Ironic: add missing haproxy and firewall configuration

Make sure Ironic API listens on a different IP than HAProxy. Also open firewall ports for Ironic API and TFTP. Change-Id: I9d843e76adcdb1085fd1e9fb7408a2387909382b
2016-08-17 17:12:26 +02:00 · 2016-08-17 17:12:26 +02:00 · fc614ec1a3
commit fc614ec1a3
parent 319c42475c
3 changed files with 12 additions and 0 deletions
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@ -75,6 +75,7 @@ outputs:
        tripleo::haproxy::heat_cloudwatch: true
        tripleo::haproxy::heat_cfn: true
        tripleo::haproxy::horizon: true
+        tripleo::haproxy::ironic: true
        tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
        tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
        tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
--- a/puppet/services/ironic-api.yaml
+++ b/puppet/services/ironic-api.yaml
@ -50,6 +50,7 @@ outputs:
            ironic::api::authtoken::username: 'ironic'
            ironic::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
            ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+            ironic::api::host_ip: {get_input: ironic_api_network}
            ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
            # This is used to build links in responses
            ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
@ -59,5 +60,10 @@ outputs:
            ironic::keystone::auth::auth_name: 'ironic'
            ironic::keystone::auth::password: {get_param: IronicPassword }
            ironic::keystone::auth::tenant: 'service'
+            tripleo.ironic_api.firewall_rules:
+              '133 ironic api':
+                dport:
+                  - 6385
+                  - 13385
      step_config: |
        include ::tripleo::profile::base::ironic::api
--- a/puppet/services/ironic-conductor.yaml
+++ b/puppet/services/ironic-conductor.yaml
@ -41,10 +41,15 @@ outputs:
          - get_attr: [IronicBase, role_data, config_settings]
          # FIXME: I have no idea why neutron_url is in "api" manifest
          - ironic::api::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]}
+            ironic::conductor::api_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
            ironic::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
            ironic::enabled_drivers: {get_param: IronicEnabledDrivers}
            # Prevent tftp_server from defaulting to my_ip setting, which is
            # controller VIP, not a real IP.
            ironic::drivers::pxe::tftp_server: {get_input: ironic_api_network}
+            tripleo.ironic_conductor.firewall_rules:
+              '134 ironic conductor TFTP':
+                dport: 69
+                proto: udp
      step_config: |
        include ::tripleo::profile::base::ironic::conductor