- hosts: undercloud
  tasks:
    - name: Add hosts to access all tripleo nodes via controlplane
      vars:
        undercloud_ip: "{{ hostvars['undercloud']['ansible_host'] }}"
      ansible.builtin.add_host:
        name: "{{ item }}-through-undercloud"
        ansible_host: "192.168.122.{{ hostvars[item]['address_suffix'] }}"
        ansible_ssh_common_args: '-o StrictHostKeyChecking=no -J zuul@{{ undercloud_ip }}'
        ansible_user: zuul
        groups: tripleo_nodes
      loop: "{{ groups.all | select('match', '^overcloud*')  }}"

- hosts: tripleo_nodes
  become: true
  tasks:
    - name: Ensure iptables package is installed
      ansible.builtin.package:
        name: iptables

    - name: Add firewall rule to allow zuul executor to reach tripleo nodes
      vars:
        executor_ip: "{{ lookup('env', 'SSH_CLIENT') | split | first }}"
      ansible.builtin.iptables:
        action: "insert"
        chain: "INPUT"
        comment: "allow ssh access for zuul executor"
        in_interface: "eth0"
        jump: "ACCEPT"
        protocol: "tcp"
        source: "{{ executor_ip }}"