ASDPLNG-38 Add ncsa/puppet-profile_firewall to control_repo

Add v1.0.2 of ncsa/puppet-profile_firewall Update puppetlabs/firewall from 2.5.0 to 3.0.0 Add data/role/puppet-master.yaml to set profile_firewall::ignores heira data so that docker firewall rules are not removed from puppet masters Include profile_firewall in base.pp
2021-03-11 11:52:53 -07:00 · 2021-03-11 11:52:53 -07:00 · 5f67b1f0c8
commit 5f67b1f0c8
parent f092060060
3 changed files with 16 additions and 3 deletions
--- a/5
+++ b/5
@ -16,7 +16,7 @@ mod 'ncsa/profile_allow_ssh_from_bastion', tag: 'v0.2.1', git: 'https://github.c
 # mod 'ncsa/profile_chrony', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_chrony'
 mod 'ncsa/profile_dns_cache', tag: 'v1.0.0', git: 'https://github.com/ncsa/puppet-profile_dns_cache'
 # mod 'ncsa/profile_email', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_email'
-mod 'ncsa/profile_firewall', tag: 'v1.0.1', git: 'https://github.com/ncsa/puppet-profile_firewall'
+mod 'ncsa/profile_firewall', tag: 'v1.0.2', git: 'https://github.com/ncsa/puppet-profile_firewall'
 mod 'ncsa/profile_monitoring', tag: 'v0.1.5', git: 'https://github.com/ncsa/puppet-profile_monitoring'
 mod 'ncsa/profile_motd', tag: 'v0.1.0', git: 'https://github.com/ncsa/puppet-profile_motd'
 mod 'ncsa/profile_pam_access', tag: 'v0.0.4', git: 'https://github.com/ncsa/puppet-profile_pam_access'
@ -33,8 +33,7 @@ mod 'ncsa/telegraf', tag: 'v3.1.1', git: 'https://github.com/ncsa/puppet-telegra
 # mod 'puppet/rsyslog', '5.0.1'
 # mod 'puppetlabs/apt', '7.3.0'
 mod 'puppetlabs/concat', '6.4.0'
-mod 'puppetlabs/firewall', '2.5.0'
-#mod 'puppetlabs-firewall', '2.8.0'
+mod 'puppetlabs/firewall', '3.0.0'
 # mod 'puppetlabs/inifile', '4.1.0'
 # mod 'puppetlabs/mailalias_core', '1.0.6'
 mod 'puppetlabs/stdlib', '6.3.0'
--- a/data/role/puppet_master.yaml
+++ b/data/role/puppet_master.yaml
@ -0,0 +1,13 @@
+---
+profile_firewall::ignores:
+  DOCKER:filter:IPv4: "*"
+  DOCKER-ISOLATION-STAGE-1:filter:IPv4: "*"
+  DOCKER-ISOLATION-STAGE-2:filter:IPv4: "*"
+  DOCKER-USER:filter:IPv4: "*"
+  FORWARD:filter:IPv4: ["docker", "DOCKER", "-o"]
+  DOCKER:nat:IPv4: "*"
+  PREROUTING:nat:IPv4: "-m addrtype --dst-type LOCAL -j DOCKER"
+  POSTROUTING:nat:IPv4: ["172.17", "172.18", "172.19"]
+  OUTPUT:nat:IPv4: "-d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER"
+
+profile_firewall::purge_all: false
--- a/site-modules/profile/manifests/base.pp
+++ b/site-modules/profile/manifests/base.pp
@ -6,6 +6,7 @@ class profile::base {
  include ::profile_allow_ssh_from_bastion
  include ::profile_dns_cache
 #  include ::profile_email
+  include ::profile_firewall
  include ::profile_monitoring
  include ::profile_motd
  include ::profile_pam_access