From b4b2c7bf481dddce28f2aae3cb6bb0afd2ee344d Mon Sep 17 00:00:00 2001 From: Luis Tomas Bolivar Date: Fri, 6 Jul 2018 14:31:19 +0200 Subject: [PATCH] Ensure OpenShift gate uses the namespace subnet/sg drivers Depends-On: I5d12d6be2b89b6301d7f2509513a558b33ef5898 Implements: blueprint openshift-project-isolation-support Change-Id: I46dcb331e63421437468fd55f5ffdf02ed2ee148 --- .zuul.d/octavia.yaml | 6 ++++-- devstack/lib/kuryr_kubernetes | 6 ++++++ devstack/plugin.sh | 17 +++++++++++++---- tools/gate/copy_k8s_logs.sh | 2 ++ 4 files changed, 25 insertions(+), 6 deletions(-) diff --git a/.zuul.d/octavia.yaml b/.zuul.d/octavia.yaml index 862a9c6f5..54cbd573f 100644 --- a/.zuul.d/octavia.yaml +++ b/.zuul.d/octavia.yaml @@ -105,6 +105,10 @@ vars: devstack_services: kuryr-daemon: true + devstack_localrc: + KURYR_SUBNET_DRIVER: namespace + KURYR_SG_DRIVER: namespace + KURYR_ENABLED_HANDLERS: vif,lb,lbaasspec,namespace voting: false - job: @@ -113,12 +117,10 @@ Tempest with Octavia, CNI daemon, containers and namespace subnet driver parent: kuryr-kubernetes-tempest-daemon-containerized-octavia vars: - tempest_test_regex: '^(kuryr_tempest_plugin.tests.scenario.test_namespace.TestNamespaceScenario.test_namespace)' devstack_localrc: KURYR_SUBNET_DRIVER: namespace KURYR_SG_DRIVER: namespace KURYR_ENABLED_HANDLERS: vif,lb,lbaasspec,namespace - voting: false - job: name: kuryr-kubernetes-tempest-daemon-containerized-openshift-octavia diff --git a/devstack/lib/kuryr_kubernetes b/devstack/lib/kuryr_kubernetes index a092f9581..ac4d55b94 100644 --- a/devstack/lib/kuryr_kubernetes +++ b/devstack/lib/kuryr_kubernetes @@ -491,6 +491,12 @@ rules: - nodes - services - services/status + - namespaces +- apiGroups: + - openstack.org + verbs: ["*"] + resources: + - kuryrnets --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 52efa673f..a4cee5f2d 100644 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh 
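Review bot: The three `devstack_localrc` entries added in the first octavia.yaml hunk (`KURYR_SUBNET_DRIVER`, `KURYR_SG_DRIVER`, `KURYR_ENABLED_HANDLERS`) are byte-for-byte the same as the ones the next hunk's job already carries, so the handler list must now be kept in step in two places. Moving them onto a shared parent job that both jobs inherit from would keep a single source of truth. The name of the job this hunk modifies begins before the hunk, so which job actually receives the namespace drivers is not visible here.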
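Review bot: Dropping `voting: false` in the second octavia.yaml hunk turns the namespace-subnet-driver Octavia job into a voting job, and dropping `tempest_test_regex` widens it from the single namespace scenario test to the full tempest run; neither is mentioned in the commit message, which only speaks of the OpenShift gate. If both are intended, a sentence such as `Also make the namespace-driver Octavia job voting and run the full tempest suite on it` would record the decision; otherwise the two removals belong in a separate change so they can be reverted on their own if the wider run proves unstable.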
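Review bot: The new rule for `kuryrnets` under `openstack.org` uses `verbs: ["*"]`, which grants every verb (get, list, watch, create, update, patch, delete, deletecollection) on the CRD objects, cluster-wide if this is the ClusterRole that the following `ClusterRoleBinding` binds; listing only the verbs the namespace handler actually issues keeps the role at least privilege and documents what the controller does with kuryrnets. The existing rule in the hunk writes its resources as a block sequence (`- nodes`), so the flow form `["*"]` is also a style break; `verbs:` followed by one `- verb` line each (e.g. `- get`, `- list`, `- watch`, `- create`, extended to whatever the handler needs) reads consistently. The `rules:` mapping and its first rule begin before the hunk, so the verbs already granted on `namespaces` cannot be checked here.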
@@ -419,7 +419,7 @@ function configure_neutron_defaults { "$allow_default_sg_id" openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \ security group rule create --project "$project_id" \ - --description "allow traffic from default namespace" \ + --description "allow icmp traffic from default namespace" \ --remote-group "$allow_namespace_sg_id" --ethertype IPv4 --protocol icmp \ "$allow_default_sg_id" openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \ @@ -427,11 +427,20 @@ function configure_neutron_defaults { --description "allow traffic from namespaces at default namespace" \ --remote-group "$allow_default_sg_id" --ethertype IPv4 --protocol tcp \ "$allow_namespace_sg_id" + # NOTE(ltomasbo): Some tempest test are using FIP and depends on icmp + # traffic being allowed to the pods. To enable these tests we permit + # icmp traffic from everywhere on the default namespace. Note tcp + # traffic will be dropped, just icmp is permitted. openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \ security group rule create --project "$project_id" \ - --description "allow traffic from namespaces at default namespace" \ - --remote-group "$allow_default_sg_id" --ethertype IPv4 --protocol icmp \ - "$allow_namespace_sg_id" + --description "allow imcp traffic from everywhere to default namespace" \ + --ethertype IPv4 --protocol icmp "$allow_namespace_sg_id" + + # NOTE(ltomasbo): As more security groups and rules are created, there + # is a need to increase the quota for it + openstack --os-cloud devstack-admin --os-region "$REGION_NAME" \ + quota set --secgroups 100 --secgroup-rules 100 "$project_id" + iniset "$KURYR_CONFIG" namespace_sg sg_allow_from_namespaces "$allow_namespace_sg_id" iniset "$KURYR_CONFIG" namespace_sg sg_allow_from_default "$allow_default_sg_id" diff --git a/tools/gate/copy_k8s_logs.sh b/tools/gate/copy_k8s_logs.sh index d4d7fd5b6..d454904f4 100755 --- a/tools/gate/copy_k8s_logs.sh +++ b/tools/gate/copy_k8s_logs.sh 
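Review bot: The new rule's description string in the second plugin.sh hunk has `imcp` for `icmp`; it is stored on the Neutron rule and shown whenever the group is listed, so the line should read `--description "allow icmp traffic from everywhere to default namespace" \`. Because the rule carries neither `--remote-group` nor `--remote-ip`, it admits ingress ICMP from any source to every Neutron port in `$allow_namespace_sg_id`, which the NOTE intends for the gate but should state explicitly (`# devstack/gate only: opens ICMP ingress from any source`), and if the FIP-based tempest tests only need reachability from the public network, a `--remote-ip` on that range would be the narrower form. The `quota set --secgroups 100 --secgroup-rules 100` values are unexplained magic numbers; a named variable would let jobs tune them. The first NOTE also reads better as `Some tempest tests use FIPs and depend on icmp`. `configure_neutron_defaults` continues beyond this hunk.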
@@ -32,6 +32,8 @@ sudo chown ${USER}:${USER} ${HOME}/.kube/config /usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get ds -o yaml --all-namespaces >> ${K8S_LOG_DIR}/daemonsets.txt /usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get nodes -o yaml --all-namespaces >> ${K8S_LOG_DIR}/nodes.txt /usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get ingress -o yaml --all-namespaces >> ${K8S_LOG_DIR}/ingress.txt +/usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get namespaces -o yaml >> ${K8S_LOG_DIR}/namespaces.txt +/usr/local/bin/kubectl --kubeconfig=${HOME}/.kube/config get kuryrnets -o yaml --all-namespaces >> ${K8S_LOG_DIR}/kuryrnets_crds.txt # Kubernetes pods logs mkdir -p ${K8S_LOG_DIR}/pod_logs
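Review bot: The added `kubectl get kuryrnets` line assumes the kuryrnets CRD is registered, which presumably only holds on jobs that enable the namespace handler; on any other job the command fails, and if this script runs under `set -e` (its header is outside the hunk) that would abort log collection before the pod logs below are gathered. Appending `|| true`, or checking that the CRD exists before querying it, keeps the collection best-effort: `... get kuryrnets -o yaml --all-namespaces >> ${K8S_LOG_DIR}/kuryrnets_crds.txt 2>&1 || true`. Capturing stderr into the file also records why the query failed instead of losing it.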