Fix haproxy firewall rules

The problem we want to selve is that the change https://review.opendev.org/#/c/631486/ (moving iptables creation to the host) never really worked. The reason it never worked and we never noticed is two-fold: A) It ran: -e include ::tripleo::profile::base::haproxy the problem is that without quoting puppet basically does a noop B) Once the quoting is fixed it breaks because 'export FACTER_step' exports a custom fact but does not export a hiera key per-se (so calls to hiera('step') would fail So we add proper quoting only on the variables that are arguments to a parameter so that there is no risk of ansible doing the wrong thing and puppet gets the correct arguments. We also explicitely set the step for hiera in the deploy_steps_tasks. The reason we need it is because in non-HA the iptables rules would be created at step 1. But since the deploy_steps_tasks run before the actual tasks that set the step hieradata.we would get the following error: Error: Function lookup() did not find a value for the name 'step' We can just write out the step hiera key during the deploy_steps_tasks, it will be enforced again shortly afterwards once the common/deploy-steps-tasks.yaml gets invoked. We also switch back to puppet_execute: ::tripleo::profile::base::haproxy even for the pacemaker profile. This was broken by the flattening of the haproxy service (Id55ae44a7b1b5f08b40170f7406e14973fa93639) Co-Authored-By: Luca Miccini <lmiccini@redhat.com> Change-Id: Iab310207ca17a6c596470dda30a39e029c4fe09c Closes-Bug: #1828250
2019-05-08 17:14:51 +02:00 · 2019-05-08 17:14:51 +02:00 · ef6c23ef64
commit ef6c23ef64
parent 33c98887c0
3 changed files with 13 additions and 9 deletions
--- a/common/deploy-steps.j2
+++ b/common/deploy-steps.j2
@ -430,6 +430,12 @@ outputs:
                docker_puppet_process_count: DOCKER_PUPPET_PROCESS_COUNT
                docker_puppet_mount_host_puppet: DOCKER_PUPPET_MOUNT_HOST_PUPPET
              tasks:
+                - name: Write the config_step hieradata for the deploy step {{step}} tasks
+                  copy:
+                    content: "{{ '{{' }} dict(step=step|int) | to_json {{ '}}' }}"
+                    dest: /etc/puppet/hieradata/config_step.json
+                    force: true
+                    mode: '0600'
 {%- for role in roles %}
                - import_tasks: {{role.name}}/deploy_steps_tasks.yaml
                  when: tripleo_role_name == '{{role.name}}'
--- a/deployment/haproxy/haproxy-container-puppet.yaml
+++ b/deployment/haproxy/haproxy-container-puppet.yaml
@ -284,9 +284,8 @@ outputs:
          when: step|int == 1
          shell: |
            set +e
-            export FACTER_step=1
            puppet apply {{ puppet_debug }} --detailed-exitcodes --summarize --color=false \
-                --modulepath {{ puppet_modulepath }} --tags {{ puppet_tags }} -e {{ puppet_execute }}
+                --modulepath '{{ puppet_modulepath }}' --tags '{{ puppet_tags }}' -e '{{ puppet_execute }}'
            rc=$?
            set -e
            set +ux
@ -296,8 +295,8 @@ outputs:
            exit $rc
          vars:
            puppet_execute: include ::tripleo::profile::base::haproxy
-            puppet_tags: 'tripleo::firewall::rule'
-            puppet_modulepath: '/etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules'
+            puppet_tags: tripleo::firewall::rule
+            puppet_modulepath: /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules
            puppet_debug:
              if:
                - puppet_debug_enabled
--- a/deployment/haproxy/haproxy-pacemaker-puppet.yaml
+++ b/deployment/haproxy/haproxy-pacemaker-puppet.yaml
@ -335,9 +335,8 @@ outputs:
          when: step|int == 2
          shell: |
            set +e
-            export FACTER_step=2
            puppet apply {{ puppet_debug }} --detailed-exitcodes --summarize --color=false \
-                --modulepath {{ puppet_modulepath }} --tags {{ puppet_tags }} -e {{ puppet_execute }}
+                --modulepath '{{ puppet_modulepath }}' --tags '{{ puppet_tags }}' -e '{{ puppet_execute }}'
            rc=$?
            set -e
            set +ux
@ -346,9 +345,9 @@ outputs:
            fi
            exit $rc
          vars:
-            puppet_execute: include ::tripleo::profile::pacemaker::haproxy
-            puppet_tags: 'tripleo::firewall::rule'
-            puppet_modulepath: '/etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules'
+            puppet_execute: include ::tripleo::profile::base::haproxy
+            puppet_tags: tripleo::firewall::rule
+            puppet_modulepath: /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules
            puppet_debug:
              if:
                - puppet_debug_enabled