From 044d7db0af8b65027cbffbe5ecc9783d24a0a57e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Dulko?=
Date: Tue, 10 Apr 2018 10:31:10 +0200
Subject: [PATCH] Fix K8s API access through LBaaS on gates

In the gate K8s API was inaccessible through the LB we create for it. This means that we could only connect to the API directly through HOST_IP. This commit fixes the issue by adding required iptables rule that allows traffic to the LB and fixes up the member IP added to the LB.

Change-Id: Icd53ec45a479d54015d0506fb5e8bb9896d0a9df
Related-Bug: 555040
(cherry picked from commit 49470991adedbf047567938e5c6c7f2695e62786)
---
 devstack/lib/kuryr_kubernetes | 2 ++
 devstack/plugin.sh | 20 +++++++++++---------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/devstack/lib/kuryr_kubernetes b/devstack/lib/kuryr_kubernetes
index bb046e448..275e0b231 100644
--- a/devstack/lib/kuryr_kubernetes
+++ b/devstack/lib/kuryr_kubernetes
@@ -65,6 +65,8 @@ function ovs_bind_for_kubelet() {
 sudo ip addr add "${port_ips[$i]}/${prefix}" dev "$ifname"
 done
 sudo ip route add "$service_subnet_cidr" via "$pod_subnet_gw" dev "$ifname"
+ # Ignore the error if openstack-INPUT chain doesn't exist.
+ sudo iptables -I openstack-INPUT 1 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 6443 -j ACCEPT || true
 }

 # get_container
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index a79709ec7..e8f4c3bc5 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -198,7 +198,7 @@ function create_k8s_api_service {
 # containerized kuryr controller or kube-dns) to talk to the K8s API
 # service
 local service_cidr
- local router_ip
+ local kubelet_iface_ip
 local lb_name

 lb_name='default/kubernetes'
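Review bot: The rule added at the end of ovs_bind_for_kubelet accepts TCP 6443 from any source on any interface (`-s 0.0.0.0/0 -d 0.0.0.0/0`, no `-i`), which is broader than the load-balancer-to-API path the commit message describes; if the LB traffic arrives on the kubelet interface, as the member address change in plugin.sh suggests, adding `-i "$ifname"` would keep the port closed elsewhere. The port is also fixed at 6443, while create_k8s_api_service in plugin.sh registers the member on 8443 when openshift-master is enabled, so that case looks uncovered. `|| true` hides every iptables failure, not only a missing chain, and `-I` adds a duplicate rule each time the function runs; checking with `iptables -C` before inserting avoids the duplicates. The function body starts outside the hunk.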
@@ -207,6 +207,8 @@ function create_k8s_api_service {
 subnet show "$KURYR_NEUTRON_DEFAULT_SERVICE_SUBNET" \
 -c cidr -f value)

+ kubelet_iface_ip=$(openstack port show kubelet-"${HOSTNAME}" -c fixed_ips -f value | cut -d \' -f 2)
+
 k8s_api_clusterip=$(_cidr_range "$service_cidr" | cut -f1)

 neutron lbaas-loadbalancer-create --name "$lb_name" \
@@ -237,17 +239,17 @@ function create_k8s_api_service {
 while [[ "$(_lb_state $lb_name)" != "ACTIVE" ]]; do
 sleep 1
 done
+
+ local api_port
 if is_service_enabled openshift-master; then
- neutron lbaas-member-create --subnet public-subnet \
- --address "${HOST_IP}" \
- --protocol-port 8443 \
- default/kubernetes:443
+ api_port=8443
 else
- neutron lbaas-member-create --subnet public-subnet \
- --address "${HOST_IP}" \
- --protocol-port 6443 \
- default/kubernetes:443
+ api_port=6443
 fi
+ neutron lbaas-member-create --subnet public-subnet \
+ --address ${kubelet_iface_ip} \
+ --protocol-port ${api_port} \
+ default/kubernetes:443
 }

 function configure_neutron_defaults {
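Review bot: kubelet_iface_ip is taken from `openstack port show ... | cut -d \' -f 2` with no check that the result is non-empty, so a missing `kubelet-"${HOSTNAME}"` port or a change in the `-f value` output format silently yields an empty or wrong member address. Unless `pipefail` is set somewhere outside this hunk, the pipeline's status is that of `cut`, so a failed lookup is not caught by the exit status either. A guard right after the assignment, e.g. `[[ -n "$kubelet_iface_ip" ]] || die $LINENO "kubelet port has no fixed IP"`, would stop before the load balancer is created. create_k8s_api_service starts and ends outside this hunk.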
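Review bot: `--address ${kubelet_iface_ip}` and `--protocol-port ${api_port}` are unquoted, whereas the removed lines quoted `"${HOST_IP}"`; if kubelet_iface_ip is empty, `--address` takes `--protocol-port` as its value and the member call fails or runs with the wrong arguments. Quote both: `--address "${kubelet_iface_ip}" \` and `--protocol-port "${api_port}" \`. The member is still created with `--subnet public-subnet` although its address now comes from the kubelet port; whether that address belongs to that subnet is not visible here and is worth confirming. The function starts outside the hunk.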