#  Copyright 2020 Dell Inc. or its subsidiaries. All Rights Reserved.
#
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.
---

- name: Install firewalld
  package:
    name: firewalld
    state: present
  tags: firewalld

- name: Start and enable firewalld
  service:
    name: firewalld
    state: started
    enabled: yes
  tags: firewalld

- name: Configure firewalld on master nodes
  firewalld:
    port: "{{ item }}"
    permanent: yes
    state: enabled
  with_items: '{{ k8s_master_ports }}'
  when: "'manager' in group_names"
  tags: firewalld

- name: Configure firewalld on compute nodes
  firewalld:
    port: "{{ item }}/tcp"
    permanent: yes
    state: enabled
  with_items: '{{ k8s_compute_ports }}'
  when: "'compute' in group_names and groups['manager'][0] != groups['compute'][0] and groups['compute']|length >= 1"
  tags: firewalld

- name: Open flannel ports on the firewall
  firewalld:
    port: "{{ item }}/udp"
    permanent: yes
    state: enabled
  with_items: "{{ flannel_udp_ports }}"
  when: hostvars['127.0.0.1']['k8s_cni'] == "flannel"
  tags: firewalld

- name: Open calico UDP ports on the firewall
  firewalld:
    port: "{{ item }}/udp"
    permanent: yes
    state: enabled
  with_items: "{{ calico_udp_ports }}"
  when: hostvars['127.0.0.1']['k8s_cni'] == "calico"
  tags: firewalld

- name: Open calico TCP ports on the firewall
  firewalld:
    port: "{{ item }}/tcp"
    permanent: yes
    state: enabled
  with_items: "{{ calico_tcp_ports }}"
  when: hostvars['127.0.0.1']['k8s_cni'] == "calico"
  tags: firewalld

- name: Masquerade the firewall
  command: firewall-cmd --add-masquerade --permanent
  changed_when: true
  tags: firewalld

- name: Reload firewalld
  command: firewall-cmd --reload
  changed_when: true
  tags: firewalld

- name: Stop and disable firewalld
  service:
    name: firewalld
    state: stopped
    enabled: no
  tags: firewalld