
update LB ports iff the provider is haproxy

The legacy neutron-lbaasv2 implementation based on haproxy is not aware
of security groups at VIP creation and sets the default SG. The default
SG may not provide access from the cluster ingress, so we make sure in
this patch that the right SG is used.

This was not an issue with OpenStack's hybrid firewall because the
haproxy running on namespaces were bypassing the security groups. The
problem popped up when newer firewall implementations in Neutron fixed
that hole and exposed the wrong SG setting.

Finally, it is not possible to set the SG directly in Heat and that is a
wontfix bug there.

Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
Change-Id: Ia5100609655fef2ad7906a2f9df63aa8e8d2f33f
Antoni Segura Puimedon 7 years ago
parent
commit
3275cd94d1

+ 15 - 7
playbooks/openstack/inventory.py

@@ -142,16 +142,20 @@ def build_inventory():
 
         inventory['_meta']['hostvars'][server.name] = hostvars
 
-    kuryr_vars = _get_kuryr_vars(cloud)
-    if kuryr_vars:
-        inventory['OSEv3']['vars'] = kuryr_vars
-
+    stout = _get_stack_outputs(cloud)
+    if stout is not None:
+        inventory['_meta']['hostvars']['localhost'] = {
+            'openshift_openstack_api_lb_provider': stout['api_lb_provider'],
+            'openshift_openstack_api_lb_port_id': stout['api_lb_vip_port_id'],
+            'openshift_openstack_api_lb_sg_id': stout['api_lb_sg_id']}
+        kuryr_vars = _get_kuryr_vars(cloud, stout)
+        if kuryr_vars:
+            inventory['OSEv3']['vars'] = kuryr_vars
     return inventory
 
 
-def _get_kuryr_vars(cloud_client):
-    """Returns a dictionary of Kuryr variables resulting of heat stacking"""
-    # TODO: Filter the cluster stack with tags once it is supported in shade
+def _get_stack_outputs(cloud_client):
+    """Returns a dictionary with the stack outputs"""
     cluster_name = os.getenv('OPENSHIFT_CLUSTER', 'openshift-cluster')
 
     stack = cloud_client.get_stack(cluster_name)
@@ -162,7 +166,11 @@ def _get_kuryr_vars(cloud_client):
     data = {}
     for output in stack['outputs']:
         data[output['output_key']] = output['output_value']
+    return data
 
+
+def _get_kuryr_vars(cloud_client, data):
+    """Returns a dictionary of Kuryr variables resulting of heat stacking"""
     settings = {}
     settings['kuryr_openstack_pod_subnet_id'] = data['pod_subnet']
     settings['kuryr_openstack_worker_nodes_subnet_id'] = data['vm_subnet']
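Review bot: The three `stout[...]` lookups that build the localhost hostvars index the outputs dict directly, yet the matching outputs are emitted by the Heat template only inside a Jinja conditional (the `{% endif %}` closing that block is visible in heat_stack.yaml.j2), so a stack rendered without them makes build_inventory raise KeyError instead of returning an inventory. Using `stout.get('api_lb_provider')`, `stout.get('api_lb_vip_port_id')` and `stout.get('api_lb_sg_id')` yields None for those hostvars, which a guarded `when:` in the provision task can then treat as "no correction needed". Note also that the assignment replaces any existing `inventory['_meta']['hostvars']['localhost']` entry rather than updating it. The middle of `_get_stack_outputs` lies between the two hunks and `_get_kuryr_vars` continues past the second, so the path taken when get_stack finds no stack is not visible here.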

+ 8 - 0
roles/openshift_openstack/tasks/provision.yml

@@ -81,6 +81,14 @@
   when:
   - stack_create|failed
 
+- name: Legacy LBaaSv2 SG OpenShift API correction
+  os_port:
+    state: present
+    name: openshift_openstack_api_lb_port_id
+    security_groups: openshift_openstack_api_lb_sg_id
+  when:
+  - openshift_openstack_api_lb_provider == "haproxy"
+
 - name: Add the new nodes to the inventory
   meta: refresh_inventory
 
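Review bot: `name: openshift_openstack_api_lb_port_id` and `security_groups: openshift_openstack_api_lb_sg_id` in the new os_port task are plain strings, not Jinja expressions, so the module is asked to manage a port literally named "openshift_openstack_api_lb_port_id" rather than the VIP port exported by the inventory. They need templating, and os_port's security_groups is a list: `name: "{{ openshift_openstack_api_lb_port_id }}"` and `security_groups: ["{{ openshift_openstack_api_lb_sg_id }}"]`. The `when:` also dereferences `openshift_openstack_api_lb_provider` unconditionally; since inventory.py only sets it when the stack outputs are present, adding `- openshift_openstack_api_lb_provider is defined` before the comparison avoids an undefined-variable failure on stacks without those outputs. The variables are attached to the localhost hostvars, so this presumably relies on the task running against localhost — worth confirming.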

+ 12 - 2
roles/openshift_openstack/templates/heat_stack.yaml.j2

@@ -70,6 +70,18 @@ outputs:
   pod_access_sg_id:
     description: Id of the security group for services to be able to reach pods
     value: { get_resource: pod_access_sg }
+
+  api_lb_vip_port_id:
+    description: Id of the OpenShift API load balancer VIP port
+    value: { get_resource: api_lb }
+
+  api_lb_sg_id:
+    description: Security Group Id of the OpenShift API load balancer VIP port
+    value: { get_resource: lb-secgrp }
+
+  api_lb_provider:
+    description: Id of the OpenShift API load balancer VIP port
+    value: { get_attr: [api_lb, show, provider] }
 {% endif %}
 
 conditions:
@@ -603,7 +615,6 @@ resources:
           port_range_min: 49152
           port_range_max: 49251
 
-{% if openshift_openstack_num_masters|int > 1 %}
   lb-secgrp:
     type: OS::Neutron::SecurityGroup
     properties:
@@ -622,7 +633,6 @@ resources:
         port_range_max: {{ openshift_master_console_port | default(8443) }}
         remote_ip_prefix: {{ openshift_openstack_lb_ingress_cidr }}
 {% endif %}
-{% endif %}
 
   etcd:
     type: OS::Heat::ResourceGroup
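Review bot: The description of the new `api_lb_provider` output repeats the one from `api_lb_vip_port_id` ("Id of the OpenShift API load balancer VIP port"), which misleads anyone reading the stack outputs; it should read `description: Provider backing the OpenShift API load balancer`. More importantly, `api_lb_vip_port_id` is given `{ get_resource: api_lb }`, which resolves to the id of the `api_lb` resource itself; if `api_lb` is the load balancer (the `show` attribute used just below suggests so), that is the load balancer UUID rather than its VIP port, and the os_port task fed this value downstream would not find a port — for an OS::Neutron::LBaaS::LoadBalancer the VIP port is `value: { get_attr: [api_lb, vip_port_id] }`. Dropping the `openshift_openstack_num_masters|int > 1` guard also means `lb-secgrp` and its ingress rules are now rendered for single-master stacks; that is harmless if `api_lb` is likewise always present, but the enclosing conditions lie outside these hunks so I cannot confirm it.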