TVD: Add VPNaaS wrapper driver
Change-Id: I39746cf7dc251ad8a6cc632e2c2627c80a41564a
This commit is contained in:
parent
d18e17af8f
commit
e9b4d3484a
@ -302,3 +302,12 @@ Add neutron-dynamic-routing repo as an external repository and configure followi
|
||||
[[post-config|$NEUTRON_CONF]]
|
||||
[DEFAULT]
|
||||
api_extensions_path = $DEST/neutron-dynamic-routing/neutron_dynamic_routing/extensions
|
||||
|
||||
Neutron VPNaaS
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
Add neutron-vpnaas repo as an external repository and configure following flags in ``local.conf``::
|
||||
|
||||
[[local|localrc]]
|
||||
enable_plugin neutron-vpnaas https://git.openstack.org/openstack/neutron-vpnaas
|
||||
NEUTRON_VPNAAS_SERVICE_PROVIDER=VPN:vmware:vmware_nsx.services.vpnaas.nsx_tvd.ipsec_driver.NSXIPsecVpnDriver:default
|
||||
|
@ -3894,7 +3894,8 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
|
||||
if vpn_plugin:
|
||||
vpn_driver = vpn_plugin.drivers[vpn_plugin.default_provider]
|
||||
vpn_rules = (
|
||||
vpn_driver._generate_ipsecvpn_firewall_rules(edge_id))
|
||||
vpn_driver._generate_ipsecvpn_firewall_rules(
|
||||
self.plugin_type(), context, edge_id=edge_id))
|
||||
fw_rules.extend(vpn_rules)
|
||||
|
||||
# Get the load balancer rules in case they are refreshed
|
||||
|
@ -3658,7 +3658,7 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
|
||||
vpn_driver = vpn_plugin.drivers[vpn_plugin.default_provider]
|
||||
vpn_rules = (
|
||||
vpn_driver._generate_ipsecvpn_firewall_rules(
|
||||
context, router_id))
|
||||
self.plugin_type(), context, router_id=router_id))
|
||||
if vpn_rules:
|
||||
extra_rules.extend(vpn_rules)
|
||||
|
||||
|
0
vmware_nsx/services/vpnaas/nsx_tvd/__init__.py
Normal file
0
vmware_nsx/services/vpnaas/nsx_tvd/__init__.py
Normal file
100
vmware_nsx/services/vpnaas/nsx_tvd/ipsec_driver.py
Normal file
100
vmware_nsx/services/vpnaas/nsx_tvd/ipsec_driver.py
Normal file
@ -0,0 +1,100 @@
|
||||
# Copyright 2018 VMware, Inc.
|
||||
# All Rights Reserved
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_log import log as logging
|
||||
|
||||
from neutron_lib.plugins import directory
|
||||
from neutron_vpnaas.services.vpn import service_drivers
|
||||
|
||||
from vmware_nsx.common import exceptions as nsx_exc
|
||||
from vmware_nsx.extensions import projectpluginmap
|
||||
from vmware_nsx.plugins.nsx import utils as tvd_utils
|
||||
from vmware_nsx.services.vpnaas.nsx_tvd import ipsec_validator
|
||||
from vmware_nsx.services.vpnaas.nsxv import ipsec_driver as v_driver
|
||||
from vmware_nsx.services.vpnaas.nsxv3 import ipsec_driver as t_driver
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
IPSEC = 'ipsec'
|
||||
|
||||
|
||||
class NSXIPsecVpnDriver(service_drivers.VpnDriver):
|
||||
"""Wrapper driver to select the relevant driver for each VPNaaS request"""
|
||||
def __init__(self, service_plugin):
|
||||
self.vpn_plugin = service_plugin
|
||||
self._core_plugin = directory.get_plugin()
|
||||
validator = ipsec_validator.IPsecValidator(service_plugin)
|
||||
super(NSXIPsecVpnDriver, self).__init__(service_plugin, validator)
|
||||
|
||||
# supported drivers:
|
||||
self.drivers = {}
|
||||
try:
|
||||
self.drivers[projectpluginmap.NsxPlugins.NSX_T] = (
|
||||
t_driver.NSXv3IPsecVpnDriver(service_plugin))
|
||||
except Exception as e:
|
||||
LOG.error("NSXIPsecVpnDriver failed to initialize the NSX-T "
|
||||
"driver: %s", e)
|
||||
self.drivers[projectpluginmap.NsxPlugins.NSX_T] = None
|
||||
try:
|
||||
self.drivers[projectpluginmap.NsxPlugins.NSX_V] = (
|
||||
v_driver.NSXvIPsecVpnDriver(service_plugin))
|
||||
except Exception as e:
|
||||
LOG.error("NSXIPsecVpnDriver failed to initialize the NSX-V "
|
||||
"driver: %s", e)
|
||||
self.drivers[projectpluginmap.NsxPlugins.NSX_V] = None
|
||||
|
||||
@property
|
||||
def service_type(self):
|
||||
return IPSEC
|
||||
|
||||
def _get_driver_for_project(self, project):
|
||||
plugin_type = tvd_utils.get_tvd_plugin_type_for_project(project)
|
||||
if not self.drivers.get(plugin_type):
|
||||
msg = (_("Project %(project)s with plugin %(plugin)s has no "
|
||||
"support for VPNaaS"), {'project': project,
|
||||
'plugin': plugin_type})
|
||||
raise nsx_exc.NsxPluginException(err_msg=msg)
|
||||
return self.drivers[plugin_type]
|
||||
|
||||
def create_ipsec_site_connection(self, context, ipsec_site_conn):
|
||||
d = self._get_driver_for_project(ipsec_site_conn['tenant_id'])
|
||||
return d.create_ipsec_site_connection(context, ipsec_site_conn)
|
||||
|
||||
def delete_ipsec_site_connection(self, context, ipsec_site_conn):
|
||||
d = self._get_driver_for_project(ipsec_site_conn['tenant_id'])
|
||||
return d.delete_ipsec_site_connection(context, ipsec_site_conn)
|
||||
|
||||
def update_ipsec_site_connection(self, context, old_ipsec_conn,
|
||||
ipsec_site_conn):
|
||||
d = self._get_driver_for_project(old_ipsec_conn['tenant_id'])
|
||||
return d.update_ipsec_site_connection(context, old_ipsec_conn,
|
||||
ipsec_site_conn)
|
||||
|
||||
def create_vpnservice(self, context, vpnservice):
|
||||
d = self._get_driver_for_project(vpnservice['tenant_id'])
|
||||
return d.create_vpnservice(context, vpnservice)
|
||||
|
||||
def update_vpnservice(self, context, old_vpnservice, vpnservice):
|
||||
pass
|
||||
|
||||
def delete_vpnservice(self, context, vpnservice):
|
||||
pass
|
||||
|
||||
def _generate_ipsecvpn_firewall_rules(self, plugin_type, context,
|
||||
**kargs):
|
||||
d = self.drivers.get(plugin_type)
|
||||
if d:
|
||||
return d._generate_ipsecvpn_firewall_rules(
|
||||
plugin_type, context, **kargs)
|
||||
return []
|
112
vmware_nsx/services/vpnaas/nsx_tvd/ipsec_validator.py
Normal file
112
vmware_nsx/services/vpnaas/nsx_tvd/ipsec_validator.py
Normal file
@ -0,0 +1,112 @@
|
||||
# Copyright 2018 VMware, Inc.
|
||||
# All Rights Reserved
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_log import log as logging
|
||||
|
||||
from neutron_vpnaas.db.vpn import vpn_validator
|
||||
|
||||
from vmware_nsx._i18n import _
|
||||
from vmware_nsx.common import exceptions as nsx_exc
|
||||
from vmware_nsx.extensions import projectpluginmap
|
||||
from vmware_nsx.plugins.nsx import utils as tvd_utils
|
||||
from vmware_nsx.services.vpnaas.nsxv import ipsec_validator as v_validator
|
||||
from vmware_nsx.services.vpnaas.nsxv3 import ipsec_validator as t_validator
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class IPsecValidator(vpn_validator.VpnReferenceValidator):
|
||||
"""Wrapper validator for selecting the V/T validator to use"""
|
||||
def __init__(self, service_plugin):
|
||||
super(IPsecValidator, self).__init__()
|
||||
self.vpn_plugin = service_plugin
|
||||
|
||||
# supported validatorss:
|
||||
self.validators = {}
|
||||
try:
|
||||
self.validators[projectpluginmap.NsxPlugins.NSX_T] = (
|
||||
t_validator.IPsecV3Validator(service_plugin))
|
||||
except Exception as e:
|
||||
LOG.error("IPsecValidator failed to initialize the NSX-T "
|
||||
"validator: %s", e)
|
||||
self.validators[projectpluginmap.NsxPlugins.NSX_T] = None
|
||||
try:
|
||||
self.validators[projectpluginmap.NsxPlugins.NSX_V] = (
|
||||
v_validator.IPsecValidator(service_plugin))
|
||||
except Exception as e:
|
||||
LOG.error("IPsecValidator failed to initialize the NSX-V "
|
||||
"validator: %s", e)
|
||||
self.validators[projectpluginmap.NsxPlugins.NSX_V] = None
|
||||
|
||||
def _get_validator_for_project(self, project):
|
||||
plugin_type = tvd_utils.get_tvd_plugin_type_for_project(project)
|
||||
if not self.validators.get(plugin_type):
|
||||
msg = (_("Project %(project)s with plugin %(plugin)s has no "
|
||||
"support for VPNaaS"), {'project': project,
|
||||
'plugin': plugin_type})
|
||||
raise nsx_exc.NsxPluginException(err_msg=msg)
|
||||
return self.validators[plugin_type]
|
||||
|
||||
def validate_ipsec_site_connection(self, context, ipsec_site_conn):
|
||||
if not ipsec_site_conn.get('tenant_id'):
|
||||
# nothing we can do here.
|
||||
return
|
||||
|
||||
v = self._get_validator_for_project(ipsec_site_conn['tenant_id'])
|
||||
|
||||
# first make sure the plugin is the same as the one of the vpnservice
|
||||
srv_id = ipsec_site_conn.get('vpnservice_id')
|
||||
srv = self.vpn_plugin._get_vpnservice(context, srv_id)
|
||||
srv_validator = self._get_validator_for_project(srv['tenant_id'])
|
||||
if v != srv_validator:
|
||||
err_msg = _('VPN service should belong to the same plugin '
|
||||
'as the connection')
|
||||
raise nsx_exc.NsxVpnValidationError(details=err_msg)
|
||||
|
||||
return v.validate_ipsec_site_connection(context, ipsec_site_conn)
|
||||
|
||||
def validate_vpnservice(self, context, vpnservice):
|
||||
if not vpnservice.get('tenant_id'):
|
||||
# This will happen during update.
|
||||
# nothing significant like router or subnet can be changes
|
||||
# so we can skip it.
|
||||
return
|
||||
|
||||
v = self._get_validator_for_project(vpnservice['tenant_id'])
|
||||
|
||||
# first make sure the router&subnet plugin matches the vpnservice
|
||||
router_id = vpnservice['router_id']
|
||||
p = self.core_plugin._get_plugin_from_router_id(context, router_id)
|
||||
if self.validators.get(p.plugin_type()) != v:
|
||||
err_msg = _('Router & subnet should belong to the same plugin '
|
||||
'as the VPN service')
|
||||
raise nsx_exc.NsxVpnValidationError(details=err_msg)
|
||||
return v.validate_vpnservice(context, vpnservice)
|
||||
|
||||
def validate_ipsec_policy(self, context, ipsec_policy):
|
||||
if not ipsec_policy.get('tenant_id'):
|
||||
# nothing we can do here
|
||||
return
|
||||
|
||||
v = self._get_validator_for_project(ipsec_policy['tenant_id'])
|
||||
return v.validate_ipsec_policy(context, ipsec_policy)
|
||||
|
||||
def validate_ike_policy(self, context, ike_policy):
|
||||
if not ike_policy.get('tenant_id'):
|
||||
# nothing we can do here
|
||||
return
|
||||
|
||||
v = self._get_validator_for_project(ike_policy['tenant_id'])
|
||||
return v.validate_ike_policy(context, ike_policy)
|
@ -24,6 +24,7 @@ from vmware_nsx.common import exceptions as nsxv_exc
|
||||
from vmware_nsx.common import locking
|
||||
from vmware_nsx.common import nsxv_constants
|
||||
from vmware_nsx.db import nsxv_db
|
||||
from vmware_nsx.extensions import projectpluginmap
|
||||
from vmware_nsx.plugins.nsx_v.vshield.common import exceptions as vcns_exc
|
||||
from vmware_nsx.services.vpnaas.nsxv import ipsec_validator
|
||||
|
||||
@ -35,6 +36,9 @@ class NSXvIPsecVpnDriver(service_drivers.VpnDriver):
|
||||
|
||||
def __init__(self, service_plugin):
|
||||
self._core_plugin = directory.get_plugin()
|
||||
if self._core_plugin.is_tvd_plugin():
|
||||
self._core_plugin = self._core_plugin.get_plugin_by_type(
|
||||
projectpluginmap.NsxPlugins.NSX_V)
|
||||
self._vcns = self._core_plugin.nsx_v.vcns
|
||||
validator = ipsec_validator.IPsecValidator(service_plugin)
|
||||
super(NSXvIPsecVpnDriver, self).__init__(service_plugin, validator)
|
||||
@ -111,7 +115,8 @@ class NSXvIPsecVpnDriver(service_drivers.VpnDriver):
|
||||
vse_sites.append(ipsec_site_conn)
|
||||
return vse_sites
|
||||
|
||||
def _generate_ipsecvpn_firewall_rules(self, edge_id):
|
||||
def _generate_ipsecvpn_firewall_rules(self, plugin_type, context,
|
||||
edge_id=None):
|
||||
ipsecvpn_configs = self._get_ipsec_config(edge_id)
|
||||
ipsec_vpn_fw_rules = []
|
||||
if ipsecvpn_configs[1]['enabled']:
|
||||
|
@ -26,6 +26,7 @@ from neutron_vpnaas.services.vpn import service_drivers
|
||||
|
||||
from vmware_nsx.common import exceptions as nsx_exc
|
||||
from vmware_nsx.db import db
|
||||
from vmware_nsx.extensions import projectpluginmap
|
||||
from vmware_nsx.services.vpnaas.nsxv3 import ipsec_utils
|
||||
from vmware_nsx.services.vpnaas.nsxv3 import ipsec_validator
|
||||
from vmware_nsxlib.v3 import exceptions as nsx_lib_exc
|
||||
@ -41,6 +42,9 @@ class NSXv3IPsecVpnDriver(service_drivers.VpnDriver):
|
||||
def __init__(self, service_plugin):
|
||||
self.vpn_plugin = service_plugin
|
||||
self._core_plugin = directory.get_plugin()
|
||||
if self._core_plugin.is_tvd_plugin():
|
||||
self._core_plugin = self._core_plugin.get_plugin_by_type(
|
||||
projectpluginmap.NsxPlugins.NSX_T)
|
||||
self._nsxlib = self._core_plugin.nsxlib
|
||||
self._nsx_vpn = self._nsxlib.vpn_ipsec
|
||||
validator = ipsec_validator.IPsecV3Validator(service_plugin)
|
||||
@ -66,7 +70,8 @@ class NSXv3IPsecVpnDriver(service_drivers.VpnDriver):
|
||||
def _translate_addresses_to_target(self, cidrs):
|
||||
return [self._translate_cidr(ip) for ip in cidrs]
|
||||
|
||||
def _generate_ipsecvpn_firewall_rules(self, context, router_id):
|
||||
def _generate_ipsecvpn_firewall_rules(self, plugin_type, context,
|
||||
router_id=None):
|
||||
"""Return the firewall rules needed to allow vpn traffic"""
|
||||
fw_rules = []
|
||||
# get all the active services of this router
|
||||
|
@ -21,6 +21,7 @@ from neutron_vpnaas.db.vpn import vpn_validator
|
||||
|
||||
from vmware_nsx._i18n import _
|
||||
from vmware_nsx.common import exceptions as nsx_exc
|
||||
from vmware_nsx.extensions import projectpluginmap
|
||||
from vmware_nsx.services.vpnaas.nsxv3 import ipsec_utils
|
||||
from vmware_nsxlib.v3 import nsx_constants as consts
|
||||
from vmware_nsxlib.v3 import vpn_ipsec
|
||||
@ -34,7 +35,13 @@ class IPsecV3Validator(vpn_validator.VpnReferenceValidator):
|
||||
def __init__(self, service_plugin):
|
||||
super(IPsecV3Validator, self).__init__()
|
||||
self.vpn_plugin = service_plugin
|
||||
self.nsxlib = self.core_plugin.nsxlib
|
||||
|
||||
self._core_plugin = self.core_plugin
|
||||
if self._core_plugin.is_tvd_plugin():
|
||||
self._core_plugin = self._core_plugin.get_plugin_by_type(
|
||||
projectpluginmap.NsxPlugins.NSX_T)
|
||||
self.nsxlib = self._core_plugin.nsxlib
|
||||
|
||||
self.check_backend_version()
|
||||
|
||||
def check_backend_version(self):
|
||||
@ -219,7 +226,7 @@ class IPsecV3Validator(vpn_validator.VpnReferenceValidator):
|
||||
this_cidr = srv['subnet']['cidr']
|
||||
|
||||
# get all subnets of no-snat routers
|
||||
all_routers = self.core_plugin.get_routers(admin_con)
|
||||
all_routers = self._core_plugin.get_routers(admin_con)
|
||||
nosnat_routers = [rtr for rtr in all_routers
|
||||
if (rtr['id'] != this_router and
|
||||
rtr.get('external_gateway_info') and
|
||||
@ -229,7 +236,7 @@ class IPsecV3Validator(vpn_validator.VpnReferenceValidator):
|
||||
if rtr['id'] == this_router:
|
||||
continue
|
||||
# go over the subnets of this router
|
||||
subnets = self.core_plugin._find_router_subnets_cidrs(
|
||||
subnets = self._core_plugin._find_router_subnets_cidrs(
|
||||
admin_con, rtr['id'])
|
||||
if subnets and netaddr.IPSet(subnets) & netaddr.IPSet([this_cidr]):
|
||||
msg = (_("Cannot create connection with overlapping local "
|
||||
@ -283,9 +290,10 @@ class IPsecV3Validator(vpn_validator.VpnReferenceValidator):
|
||||
ipsec_policy_id)
|
||||
self.validate_ipsec_policy(context, ipsecpolicy)
|
||||
|
||||
self._check_advertisment_overlap(context, ipsec_site_conn)
|
||||
self._check_unique_addresses(context, ipsec_site_conn)
|
||||
self._check_policy_rules_overlap(context, ipsec_site_conn)
|
||||
if ipsec_site_conn.get('vpnservice_id'):
|
||||
self._check_advertisment_overlap(context, ipsec_site_conn)
|
||||
self._check_unique_addresses(context, ipsec_site_conn)
|
||||
self._check_policy_rules_overlap(context, ipsec_site_conn)
|
||||
|
||||
#TODO(asarfaty): IPv6 is not yet supported. add validation
|
||||
|
||||
@ -293,15 +301,15 @@ class IPsecV3Validator(vpn_validator.VpnReferenceValidator):
|
||||
vpnservice = self.vpn_plugin._get_vpnservice(context,
|
||||
vpnservice_id)
|
||||
router_id = vpnservice['router_id']
|
||||
router_db = self.core_plugin.get_router(context, router_id)
|
||||
router_db = self._core_plugin.get_router(context, router_id)
|
||||
gw = router_db['external_gateway_info']
|
||||
return gw['external_fixed_ips'][0]['ip_address']
|
||||
|
||||
def _validate_router(self, context, router_id):
|
||||
# Verify that the router gw network is connected to an active-standby
|
||||
# Tier0 router
|
||||
router_db = self.core_plugin._get_router(context, router_id)
|
||||
tier0_uuid = self.core_plugin._get_tier0_uuid_by_router(context,
|
||||
router_db = self._core_plugin._get_router(context, router_id)
|
||||
tier0_uuid = self._core_plugin._get_tier0_uuid_by_router(context,
|
||||
router_db)
|
||||
# TODO(asarfaty): cache this result
|
||||
tier0_router = self.nsxlib.logical_router.get(tier0_uuid)
|
||||
|
Loading…
Reference in New Issue
Block a user