From df0d146166e3bfa25e1b3de2e6fbd6c2472aee95 Mon Sep 17 00:00:00 2001
From: Guillaume Abrioux
Date: Wed, 22 May 2019 16:31:21 +0200
Subject: [PATCH] infra: refact dashboard firewall rules

- There is no need to open ports 3000, 8234, 9283 on all nodes.
- Add missing rule for alertmanager (port 9093)

Closes: #4023
Signed-off-by: Guillaume Abrioux
(cherry picked from commit 14f5fc3c86bcda875a1b3a989efca4cc9188d93e)
---
 roles/ceph-infra/tasks/configure_firewall.yml | 46 ++++++++++++++-----
 1 file changed, 35 insertions(+), 11 deletions(-)

diff --git a/roles/ceph-infra/tasks/configure_firewall.yml b/roles/ceph-infra/tasks/configure_firewall.yml
index 48a8eb3a1..6a5b855c1 100644
--- a/roles/ceph-infra/tasks/configure_firewall.yml
+++ b/roles/ceph-infra/tasks/configure_firewall.yml
@@ -155,18 +155,19 @@
 - iscsi_gw_group_name in group_names
 tags: firewall
 
- - block:
- - name: open grafana port
- firewalld:
- port: "3000/tcp"
- zone: "{{ ceph_dashboard_firewall_zone }}"
- permanent: true
- immediate: true
- state: enabled
+ - name: open node_exporter port
+ firewalld:
+ port: "9100/tcp"
+ zone: "{{ ceph_dashboard_firewall_zone }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: dashboard_enabled | bool
 
- - name: open node_exporter port
+ - block:
+ - name: open dashboard port
 firewalld:
- port: "9100/tcp"
+ port: "{{ dashboard_port }}/tcp"
 zone: "{{ ceph_dashboard_firewall_zone }}"
 permanent: true
 immediate: true
@@ -179,6 +180,19 @@
 permanent: true
 immediate: true
 state: enabled
+ when:
+ - dashboard_enabled | bool
+ - mgr_group_name is defined
+ - mgr_group_name in group_names
+
+ - block:
+ - name: open grafana port
+ firewalld:
+ port: "3000/tcp"
+ zone: "{{ ceph_dashboard_firewall_zone }}"
+ permanent: true
+ immediate: true
+ state: enabled
 
 - name: open dashboard port
 firewalld:
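Review bot: The new standalone `open node_exporter port` task opens 9100/tcp in `ceph_dashboard_firewall_zone` on every host where `dashboard_enabled` is true, and a plain `port:` entry in firewalld admits any source that reaches that zone, so node_exporter (which serves metrics without authentication by default) becomes reachable zone-wide rather than only from the scraping Prometheus host. If the zone is not already confined to trusted sources, a `rich_rule` scoped to the grafana-server/Prometheus address would narrow this; at minimum the task deserves a comment such as `# 9100/tcp is opened zone-wide on every node; keep ceph_dashboard_firewall_zone restricted to the Prometheus host(s)`. The mgr-only block introduced by the trailing `- block:` in this hunk ends outside it, its `when:` landing in the next hunk.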
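Review bot: The new grafana-server block still carries the pre-existing `open dashboard port` task (only its `name` and `firewalld:` lines are in this hunk; its `port:` line is outside). If that task still opens `{{ dashboard_port }}/tcp`, it duplicates the rule this commit just moved under the mgr block and leaves the dashboard port open on grafana-server hosts, contradicting the commit's stated goal of not opening 8234 on nodes that do not need it; either drop it or rename it to the port it actually opens so the rule set is self-describing. The `when:` that closes this block is in the following hunk, so the block is not fully visible here.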
@@ -187,7 +201,17 @@
 permanent: true
 immediate: true
 state: enabled
- when: dashboard_enabled
+
+ - name: open alertmanager port
+ firewalld:
+ port: "9093/tcp"
+ zone: "{{ ceph_dashboard_firewall_zone }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when:
+ - dashboard_enabled | bool
+ - inventory_hostname in groups.get('grafana-server', [])
 
 - name: open haproxy ports
 firewalld:
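Review bot: The block condition hard-codes the inventory group as `inventory_hostname in groups.get('grafana-server', [])`, whereas the mgr block in the earlier hunk derives membership from `mgr_group_name` guarded by `is defined`; if the role exposes a matching `grafana_server_group_name` variable, the condition should read `- inventory_hostname in groups.get(grafana_server_group_name, [])` so a renamed group does not silently leave 3000 and 9093 closed on the grafana host. Alertmanager's 9093/tcp is also opened to every source in the zone, and its HTTP API has no authentication by default, so the same source-restriction caveat applies as for the other dashboard ports; a short comment on the task noting that expectation would help operators tuning `ceph_dashboard_firewall_zone`.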