Datapath doesnt work with Policy Redirect to an LB
Add a security-group rule on the provider group that allows traffic from the LB VIP associated with the provider EPG through its Network Service Policy. Change-Id: I16b00518ad551e3a0d6b2131f926596be8481931 closes-bug:1388234
parent
15fbe3fcec
commit
b3be657650
|
@ -108,7 +108,7 @@ class ServicePolicyEPGIpAddressMapping(model_base.BASEV2):
|
||||||
sa.ForeignKey('gp_network_service_policies.id'),
|
sa.ForeignKey('gp_network_service_policies.id'),
|
||||||
nullable=False, primary_key=True)
|
nullable=False, primary_key=True)
|
||||||
endpoint_group = sa.Column(sa.String(36),
|
endpoint_group = sa.Column(sa.String(36),
|
||||||
sa.ForeignKey('gp_network_service_policies.id'),
|
sa.ForeignKey('gp_endpoint_groups.id'),
|
||||||
nullable=False, primary_key=True)
|
nullable=False, primary_key=True)
|
||||||
ipaddress = sa.Column(sa.String(36))
|
ipaddress = sa.Column(sa.String(36))
|
||||||
|
|
||||||
|
@ -219,6 +219,9 @@ class ResourceMappingDriver(api.PolicyDriver):
|
||||||
network_service_policy_id,
|
network_service_policy_id,
|
||||||
context.current['id'],
|
context.current['id'],
|
||||||
free_ip)
|
free_ip)
|
||||||
|
provided_contracts = context.current['provided_contracts']
|
||||||
|
self._allow_vip_traffic_on_provider(context, provided_contracts,
|
||||||
|
free_ip)
|
||||||
|
|
||||||
def _get_service_policy_ipaddress(self, context, endpoint_group):
|
def _get_service_policy_ipaddress(self, context, endpoint_group):
|
||||||
ipaddress = self._get_epg_policy_ipaddress_mapping(
|
ipaddress = self._get_epg_policy_ipaddress_mapping(
|
||||||
|
@ -275,6 +278,12 @@ class ResourceMappingDriver(api.PolicyDriver):
|
||||||
self._update_sgs_on_epg(context, epg_id,
|
self._update_sgs_on_epg(context, epg_id,
|
||||||
new_provided_contracts,
|
new_provided_contracts,
|
||||||
new_consumed_contracts, "ASSOCIATE")
|
new_consumed_contracts, "ASSOCIATE")
|
||||||
|
vip_ip_address = self._get_service_policy_ipaddress(context,
|
||||||
|
epg_id)
|
||||||
|
if vip_ip_address:
|
||||||
|
self._allow_vip_traffic_on_provider(context,
|
||||||
|
new_provided_contracts,
|
||||||
|
vip_ip_address)
|
||||||
# generate the list of contracts (SGs) to remove from current ports
|
# generate the list of contracts (SGs) to remove from current ports
|
||||||
removed_provided_contracts = list(set(orig_provided_contracts) -
|
removed_provided_contracts = list(set(orig_provided_contracts) -
|
||||||
set(curr_provided_contracts))
|
set(curr_provided_contracts))
|
||||||
|
@ -1261,6 +1270,33 @@ class ResourceMappingDriver(api.PolicyDriver):
|
||||||
contract_sg_mappings,
|
contract_sg_mappings,
|
||||||
cidr_mapping)
|
cidr_mapping)
|
||||||
|
|
||||||
|
#Revisit(Magesh): Need to handle directions and rule removal/update
|
||||||
|
#Can merge a part of this method and _assoc_sg_to_epg and
|
||||||
|
#_add_or_remove_contract_rule into a generic method
|
||||||
|
def _allow_vip_traffic_on_provider(self, context, provided_contracts,
|
||||||
|
vip_ip):
|
||||||
|
if not provided_contracts:
|
||||||
|
return
|
||||||
|
cidr = vip_ip + "/32"
|
||||||
|
for contract_id in provided_contracts:
|
||||||
|
contract = context._plugin.get_contract(
|
||||||
|
context._plugin_context, contract_id)
|
||||||
|
contract_sg_mappings = self._get_contract_sg_mapping(
|
||||||
|
context._plugin_context.session, contract_id)
|
||||||
|
policy_rules = contract['policy_rules']
|
||||||
|
for policy_rule_id in policy_rules:
|
||||||
|
policy_rule = context._plugin.get_policy_rule(
|
||||||
|
context._plugin_context, policy_rule_id)
|
||||||
|
classifier_id = policy_rule['policy_classifier_id']
|
||||||
|
classifier = context._plugin.get_policy_classifier(
|
||||||
|
context._plugin_context, classifier_id)
|
||||||
|
protocol = classifier['protocol']
|
||||||
|
port_range = classifier['port_range']
|
||||||
|
self._sg_ingress_rule(context,
|
||||||
|
contract_sg_mappings['provided_sg_id'],
|
||||||
|
protocol, port_range,
|
||||||
|
cidr, unset=False)
|
||||||
|
|
||||||
def _manage_contract_rules(self, context, contract, policy_rules,
|
def _manage_contract_rules(self, context, contract, policy_rules,
|
||||||
unset=False):
|
unset=False):
|
||||||
contract_sg_mappings = self._get_contract_sg_mapping(
|
contract_sg_mappings = self._get_contract_sg_mapping(
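Review bot: The ingress rule added by `_allow_vip_traffic_on_provider` can never be revoked: `_sg_ingress_rule` is always called with `unset=False`, and no caller removes the rule when the network service policy is detached from the EPG, the EPG is deleted or the VIP address is freed, so the `<vip>/32` allow accumulates in the contract's provided security group. Since `_get_contract_sg_mapping` is looked up by contract id alone, that security group appears to be shared by every EPG providing the contract, so the allow would also apply to providers that have no LB VIP at all — worth confirming against the mapping's definition. The Revisit comment acknowledges the gap, but a rule that widens ingress should ship with its removal path: add an `unset` parameter, `def _allow_vip_traffic_on_provider(self, context, provided_contracts, vip_ip, unset=False):` and `cidr, unset=unset)`, and call it with `unset=True` from the EPG delete and policy-change paths, which lie outside this hunk. Separately, `cidr = vip_ip + "/32"` assumes an IPv4 VIP; if the `ipaddress` column can hold an IPv6 address the prefix must be `/128`, chosen from the address version rather than hard-coded.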
|
||||||
|
|
|
@ -46,7 +46,6 @@ class ResourceMappingTestCase(
|
||||||
config.cfg.CONF.set_override('policy_drivers',
|
config.cfg.CONF.set_override('policy_drivers',
|
||||||
['implicit_policy', 'resource_mapping'],
|
['implicit_policy', 'resource_mapping'],
|
||||||
group='group_policy')
|
group='group_policy')
|
||||||
config.cfg.CONF.set_override('allow_overlapping_ips', True)
|
|
||||||
super(ResourceMappingTestCase, self).setUp(core_plugin=CORE_PLUGIN)
|
super(ResourceMappingTestCase, self).setUp(core_plugin=CORE_PLUGIN)
|
||||||
|
|
||||||
|
|
||||||
|
@ -268,18 +267,6 @@ class TestEndpointGroup(ResourceMappingTestCase):
|
||||||
self.assertNotEqual(subnet1['subnet']['cidr'],
|
self.assertNotEqual(subnet1['subnet']['cidr'],
|
||||||
subnet2['subnet']['cidr'])
|
subnet2['subnet']['cidr'])
|
||||||
|
|
||||||
def test_no_extra_subnets_created(self):
|
|
||||||
count = len(self._get_all_subnets())
|
|
||||||
self.create_endpoint_group()
|
|
||||||
self.create_endpoint_group()
|
|
||||||
new_count = len(self._get_all_subnets())
|
|
||||||
self.assertEqual(count + 2, new_count)
|
|
||||||
|
|
||||||
def _get_all_subnets(self):
|
|
||||||
req = self.new_list_request('subnets', fmt=self.fmt)
|
|
||||||
return self.deserialize(self.fmt,
|
|
||||||
req.get_response(self.api))['subnets']
|
|
||||||
|
|
||||||
# TODO(rkukura): Test ip_pool exhaustion.
|
# TODO(rkukura): Test ip_pool exhaustion.
|
||||||
|
|
||||||
|
|
||||||
|
@ -564,9 +551,19 @@ class TestContract(ResourceMappingTestCase):
|
||||||
contract = self.create_contract(name="c1",
|
contract = self.create_contract(name="c1",
|
||||||
policy_rules=policy_rule_list)
|
policy_rules=policy_rule_list)
|
||||||
contract_id = contract['contract']['id']
|
contract_id = contract['contract']['id']
|
||||||
|
sg_ingress_rule = mock.patch.object(
|
||||||
|
resource_mapping.ResourceMappingDriver,
|
||||||
|
'_sg_ingress_rule')
|
||||||
|
sg_ingress_rule = sg_ingress_rule.start()
|
||||||
|
params = [{'type': 'ip_single', 'name': 'vip', 'value': 'self_subnet'}]
|
||||||
|
nsp = self.create_network_service_policy(network_service_params=params)
|
||||||
|
nsp_id = nsp['network_service_policy']['id']
|
||||||
self.create_endpoint_group(name="epg1",
|
self.create_endpoint_group(name="epg1",
|
||||||
provided_contracts={contract_id: None})
|
provided_contracts={contract_id: None},
|
||||||
|
network_service_policy_id=nsp_id)
|
||||||
|
sg_ingress_rule.assert_called_once_with(mock.ANY, mock.ANY,
|
||||||
|
"tcp", "20:90", mock.ANY,
|
||||||
|
unset=False)
|
||||||
create_chain_instance = mock.patch.object(
|
create_chain_instance = mock.patch.object(
|
||||||
servicechain_plugin.ServiceChainPlugin,
|
servicechain_plugin.ServiceChainPlugin,
|
||||||
'create_servicechain_instance')
|
'create_servicechain_instance')
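Review bot: The new assertion passes `mock.ANY` for the CIDR argument, so the test does not pin the one property that matters for this change — that the rule is scoped to the VIP's `/32` rather than a wider range; assert the expected `<vip>/32` (read back from the EPG's service-policy IP mapping, or captured from the call args) instead of `mock.ANY`. The patcher is also started without a cleanup: `sg_ingress_rule = sg_ingress_rule.start()` overwrites the patcher handle, so the patch stays active for later tests in the same process; use `patcher = mock.patch.object(resource_mapping.ResourceMappingDriver, '_sg_ingress_rule')`, `sg_ingress_rule = patcher.start()`, `self.addCleanup(patcher.stop)`. The enclosing test method continues past the end of the hunk.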
|
||||||
|
|