From e770e364fb0840d1f192530af8ec453f118327eb Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Fri, 14 Dec 2018 14:40:08 +0100 Subject: [PATCH] Fix horizon's iptables rules for haproxy when split off a separate role This should have been fixed via: https://review.openstack.org/#/c/460175/2 where we did: service_config_settings: haproxy: tripleo.horizon.firewall_rules: '127 horizon': dport: - 80 - 443 The problem is that the above does not work. Reason for this is the way tripleo::firewall works. It will only apply iptables rules for that show up in hiera('service_names'): $service_names = hiera('service_names', []) tripleo::firewall::service_rules { $service_names: } And since horizon is not in the service running on the haproxy role, the above rule would never have been created. Tested this change and now I correctly get the iptables rules on the haproxy role for horizon: [root@overcloud-core-0 ~]# iptables -nvL |grep horizon 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW /* 127 horizon ipv4 */ [root@overcloud-core-0 ~]# hiera -c /etc/puppet/hiera.yaml service_names |grep horizon [root@overcloud-core-0 ~]# Closes-Bug: #1808530 Change-Id: Ia4a795d1a7fb926f5900c739c1932b20d81ed7fc Co-Authored-By: Damien Ciabrini (cherry picked from commit 3114300c9cd922998d426e4d33269a9fc96630c0) --- puppet/services/horizon.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index 724a6380b8..4dd5820ead 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -171,7 +171,7 @@ outputs: service: name=httpd state=stopped service_config_settings: haproxy: - tripleo.horizon.firewall_rules: + tripleo.haproxy.firewall_rules: '127 horizon': dport: - 80
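Review bot: The renamed key `tripleo.haproxy.firewall_rules` under `service_config_settings: haproxy:` now holds a rule named '127 horizon', and nothing in horizon.yaml explains why a horizon rule is keyed under the haproxy service name. A short YAML comment above the key would help. It should say that tripleo::firewall only creates rules for names present in hiera('service_names'), so the rule must be keyed under a service that actually runs on the haproxy role. Otherwise a later cleanup could easily "correct" the key back to `tripleo.horizon.firewall_rules` and silently drop the ACCEPT for ports 80 and 443. It is also worth confirming how this key combines with any `tripleo.haproxy.firewall_rules` value set elsewhere for the haproxy service. If the lookup is not a hash merge, one definition would replace the other. The test output in the commit message only greps for horizon, so it shows the new rule is present but not that the rest of the haproxy rule set on that node is unchanged. A before/after comparison of the full `iptables -nvL` output on the haproxy role would cover that.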