disable port_security for VRRP ports

For tenant networks port_security makes sense, but for the VRRP router
case it can get in the way. This change disables it for Akanda managed
ports for now.

Change-Id: I0fb9fd5253ad0538a35b25d8806323f83cfc48e4
Closes-bug: #1482389

akanda/rug/api/neutron.py

@@ -49,6 +49,7 @@ neutron_opts = [
     cfg.IntOpt('akanda_mgt_service_port', default=5000),
     cfg.StrOpt('default_instance_flavor', default=1),
     cfg.StrOpt('interface_driver'),
+    cfg.BoolOpt('neutron_port_security_extension_enabled', default=True),
 
 ]
 CONF.register_opts(neutron_opts)
@@ -662,6 +663,9 @@ class Neutron(object):
 
         if label in ['VRRP', 'LB']:
             port_dict['fixed_ips'] = []
+            # disable port_securty on VRRP
+            if self.conf.neutron_port_security_extension_enabled:
+                port_dict['port_security_enabled'] = False
 
         response = self.api_client.create_port(dict(port=port_dict))
         port_data = response.get('port')

akanda/rug/test/unit/api/test_neutron_wrapper.py

@@ -245,7 +245,6 @@ class FakeConf:
 
 
 class TestNeutronWrapper(base.RugTestBase):
-
     @mock.patch('akanda.rug.api.neutron.cfg')
     @mock.patch('akanda.rug.api.neutron.AkandaExtClientWrapper')
     @mock.patch('akanda.rug.api.neutron.importutils')
@@ -275,6 +274,60 @@ class TestNeutronWrapper(base.RugTestBase):
         neutron_wrapper = neutron.Neutron(conf)
         neutron_wrapper.update_router_status('router-id', 'new-status')
 
+    @mock.patch('akanda.rug.api.neutron.AkandaExtClientWrapper')
+    def _test_create_vrrp_port_success_hlpr(self, ext_enabled, client_wrapper):
+        conf = mock.Mock()
+        conf.neutron_port_security_extension_enabled = ext_enabled
+
+        expected_port_data = {
+            'port': {
+                'name': 'AKANDA:VRRP:obj_id',
+                'admin_state_up': True,
+                'network_id': 'the_net_id',
+                'fixed_ips': [],
+                'security_groups': []
+            }
+        }
+
+        if ext_enabled:
+            expected_port_data['port']['port_security_enabled'] = False
+
+        neutron_wrapper = neutron.Neutron(conf)
+        api_client = neutron_wrapper.api_client
+        with mock.patch.object(api_client, 'create_port') as create_port:
+            with mock.patch.object(neutron.Port, 'from_dict') as port_from_d:
+                retval = neutron_wrapper.create_vrrp_port(
+                    'obj_id',
+                    'the_net_id'
+                )
+
+                self.assertIs(retval, port_from_d.return_value)
+                port_from_d.assert_called_once_with(
+                    create_port.return_value.get()
+                )
+                create_port.assert_called_once_with(
+                    expected_port_data
+                )
+
+    def test_create_vrrp_port_success(self):
+        self._test_create_vrrp_port_success_hlpr(True)
+
+    def test_create_vrrp_port_success_port_security_disabled(self):
+        self._test_create_vrrp_port_success_hlpr(False)
+
+    @mock.patch('akanda.rug.api.neutron.AkandaExtClientWrapper')
+    def test_create_vrrp_port_error(self, client_wrapper):
+        neutron_wrapper = neutron.Neutron(mock.Mock())
+        api_client = neutron_wrapper.api_client
+        with mock.patch.object(api_client, 'create_port') as create_port:
+            create_port.return_value.get.return_value = None
+            self.assertRaises(
+                ValueError,
+                neutron_wrapper.create_vrrp_port,
+                'obj_id',
+                'the_net_id'
+            )
+
 
 class TestExternalPort(base.RugTestBase):
 

etc/rug.ini

@@ -31,6 +31,7 @@ rabbit_host = 192.168.57.200
 
 provider_rules_path=/opt/stack/akanda-rug/etc/provider_rules.json
 control_exchange = quantum
+neutron_port_security_extension_enabled = True
 
 [AGENT]
 root_helper=sudo