From 52341d7a3a927d65c6146de0c1b1ba320adc40b0 Mon Sep 17 00:00:00 2001 From: Ryan Rotter Date: Tue, 5 Nov 2024 17:09:30 -0500 Subject: [PATCH 1/2] use firewall v8 semantics for exported resources `s/action/state/`, but only for exported resources, and only for the non-prefixed-tag version. Not yet actually collecting the firewall v8 resources, just adding them so they are present when we upgrade the firewall module. --- manifests/profile/haproxy.pp | 2 +- manifests/profile/prometheus.pp | 10 ++++++---- manifests/profile/prometheus/exporter/node.pp | 2 +- manifests/unison/client.pp | 2 +- spec/classes/profile/prometheus/exporter/node_spec.rb | 2 +- spec/classes/profile/prometheus_spec.rb | 4 ++-- 6 files changed, 12 insertions(+), 10 deletions(-) diff --git a/manifests/profile/haproxy.pp b/manifests/profile/haproxy.pp index 44b445148..df6c28810 100644 --- a/manifests/profile/haproxy.pp +++ b/manifests/profile/haproxy.pp @@ -135,7 +135,7 @@ dport => [80, 443], source => $::ipaddress, state => 'NEW', - action => 'accept', + jump => 'accept', tag => 'haproxy' } diff --git a/manifests/profile/prometheus.pp b/manifests/profile/prometheus.pp index ed95fbe05..c7cee274b 100644 --- a/manifests/profile/prometheus.pp +++ b/manifests/profile/prometheus.pp @@ -231,7 +231,7 @@ proto => 'tcp', source => $address, state => 'NEW', - action => 'accept', + jump => 'accept', ; "010 prometheus public node exporter ${::hostname} ${address}": @@ -247,11 +247,13 @@ "010 prometheus public node exporter firewall6 ${::hostname} ${address}": tag => "firewall6-${::datacenter}_prometheus_public_node_exporter", dport => 9100, + action => 'accept', ; "010 prometheus public ipmi exporter firewall6 ${::hostname} ${address}": tag => "firewall6-${::datacenter}_prometheus_public_ipmi_exporter", dport => 9290, + action => 'accept', ; } } 
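Review bot: In manifests/profile/haproxy.pp (`@@ -135,7 +135,7 @@`) the exported rule switches to `jump => 'accept'` with nothing in the manifest saying why exported rules are written differently from the others; the same holds for the `@@ -155,7 +155,7 @@` hunk in manifests/profile/prometheus/exporter/node.pp and `@@ -39,7 +39,7 @@` in manifests/unison/client.pp. A one-line comment above the attribute, e.g. `# firewall v8 semantics: accept is expressed with jump, not action`, would keep a later cleanup from changing it back. The commit message describes the change as `s/action/state/`, whereas the hunks replace `action` with `jump` and leave `state => 'NEW'` untouched, so it presumably means `s/action/jump/`. Each resource body starts before its hunk.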
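Review bot: In manifests/profile/prometheus.pp (`@@ -247,11 +247,13 @@`) the two `firewall6-`-tagged bodies gain `action => 'accept'`, but they may now also inherit `jump => 'accept'`. That happens if they share a declaration with the body changed in `@@ -231,7 +231,7 @@` and that body is its `default:` (not visible here, inferred from the `;` separators). As far as I recall, pre-v8 releases of the firewall module reject `jump` with an accept/drop/reject value and reject `action` and `jump` set together, so nodes collecting the `firewall6-` tags could fail to apply these allow rules. One option is to unset it in those bodies (`jump => undef,` next to each new `action => 'accept',`, if that overrides the default body in your Puppet version) or to move the attribute out of the shared default. The `@@ -262,7 +264,7 @@` hunk makes the same change for the private block without adding `action` to any body, so any `firewall6-` bodies there would lose `action` entirely.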
@@ -262,7 +264,7 @@ proto => 'tcp', source => $address, state => 'NEW', - action => 'accept', + jump => 'accept', ; "010 prometheus private node exporter ${::hostname} ${address}": @@ -302,7 +304,7 @@ dport => 9101, source => $::ipaddress, state => 'NEW', - action => 'accept', + jump => 'accept', } @@firewall { "010 prometheus firewall6 haproxy exporter ${::hostname}": @@ -320,7 +322,7 @@ dport => 9104, source => $::ipaddress, state => 'NEW', - action => 'accept', + jump => 'accept', } @@firewall { "010 prometheus firewall6 mysql exporter ${::hostname}": diff --git a/manifests/profile/prometheus/exporter/node.pp b/manifests/profile/prometheus/exporter/node.pp index 188d6e16c..b7b949b6f 100644 --- a/manifests/profile/prometheus/exporter/node.pp +++ b/manifests/profile/prometheus/exporter/node.pp @@ -155,7 +155,7 @@ dport => 9091, source => $address, state => 'NEW', - action => 'accept', + jump => 'accept', } @@firewall { "300 pushgateway firewall6 ${::hostname} ${address}": diff --git a/manifests/unison/client.pp b/manifests/unison/client.pp index 1c88918e4..ef8010e17 100644 --- a/manifests/unison/client.pp +++ b/manifests/unison/client.pp @@ -39,7 +39,7 @@ dport => [$port], source => $::ipaddress, state => 'NEW', - action => 'accept', + jump => 'accept', tag => "unison-client-${title}" } diff --git a/spec/classes/profile/prometheus/exporter/node_spec.rb b/spec/classes/profile/prometheus/exporter/node_spec.rb index 15c214291..b9802e8b4 100644 --- a/spec/classes/profile/prometheus/exporter/node_spec.rb +++ b/spec/classes/profile/prometheus/exporter/node_spec.rb @@ -117,7 +117,7 @@ .with_dport(9091) .with_source(facts[:ipaddress]) .with_state('NEW') - .with_action('accept') + .with_jump('accept') end context 'with both public and private mlibrary_ip_addresses' do diff --git a/spec/classes/profile/prometheus_spec.rb b/spec/classes/profile/prometheus_spec.rb index a8855fd1f..e77da9f62 100644 --- a/spec/classes/profile/prometheus_spec.rb 
+++ b/spec/classes/profile/prometheus_spec.rb @@ -189,7 +189,7 @@ .with_dport(port) .with_source(facts[:ipaddress]) .with_state('NEW') - .with_action('accept') + .with_jump('accept') end end @@ -346,7 +346,7 @@ .with_dport(port) .with_source(ip_address) .with_state('NEW') - .with_action('accept') + .with_jump('accept') end end end From aee89ce2c3c0ab13412e2e069b115994f1d4bc3b Mon Sep 17 00:00:00 2001 From: Ryan Rotter Date: Tue, 5 Nov 2024 17:22:08 -0500 Subject: [PATCH 2/2] scope haproxy `@@firewall` resource by datacenter --- manifests/profile/haproxy.pp | 2 +- spec/classes/profile/haproxy_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/profile/haproxy.pp b/manifests/profile/haproxy.pp index df6c28810..3277bd40f 100644 --- a/manifests/profile/haproxy.pp +++ b/manifests/profile/haproxy.pp @@ -136,7 +136,7 @@ source => $::ipaddress, state => 'NEW', jump => 'accept', - tag => 'haproxy' + tag => "${::datacenter}_haproxy" } @@firewall { "200 HTTP firewall6: HAProxy ${::hostname}": diff --git a/spec/classes/profile/haproxy_spec.rb b/spec/classes/profile/haproxy_spec.rb index 1637caa9e..c02a0c1e6 100644 --- a/spec/classes/profile/haproxy_spec.rb +++ b/spec/classes/profile/haproxy_spec.rb @@ -306,7 +306,7 @@ it 'exports a firewall resource tagged haproxy' do expect(exported_resources).to contain_firewall('200 HTTP: HAProxy thisnode').with( source: my_ip, - tag: 'haproxy', + tag: 'somedc_haproxy', ) end
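Review bot: The changes in spec/classes/profile/prometheus_spec.rb (`@@ -189,7 +189,7 @@` and `@@ -346,7 +346,7 @@`) only swap `.with_action('accept')` for `.with_jump('accept')`, so nothing in this patch asserts the `action => 'accept'` lines added to the `firewall6-`-tagged resources in manifests/profile/prometheus.pp. An expectation on one of those exported resources ending in `.with_action('accept')`, plus `.without_jump` if they are meant to stay on the old semantics, would pin the split between the two tag families. Both examples start and end outside the hunks.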
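Review bot: In manifests/profile/haproxy.pp (`@@ -136,7 +136,7 @@`, patch 2/2) the exported tag is now built from `$::datacenter`, a value reported by the exporting node, just like `source => $::ipaddress` above it. The tag decides which collectors will open the rule's ports for that source, so the node itself chooses both the address and the datacenter whose firewalls it targets; if the fact is unset the tag would degrade to `_haproxy` and match no datacenter. Where `datacenter` comes from is not visible here; if it can be derived from data the server controls (for example something under `$trusted`), that would be the safer input. Either way a comment such as `# tag must match the collector: "<datacenter>_haproxy"` would document the coupling. No collector is changed in this patch, so any existing `tag == 'haproxy'` collection would stop matching this resource.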
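Review bot: In spec/classes/profile/haproxy_spec.rb (`@@ -306,7 +306,7 @@`) the example is still named `'exports a firewall resource tagged haproxy'` although it now expects `tag: 'somedc_haproxy'`. Renaming it, e.g. `it 'exports a firewall resource tagged <datacenter>_haproxy' do`, keeps the failure output accurate. The visible expectation checks only `source` and `tag`, so the `jump => 'accept'` set on this resource in patch 1/2 is not covered by a spec in this series.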