[tripleo] Dynamically generating firewall rules for the haproxy host on behalf of a deployed service

Brent Eagles beagles at redhat.com
Wed Mar 2 14:59:18 UTC 2022


Hi all,

Designate has a requirement that appears to be a first for TripleO. It
needs to deploy miniDNS instances on the internal network but each is
accessible from the public network so external bind instances can sync
with them. This is done by mapping port numbers on the VIP to each
miniDNS instance [1] e.g.

 10.0.0.5:16000        --> 172.16.2.184:5354
 10.0.0.5:16001        --> 172.16.2.185:5354
 10.0.0.5:16002        --> 172.16.2.186:5354
      .
      .
      .
<for each controller>

The haproxy configuration is relatively straightforward [2]. There
would be no problem if the haproxy puppet managed the firewall rules,
but for typical deployments we appear to disable this [3] and rely on
the tripleo.firewall ansible module instead.


The complicating factors are:

a. the port range depends on the number of miniDNS instances.

b. the miniDNS deployment needs to set firewall rules wherever haproxy
happens to live as they are not guaranteed to be on the same host.
AFAICT, our ansible based firewall rule mechanism doesn't allow for
setting firewall rules on hosts in addition to the ones that the service
is being deployed on.


Possible solutions I've been considering:

a. Have haproxy puppet create firewall rules on the public API network
and use tripleo.firewall for everything else. I think we generally don't
distinguish which networks firewall rules are applicable to so this
would be an "interesting", pervasive change. This is in PID 1's
wheelhouse and I'd be interested in how they feel about this.

b. Somehow create a jinja-ed firewall rule for haproxy that gets
processed at deploy time so details could be filled in using cloud
information. This seems like it would be kind of fragile, may not even
be possible and depends on details of the framework I'm not familiar
with.

c. Extend tripleo.firewall or tripleo.iptables to process jinja'd
rules - but that's problematic because it needs to be set on the
haproxy host, and miniDNS is elsewhere.

d. Create some ansible that gets run in the haproxy hosts that
generates the firewall rules based on cloud info. I feel this is a bit
ugly.


Does anyone have any suggestions on other solutions or thoughts on the
above?

Cheers,

Brent


1. https://bugzilla.redhat.com/show_bug.cgi?id=1897319 The TripleO HAProxy instance needs to be configured for BIND->miniDNS AXFR

2. https://review.opendev.org/c/openstack/puppet-tripleo/+/828169
Designate: create proxy ports on external VIP to access miniDNS workers.

3. https://bugs.launchpad.net/tripleo/+bug/1961799 haproxy template
tasks to apply IPTables rules are no ops.

--
Brent Eagles
Principal Software Engineer
Red Hat Inc.
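
An added example, not part of the original post and not TripleO or Designate code: a sketch of the "generate the rules from cloud info" idea in option d, deriving both the VIP port map and one INPUT rule that opens exactly that range from the list of miniDNS addresses. The function names, the numeric sort that keeps the mapping stable, the TCP-only rule (AXFR) and the iptables-restore output format are assumptions; the addresses and ports are the ones quoted in the post.

```python
import ipaddress


def minidns_port_map(vip, backends, base_port=16000, backend_port=5354):
    """Return [(vip, vip_port, backend, backend_port)], one VIP port per miniDNS.

    Backends are sorted numerically (an assumption) so that the haproxy
    config and the firewall rule agree regardless of inventory order.
    """
    vip_addr = ipaddress.ip_address(vip)
    addrs = sorted({ipaddress.ip_address(b) for b in backends})
    if not addrs:
        raise ValueError("no miniDNS backends given")
    if len(addrs) != len(backends):
        raise ValueError("duplicate miniDNS backend address")
    if any(a.version != vip_addr.version for a in addrs):
        raise ValueError("VIP and backends must be the same IP family")
    last_port = base_port + len(addrs) - 1
    if base_port < 1024 or last_port > 65535:
        raise ValueError("port range %d-%d is out of bounds" % (base_port, last_port))
    return [(str(vip_addr), base_port + i, str(a), backend_port)
            for i, a in enumerate(addrs)]


def haproxy_input_rule(port_map, proto="tcp"):
    """Build one iptables-restore line for the haproxy host.

    The rule is limited to the VIP and to the mapped range, so adding or
    removing a controller widens or narrows the opening and nothing else.
    """
    vip = ipaddress.ip_address(port_map[0][0])
    prefix = 32 if vip.version == 4 else 128  # IPv6 belongs in ip6tables
    first, last = port_map[0][1], port_map[-1][1]
    dports = str(first) if first == last else "%d:%d" % (first, last)
    return ("-A INPUT -d %s/%d -p %s -m multiport --dports %s "
            "-m conntrack --ctstate NEW -j ACCEPT" % (vip, prefix, proto, dports))


if __name__ == "__main__":
    # Addresses from the example mapping in the post, deliberately unordered.
    pm = minidns_port_map("10.0.0.5",
                          ["172.16.2.186", "172.16.2.184", "172.16.2.185"])
    for vip, vport, backend, bport in pm:
        print("%s:%d --> %s:%d" % (vip, vport, backend, bport))
    print(haproxy_input_rule(pm))
```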



