From 50f160a148b6a973891ffc6d0882f4c0d597336e Mon Sep 17 00:00:00 2001
From: Damien Ciabrini
Date: Thu, 20 Jul 2017 11:48:22 -0400
Subject: Prevent haproxy to run iptables during docker-puppet configuration

When docker-puppet runs module tripleo::haproxy to generate haproxy configuration file, and tripleo::firewall::manage_firewall is true, iptables is called to set up firewall rules for the proxied services and fails due to lack of NET_ADMIN capability. Make the generation of firewall rule configurable by exposing a new argument to the puppet module. That way, firewall management can be temporarily disabled when being run through docker-puppet.

Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9
Partial-Bug: #1697921
---
 manifests/haproxy.pp | 11 +++++++++--
 manifests/haproxy/endpoint.pp | 8 +++++++-
 manifests/profile/base/haproxy.pp | 7 +++++++
 manifests/profile/pacemaker/haproxy.pp | 10 +++++++++-
 4 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 924699b..bf52613 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -53,6 +53,11 @@
 # Should haproxy run in daemon mode or not
 # Defaults to true
 #
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
 # [*controller_hosts*]
 # IPs of host or group of hosts to load-balance the services
 # Can be a string or an array.
@@ -563,6 +568,7 @@ class tripleo::haproxy (
 $haproxy_daemon = true,
 $haproxy_stats_user = 'admin',
 $haproxy_stats_password = undef,
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
 $controller_hosts = hiera('controller_node_ips'),
 $controller_hosts_names = hiera('controller_node_names', undef),
 $contrail_config_hosts = hiera('contrail_config_node_ips', undef),
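Review bot: The new parameter comment in this hunk says manage_firewall enables or disables "firewall settings", but the guards this patch adds in the same file only wrap the creation of allow rules for the proxied ports, with no else branch, so a false value neither removes rules left by an earlier run nor opens the ports by any other means. Because the commit message presents false as a temporary setting for docker-puppet, the comment should say who is then responsible for opening those ports. I would extend the comment with `#   When false, no firewall rules are created for the proxied ports; rules from an earlier run are left untouched and the ports must be opened by whatever applies the firewall outside docker-puppet.` The parameter list this comment documents continues outside the hunk.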
@@ -881,6 +887,7 @@ class tripleo::haproxy (
 use_internal_certificates => $use_internal_certificates,
 internal_certificates_specs => $internal_certificates_specs,
 listen_options => $default_listen_options,
+ manage_firewall => $manage_firewall,
 }
 if $haproxy_stats {
@@ -1361,7 +1368,7 @@ class tripleo::haproxy (
 server_names => hiera('mysql_node_names', $controller_hosts_names_real),
 options => $mysql_member_options_real,
 }
- if hiera('tripleo::firewall::manage_firewall', true) {
+ if $manage_firewall {
 include ::tripleo::firewall
 $mysql_firewall_rules = {
 '100 mysql_haproxy' => {
@@ -1443,7 +1450,7 @@ class tripleo::haproxy (
 server_names => hiera('redis_node_names', $controller_hosts_names_real),
 options => $haproxy_member_options,
 }
- if hiera('tripleo::firewall::manage_firewall', true) {
+ if $manage_firewall {
 include ::tripleo::firewall
 $redis_firewall_rules = {
 '100 redis_haproxy' => {
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index f1e80e8..9139061 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -86,6 +86,11 @@
 # fetching the certificate for that specific network.
 # Defaults to undef
 #
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
 define tripleo::haproxy::endpoint (
 $internal_ip,
 $service_port,
@@ -103,6 +108,7 @@ define tripleo::haproxy::endpoint (
 $use_internal_certificates = false,
 $internal_certificates_specs = {},
 $service_network = undef,
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
 ) {
 if $public_virtual_ip {
 # service exposed to the public network
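Review bot: The mysql and redis guards in these hunks now honour the class parameter, but they are the only two lookups of `tripleo::firewall::manage_firewall` converted in manifests/haproxy.pp: the diffstat's two deletions for that file are both visible here, so any further `if hiera('tripleo::firewall::manage_firewall', true)` in the parts of the class outside these hunks still reads hiera directly and would still reach iptables under docker-puppet even when the caller passes `manage_firewall => false`. Worth grepping the file for that key before merging, since a single leftover guard defeats the purpose of the commit. The class body these hunks belong to starts and ends outside the diff.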
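Review bot: The endpoint define in the hunk at line 103 keeps a hiera default for manage_firewall rather than receiving it from its caller, so only endpoints that are handed the value explicitly follow the class-level setting. If the block in the hunk at line 881 is the `Tripleo::Haproxy::Endpoint` resource-default block, every endpoint declared inside tripleo::haproxy inherits it; if it is a single endpoint resource, the remaining endpoints in the class fall back to hiera and the docker-puppet case is only partially covered, which I cannot tell from the diff. A one-line comment on the define's parameter, `#   Callers inside tripleo::haproxy pass the class value; the hiera default only applies to endpoints declared elsewhere.`, would make the intended flow explicit. The define's body continues outside the hunk.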
@@ -158,7 +164,7 @@ define tripleo::haproxy::endpoint (
 server_names => $server_names,
 options => $member_options,
 }
- if hiera('tripleo::firewall::manage_firewall', true) {
+ if $manage_firewall {
 include ::tripleo::firewall
 # This block will construct firewall rules only when we specify
 # a port for the regular service and also the ssl port for the service.
diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp
index 4f3322c..145f283 100644
--- a/manifests/profile/base/haproxy.pp
+++ b/manifests/profile/base/haproxy.pp
@@ -36,6 +36,11 @@
 # (Optional) Whether or not loadbalancer is enabled.
 # Defaults to hiera('enable_load_balancer', true).
 #
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
@@ -44,12 +49,14 @@ class tripleo::profile::base::haproxy (
 $certificates_specs = {},
 $enable_load_balancer = hiera('enable_load_balancer', true),
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
 $step = Integer(hiera('step')),
 ) {
 if $step >= 1 {
 if $enable_load_balancer {
 class {'::tripleo::haproxy':
 internal_certificates_specs => $certificates_specs,
+ manage_firewall => $manage_firewall,
 }
 unless hiera('tripleo::haproxy::haproxy_service_manage', true) {
diff --git a/manifests/profile/pacemaker/haproxy.pp b/manifests/profile/pacemaker/haproxy.pp
index 7331071..5198243 100644
--- a/manifests/profile/pacemaker/haproxy.pp
+++ b/manifests/profile/pacemaker/haproxy.pp
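Review bot: The `$manage_firewall` parameter added in the hunk at line 44 is untyped, while the neighbouring `$step = Integer(hiera('step'))` shows this profile already relies on Puppet 4 typing; downstream the value is consumed as `if $manage_firewall`, and in the Puppet 4 language a non-empty string such as 'false' is truthy, so a mis-typed hieradata value would silently re-enable the iptables calls this commit is trying to avoid. I would declare it as `Boolean $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),` so a wrong type fails at catalog compilation instead; the same applies to the parameter added to the pacemaker profile in this patch. The class body that consumes the parameter continues outside the hunk.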
@@ -26,6 +26,11 @@
 # (Optional) Whether load balancing is enabled for this cluster
 # Defaults to hiera('enable_load_balancer', true)
 #
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
@@ -38,10 +43,13 @@ class tripleo::profile::pacemaker::haproxy (
 $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'),
 $enable_load_balancer = hiera('enable_load_balancer', true),
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
 $step = Integer(hiera('step')),
 $pcs_tries = hiera('pcs_tries', 20),
 ) {
- include ::tripleo::profile::base::haproxy
+ class {'::tripleo::profile::base::haproxy':
+ manage_firewall => $manage_firewall,
+ }
 if $::hostname == downcase($bootstrap_node) {
 $pacemaker_master = true
-- 
cgit 1.2.3-korg
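Review bot: Replacing `include ::tripleo::profile::base::haproxy` with a resource-like `class { ... }` declaration in the hunk at line 38 makes this the only place the base profile may be declared: if any other manifest evaluated earlier in the same catalog includes `::tripleo::profile::base::haproxy`, compilation fails with a duplicate declaration error, and evaluation order decides whether that happens. Since the base profile's new parameter already defaults to the very same `hiera('tripleo::firewall::manage_firewall', true)` lookup, the explicit pass-through only changes anything when the pacemaker class parameter is set to a value different from that key. Keeping `include` and letting the value reach the base profile through hieradata (either the shared key or `tripleo::profile::base::haproxy::manage_firewall`, assuming automatic parameter lookup is in use here) would avoid the ordering hazard; if the resource-like form is kept, a comment stating that this must remain the sole declaration of the base profile is warranted. The pacemaker class body continues outside the hunk.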