Add test job for address_group api backend Ml2/OVN

Depends-on: https://review.opendev.org/c/openstack/neutron/+/949852
Depends-on: https://review.opendev.org/c/openstack/neutron/+/949854

Closes-Bug: #1982287
Change-Id: Idd64c04b98006b0ecfaad9f9c3a8c218a57ab4db

neutron_tempest_plugin/scenario/base.py

@@ -176,7 +176,7 @@ class BaseTempestTestCase(base_api.BaseNetworkTest):
                                        client=None):
         """This rule is intended to permit inbound ssh
 
-        Allowing ssh traffic traffic from all sources, so no group_id is
+        Allowing ssh traffic from all sources, so no group_id is
         provided.
         Setting a group_id would only permit traffic from ports
         belonging to the same security group.

neutron_tempest_plugin/scenario/test_security_groups.py

@@ -437,6 +437,9 @@ class BaseNetworkSecGroupTest(base.BaseTempestTestCase):
         # configure sec group to support SSH connectivity
         self.create_loginable_secgroup_rule(
             secgroup_id=ssh_secgrp['id'])
+        if self.stateless_sg:
+            self.create_ingress_metadata_secgroup_rule(
+                secgroup_id=ssh_secgrp['id'])
         # spawn two instances with the sec group created
         server_ssh_clients, fips, servers = self.create_vm_testing_sec_grp(
             security_groups=[{'name': ssh_secgrp['name']}])
@@ -464,9 +467,13 @@ class BaseNetworkSecGroupTest(base.BaseTempestTestCase):
                              should_succeed=False)
 
         # add ICMP rule with remote address group
+        address_set = [str(netaddr.IPNetwork(fips[0]['fixed_ip_address']))]
+        if self.stateless_sg:
+            address_set.append(
+                str(netaddr.IPNetwork(fips[1]['fixed_ip_address'])))
         test_ag = self.create_address_group(
             name=data_utils.rand_name('test_ag'),
-            addresses=[str(netaddr.IPNetwork(fips[0]['fixed_ip_address']))])
+            addresses=address_set)
         rule_list = [{'protocol': constants.PROTO_NUM_ICMP,
                       'direction': constants.INGRESS_DIRECTION,
                       'remote_address_group_id': test_ag['id']}]
@@ -762,8 +769,8 @@ class StatefulNetworkSecGroupTest(BaseNetworkSecGroupTest):
         self._test_remote_group()
 
     @testtools.skipUnless(
-        CONF.neutron_plugin_options.firewall_driver == 'openvswitch',
-        "Openvswitch agent is required to run this test")
+        CONF.neutron_plugin_options.firewall_driver in ['openvswitch', 'ovn'],
+        "Openvswitch agent or Ml2/OVN is required to run this test")
     @decorators.idempotent_id('678dd4c0-2953-4626-b89c-8e7e4110ec4b')
     @tempest_utils.requires_ext(extension="address-group", service="network")
     @tempest_utils.requires_ext(
@@ -949,8 +956,8 @@ class StatelessNetworkSecGroupIPv4Test(BaseNetworkSecGroupTest):
         self._test_remote_group()
 
     @testtools.skipUnless(
-        CONF.neutron_plugin_options.firewall_driver == 'openvswitch',
-        "Openvswitch agent is required to run this test")
+        CONF.neutron_plugin_options.firewall_driver in ['openvswitch', 'ovn'],
+        "Openvswitch agent or Ml2/OVN is required to run this test")
     @decorators.idempotent_id('9fae530d-2711-4c61-a4a5-8efe6e58ab14')
     @tempest_utils.requires_ext(extension="address-group", service="network")
     @tempest_utils.requires_ext(

zuul.d/2023_1_jobs.yaml

@@ -216,6 +216,11 @@
           (^neutron_tempest_plugin.scenario)|\
           (^tempest.api.compute.servers.test_attach_interfaces)|\
           (^tempest.api.compute.servers.test_multiple_create)"
+      # NOTE(liushy): This branch of Neutron does not support
+      # the address_group feature for the OVN driver.
+      tempest_exclude_regex: "\
+          (^neutron_tempest_plugin.scenario.test_security_groups.StatefulNetworkSecGroupTest.test_remote_group_and_remote_address_group)|\
+          (^neutron_tempest_plugin.scenario.test_security_groups.StatelessNetworkSecGroupIPv4Test.test_remote_group_and_remote_address_group)"
       devstack_localrc:
         NETWORK_API_EXTENSIONS: "{{ (network_api_extensions_common + network_api_extensions_ovn) | join(',') }}"
         NEUTRON_DEPLOY_MOD_WSGI: false

zuul.d/yoga_jobs.yaml

@@ -185,13 +185,17 @@
           (^tempest.api.compute.servers.test_multiple_create)"
       # NOTE(ralonsoh): tests disabled because of https://bugs.launchpad.net/neutron/+bug/2082070
       # NOTE(ralonsoh): ``NetworkWritableMtuTest`` excluded because of https://bugs.launchpad.net/neutron/+bug/2082344
+      # NOTE(liushy): This branch of Neutron does not support
+      # the address_group feature for the OVN driver.
       tempest_exclude_regex: "\
           (neutron_tempest_plugin.scenario.test_security_groups.StatelessNetworkSecGroupIPv4Test.test_connectivity_between_vms_using_different_sec_groups)|\
           (neutron_tempest_plugin.scenario.test_security_groups.StatelessNetworkSecGroupIPv4Test.test_packets_of_any_connection_state_can_reach_dest)|\
           (neutron_tempest_plugin.scenario.test_vlan_transparency.VlanTransparencyTest.test_vlan_transparent_allowed_address_pairs)|\
           (neutron_tempest_plugin.scenario.test_vlan_transparency.VlanTransparencyTest.test_vlan_transparent_port_sec_disabled)|\
           (neutron_tempest_plugin.scenario.test_mtu.NetworkWritableMtuTest.*)|\
-          (^neutron_tempest_plugin.scenario.test_multicast.MulticastTestIPv4.test_multicast_between_vms_on_same_network)"
+          (^neutron_tempest_plugin.scenario.test_multicast.MulticastTestIPv4.test_multicast_between_vms_on_same_network)|\
+          (neutron_tempest_plugin.scenario.test_security_groups.StatefulNetworkSecGroupTest.test_remote_group_and_remote_address_group)|\
+          (neutron_tempest_plugin.scenario.test_security_groups.StatelessNetworkSecGroupIPv4Test.test_remote_group_and_remote_address_group)"
       network_api_extensions: *api_extensions
       network_api_extensions_ovn:
         - vlan-transparent

zuul.d/zed_jobs.yaml

@@ -189,13 +189,17 @@
           (^tempest.api.compute.servers.test_multiple_create)"
       # NOTE(ralonsoh): tests disabled because of https://bugs.launchpad.net/neutron/+bug/2082070
       # NOTE(ralonsoh): ``NetworkWritableMtuTest`` excluded because of https://bugs.launchpad.net/neutron/+bug/2082344
+      # NOTE(liushy): This branch of Neutron does not support
+      # the address_group feature for the OVN driver.
       tempest_exclude_regex: "\
           (neutron_tempest_plugin.scenario.test_security_groups.StatelessNetworkSecGroupIPv4Test.test_connectivity_between_vms_using_different_sec_groups)|\
           (neutron_tempest_plugin.scenario.test_security_groups.StatelessNetworkSecGroupIPv4Test.test_packets_of_any_connection_state_can_reach_dest)|\
           (neutron_tempest_plugin.scenario.test_vlan_transparency.VlanTransparencyTest.test_vlan_transparent_allowed_address_pairs)|\
           (neutron_tempest_plugin.scenario.test_vlan_transparency.VlanTransparencyTest.test_vlan_transparent_port_sec_disabled)|\
           (neutron_tempest_plugin.scenario.test_mtu.NetworkWritableMtuTest.*)|\
-          (^neutron_tempest_plugin.scenario.test_multicast.MulticastTestIPv4.test_multicast_between_vms_on_same_network)"
+          (^neutron_tempest_plugin.scenario.test_multicast.MulticastTestIPv4.test_multicast_between_vms_on_same_network)|\
+          (neutron_tempest_plugin.scenario.test_security_groups.StatefulNetworkSecGroupTest.test_remote_group_and_remote_address_group)|\
+          (neutron_tempest_plugin.scenario.test_security_groups.StatelessNetworkSecGroupIPv4Test.test_remote_group_and_remote_address_group)"
       network_api_extensions: *api_extensions
       network_api_extensions_ovn:
         - vlan-transparent