diff --git a/neutron/templates/bin/_neutron-bagpipe-bgp-init.sh.tpl b/neutron/templates/bin/_neutron-bagpipe-bgp-init.sh.tpl new file mode 100644 index 0000000000..5df2cecdf9 --- /dev/null +++ b/neutron/templates/bin/_neutron-bagpipe-bgp-init.sh.tpl @@ -0,0 +1,40 @@ +#!/bin/bash + +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -ex + +{{- if (has "openvswitch" .Values.network.backend) }} +chown neutron: /run/openvswitch/db.sock +{{- end }} + +# handle any bridge mappings +for bmap in `sed 's/[{}"]//g' /tmp/auto_bridge_add | tr "," "\n"`; do + bridge=${bmap%:*} + iface=${bmap#*:} +{{- if (has "openvswitch" .Values.network.backend) }} + ovs-vsctl --no-wait --may-exist add-br $bridge + if [ -n "$iface" -a "$iface" != "null" ]; then + ovs-vsctl --no-wait --may-exist add-port $bridge $iface + ip link set dev $iface up + fi +{{- else if (has "linuxbridge" .Values.network.backend) }} + set +e; ip link add name $bridge type bridge; set -e + ip link set dev $bridge up + [ -n "$iface" -a "$iface" != "null" ] && ip link set dev $iface master $bridge +{{- end }} +done diff --git a/neutron/templates/bin/_neutron-bagpipe-bgp.sh.tpl b/neutron/templates/bin/_neutron-bagpipe-bgp.sh.tpl new file mode 100644 index 0000000000..bbb5c6c979 --- /dev/null +++ b/neutron/templates/bin/_neutron-bagpipe-bgp.sh.tpl @@ -0,0 +1,20 @@ +#!/bin/bash + +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -x +exec bagpipe-bgp diff --git a/neutron/templates/configmap-bin.yaml b/neutron/templates/configmap-bin.yaml index 1e03ce3cb7..d36cb1b857 100644 --- a/neutron/templates/configmap-bin.yaml +++ b/neutron/templates/configmap-bin.yaml @@ -73,6 +73,10 @@ data: {{ tuple "bin/_neutron-sriov-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} neutron-l2gw-agent.sh: | {{ tuple "bin/_neutron-l2gw-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + neutron-bagpipe-bgp.sh: | +{{ tuple "bin/_neutron-bagpipe-bgp.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + neutron-bagpipe-bgp-init.sh: | +{{ tuple "bin/_neutron-bagpipe-bgp-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} neutron-server.sh: | {{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} rabbit-init.sh: | diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml index 251e51b34f..b07f16fb05 100644 --- a/neutron/templates/configmap-etc.yaml +++ b/neutron/templates/configmap-etc.yaml @@ -196,6 +196,7 @@ data: openvswitch_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.openvswitch_agent | b64enc }} sriov_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.sriov_agent | b64enc }} l2gw_agent.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" .Values.conf.l2gateway_agent | b64enc) }} + bagpipe_bgp.conf: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" .Values.conf.bagpipe_bgp | b64enc) }} dnsmasq.conf: "" neutron_sudoers: {{ $envAll.Values.conf.neutron_sudoers | b64enc }} rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }} diff --git a/neutron/templates/daemonset-bagpipe-bgp.yaml b/neutron/templates/daemonset-bagpipe-bgp.yaml new file mode 100644 index 0000000000..458c40f0db --- /dev/null +++ b/neutron/templates/daemonset-bagpipe-bgp.yaml @@ -0,0 +1,175 @@ +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "neutron.bagpipe_bgp.daemonset" }} +{{- $daemonset := index . 0 }} +{{- $configMapName := index . 1 }} +{{- $serviceAccountName := index . 2 }} +{{- $envAll := index . 3 }} +{{- with $envAll }} + +{{- $mounts_neutron_bagpipe_bgp := .Values.pod.mounts.bagpipe_bgp.bagpipe_bgp }} +{{- $mounts_neutron_bagpipe_bgp_init := .Values.pod.mounts.bagpipe_bgp.init_container }} + +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: bagpipe-bgp + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} + labels: +{{ tuple $envAll "neutron" "bagpipe-bgp" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + selector: + matchLabels: +{{ tuple $envAll "neutron" "bagpipe-bgp" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} +{{ tuple $envAll "bagpipe_bgp" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }} + template: + metadata: + labels: +{{ tuple $envAll "neutron" "bagpipe-bgp" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} + spec: +{{ dict "envAll" $envAll "application" "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} + nodeSelector: + {{ .Values.labels.bagpipe_bgp.node_selector_key }}: {{ .Values.labels.bagpipe_bgp.node_selector_value }} + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }} + shareProcessNamespace: true + {{- else }} + hostPID: true + {{- end }} + initContainers: +{{ tuple $envAll "pod_dependency" $mounts_neutron_bagpipe_bgp_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + - name: neutron-bagpipe-bgp-init +{{ tuple $envAll "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.image" | indent 10 }} + securityContext: + privileged: true + runAsUser: 0 + command: + - /tmp/neutron-bagpipe-bgp-init.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: neutron-bin + mountPath: /tmp/neutron-bagpipe-bgp-init.sh + subPath: neutron-bagpipe-bgp-init.sh + readOnly: true + - name: run + mountPath: /run + containers: + - name: neutron-bagpipe-bgp +{{ tuple $envAll "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.agent.bagpipe_bgp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "neutron_bagpipe_bgp" "container" "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + readinessProbe: + tcpSocket: + port: {{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + livenessProbe: + tcpSocket: + port: {{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + initialDelaySeconds: 60 + command: + - /tmp/neutron-bagpipe-bgp.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: pod-var-neutron + mountPath: /var/lib/neutron + - name: neutron-bin + mountPath: /tmp/neutron-bagpipe-bgp.sh + subPath: neutron-bagpipe-bgp.sh + readOnly: true + - name: neutron-bin + mountPath: /tmp/health-probe.py + subPath: health-probe.py + readOnly: true + - name: neutron-etc + mountPath: /tmp/auto_bridge_add + subPath: auto_bridge_add + readOnly: true + - name: neutron-etc + mountPath: /etc/bagpipe-bgp/bgp.conf + subPath: bagpipe_bgp.conf + readOnly: true + - name: neutron-etc + # NOTE (Portdirect): We mount here to override Kollas + # custom sudoers file when using Kolla images, this + # location will also work fine for other images. + mountPath: /etc/sudoers.d/kolla_neutron_sudoers + subPath: neutron_sudoers + readOnly: true + - name: neutron-etc + mountPath: /etc/neutron/rootwrap.conf + subPath: rootwrap.conf + readOnly: true + {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }} + {{- if ( has "bagpipe_bgp" $value.pods ) }} + {{- $filePrefix := replace "_" "-" $key }} + {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }} + - name: neutron-etc + mountPath: {{ $rootwrapFile }} + subPath: {{ base $rootwrapFile }} + readOnly: true + {{- end }} + {{- end }} + - name: libmodules + mountPath: /lib/modules + readOnly: true + - name: run + mountPath: /run +{{ if $mounts_neutron_bagpipe_bgp.volumeMounts }}{{ toYaml $mounts_neutron_bagpipe_bgp.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: pod-var-neutron + emptyDir: {} + - name: neutron-bin + configMap: + name: neutron-bin + defaultMode: 0555 + - name: neutron-etc + secret: + secretName: {{ $configMapName }} + defaultMode: 0444 + - name: libmodules + hostPath: + path: /lib/modules + - name: run + hostPath: + path: /run +{{ if $mounts_neutron_bagpipe_bgp.volumes }}{{ toYaml $mounts_neutron_bagpipe_bgp.volumes | indent 8 }}{{ end }} +{{- end }} +{{- end }} + +{{- if .Values.manifests.daemonset_bagpipe_bgp }} +{{- $envAll := . }} +{{- $daemonset := "bagpipe-bgp" }} +{{- $configMapName := "neutron-etc" }} +{{- $serviceAccountName := "neutron-bagpipe-bgp" }} +{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "bagpipe_bgp" -}} +{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }} +{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.bagpipe_bgp.daemonset" | toString | fromYaml }} +{{- $configmap_yaml := "neutron.configmap.etc" }} +{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }} +{{- end }} diff --git a/neutron/values.yaml b/neutron/values.yaml index c139b13682..88058d562c 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml @@ -39,6 +39,7 @@ images: neutron_linuxbridge_agent: docker.io/openstackhelm/neutron:ocata-ubuntu_xenial neutron_sriov_agent: docker.io/openstackhelm/neutron:ocata-18.04-sriov neutron_sriov_agent_init: docker.io/openstackhelm/neutron:ocata-18.04-sriov + neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:ocata-ubuntu_xenial dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 image_repo_sync: docker.io/docker:17.07.0 pull_policy: "IfNotPresent" @@ -78,6 +79,9 @@ labels: sriov: node_selector_key: sriov node_selector_value: enabled + bagpipe_bgp: + node_selector_key: openstack-compute-node + node_selector_value: enabled server: node_selector_key: openstack-control-plane node_selector_value: enabled @@ -139,6 +143,7 @@ dependencies: targeted: sriov: {} l2gateway: {} + bagpipe_bgp: {} openvswitch: dhcp: pod: @@ -392,6 +397,13 @@ pod: neutron_l2gw_agent: pod: runAsUser: 42424 + neutron_bagpipe_bgp: + pod: + runAsUser: 42424 + container: + neutron_bagpipe_bgp: + readOnlyRootFilesystem: true + privileged: true neutron_l3_agent: pod: runAsUser: 42424 @@ -489,6 +501,11 @@ pod: neutron_l2gw_agent: volumeMounts: volumes: + bagpipe_bgp: + init_container: null + bagpipe_bgp: + volumeMounts: + volumes: neutron_tests: init_container: null neutron_tests: @@ -601,6 +618,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + bagpipe_bgp: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" server: requests: memory: "128Mi" @@ -1646,6 +1670,57 @@ conf: # This is needed to allow taas to insert/remove vlan id to the # target vf under /sys/class/net/[device-name]/device/sriov/[vf-index]/[mirror] i40e_sysfs_command: RegExpFilter, i40e_sysfs_command, root, i40e_sysfs_command, \w+, .+, .+ + linux_vxlan: + pods: + - bagpipe_bgp + content: | + # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is + # expected to control VXLAN Linux Bridge dataplane + # + # This file should be owned by (and only-writeable by) the root user + + # format seems to be + # cmd-name: filter-name, raw-command, user, args + + [Filters] + + # + modprobe: CommandFilter, modprobe, root + + # + brctl: CommandFilter, brctl, root + bridge: CommandFilter, bridge, root + + # ip_lib + ip: IpFilter, ip, root + ip_exec: IpNetnsExecFilter, ip, root + + # shell (for piped commands) + sh: CommandFilter, sh, root + mpls_ovs_dataplane: + pods: + - bagpipe_bgp + content: | + # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is + # expected to control MPLS OpenVSwitch dataplane + # + # This file should be owned by (and only-writeable by) the root user + + # format seems to be + # cmd-name: filter-name, raw-command, user, args + + [Filters] + + # openvswitch + ovs-vsctl: CommandFilter, ovs-vsctl, root + ovs-ofctl: CommandFilter, ovs-ofctl, root + + # ip_lib + ip: IpFilter, ip, root + ip_exec: IpNetnsExecFilter, ip, root + + # shell (for piped commands) + sh: CommandFilter, sh, root neutron: DEFAULT: log_config_append: /etc/neutron/logging.conf @@ -1834,6 +1909,7 @@ conf: cache: enabled: true backend: dogpile.cache.memcached + bagpipe_bgp: {} rabbitmq: #NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones @@ -2104,6 +2180,7 @@ manifests: daemonset_ovs_agent: true daemonset_sriov_agent: true daemonset_l2gw_agent: false + daemonset_bagpipe_bgp: false deployment_server: true ingress_server: true job_bootstrap: true diff --git a/neutron/values_overrides/pike-ubuntu_xenial.yaml b/neutron/values_overrides/pike-ubuntu_xenial.yaml index 90158f8969..8458fc05ad 100644 --- a/neutron/values_overrides/pike-ubuntu_xenial.yaml +++ b/neutron/values_overrides/pike-ubuntu_xenial.yaml @@ -15,3 +15,4 @@ images: neutron_metadata: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial" neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial" neutron_server: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial" + neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial" diff --git a/neutron/values_overrides/queens-ubuntu_xenial.yaml b/neutron/values_overrides/queens-ubuntu_xenial.yaml index 1d0c32eeab..ef332bc235 100644 --- a/neutron/values_overrides/queens-ubuntu_xenial.yaml +++ b/neutron/values_overrides/queens-ubuntu_xenial.yaml @@ -15,3 +15,4 @@ images: neutron_metadata: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial" neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial" neutron_server: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial" + neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial" diff --git a/neutron/values_overrides/rocky-opensuse_15.yaml b/neutron/values_overrides/rocky-opensuse_15.yaml index 72f5de80f4..1dd621ac0f 100644 --- a/neutron/values_overrides/rocky-opensuse_15.yaml +++ b/neutron/values_overrides/rocky-opensuse_15.yaml @@ -15,3 +15,4 @@ images: neutron_metadata: "docker.io/openstackhelm/neutron:rocky-opensuse_15" neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-opensuse_15" neutron_server: "docker.io/openstackhelm/neutron:rocky-opensuse_15" + neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-opensuse_15" diff --git a/neutron/values_overrides/rocky-ubuntu_bionic.yaml b/neutron/values_overrides/rocky-ubuntu_bionic.yaml index f5c20ff90e..3e2598ae81 100644 --- a/neutron/values_overrides/rocky-ubuntu_bionic.yaml +++ b/neutron/values_overrides/rocky-ubuntu_bionic.yaml @@ -15,3 +15,4 @@ images: neutron_metadata: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic" neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic" neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic" + neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic" diff --git a/neutron/values_overrides/rocky-ubuntu_xenial.yaml b/neutron/values_overrides/rocky-ubuntu_xenial.yaml index 78e677ca10..0335527d46 100644 --- a/neutron/values_overrides/rocky-ubuntu_xenial.yaml +++ b/neutron/values_overrides/rocky-ubuntu_xenial.yaml @@ -15,3 +15,4 @@ images: neutron_metadata: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial" neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial" neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial" + neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial" diff --git a/tools/overrides/backends/networking/bagpipe_bgp.yaml b/tools/overrides/backends/networking/bagpipe_bgp.yaml new file mode 100644 index 0000000000..7a82e29f45 --- /dev/null +++ b/tools/overrides/backends/networking/bagpipe_bgp.yaml @@ -0,0 +1,34 @@ +--- +conf: + neutron: + DEFAULT: + service_plugins: router, bgpvpn + service_providers: + # BGPVPN:OpenContrail:networking_bgpvpn.neutron.services.service_drivers.opencontrail.opencontrail.OpenContrailBGPVPNDriver:default + # BGPVPN:OpenDaylight:networking_odl.bgpvpn.odl_v2.OpenDaylightBgpvpnDriver:default + service_provider: BGPVPN:BaGPipe:networking_bgpvpn.neutron.services.service_drivers.bagpipe.bagpipe_v2.BaGPipeBGPVPNDriver:default + plugins: + openvswitch_agent: + agent: + extensions: bagpipe_bgpvpn + bagpipe_bgp: + bgp: + local_address: 192.168.143.88 # IP address for mpls/gre tunnels + peers: 192.168.143.96 # IP addresses of BGP peers + my_as: 23242 # Autonomous System number + enable_rtc: true # Enable RT Constraint (RFC4684) + common: + root_helper: sudo /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf + api: + host: localhost + port: 8082 + dataplane_driver_ipvpn: + dataplane_driver: ovs + ovs_bridge: br-mpls + mpls_interface: '*gre*' + proxy_arp: false + auto_bridge_add: + br-mpls: null + +manifests: + daemonset_bagpipe_bgp: true