Ensure OpenShift gate uses the namespace subnet/sg drivers

Depends-On: I5d12d6be2b89b6301d7f2509513a558b33ef5898 Implements: blueprint openshift-project-isolation-support Change-Id: I46dcb331e63421437468fd55f5ffdf02ed2ee148
2018-07-06 14:31:19 +02:00 · 2018-07-06 14:31:19 +02:00 · b4b2c7bf48
commit b4b2c7bf48
parent e3a33599a3
4 changed files with 25 additions and 6 deletions
--- a/.zuul.d/octavia.yaml
+++ b/.zuul.d/octavia.yaml
@ -105,6 +105,10 @@
    vars:
      devstack_services:
        kuryr-daemon: true
+      devstack_localrc:
+        KURYR_SUBNET_DRIVER: namespace
+        KURYR_SG_DRIVER: namespace
+        KURYR_ENABLED_HANDLERS: vif,lb,lbaasspec,namespace
    voting: false

 - job:
@ -113,12 +117,10 @@
      Tempest with Octavia, CNI daemon, containers and namespace subnet driver
    parent: kuryr-kubernetes-tempest-daemon-containerized-octavia
    vars:
-      tempest_test_regex: '^(kuryr_tempest_plugin.tests.scenario.test_namespace.TestNamespaceScenario.test_namespace)'
      devstack_localrc:
        KURYR_SUBNET_DRIVER: namespace
        KURYR_SG_DRIVER: namespace
        KURYR_ENABLED_HANDLERS: vif,lb,lbaasspec,namespace
-    voting: false

 - job:
    name: kuryr-kubernetes-tempest-daemon-containerized-openshift-octavia
--- a/devstack/lib/kuryr_kubernetes
+++ b/devstack/lib/kuryr_kubernetes
@ -491,6 +491,12 @@ rules:
    - nodes
    - services
    - services/status
+    - namespaces
+- apiGroups:
+    - openstack.org
+  verbs: ["*"]
+  resources:
+    - kuryrnets
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@ -419,7 +419,7 @@ function configure_neutron_defaults {
            "$allow_default_sg_id"
        openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
            security group rule create --project "$project_id" \
-            --description "allow traffic from default namespace" \
+            --description "allow icmp traffic from default namespace" \
            --remote-group "$allow_namespace_sg_id" --ethertype IPv4 --protocol icmp \
            "$allow_default_sg_id"
        openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
@ -427,11 +427,20 @@ function configure_neutron_defaults {
            --description "allow traffic from namespaces at default namespace" \
            --remote-group "$allow_default_sg_id" --ethertype IPv4 --protocol tcp \
            "$allow_namespace_sg_id"
+        # NOTE(ltomasbo): Some tempest test are using FIP and depends on icmp
+        # traffic being allowed to the pods. To enable these tests we permit
+        # icmp traffic from everywhere on the default namespace. Note tcp
+        # traffic will be dropped, just icmp is permitted.
        openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
            security group rule create --project "$project_id" \
-            --description "allow traffic from namespaces at default namespace" \
-            --remote-group "$allow_default_sg_id" --ethertype IPv4 --protocol icmp \
-            "$allow_namespace_sg_id"
+            --description "allow imcp traffic from everywhere to default namespace" \
+            --ethertype IPv4 --protocol icmp "$allow_namespace_sg_id"
+
+        # NOTE(ltomasbo): As more security groups and rules are created, there
+        # is a need to increase the quota for it
+         openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \
+             quota set --secgroups 100 --secgroup-rules 100 "$project_id"
+

        iniset "$KURYR_CONFIG" namespace_sg sg_allow_from_namespaces "$allow_namespace_sg_id"
        iniset "$KURYR_CONFIG" namespace_sg sg_allow_from_default "$allow_default_sg_id"
--- a/tools/gate/copy_k8s_logs.sh
+++ b/tools/gate/copy_k8s_logs.sh
@ -32,6 +32,8 @@ sudo chown ${USER}:${USER} ${HOME}/.kube/config
 /usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get ds -o yaml --all-namespaces >> ${K8S_LOG_DIR}/daemonsets.txt
 /usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get nodes -o yaml --all-namespaces >> ${K8S_LOG_DIR}/nodes.txt
 /usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get ingress -o yaml --all-namespaces >> ${K8S_LOG_DIR}/ingress.txt
+/usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get namespaces -o yaml >> ${K8S_LOG_DIR}/namespaces.txt
+/usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get kuryrnets -o yaml --all-namespaces >> ${K8S_LOG_DIR}/kuryrnets_crds.txt

 # Kubernetes pods logs
 mkdir -p ${K8S_LOG_DIR}/pod_logs