Add haproxy firewall rules for galera and redis
authorMichele Baldessari <michele@acksyn.org>
Thu, 5 Jan 2017 19:27:46 +0000 (20:27 +0100)
committerMichele Baldessari <michele@acksyn.org>
Mon, 9 Jan 2017 10:45:03 +0000 (11:45 +0100)
This change adds haproxy rules for galera and redis.  They are not there
because these haproxy entries do not use the ::tripleo::haproxy::endpoint
function which does this automatically.

Rabbit does not need them because it does not go through haproxy.

Closes-Bug: #1654280
Change-Id: If995d5c36341f3c089cbda9a0827ea28c19c796b

manifests/haproxy.pp

index 1e76733..b0c7734 100644 (file)
@@ -1206,6 +1206,15 @@ class tripleo::haproxy (
       server_names      => hiera('mysql_node_names', $controller_hosts_names_real),
       options           => $mysql_member_options_real,
     }
+    if hiera('manage_firewall', true) {
+      include ::tripleo::firewall
+      $mysql_firewall_rules = {
+        '100 mysql_haproxy' => {
+          'dport' => 3306,
+        }
+      }
+      create_resources('tripleo::firewall::rule', $mysql_firewall_rules)
+    }
   }
 
   if $rabbitmq {
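Review bot: The new rule `'100 mysql_haproxy'` sets only `'dport' => 3306`, so any limit on source address or interface is left to the defaults of `tripleo::firewall::rule`, which are not visible in this hunk. If that default accepts from anywhere, the database frontend becomes reachable from every network that can reach this host, not only the one the haproxy frontend is meant to serve. If the define supports it, scope the rule to that network, or add a comment such as `# intentionally unrestricted: haproxy binds only to the internal VIP` so the exposure is a recorded decision. The same applies to `'100 redis_haproxy'` on 6379 in the second hunk, where it matters more if Redis is deployed without authentication. The enclosing `if` block starts above the hunk.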
@@ -1265,6 +1274,15 @@ class tripleo::haproxy (
       server_names      => hiera('redis_node_names', $controller_hosts_names_real),
       options           => $haproxy_member_options,
     }
+    if hiera('manage_firewall', true) {
+      include ::tripleo::firewall
+      $redis_firewall_rules = {
+        '100 redis_haproxy' => {
+          'dport' => 6379,
+        }
+      }
+      create_resources('tripleo::firewall::rule', $redis_firewall_rules)
+    }
   }
 
   $midonet_cluster_vip = hiera('midonet_cluster_vip', $controller_virtual_ip)
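Review bot: The port `6379` is written as a literal in the firewall rule, separate from the haproxy listener definition that begins above this hunk, so the opened port and the listening port can drift apart if one is changed later; taking both from one variable would keep them in step. A single-entry hash passed to `create_resources` also reads less clearly than declaring the resource directly, `tripleo::firewall::rule { '100 redis_haproxy': dport => 6379 }`. The `manage_firewall` hiera key, read here with a default of `true`, should get a line in the class documentation, since it now controls whether these ports are opened. The mysql block in the first hunk has the same shape.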