Datapath doesnt work with Policy Redirect to an LB
Add a security group rule on the provider group to allow traffic from an LB VIP associated with the provider EPG via a Network Service Policy.

Change-Id: I16b00518ad551e3a0d6b2131f926596be8481931
closes-bug:1388234
parent
15fbe3fcec
commit
b3be657650
|
@ -108,7 +108,7 @@ class ServicePolicyEPGIpAddressMapping(model_base.BASEV2):
|
|||
sa.ForeignKey('gp_network_service_policies.id'),
|
||||
nullable=False, primary_key=True)
|
||||
endpoint_group = sa.Column(sa.String(36),
|
||||
sa.ForeignKey('gp_network_service_policies.id'),
|
||||
sa.ForeignKey('gp_endpoint_groups.id'),
|
||||
nullable=False, primary_key=True)
|
||||
ipaddress = sa.Column(sa.String(36))
|
||||
|
||||
|
@ -219,6 +219,9 @@ class ResourceMappingDriver(api.PolicyDriver):
|
|||
network_service_policy_id,
|
||||
context.current['id'],
|
||||
free_ip)
|
||||
provided_contracts = context.current['provided_contracts']
|
||||
self._allow_vip_traffic_on_provider(context, provided_contracts,
|
||||
free_ip)
|
||||
|
||||
def _get_service_policy_ipaddress(self, context, endpoint_group):
|
||||
ipaddress = self._get_epg_policy_ipaddress_mapping(
|
||||
|
@ -275,6 +278,12 @@ class ResourceMappingDriver(api.PolicyDriver):
|
|||
self._update_sgs_on_epg(context, epg_id,
|
||||
new_provided_contracts,
|
||||
new_consumed_contracts, "ASSOCIATE")
|
||||
vip_ip_address = self._get_service_policy_ipaddress(context,
|
||||
epg_id)
|
||||
if vip_ip_address:
|
||||
self._allow_vip_traffic_on_provider(context,
|
||||
new_provided_contracts,
|
||||
vip_ip_address)
|
||||
# generate the list of contracts (SGs) to remove from current ports
|
||||
removed_provided_contracts = list(set(orig_provided_contracts) -
|
||||
set(curr_provided_contracts))
|
||||
|
@ -1261,6 +1270,33 @@ class ResourceMappingDriver(api.PolicyDriver):
|
|||
contract_sg_mappings,
|
||||
cidr_mapping)
|
||||
|
||||
#Revisit(Magesh): Need to handle directions and rule removal/update
|
||||
#Can merge a part of this method and _assoc_sg_to_epg and
|
||||
#_add_or_remove_contract_rule into a generic method
|
||||
def _allow_vip_traffic_on_provider(self, context, provided_contracts,
|
||||
vip_ip):
|
||||
if not provided_contracts:
|
||||
return
|
||||
cidr = vip_ip + "/32"
|
||||
for contract_id in provided_contracts:
|
||||
contract = context._plugin.get_contract(
|
||||
context._plugin_context, contract_id)
|
||||
contract_sg_mappings = self._get_contract_sg_mapping(
|
||||
context._plugin_context.session, contract_id)
|
||||
policy_rules = contract['policy_rules']
|
||||
for policy_rule_id in policy_rules:
|
||||
policy_rule = context._plugin.get_policy_rule(
|
||||
context._plugin_context, policy_rule_id)
|
||||
classifier_id = policy_rule['policy_classifier_id']
|
||||
classifier = context._plugin.get_policy_classifier(
|
||||
context._plugin_context, classifier_id)
|
||||
protocol = classifier['protocol']
|
||||
port_range = classifier['port_range']
|
||||
self._sg_ingress_rule(context,
|
||||
contract_sg_mappings['provided_sg_id'],
|
||||
protocol, port_range,
|
||||
cidr, unset=False)
|
||||
|
||||
def _manage_contract_rules(self, context, contract, policy_rules,
|
||||
unset=False):
|
||||
contract_sg_mappings = self._get_contract_sg_mapping(
|
||||
|
|
|
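Review bot: `_allow_vip_traffic_on_provider` (fourth hunk, L126–L192) opens an ingress rule from the VIP for every policy rule of every provided contract, but nothing in this change ever removes it: the EPG update path (third hunk) only calls it again with `new_provided_contracts`, and the EPG delete and NSP-removal paths are not touched, so the VIP allow stays on the provided SG after the address mapping is gone, and a later tenant that receives the same address inherits the opening. The "Revisit" comment acknowledges directions and rule removal, but it is worth stating in the docstring that `direction` of each policy rule is ignored here, since a provider-to-consumer rule and a consumer-to-provider rule currently get the same ingress treatment. `cidr = vip_ip + "/32"` also assumes an IPv4 VIP; an IPv6 address from the same pool would yield a wrong prefix, so derive the host prefix from the address family (e.g. via the netaddr helpers if this module already imports netaddr — the imports are outside this chunk). Separately, the ForeignKey change in the first hunk alters the schema of the ipaddress mapping table and no migration is visible in this chunk, so confirm one accompanies it.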
@ -46,7 +46,6 @@ class ResourceMappingTestCase(
|
|||
config.cfg.CONF.set_override('policy_drivers',
|
||||
['implicit_policy', 'resource_mapping'],
|
||||
group='group_policy')
|
||||
config.cfg.CONF.set_override('allow_overlapping_ips', True)
|
||||
super(ResourceMappingTestCase, self).setUp(core_plugin=CORE_PLUGIN)
|
||||
|
||||
|
||||
|
@ -268,18 +267,6 @@ class TestEndpointGroup(ResourceMappingTestCase):
|
|||
self.assertNotEqual(subnet1['subnet']['cidr'],
|
||||
subnet2['subnet']['cidr'])
|
||||
|
||||
def test_no_extra_subnets_created(self):
|
||||
count = len(self._get_all_subnets())
|
||||
self.create_endpoint_group()
|
||||
self.create_endpoint_group()
|
||||
new_count = len(self._get_all_subnets())
|
||||
self.assertEqual(count + 2, new_count)
|
||||
|
||||
def _get_all_subnets(self):
|
||||
req = self.new_list_request('subnets', fmt=self.fmt)
|
||||
return self.deserialize(self.fmt,
|
||||
req.get_response(self.api))['subnets']
|
||||
|
||||
# TODO(rkukura): Test ip_pool exhaustion.
|
||||
|
||||
|
||||
|
@ -564,9 +551,19 @@ class TestContract(ResourceMappingTestCase):
|
|||
contract = self.create_contract(name="c1",
|
||||
policy_rules=policy_rule_list)
|
||||
contract_id = contract['contract']['id']
|
||||
sg_ingress_rule = mock.patch.object(
|
||||
resource_mapping.ResourceMappingDriver,
|
||||
'_sg_ingress_rule')
|
||||
sg_ingress_rule = sg_ingress_rule.start()
|
||||
params = [{'type': 'ip_single', 'name': 'vip', 'value': 'self_subnet'}]
|
||||
nsp = self.create_network_service_policy(network_service_params=params)
|
||||
nsp_id = nsp['network_service_policy']['id']
|
||||
self.create_endpoint_group(name="epg1",
|
||||
provided_contracts={contract_id: None})
|
||||
|
||||
provided_contracts={contract_id: None},
|
||||
network_service_policy_id=nsp_id)
|
||||
sg_ingress_rule.assert_called_once_with(mock.ANY, mock.ANY,
|
||||
"tcp", "20:90", mock.ANY,
|
||||
unset=False)
|
||||
create_chain_instance = mock.patch.object(
|
||||
servicechain_plugin.ServiceChainPlugin,
|
||||
'create_servicechain_instance')
|
||||
|
|
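Review bot: The `mock.patch.object(resource_mapping.ResourceMappingDriver, '_sg_ingress_rule')` started in the last hunk is never stopped, so the patch leaks into every test that runs after it in the same process; keep the patcher in its own name and register its stop before starting, `patcher = mock.patch.object(resource_mapping.ResourceMappingDriver, '_sg_ingress_rule')`, `self.addCleanup(patcher.stop)`, `sg_ingress_rule = patcher.start()`. The assertion passes `mock.ANY` for both the security-group id and the cidr, which are the two values this commit exists to get right; asserting that the cidr argument ends with `"/32"` (or equals the mapped VIP address with that suffix) would catch a wrong prefix or a rule placed on the wrong EPG's SG. The enclosing test method starts before this hunk, so I cannot see whether a cleanup is registered elsewhere.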