Add k8s cfg file to the OAM firewall script

In the change https://review.opendev.org/c/starlingx/stx-puppet/+/897467 the OAM firewall was not updated to pass the k8s config file as argument to calico_firewall_apply_policy.sh. It then created an error that prevented the global network policy to be created, making the OAM interface to block all traffic, except for the failsafed ones. This change corrects that Test Plan [PASS] In AIO-DX remove the current OAM GNP and execute lock/unlock on one of the controllers, verify the OAM GNP is recreated. [PASS] In AIO-DX remove the current OAM GNP and force the runtime execution by creating the file /etc/platform/.platform_firewall_config_required and observe the request to recreate the OAM GNP Closes-Bug: 2038550 Change-Id: Ica03dbf6ffd9f6f592fa53efa40293191203377a Signed-off-by: Andre Kantek <[email protected]>
starlingx · Oct 10, 2023 · 58581b8 · 58581b8
1 parent d9f373a
commit 58581b8
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/puppet-manifests/src/modules/platform/manifests/firewall.pp b/puppet-manifests/src/modules/platform/manifests/firewall.pp
@@ -157,6 +157,11 @@
 ) {
   if $config != {} {
     $apply_script = 'calico_firewall_apply_policy.sh'
+    if $::personality == 'worker' {
+      $cfgf = '/etc/kubernetes/kubelet.conf'
+    } elsif $::personality == 'controller' {
+      $cfgf = '/etc/kubernetes/admin.conf'
+    }
     $yaml_config = hash2yaml($config)
     $gnp_name = "${::personality}-oam-if-gnp"
     $file_name_gnp = "/tmp/gnp_${gnp_name}.yaml"
@@ -169,7 +174,7 @@
     }
     -> exec { "apply globalnetworkpolicies ${gnp_name} with ${file_name_gnp}":
       path      => '/usr/bin:/usr/sbin:/bin:/usr/local/bin',
-      command   => "${apply_script} ${gnp_name} ${file_name_gnp}",
+      command   => "${apply_script} ${gnp_name} ${file_name_gnp} ${cfgf}",
       logoutput => true
     }
   }