[neutron] Bring in bgpvpn/bagpipe support

BGP-MPLS VPN extension allows attachment of Neutron networks and/or routers to VPNs built in carrier provided WANs using these standard protocols. Change-Id: Ib0ec8cb22e9c113d4be1c992d895b565db5e30b0
2019-06-27 13:40:13 +04:00 · 2019-06-27 13:40:13 +04:00 · 0e01e058a1
commit 0e01e058a1
parent ac3952a720
12 changed files with 356 additions and 0 deletions
--- a/neutron/templates/bin/_neutron-bagpipe-bgp-init.sh.tpl
+++ b/neutron/templates/bin/_neutron-bagpipe-bgp-init.sh.tpl
@ -0,0 +1,40 @@
 #!/bin/bash
 {{/*
 Copyright 2019 The Openstack-Helm Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
   http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 set -ex
 {{- if (has "openvswitch" .Values.network.backend) }}
 chown neutron: /run/openvswitch/db.sock
 {{- end }}
 # handle any bridge mappings
 for bmap in `sed 's/[{}"]//g' /tmp/auto_bridge_add | tr "," "\n"`; do
  bridge=${bmap%:*}
  iface=${bmap#*:}
 {{- if (has "openvswitch" .Values.network.backend) }}
  ovs-vsctl --no-wait --may-exist add-br $bridge
  if [ -n "$iface" -a "$iface" != "null" ]; then
    ovs-vsctl --no-wait --may-exist add-port $bridge $iface
    ip link set dev $iface up
  fi
 {{- else if (has "linuxbridge" .Values.network.backend) }}
  set +e; ip link add name $bridge type bridge; set -e
  ip link set dev $bridge up
  [ -n "$iface" -a "$iface" != "null" ] && ip link set dev $iface master $bridge
 {{- end }}
 done
--- a/neutron/templates/bin/_neutron-bagpipe-bgp.sh.tpl
+++ b/neutron/templates/bin/_neutron-bagpipe-bgp.sh.tpl
@ -0,0 +1,20 @@
 #!/bin/bash
 {{/*
 Copyright 2019 The Openstack-Helm Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
   http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 set -x
 exec bagpipe-bgp
--- a/neutron/templates/configmap-bin.yaml
+++ b/neutron/templates/configmap-bin.yaml
@ -73,6 +73,10 @@ data:
 {{ tuple "bin/_neutron-sriov-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  neutron-l2gw-agent.sh: |
 {{ tuple "bin/_neutron-l2gw-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  neutron-bagpipe-bgp.sh: |
 {{ tuple "bin/_neutron-bagpipe-bgp.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  neutron-bagpipe-bgp-init.sh: |
 {{ tuple "bin/_neutron-bagpipe-bgp-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  neutron-server.sh: |
 {{ tuple "bin/_neutron-server.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  rabbit-init.sh: |
--- a/neutron/templates/configmap-etc.yaml
+++ b/neutron/templates/configmap-etc.yaml
@ -196,6 +196,7 @@ data:
  openvswitch_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.openvswitch_agent | b64enc }}
  sriov_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.plugins.sriov_agent | b64enc }}
  l2gw_agent.ini: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" .Values.conf.l2gateway_agent | b64enc) }}
  bagpipe_bgp.conf: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" .Values.conf.bagpipe_bgp | b64enc) }}
  dnsmasq.conf: ""
  neutron_sudoers: {{ $envAll.Values.conf.neutron_sudoers | b64enc }}
  rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }}
--- a/neutron/templates/daemonset-bagpipe-bgp.yaml
+++ b/neutron/templates/daemonset-bagpipe-bgp.yaml
@ -0,0 +1,175 @@
 {{/*
 Copyright 2019 The Openstack-Helm Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
   http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 {{- define "neutron.bagpipe_bgp.daemonset" }}
 {{- $daemonset := index . 0 }}
 {{- $configMapName := index . 1 }}
 {{- $serviceAccountName := index . 2 }}
 {{- $envAll := index . 3 }}
 {{- with $envAll }}
 {{- $mounts_neutron_bagpipe_bgp := .Values.pod.mounts.bagpipe_bgp.bagpipe_bgp }}
 {{- $mounts_neutron_bagpipe_bgp_init := .Values.pod.mounts.bagpipe_bgp.init_container }}
 ---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
  name: bagpipe-bgp
  annotations:
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
  labels:
 {{ tuple $envAll "neutron" "bagpipe-bgp" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
  selector:
    matchLabels:
 {{ tuple $envAll "neutron" "bagpipe-bgp" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
 {{ tuple $envAll "bagpipe_bgp" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
  template:
    metadata:
      labels:
 {{ tuple $envAll "neutron" "bagpipe-bgp" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
 {{ dict "envAll" $envAll "application" "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      serviceAccountName: {{ $serviceAccountName }}
      nodeSelector:
        {{ .Values.labels.bagpipe_bgp.node_selector_key }}: {{ .Values.labels.bagpipe_bgp.node_selector_value }}
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
      shareProcessNamespace: true
      {{- else }}
      hostPID: true
      {{- end }}
      initContainers:
 {{ tuple $envAll "pod_dependency" $mounts_neutron_bagpipe_bgp_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
        - name: neutron-bagpipe-bgp-init
 {{ tuple $envAll "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.image" | indent 10 }}
          securityContext:
            privileged: true
            runAsUser: 0
          command:
            - /tmp/neutron-bagpipe-bgp-init.sh
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: neutron-bin
              mountPath: /tmp/neutron-bagpipe-bgp-init.sh
              subPath: neutron-bagpipe-bgp-init.sh
              readOnly: true
            - name: run
              mountPath: /run
      containers:
        - name: neutron-bagpipe-bgp
 {{ tuple $envAll "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.agent.bagpipe_bgp | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "neutron_bagpipe_bgp" "container" "neutron_bagpipe_bgp" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          readinessProbe:
            tcpSocket:
              port: {{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
          livenessProbe:
            tcpSocket:
              port: {{ tuple "network" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
            initialDelaySeconds: 60
          command:
            - /tmp/neutron-bagpipe-bgp.sh
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: pod-var-neutron
              mountPath: /var/lib/neutron
            - name: neutron-bin
              mountPath: /tmp/neutron-bagpipe-bgp.sh
              subPath: neutron-bagpipe-bgp.sh
              readOnly: true
            - name: neutron-bin
              mountPath: /tmp/health-probe.py
              subPath: health-probe.py
              readOnly: true
            - name: neutron-etc
              mountPath: /tmp/auto_bridge_add
              subPath: auto_bridge_add
              readOnly: true
            - name: neutron-etc
              mountPath: /etc/bagpipe-bgp/bgp.conf
              subPath: bagpipe_bgp.conf
              readOnly: true
            - name: neutron-etc
              # NOTE (Portdirect): We mount here to override Kollas
              # custom sudoers file when using Kolla images, this
              # location will also work fine for other images.
              mountPath: /etc/sudoers.d/kolla_neutron_sudoers
              subPath: neutron_sudoers
              readOnly: true
            - name: neutron-etc
              mountPath: /etc/neutron/rootwrap.conf
              subPath: rootwrap.conf
              readOnly: true
            {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
            {{- if ( has "bagpipe_bgp" $value.pods ) }}
            {{- $filePrefix := replace "_" "-"  $key }}
            {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }}
            - name: neutron-etc
              mountPath: {{ $rootwrapFile }}
              subPath: {{ base $rootwrapFile }}
              readOnly: true
            {{- end }}
            {{- end }}
            - name: libmodules
              mountPath: /lib/modules
              readOnly: true
            - name: run
              mountPath: /run
 {{ if $mounts_neutron_bagpipe_bgp.volumeMounts }}{{ toYaml $mounts_neutron_bagpipe_bgp.volumeMounts | indent 12 }}{{ end }}
      volumes:
        - name: pod-tmp
          emptyDir: {}
        - name: pod-var-neutron
          emptyDir: {}
        - name: neutron-bin
          configMap:
            name: neutron-bin
            defaultMode: 0555
        - name: neutron-etc
          secret:
            secretName: {{ $configMapName }}
            defaultMode: 0444
        - name: libmodules
          hostPath:
            path: /lib/modules
        - name: run
          hostPath:
            path: /run
 {{ if $mounts_neutron_bagpipe_bgp.volumes }}{{ toYaml $mounts_neutron_bagpipe_bgp.volumes | indent 8 }}{{ end }}
 {{- end }}
 {{- end }}
 {{- if .Values.manifests.daemonset_bagpipe_bgp }}
 {{- $envAll := . }}
 {{- $daemonset := "bagpipe-bgp" }}
 {{- $configMapName := "neutron-etc" }}
 {{- $serviceAccountName := "neutron-bagpipe-bgp" }}
 {{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "bagpipe_bgp" -}}
 {{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }}
 {{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 {{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . | include "neutron.bagpipe_bgp.daemonset" | toString | fromYaml }}
 {{- $configmap_yaml := "neutron.configmap.etc" }}
 {{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }}
 {{- end }}
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@ -39,6 +39,7 @@ images:
    neutron_linuxbridge_agent: docker.io/openstackhelm/neutron:ocata-ubuntu_xenial
    neutron_sriov_agent: docker.io/openstackhelm/neutron:ocata-18.04-sriov
    neutron_sriov_agent_init: docker.io/openstackhelm/neutron:ocata-18.04-sriov
    neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:ocata-ubuntu_xenial
    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: "IfNotPresent"
@ -78,6 +79,9 @@ labels:
  sriov:
    node_selector_key: sriov
    node_selector_value: enabled
  bagpipe_bgp:
    node_selector_key: openstack-compute-node
    node_selector_value: enabled
  server:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
@ -139,6 +143,7 @@ dependencies:
    targeted:
      sriov: {}
      l2gateway: {}
      bagpipe_bgp: {}
      openvswitch:
        dhcp:
          pod:
@ -392,6 +397,13 @@ pod:
    neutron_l2gw_agent:
      pod:
        runAsUser: 42424
    neutron_bagpipe_bgp:
      pod:
        runAsUser: 42424
      container:
        neutron_bagpipe_bgp:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l3_agent:
      pod:
        runAsUser: 42424
@ -489,6 +501,11 @@ pod:
      neutron_l2gw_agent:
        volumeMounts:
        volumes:
    bagpipe_bgp:
      init_container: null
      bagpipe_bgp:
        volumeMounts:
        volumes:
    neutron_tests:
      init_container: null
      neutron_tests:
@ -601,6 +618,13 @@ pod:
        limits:
          memory: "1024Mi"
          cpu: "2000m"
      bagpipe_bgp:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"
    server:
      requests:
        memory: "128Mi"
@ -1646,6 +1670,57 @@ conf:
        # This is needed to allow taas to insert/remove vlan id to the
        # target vf under /sys/class/net/[device-name]/device/sriov/[vf-index]/[mirror]
        i40e_sysfs_command: RegExpFilter, i40e_sysfs_command, root, i40e_sysfs_command, \w+, .+, .+
    linux_vxlan:
      pods:
        - bagpipe_bgp
      content: |
        # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
        # expected to control VXLAN Linux Bridge dataplane
        #
        # This file should be owned by (and only-writeable by) the root user
        # format seems to be
        # cmd-name: filter-name, raw-command, user, args
        [Filters]
        #
        modprobe: CommandFilter, modprobe, root
        #
        brctl: CommandFilter, brctl, root
        bridge: CommandFilter, bridge, root
        # ip_lib
        ip: IpFilter, ip, root
        ip_exec: IpNetnsExecFilter, ip, root
        # shell (for piped commands)
        sh: CommandFilter, sh, root
    mpls_ovs_dataplane:
      pods:
        - bagpipe_bgp
      content: |
        # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
        # expected to control MPLS OpenVSwitch dataplane
        #
        # This file should be owned by (and only-writeable by) the root user
        # format seems to be
        # cmd-name: filter-name, raw-command, user, args
        [Filters]
        # openvswitch
        ovs-vsctl: CommandFilter, ovs-vsctl, root
        ovs-ofctl: CommandFilter, ovs-ofctl, root
        # ip_lib
        ip: IpFilter, ip, root
        ip_exec: IpNetnsExecFilter, ip, root
        # shell (for piped commands)
        sh: CommandFilter, sh, root
  neutron:
    DEFAULT:
      log_config_append: /etc/neutron/logging.conf
@ -1834,6 +1909,7 @@ conf:
    cache:
      enabled: true
      backend: dogpile.cache.memcached
  bagpipe_bgp: {}
  rabbitmq:
    #NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
@ -2104,6 +2180,7 @@ manifests:
  daemonset_ovs_agent: true
  daemonset_sriov_agent: true
  daemonset_l2gw_agent: false
  daemonset_bagpipe_bgp: false
  deployment_server: true
  ingress_server: true
  job_bootstrap: true
--- a/neutron/values_overrides/pike-ubuntu_xenial.yaml
+++ b/neutron/values_overrides/pike-ubuntu_xenial.yaml
@ -15,3 +15,4 @@ images:
    neutron_metadata: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
    neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
    neutron_server: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
    neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:pike-ubuntu_xenial"
--- a/neutron/values_overrides/queens-ubuntu_xenial.yaml
+++ b/neutron/values_overrides/queens-ubuntu_xenial.yaml
@ -15,3 +15,4 @@ images:
    neutron_metadata: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
    neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
    neutron_server: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
    neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:queens-ubuntu_xenial"
--- a/neutron/values_overrides/rocky-opensuse_15.yaml
+++ b/neutron/values_overrides/rocky-opensuse_15.yaml
@ -15,3 +15,4 @@ images:
    neutron_metadata: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
    neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
    neutron_server: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
    neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-opensuse_15"
--- a/neutron/values_overrides/rocky-ubuntu_bionic.yaml
+++ b/neutron/values_overrides/rocky-ubuntu_bionic.yaml
@ -15,3 +15,4 @@ images:
    neutron_metadata: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
    neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
    neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
    neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_bionic"
--- a/neutron/values_overrides/rocky-ubuntu_xenial.yaml
+++ b/neutron/values_overrides/rocky-ubuntu_xenial.yaml
@ -15,3 +15,4 @@ images:
    neutron_metadata: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
    neutron_openvswitch_agent: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
    neutron_server: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
    neutron_bagpipe_bgp: "docker.io/openstackhelm/neutron:rocky-ubuntu_xenial"
--- a/tools/overrides/backends/networking/bagpipe_bgp.yaml
+++ b/tools/overrides/backends/networking/bagpipe_bgp.yaml
@ -0,0 +1,34 @@
 ---
 conf:
  neutron:
    DEFAULT:
      service_plugins: router, bgpvpn
    service_providers:
      # BGPVPN:OpenContrail:networking_bgpvpn.neutron.services.service_drivers.opencontrail.opencontrail.OpenContrailBGPVPNDriver:default
      # BGPVPN:OpenDaylight:networking_odl.bgpvpn.odl_v2.OpenDaylightBgpvpnDriver:default
      service_provider: BGPVPN:BaGPipe:networking_bgpvpn.neutron.services.service_drivers.bagpipe.bagpipe_v2.BaGPipeBGPVPNDriver:default
  plugins:
    openvswitch_agent:
      agent:
        extensions: bagpipe_bgpvpn
  bagpipe_bgp:
    bgp:
      local_address: 192.168.143.88 # IP address for mpls/gre tunnels
      peers: 192.168.143.96 # IP addresses of BGP peers
      my_as: 23242 # Autonomous System number
      enable_rtc: true # Enable RT Constraint (RFC4684)
    common:
      root_helper: sudo /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    api:
      host: localhost
      port: 8082
    dataplane_driver_ipvpn:
      dataplane_driver: ovs
      ovs_bridge: br-mpls
      mpls_interface: '*gre*'
      proxy_arp: false
  auto_bridge_add:
    br-mpls: null
 manifests:
  daemonset_bagpipe_bgp: true