add new changes

rcarrata · Apr 15, 2021 · 33fd310 · 33fd310
1 parent 3eca86f
commit 33fd310
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 6 deletions.
diff --git a/docs/pics/securitygroups_prereqs.png b/docs/pics/securitygroups_prereqs.png
diff --git a/install-private-prereqs-only.yml b/install-private-prereqs-only.yml
@@ -0,0 +1,9 @@
+- name: "[AZURE-PRIVATE] Add Azure Prereqs in Private Mode"
+  hosts: localhost
+  gather_facts: yes
+  vars_files:
+    - vault/azure.yml
+    - vars/vars-private.yml
+  tasks:
+    - name: Install Azure Infra Prereqs for Private
+      include_tasks: roles/ocp4-cloud-ipi/tasks/azure-infra-private.yml
diff --git a/install-private-without-prereqs.yml b/install-private-without-prereqs.yml
@@ -0,0 +1,41 @@
+---
+
+- name: "[OCP4-INSTALL] Create Azure Openshift Cluster in Private/Disconnected Mode"
+  hosts: localhost
+  gather_facts: yes
+  vars_files:
+    - vault/azure.yml
+    - vars/vars-private.yml
+    - vars/vars-firewall.yml # Only used in egress=firewall
+  environment:
+    AZURE_SUBSCRIPTION_ID: "{{ azure_subscription_id }}"
+    AZURE_TENANT: "{{ azure_tenant }}"
+    AZURE_CLIENT_ID: "{{ azure_client_id }}"
+    AZURE_SECRET: "{{ azure_secret }}"
+  tasks:
+    - name: Install Bastion Infra Azure
+      include_tasks: roles/ocp4-cloud-ipi/tasks/azure-bastion-infra.yml
+
+- name: "[OCP4-INSTALL] Create Azure Openshift Cluster in Private/Disconnected mode"
+  hosts: inv
+  become: true
+  vars_files:
+    - vault/azure.yml
+    - vars/vars-private.yml
+  environment:
+    AZURE_SUBSCRIPTION_ID: "{{ azure_subscription_id }}"
+    AZURE_TENANT: "{{ azure_tenant }}"
+    AZURE_CLIENT_ID: "{{ azure_client_id }}"
+    AZURE_SECRET: "{{ azure_secret }}"
+  tasks:
+    - name: Install SW and Configure Registry into the Bastion
+      include_role:
+        name: ocp4-cloud-ipi
+      vars:
+        action: prepare-bastion
+
+    - name: Install cluster
+      include_role:
+        name: ocp4-cloud-ipi
+      vars:
+        action: install
diff --git a/roles/ocp4-cloud-ipi/tasks/azure-infra-private.yml b/roles/ocp4-cloud-ipi/tasks/azure-infra-private.yml
@@ -19,28 +19,32 @@
         priority: 101
         direction: Inbound
         destination_port_range: 6443
-      - name: apps_http
+      - name: apps_http_in
         description: "No public IP Exposed in Private Mode. Only reachable within VNet/Peering or ExpressRoute"
         protocol: Tcp
         access: Allow
         priority: 102
         direction: Inbound
         source_address_prefix: Internet
         destination_port_range: 80
-      - name: apps_https
+      - name: apps_https_in
         description: "No public IP Exposed in Private Mode. Only reachable within VNet/Peering or ExpressRoute"
         protocol: Tcp
         access: Allow
         priority: 103
         direction: Inbound
         source_address_prefix: Internet
         destination_port_range: 443
-      - name: AllowVnetInbound
+      - name: mcs_in
+        description: "Not needed because the 65000 - AllowVnetInBound allows Any traffic inside of the Vnet, and master&workers subnets are in the same Vnet"
         protocol: Tcp
         access: Allow
-        priority: 65000
-        direction: Outbound
-        source_address_prefix: AzureLoadBalancer
+        priority: 104
+        direction: Inbound
+        source_address_prefix: VirtualNetwork
+        destination_port_range: 22623
+        destination_address_prefix: VirtualNetwork
+        #
         #  Bastion is INSIDE of the VNet. Port 22 is reachable of Any Nay VNet to Vnet in port 65001
         #- name: bootstrap_ssh_in
         #  description: "Only needed during the OCP4 Install for Tshoot Purposes. Delete after"