X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=docker%2Fservices%2Fhaproxy.yaml;h=2f0584ea2db18fd3c25967c5ad0ee4f78c997e21;hb=865c65b8f43a909c94b1b50712b5baf088af9566;hp=f080dcb2039c7a8998bfbbb439c9b99002b22c61;hpb=04d797c09e3ae3fbc0025dfc4dec30b2b44d4620;p=apex-tripleo-heat-templates.git

diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml
index f080dcb2..2f0584ea 100644
--- a/docker/services/haproxy.yaml
+++ b/docker/services/haproxy.yaml
@@ -85,6 +85,7 @@ outputs:
         map_merge:
           - get_attr: [HAProxyBase, role_data, config_settings]
           - tripleo::haproxy::haproxy_daemon: false
+            tripleo::haproxy::haproxy_service_manage: false
       step_config: &step_config
         get_attr: [HAProxyBase, role_data, step_config]
       service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
@@ -92,7 +93,8 @@ outputs:
       puppet_config:
         config_volume: haproxy
         puppet_tags: haproxy_config
-        step_config: *step_config
+        step_config:
+          "class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
         config_image: {get_param: DockerHAProxyConfigImage}
         volumes: &deployed_cert_mount
           - list_join:
@@ -110,10 +112,44 @@ outputs:
               preserve_properties: true
       docker_config:
         step_1:
+          haproxy_firewall:
+            detach: false
+            image: {get_param: DockerHAProxyImage}
+            net: host
+            user: root
+            privileged: true
+            command:
+              - '/bin/bash'
+              - '-c'
+              - str_replace:
+                  template:
+                    list_join:
+                      - '; '
+                      - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 1}' > /etc/puppet/hieradata/docker.json"
+                        - "FACTER_uuid=docker puppet apply --tags TAGS -v -e 'CONFIG'"
+                  params:
+                    TAGS: 'tripleo::firewall::rule'
+                    CONFIG: *step_config
+            volumes:
+              list_concat:
+                - {get_attr: [ContainersCommon, volumes]}
+                - *deployed_cert_mount
+                -
+                  - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
+                  - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
+                  # puppet saves iptables rules in /etc/sysconfig
+                  - /etc/sysconfig:/etc/sysconfig:rw
+                  # saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount
+                  # the necessary bit and prevent systemd to try to reload the service in the container
+                  - /usr/libexec/iptables:/usr/libexec/iptables:ro
+                  - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
+                  - /etc/puppet:/tmp/puppet-etc:ro
+                  - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
+            environment:
+              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
           haproxy:
             image: {get_param: DockerHAProxyImage}
             net: host
-            privileged: false
             restart: always
             volumes:
               list_concat: