octavia: Make Octavia ready devstack

This patch changes the main sample devstack local.conf to use Octavia.
In order for that to work, it does some security group changes to ensure
that the communication from the LB to the members will work in both L2
and L3 modes.

In L2 mode, which is the default behavior after this patch, but not the
default behavior we'll chose going forward, Octavia creates a pod_subnet
port per each Load Balancer with the 'default' security group of the
'admin' project. This means that it would not be allowed by the members
since they use the 'default' security group from the 'k8s' project.

In L3 mode, Octavia does not create a port in the members subnet and
relies on the service and the pod subnet to be connected to the same
router. Some changes are necessary on the lbaas handler for that and
they'll come in a follow-up patch. In case the developers want to try, I
added a security group for the service subnet to be allowed into the pod
subnet.

Partially-Implements: blueprint octavia-support
Change-Id: I993ebb0d7b82ad1140d752982013bbadf35dfef7
Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>

devstack/local.conf.sample

@@ -36,10 +36,16 @@ enable_service q-l3
 enable_service q-svc
 
 # LBaaSv2 service and Haproxy agent
-enable_plugin neutron-lbaas \
-    git://git.openstack.org/openstack/neutron-lbaas
-enable_service q-lbaasv2
-NEUTRON_LBAAS_SERVICE_PROVIDERV2="LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default"
+#enable_plugin neutron-lbaas \
+#   git://git.openstack.org/openstack/neutron-lbaas
+#enable_service q-lbaasv2
+#NEUTRON_LBAAS_SERVICE_PROVIDERV2="LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default"
+
+# Octavia LBaaSv2
+LIBS_FROM_GIT+=python-octaviaclient
+ENABLED_SERVICES+=,n-api,n-api-meta,n-cpu,n-cond,n-sch,placement-api,placement-client
+ENABLED_SERVICES+=,g-api,g-reg
+ENABLED_SERVICES+=,octavia,o-api,o-cw,o-hm,o-hk
 
 # Keystone
 enable_service key
@@ -139,3 +145,9 @@ enable_service kubelet
 # part of the codebase that connects to the Kubernetes API server to read the
 # resource events and convert them to Neutron actions
 enable_service kuryr-kubernetes
+
+# Increase Octavia amphorae timeout so that the first LB amphora has time to
+# build and boot
+[[post-config|$OCTAVIA_CONF_DIR/octavia.conf]]
+[controller_worker]
+amp_active_retries=9999

devstack/plugin.sh

@@ -206,9 +206,6 @@ function configure_neutron_defaults {
     pod_subnet_id="$(neutron subnet-show -c id -f value \
         "${KURYR_NEUTRON_DEFAULT_POD_SUBNET}")"
 
-    sg_ids=$(echo $(neutron security-group-list \
-        --project-id "$project_id" -c id -f value) | tr ' ' ',')
-
     create_k8s_subnet "$project_id" \
                       "$KURYR_NEUTRON_DEFAULT_SERVICE_NET" \
                       "$KURYR_NEUTRON_DEFAULT_SERVICE_SUBNET" \
@@ -217,6 +214,45 @@ function configure_neutron_defaults {
     service_subnet_id="$(neutron subnet-show -c id -f value \
         "${KURYR_NEUTRON_DEFAULT_SERVICE_SUBNET}")"
 
+    sg_ids=$(echo $(neutron security-group-list \
+        --project-id "$project_id" -c id -f value) | tr ' ' ',')
+    # In order for the pods to allow service traffic under Octavia, it is
+    # necessary for the service subnet to be allowd into the $sg_ids
+    local service_cidr
+    local service_pod_access_sg_id
+    service_cidr=$(openstack --os-cloud devstack-admin \
+        --os-region "$REGION_NAME" subnet show \
+        "${KURYR_NEUTRON_DEFAULT_SERVICE_SUBNET}" -f value -c cidr)
+    service_pod_access_sg_id=$(openstack --os-cloud devstack-admin \
+        --os-region "$REGION_NAME" \
+        security group create --project "$project_id" \
+        service_pod_access -f value -c id)
+    openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
+        security group rule create --project "$project_id" \
+        --description "k8s service subnet allowed" \
+        --remote-ip "$service_cidr" --ethertype IPv4 --protocol tcp \
+        "$service_pod_access_sg_id"
+    sg_ids+=",${service_pod_access_sg_id}"
+
+    # In case the member connectivity is L2, we'll create a security group
+    # for that too, which means allowing all access from the pod subnet range
+    # as Octavia by default uses the admin 'default' sg for the member ports
+    local pod_cidr
+    local pod_pod_access_sg_id
+    pod_cidr=$(openstack --os-cloud devstack-admin \
+        --os-region "$REGION_NAME" subnet show \
+        "${KURYR_NEUTRON_DEFAULT_POD_SUBNET}" -f value -c cidr)
+    pod_pod_access_sg_id=$(openstack --os-cloud devstack-admin \
+        --os-region "$REGION_NAME" \
+        security group create --project "$project_id" \
+        pod_pod_access -f value -c id)
+    openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
+        security group rule create --project "$project_id" \
+        --description "k8s pod subnet allowed from other sg" \
+        --remote-ip "$pod_cidr" --ethertype IPv4 --protocol tcp \
+        "$pod_pod_access_sg_id"
+    sg_ids+=",${pod_pod_access_sg_id}"
+
     iniset "$KURYR_CONFIG" neutron_defaults project "$project_id"
     iniset "$KURYR_CONFIG" neutron_defaults pod_subnet "$pod_subnet_id"
     iniset "$KURYR_CONFIG" neutron_defaults pod_security_groups "$sg_ids"

doc/source/installation/manual.rst

@@ -51,6 +51,25 @@ Edit ``kuryr.conf``::
     project = {id_of_project}
     service_subnet = {id_of_subnet_for_k8s_services}
 
+Note that the service_subnet and the pod_subnet *should be routable* and that
+the pods should allow service subnet access. This means that:
+
+* there should be a router between the two subnets.
+* The pod_security_groups setting should include a security group with a rule
+  granting access to all the CIDR or the service subnet.
+
+It would be possible to use two non-routed subnets under the following
+conditions:
+
+* Octavia was the selected neutron LBaaSv2 provider.
+* The service handler chose the pod subnet as the lbaas member subnet.
+* A security rule would be made to give access to the Octavia vrrp security
+  group in the pod security group.
+
+In this non-routed subnets scenario, Octavia would create and attach a port of
+the pod subnet to each load balancer. This means that you should size the pod
+subnet taking into account this extra usage.
+
 Run kuryr-k8s-controller::
 
     $ kuryr-k8s-controller --config-file /etc/kuryr/kuryr.conf -d