Enable OVN L4 provider from Victoria onward

The driver is unreliable at Ussuri.

Also ensure we restart the ovn-driver-agent when configuration is
written to disk.

Ensure Port Security is enabled as this is a requirement for
reliable operation of the Amphora driver also exercised by the
functional tests.

Enable focal/groovy-victoria gates and re-enable Ussuri OVS gate.

Closes-Bug: #1927960
Closes-Bug: #1927962
Related-Bug: #1927959
Change-Id: I1bafd9eecb83aefb425bc5286f23d47c0885ac8e

osci.yaml

@@ -7,8 +7,15 @@
       - bionic-stein-ha
       - bionic-train-ha-ovn
       - bionic-train-ha
+      # Awaiting SRU in LP: #1924981 to complete
+      #- bionic-ussuri-ha-ovn
+      - bionic-ussuri-ha
       - focal-ussuri-ha-ovn
       - focal-ussuri-ha
+      - focal-victoria-ha-ovn
+      - focal-victoria-ha
+      - groovy-victoria-ha-ovn
+      - groovy-victoria-ha
     vars:
       needs_charm_build: true
       charm_build_name: octavia
@@ -19,6 +26,14 @@
     dependencies: &smoke-jobs
       - focal-ussuri-ha
       - focal-ussuri-ha-ovn
+    vars:
+      needs_charm_build: true
+      charm_build_name: octavia
+
+- job:
+    name: bionic-rocky-ha
+    parent: func-target
+    dependencies: *smoke-jobs
     vars:
       tox_extra_args: bionic-rocky-ha
 - job:
@@ -39,6 +54,18 @@
     dependencies: *smoke-jobs
     vars:
       tox_extra_args: bionic-train-ha
+- job:
+    name: bionic-ussuri-ha-ovn
+    parent: func-target
+    dependencies: *smoke-jobs
+    vars:
+      tox_extra_args: bionic-ussuri-ha-ovn
+- job:
+    name: bionic-ussuri-ha
+    parent: func-target
+    dependencies: *smoke-jobs
+    vars:
+      tox_extra_args: bionic-ussuri-ha
 - job:
     name: focal-ussuri-ha-ovn
     parent: func-target
@@ -56,4 +83,28 @@
     parent: func-target
     dependencies: *lint-jobs
     vars:
-      tox_extra_args: focal-ussuri-ha
+      tox_extra_args: focal-ussuri-ha
+- job:
+    name: focal-victoria-ha-ovn
+    parent: func-target
+    dependencies: *smoke-jobs
+    vars:
+      tox_extra_args: focal-victoria-ha-ovn
+- job:
+    name: focal-victoria-ha
+    parent: func-target
+    dependencies: *smoke-jobs
+    vars:
+      tox_extra_args: focal-victoria-ha
+- job:
+    name: groovy-victoria-ha-ovn
+    parent: func-target
+    dependencies: *smoke-jobs
+    vars:
+      tox_extra_args: groovy-victoria-ha-ovn
+- job:
+    name: groovy-victoria-ha
+    parent: func-target
+    dependencies: *smoke-jobs
+    vars:
+      tox_extra_args: groovy-victoria-ha

src/lib/charm/openstack/octavia.py

@@ -324,15 +324,8 @@ class BaseOctaviaCharm(ch_plugins.PolicydOverridePlugin,
         },
     }
     default_service = 'octavia-api'
-    services = ['apache2', 'octavia-health-manager', 'octavia-housekeeping',
-                'octavia-worker']
     required_relations = ['shared-db', 'amqp', 'identity-service',
                           'sdn-subordinate']
-    restart_map = {
-        OCTAVIA_MGMT_INTF_CONF: services + ['systemd-networkd'],
-        OCTAVIA_CONF: services,
-        OCTAVIA_WSGI_CONF: ['apache2'],
-    }
     sync_cmd = ['sudo', 'octavia-db-manage', 'upgrade', 'head']
     ha_resources = ['vips', 'haproxy', 'dnsha']
     release_pkg = 'octavia-common'
@@ -351,6 +344,21 @@ class BaseOctaviaCharm(ch_plugins.PolicydOverridePlugin,
     policyd_service_name = 'octavia'
     policyd_restart_on_change = True
 
+    @property
+    def services(self):
+        """Allow descendents to modify the service list."""
+        return ['apache2', 'octavia-health-manager', 'octavia-housekeeping',
+                'octavia-worker']
+
+    @property
+    def restart_map(self):
+        """Allow descendents to modify the restart map."""
+        return {
+            OCTAVIA_MGMT_INTF_CONF: self.services + ['systemd-networkd'],
+            OCTAVIA_CONF: self.services,
+            OCTAVIA_WSGI_CONF: ['apache2'],
+        }
+
     def install(self):
         """Custom install function.
 
@@ -477,9 +485,9 @@ class RockyOctaviaCharm(BaseOctaviaCharm):
     release = 'rocky'
 
 
-class UssuriOctaviaCharm(BaseOctaviaCharm):
+class VictoriaOctaviaCharm(BaseOctaviaCharm):
     """Charm class for the Octavia charm on Ussuri and newer releases."""
-    release = 'ussuri'
+    release = 'victoria'
 
     @property
     def all_packages(self):
@@ -495,8 +503,8 @@ class UssuriOctaviaCharm(BaseOctaviaCharm):
         return all_packages
 
     @property
-    def full_service_list(self):
-        services = super().full_service_list
+    def services(self):
+        _services = super().services
         if reactive.is_flag_set('charm.octavia.enable-ovn-driver'):
-            services.extend(['octavia-driver-agent'])
-        return services
+            _services.extend(['octavia-driver-agent'])
+        return _services

src/templates/ussuri/octavia.conf

@@ -1,154 +0,0 @@
-[DEFAULT]
-debug = {{ options.debug }}
-
-{% include "parts/section-transport-url" %}
-
-{% if ovsdb_subordinate and ovsdb_subordinate.ovn_configured and ovsdb_cms -%}
-[api_settings]
-enabled_provider_drivers = amphora:The Octavia Amphora driver,ovn:Octavia OVN driver
-
-[ovn]
-ovn_nb_connection={{ ','.join(ovsdb_cms.db_nb_connection_strs) }}
-ovn_nb_private_key=/etc/apache2/ssl/{{ options.service_name }}/key_{{ ovsdb_subordinate.chassis_name }}
-ovn_nb_certificate=/etc/apache2/ssl/{{ options.service_name }}/cert_{{ ovsdb_subordinate.chassis_name }}
-ovn_nb_ca_cert=/etc/ssl/certs/ca-certificates.crt
-{% endif %}
-
-[health_manager]
-{% if options.health_manager_bind_ip -%}
-bind_ip = {{ options.health_manager_bind_ip }}
-{% endif -%}
-{% if options.controller_ip_port_list -%}
-controller_ip_port_list = {{ options.controller_ip_port_list }}
-{% endif -%}
-heartbeat_key = {{ options.heartbeat_key }}
-health_update_threads = {{ options.workers }}
-stats_update_threads = {{ options.workers }}
-
-[house_keeping]
-{% if options.spare_amphora_pool_size -%}
-spare_amphora_pool_size = {{ options.spare_amphora_pool_size }}
-{% endif %}
-
-[controller_worker]
-{% if options.amp_ssh_key_name %}
-amp_ssh_key_name = {{ options.amp_ssh_key_name }}
-{% endif -%}
-{% if options.amp_image_owner_id -%}
-amp_image_owner_id = {{ options.amp_image_owner_id }}
-{% endif -%}
-{% if options.amp_secgroup_list -%}
-amp_secgroup_list = {{ options.amp_secgroup_list }}
-{% endif -%}
-{% if options.amp_flavor_id -%}
-amp_flavor_id = {{ options.amp_flavor_id }}
-{% endif -%}
-{% if options.amp_boot_network_list -%}
-amp_boot_network_list = {{ options.amp_boot_network_list }}
-{% endif -%}
-{% if options.amp_image_tag -%}
-amp_image_tag = {{ options.amp_image_tag }}
-{% endif -%}
-amp_active_retries = 180
-# This certificate is installed on the ``Amphorae`` and used for validating
-# the authenticity of the ``Octavia`` controller.
-client_ca = {{ options.controller_cacert }}
-network_driver = allowed_address_pairs_driver
-compute_driver = compute_nova_driver
-amphora_driver = amphora_haproxy_rest_driver
-loadbalancer_topology = {{ options.loadbalancer_topology }}
-{%- if options.loadbalancer_topology == "SINGLE" or options.anti_affinity_policy == "disable" %}
-enable_anti_affinity = False
-{%- elif options.loadbalancer_topology == "ACTIVE_STANDBY" %}
-{%- if options.anti_affinity_policy == "auto" %}
-enable_anti_affinity = True
-anti_affinity_policy = "soft-anti-affinity"
-{%- elif options.anti_affinity_policy in ["anti-affinity", "soft-anti-affinity"] %}
-enable_anti_affinity = True
-anti_affinity_policy = {{ options.anti_affinity_policy }}
-{%- endif %}
-{%- endif %}
-
-[certificates]
-# NOTE(fnordahl) certificates for authentication between Octavia controllers
-# and its Amphorae instances are issued locally on the Octavia controller.
-#
-# At the time of this writing this is the only supported alternative upstream
-# after the retirement of the Anchor project [0].
-#
-# Note that these certificates are not used for any load balancer payload data
-#
-# 0: https://review.opendev.org/#/c/597022/
-cert_generator = local_cert_generator
-# This certificate is used to issue individual certificates for each
-# ``Amphora`` and to validate their authenticity when they connect to the
-# ``Octavia`` controller.
-ca_certificate = {{ options.issuing_cacert }}
-ca_private_key = {{ options.issuing_ca_private_key }}
-ca_private_key_passphrase = {{ options.issuing_ca_private_key_passphrase }}
-
-cert_manager = barbican_cert_manager
-{% if options.region -%}
-region_name = {{ options.region }}
-{% endif -%}
-{% if options.use_internal_endpoints -%}
-endpoint_type = internalURL
-{%- endif %}
-
-
-[haproxy_amphora]
-# This certificate is used by the ``Octavia`` controller to validate the
-# authenticity of the ``Amphorae`` connecting to it.
-server_ca = {{ options.issuing_cacert }}
-# This certificate is used by the ``Octavia`` controller when it takes on the
-# role as a "client" connecting to the ``Amphorae``.
-client_cert = {{ options.controller_cert }}
-
-{% include "parts/section-database" %}
-
-[service_auth]
-auth_section = keystone_authtoken
-
-{% include "parts/section-keystone-authtoken" %}
-{% if options.use_internal_endpoints -%}
-endpoint_type = internalURL
-{%- endif %}
-
-[oslo_messaging]
-topic = octavia
-
-[nova]
-{% if options.region -%}
-region_name = {{ options.region }}
-{% endif -%}
-{% if options.use_internal_endpoints -%}
-endpoint_type = internalURL
-{%- endif %}
-
-[cinder]
-{% if options.region -%}
-region_name = {{ options.region }}
-{% endif -%}
-{% if options.use_internal_endpoints -%}
-endpoint_type = internalURL
-{%- endif %}
-
-[glance]
-{% if options.region -%}
-region_name = {{ options.region }}
-{% endif -%}
-{% if options.use_internal_endpoints -%}
-endpoint_type = internalURL
-{%- endif %}
-
-[neutron]
-{% if options.region -%}
-region_name = {{ options.region }}
-{% endif -%}
-{% if options.use_internal_endpoints -%}
-endpoint_type = internalURL
-{%- endif %}
-
-{% include "parts/section-oslo-messaging-rabbit" %}
-
-{% include "parts/section-oslo-middleware" %}

src/tests/bundles/bionic-rocky-ha.yaml

@@ -96,6 +96,7 @@ applications:
       openstack-origin: cloud:bionic-rocky
       debug: True
       flat-network-providers: physnet1
+      enable-ml2-port-security: True
       neutron-security-groups: True
       enable-dvr: True
   neutron-openvswitch:

src/tests/bundles/bionic-rocky-lxd.yaml

@@ -109,6 +109,7 @@ applications:
       openstack-origin: cloud:bionic-rocky
       debug: True
       flat-network-providers: physnet1
+      enable-ml2-port-security: True
       neutron-security-groups: True
     to:
     - lxd:1

src/tests/bundles/bionic-stein-ha.yaml

@@ -96,6 +96,7 @@ applications:
       openstack-origin: cloud:bionic-stein
       debug: True
       flat-network-providers: physnet1
+      enable-ml2-port-security: True
       neutron-security-groups: True
       enable-dvr: True
   neutron-openvswitch:

src/tests/bundles/bionic-train-ha-ovn.yaml

@@ -106,6 +106,7 @@ applications:
       openstack-origin: cloud:bionic-train
       debug: True
       flat-network-providers: physnet1
+      enable-ml2-port-security: True
       neutron-security-groups: True
       manage-neutron-plugin-legacy-mode: False
   nova-cloud-controller:

src/tests/bundles/bionic-train-ha.yaml

@@ -101,6 +101,7 @@ applications:
       openstack-origin: cloud:bionic-train
       debug: True
       flat-network-providers: physnet1
+      enable-ml2-port-security: True
       neutron-security-groups: True
       enable-dvr: True
   neutron-openvswitch:

src/tests/bundles/bionic-ussuri-ha-ovn.yaml

@@ -103,12 +103,10 @@ applications:
     charm: cs:~openstack-charmers-next/neutron-api
     num_units: 1
     options:
-      # NOTE(fnordahl): At current state of upstream Neutron development this
-      # is a requirement.  Remove once fixed upstream.
-      enable-ml2-port-security: true
       openstack-origin: cloud:bionic-ussuri/proposed
       debug: True
       flat-network-providers: physnet1
+      enable-ml2-port-security: True
       neutron-security-groups: True
   nova-cloud-controller:
     constraints: mem=7168M

src/tests/bundles/bionic-ussuri-ha.yaml

@@ -101,6 +101,7 @@ applications:
       openstack-origin: cloud:bionic-ussuri/proposed
       debug: True
       flat-network-providers: physnet1
+      enable-ml2-port-security: True
       neutron-security-groups: True
       enable-dvr: True
       manage-neutron-plugin-legacy-mode: True

src/tests/bundles/focal-ussuri-ha-ovn.yaml

@@ -127,6 +127,7 @@ applications:
       openstack-origin: distro
       debug: True
       flat-network-providers: physnet1
+      enable-ml2-port-security: True
       neutron-security-groups: True
   nova-cloud-controller:
     constraints: mem=7168M

src/tests/bundles/focal-ussuri-ha.yaml

@@ -122,6 +122,7 @@ applications:
       openstack-origin: distro
       debug: True
       flat-network-providers: physnet1
+      enable-ml2-port-security: True
       neutron-security-groups: True
       enable-dvr: True
       manage-neutron-plugin-legacy-mode: True

src/tests/bundles/focal-victoria-ha-ovn.yaml

@@ -127,6 +127,7 @@ applications:
       openstack-origin: cloud:focal-victoria
       debug: True
       flat-network-providers: physnet1
+      enable-ml2-port-security: True
       neutron-security-groups: True
   nova-cloud-controller:
     constraints: mem=7168M
@@ -169,6 +170,8 @@ applications:
     options:
       amp-image-tag: 'octavia-amphora'
       retrofit-series: focal
+      # LP: #1928179
+      # retrofit-uca-pocket: victoria
   placement:
     charm: cs:~openstack-charmers-next/placement
     num_units: 1

src/tests/bundles/focal-victoria-ha.yaml

@@ -122,6 +122,7 @@ applications:
       openstack-origin: cloud:focal-victoria
       debug: True
       flat-network-providers: physnet1
+      enable-ml2-port-security: True
       neutron-security-groups: True
       enable-dvr: True
       manage-neutron-plugin-legacy-mode: True
@@ -186,6 +187,8 @@ applications:
     options:
       amp-image-tag: 'octavia-amphora'
       retrofit-series: focal
+      # LP: #1928179
+      # retrofit-uca-pocket: victoria
   placement:
     charm: cs:~openstack-charmers-next/placement
     num_units: 1

src/tests/bundles/groovy-victoria-ha-ovn.yaml

@@ -127,6 +127,7 @@ applications:
       openstack-origin: distro
       debug: True
       flat-network-providers: physnet1
+      enable-ml2-port-security: True
       neutron-security-groups: True
   nova-cloud-controller:
     constraints: mem=7168M
@@ -168,7 +169,9 @@ applications:
     charm: cs:~openstack-charmers-next/octavia-diskimage-retrofit
     options:
       amp-image-tag: 'octavia-amphora'
-      retrofit-series: groovy
+      # LP: #1928179
+      # retrofit-series: groovy
+      retrofit-series: focal
   placement:
     charm: cs:~openstack-charmers-next/placement
     num_units: 1

src/tests/bundles/groovy-victoria-ha.yaml

@@ -122,6 +122,7 @@ applications:
       openstack-origin: distro
       debug: True
       flat-network-providers: physnet1
+      enable-ml2-port-security: True
       neutron-security-groups: True
       enable-dvr: True
       manage-neutron-plugin-legacy-mode: True
@@ -185,7 +186,9 @@ applications:
     charm: cs:~openstack-charmers-next/octavia-diskimage-retrofit
     options:
       amp-image-tag: 'octavia-amphora'
-      retrofit-series: groovy
+      # LP: #1928179
+      # retrofit-series: groovy
+      retrofit-series: focal
   placement:
     charm: cs:~openstack-charmers-next/placement
     num_units: 1

src/tests/tests.yaml

@@ -3,21 +3,19 @@ gate_bundles:
 - bionic-stein-ha
 - bionic-train-ha-ovn
 - bionic-train-ha
-# focal-ussuri-ha-ovn disabled due to LP: #1893756
-# - focal-ussuri-ha-ovn
+# Awaiting SRU in LP: #1924981 to complete
+# - bionic-ussuri-ha-ovn
+- bionic-ussuri-ha
+- focal-ussuri-ha-ovn
 - focal-ussuri-ha
-smoke_bundles:
-# focal-ussuri-ha-ovn disabled due to LP: #1893756
-# - focal-ussuri-ha-ovn
-- focal-ussuri-ha
-dev_bundles:
-- groovy-victoria-ha-ovn
-- groovy-victoria-ha
 - focal-victoria-ha-ovn
 - focal-victoria-ha
-# LP: #1896729
-- bionic-ussuri-ha-ovn
-- bionic-ussuri-ha
+- groovy-victoria-ha-ovn
+- groovy-victoria-ha
+smoke_bundles:
+- focal-ussuri-ha-ovn
+- focal-ussuri-ha
+dev_bundles:
 - bionic-rocky-ha
 - bionic-rocky-lxd
 comment: |

unit_tests/test_lib_charm_openstack_octavia.py

@@ -133,7 +133,7 @@ class TestOctaviaCharm(Helper):
         self.assertFalse(
             'python3-ovn-octavia-provider' in self.target.packages)
         self.patch_object(octavia.reactive, 'is_flag_set', return_value=True)
-        c = octavia.UssuriOctaviaCharm()
+        c = octavia.VictoriaOctaviaCharm()
         self.assertTrue('octavia-driver-agent' in c.all_packages)
         self.assertTrue('python3-ovn-octavia-provider' in c.all_packages)
         self.assertTrue('octavia-driver-agent' in c.full_service_list)