From 4e855db6b2f4e04242e4ef38f12367ed4f564329 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Wed, 7 Feb 2024 19:17:58 +0100
Subject: [PATCH] Add VPNaaS OVN support

At the moment it's possible to deploy VPNaaS for non-OVN environemnts only. OVN implementation is slighly different and requires a standalone agent to run on gateway hosts, where OVN router is active. This agent spawns namespaces as used to do and talks through RPC with API. More detailed spec on the feature can be found here [1]. There's also configuration reference in progress of writing [2].
[1] https://opendev.org/openstack/neutron-specs/src/branch/master/specs/xena/vpnaas-ovn.rst
[2] https://review.opendev.org/c/openstack/neutron-vpnaas/+/895651
Change-Id: Idb223ee0d8187f372682aafda1b8d6fd78cb71d1
Change-Id: Iad163ac7b032a97bd49164d94490b0f0deb83d90
---
 defaults/main.yml | 2 ++
 files/rootwrap.d/vpnaas.filters | 2 ++
 tasks/neutron_post_install.yml | 2 +-
 templates/neutron_ovn_vpn_agent.ini.j2 | 22 ++++++++++++++++++++++
 vars/debian.yml | 17 +++++++++++++++--
 vars/distro_install.yml | 3 ++-
 vars/main.yml | 17 ++++++++++++++++-
 vars/redhat.yml | 17 +++++++++++++++--
 vars/source_install.yml | 3 ++-
 9 files changed, 77 insertions(+), 8 deletions(-)
 create mode 100644 templates/neutron_ovn_vpn_agent.ini.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index b08914ec..1e76449a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -498,6 +498,8 @@ neutron_vpnaas_service_provider: "{{ _neutron_vpnaas_service_provider }}"
 # condition: "{{ ansible_facts['os_family'] | lower == 'debian' }}"
 neutron_vpnaas_custom_config: []
+neutron_ovn_vpn_agent_overrides: {}
+neutron_ovn_vpn_agent_init_overrides: {}
 # OVN Defaults
 neutron_ovn_ssl: True
diff --git a/files/rootwrap.d/vpnaas.filters b/files/rootwrap.d/vpnaas.filters
index 846ac2d1..7d261533 100644
--- a/files/rootwrap.d/vpnaas.filters
+++ b/files/rootwrap.d/vpnaas.filters
@@ -12,6 +12,8 @@ cp: RegExpFilter, cp, root, cp, -a, .*, .*/strongswan.d
 ip: IpFilter, ip, root
 ip_exec: IpNetnsExecFilter, ip, root
 ipsec: CommandFilter, ipsec, root
+sysctl_ip4_forward: RegExpFilter, sysctl, root, sysctl, -w, net.ipv4.ip_forward=1
+sysctl_ip6_forward: RegExpFilter, sysctl, root, sysctl, -w, net.ipv6.conf.all.forwarding=1
 rm: RegExpFilter, rm, root, rm, -rf, (.*/strongswan.d|.*/ipsec/[0-9a-z-]+)
 rm_file: RegExpFilter, rm, root, rm, -f, .*/ipsec.secrets
 strongswan: CommandFilter, strongswan, root
diff --git a/tasks/neutron_post_install.yml b/tasks/neutron_post_install.yml
index 331cfee7..9b91c1c3 100644
--- a/tasks/neutron_post_install.yml
+++ b/tasks/neutron_post_install.yml
@@ -200,7 +200,7 @@
 loop: "{{ neutron_vpnaas_custom_config }}"
 when:
 - neutron_vpnaas_custom_config | length > 0
- - neutron_services['neutron-l3-agent']['group'] in group_names
+ - (neutron_services['neutron-l3-agent']['group'] in group_names) or (neutron_services['neutron-ovn-vpn-agent']['group'] in group_names)
 - item.condition | default(True)
 - name: Stop haproxy service on debian derivatives with standalone network nodes
diff --git a/templates/neutron_ovn_vpn_agent.ini.j2 b/templates/neutron_ovn_vpn_agent.ini.j2
new file mode 100644
index 00000000..3c8ad89f
--- /dev/null
+++ b/templates/neutron_ovn_vpn_agent.ini.j2
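Review bot: The two new `sysctl_ip4_forward` / `sysctl_ip6_forward` entries carry no comment saying which consumer needs them, so a later audit of this filter file cannot tell whether they are still required; a line such as `# forwarding is enabled by the OVN VPN agent inside the namespaces it spawns` above them would fix that. Both entries are pinned to the exact `-w key=1` argument list rather than a wildcard, which is the right scope for a root-privileged sysctl write and is worth stating in that comment so nobody loosens it later. Presumably the agent issues these through `ip netns exec`, which the existing `ip_exec` IpNetnsExecFilter re-validates against this same list — confirm, as that is what makes the separate sysctl entries necessary.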
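Review bot: The rewritten `when` item in the neutron_post_install.yml hunk packs both group tests into one long line with redundant parentheses, which is hard to scan in a list that is otherwise one condition per line; a folded scalar keeps it one `when` item (so the `or` survives the list's implicit AND) while reading cleanly: `- >-` / `neutron_services['neutron-l3-agent']['group'] in group_names or` / `neutron_services['neutron-ovn-vpn-agent']['group'] in group_names`. The task this condition belongs to starts outside the hunk, so I cannot see whether its name was updated to mention the OVN agent; if it still says "L3 agent", it should not.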
@@ -0,0 +1,22 @@
+# {{ ansible_managed }}
+
+[DEFAULT]
+interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
+
+[AGENT]
+extensions = vpnaas
+
+[vpnagent]
+vpn_device_driver = {{ neutron_driver_vpnaas }}
+
+[ovs]
+ovsdb_connection = {{ neutron_ovsdb_manager_connection }}
+ovsdb_connection_timeout = 180
+
+[ovn]
+ovn_sb_connection = {{ neutron_ovn_sb_connection }}
+{% if neutron_ovn_ssl %}
+ovn_sb_ca_cert = {{ [neutron_conf_version_dir, neutron_ovn_ssl_ca_cert] | join('/') }}
+ovn_sb_certificate = {{ [neutron_conf_version_dir, neutron_ovn_ssl_cert] | join('/') }}
+ovn_sb_private_key = {{ [neutron_conf_version_dir, neutron_ovn_ssl_key] | join('/') }}
+{% endif %}
diff --git a/vars/debian.yml b/vars/debian.yml
index 8b939c95..b4298da4 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -104,8 +104,21 @@ neutron_lxb_distro_packages:
 neutron_vpnaas_distro_packages:
 - strongswan
-_neutron_driver_vpnaas: neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
-_neutron_vpnaas_service_provider: VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
+_neutron_driver_vpnaas: >-
+ {{
+ (neutron_plugin_type == 'ml2.ovn') | ternary(
+ 'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnStrongSwanDriver',
+ 'neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver'
+ )
+ }}
+
+_neutron_vpnaas_service_provider: >-
+ {{
+ (neutron_plugin_type == 'ml2.ovn') | ternary(
+ 'VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ovn_ipsec.IPsecOvnVPNDriver:default',
+ 'VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default'
+ )
+ }}
 neutron_metadata_agent_distro_packages:
 - haproxy
diff --git a/vars/distro_install.yml b/vars/distro_install.yml
index 6bd45a0f..4675ed1c 100644
--- a/vars/distro_install.yml
+++ b/vars/distro_install.yml
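Review bot: The `[ovn]` block of the new template points the agent at `neutron_ovn_ssl_key` under `neutron_conf_version_dir`, but nothing in this change shows how that private key and the certificates reach the `neutron_ovn_gateway` hosts or what mode they get; if the existing OVN agent tasks already distribute them there, a header comment saying so (`# TLS material under neutron_conf_version_dir is deployed by the OVN agent tasks; the key must stay readable by the neutron user only`) would save the next reader the search, and if they do not, the agent will fail to start with `neutron_ovn_ssl` at its default of True. `ovsdb_connection_timeout = 180` is the only literal in a file where every other value is a variable; a short comment on why the driver default is not used would help (it stays overridable through `neutron_ovn_vpn_agent_overrides`, which the vars/main.yml hunk wires to this file).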
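Review bot: The `neutron_plugin_type == 'ml2.ovn'` predicate is now spelled out four times — in both `_neutron_driver_vpnaas` and `_neutron_vpnaas_service_provider` here, and again in the matching vars/redhat.yml hunk — so a future change to how OVN is detected has four places to miss. A single shared fact such as `_neutron_vpnaas_ovn: "{{ neutron_plugin_type == 'ml2.ovn' }}"` (or whatever OVN predicate vars/main.yml may already define; I cannot see it from here) would let each ternary read `_neutron_vpnaas_ovn | ternary(...)`. A one-line comment above each pair, e.g. `# ML2/OVN uses the ovn_ipsec drivers; the classic L3 agent keeps the ipsec ones`, would also explain the branch to readers who do not know the two agent models.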
@@ -39,7 +39,8 @@ neutron_package_list: |-
 {% if neutron_services['neutron-l3-agent']['group'] in group_names and neutron_fwaas_v2 | bool %}
 {% set _ = packages.extend(neutron_optional_fwaas_distro_packages) %}
 {% endif %}
- {% if neutron_services['neutron-l3-agent']['group'] in group_names and neutron_vpnaas | bool %}
+ {% if (neutron_services['neutron-l3-agent']['group'] in group_names or
+ neutron_services['neutron-ovn-vpn-agent']['group'] in group_names) and neutron_vpnaas | bool %}
 {% set _ = packages.extend(neutron_vpnaas_distro_packages) %}
 {% set _ = packages.extend(neutron_optional_vpnaas_distro_packages) %}
 {% endif %}
diff --git a/vars/main.yml b/vars/main.yml
index a9de53da..214c8809 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -284,7 +284,7 @@ neutron_fwaas_v2: "{{ ('firewall_v2' in neutron_plugin_base) | ternary('True', '
 ###
 # Please add the 'vpnaas' to the neutron_plugin_base list
-neutron_vpnaas: "{% if 'vpnaas' in neutron_plugin_base %}True{% else %}False{% endif %}"
+neutron_vpnaas: "{{ ('vpnaas' in neutron_plugin_base or 'ovn-vpnaas' in neutron_plugin_base) }}"
 ## Neutron Dynamic Routing Agent's BGP Plugin Configuration
 # To enable the BGP plugin, add the following item to the neutron_plugin_base list:
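Review bot: The new `{% if ... %}` in `neutron_package_list` installs the IPsec packages on any host that is merely a member of the `neutron-ovn-vpn-agent` group, whereas the linuxbridge branch visible in the vars/source_install.yml hunk additionally checks `neutron_services['neutron-linuxbridge-agent'].service_en | bool`; gating the OVN branch the same way, `(neutron_services['neutron-ovn-vpn-agent']['group'] in group_names and neutron_services['neutron-ovn-vpn-agent'].service_en | bool)`, would keep strongswan/libreswan off gateway hosts where the agent stays disabled and avoid widening the root-privileged surface there for no benefit. The same applies to the vars/source_install.yml hunk. The `neutron_package_list: |-` block scalar begins above the hunk, so I cannot see whether a comment explains which groups it targets; one would help.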
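Review bot: The comment kept directly above the rewritten `neutron_vpnaas` line still says only `# Please add the 'vpnaas' to the neutron_plugin_base list`, although the expression now also honours `'ovn-vpnaas'`; it should become `# Please add 'vpnaas' (or 'ovn-vpnaas' when neutron_plugin_type is 'ml2.ovn') to the neutron_plugin_base list`. Note that the value changes type from the strings `True`/`False` produced by the old `{% if %}` form to a native Jinja boolean; the install hunks already pass it through `| bool`, so only consumers that use it bare are affected.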
@@ -525,6 +525,21 @@ neutron_services:
 config_type: "ini"
 init_config_overrides: "{{ neutron_ovn_metadata_agent_init_overrides }}"
 start_order: 3
+ neutron-ovn-vpn-agent:
+ group: neutron_ovn_gateway
+ systemd_lock_dir: /run/lock/neutron-ovn-vpn-agent
+ service_name: neutron-ovn-vpn-agent
+ service_en: "{{ neutron_vpnaas and neutron_plugin_type == 'ml2.ovn' }}"
+ service_conf_path: "{{ neutron_conf_version_dir }}"
+ service_conf: neutron_ovn_vpn_agent.ini
+ service_rootwrap: rootwrap.d/vpnaas.filters
+ execstarts: >-
+ {{ neutron_bin }}/neutron-ovn-vpn-agent --config-file {{ neutron_conf_dir }}/neutron.conf
+ --config-file {{ neutron_conf_dir }}/neutron_ovn_vpn_agent.ini
+ config_overrides: "{{ neutron_ovn_vpn_agent_overrides }}"
+ config_type: "ini"
+ init_config_overrides: "{{ neutron_ovn_vpn_agent_init_overrides }}"
+ start_order: 4
 ironic-neutron-agent:
 group: ironic_neutron_agent
 service_name: ironic-neutron-agent
diff --git a/vars/redhat.yml b/vars/redhat.yml
index 096b2754..6752351f 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -95,8 +95,21 @@ neutron_lxb_distro_packages:
 neutron_vpnaas_distro_packages:
 - libreswan
-_neutron_driver_vpnaas: neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver
-_neutron_vpnaas_service_provider: VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
+_neutron_driver_vpnaas: >-
+ {{
+ (neutron_plugin_type == 'ml2.ovn') | ternary(
+ 'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnLibreSwanDriver',
+ 'neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver'
+ )
+ }}
+
+_neutron_vpnaas_service_provider: >-
+ {{
+ (neutron_plugin_type == 'ml2.ovn') | ternary(
+ 'VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ovn_ipsec.IPsecOvnVPNDriver:default',
+ 'VPN:openswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default'
+ )
+ }}
 neutron_metadata_agent_distro_packages:
 - haproxy
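Review bot: `service_en: "{{ neutron_vpnaas and neutron_plugin_type == 'ml2.ovn' }}"` in the new `neutron-ovn-vpn-agent` entry uses `neutron_vpnaas` bare, so it is only correct while that variable is a real boolean; a user override such as `neutron_vpnaas: "False"` (the string form the pre-change definition in this same file used to produce) is truthy in Jinja and would enable a root-rootwrapped agent on every OVN gateway host. The other places in this commit that read the flag pass it through `| bool`; this one should too: `service_en: "{{ neutron_vpnaas | bool and neutron_plugin_type == 'ml2.ovn' }}"`. A short comment on the entry, e.g. `# Standalone VPNaaS agent for ML2/OVN; runs on gateway hosts where the OVN router is active`, would also explain why its group is `neutron_ovn_gateway` rather than the L3 agent group, since `neutron_services` starts above the hunk and carries no per-service documentation that I can see.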
diff --git a/vars/source_install.yml b/vars/source_install.yml
index 5dea3c86..5d597da2 100644
--- a/vars/source_install.yml
+++ b/vars/source_install.yml
@@ -34,7 +34,8 @@ neutron_package_list: |-
 {% if neutron_services['neutron-linuxbridge-agent']['group'] in group_names and neutron_services['neutron-linuxbridge-agent'].service_en | bool %}
 {% set _ = packages.extend(neutron_lxb_distro_packages) %}
 {% endif %}
- {% if neutron_services['neutron-l3-agent']['group'] in group_names and neutron_vpnaas | bool %}
+ {% if (neutron_services['neutron-l3-agent']['group'] in group_names or
+ neutron_services['neutron-ovn-vpn-agent']['group'] in group_names) and neutron_vpnaas | bool %}
 {% set _ = packages.extend(neutron_vpnaas_distro_packages) %}
 {% endif %}
 {% if neutron_services['neutron-metadata-agent']['group'] in group_names %}