From d5eaf5243c99eb9ee83615780e46535ec80c5f49 Mon Sep 17 00:00:00 2001
From: Ryan Rotter
Date: Wed, 6 Nov 2024 11:53:15 -0500
Subject: [PATCH] use firewall 8

- remove `firewall6-` prefix from Firewall collectors
- add datacenter prefix for haproxy Firewall collector
- delete all `firewall6-` `@@firewall` exports
---
 manifests/profile/haproxy.pp | 9 ----
 manifests/profile/networking/firewall/http.pp | 2 +-
 manifests/profile/prometheus.pp | 51 +------------------
 .../profile/prometheus/exporter/haproxy.pp | 2 +-
 manifests/profile/prometheus/exporter/ipmi.pp | 4 +-
 .../profile/prometheus/exporter/mysql.pp | 2 +-
 manifests/profile/prometheus/exporter/node.pp | 13 +----
 manifests/unison/client.pp | 9 ----
 manifests/unison/server.pp | 2 +-
 9 files changed, 9 insertions(+), 85 deletions(-)
diff --git a/manifests/profile/haproxy.pp b/manifests/profile/haproxy.pp
index 3277bd40f..f2553e623 100644
--- a/manifests/profile/haproxy.pp
+++ b/manifests/profile/haproxy.pp
@@ -139,15 +139,6 @@
 tag => "${::datacenter}_haproxy"
 }
- @@firewall { "200 HTTP firewall6: HAProxy ${::hostname}":
- proto => 'tcp',
- dport => [80, 443],
- source => $::ipaddress,
- state => 'NEW',
- action => 'accept',
- tag => 'firewall6-haproxy'
- }
-
 # HAProxy should listen for kubernetes connections.
 nebula::exposed_port { '200 kubectl':
 port => 6443,
diff --git a/manifests/profile/networking/firewall/http.pp b/manifests/profile/networking/firewall/http.pp
index 7822f52cf..9ec5d71ca 100644
--- a/manifests/profile/networking/firewall/http.pp
+++ b/manifests/profile/networking/firewall/http.pp
@@ -14,7 +14,7 @@
 # @example
 # include nebula::profile::networking::firewall::http
 class nebula::profile::networking::firewall::http () {
- Firewall <<| tag == 'firewall6-haproxy' |>>
+ Firewall <<| tag == "${::datacenter}_haproxy" |>>
 }
diff --git a/manifests/profile/prometheus.pp b/manifests/profile/prometheus.pp
index c7cee274b..61788b971 100644
--- a/manifests/profile/prometheus.pp
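Review bot: In `manifests/profile/networking/firewall/http.pp` the collector moves from the global `'firewall6-haproxy'` tag to `"${::datacenter}_haproxy"`, so a web host now accepts 80/443 only from HAProxy nodes exported in its own datacenter, and that narrowing is not recorded in the class documentation, of which only the `@example` lines are visible in this hunk. I would add `# Collects HTTP/HTTPS accept rules only for HAProxy hosts in this node's datacenter.` above the collector and confirm that no site is fronted by a HAProxy in another datacenter. A related point applies to every retagged collector in this patch (prometheus.pp, the exporter manifests, unison/server.pp): the old `firewall6`-titled accept rules leave the catalog, but they are presumably removed from the running ruleset only where unmanaged rules are purged (for example `resources { 'firewall': purge => true }`), which this patch does not show. Without purging, the cross-datacenter HAProxy rules would stay loaded and the tighter scope would not take effect until the rules are flushed.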
+++ b/manifests/profile/prometheus.pp
@@ -243,18 +243,6 @@
 tag => "${::datacenter}_prometheus_public_ipmi_exporter",
 dport => 9290,
 ;
-
- "010 prometheus public node exporter firewall6 ${::hostname} ${address}":
- tag => "firewall6-${::datacenter}_prometheus_public_node_exporter",
- dport => 9100,
- action => 'accept',
- ;
-
- "010 prometheus public ipmi exporter firewall6 ${::hostname} ${address}":
- tag => "firewall6-${::datacenter}_prometheus_public_ipmi_exporter",
- dport => 9290,
- action => 'accept',
- ;
 }
 }
@@ -277,25 +265,6 @@
 dport => 9290,
 ;
 }
-
- @@firewall {
- default:
- proto => 'tcp',
- source => $address,
- state => 'NEW',
- action => 'accept',
- ;
-
- "010 prometheus firewall6 private node exporter ${::hostname} ${address}":
- tag => "firewall6-${::datacenter}_prometheus_private_node_exporter",
- dport => 9100,
- ;
-
- "010 prometheus firewall6 private ipmi exporter ${::hostname} ${address}":
- tag => "firewall6-${::datacenter}_prometheus_private_ipmi_exporter",
- dport => 9290,
- ;
- }
 }
 @@firewall { "010 prometheus haproxy exporter ${::hostname}":
@@ -307,15 +276,6 @@
 jump => 'accept',
 }
- @@firewall { "010 prometheus firewall6 haproxy exporter ${::hostname}":
- tag => "firewall6-${::datacenter}_prometheus_haproxy_exporter",
- proto => 'tcp',
- dport => 9101,
- source => $::ipaddress,
- state => 'NEW',
- action => 'accept',
- }
-
 @@firewall { "010 prometheus mysql exporter ${::hostname}":
 tag => "${::datacenter}_prometheus_mysql_exporter",
 proto => 'tcp',
@@ -325,14 +285,5 @@
 jump => 'accept',
 }
- @@firewall { "010 prometheus firewall6 mysql exporter ${::hostname}":
- tag => "firewall6-${::datacenter}_prometheus_mysql_exporter",
- proto => 'tcp',
- dport => 9104,
- source => $::ipaddress,
- state => 'NEW',
- action => 'accept',
- }
-
- Firewall <<| tag == "firewall6-${::datacenter}_pushgateway_node" |>>
+ Firewall <<| tag == "${::datacenter}_pushgateway_node" |>>
 }
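Review bot: In the last hunk of `manifests/profile/prometheus.pp`, `Firewall <<| tag == "${::datacenter}_pushgateway_node" |>>` now depends on the retained export in `manifests/profile/prometheus/exporter/node.pp`, whose `tag` lies outside the visible hunk there (only `state`, `jump` and the closing brace appear). A collector that matches nothing raises no error, so if that export is not tagged `"${monitoring_datacenter}_pushgateway_node"` the pushgateway port (9091 in the removed rule) is silently closed to the nodes. A comment beside the collector such as `# matches the @@firewall tagged "${monitoring_datacenter}_pushgateway_node" in prometheus/exporter/node.pp` would keep the two ends tied together.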
diff --git a/manifests/profile/prometheus/exporter/haproxy.pp b/manifests/profile/prometheus/exporter/haproxy.pp
index 771d50a43..b76418185 100644
--- a/manifests/profile/prometheus/exporter/haproxy.pp
+++ b/manifests/profile/prometheus/exporter/haproxy.pp
@@ -32,6 +32,6 @@
 content => template('nebula/profile/prometheus/exporter/haproxy/target.yaml.erb')
 }
- Firewall <<| tag == "firewall6-${::datacenter}_prometheus_haproxy_exporter" |>>
+ Firewall <<| tag == "${::datacenter}_prometheus_haproxy_exporter" |>>
 }
diff --git a/manifests/profile/prometheus/exporter/ipmi.pp b/manifests/profile/prometheus/exporter/ipmi.pp
index 38ad49d2b..372dcadcf 100644
--- a/manifests/profile/prometheus/exporter/ipmi.pp
+++ b/manifests/profile/prometheus/exporter/ipmi.pp
@@ -33,10 +33,10 @@
 fail('Host cannot be scraped without a public or private IP address')
 } elsif $all_private_addresses != [] {
 $ipaddress = $all_private_addresses[0]
- Firewall <<| tag == "firewall6-${::datacenter}_prometheus_private_ipmi_exporter" |>>
+ Firewall <<| tag == "${::datacenter}_prometheus_private_ipmi_exporter" |>>
 } else {
 $ipaddress = $all_public_addresses[0]
- Firewall <<| tag == "firewall6-${::datacenter}_prometheus_public_ipmi_exporter" |>>
+ Firewall <<| tag == "${::datacenter}_prometheus_public_ipmi_exporter" |>>
 }
 @@concat_fragment { "prometheus ipmi scrape config ${::hostname}":
diff --git a/manifests/profile/prometheus/exporter/mysql.pp b/manifests/profile/prometheus/exporter/mysql.pp
index f01faeaa2..a93693006 100644
--- a/manifests/profile/prometheus/exporter/mysql.pp
+++ b/manifests/profile/prometheus/exporter/mysql.pp
@@ -30,7 +30,7 @@
 content => template('nebula/profile/prometheus/exporter/mysql/target.yaml.erb')
 }
- Firewall <<| tag == "firewall6-${::datacenter}_prometheus_mysql_exporter" |>>
+ Firewall <<| tag == "${::datacenter}_prometheus_mysql_exporter" |>>
 $role = lookup_role()
diff --git a/manifests/profile/prometheus/exporter/node.pp b/manifests/profile/prometheus/exporter/node.pp
index b7b949b6f..34fd714aa 100644
--- a/manifests/profile/prometheus/exporter/node.pp
+++ b/manifests/profile/prometheus/exporter/node.pp
@@ -139,11 +139,11 @@
 fail("${datacenter} host cannot be scraped by ${monitoring_datacenter} prometheus server without a public IP address")
 } elsif $all_private_addresses != [] and $monitoring_datacenter == $datacenter {
 $ipaddresses = $all_private_addresses
- Firewall <<| tag == "firewall6-${monitoring_datacenter}_prometheus_private_node_exporter" |>>
+ Firewall <<| tag == "${monitoring_datacenter}_prometheus_private_node_exporter" |>>
 Concat_fragment <<| title == "02 pushgateway advanced private url ${monitoring_datacenter}" |>>
 } else {
 $ipaddresses = $all_public_addresses
- Firewall <<| tag == "firewall6-${monitoring_datacenter}_prometheus_public_node_exporter" |>>
+ Firewall <<| tag == "${monitoring_datacenter}_prometheus_public_node_exporter" |>>
 Concat_fragment <<| title == "02 pushgateway advanced public url ${monitoring_datacenter}" |>>
 }
@@ -157,15 +157,6 @@
 state => 'NEW',
 jump => 'accept',
 }
-
- @@firewall { "300 pushgateway firewall6 ${::hostname} ${address}":
- tag => "firewall6-${monitoring_datacenter}_pushgateway_node",
- proto => 'tcp',
- dport => 9091,
- source => $address,
- state => 'NEW',
- action => 'accept',
- }
 }
 ensure_packages(['curl', 'jq'])
diff --git a/manifests/unison/client.pp b/manifests/unison/client.pp
index ef8010e17..c515e3f83 100644
--- a/manifests/unison/client.pp
+++ b/manifests/unison/client.pp
@@ -42,13 +42,4 @@
 jump => 'accept',
 tag => "unison-client-${title}"
 }
-
- @@firewall { "200 Unison firewall6: ${title} ${::hostname}":
- proto => 'tcp',
- dport => [$port],
- source => $::ipaddress,
- state => 'NEW',
- action => 'accept',
- tag => "firewall6-unison-client-${title}"
- }
 }
diff --git a/manifests/unison/server.pp b/manifests/unison/server.pp
index 7445e84dc..f9ca32b73 100644
--- a/manifests/unison/server.pp
+++ b/manifests/unison/server.pp
@@ -33,6 +33,6 @@
 filesystems => $filesystems
 }
- Firewall <<| tag == "firewall6-unison-client-${title}" |>>
+ Firewall <<| tag == "unison-client-${title}" |>>
 }