From 814ae5c1825b71dbfd9d2bdec2576f8467e5bfa5 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Sun, 14 Jun 2020 15:34:00 -0700
Subject: [PATCH] drop qa_isolated.
We no longer need this as it was put in place when taskotron was going to run user provided tests. Since the only left in 'qa' is openqa and it only tests fedora images/updates and is still also in it's own vlan, we no longer need to reject things in qa from the rest of their same vlan.
Signed-off-by: Kevin Fenzi
---
 inventory/inventory | 25 -------------------
 roles/base/templates/iptables/iptables | 13 ----------
 .../iptables.torrent02.fedoraproject.org | 13 ----------
 roles/fedmsg/base/tasks/main.yml | 4 +--
 4 files changed, 2 insertions(+), 53 deletions(-)
diff --git a/inventory/inventory b/inventory/inventory
index b8578e6216..ba019c216e 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -927,31 +927,6 @@ pagure-stg01.fedoraproject.org
 [gnome_backups]
-[qa_isolated]
-# openQA boxes start - note old openQA aarch64 workers intentionally
-# not here as they are not in QA network at all
-openqa01.qa.fedoraproject.org
-#openqa01.iad2.fedoraproject.org
-openqa-stg01.qa.fedoraproject.org
-openqa-aarch64-01.qa.fedoraproject.org
-openqa-aarch64-03.qa.fedoraproject.org
-openqa-ppc64le-01.qa.fedoraproject.org
-openqa-ppc64le-02.qa.fedoraproject.org
-openqa-ppc64le-03.qa.fedoraproject.org
-qa01.qa.fedoraproject.org
-qa02.qa.fedoraproject.org
-qa05.qa.fedoraproject.org
-qa07.qa.fedoraproject.org
-qa09.qa.fedoraproject.org
-qa14.qa.fedoraproject.org
-# openQA boxes end
-db-qa01.qa.fedoraproject.org
-db-qa02.qa.fedoraproject.org
-db-qa03.qa.fedoraproject.org
-db-openqa01.iad2.fedoraproject.org
-resultsdb01.qa.fedoraproject.org
-resultsdb-stg01.qa.fedoraproject.org
-
 [osbs_control]
 osbs-control01.iad2.fedoraproject.org
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index 53a9c7f517..1693c0f34a 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -44,19 +44,6 @@
 {% endif %}
-{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa_isolated'] %}
-#
-# In the qa.fedoraproject.org network, we want machines not in the qa-isolated group
-# to block all access from that group. This is to protect them from any possible attack
-# vectors from qa-isolated machines.
-#
-{% for host in groups['qa_isolated']|sort %}
-{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
--A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}# {{ host }} has no 'eth0_ip' listed
-{% endif %}
-{% endfor %}
-{% endif %}
 # if the host declares a fedmsg-enabled wsgi app, open ports for it
 {% if wsgi_fedmsg_service is defined %}
 {% for i in range(wsgi_procs * wsgi_threads) %}
diff --git a/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org b/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org
index 1b3cd2d34e..0fd6380748 100644
--- a/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org
+++ b/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org
@@ -49,19 +49,6 @@
 {% endfor %}
 {% endif %}
-{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa_isolated'] %}
-#
-# In the qa.fedoraproject.org network, we want machines not in the qa-isolated group
-# to block all access from that group. This is to protect them from any possible attack
-# vectors from qa-isolated machines.
-#
-{% for host in groups['qa_isolated']|sort %}
-{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
--A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}# {{ host }} has no 'eth0_ip' listed
-{% endif %}
-{% endfor %}
-{% endif %}
 # if the host declares a fedmsg-enabled wsgi app, open ports for it
 {% if wsgi_fedmsg_service is defined %}
 {% for i in range(wsgi_procs * wsgi_threads) %}
diff --git a/roles/fedmsg/base/tasks/main.yml b/roles/fedmsg/base/tasks/main.yml
index 15d28a0358..43ab5c080f 100644
--- a/roles/fedmsg/base/tasks/main.yml
+++ b/roles/fedmsg/base/tasks/main.yml
@@ -110,7 +110,7 @@
 - relay.py
 - logging.py
 - base.py
- when: "'persistent_cloud' not in group_names and 'qa_isolated' not in group_names"
+ when: "'persistent_cloud' not in group_names
 tags:
 - config
 - fedmsgdconfig
@@ -156,7 +156,7 @@
 - relay.py
 - logging.py
 - base.py
- when: "'persistent_cloud' in group_names or 'qa_isolated' in group_names"
+ when: "'persistent_cloud' in group_names
 tags:
 - config
 - fedmsgdconfig
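Review bot: The rewritten `when:` line in both hunks of roles/fedmsg/base/tasks/main.yml (at -110 and -156) has lost its closing double quote, so the quoted scalar runs on into the following `tags:` lines and the task file will most likely fail to parse. Close the string in each: `when: "'persistent_cloud' not in group_names"` in the first hunk and `when: "'persistent_cloud' in group_names"` in the second. Separately, hosts that were in `qa_isolated` now fall under the first condition instead of the second, so they receive whichever fedmsg config set the first task installs; it is worth confirming that this is intended for the openQA and resultsdb machines. Both tasks begin above their hunks, so the file lists they loop over are only partly visible here.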