When docker-puppet runs module tripleo::haproxy to generate haproxy
configuration file, and tripleo::firewall::manage_firewall is true,
iptables is called to set up firewall rules for the proxied services
and fails due to lack of NET_ADMIN capability.
Make the generation of firewall rule configurable by exposing a
new argument to the puppet module. That way, firewall management can
be temporarily disabled when being run through docker-puppet.
Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9
Partial-Bug: #
1697921
# Should haproxy run in daemon mode or not
# Defaults to true
#
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
# [*controller_hosts*]
# IPs of host or group of hosts to load-balance the services
# Can be a string or an array.
$haproxy_daemon = true,
$haproxy_stats_user = 'admin',
$haproxy_stats_password = undef,
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
$controller_hosts = hiera('controller_node_ips'),
$controller_hosts_names = hiera('controller_node_names', undef),
$contrail_config_hosts = hiera('contrail_config_node_ips', undef),
use_internal_certificates => $use_internal_certificates,
internal_certificates_specs => $internal_certificates_specs,
listen_options => $default_listen_options,
+ manage_firewall => $manage_firewall,
}
if $haproxy_stats {
server_names => hiera('mysql_node_names', $controller_hosts_names_real),
options => $mysql_member_options_real,
}
- if hiera('tripleo::firewall::manage_firewall', true) {
+ if $manage_firewall {
include ::tripleo::firewall
$mysql_firewall_rules = {
'100 mysql_haproxy' => {
server_names => hiera('redis_node_names', $controller_hosts_names_real),
options => $haproxy_member_options,
}
- if hiera('tripleo::firewall::manage_firewall', true) {
+ if $manage_firewall {
include ::tripleo::firewall
$redis_firewall_rules = {
'100 redis_haproxy' => {
# fetching the certificate for that specific network.
# Defaults to undef
#
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
define tripleo::haproxy::endpoint (
$internal_ip,
$service_port,
$use_internal_certificates = false,
$internal_certificates_specs = {},
$service_network = undef,
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
) {
if $public_virtual_ip {
# service exposed to the public network
server_names => $server_names,
options => $member_options,
}
- if hiera('tripleo::firewall::manage_firewall', true) {
+ if $manage_firewall {
include ::tripleo::firewall
# This block will construct firewall rules only when we specify
# a port for the regular service and also the ssl port for the service.
# (Optional) Whether or not loadbalancer is enabled.
# Defaults to hiera('enable_load_balancer', true).
#
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
class tripleo::profile::base::haproxy (
$certificates_specs = {},
$enable_load_balancer = hiera('enable_load_balancer', true),
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
$step = Integer(hiera('step')),
) {
if $step >= 1 {
if $enable_load_balancer {
class {'::tripleo::haproxy':
internal_certificates_specs => $certificates_specs,
+ manage_firewall => $manage_firewall,
}
unless hiera('tripleo::haproxy::haproxy_service_manage', true) {
# (Optional) Whether load balancing is enabled for this cluster
# Defaults to hiera('enable_load_balancer', true)
#
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
class tripleo::profile::pacemaker::haproxy (
$bootstrap_node = hiera('haproxy_short_bootstrap_node_name'),
$enable_load_balancer = hiera('enable_load_balancer', true),
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
$step = Integer(hiera('step')),
$pcs_tries = hiera('pcs_tries', 20),
) {
- include ::tripleo::profile::base::haproxy
+ class {'::tripleo::profile::base::haproxy':
+ manage_firewall => $manage_firewall,
+ }
if $::hostname == downcase($bootstrap_node) {
$pacemaker_master = true
Code Review / apex-puppet-tripleo.git / commitdiff