Update git submodules

* Update puppet-tripleo from branch 'master'
  - Merge "Fix horizon firewall rules in composable roles"
  - Fix horizon firewall rules in composable roles
    
    Atm horizon haproxy firewall rules obfuscate any other rule defined via
    the tripleo.haproxy.firewall_rules key.
    
    Things broke with https://review.opendev.org/#/c/625600/.  The reason
    that was pushed is that in composable roles, when splitting off horizon
    away from where haproxy runs, we would not have the proper iptables rules
    on the haproxy role. This was due to the fact that we had
    the following code:
          service_config_settings:
            haproxy:
              tripleo.horizon.firewall_rules:
                '127 horizon':
                  dport:
                    - 80
                    - 443
    
    The above code never worked as explained in
    3f8ce6fd96bc4f28a052b4c87a19b4b152734091 and so we fixed it by setting
    the proper tripleo.haproxy.firewall_rules key. The issue is that rules
    for haproxy should just never have been set at all via
    service_config_settings keys in the first place. As demonstrated with
    this bug, the merging of hiera dictionaries will mess us up and we'll
    end up overwriting other keys. Haproxy stats access has this:
    outputs:
      role_data:
        description: Role data for the HAproxy role.
        value:
          service_name: haproxy
          monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
          config_settings:
            map_merge:
              - tripleo.haproxy.firewall_rules:
                  '107 haproxy stats':
                    dport: 1993
    
    Hiera will return the horizon settings for
    tripleo.haproxy.firewall_rules, which won't be deep merged with the
    firewall rules from haproxy stats, and so rule '107 haproxy stats' will
    never be present.
    
    Rules for haproxy need to happen in puppet-tripleo/manifests/haproxy*.
    Normally they do, the exception is horizon which uses a specialized
    horizon_endpoint.pp manifest which does not trigger these rules.
    
    Let's create the firewall rules in haproxy/horizon_endpoint.pp like we
    do for all other endpoints.
    
    Tested and correctly got:
    [root@controller-0 ~]# iptables -nvL |grep hor
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80 state NEW /* 100 horizon_haproxy ipv4 */
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 443 state NEW /* 100 horizon_haproxy_ssl ipv4 */
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 state NEW /* 126 horizon ipv4 */
    
    Change-Id: I1325171ef60d7a7e3b57373082fcdb5487be939b
    Related-Bug: #1829338
Zuul 2019-05-24 15:17:06 +00:00 committed by Gerrit Code Review
parent 0e51208dd7
commit c34450bc9e
1 changed files with 1 additions and 1 deletions
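
The key collision described in the commit message, modelled as an added example (not code from puppet-tripleo or tripleo-heat-templates): a priority lookup returns the first layer that defines the key, so a firewall rule defined in a lower layer silently disappears. The layer names, their order and the '127 horizon' entry under the haproxy key are assumptions built from the snippets in the message.

```python
from copy import deepcopy

KEY = "tripleo.haproxy.firewall_rules"

# Constructed sample hieradata: two layers that both define KEY.
# Layer names and ordering are assumptions for illustration.
HIERARCHY = [
    ("service_configs", {  # filled from horizon's service_config_settings
        KEY: {"127 horizon": {"dport": [80, 443]}},
    }),
    ("config_settings", {  # filled from the haproxy role's config_settings
        KEY: {"107 haproxy stats": {"dport": 1993}},
    }),
]

def lookup_first(hierarchy, key):
    """Priority lookup: the first layer defining the key wins outright."""
    for _name, data in hierarchy:
        if key in data:
            return deepcopy(data[key])
    return None

def deep_merge(high, low):
    """Merge two dicts recursively; values from `high` win on conflict."""
    out = deepcopy(low)
    for k, v in high.items():
        if isinstance(v, dict) and isinstance(out.get(k), dict):
            out[k] = deep_merge(v, out[k])
        else:
            out[k] = deepcopy(v)
    return out

def lookup_deep(hierarchy, key):
    """Deep-merge lookup: every layer contributes, higher layers win."""
    merged = {}
    for _name, data in reversed(hierarchy):
        if key in data:
            merged = deep_merge(data[key], merged)
    return merged

def missing_rules(hierarchy, key):
    """Rules defined in some layer but absent from the priority result."""
    effective = lookup_first(hierarchy, key) or {}
    return sorted(set(lookup_deep(hierarchy, key)) - set(effective))

if __name__ == "__main__":
    print("effective:", lookup_first(HIERARCHY, KEY))
    print("shadowed :", missing_rules(HIERARCHY, KEY))
```

Running `missing_rules` over real rendered hieradata layers is a quick audit for firewall rules that are declared but never reach iptables.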

@ -1 +1 @@
Subproject commit 5424bbcea3749ee0d6518f600d3a60abbdd4d114
Subproject commit 0ca8882dca79e90e1ad7f66a862789cecdddcb94
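
Review bot: The new pointer on the second Subproject commit line (0ca8882dca79e90e1ad7f66a862789cecdddcb94) is backed only by an iptables listing filtered with "grep hor", which shows the horizon rules but not the '107 haproxy stats' rule that the message says was being dropped. Please add output showing the dport 1993 rule is present after the bump, so the regression itself is confirmed fixed and not just the horizon side. It would also help to name the puppet-tripleo commit that 0ca8882dca79e90e1ad7f66a862789cecdddcb94 corresponds to next to the Change-Id, since the hunk alone gives no way to tie the pointer to the described change.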