From 8cc44c41a3997729b2fb86eacd5f95fb4b0e86d4 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Sun, 15 Sep 2024 23:13:52 +0900
Subject: [PATCH] Test deployment with VPNaaS + ml2 ovn driver
The neutron-vpnaas plugin supports deployment with ml2 + ovs since 2024.1 . Enable the plugin and its agent to test the new capability to deploy the plugin.
Depends-on: https://review.opendev.org/930070
Change-Id: I7c79ba34d5a39639bffdc9278a8455e8eec10bbf
---
 README.md | 2 +-
 fixtures/scenario005.pp | 5 +++
 manifests/neutron.pp | 73 ++++++++++++++++++++++++++++++-----------
 3 files changed, 57 insertions(+), 23 deletions(-)
diff --git a/README.md b/README.md
index 6683c9e26..af99f2a6e 100644
--- a/README.md
+++ b/README.md
@@ -73,7 +73,7 @@ scenario](#all-in-one).
 | ceph rgw | | | | X | | |
 | vitrage | X | | | | | |
 | watcher | | | | X | | |
-| vpnaas | | | | X | | |
+| vpnaas | | | | X | X | |
 | taas | | | | X | | |
 | bgpvpn-api | | | | X | | |
 | bgp-dr | | | | X | | |
diff --git a/fixtures/scenario005.pp b/fixtures/scenario005.pp
index 7416e3303..b27545dd8 100644
--- a/fixtures/scenario005.pp
+++ b/fixtures/scenario005.pp
@@ -25,11 +25,14 @@ case $facts['os']['family'] {
 $ipv6 = false
 $ovn_metadata_agent_enabled = true
 $jobboard_backend = 'redis'
+ # TODO(tkajinam): Enable these along with the other plugins
+ $vpnaas_enabled = false
 }
 'RedHat': {
 $ipv6 = true
 $ovn_metadata_agent_enabled = false
 $jobboard_backend = 'redis_sentinel'
+ $vpnaas_enabled = true
 }
 default: {
 fail("Unsupported osfamily (${facts['os']['family']})")
@@ -59,6 +62,7 @@ class { 'openstack_integration::glance':
 class { 'openstack_integration::neutron':
 driver => 'ovn',
 ovn_metadata_agent_enabled => $ovn_metadata_agent_enabled,
+ vpnaas_enabled => $vpnaas_enabled
 }
 include openstack_integration::placement
 class { 'openstack_integration::nova':
@@ -88,4 +92,5 @@ class { 'openstack_integration::tempest':
 octavia => true,
 neutron_driver => 'ovn',
 image_format => 'raw',
+ vpnaas => $vpnaas_enabled,
 }
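Review bot: In the `@@ -25,11 +25,14 @@` hunk of fixtures/scenario005.pp the TODO does not say what has to happen before VPNaaS can be switched on for Debian. With `$vpnaas_enabled = false` there, the `'Debian'` arm of the new device-driver selector in manifests/neutron.pp (the `OvnStrongSwanDriver` value) is not exercised by this scenario. I would name the blocker in the comment, for example `# TODO(tkajinam): Enable VPNaaS on Debian once <blocking change or package> is available`, so the flag is not left off indefinitely. The enclosing `case` statement starts and ends outside the hunk.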
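Review bot: The added attribute `vpnaas_enabled => $vpnaas_enabled` in the `@@ -59,6 +62,7 @@` hunk has no trailing comma, while the other attributes visible in this resource and the `vpnaas => $vpnaas_enabled,` line added to the tempest class do. Suggest `vpnaas_enabled => $vpnaas_enabled,` so the next attribute added does not have to touch this line. The same point applies to the last entries of the selectors and the array added in manifests/neutron.pp (`default => '...LibreSwanDriver'`, `default => 'openswan'` and `'default'`), although those were carried over from the removed code.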
diff --git a/manifests/neutron.pp b/manifests/neutron.pp
index 7bdf7778f..dbac65c6e 100644
--- a/manifests/neutron.pp
+++ b/manifests/neutron.pp
@@ -61,9 +61,6 @@ class openstack_integration::neutron (
 if $metering_enabled {
 fail('Metering agent is not supported when ovn mechanism driver is used.')
 }
- if $vpnaas_enabled {
- fail('VPNaaS is not supported when ovn mechanism driver is used.')
- }
 if $bgpvpn_enabled {
 fail('BGP VPN is not supported when ovn mechanism driver is used.')
 }
@@ -158,7 +155,13 @@ class openstack_integration::neutron (
 if $driver == 'ovn' {
 $dhcp_agent_notification = false
- $plugins_list = ['qos', 'ovn-router', 'trunk']
+ $vpaaas_plugin = $vpnaas_enabled ? {
+ true => 'ovn-vpnaas',
+ default => undef,
+ }
+ $plugins_list = delete_undef_values([
+ 'qos', 'ovn-router', 'trunk', $vpaaas_plugin,
+ ])
 } else {
 $dhcp_agent_notification = true
 $metering_plugin = $metering_enabled ? {
@@ -281,7 +284,10 @@ class openstack_integration::neutron (
 }
 $rpc_workers = $driver ? {
- 'ovn' => 0,
+ 'ovn' => $vpnaas_enabled ? {
+ true => 2,
+ default => 0,
+ },
 default => 2,
 }
 $rpc_state_report_workers = $driver ? {
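Review bot: The new variable in the `@@ -158,7 +155,13 @@` hunk is spelled `$vpaaas_plugin`. It is used consistently on both lines, so the manifest works, but the misspelling will not turn up in a search for `vpnaas`. Rename it in both places: `$vpnaas_plugin = $vpnaas_enabled ? {` and `'qos', 'ovn-router', 'trunk', $vpnaas_plugin,`. The `else` branch that follows continues outside the hunk.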
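Review bot: The `@@ -281,7 +284,10 @@` hunk raises `rpc_workers` from 0 to 2 for the ovn driver when VPNaaS is enabled, and nothing in the manifest says why. Presumably the OVN VPN agent reaches neutron-server over RPC and so needs RPC workers that a plain ML2/OVN deployment does not. If that is the reason, a comment above the selector such as `# The OVN VPN agent talks to neutron-server over RPC, so RPC workers are required when VPNaaS is enabled` would keep someone from resetting it to 0. The neighbouring `$rpc_state_report_workers` selector is cut off by the hunk, so I cannot tell whether it needs the same treatment.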
@@ -405,6 +411,23 @@ class openstack_integration::neutron (
 ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
 }
 }
+
+ $vpn_device_driver = $facts['os']['family'] ? {
+ 'Debian' => 'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnStrongSwanDriver',
+ default => 'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnLibreSwanDriver',
+ }
+ $vpnaas_driver = 'neutron_vpnaas.services.vpn.service_drivers.ovn_ipsec.IPsecOvnVPNDriver'
+ if $vpnaas_enabled {
+ class { 'neutron::agents::vpnaas::ovn':
+ debug => true,
+ vpn_device_driver => $vpn_device_driver,
+ interface_driver => 'openvswitch',
+ ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
+ ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
+ ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
+ ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
+ }
+ }
 } else {
 class { 'neutron::agents::metadata':
 debug => true,
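Review bot: The new `neutron::agents::vpnaas::ovn` resource is given `/etc/neutron/ovnsb-privkey.pem`, `/etc/neutron/ovnsb-cert.pem` and `/etc/neutron/switchcacert.pem` as string literals, and the resource that ends just above it already passes the same CA path, so the TLS material for the southbound connection is now spelled out in more than one place. Nothing in the hunk shows where the private key file is created or with what owner and mode, so it is worth confirming that the VPN agent's service user can read it and that it is not readable more widely. Hoisting the three paths into variables shared by the OVN agents would keep them in step if the location ever changes. The `if $driver == 'ovn'` branch this code sits in starts outside the hunk.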
@@ -435,29 +458,19 @@ class openstack_integration::neutron (
 debug => true,
 }
 }
- if $vpnaas_enabled {
- $vpn_device_driver = $facts['os']['family'] ? {
- 'Debian' => 'neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver',
- default => 'neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver'
- }
- $service_provider_name = $facts['os']['family'] ? {
- 'Debian' => 'strongswan',
- default => 'openswan'
- }
- class { 'neutron::services::vpnaas':
- service_providers => join([
- 'VPN',
- $service_provider_name,
- 'neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver',
- 'default'
- ], ':')
- }
+ $vpn_device_driver = $facts['os']['family'] ? {
+ 'Debian' => 'neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver',
+ default => 'neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver'
+ }
+ $vpnaas_driver = 'neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver'
+ if $vpnaas_enabled {
 class { 'neutron::agents::vpnaas':
 vpn_device_driver => $vpn_device_driver,
 interface_driver => $driver,
 }
 }
+
 if $taas_enabled {
 class { 'neutron::agents::taas': }
 class { 'neutron::services::taas': }
@@ -483,6 +496,22 @@ class openstack_integration::neutron (
 }
 }
+ if $vpnaas_enabled {
+ $vpnaas_service_provider = $facts['os']['family'] ? {
+ 'Debian' => 'strongswan',
+ default => 'openswan'
+ }
+
+ class { 'neutron::services::vpnaas':
+ service_providers => join([
+ 'VPN',
+ $vpnaas_service_provider,
+ $vpnaas_driver,
+ 'default'
+ ], ':')
+ }
+ }
+
 if $baremetal_enabled {
 class { 'neutron::plugins::ml2::networking_baremetal': }
 class { 'neutron::agents::ml2::networking_baremetal':
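Review bot: `$vpnaas_driver` is read in the `@@ -483,6 +496,22 @@` hunk but assigned in two other places, the ovn branch (`@@ -405,6 +411,23 @@`) and the `else` branch (`@@ -435,29 +458,19 @@`), and nothing at the point of use says so. A driver branch added later without that assignment would presumably pass an undefined value to `join()` and yield a malformed `service_providers` entry, or fail compilation where strict variables are enforced. A comment such as `# $vpnaas_driver is set in the driver-specific branch above` would make the dependency visible. Alternatively the service driver could be chosen right here with a selector on `$driver`, next to `$vpnaas_service_provider`.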