Add config flag to disable security groups, tidy relation usage from neutron-api

2014-10-10 10:55:20 +01:00 · 2014-10-10 10:55:20 +01:00 · 962e5e9f50
commit 962e5e9f50
parent fe4e70f7a4
5 changed files with 70 additions and 5 deletions
--- a/4
+++ b/4
@ -6,7 +6,7 @@ lint:
 	@flake8 --exclude hooks/charmhelpers unit_tests
 	@charm proof

-test:
+unit_test:
 	@echo Starting tests...
 	@$(PYTHON) /usr/bin/nosetests --nologcapture unit_tests

@ -18,6 +18,6 @@ bin/charm_helpers_sync.py:
 sync: bin/charm_helpers_sync.py
 	@$(PYTHON) bin/charm_helpers_sync.py -c charm-helpers-sync.yaml

-publish: lint test
+publish: lint unit_test
 	bzr push lp:charms/neutron-openvswitch
 	bzr push lp:charms/trusty/neutron-openvswitch
--- a/config.yaml
+++ b/config.yaml
@ -27,6 +27,15 @@ options:
    description: |
      The data port will be added to br-data and will allow usage of flat or VLAN
      network types
+  disable-security-groups:
+    type: boolean
+    default: false
+    description: |
+      Disable neutron based security groups - setting this configuration option
+      will override any settings configured via the neutron-api charm.
+      .
+      BE CAREFUL - this option allows you to disable all port level security within
+      an OpenStack cloud.
  # Network configuration options
  # by default all access is over 'private-address'
  os-data-network:
--- a/hooks/neutron_ovs_context.py
+++ b/hooks/neutron_ovs_context.py
@ -37,6 +37,9 @@ def _neutron_api_settings():
                'neutron_security_groups': rdata['neutron-security-groups'],
                'overlay_network_type': rdata['overlay-network-type'],
            }
+            # Override with configuration if set to true
+            if config('disable-security-groups'):
+                neutron_settings['neutron_security_groups'] = False
            return neutron_settings
    return neutron_settings

--- a/templates/icehouse/ml2_conf.ini
+++ b/templates/icehouse/ml2_conf.ini
@ -31,7 +31,7 @@ tunnel_types = {{ overlay_network_type }}
 l2_population = {{ l2_population }}

 [securitygroup]
-{% if neutron_security_groups == 'True' -%}
+{% if neutron_security_groups -%}
 enable_security_group = True
 firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
 {% else -%}
--- a/unit_tests/test_neutron_ovs_context.py
+++ b/unit_tests/test_neutron_ovs_context.py
@ -88,7 +88,7 @@ class OVSPluginContextTest(CharmTestCase):
        _is_clus.return_value = False
        self.related_units.return_value = ['unit1']
        self.relation_ids.return_value = ['rid2']
-        self.test_relation.set({'neutron-security-groups': 'yes',
+        self.test_relation.set({'neutron-security-groups': True,
                                'l2-population': True,
                                'overlay-network-type': 'gre',
                                })
@ -97,7 +97,60 @@ class OVSPluginContextTest(CharmTestCase):
        napi_ctxt = context.OVSPluginContext()
        expect = {
            'neutron_alchemy_flags': {},
-            'neutron_security_groups': 'yes',
+            'neutron_security_groups': True,
+            'verbose': True,
+            'local_ip': '127.0.0.15',
+            'config': 'neutron.randomconfig',
+            'use_syslog': True,
+            'network_manager': 'neutron',
+            'debug': True,
+            'core_plugin': 'neutron.randomdriver',
+            'neutron_plugin': 'ovs',
+            'neutron_url': 'https://127.0.0.13:9696',
+            'l2_population': True,
+            'overlay_network_type': 'gre',
+        }
+        self.assertEquals(expect, napi_ctxt())
+        self.service_start.assertCalled()
+
+    @patch.object(charmhelpers.contrib.openstack.context, 'config')
+    @patch.object(charmhelpers.contrib.openstack.context, 'unit_get')
+    @patch.object(charmhelpers.contrib.openstack.context, 'is_clustered')
+    @patch.object(charmhelpers.contrib.openstack.context, 'https')
+    @patch.object(context.OVSPluginContext, '_save_flag_file')
+    @patch.object(context.OVSPluginContext, '_ensure_packages')
+    @patch.object(charmhelpers.contrib.openstack.context,
+                  'neutron_plugin_attribute')
+    @patch.object(charmhelpers.contrib.openstack.context, 'unit_private_ip')
+    def test_neutroncc_context_api_rel_disable_security(self,
+                                                        _unit_priv_ip, _npa,
+                                                        _ens_pkgs, _save_ff,
+                                                        _https, _is_clus,
+                                                        _unit_get,
+                                                        _config):
+        def mock_npa(plugin, section, manager):
+            if section == "driver":
+                return "neutron.randomdriver"
+            if section == "config":
+                return "neutron.randomconfig"
+        _npa.side_effect = mock_npa
+        _config.return_value = 'ovs'
+        _unit_get.return_value = '127.0.0.13'
+        _unit_priv_ip.return_value = '127.0.0.14'
+        _is_clus.return_value = False
+        self.test_config.set('disable-security-groups', True)
+        self.related_units.return_value = ['unit1']
+        self.relation_ids.return_value = ['rid2']
+        self.test_relation.set({'neutron-security-groups': True,
+                                'l2-population': True,
+                                'overlay-network-type': 'gre',
+                                })
+        self.get_host_ip.return_value = '127.0.0.15'
+        self.service_running.return_value = False
+        napi_ctxt = context.OVSPluginContext()
+        expect = {
+            'neutron_alchemy_flags': {},
+            'neutron_security_groups': False,
            'verbose': True,
            'local_ip': '127.0.0.15',
            'config': 'neutron.randomconfig',