In the ML2/OVN backend, if the IP address of an unbound port is added to
another port as an `allowed_address_pair`, OVN treats this port as
`virtual`.

This could break connectivity to the metadata service, as it uses a
"special" port with device_owner set to `network:distributed` and this
port is `unbound`. So if someone adds the IP address assigned to such a
`network:distributed` port to the allowed_address_pair of another
port, connectivity to the metadata will be broken.

This patch adds a new validation of the allowed_address_pairs by the OVN
mech_driver. If an IP address set as an allowed_address_pair is used by a
`network:distributed` port, such an API request will return a BadRequest
error code and the allowed_address_pair will not be set for the port.

Closes-Bug: #2116249
Depends-On: https://review.opendev.org/c/openstack/tempest/+/955569
Conflicts:
neutron/tests/unit/db/test_db_base_plugin_v2.py
neutron/tests/unit/plugins/ml2/drivers/ovn/mech_driver/test_mech_driver.py
Change-Id: I9b54e12fbd9b930a79660f2be195641107a5754e
Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>
(cherry picked from commit 79e9b02c65)
(cherry picked from commit b6f730fc99)
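
The validation described in the commit message, sketched as an added example that is not the Neutron patch itself. Ports are plain dicts in a constructed layout, `BadRequest` is a stand-in class and the function names are hypothetical; treating a CIDR entry as covering every address in its range and scoping the check to the port's own network are assumptions that go beyond what the message states.

```python
import ipaddress

DISTRIBUTED = "network:distributed"  # device_owner named in the commit message


class BadRequest(Exception):
    """Hypothetical stand-in for the API's BadRequest error."""


def distributed_ips(ports, network_id):
    """Fixed IPs of network:distributed ports on one network."""
    return {
        ipaddress.ip_address(fixed["ip_address"])
        for p in ports
        if p["network_id"] == network_id and p["device_owner"] == DISTRIBUTED
        for fixed in p["fixed_ips"]
    }


def conflicting_pairs(port, ports):
    """Return (pair, ip) tuples where a pair covers a distributed port IP."""
    reserved = distributed_ips(ports, port["network_id"])
    conflicts = []
    for pair in port.get("allowed_address_pairs", []):
        # Assumption: an entry is a single address or a CIDR; strict=False
        # parses both ("10.0.0.2" becomes 10.0.0.2/32).
        net = ipaddress.ip_network(pair["ip_address"], strict=False)
        # Filter by IP version first so v4 and v6 addresses are never compared.
        hits = sorted(ip for ip in reserved
                      if ip.version == net.version and ip in net)
        conflicts.extend((pair["ip_address"], str(ip)) for ip in hits)
    return conflicts


def validate_allowed_address_pairs(port, ports):
    """Reject the request before any allowed_address_pair is stored."""
    conflicts = conflicting_pairs(port, ports)
    if conflicts:
        raise BadRequest(f"allowed_address_pairs overlap {DISTRIBUTED} IPs: {conflicts}")


# Constructed sample data (dict layout is an assumption, not Neutron's models).
PORTS = [
    {"network_id": "net-a", "device_owner": DISTRIBUTED,
     "fixed_ips": [{"ip_address": "10.0.0.2"}]},
    {"network_id": "net-b", "device_owner": DISTRIBUTED,
     "fixed_ips": [{"ip_address": "10.0.1.2"}]},
]
VM_PORT = {"network_id": "net-a", "device_owner": "compute:nova",
           "allowed_address_pairs": [{"ip_address": "10.0.0.50"}]}
```

The CIDR case matters in this sketch because a range such as `10.0.0.0/24` never names the metadata port's address literally yet still includes it.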