From 34f3cbde646cbf263b4c2db7f828ba2edb13e2bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= <cjeanner@redhat.com>
Date: Tue, 13 Aug 2019 09:59:06 +0200
Subject: [PATCH] Ensure we get at least one ctlplane subnet

This will prevent situations where firewall rules are applied to the
overcloud nodes without any tagged ctlplane subnet, leading to a lockout
from the nodes, making the whole deploy failing (and node unreachable).

This is especially important for the deployed-server case.

Related-Bug: #1839324
Change-Id: Ib3eca07050474930bfe60d6db24ef1c683079a24
---
 .../tripleo-firewall-baremetal-puppet.yaml    | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml b/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
index be39f9d82a..393c8c1dbd 100644
--- a/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
+++ b/deployment/tripleo-firewall/tripleo-firewall-baremetal-puppet.yaml
@@ -39,6 +39,12 @@ parameters:
     description: Whether IPtables rules should be purged before setting up the new ones.
     type: boolean
 
+conditions:
+  no_ctlplane:
+    equals:
+      - get_params: [ServiceData, net_cidr_map, ctlplane]
+      - Null
+
 outputs:
   role_data:
     description: Role data for the TripleO firewall settings
@@ -60,6 +66,19 @@ outputs:
 
       step_config: |
         include ::tripleo::firewall
+
+      host_prep_tasks:
+        if:
+        - no_ctlplane
+        -
+          name: Ensure ctlplane subnet is set
+          fail:
+            msg: |
+              No CIDRs found in the ctlplane network tags.
+              Please refer to the documentation in order to
+              set the correct network tags in DeployedServerPortMap.
+        - null
+
       deploy_steps_tasks:
         - when: step|int == 0
           block: