infra: refact dashboard firewall rules

- There is no need to open ports 3000, 8234, 9283 on all nodes.
- Add missing rule for alertmanager (port 9093)

Closes: #4023

Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
(cherry picked from commit 14f5fc3c86)
pull/4169/head
Guillaume Abrioux 2019-05-22 16:31:21 +02:00 committed by Dimitri Savineau
parent 28e1ce0d8c
commit df0d146166
1 changed files with 35 additions and 11 deletions

View File

@ -155,18 +155,19 @@
- iscsi_gw_group_name in group_names
tags: firewall
- block:
- name: open grafana port
firewalld:
port: "3000/tcp"
zone: "{{ ceph_dashboard_firewall_zone }}"
permanent: true
immediate: true
state: enabled
- name: open node_exporter port
firewalld:
port: "9100/tcp"
zone: "{{ ceph_dashboard_firewall_zone }}"
permanent: true
immediate: true
state: enabled
when: dashboard_enabled | bool
- name: open node_exporter port
- block:
- name: open dashboard port
firewalld:
port: "9100/tcp"
port: "{{ dashboard_port }}/tcp"
zone: "{{ ceph_dashboard_firewall_zone }}"
permanent: true
immediate: true
@ -179,6 +180,19 @@
permanent: true
immediate: true
state: enabled
when:
- dashboard_enabled | bool
- mgr_group_name is defined
- mgr_group_name in group_names
- block:
- name: open grafana port
firewalld:
port: "3000/tcp"
zone: "{{ ceph_dashboard_firewall_zone }}"
permanent: true
immediate: true
state: enabled
- name: open dashboard port
firewalld:
@ -187,7 +201,17 @@
permanent: true
immediate: true
state: enabled
when: dashboard_enabled
- name: open alertmanager port
firewalld:
port: "9093/tcp"
zone: "{{ ceph_dashboard_firewall_zone }}"
permanent: true
immediate: true
state: enabled
when:
- dashboard_enabled | bool
- inventory_hostname in groups.get('grafana-server', [])
- name: open haproxy ports
firewalld: