rst

@@ -8,17 +8,17 @@ the various features provided.
 .. toctree::
    :maxdepth: 1
 
-   walled-garden
    release-train
    host-images
    lvm
    swap
    cephadm
    monitoring
-   wazuh
    vault
+   wazuh
+   walled-garden
+   security-hardening
+   firewall
    magnum-capi
    ci-cd
-   security-hardening
    cloudkitty
-   firewall

etc/kayobe/inventory/group_vars/all/firewall

@@ -66,7 +66,7 @@ stackhpc_firewalld_rules_template: |
   {{ stackhpc_common_firewalld_rules_template +
      (stackhpc_controller_firewalld_rules_template if 'controllers' in group_names else []) +
      (stackhpc_compute_firewalld_rules_template if 'compute' in group_names else []) +
-     (stackhpc_storage_firewalld_rules_template if 'storage' in group_names else []) +
+     (stackhpc_ceph_firewalld_rules_template if 'ceph' in group_names else []) +
      (stackhpc_monitoring_firewalld_rules_template if 'monitoring' in group_names else []) +
      (stackhpc_seed_firewalld_rules_template if 'seed' in group_names else []) +
      (stackhpc_seed_hypervisor_firewalld_rules_template if 'seed-hypervisor' in group_names else []) +
@@ -209,9 +209,9 @@ stackhpc_compute_firewalld_rules_template:
     enabled: "{{ ('vxlan' in (kolla_neutron_ml2_type_drivers + kolla_neutron_ml2_tenant_network_types)) | bool }}"
 
 ###############################################################################
-# Storage firewalld rules
+# Ceph firewalld rules
 
-stackhpc_storage_firewalld_rules_template:
+stackhpc_ceph_firewalld_rules_template:
   # Ceph Prometheus exporter
   - rules:
       - port: 9283/tcp
@@ -251,7 +251,7 @@ stackhpc_wazuh_manager_infra_vm_firewalld_rules_template:
         network: "{{ provision_oc_net_name }}"
         state: enabled
       - port: 443/tcp
-        network: "{{ public_net_name }}"
+        network: "{{ wazuh_dashboard_net_name | default(provision_oc_net_name) }}"
         state: enabled
       - port: 9200/tcp
         network: "{{ provision_oc_net_name }}"