Add support for OVN Metadata Agent

This patch adds support for configuring networking-ovn-metadata-agent.

Change-Id: I38f775479d178f5b252619635b67f876bc8c5ed5
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>

lib/puppet/provider/ovn_metadata_agent_config/ini_setting.rb

@@ -0,0 +1,15 @@
+Puppet::Type.type(:ovn_metadata_agent_config).provide(
+  :ini_setting,
+  :parent => Puppet::Type.type(:openstack_config).provider(:ini_setting)
+) do
+
+  def self.file_path
+    '/etc/neutron/plugins/networking-ovn/networking-ovn-metadata-agent.ini'
+  end
+
+  # added for backwards compatibility with older versions of inifile
+  def file_path
+    self.class.file_path
+  end
+
+end

lib/puppet/type/ovn_metadata_agent_config.rb

@@ -0,0 +1,52 @@
+Puppet::Type.newtype(:ovn_metadata_agent_config) do
+
+  ensurable
+
+  newparam(:name, :namevar => true) do
+    desc 'Section/setting name to manage from networking-ovn-metadata-agent.ini'
+    newvalues(/\S+\/\S+/)
+  end
+
+  newproperty(:value) do
+    desc 'The value of the setting to be defined.'
+    munge do |value|
+      value = value.to_s.strip
+      value.capitalize! if value =~ /^(true|false)$/i
+      value
+    end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
+  end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
+  end
+
+  newparam(:ensure_absent_val) do
+    desc 'A value that is specified as the value property will behave as if ensure => absent was specified'
+    defaultto('<SERVICE DEFAULT>')
+  end
+
+  autorequire(:package) do
+    'networking-ovn-metadata-agent'
+  end
+
+end

manifests/agents/ovn_metadata.pp

@@ -0,0 +1,180 @@
+# == Class: neutron::agents::ovn_metadata
+#
+# Setup and configure networking-ovn metadata agent.
+#
+# === Parameters
+#
+# [*shared_secret*]
+#   (required) Shared secret to validate proxies Neutron metadata requests.
+#
+# [*package_ensure*]
+#   Ensure state of the package. Defaults to 'present'.
+#
+# [*enabled*]
+#   State of the service. Defaults to true.
+#
+# [*manage_service*]
+#   (optional) Whether to start/stop the service
+#   Defaults to true
+#
+# [*debug*]
+#   Debug. Defaults to false.
+#
+# [*auth_ca_cert*]
+#   CA cert to check against with for ssl keystone. (Defaults to $::os_service_default)
+#
+# [*nova_client_cert*]
+#   Client certificate for nova metadata api server. (Defaults to $::os_service_default)
+#
+# [*nova_client_priv_key*]
+#   Private key of client certificate. (Defaults to $::os_service_default)
+#
+# [*metadata_ip*]
+#   The IP address of the metadata service. Defaults to $::os_service_default.
+#
+# [*metadata_host*]
+#   The hostname of the metadata service. Defaults to $::os_service_default.
+#
+# [*metadata_port*]
+#   The TCP port of the metadata service. Defaults to $::os_service_default.
+#
+# [*metadata_protocol*]
+#   The protocol to use for requests to Nova metadata server. Defaults to $::os_service_default.
+#
+# [*metadata_workers*]
+#   (optional) Number of separate worker processes to spawn.  Greater than 0
+#   launches that number of child processes as workers.  The parent process
+#   manages them.
+#   Defaults to: $::os_workers
+#
+# [*metadata_backlog*]
+#   (optional) Number of backlog requests to configure the metadata server socket with.
+#   Defaults to $::os_service_default
+#
+# [*metadata_insecure*]
+#   (optional) Allow to perform insecure SSL (https) requests to nova metadata.
+#   Defaults to $::os_service_default
+#
+# [*ovsdb_connection*]
+#   (optional) The URI used to connect to the local OVSDB server.
+#   Defaults to 'tcp:127.0.0.1:6640'
+#
+# [*ovs_manager*]
+#   The manager target that will be set to OVS so that the metadata agent can
+#   connect to.
+#   Defaults to 'ptcp:6640:127.0.0.1'
+#
+# [*ovn_sb_connection*]
+#   (optional) The connection string for the OVN_Southbound OVSDB
+#   Defaults to '$::os_service_default'
+#
+# [*ovsdb_connection_timeout*]
+#   (optional) Timeout in seconds for the OVSDB connection transaction
+#   Defaults to $::os_service_default
+#
+# [*root_helper*]
+#  (optional) Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real
+#  root filter facility. Change to "sudo" to skip the filtering and just run the command
+#  directly
+#  Defaults to 'sudo neutron-rootwrap /etc/neutron/rootwrap.conf'.
+#
+# [*root_helper_daemon*]
+#  (optional) Root helper daemon application to use when possible.
+#  Defaults to $::os_service_default.
+#
+# [*state_path*]
+#   (optional) Where to store state files. This directory must be writable
+#   by the user executing the agent
+#   Defaults to: '/var/lib/neutron'.
+#
+# [*purge_config*]
+#   (optional) Whether to set only the specified config options
+#   in the metadata config.
+#   Defaults to false.
+
+class neutron::agents::ovn_metadata (
+  $shared_secret,
+  $package_ensure            = 'present',
+  $enabled                   = true,
+  $manage_service            = true,
+  $debug                     = false,
+  $auth_ca_cert              = $::os_service_default,
+  $metadata_ip               = $::os_service_default,
+  $metadata_host             = $::os_service_default,
+  $metadata_port             = $::os_service_default,
+  $metadata_protocol         = $::os_service_default,
+  $metadata_workers          = $::os_workers,
+  $metadata_backlog          = $::os_service_default,
+  $metadata_insecure         = $::os_service_default,
+  $nova_client_cert          = $::os_service_default,
+  $nova_client_priv_key      = $::os_service_default,
+  $ovsdb_connection          = 'tcp:127.0.0.1:6640',
+  $ovs_manager               = 'ptcp:6640:127.0.0.1',
+  $ovn_sb_connection         = $::os_service_default,
+  $ovsdb_connection_timeout  = $::os_service_default,
+  $root_helper               = 'sudo neutron-rootwrap /etc/neutron/rootwrap.conf',
+  $root_helper_daemon        = $::os_service_default,
+  $state_path                = '/var/lib/neutron',
+  $purge_config              = false,
+  ) {
+
+  include ::neutron::deps
+  include ::neutron::params
+
+  resources { 'ovn_metadata_agent_config':
+    purge => $purge_config,
+  }
+
+  ovn_metadata_agent_config {
+    'DEFAULT/debug':                          value => $debug;
+    'DEFAULT/auth_ca_cert':                   value => $auth_ca_cert;
+    'DEFAULT/nova_metadata_ip':               value => $metadata_ip;
+    'DEFAULT/nova_metadata_host':             value => $metadata_host;
+    'DEFAULT/nova_metadata_port':             value => $metadata_port;
+    'DEFAULT/nova_metadata_protocol':         value => $metadata_protocol;
+    'DEFAULT/nova_metadata_insecure':         value => $metadata_insecure;
+    'DEFAULT/metadata_proxy_shared_secret':   value => $shared_secret;
+    'DEFAULT/metadata_workers':               value => $metadata_workers;
+    'DEFAULT/metadata_backlog':               value => $metadata_backlog;
+    'DEFAULT/nova_client_cert':               value => $nova_client_cert;
+    'DEFAULT/nova_client_priv_key':           value => $nova_client_priv_key;
+    'DEFAULT/state_path':                     value => $state_path;
+    'agent/root_helper':                      value => $root_helper;
+    'agent/root_helper_daemon':               value => $root_helper_daemon;
+    'ovs/ovsdb_connection':                   value => $ovsdb_connection;
+    'ovs/ovsdb_connection_timeout':           value => $ovsdb_connection_timeout;
+    'ovn/ovn_sb_connection':                  value => $ovn_sb_connection;
+  }
+
+  if $::neutron::params::ovn_metadata_agent_package {
+    package { 'ovn-metadata':
+      ensure => $package_ensure,
+      name   => $::neutron::params::ovn_metadata_agent_package,
+      tag    => ['openstack', 'neutron-package'],
+    }
+  }
+
+  if $manage_service {
+    if $enabled {
+      $service_ensure = 'running'
+    } else {
+      $service_ensure = 'stopped'
+    }
+  }
+
+  service { 'ovn-metadata':
+    ensure => $service_ensure,
+    name   => $::neutron::params::ovn_metadata_agent_service,
+    enable => $enabled,
+    tag    => 'neutron-service',
+  }
+
+  # Set OVS manager so that metadata agent can connect to Open vSwitch
+  exec { 'Set OVS Manager':
+    command => "ovs-vsctl --timeout=5 --id=@manager -- create Manager target=\\\"${ovs_manager}\\\" \
+               -- add Open_vSwitch . manager_options @manager",
+    unless  => "ovs-vsctl show | grep \"${ovs_manager}\"",
+    path    => '/usr/sbin:/usr/bin:/sbin:/bin',
+    notify  => Service['ovn-metadata'],
+  }
+}

manifests/config.pp

@@ -54,6 +54,9 @@
 # [*metadata_agent_config*]
 #   (optional) Manage configuration of metadata_agent.ini
 #
+# [*ovn_metadata_agent_config*]
+#   (optional) Manage configuration of networking-ovn metadata_agent.ini
+#
 # [*metering_agent_config*]
 #   (optional) Manage configuration of metering_agent.ini
 #
@@ -108,6 +111,7 @@ class neutron::config (
   $dhcp_agent_config             = {},
   $lbaas_agent_config            = {},
   $metadata_agent_config         = {},
+  $ovn_metadata_agent_config     = {},
   $metering_agent_config         = {},
   $vpnaas_agent_config           = {},
   $plugin_linuxbridge_config     = {},
@@ -136,6 +140,7 @@ class neutron::config (
   validate_hash($dhcp_agent_config)
   validate_hash($lbaas_agent_config)
   validate_hash($metadata_agent_config)
+  validate_hash($ovn_metadata_agent_config)
   validate_hash($metering_agent_config)
   validate_hash($vpnaas_agent_config)
   validate_hash($plugin_linuxbridge_config)
@@ -174,4 +179,5 @@ class neutron::config (
   create_resources('neutron_l2gw_service_config', $l2gw_service_config)
   create_resources('neutron_plugin_nsx', $plugin_nsx_config)
   create_resources('neutron_plugin_nvp', $plugin_nvp_config)
+  create_resources('ovn_metadata_agent_config', $ovn_metadata_agent_config)
 }

manifests/deps.pp

@@ -69,6 +69,7 @@ class neutron::deps {
   Anchor['neutron::config::begin'] -> Neutron_vpnaas_service_config<||> ~> Anchor['neutron::config::end']
   Anchor['neutron::config::begin'] -> Neutron_plugin_nsx<||> ~> Anchor['neutron::config::end']
   Anchor['neutron::config::begin'] -> Neutron_rootwrap_config<||> ~> Anchor['neutron::config::end']
+  Anchor['neutron::config::begin'] -> Ovn_metadata_agent_config<||> ~> Anchor['neutron::config::end']
 
   # Support packages need to be installed in the install phase, but we don't
   # put them in the chain above because we don't want any false dependencies

manifests/params.pp

@@ -29,6 +29,7 @@ class neutron::params {
   $metering_agent_service      = 'neutron-metering-agent'
   $l3_agent_service            = 'neutron-l3-agent'
   $metadata_agent_service      = 'neutron-metadata-agent'
+  $ovn_metadata_agent_service  = 'networking-ovn-metadata-agent'
   $bagpipe_bgp_package         = 'openstack-bagpipe-bgp'
   $bgpvpn_bagpipe_package      = 'python-networking-bagpipe'
   $bgpvpn_bagpipe_service      = 'bagpipe-bgp'
@@ -64,6 +65,7 @@ class neutron::params {
     $vpnaas_agent_package       = 'openstack-neutron-vpnaas'
     $l2gw_agent_package         = 'openstack-neutron-l2gw-agent'
     $l2gw_package               = 'python2-networking-l2gw'
+    $ovn_metadata_agent_package = 'networking-ovn-metadata-agent'
     if $::operatingsystemrelease =~ /^7.*/ or $::operatingsystem == 'Fedora' {
       $openswan_package = 'libreswan'
     } else {

manifests/plugins/ml2/ovn.pp

@@ -42,6 +42,11 @@
 #   (optional) Type of VIF to be used for ports.
 #   Valid values are 'ovs', 'vhostuser'
 #   Defaults to $::os_service_default
+#
+# [*ovn_metadata_enabled*]
+#   (optional) Whether to enable metadata service in OVN.
+#   Type: boolean
+#   Defaults to $::os_service_default
 
 class neutron::plugins::ml2::ovn(
   $ovn_nb_connection        = $::os_service_default,
@@ -51,6 +56,7 @@ class neutron::plugins::ml2::ovn(
   $neutron_sync_mode        = $::os_service_default,
   $ovn_l3_mode              = $::os_service_default,
   $vif_type                 = $::os_service_default,
+  $ovn_metadata_enabled     = $::os_service_default,
   ) {
 
   include ::neutron::deps
@@ -82,5 +88,6 @@ class neutron::plugins::ml2::ovn(
     'ovn/neutron_sync_mode'        : value => $neutron_sync_mode;
     'ovn/ovn_l3_mode'              : value => $ovn_l3_mode;
     'ovn/vif_type'                 : value => $vif_type;
+    'ovn/ovn_metadata_enabled'     : value => $ovn_metadata_enabled;
   }
 }

releasenotes/notes/networking_ovn_metadata_support-f58ce24ce7e8a2bc.yaml

@@ -0,0 +1,3 @@
+---
+features:
+  - Adds ability to configure metadata agent in networking-ovn.

spec/classes/neutron_agents_ovn_metadata_spec.rb

@@ -0,0 +1,140 @@
+require 'spec_helper'
+
+describe 'neutron::agents::ovn_metadata' do
+
+  let :pre_condition do
+    "class { 'neutron': rabbit_password => 'passw0rd' }"
+  end
+
+  let :params do
+    { :package_ensure    => 'present',
+      :debug             => false,
+      :enabled           => true,
+      :shared_secret     => 'metadata-secret',
+      :purge_config      => false,
+      :ovsdb_connection  => 'tcp:127.0.0.1:6640',
+      :root_helper       => 'sudo neutron-rootwrap /etc/neutron/rootwrap.conf',
+      :state_path        => '/var/lib/neutron/',
+    }
+  end
+
+  let :test_facts do
+    { :operatingsystem           => 'default',
+      :operatingsystemrelease    => 'default',
+    }
+  end
+
+  shared_examples_for 'ovn metadata agent' do
+
+    it { is_expected.to contain_class('neutron::params') }
+
+    it 'configures ovn metadata agent service' do
+      is_expected.to contain_service('ovn-metadata').with(
+        :name    => platform_params[:ovn_metadata_agent_service],
+        :enable  => params[:enabled],
+        :ensure  => 'running',
+        :tag     => 'neutron-service',
+      )
+      is_expected.to contain_service('ovn-metadata').that_subscribes_to('Anchor[neutron::service::begin]')
+      is_expected.to contain_service('ovn-metadata').that_notifies('Anchor[neutron::service::end]')
+    end
+
+    context 'with manage_service as false' do
+      before :each do
+        params.merge!(:manage_service => false)
+      end
+      it 'should not start/stop service' do
+        is_expected.to contain_service('ovn-metadata').without_ensure
+      end
+    end
+
+    it 'passes purge to resource' do
+      is_expected.to contain_resources('ovn_metadata_agent_config').with({
+        :purge => false
+      })
+    end
+
+    it 'configures ovn_metadata_agent.ini' do
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/debug').with(:value => params[:debug])
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/auth_ca_cert').with(:value => '<SERVICE DEFAULT>')
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/nova_client_cert').with(:value => '<SERVICE DEFAULT>')
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/nova_client_priv_key').with(:value => '<SERVICE DEFAULT>')
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/nova_metadata_ip').with(:value => '<SERVICE DEFAULT>')
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/nova_metadata_host').with(:value => '<SERVICE DEFAULT>')
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/nova_metadata_port').with(:value => '<SERVICE DEFAULT>')
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/nova_metadata_protocol').with(:value => '<SERVICE DEFAULT>')
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/metadata_workers').with(:value => facts[:os_workers])
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/metadata_backlog').with(:value => '<SERVICE DEFAULT>')
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/nova_metadata_insecure').with(:value => '<SERVICE DEFAULT>')
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/state_path').with(:value => params[:state_path])
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/metadata_proxy_shared_secret').with(:value => params[:shared_secret])
+      is_expected.to contain_ovn_metadata_agent_config('agent/root_helper').with(:value => params[:root_helper])
+      is_expected.to contain_ovn_metadata_agent_config('agent/root_helper_daemon').with(:value => '<SERVICE DEFAULT>')
+      is_expected.to contain_ovn_metadata_agent_config('ovs/ovsdb_connection_timeout').with(:value => '<SERVICE DEFAULT>')
+      is_expected.to contain_ovn_metadata_agent_config('ovs/ovsdb_connection').with(:value => params[:ovsdb_connection])
+      is_expected.to contain_ovn_metadata_agent_config('ovn/ovn_sb_connection').with(:value => '<SERVICE DEFAULT>')
+    end
+  end
+
+  shared_examples_for 'ovn metadata agent with auth_ca_cert set' do
+    let :params do
+      { :auth_ca_cert         => '/some/cert',
+        :shared_secret        => '42',
+        :nova_client_cert     => '/nova/cert',
+        :nova_client_priv_key => '/nova/key',
+        :metadata_insecure    => true,
+      }
+    end
+
+    it 'configures certificate' do
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/auth_ca_cert').with_value('/some/cert')
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/nova_client_cert').with_value('/nova/cert')
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/nova_client_priv_key').with_value('/nova/key')
+      is_expected.to contain_ovn_metadata_agent_config('DEFAULT/nova_metadata_insecure').with_value(true)
+    end
+  end
+
+  context 'on Debian platforms' do
+    let :facts do
+      @default_facts.merge(test_facts.merge(
+        { :osfamily => 'Debian' }
+      ))
+    end
+
+    let :platform_params do
+      { :ovn_metadata_agent_service => 'networking-ovn-metadata-agent' }
+    end
+    
+    it_configures 'ovn metadata agent'
+    it_configures 'ovn metadata agent with auth_ca_cert set'
+  end
+
+  context 'on Red Hat platforms' do
+    let :facts do
+      @default_facts.merge(test_facts.merge({
+         :osfamily => 'RedHat',
+         :operatingsystemrelease => '7'
+      }))
+    end
+
+    let :platform_params do
+      { :ovn_metadata_agent_package => 'networking-ovn-metadata-agent',
+        :ovn_metadata_agent_service => 'networking-ovn-metadata-agent' }
+    end
+
+    it 'installs ovn metadata agent package' do
+      is_expected.to contain_package('ovn-metadata').with(
+        :ensure => params[:package_ensure],
+        :name   => platform_params[:ovn_metadata_agent_package],
+        :tag    => ['openstack', 'neutron-package'],
+      )
+    end
+
+    it_configures 'ovn metadata agent'
+    it_configures 'ovn metadata agent with auth_ca_cert set'
+    it 'configures subscription to ovn-metadata package' do
+      is_expected.to contain_service('ovn-metadata').that_subscribes_to('Anchor[neutron::service::begin]')
+      is_expected.to contain_service('ovn-metadata').that_notifies('Anchor[neutron::service::end]')
+    end
+  end
+end

spec/unit/provider/ovn_metadata_agent_config/ini_setting_spec.rb

@@ -0,0 +1,74 @@
+$LOAD_PATH.push(
+  File.join(
+    File.dirname(__FILE__),
+    '..',
+    '..',
+    '..',
+    'fixtures',
+    'modules',
+    'inifile',
+    'lib')
+)
+$LOAD_PATH.push(
+  File.join(
+    File.dirname(__FILE__),
+    '..',
+    '..',
+    '..',
+    'fixtures',
+    'modules',
+    'openstacklib',
+    'lib')
+)
+
+require 'spec_helper'
+
+provider_class = Puppet::Type.type(:ovn_metadata_agent_config).provider(:ini_setting)
+
+describe provider_class do
+
+  it 'should default to the default setting when no other one is specified' do
+    resource = Puppet::Type::Ovn_metadata_agent_config.new(
+      {
+        :name => 'DEFAULT/foo',
+        :value => 'bar'
+      }
+    )
+    provider = provider_class.new(resource)
+    expect(provider.section).to eq('DEFAULT')
+    expect(provider.setting).to eq('foo')
+    expect(provider.file_path).to eq('/etc/neutron/plugins/networking-ovn/networking-ovn-metadata-agent.ini')
+  end
+
+  it 'should allow setting to be set explicitly' do
+    resource = Puppet::Type::Ovn_metadata_agent_config.new(
+      {
+        :name => 'dude/foo',
+        :value => 'bar'
+      }
+    )
+    provider = provider_class.new(resource)
+    expect(provider.section).to eq('dude')
+    expect(provider.setting).to eq('foo')
+    expect(provider.file_path).to eq('/etc/neutron/plugins/networking-ovn/networking-ovn-metadata-agent.ini')
+  end
+
+  it 'should ensure absent when <SERVICE DEFAULT> is specified as a value' do
+    resource = Puppet::Type::Ovn_metadata_agent_config.new(
+      {:name => 'dude/foo', :value => '<SERVICE DEFAULT>'}
+    )
+    provider = provider_class.new(resource)
+    provider.exists?
+    expect(resource[:ensure]).to eq :absent
+  end
+
+  it 'should ensure absent when value matches ensure_absent_val' do
+    resource = Puppet::Type::Ovn_metadata_agent_config.new(
+      {:name => 'dude/foo', :value => 'foo', :ensure_absent_val => 'foo' }
+    )
+    provider = provider_class.new(resource)
+    provider.exists?
+    expect(resource[:ensure]).to eq :absent
+  end
+
+end

spec/unit/type/ovn_metadata_agent_config_spec.rb

@@ -0,0 +1,20 @@
+require 'puppet'
+require 'puppet/type/ovn_metadata_agent_config'
+
+describe 'Puppet::Type.type(:ovn_metadata_agent_config)' do
+
+  before :each do
+    @ovn_metadata_agent_config = Puppet::Type.type(:ovn_metadata_agent_config).new(:name => 'DEFAULT/foo', :value => 'bar')
+  end
+
+  it 'should autorequire the package that install the file' do
+    catalog = Puppet::Resource::Catalog.new
+    package = Puppet::Type.type(:package).new(:name => 'networking-ovn-metadata-agent')
+    catalog.add_resource package, @ovn_metadata_agent_config
+    dependency = @ovn_metadata_agent_config.autorequire
+    expect(dependency.size).to eq(1)
+    expect(dependency[0].target).to eq(@ovn_metadata_agent_config)
+    expect(dependency[0].source).to eq(package)
+  end
+
+end