From 1868cb6dc5fb25e492bfc08742b7fee4c9b5680b Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Fri, 15 May 2020 15:41:48 +0200
Subject: [PATCH] Deprecate firewal_driver option in the Neutron's ML2 config
Config option ``firewall_driver`` should be set in the Neutron agent's, not in the server. Usage of this option in the Neutron server was there just for backward compatibility with old agents which can't report what driver they are using. Since Newton all Neutron drivers are reporting that in heartbeat messages and there is no need to keep configure this in the neutron server's side. Neutron is removing this option from the neutron server in patch: https://review.opendev.org/#/c/726351/
Change-Id: I19a2aa4151cd798fa35248bf3f39dd0819fdc8af
---
 manifests/plugins/ml2.pp | 24 +++++++++++--------
 ...-ml2-firewall_driver-a8598f1c2dd060f1.yaml | 11 +++++++++
 spec/classes/neutron_plugins_ml2_spec.rb | 3 ---
 3 files changed, 25 insertions(+), 13 deletions(-)
 create mode 100644 releasenotes/notes/deprecate-ml2-firewall_driver-a8598f1c2dd060f1.yaml
diff --git a/manifests/plugins/ml2.pp b/manifests/plugins/ml2.pp
index a033780bf..81d72469c 100644
--- a/manifests/plugins/ml2.pp
+++ b/manifests/plugins/ml2.pp
@@ -93,10 +93,6 @@
 # It should be false when you use nova security group.
 # Defaults to $::os_service_default.
 #
-# [*firewall_driver*]
-# (optional) Firewall driver for realizing neutron security group function.
-# Defaults to $::os_service_default
-#
 # [*package_ensure*]
 # (optional) Ensure state for package.
 # Defaults to 'present'.
@@ -127,6 +123,12 @@
 # are 4 and 6.
 # Defaults to $::os_service_default
 #
+# DEPRECATED PARAMETERS
+#
+# [*firewall_driver*]
+# (optional) Firewall driver for realizing neutron security group function.
+# Defaults to undef
+#
 class neutron::plugins::ml2 (
 $type_drivers = ['local', 'flat', 'vlan', 'gre', 'vxlan', 'geneve'],
 $extension_drivers = $::os_service_default,
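Review bot: The `firewall_driver` entry re-added under DEPRECATED PARAMETERS keeps the old description, so the class documentation still reads as if the value were written to the ml2 config. Since the parameter now only triggers a warning, I would document it as `#   (optional) Deprecated and ignored by this class. Set firewall_driver in the L2 agent class (for example neutron::agents::ml2::ovs) instead.` and keep the existing `#   Defaults to undef` line after it. The parameter documentation header this entry belongs to starts above the hunk.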
@@ -138,24 +140,27 @@ class neutron::plugins::ml2 (
 $vxlan_group = '224.0.0.1',
 $vni_ranges = '10:100',
 $enable_security_group = $::os_service_default,
- $firewall_driver = $::os_service_default,
 $package_ensure = 'present',
 $physical_network_mtus = $::os_service_default,
 $path_mtu = 0,
 $purge_config = false,
 $max_header_size = $::os_service_default,
 $overlay_ip_version = $::os_service_default,
+ # DEPRECATED PARAMETERS
+ $firewall_driver = undef,
 ) {
 include neutron::deps
 include neutron::params
- if ! $mechanism_drivers {
- warning('Without networking mechanism driver, ml2 will not communicate with L2 agents')
+ if $firewall_driver != undef {
+ warning('Using "firewall_driver" option in the ml2 plugin is deprecated \
+and have no any effect. This option should be set in the L2 agent. \
+It will be removed in the future releases.')
 }
- if !is_service_default($enable_security_group) and $enable_security_group and is_service_default($firewall_driver) {
- warning('Security groups will not work without properly set firewall_driver')
+ if ! $mechanism_drivers {
+ warning('Without networking mechanism driver, ml2 will not communicate with L2 agents')
 }
 # lint:ignore:only_variable_string
@@ -218,7 +223,6 @@ class neutron::plugins::ml2 (
 'ml2/extension_drivers': value => join(any2array($extension_drivers), ',');
 'ml2/overlay_ip_version': value => $overlay_ip_version;
 'securitygroup/enable_security_group': value => $enable_security_group;
- 'securitygroup/firewall_driver': value => $firewall_driver;
 }
 if is_service_default($physical_network_mtus) {
diff --git a/releasenotes/notes/deprecate-ml2-firewall_driver-a8598f1c2dd060f1.yaml b/releasenotes/notes/deprecate-ml2-firewall_driver-a8598f1c2dd060f1.yaml
new file mode 100644
index 000000000..a7931c1aa
--- /dev/null
+++ b/releasenotes/notes/deprecate-ml2-firewall_driver-a8598f1c2dd060f1.yaml
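Review bot: The new deprecation warning does not name where `firewall_driver` must now be set, and its `\` line continuations sit inside a single-quoted string, where Puppet, as far as I know, keeps the backslash and the newline literally in the logged message. Because this setting selects how security groups are enforced on the agents, I would make the message actionable and put it on one line: `warning('The firewall_driver parameter of neutron::plugins::ml2 is deprecated and has no effect; set it in the L2 agent class (for example neutron::agents::ml2::ovs) instead.')`. The later hunk in this file stops managing `securitygroup/firewall_driver`, so with `purge_config` at its default of `false` a previously written value presumably stays in the ml2 config file; declaring `'securitygroup/firewall_driver': ensure => absent;` in that `neutron_plugin_ml2` block would remove the stale entry. The spec changes in this commit only delete expectations, so nothing pins the deprecated path; a context that passes `:firewall_driver` and asserts the resource is not written would cover it. The class body continues outside this hunk.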
@@ -0,0 +1,11 @@
+---
+deprecations:
+ - |
+ Usage of config option ``firewall_driver`` in the ``neutron::plugins::ml2``
+ class is now deprecated and has no effect on the deployment.
+ Config option ``firewall_driver`` should be set in the classes for agents'
+ configuration like ``neutron::agents::ml2::ovs`` instead.
+ Usage of this option in the Neutron server was there just for backward
+ compatibility with old agents which can't report what driver they are using.
+ Since Newton all Neutron drivers are reporting that in heartbeat messages and
+ there is no need to keep configure this in the neutron server's side.
diff --git a/spec/classes/neutron_plugins_ml2_spec.rb b/spec/classes/neutron_plugins_ml2_spec.rb
index 1b3ab673b..b37d2891f 100644
--- a/spec/classes/neutron_plugins_ml2_spec.rb
+++ b/spec/classes/neutron_plugins_ml2_spec.rb
@@ -73,7 +73,6 @@ describe 'neutron::plugins::ml2' do
 should contain_neutron_plugin_ml2('ml2/path_mtu').with_value(p[:path_mtu])
 should contain_neutron_plugin_ml2('ml2/physical_network_mtus').with_ensure('absent')
 should contain_neutron_plugin_ml2('ml2/overlay_ip_version').with_value('')
- should contain_neutron_plugin_ml2('securitygroup/firewall_driver').with_value('')
 should contain_neutron_plugin_ml2('securitygroup/enable_security_group').with_value('')
 end
@@ -100,12 +99,10 @@ describe 'neutron::plugins::ml2' do
 before :each do
 params.merge!(
 :enable_security_group => true,
- :firewall_driver => 'iptables_hybrid',
 )
 end
 it 'configures enable_security_group and firewall_driver options' do
 should contain_neutron_plugin_ml2('securitygroup/enable_security_group').with_value('true')
- should contain_neutron_plugin_ml2('securitygroup/firewall_driver').with_value('iptables_hybrid')
 end
 end