From 7bb267c7f9c1b047406f4ad4bbe4069a935393b1 Mon Sep 17 00:00:00 2001
From: Mohammed Naser <mnaser@vexxhost.com>
Date: Wed, 19 Aug 2020 08:38:25 -0400
Subject: [PATCH] Move n-ovs-agent to Kubernetes

Change-Id: I8e6d62341b327137c69585a26a3d37cf5554ea08
---
 devstack/lib/neutron-legacy                   | 20 ++++
 images/neutron/Dockerfile                     |  4 +
 images/neutron/bindep.txt                     |  2 +
 images/neutron/neutron-openvswitch-agent      | 29 ++++++
 images/neutron/setup-repos.sh                 | 55 +++++++++++
 openstack_operator/neutron.py                 |  4 +-
 .../identity/applicationcredential.py         | 12 +++
 .../openstack/identity/services.py            |  4 +-
 .../daemonset-openvswitch-agent.yml.j2        | 97 +++++++++++++++++++
 ...emonset.yml.j2 => daemonset-server.yml.j2} |  0
 zuul.d/functional-jobs.yaml                   |  3 +-
 zuul.d/neutron-jobs.yaml                      |  3 +
 12 files changed, 229 insertions(+), 4 deletions(-)
 create mode 100755 images/neutron/neutron-openvswitch-agent
 create mode 100644 images/neutron/setup-repos.sh
 create mode 100644 openstack_operator/templates/neutron/daemonset-openvswitch-agent.yml.j2
 rename openstack_operator/templates/neutron/{daemonset.yml.j2 => daemonset-server.yml.j2} (100%)

diff --git a/devstack/lib/neutron-legacy b/devstack/lib/neutron-legacy
index 99811416..6ef9a423 100644
--- a/devstack/lib/neutron-legacy
+++ b/devstack/lib/neutron-legacy
@@ -87,6 +87,26 @@ function start_neutron_service_and_check {
 }
 export -f start_neutron_service_and_check
 
+function start_mutnauq_l2_agent {
+	kubernetes_rollout_restart daemonset/neutron-openvswitch-agent
+	kubernetes_rollout_status daemonset/neutron-openvswitch-agent
+
+	if is_provider_network && [[ $Q_AGENT == "openvswitch" ]]; then
+		sudo ovs-vsctl --no-wait -- --may-exist add-port $OVS_PHYSICAL_BRIDGE $PUBLIC_INTERFACE
+		sudo ip link set $OVS_PHYSICAL_BRIDGE up
+		sudo ip link set br-int up
+		sudo ip link set $PUBLIC_INTERFACE up
+		if is_ironic_hardware; then
+			for IP in $(ip addr show dev $PUBLIC_INTERFACE | grep ' inet ' | awk '{print $2}'); do
+				sudo ip addr del $IP dev $PUBLIC_INTERFACE
+				sudo ip addr add $IP dev $OVS_PHYSICAL_BRIDGE
+			done
+			sudo ip route replace $FIXED_RANGE via $NETWORK_GATEWAY dev $OVS_PHYSICAL_BRIDGE
+		fi
+	fi
+}
+export -f start_neutron_agents
+
 function _configure_neutron_common {
 	_create_neutron_conf_dir
 
diff --git a/images/neutron/Dockerfile b/images/neutron/Dockerfile
index d6cce6c5..f03467b9 100644
--- a/images/neutron/Dockerfile
+++ b/images/neutron/Dockerfile
@@ -25,3 +25,7 @@ CMD ["/usr/local/bin/uwsgi", "--ini", "/etc/uwsgi/uwsgi.ini"]
 FROM neutron-base AS neutron-rpc-server
 COPY neutron-rpc-server /usr/local/bin/neutron-rpc-server
 CMD ["/usr/local/bin/neutron-rpc-server"]
+
+FROM neutron-base AS neutron-openvswitch-agent
+COPY neutron-openvswitch-agent /usr/local/bin/neutron-openvswitch-agent
+CMD ["/usr/local/bin/neutron-openvswitch-agent", "--config-file", "/etc/neutron/neutron.conf", "--config-file", "/etc/neutron/plugins/ml2/ml2_conf.ini"]
\ No newline at end of file
diff --git a/images/neutron/bindep.txt b/images/neutron/bindep.txt
index 64b038ba..80478861 100644
--- a/images/neutron/bindep.txt
+++ b/images/neutron/bindep.txt
@@ -1,2 +1,4 @@
 gcc [compile]
 libc-dev [compile]
+sudo
+openvswitch-common
diff --git a/images/neutron/neutron-openvswitch-agent b/images/neutron/neutron-openvswitch-agent
new file mode 100755
index 00000000..b4d91bed
--- /dev/null
+++ b/images/neutron/neutron-openvswitch-agent
@@ -0,0 +1,29 @@
+#!/usr/local/bin/python
+# Copyright (c) 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import pkg_resources
+import re
+import sys
+
+import sentry_sdk
+
+from neutron.cmd.eventlet.plugins.ovs_neutron_agent import main
+
+VERSION = pkg_resources.get_distribution("neutron").version
+sentry_sdk.init(release="neutron@%s" % VERSION)
+
+sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])
+sys.exit(main())
diff --git a/images/neutron/setup-repos.sh b/images/neutron/setup-repos.sh
new file mode 100644
index 00000000..97a0dd1d
--- /dev/null
+++ b/images/neutron/setup-repos.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+# Copyright (c) 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -xe
+
+apt-get install -y gnupg2
+
+cat <<EOF | apt-key add -
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQINBF3u81cBEACbfsspk7WNkcXCn3N5T9VKYt/dmvSsEW8nIIf/iwV7dSISmruz
+1b7bviqfekEvf37yiFwHVFxxS70ry/ofXp51X7RUVytrJY/hNMvr7C7zyNqM928+
+c8TP3FjGsPvFiWw/L2JgGl9/4+OYW5yF3HabMOa63xbFPAU891o9HIN5YfFDZZWD
+VNsMyXCUjVB9wy7anF77moqXuews1OmvMSArE7erLjAnC5HHGdTeZO7KfDCylqPB
+oBWF3pzNU1Vu6wEq9vL5NDYglsbN7jmDA+8mS0SyAnFxvTsqjisR8gpNtPaatQqM
+wTdOydscSoXS9MfpCrxPne0dBmpAlcVdI4hq1T4l9Osf2x5s+Kb9JxF+Q4V87n4q
+8fjusePRIMxO7aZjFUEvL8uIzg7VvF3b1X9UXkS6LH2YPLOqOf3lhvyk5RwwMfHp
+p99KOVrTWbaBYVKuxR17oWkYBPOPp+4ld8F6zSk36GK+lzPP8814X28kS357lg1y
+4kla/CfNav3AXdnsZkCvJhrwwR8HCXwTYaF2TzrZPqv5TZB1k9iBuL2X52BSxobR
+PvTTM00iZhipC/EsA7vQu4FOla/ySb/R6cfFIiDyOrDiOJ3+zlWDQ0uBikCP4lIY
+uUB+uVIWd8F7Us1voqsqUrVL1CSu1cYn+NOhf12eZsA740wgUZfCU2qmGwARAQAB
+tBhyZXBvIDxyZXBvQHZleHhob3N0Lm5ldD6JAjkEEwEIACMFAl3u81cCGy8HCwkI
+BwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDETupUFYbjJ7WxD/9HcMd9HMwg7WC3
+eKSFeHGJXtN/0IuCJ6r3q10/dhb8QqqZ+Rnlr5CH4DAHdkhnL5+OvnHVYu/LVejX
+17dZUS0uB+JXZpMdfsv8i2g/c8uxi2KPsRa3pxXudb+WhjbxhRxeMpsQNbMc5M5+
+cYseUYj1nzTioDn9MQH43GcYBuhydiWsp7zRs2CNWrWJgwTOwnd/g4YV+9VWqshM
+x+/N0bdD+LIT0MmYYGBaK6vBnM2kG6gcwc0ZMwMYHJk+MotuFNM7KDu06XWkp/Uq
+8uzi7tZKHTa/kc+LrJrIOwLIkFH1uMvRZXma+JwASbcEW97YCUw/vhLa3AbZvCum
+9QLHv28zyUXfo9QLEhkOGC/ykkYOSt0u/lznokpf840tmYHBCLavFzOPJ0Nc2T7Y
+tCyEA5sV2UVI4hdBtwG1Vz8rAggDu0NWDW3BGyP0X2x1jddzzNRhevqQqcAe83Ei
+XOOP1aunhtUKUe+sXLFOY0d3OK0RysKAn9kdxcZ9qqZdrKhj+dwuvMBeZPau0ZGT
+t81b/zv6hiwA1b1b4X6EKz/aZwQyQ3/UUovM0KC9rMSzm5kKYWwcfkSDY6aLZtgc
+GBc+auY+9Mwcp4V5kEH6zMXF4baJzMj2m7LFYlLRVofY5kxlrr86TAK0jMmiDOx8
+AcjcZTiXBPNU8sK+VbsXvtB0Mel7Vw==
+=hpXM
+-----END PGP PUBLIC KEY BLOCK-----
+EOF
+
+cat <<EOF | tee /etc/apt/sources.list.d/vexxhost.list
+deb http://repo.vexxhost.net/ buster main
+EOF
diff --git a/openstack_operator/neutron.py b/openstack_operator/neutron.py
index c53bff24..da85396e 100644
--- a/openstack_operator/neutron.py
+++ b/openstack_operator/neutron.py
@@ -40,7 +40,9 @@ def create_or_resume(spec, **_):
     database.ensure_mysql_cluster("neutron")
 
     utils.create_or_update('neutron/rabbitmq.yml.j2')
-    utils.create_or_update('neutron/daemonset.yml.j2', spec=spec)
+    utils.create_or_update('neutron/daemonset-server.yml.j2', spec=spec)
+    utils.create_or_update('neutron/daemonset-openvswitch-agent.yml.j2',
+                           spec=spec)
     utils.create_or_update('neutron/service.yml.j2')
 
     identity.ensure_application_credential(name="neutron")
diff --git a/openstack_operator/openstack/identity/applicationcredential.py b/openstack_operator/openstack/identity/applicationcredential.py
index 080e26c8..17bc431f 100644
--- a/openstack_operator/openstack/identity/applicationcredential.py
+++ b/openstack_operator/openstack/identity/applicationcredential.py
@@ -54,6 +54,18 @@ def create_or_resume(name, **_):
             'identity/secret-applicationcredential.yml.j2',
             name=name, secret=credential.secret,
             id=credential.id, adopt=True)
+        return
+
+    # NOTE(Alex): Sometimes, double POST application_credential requests
+    # are made to keystone API at the "same time".
+    # The credential secret is not created in this case.
+    # The following codes should fix this case.
+    if utils.get_secret(name=name+"-application-credential",
+                        namespace="openstack") is None:
+        utils.create_or_update(
+            'identity/secret-applicationcredential.yml.j2',
+            name=name, secret=credential.secret,
+            id=credential.id, adopt=True)
 
 
 @kopf.on.delete('identity.openstack.org', 'v1alpha1', 'applicationcredentials')
diff --git a/openstack_operator/openstack/identity/services.py b/openstack_operator/openstack/identity/services.py
index 41a964f9..8db89756 100644
--- a/openstack_operator/openstack/identity/services.py
+++ b/openstack_operator/openstack/identity/services.py
@@ -33,8 +33,8 @@ def _get_service(conn, name, service_type):
     try:
         services = conn.search_services(name_or_id=name,
                                         filters={"type": service_type})
-    except ConnectionRefusedError:
-        raise kopf.TemporaryError("Keystone is not up yet", delay=5)
+    except ConnectionRefusedError as ex:
+        raise kopf.TemporaryError(str(ex), delay=5)
 
     if len(services) > 1:
         raise RuntimeError("Found multiple services with name and type")
diff --git a/openstack_operator/templates/neutron/daemonset-openvswitch-agent.yml.j2 b/openstack_operator/templates/neutron/daemonset-openvswitch-agent.yml.j2
new file mode 100644
index 00000000..f1927af9
--- /dev/null
+++ b/openstack_operator/templates/neutron/daemonset-openvswitch-agent.yml.j2
@@ -0,0 +1,97 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: neutron-openvswitch-agent
+  namespace: openstack
+  labels:
+    {{ labels("neutron", component="openvswitch-agent") | indent(4) }}
+spec:
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      {{ labels("neutron", component="openvswitch-agent") | indent(6) }}
+  template:
+    metadata:
+      labels:
+        {{ labels("neutron", component="openvswitch-agent") | indent(8) }}
+    spec:
+      automountServiceAccountToken: false
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      initContainers:
+      # TODO(mnaser): This should parse the configuration file and then create
+      #               the bridges as needed.
+      - name: create-bridge
+        image: vexxhost/neutron-openvswitch-agent:latest
+        imagePullPolicy: Always
+        command:
+        - ovs-vsctl
+        - --may-exist
+        - add-br
+        - br-ex
+        volumeMounts:
+        - name: config
+          mountPath: /etc/neutron
+        - name: ml2-config
+          mountPath: /etc/neutron/plugins/ml2
+        - name: host-run-ovs
+          mountPath: /run/openvswitch
+      containers:
+      - name: agent
+        image: vexxhost/neutron-openvswitch-agent:latest
+        imagePullPolicy: Always
+        env:
+        {% if 'sentryDSN' in spec %}
+        - name: SENTRY_DSN
+          value: {{ spec.sentryDSN }}
+        {% endif %}
+        - name: OS_OVS__LOCAL_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        securityContext:
+          # NOTE(mnaser): We need to revisit this
+          privileged: true
+        volumeMounts:
+        - name: config
+          mountPath: /etc/neutron
+        - name: ml2-config
+          mountPath: /etc/neutron/plugins/ml2
+        - name: host-run-ovs
+          mountPath: /run/openvswitch
+      volumes:
+      - name: config
+        secret:
+          secretName: neutron-config
+      - name: ml2-config
+        secret:
+          secretName: neutron-ml2-config
+      - name: host-run-ovs
+        hostPath:
+          path: /run/openvswitch
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+{% if 'hostAliases' in spec %}
+      hostAliases:
+        {{ spec.hostAliases | to_yaml | indent(8) }}
+{% endif %}
+
diff --git a/openstack_operator/templates/neutron/daemonset.yml.j2 b/openstack_operator/templates/neutron/daemonset-server.yml.j2
similarity index 100%
rename from openstack_operator/templates/neutron/daemonset.yml.j2
rename to openstack_operator/templates/neutron/daemonset-server.yml.j2
diff --git a/zuul.d/functional-jobs.yaml b/zuul.d/functional-jobs.yaml
index 1884a913..32a51d25 100644
--- a/zuul.d/functional-jobs.yaml
+++ b/zuul.d/functional-jobs.yaml
@@ -50,7 +50,8 @@
       - magnum-tempest-plugin
       - tempest-horizon
       devstack_localrc:
-        NEUTRON_DEPLOY_MOD_WSGI: True
+        NEUTRON_DEPLOY_MOD_WSGI: true
+        Q_USE_ROOTWRAP: false
         TEMPEST_PLUGINS: /opt/stack/barbican-tempest-plugin /opt/stack/heat-tempest-plugin
           /opt/stack/magnum-tempest-plugin /opt/stack/tempest-horizon
       docker_use_buildset_registry: true
diff --git a/zuul.d/neutron-jobs.yaml b/zuul.d/neutron-jobs.yaml
index 24100106..f4ec5269 100644
--- a/zuul.d/neutron-jobs.yaml
+++ b/zuul.d/neutron-jobs.yaml
@@ -17,6 +17,9 @@
       - context: images/neutron
         repository: vexxhost/neutron-rpc-server
         target: neutron-rpc-server
+      - context: images/neutron
+        repository: vexxhost/neutron-openvswitch-agent
+        target: neutron-openvswitch-agent
     dependencies:
     - openstack-operator:images:build:openstack-operator
     files: &id003