Fix horizon firewall rules in composable roles
Atm horizon haproxy firewall rules obfuscate any other rule defined via the tripleo.haproxy.firewall_rules key. Things broke with https://review.opendev.org/#/c/625600/.

The reason that was pushed is that in composable roles, when splitting off horizon away from where haproxy runs, we would not have the proper iptables rules on the haproxy role. This was due to the fact that we had the following code:

    service_config_settings:
      haproxy:
        tripleo.horizon.firewall_rules:
          '127 horizon':
            dport:
              - 80
              - 443

The above code never worked as explained in 3f8ce6fd96bc4f28a052b4c87a19b4b152734091 and so we fixed it by setting the proper tripleo.haproxy.firewall_rules key.

The issue is that rules for haproxy should just never have been set at all via service_config_settings keys in the first place. As demonstrated with this bug, the merging of hiera dictionaries will mess us up and we'll end up overwriting other keys. Haproxy stats access has this:

    outputs:
      role_data:
        description: Role data for the HAproxy role.
        value:
          service_name: haproxy
          monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
          config_settings:
            map_merge:
              - tripleo.haproxy.firewall_rules:
                  '107 haproxy stats':
                    dport: 1993

And since hiera will return the horizon settings for tripleo.haproxy.firewall_rules, which won't be deep merged with the firewall rules from haproxy stats, rule '107 haproxy stats' will never be present.

Rules for haproxy need to happen in puppet-tripleo/manifests/haproxy*. Normally they do; the exception is horizon, which uses a specialized horizon_endpoint.pp manifest which does not trigger these rules. Let's create the firewall rules in haproxy/horizon_endpoint.pp like we do for all other endpoints.

Tested and correctly got:

    [root@controller-0 ~]# iptables -nvL |grep hor
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80 state NEW /* 100 horizon_haproxy ipv4 */
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 443 state NEW /* 100 horizon_haproxy_ssl ipv4 */
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 state NEW /* 126 horizon ipv4 */

Change-Id: I1325171ef60d7a7e3b57373082fcdb5487be939b
Related-Bug: #1829338
(cherry picked from commit 6c2e164ada)
(cherry picked from commit f58d8af343)
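To make the key collision the commit message describes reproducible offline, here is an added Ruby example (not code from puppet-tripleo or tripleo-heat-templates). The two settings fragments are constructed to mirror the ones quoted above, and the combining step is modelled as a shallow, top-level-only merge, which is the assumption behind the lost '107 haproxy stats' rule; a recursive merge is shown beside it for contrast.

```ruby
# Added example, not from puppet-tripleo. Models the hiera key collision from
# the commit message: two services set tripleo.haproxy.firewall_rules and a
# top-level-only merge lets the later fragment replace the earlier one.
KEY = 'tripleo.haproxy.firewall_rules'.freeze

# Constructed: what horizon used to push for the haproxy role through
# service_config_settings (the approach this commit removes).
HORIZON_SETTINGS = {
  KEY => { '127 horizon' => { 'dport' => [80, 443] } },
}.freeze

# Constructed: what the haproxy service sets in its own config_settings.
HAPROXY_SETTINGS = {
  KEY => { '107 haproxy stats' => { 'dport' => 1993 } },
}.freeze

# Shallow merge: only top-level keys are combined and the override wins,
# so a nested rule set is replaced wholesale rather than extended.
def shallow_merge(base, override)
  base.merge(override)
end

# Deep merge: nested hashes are combined recursively; scalars still
# take the override's value.
def deep_merge(base, override)
  base.merge(override) do |_k, b, o|
    b.is_a?(Hash) && o.is_a?(Hash) ? deep_merge(b, o) : o
  end
end

# Rule names that would reach create_resources on the haproxy role when
# horizon's fragment is applied on top of haproxy's with merge_fn.
def firewall_rule_names(merge_fn)
  merge_fn.call(HAPROXY_SETTINGS, HORIZON_SETTINGS).fetch(KEY).keys.sort
end

# Check: every rule name a fragment contributed must survive the merge.
# Returns the names that were lost (empty when the merge is lossless).
def lost_rules(merge_fn, *fragments)
  merged = fragments.reduce { |acc, f| merge_fn.call(acc, f) }
  expected = fragments.flat_map { |f| f.fetch(KEY).keys }
  expected - merged.fetch(KEY).keys
end

if __FILE__ == $PROGRAM_NAME
  puts "shallow merge keeps: #{firewall_rule_names(method(:shallow_merge))}"
  puts "deep merge keeps:    #{firewall_rule_names(method(:deep_merge))}"
  puts "lost under shallow:  #{lost_rules(method(:shallow_merge), HAPROXY_SETTINGS, HORIZON_SETTINGS)}"
end
```

The `lost_rules` check is the kind of assertion that would have caught this regression in a template unit test: the shallow merge drops '107 haproxy stats' while the deep merge keeps both rules.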
This commit is contained in:
parent
3adf960719
commit
b34f02c7fe
@ -1292,6 +1292,7 @@ class tripleo::haproxy (
use_internal_certificates => $use_internal_certificates,
internal_certificates_specs => $internal_certificates_specs,
service_network => $horizon_network,
manage_firewall => $manage_firewall,
}
}
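Review bot: a one-line comment next to `manage_firewall => $manage_firewall,` would help the next reader of tripleo::haproxy, since this is the only endpoint whose rules were previously expected to arrive through hiera rather than from the manifest; stating that horizon_endpoint now creates its own rules like the other endpoints records why the parameter is passed here.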
@ -66,6 +66,11 @@
# fetching the certificate for that specific network.
# Defaults to undef
#
# [*manage_firewall*]
# (optional) Enable or disable firewall settings for ports exposed by HAProxy
# (false means disabled, and true means enabled)
# Defaults to hiera('tripleo::firewall::manage_firewall', true)
#
class tripleo::haproxy::horizon_endpoint (
$internal_ip,
$ip_addresses,
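Review bot: the parameter description "Enable or disable firewall settings for ports exposed by HAProxy" is copied from the top-level class and is broader than what this class does; in horizon_endpoint the toggle only governs the horizon listener ports, so "for the horizon ports exposed by HAProxy (80, and 443 when a public certificate is configured)" would document the actual scope.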
@ -77,6 +82,7 @@ class tripleo::haproxy::horizon_endpoint (
$use_internal_certificates = false,
$internal_certificates_specs = {},
$service_network = undef,
$manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
) {
# Let users override the options on a per-service basis
$custom_options = hiera('tripleo::haproxy::horizon::options', undef)
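Review bot: the default `hiera('tripleo::firewall::manage_firewall', true)` only takes effect when horizon_endpoint is declared without the caller passing the value (the first hunk always passes it from tripleo::haproxy), so it must stay in step with the top-level class's own default; an operator who sets tripleo::firewall::manage_firewall to false should get the same behaviour through both paths, which the `true` fallback preserves as long as the key name is the same one tripleo::haproxy consults.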
@ -158,4 +164,25 @@ class tripleo::haproxy::horizon_endpoint (
options => union($member_options, ["cookie ${server}"]),
}
}
if $manage_firewall {
include ::tripleo::firewall
$haproxy_horizon_firewall_rules = {
'100 horizon_haproxy' => {
'dport' => 80,
},
}
if $public_certificate {
$haproxy_horizon_ssl_firewall_rules = {
'100 horizon_haproxy_ssl' => {
'dport' => 443,
},
}
} else {
$haproxy_horizon_ssl_firewall_rules = {}
}
$horizon_firewall_rules = merge($haproxy_horizon_firewall_rules, $haproxy_horizon_ssl_firewall_rules)
if !empty($horizon_firewall_rules) {
create_resources('tripleo::firewall::rule', $horizon_firewall_rules)
}
}
}
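Review bot: the `if !empty($horizon_firewall_rules)` guard can never be false, because `$haproxy_horizon_firewall_rules` unconditionally carries '100 horizon_haproxy', so the merged hash always has at least one entry; either drop the guard and call `create_resources('tripleo::firewall::rule', $horizon_firewall_rules)` directly, or keep it only if the port-80 rule is meant to become conditional later. Two smaller points on the same block: neither rule sets 'proto', so both rely on the tripleo::firewall::rule default (the tested output in the commit message shows tcp), which deserves a comment; and the 443 rule is keyed on `$public_certificate` alone, so please confirm that matches the condition under which this manifest creates the 443 listener, otherwise a listener and its rule could diverge.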