From 2bb87c1b69839d969ac372044f95cc3bf2987d7e Mon Sep 17 00:00:00 2001
From: Sam Betts <sam@code-smash.net>
Date: Mon, 2 Jul 2018 14:31:17 +0100
Subject: [PATCH] Ensure we allow Ironic API traffic from baremetal network

In deployments with a separate baremetal network we need to ensure we
apply an iptables rule to allow traffic on port 80 to the Ironic API.

Change-Id: I468f511dd8ad9a25c17f2a2754f7a45f7147c483
Story: 2002788
Task: 22673
---
 devstack/lib/ironic | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/devstack/lib/ironic b/devstack/lib/ironic
index ca5e0e70e8..7ff7177ce5 100644
--- a/devstack/lib/ironic
+++ b/devstack/lib/ironic
@@ -2145,6 +2145,9 @@ function configure_iptables {
     else
         sudo iptables -I INPUT -d $HOST_IP -p tcp --dport 80 -j ACCEPT || true
         sudo iptables -I INPUT -d $HOST_IP -p tcp --dport 443 -j ACCEPT || true
+        # open ironic API on baremetal network
+        sudo iptables -I INPUT -d $IRONIC_HTTP_SERVER -p tcp --dport 80 -j ACCEPT || true
+        sudo iptables -I INPUT -d $IRONIC_HTTP_SERVER -p tcp --dport 443 -j ACCEPT || true
     fi
     if is_deployed_by_agent; then
         # agent ramdisk gets instance image from swift