As openstacksdk 0.36.0 is needed on lower-constraints and it
does not support allowed_cidrs field on the listener, we must
ensure that field is present to properly update the listeners ACLs.

Closes-bug: 1881914
Change-Id: I46d14e9088a0643ba02b0a7d4c8000fa2a22d379

When no security groups is present on the LBaaSLoadBalancer oslo
versioned object it should default to an empty list and not to
None. Otherwise iterations of the security_groups field fails.

Closes-bug: 1881575

Change-Id: I9a98584f80219bf5c2ea414177826a26470d414f

Change-Id: I4b5b78f4667b0829c270809b518a765f290bf13d
Closes-Bug: 1881561

Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems

Update Sphinx version as well.

Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.

Remove docs requirements from lower-constraints, they are not needed
during install or test but only for docs building.

openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.

See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html

Change-Id: I4c358db3b0aae6370875c61120182443532c8e7b

This patch ensures if on_finalize event for a CR is processed before
its status got populated, it is still possible to remove its finalizer
and unblock the namespace deletion.

Change-Id: I338ad6967f96807431754e91d2c1f9031723ec8e
Closes-Bug: 1881318

When deleting services and the respective load balancer
with using ovn-octavia provider, the lb sg is not deleted.
This commit fixes the issue by removing the LB sg creation
when the octavia provider is ovn-octavia, as that sg is not
really enforced.

Closes-bug: 1880207
Change-Id: I2c77b1d0ac682008ff6c31781d6075c208c689d0

Add gate to check k8s-services backed by OVN provider

Depends-On: I414a3c6d2e97d30ff12eda4ecf71ec032998df7d
Depends-On: I89e969ae52378a7c62ac552e1a69b7e2a45bd23a
Depends-On: If10016325517e4a1fc5f7cfac7f7bd58deb09b54
Depends-On: Ife099f1d05c0cae954119f0ef4616c95076f83e7
Depends-On: Ibb958ea5acaaf07af8ebed5d9552036db9469346
Depends-On: I40bf39c4c1d0b43f5d83e6aed81786390753ce99
Change-Id: I31ebb17e84055d900338a18f83bf63818dc3ce0d
Implements: blueprint octavia-ovn-provider

Change-Id: I7e315eba661798655322c785bb578576da8e496a

This is to add missing white space between words in log message.

Change-Id: I3e77904154b9745df46c05a8ea4863ad80c2034b

In highly distributed environment like Kubernetes installation with
Kuryr, we need to plan for network outages in any case. If we don't, we
end up with bugs like one this patch tries to fix.

If we'd lose a Pod delete event on kuryr-daemon following can happen:

    1. Pod A of name "foo" gets created.
    2. It gets annotated normally and CNI ADD request gives it an IP X.
    3. Pod A gets deleted.
    4. Somehow the delete event gets lost on kuryr-daemon's watcher.
    5. CRI sends CNI DEL request and pod gets unplugged successfully. It
       never gets deleted from the daemon's registry, because we never
       got the Pod delete event from K8s API.
    6. Pod B of the same name "foo" gets created.
    7. CNI looks up registry by <namespace>/<pod>, finds old VIF there
       and plugs pod B with pod A's VIF X.
    8. kuryr-controller never notices that and assigns IP X to another
       pod.
    9. We get an IP conflict.

To solve the issue this patch makes sure that when handling ADD CNI calls, we
always get the pod from K8s API first, and if uid of the API one doesn't match
the one in the registry, we remove the registry entry. That way we can make
sure the pod we've cached isn't stale. This adds one K8s API call per CNI ADD
request, which is a significant load increase, but hopefully the K8s API can
handle it.

Closes-Bug: 1854928

Change-Id: I9916fca41bd917d85be973b8625b65a61139c3b3

This commit removes .testr.conf since this repo already has
.stestr.conf. We just need .stestr.conf instead of .testr.conf.

Change-Id: Iba32a9f8abc085b3ab6a5d95355ae24fa2b08819

In case a LB resource ends up with ERROR in the provisioning status
we must ensure the deletion and recreation of the resource.

Closes-bug: 1879371
Change-Id: I2531948ab6181cfa5049b54c78935c23f60173d2

flake8 new release 3.8.0 added new checks and gate pep8
job start failing. hacking 3.0.1 fix the pinning of flake8 to
avoid bringing in a new version with new checks.

Though it is fixed in latest hacking but 2.0 and 3.0 has cap for
flake8 as <4.0.0 which mean flake8 new version 3.9.0 can also
break the pep8 job if new check are added.

To avoid similar gate break in future, we need to bump the hacking min
version.

- http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014828.html

Change-Id: I54d3d778266d840bd724836018340d9bd3987844

This commit allows to use virtual functions in pods,
when these virtual functions are passed into VM.
Documentation in this commit describes the steps which
are necessary to run DPDK applications inside containers.

Limitations:
    1. MAC and VLAN tag could not be set from inside the VM
    2. Down state of VFs may ocure after rebinding process

Change-Id: I9d1c74b36afcd32d0c583a70a3d819eb775ae372
Signed-off-by: Danil Golov <d.golov@samsung.com>

We don't really care if on unstack the containers doesn't exist, so this
commit makes us ignore those errors.

Change-Id: I3345871e1308c961c375b5c3fac007e7c4d9e625
Closes-Bug: 1877531

Seems like flake8 3.8.1 got released that introduced new rules we
violate, rendering our pep8 job broken. This commit fixes them.

Change-Id: I7e4f2767856be8666c8f37f3b481f8bf43412ce8

In network policy driver we are using security groups for the OpenStack
side to create appropriate port ranges to be open for certain hosts (or
all hosts). In this patch we add a mechanism for selecting right IP
version to the rule, or create rules for both (IPv4 and IPv6) network
types.

Implements: blueprint kuryr-ipv6-support
Change-Id: Ie7544aeebb1d18038ebc19c8f815b69213b55a88

Currently we do have quotas for SG rules set to 100. While that's enough
for IPv4 networking, it insufficient for the IPv6. There are tests,
where a lot of security group rules are created, which number on the
IPv6 networks increases even more. We propose to raise that number to
300. 300 brave SG rules.

Change-Id: I3efd668d8a58706443426f14d77c119533b5dffb

Seems like new OVN is not compatible with networking-ovn, so we need to
pin version. I believe this should be done in OVN plugin itself but
whatever, I just want to have the gate green.

I already did that in stable/ussuri as part of
I29e19e13aa22047bfa07817a7794fc18612bbc32, but this should probably be
cherry-picked to stable/train and stable/stein too.

Change-Id: Ie32570dfd0bf2154fdac5886321d8432e21c022c

When a pod event is handled it's possible that a Network Policy and Service
are affected by that pod and the LB sg of selected services needs to be
updated. However, the endpoints for the matched service may not be yet
present or were deleted, resulting in a NotFound exception.
This commit handled this exception by skipping the LB sg update.

Change-Id: I21a4d6cb515633d47b534f180517687d07b8f83f
Closes-bug: 1876666

Sometimes we create a lot of security group rules, which might exceed
the quotas. In this patch we propose to distinguish conflict exceptions
for quota exceeding from rule already exists.

Change-Id: Icea686ec9d1fcb701f1853c40d6cfd4ca20fd0ac

This patch ensure the proper listener id is found and its associated
security groups are updated.

Change-Id: I72120c33debddfe6ba29c8c0152a0cef4e96a6eb
Closes-Bug: 1875428

Somehow an update to centos repos and the fact that docker.io centos
containers weren't updated for a while broke us. To fix this we need to
make sure RPMs in the container are upgraded, otherwise `yum history
undo last` fails miserably with missing packages errors.

Also this commit makes sure installation dies when we're unable to build
containers.

Change-Id: I29e19e13aa22047bfa07817a7794fc18612bbc32

OpenStackSDK have renamed some fields for Neutron API to be able to
create port object with attributes named after those fields. In our
workaround, we didn't spot that, so that all of the neutron API port
fields which prefixes started from 'binding_' cause an exception on the
neutron API call side.

In this patch we fix this by changing those fields to be acceptable
directly by Neutron API.

Note, that _create_ports is a workaround, which will be removed when
kuryr-kubernetes will bump openstakcsdk version to minimum 0.42 in
lower constraints.

Closes-bug: 1874276
Change-Id: Id36a00b94f9df837c49ced7155f8117fe9625fc2

This is an automatically generated patch to ensure unit testing
is in place for all the of the tested runtimes for victoria.

See also the PTI in governance [1].

[1]: https://governance.openstack.org/tc/reference/project-testing-interface.html

Change-Id: I658454adc9ff1d5350bd8c99b54f06cd545ed28f

Add file to the reno documentation build to show release notes for
stable/ussuri.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/ussuri.

Change-Id: If662119ee01ef4f3ff11473919411eed75f0a778
Sem-Ver: feature

Change-Id: I094e4fcfc32cbcefdb96aa498f6c2c4ee3624019

And fix documents typo about "generate_k8s_resource_definitions.sh"

Closes-bug: 1873544
Change-Id: I1e227b6d9efce4c41ee2431a817b00d97d33af91