From 15c53698bcae520ded5d7d8a79351966643661b4 Mon Sep 17 00:00:00 2001
From: Carlos Goncalves <cgoncalves@redhat.com>
Date: Thu, 29 Mar 2018 17:54:40 +0300
Subject: [PATCH] Add firewall rule to octavia health mgmt iface

The Octavia amphora agent periodically sends heartbeat packets to the
Octavia health manager service which listens on udp/5555. A firewall
rule needs to be added to allow such traffic on interface
OctaviaMgmtPortDevName.

Change-Id: If6c98c18dfe02d5ab8af1806fed401ab945ed18a
---
 puppet/services/octavia-health-manager.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/puppet/services/octavia-health-manager.yaml b/puppet/services/octavia-health-manager.yaml
index 35874394bf..d4693888e9 100644
--- a/puppet/services/octavia-health-manager.yaml
+++ b/puppet/services/octavia-health-manager.yaml
@@ -42,6 +42,12 @@ parameters:
     type: string
     description: Key to identify heartbeat messages for amphorae.
     hidden: true
+  OctaviaMgmtPortDevName:
+    type: string
+    default: "o-hm0"
+    description: Name of the octavia management network interface using
+                 for communication between octavia worker/health-manager
+                 with the amphora machine.
 
 resources:
 
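Review bot: The description of `OctaviaMgmtPortDevName` reads "using for communication" and should say `used for communication between the octavia worker/health-manager and the amphora machines`. This value is passed as `iniface` to a firewall rule in the second hunk, so a mistyped name would probably give a rule that matches no interface and leaves the heartbeat traffic blocked without any error. A Heat `constraints:` entry such as `- length: {min: 1, max: 15}` (the Linux interface-name limit) would reject bad values at stack validation. If another service template already declares this parameter, the default and description should match it; that is not visible from this hunk.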
@@ -66,6 +72,11 @@ outputs:
           - get_attr: [OctaviaBase, role_data, config_settings]
           - octavia::health_manager::heartbeat_key: {get_param: OctaviaHeartbeatKey}
             octavia::health_manager::event_streamer_driver: 'queue_event_streamer'
+            tripleo.octavia_api.firewall_rules:
+              '200 octavia health manager interface':
+                proto: udp
+                dport: 5555
+                iniface: {get_param: OctaviaMgmtPortDevName}
       service_config_settings:
         fluentd:
           tripleo_fluentd_groups_octavia_health_manager:
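Review bot: The hiera key `tripleo.octavia_api.firewall_rules` names the API service, but this file is the health-manager template, and the fluentd group just below uses `octavia_health_manager`. If firewall rules are collected per service name, as the key shape suggests, the rule would only be applied where octavia_api is deployed. On a node that runs both services it could also collide with the same key from the API template, so either udp/5555 stays closed or the API rules are dropped. I would write `tripleo.octavia_health_manager.firewall_rules:` here, assuming that matches this template's service_name, which is outside the hunk. The rule is limited by `iniface` only; if the management subnet is known, restricting the source as well would narrow who can reach the heartbeat listener.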