use firewall 8

- remove `firewall6-` prefix from Firewall collectors - add datacenter prefix for haproxy Firewall collector - delete all `firewall6-` `@@firewall` exports
mlibrary · Nov 6, 2024 · d5eaf52 · d5eaf52
1 parent e36efdf
commit d5eaf52
Show file tree

Hide file tree

Showing 9 changed files with 9 additions and 85 deletions.
diff --git a/manifests/profile/haproxy.pp b/manifests/profile/haproxy.pp
@@ -139,15 +139,6 @@
     tag    => "${::datacenter}_haproxy"
   }
 
-  @@firewall { "200 HTTP firewall6: HAProxy ${::hostname}":
-    proto  => 'tcp',
-    dport  => [80, 443],
-    source => $::ipaddress,
-    state  => 'NEW',
-    action => 'accept',
-    tag    => 'firewall6-haproxy'
-  }
-
   # HAProxy should listen for kubernetes connections.
   nebula::exposed_port { '200 kubectl':
     port  => 6443,

diff --git a/manifests/profile/networking/firewall/http.pp b/manifests/profile/networking/firewall/http.pp
@@ -14,7 +14,7 @@
 # @example
 #   include nebula::profile::networking::firewall::http
 class nebula::profile::networking::firewall::http () {
-  Firewall <<| tag == 'firewall6-haproxy' |>>
+  Firewall <<| tag == "${::datacenter}_haproxy" |>>
 }
 
 
diff --git a/manifests/profile/prometheus.pp b/manifests/profile/prometheus.pp
@@ -243,18 +243,6 @@
         tag   => "${::datacenter}_prometheus_public_ipmi_exporter",
         dport => 9290,
       ;
-
-      "010 prometheus public node exporter firewall6 ${::hostname} ${address}":
-        tag    => "firewall6-${::datacenter}_prometheus_public_node_exporter",
-        dport  => 9100,
-        action => 'accept',
-      ;
-
-      "010 prometheus public ipmi exporter firewall6 ${::hostname} ${address}":
-        tag    => "firewall6-${::datacenter}_prometheus_public_ipmi_exporter",
-        dport  => 9290,
-        action => 'accept',
-      ;
     }
   }
 
@@ -277,25 +265,6 @@
         dport => 9290,
       ;
     }
-
-    @@firewall {
-      default:
-        proto  => 'tcp',
-        source => $address,
-        state  => 'NEW',
-        action => 'accept',
-      ;
-
-      "010 prometheus firewall6 private node exporter ${::hostname} ${address}":
-        tag   => "firewall6-${::datacenter}_prometheus_private_node_exporter",
-        dport => 9100,
-      ;
-
-      "010 prometheus firewall6 private ipmi exporter ${::hostname} ${address}":
-        tag   => "firewall6-${::datacenter}_prometheus_private_ipmi_exporter",
-        dport => 9290,
-      ;
-    }
   }
 
   @@firewall { "010 prometheus haproxy exporter ${::hostname}":
@@ -307,15 +276,6 @@
     jump   => 'accept',
   }
 
-  @@firewall { "010 prometheus firewall6 haproxy exporter ${::hostname}":
-    tag    => "firewall6-${::datacenter}_prometheus_haproxy_exporter",
-    proto  => 'tcp',
-    dport  => 9101,
-    source => $::ipaddress,
-    state  => 'NEW',
-    action => 'accept',
-  }
-
   @@firewall { "010 prometheus mysql exporter ${::hostname}":
     tag    => "${::datacenter}_prometheus_mysql_exporter",
     proto  => 'tcp',
@@ -325,14 +285,5 @@
     jump   => 'accept',
   }
 
-  @@firewall { "010 prometheus firewall6 mysql exporter ${::hostname}":
-    tag    => "firewall6-${::datacenter}_prometheus_mysql_exporter",
-    proto  => 'tcp',
-    dport  => 9104,
-    source => $::ipaddress,
-    state  => 'NEW',
-    action => 'accept',
-  }
-
-  Firewall <<| tag == "firewall6-${::datacenter}_pushgateway_node" |>>
+  Firewall <<| tag == "${::datacenter}_pushgateway_node" |>>
 }
diff --git a/manifests/profile/prometheus/exporter/haproxy.pp b/manifests/profile/prometheus/exporter/haproxy.pp
@@ -32,6 +32,6 @@
     content => template('nebula/profile/prometheus/exporter/haproxy/target.yaml.erb')
   }
 
-  Firewall <<| tag == "firewall6-${::datacenter}_prometheus_haproxy_exporter" |>>
+  Firewall <<| tag == "${::datacenter}_prometheus_haproxy_exporter" |>>
 
 }
diff --git a/manifests/profile/prometheus/exporter/ipmi.pp b/manifests/profile/prometheus/exporter/ipmi.pp
@@ -33,10 +33,10 @@
       fail('Host cannot be scraped without a public or private IP address')
     } elsif $all_private_addresses != [] {
       $ipaddress = $all_private_addresses[0]
-      Firewall <<| tag == "firewall6-${::datacenter}_prometheus_private_ipmi_exporter" |>>
+      Firewall <<| tag == "${::datacenter}_prometheus_private_ipmi_exporter" |>>
     } else {
       $ipaddress = $all_public_addresses[0]
-      Firewall <<| tag == "firewall6-${::datacenter}_prometheus_public_ipmi_exporter" |>>
+      Firewall <<| tag == "${::datacenter}_prometheus_public_ipmi_exporter" |>>
     }
 
     @@concat_fragment { "prometheus ipmi scrape config ${::hostname}":

diff --git a/manifests/profile/prometheus/exporter/mysql.pp b/manifests/profile/prometheus/exporter/mysql.pp
@@ -30,7 +30,7 @@
     content => template('nebula/profile/prometheus/exporter/mysql/target.yaml.erb')
   }
 
-  Firewall <<| tag == "firewall6-${::datacenter}_prometheus_mysql_exporter" |>>
+  Firewall <<| tag == "${::datacenter}_prometheus_mysql_exporter" |>>
 
   $role = lookup_role()
 

diff --git a/manifests/profile/prometheus/exporter/node.pp b/manifests/profile/prometheus/exporter/node.pp
@@ -139,11 +139,11 @@
     fail("${datacenter} host cannot be scraped by ${monitoring_datacenter} prometheus server without a public IP address")
   } elsif $all_private_addresses != [] and $monitoring_datacenter == $datacenter {
     $ipaddresses = $all_private_addresses
-    Firewall <<| tag == "firewall6-${monitoring_datacenter}_prometheus_private_node_exporter" |>>
+    Firewall <<| tag == "${monitoring_datacenter}_prometheus_private_node_exporter" |>>
     Concat_fragment <<| title == "02 pushgateway advanced private url ${monitoring_datacenter}" |>>
   } else {
     $ipaddresses = $all_public_addresses
-    Firewall <<| tag == "firewall6-${monitoring_datacenter}_prometheus_public_node_exporter" |>>
+    Firewall <<| tag == "${monitoring_datacenter}_prometheus_public_node_exporter" |>>
     Concat_fragment <<| title == "02 pushgateway advanced public url ${monitoring_datacenter}" |>>
   }
 
@@ -157,15 +157,6 @@
       state  => 'NEW',
       jump   => 'accept',
     }
-
-    @@firewall { "300 pushgateway firewall6 ${::hostname} ${address}":
-      tag    => "firewall6-${monitoring_datacenter}_pushgateway_node",
-      proto  => 'tcp',
-      dport  => 9091,
-      source => $address,
-      state  => 'NEW',
-      action => 'accept',
-    }
   }
 
   ensure_packages(['curl', 'jq'])

diff --git a/manifests/unison/client.pp b/manifests/unison/client.pp
@@ -42,13 +42,4 @@
     jump   => 'accept',
     tag    =>  "unison-client-${title}"
   }
-
-  @@firewall { "200 Unison firewall6: ${title} ${::hostname}":
-    proto  => 'tcp',
-    dport  => [$port],
-    source => $::ipaddress,
-    state  => 'NEW',
-    action => 'accept',
-    tag    =>  "firewall6-unison-client-${title}"
-  }
 }
diff --git a/manifests/unison/server.pp b/manifests/unison/server.pp
@@ -33,6 +33,6 @@
     filesystems => $filesystems
   }
 
-  Firewall <<| tag == "firewall6-unison-client-${title}" |>>
+  Firewall <<| tag == "unison-client-${title}" |>>
 
 }