Add VPNaaS OVN support
At the moment it is possible to deploy VPNaaS for non-OVN environments only. The OVN implementation is slightly different and requires a standalone agent to run on the gateway hosts where the OVN router is active. This agent spawns namespaces, as the existing implementation does, and talks to the API through RPC. A more detailed spec on the feature can be found here [1]. A configuration reference is also being written [2]. [1] https://opendev.org/openstack/neutron-specs/src/branch/master/specs/xena/vpnaas-ovn.rst [2] https://review.opendev.org/c/openstack/neutron-vpnaas/+/895651 Change-Id: Idb223ee0d8187f372682aafda1b8d6fd78cb71d1 Change-Id: Iad163ac7b032a97bd49164d94490b0f0deb83d90
This commit is contained in:
parent
601c66666f
commit
4e855db6b2
@ -498,6 +498,8 @@ neutron_vpnaas_service_provider: "{{ _neutron_vpnaas_service_provider }}"
|
||||
# condition: "{{ ansible_facts['os_family'] | lower == 'debian' }}"
|
||||
|
||||
neutron_vpnaas_custom_config: []
|
||||
neutron_ovn_vpn_agent_overrides: {}
|
||||
neutron_ovn_vpn_agent_init_overrides: {}
|
||||
|
||||
# OVN Defaults
|
||||
neutron_ovn_ssl: True
|
||||
|
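Review bot: The new defaults `neutron_ovn_vpn_agent_overrides: {}` and `neutron_ovn_vpn_agent_init_overrides: {}` carry no comment saying what they feed, and they sit above the `# OVN Defaults` header rather than under it even though they are OVN-specific. A one-line comment such as `# Config overrides for the neutron-ovn-vpn-agent service (neutron_ovn_vpn_agent.ini) and its systemd unit` above the pair, or moving them under the `# OVN Defaults` header, would make the grouping clear; the new `neutron_services` entry in this change consumes them as `config_overrides` and `init_config_overrides`. Which two lines are the additions is inferred from the hunk counts, since this page does not mark them.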
@ -12,6 +12,8 @@ cp: RegExpFilter, cp, root, cp, -a, .*, .*/strongswan.d
|
||||
ip: IpFilter, ip, root
|
||||
ip_exec: IpNetnsExecFilter, ip, root
|
||||
ipsec: CommandFilter, ipsec, root
|
||||
sysctl_ip4_forward: RegExpFilter, sysctl, root, sysctl, -w, net.ipv4.ip_forward=1
|
||||
sysctl_ip6_forward: RegExpFilter, sysctl, root, sysctl, -w, net.ipv6.conf.all.forwarding=1
|
||||
rm: RegExpFilter, rm, root, rm, -rf, (.*/strongswan.d|.*/ipsec/[0-9a-z-]+)
|
||||
rm_file: RegExpFilter, rm, root, rm, -f, .*/ipsec.secrets
|
||||
strongswan: CommandFilter, strongswan, root
|
||||
|
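Review bot: The sysctl filters (`sysctl_ip4_forward`, `sysctl_ip6_forward`), which appear to be the two lines this hunk adds, are RegExpFilter entries whose `.` characters are unescaped, so the allow-list matches any single character in those positions rather than the literal key. oslo.rootwrap anchors each RegExpFilter pattern at the end of the argument, so the practical exposure is small, but escaping keeps the allow-list exact: `sysctl_ip4_forward: RegExpFilter, sysctl, root, sysctl, -w, net\.ipv4\.ip_forward=1` and `sysctl_ip6_forward: RegExpFilter, sysctl, root, sysctl, -w, net\.ipv6\.conf\.all\.forwarding=1`. Since this filter file is now referenced by both the L3-agent VPN path and the new `neutron-ovn-vpn-agent` service, a full-line comment above the two entries noting which agent needs them would help anyone auditing the rootwrap surface later.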
@ -200,7 +200,7 @@
|
||||
loop: "{{ neutron_vpnaas_custom_config }}"
|
||||
when:
|
||||
- neutron_vpnaas_custom_config | length > 0
|
||||
- neutron_services['neutron-l3-agent']['group'] in group_names
|
||||
- (neutron_services['neutron-l3-agent']['group'] in group_names) or (neutron_services['neutron-ovn-vpn-agent']['group'] in group_names)
|
||||
- item.condition | default(True)
|
||||
|
||||
- name: Stop haproxy service on debian derivatives with standalone network nodes
|
||||
|
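--- /dev/null
+++ b/templates/neutron_ovn_vpn_agent.ini.j2
@@ -0,0 +1,22 @@
+# {{ ansible_managed }}
+
+[DEFAULT]
+interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+
+[AGENT]
+extensions = vpnaas
+
+[vpnagent]
+vpn_device_driver = {{ neutron_driver_vpnaas }}
+
+[ovs]
+ovsdb_connection = {{ neutron_ovsdb_manager_connection }}
+ovsdb_connection_timeout = 180
+
+[ovn]
+ovn_sb_connection = {{ neutron_ovn_sb_connection }}
+{% if neutron_ovn_ssl %}
+ovn_sb_ca_cert = {{ [neutron_conf_version_dir, neutron_ovn_ssl_ca_cert] | join('/') }}
+ovn_sb_certificate = {{ [neutron_conf_version_dir, neutron_ovn_ssl_cert] | join('/') }}
+ovn_sb_private_key = {{ [neutron_conf_version_dir, neutron_ovn_ssl_key] | join('/') }}
+{% endif %}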
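Review bot: The southbound-DB TLS settings are gated on `{% if neutron_ovn_ssl %}`, and a deployer override supplied as a string such as `neutron_ovn_ssl: "false"` is truthy in Jinja, so the CA/cert/key lines would be emitted (or, for a string "true" on the other branch, behave as expected only by accident); the guard should be `{% if neutron_ovn_ssl | bool %}`, matching the `| bool` casts the role applies to other flags such as `neutron_vpnaas | bool`. The default in this change is the boolean `True`, so only overridden values are affected. `ovsdb_connection_timeout = 180` would also read better with a unit note on its own line above it, e.g. `# seconds`, rather than a trailing comment, since ini parsers do not reliably support inline comments.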
@ -104,8 +104,21 @@ neutron_lxb_distro_packages:
|
||||
neutron_vpnaas_distro_packages:
|
||||
- strongswan
|
||||
|
||||
_neutron_driver_vpnaas: neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
|
||||
_neutron_vpnaas_service_provider: VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
|
||||
_neutron_driver_vpnaas: >-
|
||||
{{
|
||||
(neutron_plugin_type == 'ml2.ovn') | ternary(
|
||||
'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnStrongSwanDriver',
|
||||
'neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver'
|
||||
)
|
||||
}}
|
||||
|
||||
_neutron_vpnaas_service_provider: >-
|
||||
{{
|
||||
(neutron_plugin_type == 'ml2.ovn') | ternary(
|
||||
'VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ovn_ipsec.IPsecOvnVPNDriver:default',
|
||||
'VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default'
|
||||
)
|
||||
}}
|
||||
|
||||
neutron_metadata_agent_distro_packages:
|
||||
- haproxy
|
||||
|
@ -39,7 +39,8 @@ neutron_package_list: |-
|
||||
{% if neutron_services['neutron-l3-agent']['group'] in group_names and neutron_fwaas_v2 | bool %}
|
||||
{% set _ = packages.extend(neutron_optional_fwaas_distro_packages) %}
|
||||
{% endif %}
|
||||
{% if neutron_services['neutron-l3-agent']['group'] in group_names and neutron_vpnaas | bool %}
|
||||
{% if (neutron_services['neutron-l3-agent']['group'] in group_names or
|
||||
neutron_services['neutron-ovn-vpn-agent']['group'] in group_names) and neutron_vpnaas | bool %}
|
||||
{% set _ = packages.extend(neutron_vpnaas_distro_packages) %}
|
||||
{% set _ = packages.extend(neutron_optional_vpnaas_distro_packages) %}
|
||||
{% endif %}
|
||||
|
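Review bot: The widened condition installs `neutron_vpnaas_distro_packages` on every host in the `neutron-ovn-vpn-agent` group whenever `neutron_vpnaas` is true, whereas the service itself is only enabled when `neutron_plugin_type == 'ml2.ovn'` via its `service_en` in `neutron_services`. Keying on the service flag, as the linuxbridge condition in the sibling package-list template does with `neutron_services['neutron-linuxbridge-agent'].service_en | bool`, keeps package installation and service enablement in step: `{% if (neutron_services['neutron-l3-agent']['group'] in group_names or (neutron_services['neutron-ovn-vpn-agent']['group'] in group_names and neutron_services['neutron-ovn-vpn-agent'].service_en | bool)) and neutron_vpnaas | bool %}`. On a non-OVN deployment the gateway group is presumably empty, so this is a consistency point rather than a broken install. The enclosing `neutron_package_list` block starts before this hunk.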
@ -284,7 +284,7 @@ neutron_fwaas_v2: "{{ ('firewall_v2' in neutron_plugin_base) | ternary('True', '
|
||||
###
|
||||
|
||||
# Please add the 'vpnaas' to the neutron_plugin_base list
|
||||
neutron_vpnaas: "{% if 'vpnaas' in neutron_plugin_base %}True{% else %}False{% endif %}"
|
||||
neutron_vpnaas: "{{ ('vpnaas' in neutron_plugin_base or 'ovn-vpnaas' in neutron_plugin_base) }}"
|
||||
|
||||
## Neutron Dynamic Routing Agent's BGP Plugin Configuration
|
||||
# To enable the BGP plugin, add the following item to the neutron_plugin_base list:
|
||||
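Review bot: The comment above the changed line still reads `# Please add the 'vpnaas' to the neutron_plugin_base list`, but the new expression also accepts `'ovn-vpnaas'`, so the guidance is now incomplete for ML2/OVN deployments. Suggested replacement: `# Please add 'vpnaas' (or 'ovn-vpnaas' for ML2/OVN deployments) to the neutron_plugin_base list`. Note that the value now renders as a Jinja boolean rather than the literal strings 'True'/'False' produced by the old `{% if %}` form; the consumers visible in this change still cast with `neutron_vpnaas | bool`, so they are unaffected, but any bare use of the variable should keep the cast.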
@ -525,6 +525,21 @@ neutron_services:
|
||||
config_type: "ini"
|
||||
init_config_overrides: "{{ neutron_ovn_metadata_agent_init_overrides }}"
|
||||
start_order: 3
|
||||
neutron-ovn-vpn-agent:
|
||||
group: neutron_ovn_gateway
|
||||
systemd_lock_dir: /run/lock/neutron-ovn-vpn-agent
|
||||
service_name: neutron-ovn-vpn-agent
|
||||
service_en: "{{ neutron_vpnaas and neutron_plugin_type == 'ml2.ovn' }}"
|
||||
service_conf_path: "{{ neutron_conf_version_dir }}"
|
||||
service_conf: neutron_ovn_vpn_agent.ini
|
||||
service_rootwrap: rootwrap.d/vpnaas.filters
|
||||
execstarts: >-
|
||||
{{ neutron_bin }}/neutron-ovn-vpn-agent --config-file {{ neutron_conf_dir }}/neutron.conf
|
||||
--config-file {{ neutron_conf_dir }}/neutron_ovn_vpn_agent.ini
|
||||
config_overrides: "{{ neutron_ovn_vpn_agent_overrides }}"
|
||||
config_type: "ini"
|
||||
init_config_overrides: "{{ neutron_ovn_vpn_agent_init_overrides }}"
|
||||
start_order: 4
|
||||
ironic-neutron-agent:
|
||||
group: ironic_neutron_agent
|
||||
service_name: ironic-neutron-agent
|
||||
|
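Review bot: `service_en: "{{ neutron_vpnaas and neutron_plugin_type == 'ml2.ovn' }}"` uses `neutron_vpnaas` without the `| bool` cast the rest of the role applies (`neutron_vpnaas | bool` in the package-list templates); if the variable reaches this expression as the string 'False' — for instance from a deployer override — the string is truthy and the agent would be enabled on every `neutron_ovn_gateway` host with VPNaaS switched off. `service_en: "{{ neutron_vpnaas | bool and neutron_plugin_type == 'ml2.ovn' }}"` closes that gap. A one-line comment on `service_rootwrap: rootwrap.d/vpnaas.filters` noting that the agent shares the L3-agent VPN allow-list would also help, since additions to that filter file now widen the root-executable surface on gateway hosts as well. The enclosing `neutron_services` map starts before this hunk.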
@ -95,8 +95,21 @@ neutron_lxb_distro_packages:
|
||||
neutron_vpnaas_distro_packages:
|
||||
- libreswan
|
||||
|
||||
_neutron_driver_vpnaas: neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver
|
||||
_neutron_vpnaas_service_provider: VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
|
||||
_neutron_driver_vpnaas: >-
|
||||
{{
|
||||
(neutron_plugin_type == 'ml2.ovn') | ternary(
|
||||
'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnLibreSwanDriver',
|
||||
'neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver'
|
||||
)
|
||||
}}
|
||||
|
||||
_neutron_vpnaas_service_provider: >-
|
||||
{{
|
||||
(neutron_plugin_type == 'ml2.ovn') | ternary(
|
||||
'VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ovn_ipsec.IPsecOvnVPNDriver:default',
|
||||
'VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default'
|
||||
)
|
||||
}}
|
||||
|
||||
neutron_metadata_agent_distro_packages:
|
||||
- haproxy
|
||||
|
@ -34,7 +34,8 @@ neutron_package_list: |-
|
||||
{% if neutron_services['neutron-linuxbridge-agent']['group'] in group_names and neutron_services['neutron-linuxbridge-agent'].service_en | bool %}
|
||||
{% set _ = packages.extend(neutron_lxb_distro_packages) %}
|
||||
{% endif %}
|
||||
{% if neutron_services['neutron-l3-agent']['group'] in group_names and neutron_vpnaas | bool %}
|
||||
{% if (neutron_services['neutron-l3-agent']['group'] in group_names or
|
||||
neutron_services['neutron-ovn-vpn-agent']['group'] in group_names) and neutron_vpnaas | bool %}
|
||||
{% set _ = packages.extend(neutron_vpnaas_distro_packages) %}
|
||||
{% endif %}
|
||||
{% if neutron_services['neutron-metadata-agent']['group'] in group_names %}
|
||||
|
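Review bot: The new condition installs `neutron_vpnaas_distro_packages` on any host in the `neutron-ovn-vpn-agent` group as soon as `neutron_vpnaas` is true, while the linuxbridge entry two lines above gates on `neutron_services['neutron-linuxbridge-agent'].service_en | bool`; the OVN VPN agent's `service_en` additionally requires `neutron_plugin_type == 'ml2.ovn'`, so the two checks can diverge. Following the linuxbridge pattern keeps them aligned: `{% if (neutron_services['neutron-l3-agent']['group'] in group_names or (neutron_services['neutron-ovn-vpn-agent']['group'] in group_names and neutron_services['neutron-ovn-vpn-agent'].service_en | bool)) and neutron_vpnaas | bool %}`. The gateway group is presumably empty on non-OVN deployments, so this is about consistency rather than a misbehaving install. The enclosing `neutron_package_list` block starts before this hunk.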