Reserve tiller ports as part of controller bootstrap

Ephemeral port reservation was taking place only after the initial
controller unlock. This still allowed for kubernetes based services to
claim the tiller ports in the ephemeral range after initial bootstrap.

Include tiller port reservation as part of the bootstrap manifests and
add an explicit dependency with the platform::kubernetes::master class.

Change-Id: I7540cdfdd13ded63d154ee8ea0b1c8c326491d63
Closes-Bug: #1856209
Signed-off-by: Robert Church <robert.church@windriver.com>
(cherry picked from commit 34f3c3ff41)

puppet-manifests/src/manifests/ansible_bootstrap.pp

@@ -9,6 +9,7 @@ Exec {
 
 include ::platform::config::bootstrap
 include ::platform::users::bootstrap
+include ::platform::sysctl::bootstrap
 include ::platform::ldap::bootstrap
 include ::platform::drbd::bootstrap
 include ::platform::postgresql::bootstrap

puppet-manifests/src/manifests/bootstrap.pp

@@ -9,6 +9,7 @@ Exec {
 
 include ::platform::config::bootstrap
 include ::platform::users::bootstrap
+include ::platform::sysctl::bootstrap
 include ::platform::ldap::bootstrap
 include ::platform::drbd::bootstrap
 include ::platform::postgresql::bootstrap

puppet-manifests/src/modules/platform/manifests/kubernetes.pp

@@ -368,6 +368,7 @@ class platform::kubernetes::master
   contain ::platform::kubernetes::coredns
   contain ::platform::kubernetes::firewall
 
+  Class['::platform::sysctl::controller::reserve_ports'] -> Class[$name]
   Class['::platform::etcd'] -> Class[$name]
   Class['::platform::docker::config'] -> Class[$name]
   # Ensure DNS is configured as name resolution is required when

puppet-manifests/src/modules/platform/manifests/sysctl.pp

@@ -84,10 +84,30 @@ class platform::sysctl
 }
 
 
+class platform::sysctl::controller::reserve_ports
+  inherits ::platform::sysctl::params {
+
+  # Reserve ports in the ephemeral port range:
+  #
+  # Incorporate the reserved keystone port (35357) from
+  # /usr/lib/sysctl.d/openstack-keystone.conf
+  #
+  # Helm v2.13.1 hardcodes the following Tiller ports when installed in the
+  # k8s cluster: 44134 (server), 44135 (probe), 44136 (trace). Reserve them
+  # from the ephemeral port range. This will avoid potential port conflicts
+  # that will cause the tiller pod to crash when the port is assigned to
+  # another client/server
+  sysctl::value { 'net.ipv4.ip_local_reserved_ports':
+    value => '35357,44134-44136'
+  }
+}
+
+
 class platform::sysctl::controller
   inherits ::platform::sysctl::params {
 
   include ::platform::sysctl
+  include ::platform::sysctl::controller::reserve_ports
 
   # Engineer VM page cache tunables to prevent significant IO delays that may
   # occur if we flush a buildup of dirty pages.  Engineer VM settings to make
@@ -129,20 +149,6 @@ class platform::sysctl::controller
   sysctl::value { 'kernel.shmmax':
     value => '167772160'
   }
-
-  # Reserve ports in the ephemeral port range:
-  #
-  # Incorporate the reserved keystone port (35357) from
-  # /usr/lib/sysctl.d/openstack-keystone.conf
-  #
-  # Helm v2.13.1 hardcodes the following Tiller ports when installed in the
-  # k8s cluster: 44134 (server), 44135 (probe), 44136 (trace). Reserve them
-  # from the ephemeral port range. This will avoid potential port conflicts
-  # that will cause the tiller pod to crash when the port is assigned to
-  # another client/server
-  sysctl::value { 'net.ipv4.ip_local_reserved_ports':
-    value => '35357,44134-44136'
-  }
 }
 
 
@@ -159,3 +165,8 @@ class platform::sysctl::storage {
 class platform::sysctl::controller::runtime {
   include ::platform::sysctl::controller
 }
+
+
+class platform::sysctl::bootstrap {
+  include ::platform::sysctl::controller::reserve_ports
+}