Add VPNaaS OVN support

At the moment it's possible to deploy VPNaaS for non-OVN environments only.
The OVN implementation is slightly different and requires a standalone agent to
run on gateway hosts, where the OVN router is active.

This agent spawns namespaces as it used to and talks to the API through RPC.

More detailed spec on the feature can be found here [1]. There's also
configuration reference in progress of writing [2].

[1] https://opendev.org/openstack/neutron-specs/src/branch/master/specs/xena/vpnaas-ovn.rst
[2] https://review.opendev.org/c/openstack/neutron-vpnaas/+/895651
Change-Id: Idb223ee0d8187f372682aafda1b8d6fd78cb71d1

Change-Id: Iad163ac7b032a97bd49164d94490b0f0deb83d90
Dmitriy Rabotyagov 2024-02-07 19:17:58 +01:00 committed by Dmitriy Rabotyagov
parent 601c66666f
commit 4e855db6b2
9 changed files with 77 additions and 8 deletions


@ -498,6 +498,8 @@ neutron_vpnaas_service_provider: "{{ _neutron_vpnaas_service_provider }}"
# condition: "{{ ansible_facts['os_family'] | lower == 'debian' }}"
neutron_vpnaas_custom_config: []
neutron_ovn_vpn_agent_overrides: {}
neutron_ovn_vpn_agent_init_overrides: {}
# OVN Defaults
neutron_ovn_ssl: True
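Review bot: The two new override dictionaries `neutron_ovn_vpn_agent_overrides` and `neutron_ovn_vpn_agent_init_overrides` are introduced without any comment saying what they feed, so a deployer reading defaults/main.yml cannot tell them from the other `*_overrides` variables. Since they are consumed as `config_overrides` and `init_config_overrides` of the new `neutron-ovn-vpn-agent` service entry, a comment such as `# Overrides applied to neutron_ovn_vpn_agent.ini (config) and, presumably, to the neutron-ovn-vpn-agent unit (init)` above them would make that explicit. The `neutron_ovn_ssl: True` line is pre-existing context and is not part of this change.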


@ -12,6 +12,8 @@ cp: RegExpFilter, cp, root, cp, -a, .*, .*/strongswan.d
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
ipsec: CommandFilter, ipsec, root
sysctl_ip4_forward: RegExpFilter, sysctl, root, sysctl, -w, net.ipv4.ip_forward=1
sysctl_ip6_forward: RegExpFilter, sysctl, root, sysctl, -w, net.ipv6.conf.all.forwarding=1
rm: RegExpFilter, rm, root, rm, -rf, (.*/strongswan.d|.*/ipsec/[0-9a-z-]+)
rm_file: RegExpFilter, rm, root, rm, -f, .*/ipsec.secrets
strongswan: CommandFilter, strongswan, root
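Review bot: The two new `sysctl` entries are pinned to the exact argument list (`-w net.ipv4.ip_forward=1` / `net.ipv6.conf.all.forwarding=1`), which keeps the rootwrap grant narrow, but nothing in the filter file says which code path issues them, and the rest of the file is uncommented too. A one-line comment above `sysctl_ip4_forward`, e.g. `# Forwarding sysctls issued by the OVN IPsec device driver (presumably inside the VPN namespace)`, would tell a future reviewer why a broad `CommandFilter` for sysctl is deliberately avoided. Whether the OVN driver is the only caller is inferred from the commit, not visible in the hunk.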


@ -200,7 +200,7 @@
loop: "{{ neutron_vpnaas_custom_config }}"
when:
- neutron_vpnaas_custom_config | length > 0
- neutron_services['neutron-l3-agent']['group'] in group_names
- (neutron_services['neutron-l3-agent']['group'] in group_names) or (neutron_services['neutron-ovn-vpn-agent']['group'] in group_names)
- item.condition | default(True)
- name: Stop haproxy service on debian derivatives with standalone network nodes
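Review bot: The compound membership test `(neutron_services['neutron-l3-agent']['group'] in group_names) or (neutron_services['neutron-ovn-vpn-agent']['group'] in group_names)` is now spelled out here and again in the two package-list templates (the `{% if (... or ...) and neutron_vpnaas | bool %}` blocks at L108-L109 and L177-L178), so the three can drift apart if a further agent group is added later. Computing it once as a boolean variable (e.g. `neutron_vpnaas_agent_host`, illustrative name) and using `- neutron_vpnaas_agent_host | bool` in this `when:` list, with the templates reading the same variable, would keep the decision in one place. The enclosing task starts before this hunk.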


@ -0,0 +1,22 @@
# {{ ansible_managed }}
[DEFAULT]
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
[AGENT]
extensions = vpnaas
[vpnagent]
vpn_device_driver = {{ neutron_driver_vpnaas }}
[ovs]
ovsdb_connection = {{ neutron_ovsdb_manager_connection }}
ovsdb_connection_timeout = 180
[ovn]
ovn_sb_connection = {{ neutron_ovn_sb_connection }}
{% if neutron_ovn_ssl %}
ovn_sb_ca_cert = {{ [neutron_conf_version_dir, neutron_ovn_ssl_ca_cert] | join('/') }}
ovn_sb_certificate = {{ [neutron_conf_version_dir, neutron_ovn_ssl_cert] | join('/') }}
ovn_sb_private_key = {{ [neutron_conf_version_dir, neutron_ovn_ssl_key] | join('/') }}
{% endif %}
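Review bot: The `[ovn]` section points `ovn_sb_ca_cert`, `ovn_sb_certificate` and `ovn_sb_private_key` at files under `neutron_conf_version_dir` on the hosts where the new agent runs (the `neutron_ovn_gateway` group), but nothing in this commit shows those files being placed there; if the role only distributes the OVN SSL material to hosts running other OVN agents, the agent will fail to open its southbound connection when `neutron_ovn_ssl` is true. This is inferred from the template alone and should be confirmed against the tasks that deploy the certificates. Separately, `ovsdb_connection_timeout = 180` is a bare literal; a comment such as `# raised from the oslo default because … (reason)` or, if it is simply a copy of another agent template, `# keep in sync with the other OVN agent templates`, would document why this value was chosen.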


@ -104,8 +104,21 @@ neutron_lxb_distro_packages:
neutron_vpnaas_distro_packages:
- strongswan
_neutron_driver_vpnaas: neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
_neutron_vpnaas_service_provider: VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
_neutron_driver_vpnaas: >-
{{
(neutron_plugin_type == 'ml2.ovn') | ternary(
'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnStrongSwanDriver',
'neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver'
)
}}
_neutron_vpnaas_service_provider: >-
{{
(neutron_plugin_type == 'ml2.ovn') | ternary(
'VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ovn_ipsec.IPsecOvnVPNDriver:default',
'VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default'
)
}}
neutron_metadata_agent_distro_packages:
- haproxy
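Review bot: The `ternary` on `neutron_plugin_type == 'ml2.ovn'` is written out twice in this file and again, with only the class names swapped, in the second distro vars file (L153-L166), so the plugin-type decision is now maintained in four places. A smaller shape is to keep only the four driver/provider class strings as plain per-distro variables and build `_neutron_driver_vpnaas` and `_neutron_vpnaas_service_provider` once, in shared vars, from those names. Whichever layout is kept, a one-line comment above the first block, e.g. `# ML2/OVN uses the OVN-aware device and service drivers; all other plugins keep the namespace-based ones`, would explain the switch to a reader who has not seen the VPNaaS OVN spec.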


@ -39,7 +39,8 @@ neutron_package_list: |-
{% if neutron_services['neutron-l3-agent']['group'] in group_names and neutron_fwaas_v2 | bool %}
{% set _ = packages.extend(neutron_optional_fwaas_distro_packages) %}
{% endif %}
{% if neutron_services['neutron-l3-agent']['group'] in group_names and neutron_vpnaas | bool %}
{% if (neutron_services['neutron-l3-agent']['group'] in group_names or
neutron_services['neutron-ovn-vpn-agent']['group'] in group_names) and neutron_vpnaas | bool %}
{% set _ = packages.extend(neutron_vpnaas_distro_packages) %}
{% set _ = packages.extend(neutron_optional_vpnaas_distro_packages) %}
{% endif %}


@ -284,7 +284,7 @@ neutron_fwaas_v2: "{{ ('firewall_v2' in neutron_plugin_base) | ternary('True', '
###
# Please add the 'vpnaas' to the neutron_plugin_base list
neutron_vpnaas: "{% if 'vpnaas' in neutron_plugin_base %}True{% else %}False{% endif %}"
neutron_vpnaas: "{{ ('vpnaas' in neutron_plugin_base or 'ovn-vpnaas' in neutron_plugin_base) }}"
## Neutron Dynamic Routing Agent's BGP Plugin Configuration
# To enable the BGP plugin, add the following item to the neutron_plugin_base list:
@ -525,6 +525,21 @@ neutron_services:
config_type: "ini"
init_config_overrides: "{{ neutron_ovn_metadata_agent_init_overrides }}"
start_order: 3
neutron-ovn-vpn-agent:
group: neutron_ovn_gateway
systemd_lock_dir: /run/lock/neutron-ovn-vpn-agent
service_name: neutron-ovn-vpn-agent
service_en: "{{ neutron_vpnaas and neutron_plugin_type == 'ml2.ovn' }}"
service_conf_path: "{{ neutron_conf_version_dir }}"
service_conf: neutron_ovn_vpn_agent.ini
service_rootwrap: rootwrap.d/vpnaas.filters
execstarts: >-
{{ neutron_bin }}/neutron-ovn-vpn-agent --config-file {{ neutron_conf_dir }}/neutron.conf
--config-file {{ neutron_conf_dir }}/neutron_ovn_vpn_agent.ini
config_overrides: "{{ neutron_ovn_vpn_agent_overrides }}"
config_type: "ini"
init_config_overrides: "{{ neutron_ovn_vpn_agent_init_overrides }}"
start_order: 4
ironic-neutron-agent:
group: ironic_neutron_agent
service_name: ironic-neutron-agent
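Review bot: The comment above `neutron_vpnaas` in the first hunk still reads `# Please add the 'vpnaas' to the neutron_plugin_base list`, while the new expression also accepts `'ovn-vpnaas'`, so the documented way to enable the feature on an OVN deployment is now missing; change it to `# Please add 'vpnaas' (or 'ovn-vpnaas' for ML2/OVN deployments) to the neutron_plugin_base list`. In the second hunk `service_en: "{{ neutron_vpnaas and neutron_plugin_type == 'ml2.ovn' }}"` uses `neutron_vpnaas` bare, whereas the package-list templates in this commit consistently test it as `neutron_vpnaas | bool`; if the templated value ever arrives as the string "False" the bare form would evaluate truthy, so `service_en: "{{ neutron_vpnaas | bool and neutron_plugin_type == 'ml2.ovn' }}"` is the safer and more consistent spelling. Whether Ansible hands a real boolean here is not visible in the hunk, hence the hedge.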


@ -95,8 +95,21 @@ neutron_lxb_distro_packages:
neutron_vpnaas_distro_packages:
- libreswan
_neutron_driver_vpnaas: neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver
_neutron_vpnaas_service_provider: VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
_neutron_driver_vpnaas: >-
{{
(neutron_plugin_type == 'ml2.ovn') | ternary(
'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnLibreSwanDriver',
'neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver'
)
}}
_neutron_vpnaas_service_provider: >-
{{
(neutron_plugin_type == 'ml2.ovn') | ternary(
'VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ovn_ipsec.IPsecOvnVPNDriver:default',
'VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default'
)
}}
neutron_metadata_agent_distro_packages:
- haproxy


@ -34,7 +34,8 @@ neutron_package_list: |-
{% if neutron_services['neutron-linuxbridge-agent']['group'] in group_names and neutron_services['neutron-linuxbridge-agent'].service_en | bool %}
{% set _ = packages.extend(neutron_lxb_distro_packages) %}
{% endif %}
{% if neutron_services['neutron-l3-agent']['group'] in group_names and neutron_vpnaas | bool %}
{% if (neutron_services['neutron-l3-agent']['group'] in group_names or
neutron_services['neutron-ovn-vpn-agent']['group'] in group_names) and neutron_vpnaas | bool %}
{% set _ = packages.extend(neutron_vpnaas_distro_packages) %}
{% endif %}
{% if neutron_services['neutron-metadata-agent']['group'] in group_names %}