From a10322497f3e122a0fbd22f171dba88d131b1ae4 Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Fri, 30 Apr 2021 07:43:07 +0200
Subject: Set up network for in-cluster deployment stage
This patch adds new network traffic exceptions to the infrastructure
setup step. This change has to be done during the infrastructure setup
step because OpenStack client is not available from within the cluster.
Issue-ID: INT-1601
Change-Id: I5adbce6197d8de6ab2bf7f54c73d6003442674da
Signed-off-by: Pawel Wieczorek
---
.../ansible/roles/create_bastion/tasks/main.yml | 35 ++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 deployment/noheat/cluster-rke/ansible/roles/create_bastion/tasks/main.yml
(limited to 'deployment/noheat/cluster-rke/ansible/roles/create_bastion')
diff --git a/deployment/noheat/cluster-rke/ansible/roles/create_bastion/tasks/main.yml b/deployment/noheat/cluster-rke/ansible/roles/create_bastion/tasks/main.yml
new file mode 100644
index 000000000..8189968c4
--- /dev/null
+++ b/deployment/noheat/cluster-rke/ansible/roles/create_bastion/tasks/main.yml
@@ -0,0 +1,35 @@
+- name: Add cluster hostnames to /etc/hosts file
+ lineinfile:
+ path: /etc/hosts
+ line: "{{ ansible_default_ipv4.address + ' ' + ansible_hostname }}"
+
+- name: Enable IP forwarding
+ ansible.posix.sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+
+- name: Create PREROUTING rule
+ ansible.builtin.iptables:
+ table: nat
+ chain: PREROUTING
+ protocol: tcp
+ destination_port: "{{ destination.port }}"
+ jump: DNAT
+ to_destination: "{{ destination.address }}:{{ destination.port }}"
+
+- name: Create OUTPUT rule
+ ansible.builtin.iptables:
+ table: nat
+ chain: OUTPUT
+ protocol: tcp
+ destination: "{{ ansible_default_ipv4.address }}"
+ destination_port: "{{ destination.port }}"
+ jump: DNAT
+ to_destination: "{{ destination.address }}"
+
+- name: Enable masquerading
+ ansible.builtin.iptables:
+ table: nat
+ chain: POSTROUTING
+ jump: MASQUERADE
--
cgit 1.2.3-korg