add rule for mgmt network

openshift · Jan 10, 2025 · 38837b9 · 38837b9
1 parent 6447629
commit 38837b9
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 1 deletion.
diff --git a/...step-registry/baremetal/lab/ipi/disconnected/baremetal-lab-ipi-disconnected-workflow.yaml b/...step-registry/baremetal/lab/ipi/disconnected/baremetal-lab-ipi-disconnected-workflow.yaml
@@ -8,6 +8,7 @@ workflow:
       - chain: baremetal-lab-post
     env:
       DISCONNECTED: "true"
+      PLATFORM: "baremetal"
   documentation: |-
     The baremetal-lab-ipi-install-disconnected workflow provides pre- and post- steps that provision and
     deprovision an IPI OpenShift cluster with a disconnected configuration on a Baremetal lab,

diff --git a/...perator/step-registry/baremetal/lab/post/firewall/baremetal-lab-post-firewall-commands.sh b/...perator/step-registry/baremetal/lab/post/firewall/baremetal-lab-post-firewall-commands.sh
@@ -43,4 +43,18 @@ timeout -s 9 10m ssh "${SSHOPTS[@]}" "root@${AUX_HOST}" bash -s -- \
   for ip in $IP_ARRAY; do
     iptables -D FORWARD -s ${ip} ! -d "${INTERNAL_NET_CIDR}" -j DROP
   done
-EOF
+EOF
+
+if [ x"${DISCONNECTED}" == x"true" ] && [ "${PLATFORM}" == "baremetal" ]; then
+  timeout -s 9 10m ssh "${SSHOPTS[@]}" "root@${AUX_HOST}" bash -s -- \
+    "${INTERNAL_NET_CIDR}" "${IP_ARRAY[@]}" << 'EOF'
+  set -o nounset
+  set -o errexit
+  INTERNAL_NET_CIDR="${1}"
+  IP_ARRAY="${@:2}"
+  for ip in $IP_ARRAY; do
+    # TODO: change to firewalld or nftables
+    iptables -D FORWARD -s ${ip} -d 192.168.70.0/24 -j ACCEPT
+  done
+EOF
+fi
diff --git a/ci-operator/step-registry/baremetal/lab/post/firewall/baremetal-lab-post-firewall-ref.yaml b/ci-operator/step-registry/baremetal/lab/post/firewall/baremetal-lab-post-firewall-ref.yaml
@@ -15,6 +15,8 @@ ref:
       default: ""
     - name: DISCONNECTED
       default: "false"
+    - name: PLATFORM
+      default: "none"
     - name: INTERNAL_NET_CIDR
       default: "192.168.80.0/22"
   documentation: |-

diff --git a/ci-operator/step-registry/baremetal/lab/pre/firewall/baremetal-lab-pre-firewall-commands.sh b/ci-operator/step-registry/baremetal/lab/pre/firewall/baremetal-lab-pre-firewall-commands.sh
@@ -48,6 +48,20 @@ for bmhost in $(yq e -o=j -I=0 '.[]' "${SHARED_DIR}/hosts.yaml"); do
   IP_ARRAY+=( "$ip" )
 done
 
+if [ x"${DISCONNECTED}" == x"true" ] && [ "${PLATFORM}" == "baremetal" ]; then
+  timeout -s 9 10m ssh "${SSHOPTS[@]}" "root@${AUX_HOST}" bash -s -- \
+    "${INTERNAL_NET_CIDR}" "${IP_ARRAY[@]}" << 'EOF'
+  set -o nounset
+  set -o errexit
+  INTERNAL_NET_CIDR="${1}"
+  IP_ARRAY="${@:2}"
+  for ip in $IP_ARRAY; do
+    # TODO: change to firewalld or nftables
+    iptables -A FORWARD -s ${ip} -d 192.168.70.0/24 -j ACCEPT
+  done
+EOF
+fi
+
 timeout -s 9 10m ssh "${SSHOPTS[@]}" "root@${AUX_HOST}" bash -s -- \
   "${INTERNAL_NET_CIDR}" "${IP_ARRAY[@]}" << 'EOF'
   set -o nounset

diff --git a/ci-operator/step-registry/baremetal/lab/pre/firewall/baremetal-lab-pre-firewall-ref.yaml b/ci-operator/step-registry/baremetal/lab/pre/firewall/baremetal-lab-pre-firewall-ref.yaml
@@ -14,6 +14,8 @@ ref:
       default: ""
     - name: DISCONNECTED
       default: "false"
+    - name: PLATFORM
+      default: "none"
     - name: INTERNAL_NET_CIDR
       default: "192.168.80.0/22"
     - name: CLUSTER_WIDE_PROXY