Set firewall rules for custom CIDR ranges

[laszlojau]

Changes

role: prereq

Linked Issues

#292

[laszlojau]

I tried to keep multiple options open for passing the CIDR range to the prereq role, happy to update/simplify the logic if needed.

[dereknola]

I'm happy to support this since we introduced the firewall exception as an addon. But you should simplify the logic. Just have a cluster_cidr and service_cidr default vars that could be overriden by the inventory var.

Additionally, you need to sign all your commits to comply with the DCO.

[laszlojau]

I'm happy to support this since we introduced the firewall exception as an addon. But you should simplify the logic. Just have a cluster_cidr and service_cidr default vars that could be overriden by the inventory var.

Wouldn't that mean having to set the variable twice? Or you mean pass those values through as k3s server arguments as well? I'd prefer setting it once if possible. What if I just looked at the server_config_yaml?

I.e. do something like this instead:

cluster_cidr: "{{ (server_config_yaml | from_yaml)['cluster-cidr'] | default('10.42.0.0/16') }}"
service_cidr: "{{ (server_config_yaml | from_yaml)['service-cidr'] | default('10.43.0.0/16') }}"

And then the loop could be something like:

  loop: "{{ (cluster_cidr + ',' + service_cidr) | split(',') }}"

[dereknola]

Yeah i think that would work:

• If hard defined as a variable, use that.
• Otherwise attempt to figure it out from the k3s config.yaml values
• Otherwise use the defaults

[laszlojau]

Updated the logic and signed the commit, let me know if you need anything else.