diff --git a/upi/openstack/security-groups.yaml b/upi/openstack/security-groups.yaml
index 82279ca619..b9f93e69c2 100644
--- a/upi/openstack/security-groups.yaml
+++ b/upi/openstack/security-groups.yaml
@@ -70,17 +70,6 @@
 port_range_min: 6443
 port_range_max: 6443
 
- - name: 'Create master-sg IPv6 rule "OpenShift API"'
- openstack.cloud.security_group_rule:
- security_group: "{{ os_sg_master }}"
- ether_type: IPv6
- protocol: tcp
- port_range_min: 6443
- port_range_max: 6443
- when:
- - os_subnet6_range is defined
- - "{{ os_subnet6_range|ansible.utils.ipv6 }}"
-
 - name: 'Create master-sg rule "VXLAN"'
 openstack.cloud.security_group_rule:
 security_group: "{{ os_sg_master }}"
@@ -236,17 +225,6 @@
 port_range_min: 80
 port_range_max: 80
 
- - name: 'Create worker-sg IPv6 rule "Ingress HTTP"'
- openstack.cloud.security_group_rule:
- security_group: "{{ os_sg_worker }}"
- ether_type: IPv6
- protocol: tcp
- port_range_min: 80
- port_range_max: 80
- when:
- - os_subnet6_range is defined
- - "{{ os_subnet6_range|ansible.utils.ipv6 }}"
-
 - name: 'Create worker-sg rule "Ingress HTTPS"'
 openstack.cloud.security_group_rule:
 security_group: "{{ os_sg_worker }}"
@@ -254,17 +232,6 @@
 port_range_min: 443
 port_range_max: 443
 
- - name: 'Create worker-sg IPv6 rule "Ingress HTTPS"'
- openstack.cloud.security_group_rule:
- security_group: "{{ os_sg_worker }}"
- ether_type: IPv6
- protocol: tcp
- port_range_min: 443
- port_range_max: 443
- when:
- - os_subnet6_range is defined
- - "{{ os_subnet6_range|ansible.utils.ipv6 }}"
-
 - name: 'Create worker-sg rule "router"'
 openstack.cloud.security_group_rule:
 security_group: "{{ os_sg_worker }}"
@@ -350,3 +317,61 @@
 security_group: "{{ os_sg_worker }}"
 protocol: '112'
 remote_ip_prefix: "{{ os_subnet_range }}"
+
+ - name: 'Create security groups for IPv6'
+ block:
+ - name: 'Create master-sg IPv6 rule "OpenShift API"'
+ openstack.cloud.security_group_rule:
+ security_group: "{{ os_sg_master }}"
+ ether_type: IPv6
+ protocol: tcp
+ port_range_min: 6443
+ port_range_max: 6443
+
+ - name: 'Create worker-sg IPv6 rule "Ingress HTTP"'
+ openstack.cloud.security_group_rule:
+ security_group: "{{ os_sg_worker }}"
+ ether_type: IPv6
+ protocol: tcp
+ port_range_min: 80
+ port_range_max: 80
+
+ - name: 'Create worker-sg IPv6 rule "Ingress HTTPS"'
+ openstack.cloud.security_group_rule:
+ security_group: "{{ os_sg_worker }}"
+ ether_type: IPv6
+ protocol: tcp
+ port_range_min: 443
+ port_range_max: 443
+
+ - name: 'Create master-sg rule "master ingress HTTP (TCP)"'
+ openstack.cloud.security_group_rule:
+ security_group: "{{ os_sg_master }}"
+ ether_type: IPv6
+ protocol: tcp
+ port_range_min: 80
+ port_range_max: 80
+ when: os_master_schedulable is defined and os_master_schedulable
+
+ - name: 'Create master-sg rule "master ingress HTTPS (TCP)"'
+ openstack.cloud.security_group_rule:
+ security_group: "{{ os_sg_master }}"
+ ether_type: IPv6
+ protocol: tcp
+ port_range_min: 443
+ port_range_max: 443
+ when: os_master_schedulable is defined and os_master_schedulable
+
+ - name: 'Create master-sg rule "router"'
+ openstack.cloud.security_group_rule:
+ security_group: "{{ os_sg_master }}"
+ ether_type: IPv6
+ protocol: tcp
+ remote_ip_prefix: "{{ os_subnet_range }}"
+ port_range_min: 1936
+ port_range_max: 1936
+ when: os_master_schedulable is defined and os_master_schedulable
+
+ when:
+ - os_subnet6_range is defined
+ - os_subnet6_range|ansible.utils.ipv6
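Review bot: The new 'Create master-sg rule "router"' task at the end of the IPv6 block sets `ether_type: IPv6` but keeps `remote_ip_prefix: "{{ os_subnet_range }}"`, the same variable the protocol '112' rule just above the block uses without an ether_type. If that variable holds the IPv4 machine CIDR, as its use there suggests, the rule will either be rejected for an address-family mismatch or leave port 1936 closed to IPv6 nodes; since the block is already gated on `os_subnet6_range`, the line should read `remote_ip_prefix: "{{ os_subnet6_range }}"`. The three master-sg tasks added here also omit "IPv6" from their names, unlike the three tasks moved in from earlier in the file, which makes them hard to tell apart from any IPv4 counterparts in play output. The 6443, 80 and 443 rules in the block carry no `remote_ip_prefix`, so they admit any IPv6 source; it is worth confirming that this is intended for the API port and stating it in a comment on the block.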