Ensure we get at least one ctlplane subnet

This will prevent situations where firewall rules are applied to the overcloud nodes without any tagged ctlplane subnet, leading to a lockout from the nodes, making the whole deploy failing (and node unreachable). This is especially important for the deployed-server case. Related-Bug: #1839324 Change-Id: Ib3eca07050474930bfe60d6db24ef1c683079a24
2019-08-13 09:59:06 +02:00 · 2019-08-13 09:59:06 +02:00 · 34f3cbde64
parent add486cfec
commit 34f3cbde64
1 changed files with 19 additions and 0 deletions
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
@ -39,6 +39,12 @@ parameters:
    description: Whether IPtables rules should be purged before setting up the new ones.
    type: boolean

+conditions:
+  no_ctlplane:
+    equals:
+      - get_params: [ServiceData, net_cidr_map, ctlplane]
+      - Null
+
 outputs:
  role_data:
    description: Role data for the TripleO firewall settings
@ -60,6 +66,19 @@ outputs:

      step_config: |
        include ::tripleo::firewall
+
+      host_prep_tasks:
+        if:
+        - no_ctlplane
+        -
+          name: Ensure ctlplane subnet is set
+          fail:
+            msg: |
+              No CIDRs found in the ctlplane network tags.
+              Please refer to the documentation in order to
+              set the correct network tags in DeployedServerPortMap.
+        - null
+
      deploy_steps_tasks:
        - when: step|int == 0
          block: