openstack/openstack-ansible-os_neutron
Code Issues Proposed changes

[doc] Briefly describe VPNaaS plugin changes with OVN

Browse Source 
Change-Id: I471537e7c299ed5f44148883d030f6cfe4d3ef61
This commit is contained in:
Dmitriy Rabotyagov 2024-03-04 19:32:26 +01:00 committed by Dmitriy Rabotyagov
parent 4e855db6b2
commit 4a4ff70478
1 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
doc/source/configure-network-services.rst
View File

@ -88,6 +88,11 @@ The following procedure describes how to modify the
#. ``neutron_plugin_base`` is as follows:
.. NOTE::
In the case your ``neutron_plugin_type`` is ``ml2.ovn``,
use ``ovn-vpnaas`` plugin instead
.. code-block:: yaml
neutron_plugin_base:
@ -152,6 +157,11 @@ You can also define customized configuration files for VPN service with the vari
With that ``neutron_l3_agent_ini_overrides`` should be also defined in 'user_variables.yml'
to tell ``l3_agent`` use the new config file:
.. NOTE::
Please, use variable ``neutron_ovn_vpn_agent_overrides`` when
``neutron_plugin_type`` is set to ``ml2.ovn``.
.. code-block:: yaml
neutron_l3_agent_ini_overrides:
@ -162,6 +172,30 @@ to tell ``l3_agent`` use the new config file:
openswan:
ipsec_config_template: "{{ neutron_conf_dir }}/ipsec.conf.template"
VPNaaS Agent for OVN
--------------------
Since 2024.1 release (Caracal) VPNaaS service does support ``ml2.ovn``
plugin type.
While configuration of the service is pretty much alike, implementation beneath
has significant differences.
First of all, VPNaaS is represented with a standalone agent that is coordinated
with help of RabbitMQ. This means, that a new Agent Type ``VPN Agent`` will
appear in ``openstack network agent list`` output.
On a VPN site connection creation, VPN agent will handle a namespace creation
on an arbitrary OVN gateway node, inside which ipsec connection will be created
Since OVN L3 Router implementation is not using namespaces, VPN Agent will
utilize an extra external IP, since it can not be shared now with the router.
Moreover, an extra patch network will be created to connect VPN Agent with L3
agent.
For more details on the implementation please reffer to the `VPNaaS OVN Spec`_
.. _VPNaaS OVN Spec: https://opendev.org/openstack/neutron-specs/src/branch/master/specs/xena/vpnaas-ovn.rst
BGP Dynamic Routing service (optional)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~