authorDamien Ciabrini <dciabrin@redhat.com>2017-07-20 11:48:22 -0400
committerAlex Schultz <aschultz@redhat.com>2017-07-27 18:59:30 +0000
commit50f160a148b6a973891ffc6d0882f4c0d597336e (patch)
tree187d7584789b669c94f8ecbd896618cef79409a4 /manifests/profile
parent237e613a175fd975bf6679646eaf092ff6725015 (diff)
Prevent haproxy to run iptables during docker-puppet configuration
When docker-puppet runs module tripleo::haproxy to generate the haproxy configuration file, and tripleo::firewall::manage_firewall is true, iptables is called to set up firewall rules for the proxied services and fails due to lack of the NET_ADMIN capability. Make the generation of firewall rules configurable by exposing a new argument to the puppet module. That way, firewall management can be temporarily disabled when being run through docker-puppet. Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9 Partial-Bug: #1697921
Diffstat (limited to 'manifests/profile')
-rw-r--r--manifests/profile/base/haproxy.pp7
-rw-r--r--manifests/profile/pacemaker/haproxy.pp10
2 files changed, 16 insertions, 1 deletions
diff --git a/manifests/profile/base/haproxy.pp b/manifests/profile/base/haproxy.pp
index 4f3322c..145f283 100644
--- a/manifests/profile/base/haproxy.pp
+++ b/manifests/profile/base/haproxy.pp
@@ -36,6 +36,11 @@
# (Optional) Whether or not loadbalancer is enabled.
# Defaults to hiera('enable_load_balancer', true).
#
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
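Review bot: The new `manage_firewall` doc block says only that false disables firewall settings for the HAProxy ports; it does not say when that is appropriate or what has to happen instead. Going by the commit message, the override exists for docker-puppet runs that lack NET_ADMIN and only generate configuration, so I would add a line such as `# Set to false only for config-generation runs (e.g. docker-puppet); the rules for these ports must then be applied by another run.` The same applies to the identical doc block added in manifests/profile/pacemaker/haproxy.pp.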
@@ -44,12 +49,14 @@
class tripleo::profile::base::haproxy (
$certificates_specs = {},
$enable_load_balancer = hiera('enable_load_balancer', true),
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
$step = Integer(hiera('step')),
) {
if $step >= 1 {
if $enable_load_balancer {
class {'::tripleo::haproxy':
internal_certificates_specs => $certificates_specs,
+ manage_firewall => $manage_firewall,
}
unless hiera('tripleo::haproxy::haproxy_service_manage', true) {
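Review bot: `$manage_firewall` is added to the parameter list of `tripleo::profile::base::haproxy` without a data type, so a hieradata value that arrives as a string is not treated as a boolean. In Puppet 4 and later every string is truthy, which means a quoted `'false'` would leave firewall management switched on and the docker-puppet run would presumably still fail on iptables. Declaring it as `Boolean $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),` makes a mistyped value fail at compile time instead; the same parameter added to `tripleo::profile::pacemaker::haproxy` would take the same change. The class body continues past the end of this hunk, and how `::tripleo::haproxy` consumes the value is not visible here.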
diff --git a/manifests/profile/pacemaker/haproxy.pp b/manifests/profile/pacemaker/haproxy.pp
index 7331071..5198243 100644
--- a/manifests/profile/pacemaker/haproxy.pp
+++ b/manifests/profile/pacemaker/haproxy.pp
@@ -26,6 +26,11 @@
# (Optional) Whether load balancing is enabled for this cluster
# Defaults to hiera('enable_load_balancer', true)
#
+# [*manage_firewall*]
+# (optional) Enable or disable firewall settings for ports exposed by HAProxy
+# (false means disabled, and true means enabled)
+# Defaults to hiera('tripleo::firewall::manage_firewall', true)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
@@ -38,10 +43,13 @@
class tripleo::profile::pacemaker::haproxy (
$bootstrap_node = hiera('haproxy_short_bootstrap_node_name'),
$enable_load_balancer = hiera('enable_load_balancer', true),
+ $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
$step = Integer(hiera('step')),
$pcs_tries = hiera('pcs_tries', 20),
) {
- include ::tripleo::profile::base::haproxy
+ class {'::tripleo::profile::base::haproxy':
+ manage_firewall => $manage_firewall,
+ }
if $::hostname == downcase($bootstrap_node) {
$pacemaker_master = true
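Review bot: Replacing `include ::tripleo::profile::base::haproxy` with a resource-like `class { ... }` declaration means the base profile can no longer be declared anywhere else ahead of this point; if another manifest includes it earlier in evaluation, catalog compilation fails with a duplicate declaration error. Whether anything else declares the base profile is not visible from this page, so the roles that pull in both profiles are worth checking. `$enable_load_balancer` and `$step` are still not forwarded, so an explicit override of those on the pacemaker profile would not reach the base class while `manage_firewall` now does. A comment such as `# resource-like declaration: the base profile must not be declared before this point` would record the constraint; the class body continues outside the hunk.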