Fix horizon firewall rules in composable roles

Atm horizon haproxy firewall rules obfuscate any other rule defined via
the tripleo.haproxy.firewall_rules key.

Things broke with https://review.opendev.org/#/c/625600/.  The reason
that was pushed is that in composable roles, when splitting off horizon
away from where haproxy runs, we would not have the proper iptables rules
on the haproxy role. This was due to the fact that we had
the following code:
      service_config_settings:
        haproxy:
          tripleo.horizon.firewall_rules:
            '127 horizon':
              dport:
                - 80
                - 443

The above code never worked as explained in
3f8ce6fd96bc4f28a052b4c87a19b4b152734091 and so we fixed it by setting
the proper tripleo.haproxy.firewall_rules key. The issue is that rules
for haproxy should just never have been set at all via
service_config_settings keys in the first place. As demonstrated with
this bug, the merging of hiera dictionaries will mess us up and we'll
end up overwriting other keys. Haproxy stats access has this:
outputs:
  role_data:
    description: Role data for the HAproxy role.
    value:
      service_name: haproxy
      monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
      config_settings:
        map_merge:
          - tripleo.haproxy.firewall_rules:
              '107 haproxy stats':
                dport: 1993

And since hiera will return the horizon settings for
tripleo.haproxy.firewall_rules which won't be deep merged with the
firewall rules from haproxy stats and so rule '107 haproxy stats' will
never be present.

Rules for haproxy need to happen in puppet-tripleo/manifests/haproxy*.
Normally they do, the exception is horizon which uses a specialized
horizon_endpoint.pp manifest which does not trigger these rules.

Let's create the firewall rules in haproxy/horizon_endpoint.pp like we
do for all other endpoints.

Tested and correctly got:
[root@controller-0 ~]# iptables -nvL |grep hor
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80 state NEW /* 100 horizon_haproxy ipv4 */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 443 state NEW /* 100 horizon_haproxy_ssl ipv4 */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 state NEW /* 126 horizon ipv4 */

Change-Id: I1325171ef60d7a7e3b57373082fcdb5487be939b
Related-Bug: #1829338
(cherry picked from commit 6c2e164ada)
(cherry picked from commit f58d8af343)
This commit is contained in:
Michele Baldessari 2019-05-16 09:12:50 +02:00
parent 3adf960719
commit b34f02c7fe
2 changed files with 28 additions and 0 deletions

View File

@ -1292,6 +1292,7 @@ class tripleo::haproxy (
use_internal_certificates => $use_internal_certificates,
internal_certificates_specs => $internal_certificates_specs,
service_network => $horizon_network,
manage_firewall => $manage_firewall,
}
}

View File

@ -66,6 +66,11 @@
# fetching the certificate for that specific network.
# Defaults to undef
#
# [*manage_firewall*]
# (optional) Enable or disable firewall settings for ports exposed by HAProxy
# (false means disabled, and true means enabled)
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
#
class tripleo::haproxy::horizon_endpoint (
$internal_ip,
$ip_addresses,
@ -77,6 +82,7 @@ class tripleo::haproxy::horizon_endpoint (
$use_internal_certificates = false,
$internal_certificates_specs = {},
$service_network = undef,
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
) {
# Let users override the options on a per-service basis
$custom_options = hiera('tripleo::haproxy::horizon::options', undef)
@ -158,4 +164,25 @@ class tripleo::haproxy::horizon_endpoint (
options => union($member_options, ["cookie ${server}"]),
}
}
if $manage_firewall {
include ::tripleo::firewall
$haproxy_horizon_firewall_rules = {
'100 horizon_haproxy' => {
'dport' => 80,
},
}
if $public_certificate {
$haproxy_horizon_ssl_firewall_rules = {
'100 horizon_haproxy_ssl' => {
'dport' => 443,
},
}
} else {
$haproxy_horizon_ssl_firewall_rules = {}
}
$horizon_firewall_rules = merge($haproxy_horizon_firewall_rules, $haproxy_horizon_ssl_firewall_rules)
if !empty($horizon_firewall_rules) {
create_resources('tripleo::firewall::rule', $horizon_firewall_rules)
}
}
}