Fix horizon's iptables rules for haproxy when split off a separate role

This should have been fixed via:
https://review.openstack.org/#/c/460175/2

where we did:
service_config_settings:
  haproxy:
    tripleo.horizon.firewall_rules:
     '127 horizon':
        dport:
          - 80
          - 443

The problem is that the above does not work. Reason for this is the way
tripleo::firewall works.  It will only apply iptables rules for that
show up in hiera('service_names'):
    $service_names = hiera('service_names', [])
    tripleo::firewall::service_rules { $service_names: }

And since horizon is not in the service running on the haproxy role, the
above rule would never have been created.

Tested this change and now I correctly get the iptables rules on the
haproxy role for horizon:
[root@overcloud-core-0 ~]# iptables -nvL |grep horizon
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 0.0.0.0/0            multiport dports 80,443 state NEW /* 127 horizon ipv4 */
[root@overcloud-core-0 ~]# hiera -c /etc/puppet/hiera.yaml service_names |grep horizon
[root@overcloud-core-0 ~]#

Closes-Bug: #1808530

Change-Id: Ia4a795d1a7fb926f5900c739c1932b20d81ed7fc
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>

This commit is contained in:

Michele Baldessari

2018-12-14 14:40:08 +01:00

parent c4b816e8c5

commit 3114300c9c

1 changed files with 1 additions and 1 deletions

									
										2

puppet/services/horizon.yaml
									
				@ -152,7 +152,7 @@ outputs:

				      upgrade_tasks: []

				      service_config_settings:

				        haproxy:

				          tripleo::horizon::firewall_rules:

				          tripleo::haproxy::firewall_rules:

				            '127 horizon':

				              dport:

				                - 80

Fix horizon's iptables rules for haproxy when split off a separate role

2 puppet/services/horizon.yaml

2

puppet/services/horizon.yaml