From 41bd86b7bdd9b227e111363c3cd9afbf5d9147e1 Mon Sep 17 00:00:00 2001
From: James Denton
Date: Wed, 13 Feb 2019 21:02:28 +0000
Subject: [PATCH] Enable functional deployment of FWaaS v2
This patch updates various vars and templates to enable a functioning deployment of FWaaS v2 on an Open vSwitch-based OSA cloud. A test is also included for verification.
Change-Id: Ibfa2cbafd19f6870139c4ea3e9dfc80cf8c574e1
Closes-Bug: #1811070
---
 defaults/main.yml | 10 +++++++++
 templates/l3_agent.ini.j2 | 3 ++-
 templates/neutron.conf.j2 | 8 ++++++-
 tests/neutron-overrides-ovs-fwaasv2.yml | 30 +++++++++++++++++++++++++
 tox.ini | 10 +++++++++
 zuul.d/jobs.yaml | 6 +++++
 zuul.d/project.yaml | 2 ++
 7 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100644 tests/neutron-overrides-ovs-fwaasv2.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index 6a567c66..0cb2b362 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -227,6 +227,9 @@ neutron_quota_security_group: 10
 neutron_quota_security_group_rule: 100
 neutron_quota_subnet: 100
 neutron_quota_vip: 10
+neutron_quota_firewall: 10
+neutron_quota_firewall_policy: 10
+neutron_quota_firewall_rule: 100
 ###
 ### DB (Galera) integration
@@ -445,6 +448,13 @@ neutron_octavia_request_poll_timeout: 100
 # Use the Octavia proxy
 neutron_octavia_proxy_plugin: False
+###
+### FWaaS Configuration
+###
+
+neutron_driver_fwaasv2: iptables_v2
+neutron_fwaasv2_service_provider: FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default
+
 ###
 ### VPNaaS Configuration
 ###
diff --git a/templates/l3_agent.ini.j2 b/templates/l3_agent.ini.j2
index 9ebad700..a89bb417 100644
--- a/templates/l3_agent.ini.j2
+++ b/templates/l3_agent.ini.j2
@@ -38,8 +38,9 @@ agent_version = v1
 {% set _ = l3_agent_plugins.append("fwaas_v2") %}
 [fwaas]
 enabled = true
-driver = iptables_v2
+driver = {{ neutron_driver_fwaasv2 }}
 agent_version = v2
+firewall_l2_driver = noop
 {% endif %}
 {% if neutron_vpnaas | bool %}
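Review bot: `neutron_driver_fwaasv2` and `neutron_fwaasv2_service_provider` in the `@@ -445,6 +448,13 @@` hunk of defaults/main.yml are added with no comment, unlike the neighbouring `# Use the Octavia proxy` line, so an operator overriding them has no hint of what each one controls. Suggest a comment above the first such as `# Driver rendered into [fwaas] driver in l3_agent.ini for FWaaS v2` and one above the second such as `# service_provider line added to neutron.conf when FWaaS v2 is enabled`. The provider value is also a long plain scalar made of colon-separated fields; it parses as a string as written, but quoting it would keep that true if the value is later edited.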
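Review bot: `firewall_l2_driver = noop` is hard-coded in the `[fwaas]` section of templates/l3_agent.ini.j2, while the `driver` line two lines above it was just made configurable through `neutron_driver_fwaasv2`. With a no-op L2 driver, firewall groups attached to instance (L2) ports would presumably be accepted by the API but not enforced, which is easy to mistake for working protection. Suggest exposing it the same way, e.g. `firewall_l2_driver = {{ neutron_fwaasv2_l2_driver }}` (a new default, name proposed here, set to `noop`), with a comment in defaults/main.yml saying that under this default enforcement is expected on router ports only. Whether the L3 agent reads this option from this file is worth confirming. The enclosing `{% if %}` block starts above the hunk.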
diff --git a/templates/neutron.conf.j2 b/templates/neutron.conf.j2
index da058cb3..d1b98cb3 100644
--- a/templates/neutron.conf.j2
+++ b/templates/neutron.conf.j2
@@ -163,6 +163,9 @@ quota_security_group = {{ neutron_quota_security_group }}
 quota_security_group_rule = {{ neutron_quota_security_group_rule }}
 quota_subnet = {{ neutron_quota_subnet }}
 quota_vip = {{ neutron_quota_vip }}
+quota_firewall = {{ neutron_quota_firewall }}
+quota_firewall_policy = {{ neutron_quota_firewall_policy }}
+quota_firewall_rule = {{ neutron_quota_firewall_rule }}
 # Keystone authentication
 [keystone_authtoken]
@@ -200,9 +203,12 @@ pool_timeout = {{ neutron_db_pool_timeout }}
 service_provider = {{ service_provider }}
 {% endfor %}
 {% endif %}
-{% if neutron_vpnaas| bool %}
+{% if neutron_vpnaas | bool %}
 service_provider = {{ neutron_vpnaas_service_provider }}
 {% endif %}
+{% if neutron_fwaas_v2 | bool %}
+service_provider = {{ neutron_fwaasv2_service_provider }}
+{% endif %}
 {% if neutron_lbaasv2 | bool %}
 {% if neutron_lbaas_octavia | bool %}
diff --git a/tests/neutron-overrides-ovs-fwaasv2.yml b/tests/neutron-overrides-ovs-fwaasv2.yml
new file mode 100644
index 00000000..e0cd1f62
--- /dev/null
+++ b/tests/neutron-overrides-ovs-fwaasv2.yml
@@ -0,0 +1,30 @@
+---
+openstack_host_specific_kernel_modules:
+ - name: "openvswitch"
+ pattern: "CONFIG_OPENVSWITCH"
+
+tempest_run: yes
+
+tempest_plugins:
+ - name: neutron
+ repo: https://git.openstack.org/openstack/neutron
+ branch: master
+ - name: neutron-plugins
+ repo: https://git.openstack.org/openstack/neutron-tempest-plugin
+ branch: master
+ - name: neutron-fwaas
+ repo: https://git.openstack.org/openstack/neutron-fwaas
+ branch: master
+
+tempest_test_whitelist:
+ - "neutron_tempest_plugin.api.test_networks*"
+ - "neutron_fwaas.tests.tempest_plugin.tests.api.test_fwaasv2_extensions*"
+ - "neutron_fwaas.tests.tempest_plugin.tests.api.v2_base*"
+
+tempest_network_ping_gateway: False
+
+neutron_plugin_type: ml2.ovs
+neutron_local_ip: "{{ ansible_host }}"
+neutron_plugin_base:
+ - router
+ - firewall_v2
diff --git a/tox.ini b/tox.ini
index aacaa3ab..617f017c 100644
--- a/tox.ini
+++ b/tox.ini
@@ -175,6 +175,16 @@ setenv =
 commands =
 bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
+
+[testenv:ovs-fwaasv2]
+setenv =
+ {[testenv]setenv}
+ ANSIBLE_INVENTORY={toxinidir}/tests/ovs_inventory
+ ANSIBLE_OVERRIDES={toxinidir}/tests/neutron-overrides-ovs-fwaasv2.yml
+commands =
+ bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
+
+
 [testenv:linters]
 basepython = python3
 commands =
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 15c585ad..ac73b3c9 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -66,3 +66,9 @@
 parent: openstack-ansible-functional-ubuntu-xenial
 vars:
 tox_env: opendaylight-bgpvpn
+
+- job:
+ name: openstack-ansible-ovs-fwaasv2-ubuntu-bionic
+ parent: openstack-ansible-functional-ubuntu-bionic
+ vars:
+ tox_env: ovs-fwaasv2
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 907eb735..950168fb 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
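Review bot: The `tempest_test_whitelist` in tests/neutron-overrides-ovs-fwaasv2.yml selects only API-level patterns (`...tests.api.test_fwaasv2_extensions*`, `...tests.api.v2_base*`), so the job appears to confirm that firewall groups, policies and rules can be created, but not that traffic is filtered on the deployed cloud. For a packet-filtering feature that gap matters, because a misrendered `[fwaas]` section could leave rules unenforced while this job still passes. Consider adding a scenario pattern from the fwaas plugin if one fits this topology, or at least a comment above the list such as `# API-level checks only; rule enforcement in the datapath is not exercised by this job`. Separately, all three `tempest_plugins` entries track `branch: master`, so results depend on whatever upstream holds at run time; pinning them to the branch or ref that matches the role under test would make failures attributable.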
@@ -33,6 +33,8 @@
 voting: false
 - openstack-ansible-opendaylight-bgpvpn-ubuntu-xenial:
 voting: false
+ - openstack-ansible-ovs-fwaasv2-ubuntu-bionic:
+ voting: false
 gate:
 jobs:
 - openstack-ansible-ovs-ubuntu-xenial