From d64582fc6341ec6f13eeb4b3769bea5a853f5ef3 Mon Sep 17 00:00:00 2001
From: Daniel Mellado
Date: Thu, 26 Oct 2017 10:42:18 +0000
Subject: [PATCH] Add icmp sg rules to k8s project
This commit adds a sg rule to k8s project sg so pods there can reply to ping for testing purpouses. By default it only enables ingress rules but the functions could be extended depending on future requirements.
Partially implements: bp functional-testing-catch-up
Change-Id: I1e3f88a007260b485b246a3a3e12d41bc06983b2
---
 devstack/lib/kuryr_kubernetes | 17 +++++++++++++++++
 devstack/plugin.sh | 15 +++++++++++++++
 2 files changed, 32 insertions(+)
diff --git a/devstack/lib/kuryr_kubernetes b/devstack/lib/kuryr_kubernetes
index 7486ed2b1..981684717 100644
--- a/devstack/lib/kuryr_kubernetes
+++ b/devstack/lib/kuryr_kubernetes
@@ -174,6 +174,23 @@ print("%s\\t%s" % (n[beg_offset], n[-end_offset]))
 EOF
 }
+# create_k8s_icmp_sg_rules
+# Description: Creates icmp sg rules for Kuryr-Kubernetes pods
+# Params:
+# sg_id - Kuryr's security group id
+# direction - egress or ingress direction
+function create_k8s_icmp_sg_rules {
+ local sg_id=$1
+ local direction="$2"
+ icmp_sg_rules=$(openstack --os-cloud devstack-admin \
+ --os-region "$REGION_NAME" \
+ security group rule create \
+ --protocol icmp \
+ --"$direction" "$sg_id")
+ die_if_not_set $LINENO icmp_sg_rules \
+ "Failure creating icmp sg ${direction} rule for ${sg_id}"
+}
+
 # create_k8s_subnet
 # Description: Creates a network and subnet for Kuryr-Kubernetes usage
 # Params:
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 9e2ac7151..d731c8a21 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
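Review bot: The rule built in create_k8s_icmp_sg_rules passes no `--remote-ip`, so the openstack client falls back to its default remote prefix (0.0.0.0/0 for IPv4) and the group accepts ICMP from any source, not only from the test host. If that breadth is intended for devstack, the header comment should say so, for example `# Note: no remote prefix is set, so ICMP is accepted from any source; intended for test deployments only`. `icmp_sg_rules` is also assigned without a declaration and leaks into the caller's scope; add `local icmp_sg_rules` next to the other two locals. Finally, `$direction` is forwarded unchecked as `--"$direction"`, so any value other than ingress or egress only shows up as a client usage error.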
@@ -303,6 +303,20 @@ function configure_neutron_defaults {
 iniset "$KURYR_CONFIG" octavia_defaults member_mode "$KURYR_K8S_OCTAVIA_MEMBER_MODE"
 }
+function configure_k8s_pod_sg_rules {
+ local project_id
+ local sg_id
+
+ project_id=$(get_or_create_project \
+ "$KURYR_NEUTRON_DEFAULT_PROJECT" default)
+ sg_id=$(openstack --os-cloud devstack-admin \
+ --os-region "$REGION_NAME" \
+ security group list \
+ --project "$project_id" -c ID -c Name -f value | \
+ awk '/default/ {print $1}')
+ create_k8s_icmp_sg_rules "$sg_id" ingress
+}
+
 function get_hyperkube_container_cacert_setup_dir {
 case "$1" in
 1.[0-3].*) echo "/data";;
@@ -582,6 +596,7 @@ if [[ "$1" == "stack" && "$2" == "extra" ]]; then
 if is_service_enabled tempest; then
 copy_tempest_kubeconfig
+ configure_k8s_pod_sg_rules
 fi
 if is_service_enabled kuryr-kubernetes; then
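Review bot: In configure_k8s_pod_sg_rules the filter `awk '/default/ {print $1}'` matches every row that contains the string default anywhere, so it can return several IDs or the ID of a group that merely has default in its name. The ICMP rule would then be added to the wrong group, or the call would fail on a multi-line argument. Compare the name column exactly with `awk '$2 == "default" {print $1}'`. An empty result is also passed straight on to create_k8s_icmp_sg_rules; guard it first with `die_if_not_set $LINENO sg_id "Failure getting default sg for project ${project_id}"`.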