Ironic: add missing haproxy and firewall configuration
authorDmitry Tantsur <divius.inside@gmail.com>
Wed, 17 Aug 2016 15:12:26 +0000 (17:12 +0200)
committerDmitry Tantsur <divius.inside@gmail.com>
Thu, 25 Aug 2016 11:25:54 +0000 (13:25 +0200)
Make sure Ironic API listens on a different IP than HAProxy.

Also open firewall ports for Ironic API and TFTP.

Change-Id: I9d843e76adcdb1085fd1e9fb7408a2387909382b

puppet/services/haproxy.yaml
puppet/services/ironic-api.yaml
puppet/services/ironic-conductor.yaml

index 8ac669a..c0e1c11 100644 (file)
@@ -75,6 +75,7 @@ outputs:
         tripleo::haproxy::heat_cloudwatch: true
         tripleo::haproxy::heat_cfn: true
         tripleo::haproxy::horizon: true
+        tripleo::haproxy::ironic: true
         tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
         tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
         tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
index 6b49425..d0516e1 100644 (file)
@@ -50,6 +50,7 @@ outputs:
             ironic::api::authtoken::username: 'ironic'
             ironic::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
             ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
+            ironic::api::host_ip: {get_input: ironic_api_network}
             ironic::api::port: {get_param: [EndpointMap, IronicInternal, port]}
             # This is used to build links in responses
             ironic::api::public_endpoint: {get_param: [EndpointMap, IronicPublic, uri_no_suffix]}
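Review bot: The new `ironic::api::host_ip` line has no comment saying why the bind address is pinned, although this setting is what keeps the API off the VIP that HAProxy owns and limits which network can reach it directly. The conductor template already explains its use of the same input for `tftp_server`, so a matching comment here would keep the two consistent, for example `# Bind to this node's IP on the Ironic API network; the VIP on the same port belongs to HAProxy`. It may also be worth confirming that `ironic_api_network` is always supplied as an input, since this hunk does not show what the service binds to if it resolves empty. The config_settings map continues outside the hunk.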
@@ -59,5 +60,10 @@ outputs:
             ironic::keystone::auth::auth_name: 'ironic'
             ironic::keystone::auth::password: {get_param: IronicPassword }
             ironic::keystone::auth::tenant: 'service'
+            tripleo.ironic_api.firewall_rules:
+              '133 ironic api':
+                dport:
+                  - 6385
+                  - 13385
       step_config: |
         include ::tripleo::profile::base::ironic::api
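Review bot: The `'133 ironic api'` rule hard-codes `6385` and `13385`, while the listener port in the same map comes from `{get_param: [EndpointMap, IronicInternal, port]}`, so an overridden endpoint map would leave the firewall and the service disagreeing. The first entry could be written as `- {get_param: [EndpointMap, IronicInternal, port]}`. The second port, presumably the TLS frontend, deserves a short comment saying what listens on it, because as written it is opened even when nothing may be bound there. The rule also carries no source restriction, so access to the bare-metal provisioning API rests entirely on the `host_ip` binding and on Keystone auth. If the API is only meant to be reached from the internal and provisioning networks, a `source:` entry would state that explicitly.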
index 9bc86a2..27479f7 100644 (file)
@@ -41,10 +41,15 @@ outputs:
           - get_attr: [IronicBase, role_data, config_settings]
           # FIXME: I have no idea why neutron_url is in "api" manifest
           - ironic::api::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]}
+            ironic::conductor::api_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]}
             ironic::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]}
             ironic::enabled_drivers: {get_param: IronicEnabledDrivers}
             # Prevent tftp_server from defaulting to my_ip setting, which is
             # controller VIP, not a real IP.
             ironic::drivers::pxe::tftp_server: {get_input: ironic_api_network}
+            tripleo.ironic_conductor.firewall_rules:
+              '134 ironic conductor TFTP':
+                dport: 69
+                proto: udp
       step_config: |
         include ::tripleo::profile::base::ironic::conductor
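Review bot: The `'134 ironic conductor TFTP'` rule opens UDP 69 with no source restriction, and TFTP has no authentication, so any host that can route to this node can fetch whatever the conductor places in the TFTP root. Since `tftp_server` is already pinned to the `ironic_api_network` address, the rule could be narrowed to match with `source: <provisioning-network CIDR>`, where the CIDR is a placeholder for the deployment's value. Separately, `ironic::conductor::api_url` is set from the `IronicInternal` endpoint; if this URL is what gets handed to nodes being deployed, they will need a route to the internal API network. A one-line comment noting that expectation would help operators who segment the provisioning network.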