infra: refact dashboard firewall rules

- There is no need to open ports 3000, 8234, 9283 on all nodes. - Add missing rule for alertmanager (port 9093) Closes: #4023 Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
2019-05-22 16:31:21 +02:00 · 2019-05-22 16:31:21 +02:00 · 14f5fc3c86
parent a2b6f44665
commit 14f5fc3c86
1 changed files with 35 additions and 11 deletions
--- a/roles/ceph-infra/tasks/configure_firewall.yml
+++ b/roles/ceph-infra/tasks/configure_firewall.yml
@ -155,18 +155,19 @@
      - iscsi_gw_group_name in group_names
    tags: firewall
-  - block:
+  - name: open node_exporter port
-      - name: open grafana port
+    firewalld:
-        firewalld:
+      port: "9100/tcp"
-          port: "3000/tcp"
+      zone: "{{ ceph_dashboard_firewall_zone }}"
-          zone: "{{ ceph_dashboard_firewall_zone }}"
+      permanent: true
-          permanent: true
+      immediate: true
-          immediate: true
+      state: enabled
-          state: enabled
+    when: dashboard_enabled | bool
-      - name: open node_exporter port
+  - block:
      - name: open dashboard port
        firewalld:
-          port: "9100/tcp"
+          port: "{{ dashboard_port }}/tcp"
          zone: "{{ ceph_dashboard_firewall_zone }}"
          permanent: true
          immediate: true
@ -179,6 +180,19 @@
          permanent: true
          immediate: true
          state: enabled
    when:
      - dashboard_enabled | bool
      - mgr_group_name is defined
      - mgr_group_name in group_names
  - block:
      - name: open grafana port
        firewalld:
          port: "3000/tcp"
          zone: "{{ ceph_dashboard_firewall_zone }}"
          permanent: true
          immediate: true
          state: enabled
      - name: open dashboard port
        firewalld:
@ -187,6 +201,16 @@
          permanent: true
          immediate: true
          state: enabled
-    when: dashboard_enabled
+
      - name: open alertmanager port
        firewalld:
          port: "9093/tcp"
          zone: "{{ ceph_dashboard_firewall_zone }}"
          permanent: true
          immediate: true
          state: enabled
    when:
      - dashboard_enabled | bool
      - inventory_hostname in groups.get('grafana-server', [])
 - meta: flush_handlers