From 0cd31ddc216e98a36071fd4dd362eb1457f4d3ae Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Sun, 5 Nov 2023 21:58:34 +0900
Subject: [PATCH] inspector: Add support for iptables PXE filter options

This introduces a new class to manage [pxe] options, which are used by the iptables PXE filter options. The configuration of [pxe] dnsmasq_interface option will be moved to the new class, following the existing implementation to configure the [dnsmasq_pxe_filter] dhcp_hostsdir option.

Change-Id: If0ec9eecb70d9976de76899fc115fc9facc75fdd
---
 manifests/inspector.pp | 6 ++
 manifests/inspector/pxe_filter/iptables.pp | 50 ++++++++++++++
 .../iptables-pxe-filter-e4f0ce5fb8e55d09.yaml | 10 +++
 ...ronic_inspector_pxe_filter_dnsmasq_spec.rb | 10 +--
 ...onic_inspector_pxe_filter_iptables_spec.rb | 65 +++++++++++++++++++
 5 files changed, 136 insertions(+), 5 deletions(-)
 create mode 100644 manifests/inspector/pxe_filter/iptables.pp
 create mode 100644 releasenotes/notes/iptables-pxe-filter-e4f0ce5fb8e55d09.yaml
 create mode 100644 spec/classes/ironic_inspector_pxe_filter_iptables_spec.rb

diff --git a/manifests/inspector.pp b/manifests/inspector.pp
index 8e9c5356..309fbf8e 100644
--- a/manifests/inspector.pp
+++ b/manifests/inspector.pp
@@ -342,6 +342,12 @@ class ironic::inspector (
     'port_physnet/cidr_map': value => $port_physnet_cidr_map_real;
   }
 
+  if $dnsmasq_interface != 'br-ctlplane' {
+    warning("The [pxe] dnsmasq_interface option may not be configured by this class \
+in a future release. Make sure the ironic::inspector::pxe_filter::iptables class is \
+included in the manifest")
+  }
+
   # Install package
   package { 'ironic-inspector':
     ensure => $package_ensure,
diff --git a/manifests/inspector/pxe_filter/iptables.pp b/manifests/inspector/pxe_filter/iptables.pp
new file mode 100644
index 00000000..bee40cfa
--- /dev/null
+++ b/manifests/inspector/pxe_filter/iptables.pp
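Review bot: The warning text names `[pxe] dnsmasq_interface`, but the option this deprecation hands over is written as `iptables/dnsmasq_interface` by the new ironic::inspector::pxe_filter::iptables class (and asserted under that key in its spec), so the message, the commit message and the release note all point operators at a section that is not the one being managed. Unless ironic::inspector also writes a `[pxe]` key outside this hunk, the string should read `warning("The [iptables] dnsmasq_interface option may not be configured by this class \`. Note also that the warning fires only when the value differs from `'br-ctlplane'`, so deployments on the default never see the deprecation notice; if that is deliberate to avoid noise, a one-line comment above the `if` saying so would save the next reader from treating it as a bug. The enclosing class body starts and ends outside the hunk.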
@@ -0,0 +1,50 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# Configure parameters related to the "iptables" PXE filter
+#
+# === Parameters
+#
+# [*firewall_chain*]
+#   (optional) iptables chain name to use.
+#   Defaults to $facts['os_service_default'].
+#
+# [*ethoib_interfaces*]
+#   (optional) List of Ethernet Over InfiniBand interfaces on the Inspector
+#   host which are used for physical access to the DHCP network.
+#   Defaults to $facts['os_service_default'].
+#
+# [*ip_version*]
+#   (optional) The IP version that will be used for iptables filter.
+#   Defaults to $facts['os_service_default'].
+#
+class ironic::inspector::pxe_filter::iptables (
+  $firewall_chain    = $facts['os_service_default'],
+  $ethoib_interfaces = $facts['os_service_default'],
+  $ip_version        = $facts['os_service_default'],
+) {
+
+  include ironic::deps
+  include ironic::inspector
+
+  # TODO(tkajinam): Remove usage of ensure_resource once we drop the same
+  # option from ironic::inspector
+  ensure_resource('ironic_inspector_config', 'iptables/dnsmasq_interface', {
+    value => $::ironic::inspector::dnsmasq_interface
+  })
+
+  ironic_inspector_config {
+    'iptables/firewall_chain':    value => $firewall_chain;
+    'iptables/ethoib_interfaces': value => join(any2array($ethoib_interfaces), ',');
+    'iptables/ip_version':        value => $ip_version;
+  }
+}
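Review bot: The class header documents firewall_chain, ethoib_interfaces and ip_version but says nothing about `iptables/dnsmasq_interface`, which the body also manages by reading `$::ironic::inspector::dnsmasq_interface` right after `include ironic::inspector`; someone reading the parameter list will not expect this class to be driven by another class's parameter. I would add a paragraph to the header such as `# The [iptables] dnsmasq_interface option is populated from the dnsmasq_interface parameter of ironic::inspector, which this class includes; it is not a parameter of this class.` The TODO above `ensure_resource` explains the mechanism but not that contract, and the hard dependency on `include ironic::inspector` is what makes the shared-value `ensure_resource` safe, so it is worth stating. As a point of style, the leading `::` in `$::ironic::inspector::dnsmasq_interface` is not needed on Puppet 4 and later.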
diff --git a/releasenotes/notes/iptables-pxe-filter-e4f0ce5fb8e55d09.yaml b/releasenotes/notes/iptables-pxe-filter-e4f0ce5fb8e55d09.yaml
new file mode 100644
index 00000000..1c1fca91
--- /dev/null
+++ b/releasenotes/notes/iptables-pxe-filter-e4f0ce5fb8e55d09.yaml
@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    The new ``ironic::inspector::pxe_filter::iptables`` class has been added.
+
+deprecations:
+  - |
+    Configuration of the ``[pxe] dnsmasq_interface`` option by
+    the ``ironic::inspector`` class is deprecated. The option will be
+    managed by only the ``ironic::inspector::pxe_filter::iptables`` class.
diff --git a/spec/classes/ironic_inspector_pxe_filter_dnsmasq_spec.rb b/spec/classes/ironic_inspector_pxe_filter_dnsmasq_spec.rb
index 6f7a73e1..7fe517aa 100644
--- a/spec/classes/ironic_inspector_pxe_filter_dnsmasq_spec.rb
+++ b/spec/classes/ironic_inspector_pxe_filter_dnsmasq_spec.rb
@@ -28,8 +28,8 @@ describe 'ironic::inspector::pxe_filter::dnsmasq' do
     }"
   end
 
-  shared_examples_for 'ironic inspector pxe_filter dnsmasq' do
-    it 'configure pxe_filter default params' do
+  shared_examples_for 'ironic::inspector::pxe_filter::dnsmasq' do
+    it 'configure dnsmasq pxe filter default params' do
       is_expected.to contain_ironic_inspector_config('dnsmasq_pxe_filter/dhcp_hostsdir').with_value('/etc/ironic-inspector/dhcp-hostsdir')
       is_expected.to contain_ironic_inspector_config('dnsmasq_pxe_filter/dnsmasq_start_command').with_value('')
       is_expected.to contain_ironic_inspector_config('dnsmasq_pxe_filter/dnsmasq_stop_command').with_value('')
@@ -51,7 +51,7 @@ describe 'ironic::inspector::pxe_filter::dnsmasq' do
         params
       end
 
-      it 'configure pxe_filter dnsmasq specific params' do
+      it 'configure dnsmasq pxe filter specific params' do
         is_expected.to contain_ironic_inspector_config('dnsmasq_pxe_filter/dhcp_hostsdir').with_value('/etc/ironic-inspector/dhcp-hostsdir')
         is_expected.to contain_ironic_inspector_config('dnsmasq_pxe_filter/dnsmasq_start_command').with_value(p[:dnsmasq_start_command])
         is_expected.to contain_ironic_inspector_config('dnsmasq_pxe_filter/dnsmasq_stop_command').with_value(p[:dnsmasq_stop_command])
@@ -71,8 +71,8 @@ describe 'ironic::inspector::pxe_filter::dnsmasq' do
         facts.merge!(OSDefaults.get_facts())
       end
 
-      it_behaves_like 'ironic inspector pxe_filter dnsmasq'
+      it_behaves_like 'ironic::inspector::pxe_filter::dnsmasq'
     end
   end
 
-end
\ No newline at end of file
+end
diff --git a/spec/classes/ironic_inspector_pxe_filter_iptables_spec.rb b/spec/classes/ironic_inspector_pxe_filter_iptables_spec.rb
new file mode 100644
index 00000000..0694d11e
--- /dev/null
+++ b/spec/classes/ironic_inspector_pxe_filter_iptables_spec.rb
@@ -0,0 +1,65 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for ironic::inspector::pxe_filter::iptables class
+#
+
+require 'spec_helper'
+
+describe 'ironic::inspector::pxe_filter::iptables' do
+  let :pre_condition do
+    "class { 'ironic::inspector::authtoken':
+      password => 'password',
+    }
+    class { 'ironic::inspector':
+    }"
+  end
+
+  shared_examples_for 'ironic::inspector::pxe_filter::iptables' do
+    it 'configure iptables pxe filter default params' do
+      is_expected.to contain_ironic_inspector_config('iptables/dnsmasq_interface').with_value('br-ctlplane')
+      is_expected.to contain_ironic_inspector_config('iptables/firewall_chain').with_value('')
+      is_expected.to contain_ironic_inspector_config('iptables/ethoib_interfaces').with_value('')
+      is_expected.to contain_ironic_inspector_config('iptables/ip_version').with_value('')
+    end
+
+    context 'with specific parameters' do
+      let :params do
+        {
+          :firewall_chain    => 'ironic-inspector',
+          :ethoib_interfaces => ['interface0', 'interface1'],
+          :ip_version        => 4,
+        }
+      end
+
+      it 'configure iptables pxe filter specific params' do
+        is_expected.to contain_ironic_inspector_config('iptables/dnsmasq_interface').with_value('br-ctlplane')
+        is_expected.to contain_ironic_inspector_config('iptables/firewall_chain').with_value('ironic-inspector')
+        is_expected.to contain_ironic_inspector_config('iptables/ethoib_interfaces').with_value('interface0,interface1')
+        is_expected.to contain_ironic_inspector_config('iptables/ip_version').with_value(4)
+      end
+    end
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      it_behaves_like 'ironic::inspector::pxe_filter::iptables'
+    end
+  end
+
+end
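Review bot: Both examples only ever see `iptables/dnsmasq_interface` at its default `'br-ctlplane'`, so the one piece of the new class that is not a plain parameter pass-through — the `ensure_resource` that shares this resource with `ironic::inspector` and takes its value from that class — is never exercised with a non-default value, and a regression where the two classes disagree on the value would go unnoticed here. A third context that declares `ironic::inspector` with a different `dnsmasq_interface` in `pre_condition` (the setting appears to be a parameter of that class, judging by the `$dnsmasq_interface` test in manifests/inspector.pp) and asserts the same value under `iptables/dnsmasq_interface` would close that gap; `'br-test'` below is an arbitrary example value. The assertions against `with_value('')` for the unset parameters read as checking for an empty string rather than the service default, which is worth confirming against how the existing dnsmasq spec renders that value.
```ruby
    # … unchanged: 'configure iptables pxe filter default params' and 'with specific parameters' …
    context 'with a non-default dnsmasq_interface in ironic::inspector' do
      let :pre_condition do
        "class { 'ironic::inspector::authtoken':
          password => 'password',
        }
        class { 'ironic::inspector':
          dnsmasq_interface => 'br-test',
        }"
      end

      it 'reuses the dnsmasq_interface value of ironic::inspector' do
        is_expected.to contain_ironic_inspector_config('iptables/dnsmasq_interface').with_value('br-test')
      end
    end
```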