From 27cfc11310b1a4ef6cdea969d79f599f3a34dc02 Mon Sep 17 00:00:00 2001 From: ricolin Date: Fri, 22 Dec 2023 17:56:00 +0800 Subject: [PATCH] feat: add OVN VPNaaS support ovn vpnaas is now supported with [1]. Add it to neutron ovn mode [1] https://review.opendev.org/c/openstack/neutron-vpnaas/+/765353 Change-Id: I03f133e544afa6f93f35ff206cd5869a74d54dfd --- neutron/Chart.yaml | 2 +- .../bin/_neutron-ovn-vpn-agent-init.sh.tpl | 27 ++ .../bin/_neutron-ovn-vpn-agent.sh.tpl | 27 ++ neutron/templates/configmap-bin.yaml | 4 + neutron/templates/configmap-etc.yaml | 2 + .../daemonset-neutron-ovn-vpn-agent.yaml | 261 ++++++++++++++++++ neutron/values.yaml | 68 +++++ neutron/values_overrides/ovn_vpn.yaml | 34 +++ releasenotes/notes/neutron.yaml | 1 + 9 files changed, 425 insertions(+), 1 deletion(-) create mode 100644 neutron/templates/bin/_neutron-ovn-vpn-agent-init.sh.tpl create mode 100644 neutron/templates/bin/_neutron-ovn-vpn-agent.sh.tpl create mode 100644 neutron/templates/daemonset-neutron-ovn-vpn-agent.yaml create mode 100644 neutron/values_overrides/ovn_vpn.yaml diff --git a/neutron/Chart.yaml b/neutron/Chart.yaml index eda51e8528..a65d2944d3 100644 --- a/neutron/Chart.yaml +++ b/neutron/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Neutron name: neutron -version: 0.3.43 +version: 0.3.44 home: https://docs.openstack.org/neutron/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png sources: diff --git a/neutron/templates/bin/_neutron-ovn-vpn-agent-init.sh.tpl b/neutron/templates/bin/_neutron-ovn-vpn-agent-init.sh.tpl new file mode 100644 index 0000000000..5b6ce43e1d --- /dev/null +++ b/neutron/templates/bin/_neutron-ovn-vpn-agent-init.sh.tpl 
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+chown ${NEUTRON_USER_UID} /var/lib/neutron/openstack-helm
+
+{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }}
+mkdir -p /tmp/pod-shared
+tee > /tmp/pod-shared/neutron-agent.ini << EOF
+[DEFAULT]
+host = $(hostname --fqdn)
+EOF
+{{- end }}
diff --git a/neutron/templates/bin/_neutron-ovn-vpn-agent.sh.tpl b/neutron/templates/bin/_neutron-ovn-vpn-agent.sh.tpl
new file mode 100644
index 0000000000..3a248bf475
--- /dev/null
+++ b/neutron/templates/bin/_neutron-ovn-vpn-agent.sh.tpl
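Review bot: `chown ${NEUTRON_USER_UID} /var/lib/neutron/openstack-helm` expands the UID unquoted in a script that the DaemonSet runs as root (`ovn_vpn_agent_init: runAsUser: 0`) against a hostPath directory. The value is rendered from `pod.security_context.ovn_vpn_agent.pod.runAsUser`, so an override that drops that key leaves the variable empty and the script stops only on chown's generic missing-operand error. Quoting it and failing with a clear message makes the contract explicit: `chown "${NEUTRON_USER_UID:?NEUTRON_USER_UID is not set}" /var/lib/neutron/openstack-helm`. A one-line comment above it stating that the target is a host directory (presumably shared with the other neutron agents on the node, which is worth confirming) would tell the next reader why the ownership change needs root.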
@@ -0,0 +1,27 @@ +#!/bin/bash + +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +set -x + +exec neutron-ovn-vpn-agent \ + --config-file /etc/neutron/neutron.conf \ + --config-file /etc/neutron/neutron_vpnaas.conf \ + --config-file /etc/neutron/neutron_ovn_vpn_agent.ini \ +{{- if and ( empty .Values.conf.neutron.DEFAULT.host ) ( .Values.pod.use_fqdn.neutron_agent ) }} + --config-file /tmp/pod-shared/neutron-agent.ini \ +{{- end }} + --config-file /tmp/pod-shared/ovn.ini + diff --git a/neutron/templates/configmap-bin.yaml b/neutron/templates/configmap-bin.yaml index 40b7006050..f5fc72973d 100644 --- a/neutron/templates/configmap-bin.yaml +++ b/neutron/templates/configmap-bin.yaml @@ -109,6 +109,10 @@ data: {{ tuple "bin/_neutron-ovn-metadata-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} neutron-ovn-init.sh: | {{ tuple "bin/_neutron-ovn-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + neutron-ovn-vpn-agent-init.sh: | +{{ tuple "bin/_neutron-ovn-vpn-agent-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} + neutron-ovn-vpn-agent.sh: | +{{ tuple "bin/_neutron-ovn-vpn-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{- else }} neutron-metadata-agent.sh: | {{ tuple "bin/_neutron-metadata-agent.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} diff --git a/neutron/templates/configmap-etc.yaml b/neutron/templates/configmap-etc.yaml index f7411bf5cf..0fd7aa3ac3 100644 
--- a/neutron/templates/configmap-etc.yaml +++ b/neutron/templates/configmap-etc.yaml @@ -317,12 +317,14 @@ data: neutron_sudoers: {{ $envAll.Values.conf.neutron_sudoers | b64enc }} rootwrap.conf: {{ $envAll.Values.conf.rootwrap | b64enc }} auto_bridge_add: {{ toJson $envAll.Values.conf.auto_bridge_add | b64enc }} + neutron_vpnaas.conf: {{ default "\"\"" (include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.neutron_vpnaas | b64enc) }} {{- if .Values.conf.netoffload.enabled }} netoffload: {{ toJson $envAll.Values.conf.netoffload | b64enc }} {{- end }} dpdk.conf: {{ toJson $envAll.Values.conf.ovs_dpdk | b64enc }} update_dpdk_bond_config: {{ $envAll.Values.conf.ovs_dpdk.update_dpdk_bond_config | toString | b64enc }} {{- if ( has "ovn" .Values.network.backend ) }} + neutron_ovn_vpn_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.ovn_vpn_agent | b64enc }} ovn_metadata_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.ovn_metadata_agent | b64enc }} {{- else }} metadata_agent.ini: {{ include "helm-toolkit.utils.to_oslo_conf" $envAll.Values.conf.metadata_agent | b64enc }} diff --git a/neutron/templates/daemonset-neutron-ovn-vpn-agent.yaml b/neutron/templates/daemonset-neutron-ovn-vpn-agent.yaml new file mode 100644 index 0000000000..0302fae95f --- /dev/null +++ b/neutron/templates/daemonset-neutron-ovn-vpn-agent.yaml 
@@ -0,0 +1,261 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "ovnVPNAgentReadinessProbeTemplate" }} +exec: + command: + - python + - /tmp/health-probe.py + - --config-file + - /etc/neutron/neutron.conf + - --config-file + - /etc/neutron/neutron_vpnaas.conf + - --config-file + - /etc/neutron/neutron_ovn_vpn_agent.ini +{{- if .Values.pod.use_fqdn.neutron_agent }} + - --use-fqdn +{{- end }} +{{- end }} +{{- define "ovnVPNAgentLivenessProbeTemplate" }} +exec: + command: + - python + - /tmp/health-probe.py + - --config-file + - /etc/neutron/neutron.conf + - --config-file + - /etc/neutron/neutron_vpnaas.conf + - --config-file + - /etc/neutron/neutron_ovn_vpn_agent.ini + - --liveness-probe +{{- if .Values.pod.use_fqdn.neutron_agent }} + - --use-fqdn +{{- end }} +{{- end }} + +{{- define "neutron.ovn_vpn_agent.daemonset" }} +{{- $daemonset := index . 0 }} +{{- $configMapName := index . 1 }} +{{- $serviceAccountName := index . 2 }} +{{- $envAll := index . 
3 }} +{{- with $envAll }} + +{{- $mounts_ovn_vpn_agent := .Values.pod.mounts.ovn_vpn_agent.ovn_vpn_agent }} +{{- $mounts_ovn_vpn_agent_init := .Values.pod.mounts.ovn_vpn_agent.init_container }} + +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: neutron-ovn-vpn-agent + annotations: + {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }} + labels: +{{ tuple $envAll "neutron" "ovn-vpn-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} +spec: + selector: + matchLabels: +{{ tuple $envAll "neutron" "ovn-vpn-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }} +{{ tuple $envAll "ovn_vpn_agent" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }} + template: + metadata: + labels: +{{ tuple $envAll "neutron" "ovn-vpn-agent" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} + annotations: +{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . 
| include "helm-toolkit.utils.hash" }} + spec: +{{ dict "envAll" $envAll "application" "ovn_vpn_agent" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }} + serviceAccountName: {{ $serviceAccountName }} +{{ if $envAll.Values.pod.tolerations.neutron.enabled }} +{{ tuple $envAll "neutron" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }} +{{ end }} + nodeSelector: + {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }} + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }} + shareProcessNamespace: true + {{- else }} + hostPID: true + {{- end }} + initContainers: +{{ tuple $envAll "pod_dependency" $mounts_ovn_vpn_agent_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} + - name: ovn-vpn-agent-init +{{ tuple $envAll "neutron_ovn_vpn" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.agent.ovn_vpn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "ovn_vpn_agent" "container" "ovn_vpn_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + env: + - name: NEUTRON_USER_UID + value: "{{ .Values.pod.security_context.ovn_vpn_agent.pod.runAsUser }}" + command: + - /tmp/neutron-ovn-vpn-agent-init.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: neutron-bin + mountPath: /tmp/neutron-ovn-vpn-agent-init.sh + subPath: neutron-ovn-vpn-agent-init.sh + readOnly: true + - name: neutron-etc + mountPath: /etc/neutron/neutron.conf + subPath: neutron.conf + readOnly: true + - name: socket + mountPath: /var/lib/neutron/openstack-helm + - name: ovn-neutron-init +{{ tuple $envAll "neutron_ovn_vpn" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll 
$envAll.Values.pod.resources.agent.ovn_vpn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ dict "envAll" $envAll "application" "ovn_vpn_agent" "container" "ovn_vpn_agent_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/neutron-ovn-init.sh + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: neutron-bin + mountPath: /tmp/neutron-ovn-init.sh + subPath: neutron-ovn-init.sh + readOnly: true + containers: + - name: neutron-ovn-vpn-agent +{{ tuple $envAll "neutron_ovn_vpn" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.agent.ovn_vpn | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} + env: + - name: RPC_PROBE_TIMEOUT + value: "{{ .Values.pod.probes.rpc_timeout }}" + - name: RPC_PROBE_RETRIES + value: "{{ .Values.pod.probes.rpc_retries }}" +{{ dict "envAll" $envAll "component" "ovn_vpn_agent" "container" "ovn_vpn_agent" "type" "readiness" "probeTemplate" (include "ovnVPNAgentReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} +{{ dict "envAll" $envAll "component" "ovn_vpn_agent" "container" "ovn_vpn_agent" "type" "liveness" "probeTemplate" (include "ovnVPNAgentLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | indent 10 }} + securityContext: + privileged: true + command: + - /tmp/neutron-ovn-vpn-agent.sh + volumeMounts: + - name: run + mountPath: /run + - name: pod-tmp + mountPath: /tmp + - name: pod-var-neutron + mountPath: {{ .Values.conf.neutron.DEFAULT.state_path }} + - name: neutron-bin + mountPath: /tmp/neutron-ovn-vpn-agent.sh + subPath: neutron-ovn-vpn-agent.sh + readOnly: true + - name: neutron-bin + mountPath: /tmp/health-probe.py + subPath: health-probe.py + readOnly: true + - name: neutron-etc + mountPath: /etc/neutron/neutron.conf + subPath: neutron.conf + readOnly: true + {{- if 
.Values.conf.neutron.DEFAULT.log_config_append }} + - name: neutron-etc + mountPath: {{ .Values.conf.neutron.DEFAULT.log_config_append }} + subPath: {{ base .Values.conf.neutron.DEFAULT.log_config_append }} + readOnly: true + {{- end }} + - name: neutron-etc + mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini + subPath: ml2_conf.ini + readOnly: true + {{- if ( has "openvswitch" .Values.network.backend ) }} + - name: neutron-etc + mountPath: /etc/neutron/plugins/ml2/openvswitch_agent.ini + subPath: openvswitch_agent.ini + readOnly: true + {{- end }} + - name: neutron-etc + mountPath: /etc/neutron/neutron_vpnaas.conf + subPath: neutron_vpnaas.conf + readOnly: true + - name: neutron-etc + mountPath: /etc/neutron/neutron_ovn_vpn_agent.ini + subPath: neutron_ovn_vpn_agent.ini + readOnly: true + - name: neutron-etc + # NOTE (Portdirect): We mount here to override Kollas + # custom sudoers file when using Kolla images, this + # location will also work fine for other images. + mountPath: /etc/sudoers.d/kolla_neutron_sudoers + subPath: neutron_sudoers + readOnly: true + - name: neutron-etc + mountPath: /etc/neutron/rootwrap.conf + subPath: rootwrap.conf + readOnly: true + {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }} + {{- if ( has "ovn_vpn_agent" $value.pods ) }} + {{- $filePrefix := replace "_" "-" $key }} + {{- $rootwrapFile := printf "/etc/neutron/rootwrap.d/%s.filters" $filePrefix }} + - name: neutron-etc + mountPath: {{ $rootwrapFile }} + subPath: {{ base $rootwrapFile }} + readOnly: true + {{- end }} + {{- end }} + - name: socket + mountPath: /var/lib/neutron/openstack-helm + {{- if .Values.network.share_namespaces }} + - name: host-run-netns + mountPath: /run/netns + mountPropagation: Bidirectional + {{- end }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{- dict "enabled" $envAll.Values.manifests.certificates 
"name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} +{{ if $mounts_ovn_vpn_agent.volumeMounts }}{{ toYaml $mounts_ovn_vpn_agent.volumeMounts | indent 12 }}{{ end }} + volumes: + - name: pod-tmp + emptyDir: {} + - name: pod-var-neutron + emptyDir: {} + - name: run + hostPath: + path: /run + - name: neutron-bin + configMap: + name: neutron-bin + defaultMode: 0555 + - name: neutron-etc + secret: + secretName: {{ $configMapName }} + defaultMode: 0444 + - name: socket + hostPath: + path: /var/lib/neutron/openstack-helm + {{- if .Values.network.share_namespaces }} + - name: host-run-netns + hostPath: + path: /run/netns + {{- end }} +{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_metadata.metadata.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} +{{ if $mounts_ovn_vpn_agent.volumes }}{{ toYaml $mounts_ovn_vpn_agent.volumes | indent 8 }}{{ end }} +{{- end }} +{{- end }} + +{{- if .Values.manifests.daemonset_ovn_vpn_agent }} +{{- $envAll := . }} +{{- $daemonset := "ovn-vpn-agent" }} +{{- $configMapName := "neutron-etc" }} +{{- $serviceAccountName := "neutron-ovn-vpn-agent" }} +{{- $dependencyOpts := dict "envAll" $envAll "dependencyMixinParam" $envAll.Values.network.backend "dependencyKey" "ovn_vpn_agent" -}} +{{- $_ := include "helm-toolkit.utils.dependency_resolver" $dependencyOpts | toString | fromYaml }} +{{ tuple $envAll "pod_dependency" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +{{- $daemonset_yaml := list $daemonset $configMapName $serviceAccountName . 
| include "neutron.ovn_vpn_agent.daemonset" | toString | fromYaml }} +{{- $configmap_yaml := "neutron.configmap.etc" }} +{{- list $daemonset $daemonset_yaml $configmap_yaml $configMapName . | include "helm-toolkit.utils.daemonset_overrides" }} +{{- end }} diff --git a/neutron/values.yaml b/neutron/values.yaml index 502a3d99c9..8333a90b09 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml @@ -36,6 +36,7 @@ images: neutron_dhcp: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy neutron_metadata: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy neutron_ovn_metadata: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy + neutron_ovn_vpn: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy neutron_l3: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy neutron_l2gw: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy neutron_openvswitch_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy @@ -304,6 +305,17 @@ dependencies: service: compute_metadata - endpoint: internal service: network + ovn_vpn_agent: + pod: + - requireSameNode: true + labels: + application: ovn + component: ovn-controller + services: + - endpoint: internal + service: oslo_messaging + - endpoint: internal + service: network ovs_agent: jobs: - neutron-rabbit-init @@ -423,6 +435,20 @@ pod: initialDelaySeconds: 120 periodSeconds: 600 timeoutSeconds: 580 + ovn_vpn_agent: + ovn_vpn_agent: + readiness: + enabled: true + params: + initialDelaySeconds: 30 + periodSeconds: 190 + timeoutSeconds: 185 + liveness: + enabled: true + params: + initialDelaySeconds: 120 + periodSeconds: 600 + timeoutSeconds: 580 ovn_metadata_agent: ovn_metadata_agent: readiness: @@ -583,6 +609,13 @@ pod: neutron_ovn_metadata_agent_init: runAsUser: 0 readOnlyRootFilesystem: true + ovn_vpn_agent: + pod: + runAsUser: 42424 + container: + ovn_vpn_agent_init: + runAsUser: 0 + readOnlyRootFilesystem: true neutron_ovs_agent: pod: runAsUser: 42424 
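Review bot: The `neutron-ovn-vpn-agent` container hard-codes `securityContext: privileged: true` instead of going through `helm-toolkit.snippets.kubernetes_container_security_context` as both init containers do, so operators cannot narrow it from values, and the `pod.security_context.ovn_vpn_agent.container` block added in values.yaml has no entry for it. Combined with `hostNetwork: true`, the whole-host `/run` hostPath and the `Bidirectional` mount of `/run/netns`, the pod is effectively root-equivalent on every node matching the ovs selector. I would render it as `{{ dict "envAll" $envAll "application" "ovn_vpn_agent" "container" "ovn_vpn_agent" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` and move `privileged: true` under `container.ovn_vpn_agent` in values.yaml, so a deployment can replace it with a specific capability list once the required set is known. The `/run` mount also exposes every socket the host keeps there; the default agent config only references `unix:/run/openvswitch/db.sock`, so mounting `/run/openvswitch` plus whichever runtime directory the agent turns out to need is probably sufficient, which should be confirmed against a running agent. The `ovn-neutron-init` container reuses the root `ovn_vpn_agent_init` context; if that is intentional, a comment should say so.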
@@ -701,6 +734,11 @@ pod: neutron_ovn_metadata_agent: volumeMounts: volumes: + ovn_vpn_agent: + init_container: null + ovn_vpn_agent: + volumeMounts: + volumes: neutron_ovs_agent: init_container: null neutron_ovs_agent: @@ -788,6 +826,10 @@ pod: enabled: true min_ready_seconds: 0 max_unavailable: 1 + ovn_vpn_agent: + enabled: true + min_ready_seconds: 0 + max_unavailable: 1 ovs_agent: enabled: true min_ready_seconds: 0 @@ -848,6 +890,13 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + ovn_vpn: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" ovs: requests: memory: "128Mi" @@ -1393,6 +1442,7 @@ conf: - lb_agent - metadata_agent - ovn_metadata_agent + - ovn_vpn_agent - ovs_agent - sriov_agent content: | @@ -1421,6 +1471,7 @@ conf: - lb_agent - metadata_agent - ovn_metadata_agent + - ovn_vpn_agent - ovs_agent - sriov_agent content: | @@ -1447,6 +1498,7 @@ conf: - lb_agent - metadata_agent - ovn_metadata_agent + - ovn_vpn_agent - ovs_agent - sriov_agent content: | @@ -1469,6 +1521,7 @@ conf: - lb_agent - metadata_agent - ovn_metadata_agent + - ovn_vpn_agent - ovs_agent - sriov_agent content: | @@ -1560,6 +1613,7 @@ conf: - lb_agent - metadata_agent - ovn_metadata_agent + - ovn_vpn_agent - ovs_agent - sriov_agent - netns_cleanup_cron @@ -1583,6 +1637,7 @@ conf: - lb_agent - metadata_agent - ovn_metadata_agent + - ovn_vpn_agent - ovs_agent - sriov_agent - netns_cleanup_cron @@ -1633,6 +1688,7 @@ conf: - lb_agent - metadata_agent - ovn_metadata_agent + - ovn_vpn_agent - ovs_agent - sriov_agent content: | @@ -1654,6 +1710,7 @@ conf: - lb_agent - metadata_agent - ovn_metadata_agent + - ovn_vpn_agent - ovs_agent - sriov_agent content: | @@ -1691,6 +1748,7 @@ conf: - lb_agent - metadata_agent - ovn_metadata_agent + - ovn_vpn_agent - ovs_agent - sriov_agent content: | @@ -1729,6 +1787,7 @@ conf: - lb_agent - metadata_agent - ovn_metadata_agent + - ovn_vpn_agent - ovs_agent - sriov_agent content: | 
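Review bot: `ovn_vpn_agent` is appended to the `pods:` list of every filter set touched here (the hunks from `@@ -1393` through `@@ -1767`), and the new DaemonSet mounts a rootwrap `.filters` file for each set whose list contains it. The set names and their `content` are outside these hunks, but the list looks copied from `ovn_metadata_agent`, so the VPN agent very likely receives command filters written for other agents. Rootwrap is the allow-list for what the unprivileged neutron user may run as root, so I would keep only the sets the agent actually invokes and add a comment on each naming the command that needs it. No hunk adds a filter set for the strongSwan/ipsec commands selected by `vpn_device_driver`; if one is required, it belongs in this change.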
@@ -1767,6 +1826,7 @@ conf: - lb_agent - metadata_agent - ovn_metadata_agent + - ovn_vpn_agent - ovs_agent - sriov_agent - netns_cleanup_cron @@ -2068,6 +2128,14 @@ conf: #dhcp-option=3,10.10.10.1 #dhcp-option-force=26,1450 + neutron_vpnaas: null + ovn_vpn_agent: + DEFAULT: + interface_driver: openvswitch + vpnagent: + vpn_device_driver: neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnStrongSwanDriver + ovs: + ovsdb_connection: unix:/run/openvswitch/db.sock l3_agent: DEFAULT: # (NOTE)portdirect: if unset this is populated dyanmicly from the value in diff --git a/neutron/values_overrides/ovn_vpn.yaml b/neutron/values_overrides/ovn_vpn.yaml new file mode 100644 index 0000000000..50e53cbc04 --- /dev/null +++ b/neutron/values_overrides/ovn_vpn.yaml @@ -0,0 +1,34 @@ +--- +network: + backend: + - openvswitch + - ovn + +conf: + neutron: + DEFAULT: + router_distributed: true + service_plugins: ovn-router,ovn-vpnaas + l3_ha_network_type: geneve + ovn_vpn_agent: + service_providers: + service_provider: VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ovn_ipsec.IPsecOvnVPNDriver:default + plugins: + ml2_conf: + ml2: + extension_drivers: port_security + type_drivers: flat,vxlan,geneve + tenant_network_types: geneve + ovn: + ovn_l3_scheduler: leastloaded + dns_servers: 8.8.8.8,1.1.1.1 + neutron_sync_mode: repair + +manifests: + daemonset_dhcp_agent: false + daemonset_l3_agent: false + daemonset_metadata_agent: false + daemonset_ovs_agent: false + + daemonset_ovn_metadata_agent: true + daemonset_ovn_vpn_agent: true diff --git a/releasenotes/notes/neutron.yaml b/releasenotes/notes/neutron.yaml index e64f8a4048..0d1430fa90 100644 --- a/releasenotes/notes/neutron.yaml +++ b/releasenotes/notes/neutron.yaml @@ -85,4 +85,5 @@ neutron: - 0.3.41 Enable custom annotations for Openstack secrets - 0.3.42 Update images used by default - 0.3.43 Switch neutron to uWSGI + - 0.3.44 Add OVN VPNaas support ...
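Review bot: In `values_overrides/ovn_vpn.yaml` the `service_providers.service_provider` entry sits under `conf.ovn_vpn_agent`, which this change renders only into `neutron_ovn_vpn_agent.ini`, while `conf.neutron_vpnaas` stays `null`. The service driver named there (`...service_drivers.ovn_ipsec.IPsecOvnVPNDriver`) is loaded by the API service that has `ovn-vpnaas` in `service_plugins`, and nothing in this diff shows that service reading the agent ini, so the provider may never reach it; this needs checking against the server deployment, which is not in the patch. If it is not read there, the entry should go under `conf.neutron_vpnaas.service_providers`, with a comment stating which process consumes each file. Separately, `dns_servers: 8.8.8.8,1.1.1.1` sends tenant DNS traffic to public resolvers by default for anyone who applies this override; a comment marking it as an example value to replace with site resolvers would avoid that.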