diff --git a/docs/pics/securitygroups_prereqs.png b/docs/pics/securitygroups_prereqs.png
index 948870c..5766676 100644
Binary files a/docs/pics/securitygroups_prereqs.png and b/docs/pics/securitygroups_prereqs.png differ
diff --git a/install-private-prereqs-only.yml b/install-private-prereqs-only.yml
new file mode 100644
index 0000000..a47412b
--- /dev/null
+++ b/install-private-prereqs-only.yml
@@ -0,0 +1,9 @@
+- name: "[AZURE-PRIVATE] Add Azure Prereqs in Private Mode"
+ hosts: localhost
+ gather_facts: yes
+ vars_files:
+ - vault/azure.yml
+ - vars/vars-private.yml
+ tasks:
+ - name: Install Azure Infra Prereqs for Private
+ include_tasks: roles/ocp4-cloud-ipi/tasks/azure-infra-private.yml
diff --git a/install-private-without-prereqs.yml b/install-private-without-prereqs.yml
new file mode 100644
index 0000000..6f95d6a
--- /dev/null
+++ b/install-private-without-prereqs.yml
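Review bot: This play loads `vault/azure.yml` but, unlike both plays in `install-private-without-prereqs.yml` added in the same commit, does not export the Azure credentials through an `environment:` block; if the tasks in `roles/ocp4-cloud-ipi/tasks/azure-infra-private.yml` authenticate via the `AZURE_*` environment variables rather than explicit module parameters (not visible here), the prereqs run will either fail or pick up whatever credentials happen to be configured on the controller. Either add the same `environment:` block as the sibling playbook or state in a comment which credential source the included tasks expect. `gather_facts: yes` is a YAML 1.1 truthy value that yamllint flags; write `gather_facts: true` (the same line appears in the first play of `install-private-without-prereqs.yml`). The file should also start with `---` like the sibling playbook does.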
@@ -0,0 +1,41 @@
+---
+
+- name: "[OCP4-INSTALL] Create Azure Openshift Cluster in Private/Disconnected Mode"
+ hosts: localhost
+ gather_facts: yes
+ vars_files:
+ - vault/azure.yml
+ - vars/vars-private.yml
+ - vars/vars-firewall.yml # Only used in egress=firewall
+ environment:
+ AZURE_SUBSCRIPTION_ID: "{{ azure_subscription_id }}"
+ AZURE_TENANT: "{{ azure_tenant }}"
+ AZURE_CLIENT_ID: "{{ azure_client_id }}"
+ AZURE_SECRET: "{{ azure_secret }}"
+ tasks:
+ - name: Install Bastion Infra Azure
+ include_tasks: roles/ocp4-cloud-ipi/tasks/azure-bastion-infra.yml
+
+- name: "[OCP4-INSTALL] Create Azure Openshift Cluster in Private/Disconnected mode"
+ hosts: inv
+ become: true
+ vars_files:
+ - vault/azure.yml
+ - vars/vars-private.yml
+ environment:
+ AZURE_SUBSCRIPTION_ID: "{{ azure_subscription_id }}"
+ AZURE_TENANT: "{{ azure_tenant }}"
+ AZURE_CLIENT_ID: "{{ azure_client_id }}"
+ AZURE_SECRET: "{{ azure_secret }}"
+ tasks:
+ - name: Install SW and Configure Registry into the Bastion
+ include_role:
+ name: ocp4-cloud-ipi
+ vars:
+ action: prepare-bastion
+
+ - name: Install cluster
+ include_role:
+ name: ocp4-cloud-ipi
+ vars:
+ action: install
diff --git a/roles/ocp4-cloud-ipi/tasks/azure-infra-private.yml b/roles/ocp4-cloud-ipi/tasks/azure-infra-private.yml
index c8eb14b..b9b2500 100644
--- a/roles/ocp4-cloud-ipi/tasks/azure-infra-private.yml
+++ b/roles/ocp4-cloud-ipi/tasks/azure-infra-private.yml
@@ -19,7 +19,7 @@
 priority: 101
 direction: Inbound
 destination_port_range: 6443
- - name: apps_http
+ - name: apps_http_in
 description: "No public IP Exposed in Private Mode. Only reachable within VNet/Peering or ExpressRoute"
 protocol: Tcp
 access: Allow
@@ -27,7 +27,7 @@
 direction: Inbound
 source_address_prefix: Internet
 destination_port_range: 80
- - name: apps_https
+ - name: apps_https_in
 description: "No public IP Exposed in Private Mode. Only reachable within VNet/Peering or ExpressRoute"
 protocol: Tcp
 access: Allow
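Review bot: The play-level `environment:` exports `AZURE_SECRET` (with the other `AZURE_*` values) into every task of both plays, including the `become: true` play on the bastion where `prepare-bastion` and `install` run as root and most tasks presumably never call an Azure module; a secret placed in a play-wide environment is inherited by every process those tasks spawn on the host and can surface in debug-level task output. Consider moving `environment:` down to the tasks or `include_role` entries that actually need the credentials, and marking those with `no_log: true` so the values are not echoed on failure. The two plays are also named identically apart from the case of `Mode`/`mode`, which makes `--list-tasks` output and logs hard to read; naming them by what they do, e.g. `- name: "[OCP4-INSTALL] Create bastion infrastructure in Azure"` and `- name: "[OCP4-INSTALL] Prepare bastion and install cluster"`, would help. The first play's `gather_facts: yes` should be `gather_facts: true`, as noted on `install-private-prereqs-only.yml`.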
@@ -35,12 +35,16 @@
 direction: Inbound
 source_address_prefix: Internet
 destination_port_range: 443
- - name: AllowVnetInbound
+ - name: mcs_in
+ description: "Not needed because the 65000 - AllowVnetInBound allows Any traffic inside of the Vnet, and master&workers subnets are in the same Vnet"
 protocol: Tcp
 access: Allow
- priority: 65000
- direction: Outbound
- source_address_prefix: AzureLoadBalancer
+ priority: 104
+ direction: Inbound
+ source_address_prefix: VirtualNetwork
+ destination_port_range: 22623
+ destination_address_prefix: VirtualNetwork
+ #
 # Bastion is INSIDE of the VNet. Port 22 is reachable of Any Nay VNet to Vnet in port 65001
 #- name: bootstrap_ssh_in
 # description: "Only needed during the OCP4 Install for Tshoot Purposes. Delete after"
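Review bot: The new `mcs_in` rule's `description` says the rule is "Not needed", which contradicts adding it as an explicit Allow at priority 104; if it is kept as defense in depth against a later VNet-scoped deny rule that would sort before the default 65000 `AllowVnetInBound`, the description should say that, e.g. `description: "Machine Config Server (22623) within the VNet. Redundant with the default AllowVnetInBound rule, kept explicit so a later VNet deny rule does not block it"`. The new rule is correctly scoped to `VirtualNetwork` on both source and destination, whereas the adjacent `apps_https_in` rule whose context lines open this hunk (and `apps_http_in` in the previous hunk) still allow inbound from `Internet` on 443/80 while their own description states nothing is publicly exposed in private mode; tightening those to `source_address_prefix: VirtualNetwork` or documenting why `Internet` is required would make the rules match their stated intent. The added `#` line after `destination_address_prefix` is an empty comment and can be dropped. The rule list this hunk edits begins before line 35, outside the hunk.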