From ef6c23ef64ec7d96a45aabb844cf9451c27ae29c Mon Sep 17 00:00:00 2001
From: Michele Baldessari
Date: Wed, 8 May 2019 17:14:51 +0200
Subject: [PATCH] Fix haproxy firewall rules
The problem we want to selve is that the change https://review.opendev.org/#/c/631486/ (moving iptables creation to the host) never really worked. The reason it never worked and we never noticed is two-fold: A) It ran: -e include ::tripleo::profile::base::haproxy the problem is that without quoting puppet basically does a noop B) Once the quoting is fixed it breaks because 'export FACTER_step' exports a custom fact but does not export a hiera key per-se (so calls to hiera('step') would fail So we add proper quoting only on the variables that are arguments to a parameter so that there is no risk of ansible doing the wrong thing and puppet gets the correct arguments. We also explicitely set the step for hiera in the deploy_steps_tasks. The reason we need it is because in non-HA the iptables rules would be created at step 1. But since the deploy_steps_tasks run before the actual tasks that set the step hieradata.we would get the following error: Error: Function lookup() did not find a value for the name 'step' We can just write out the step hiera key during the deploy_steps_tasks, it will be enforced again shortly afterwards once the common/deploy-steps-tasks.yaml gets invoked. We also switch back to puppet_execute: ::tripleo::profile::base::haproxy even for the pacemaker profile. This was broken by the flattening of the haproxy service (Id55ae44a7b1b5f08b40170f7406e14973fa93639)
Co-Authored-By: Luca Miccini
Change-Id: Iab310207ca17a6c596470dda30a39e029c4fe09c
Closes-Bug: #1828250
---
 common/deploy-steps.j2 | 6 ++++++
 deployment/haproxy/haproxy-container-puppet.yaml | 7 +++----
 deployment/haproxy/haproxy-pacemaker-puppet.yaml | 9 ++++-----
 3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/common/deploy-steps.j2 b/common/deploy-steps.j2
index 8767581fb2..3b8b4044fe 100644
--- a/common/deploy-steps.j2
+++ b/common/deploy-steps.j2
@@ -430,6 +430,12 @@ outputs:
 docker_puppet_process_count: DOCKER_PUPPET_PROCESS_COUNT
 docker_puppet_mount_host_puppet: DOCKER_PUPPET_MOUNT_HOST_PUPPET
 tasks:
+ - name: Write the config_step hieradata for the deploy step {{step}} tasks
+ copy:
+ content: "{{ '{{' }} dict(step=step|int) | to_json {{ '}}' }}"
+ dest: /etc/puppet/hieradata/config_step.json
+ force: true
+ mode: '0600'
 {%- for role in roles %}
 - import_tasks: {{role.name}}/deploy_steps_tasks.yaml
 when: tripleo_role_name == '{{role.name}}'
diff --git a/deployment/haproxy/haproxy-container-puppet.yaml b/deployment/haproxy/haproxy-container-puppet.yaml
index 448d4ceffc..b9c1f3b174 100644
--- a/deployment/haproxy/haproxy-container-puppet.yaml
+++ b/deployment/haproxy/haproxy-container-puppet.yaml
@@ -284,9 +284,8 @@ outputs:
 when: step|int == 1
 shell: |
 set +e
- export FACTER_step=1
 puppet apply {{ puppet_debug }} --detailed-exitcodes --summarize --color=false \
- --modulepath {{ puppet_modulepath }} --tags {{ puppet_tags }} -e {{ puppet_execute }}
+ --modulepath '{{ puppet_modulepath }}' --tags '{{ puppet_tags }}' -e '{{ puppet_execute }}'
 rc=$?
 set -e
 set +ux
@@ -296,8 +295,8 @@ outputs:
 exit $rc
 vars:
 puppet_execute: include ::tripleo::profile::base::haproxy
- puppet_tags: 'tripleo::firewall::rule'
- puppet_modulepath: '/etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules'
+ puppet_tags: tripleo::firewall::rule
+ puppet_modulepath: /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules
 puppet_debug:
 if:
 - puppet_debug_enabled
diff --git a/deployment/haproxy/haproxy-pacemaker-puppet.yaml b/deployment/haproxy/haproxy-pacemaker-puppet.yaml
index c1c82695fb..b866cd9207 100644
--- a/deployment/haproxy/haproxy-pacemaker-puppet.yaml
+++ b/deployment/haproxy/haproxy-pacemaker-puppet.yaml
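Review bot: The new copy task in common/deploy-steps.j2 carries no comment explaining why config_step.json is written here in addition to common/deploy-steps-tasks.yaml, which the commit message says rewrites it shortly afterwards. Without that, a later cleanup could remove one of the two writers and bring back the `lookup()` failure on `step`. Suggested comment above the task: `# deploy_steps_tasks run before the step hieradata is written, so puppet apply in those tasks needs the step key here`. The task sets `mode: '0600'` but no `owner`/`group`, so ownership follows whatever user the play runs as; worth confirming that matches the later writer. The tasks list continues outside the hunk.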
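Review bot: Wrapping the Jinja expansions in literal single quotes on the `--modulepath ... -e` line only holds while the rendered values contain no `'`; a value with one would end the quoting and the remainder would be parsed by the shell. The three variables are static in this task's `vars`, so this is hardening rather than a live defect, but Ansible's `quote` filter does the escaping for any value: `--modulepath {{ puppet_modulepath | quote }} --tags {{ puppet_tags | quote }} -e {{ puppet_execute | quote }}`. `{{ puppet_debug }}` stays unquoted, which looks intentional since it may be empty or hold several flags. The same line is changed the same way in the first hunk of haproxy-pacemaker-puppet.yaml; the shell block itself continues outside the hunk.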
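Review bot: Dropping the YAML quotes from `puppet_tags` and `puppet_modulepath` should not change the parsed values with a standard YAML loader, so the behavioural fix is in the shell line and these two lines are only a style change. Plain scalars full of colons are one edit away from a `: ` that turns the value into a mapping, so I would keep them quoted, e.g. `puppet_tags: 'tripleo::firewall::rule'`. The same unquoting is done in the second hunk of haproxy-pacemaker-puppet.yaml. The `vars` mapping continues outside the hunk.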
@@ -335,9 +335,8 @@ outputs:
 when: step|int == 2
 shell: |
 set +e
- export FACTER_step=2
 puppet apply {{ puppet_debug }} --detailed-exitcodes --summarize --color=false \
- --modulepath {{ puppet_modulepath }} --tags {{ puppet_tags }} -e {{ puppet_execute }}
+ --modulepath '{{ puppet_modulepath }}' --tags '{{ puppet_tags }}' -e '{{ puppet_execute }}'
 rc=$?
 set -e
 set +ux
@@ -346,9 +345,9 @@ outputs:
 fi
 exit $rc
 vars:
- puppet_execute: include ::tripleo::profile::pacemaker::haproxy
- puppet_tags: 'tripleo::firewall::rule'
- puppet_modulepath: '/etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules'
+ puppet_execute: include ::tripleo::profile::base::haproxy
+ puppet_tags: tripleo::firewall::rule
+ puppet_modulepath: /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules
 puppet_debug:
 if:
 - puppet_debug_enabled
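Review bot: `puppet_execute` in the pacemaker template now includes `::tripleo::profile::base::haproxy`, and nothing in the file says this is deliberate. The commit message explains it, but someone reading only the template will see a base profile inside a pacemaker service and may switch it back, which per the commit message is what broke the firewall rules. Suggested comment above the line: `# base profile on purpose: this run only applies tripleo::firewall::rule via --tags (bug #1828250)`. The `vars` mapping continues outside the hunk.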