Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix some lints and firewalld policies #323

Closed
wants to merge 1 commit into from
Closed

Fix some lints and firewalld policies #323

wants to merge 1 commit into from

Conversation

psztoch
Copy link

@psztoch psztoch commented Apr 4, 2024

Linked Issues

Partially close #321

@dereknola
Copy link
Member

You will need to sign all commits submitted. See https://github.com/k3s-io/k3s-ansible/pull/323/checks?check_run_id=23445098776

dereknola
dereknola requested changes Apr 4, 2024
View reviewed changes
roles/prereq/tasks/main.yml Outdated Show resolved Hide resolved
vrsarin
vrsarin suggested changes Apr 4, 2024
View reviewed changes
Copy link
Contributor

@vrsarin vrsarin left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please take a look at my suggestions. We can default them but allow the end user to modify them.

roles/prereq/tasks/main.yml Outdated
@@ -73,7 +73,7 @@
- name: If firewalld enabled, open api port
ansible.posix.firewalld:
port: "{{ api_port }}/tcp"
zone: trusted
zone: internal
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should it not be a variable that is managed by the user?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vrsarin Do you mean fw zone for inter-node traffic?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I am right, Linux allows the creation of a custom zone, which could be different from an OS-defined zone.

Do you know if hardcoding will benefit you here?

Today, you want to change it to internal. Tomorrow, I may want to revert back to trusted or my custom zone.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

New ansible role config option is added.

roles/prereq/tasks/main.yml
state: enabled
permanent: true
immediate: true
with_items:
- 8472/udp
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should these be left for the user to provide?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the internal zone, only the nodes would be added. It is not a big risk to open ports to different network backends. I believe this will generate less hassle for users.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, agreed, The user can manage adding or removing ports in a separate task.

@psztoch
Fix some ansible-lints and firewalld
c5a5b9e 
Fix playbooks folder name according to the ansible collection scheme...
Refactor firewalld policy

Signed-off-by: Przemyslaw Sztoch <[email protected]>
@psztoch psztoch requested a review from dereknola April 5, 2024 08:33
dereknola
dereknola requested changes Apr 8, 2024
View reviewed changes
roles/prereq/defaults/main.yml
Comment on lines +8 to +11
# List of public services
k3s_firewalld_public_ports:
- 80/tcp
- 443/tcp
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

K3s does not require any public ports to function, so we should not have any set as default. Only user provided ports will be opened.

Suggested change
# List of public services
k3s_firewalld_public_ports:
- 80/tcp
- 443/tcp
# List of public services
k3s_firewalld_public_ports: []

@dereknola
Copy link
Member

@psztoch Did you still want to handle this PR, or are you going to just carry patches in your fork?

@laszlojau laszlojau mentioned this pull request May 27, 2024
Merged
@dereknola
Copy link
Member

Closing in favor of #329 and #326

@dereknola dereknola closed this May 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vrsarin vrsarin vrsarin requested changes

@dereknola dereknola dereknola requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ansible lint, playbooks folder, and firewalld
3 participants
@psztoch @dereknola @vrsarin