Add Neutron FWaaS to integration tests

Support for FWaaS was recently restored. Add the extension to a few integration scenarios. Depends-on: https://review.opendev.org/953213 Change-Id: I8b023f972128c64281c9eb2a37d5f58d94ec5945 Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
2025-08-31 15:56:44 +09:00
parent 07663d76e4
commit 655acbfc4b
6 changed files with 115 additions and 8 deletions
--- a/README.md
+++ b/README.md
@@ -74,6 +74,7 @@ scenario](#all-in-one).
 | vitrage    |      X      |             |             |             |             |              |
 | watcher    |      X      |             |             |             |             |              |
 | cloudkitty |      X      |             |             |             |             |              |
+| fwaas      |             |             |             |      X      |      X      |              |
 | vpnaas     |             |             |             |      X      |      X      |              |
 | taas       |             |             |             |      X      |             |              |
 | bgpvpn-api |             |             |             |      X      |             |              |
--- a/fixtures/scenario004.pp
+++ b/fixtures/scenario004.pp
@@ -27,6 +27,7 @@ case $facts['os']['family'] {
    $bgpvpn_enabled = false
    $l2gw_enabled = false
    $bgp_dragent_enabled = false
+    $fwaas_enabled = false
    $vpnaas_enabled = false
    $taas_enabled = false
  }
@@ -35,6 +36,7 @@ case $facts['os']['family'] {
    $bgpvpn_enabled = true
    $l2gw_enabled = true
    $bgp_dragent_enabled = true
+    $fwaas_enabled = true
    $vpnaas_enabled = true
    $taas_enabled = true
  }
@@ -64,6 +66,7 @@ class { 'openstack_integration::glance':
 }

 class { 'openstack_integration::neutron':
+  fwaas_enabled       => $fwaas_enabled,
  vpnaas_enabled      => $vpnaas_enabled,
  taas_enabled        => $taas_enabled,
  bgpvpn_enabled      => $bgpvpn_enabled,
@@ -97,6 +100,7 @@ class { 'openstack_integration::provision':
 # Glance, nova, neutron are true by default.
 class { 'openstack_integration::tempest':
  horizon             => true,
+  fwaas               => $fwaas_enabled,
  vpnaas              => $vpnaas_enabled,
  taas                => $taas_enabled,
  bgpvpn              => $bgpvpn_enabled,
--- a/fixtures/scenario005.pp
+++ b/fixtures/scenario005.pp
@@ -25,11 +25,13 @@ case $facts['os']['family'] {
    $ipv6 = false
    $jobboard_backend = 'redis'
    # TODO(tkajinam): Enable these along with the other plugins
+    $fwaas_enabled  = false
    $vpnaas_enabled = false
  }
  'RedHat': {
    $ipv6 = true
    $jobboard_backend = 'redis_sentinel'
+    $fwaas_enabled  = true
    $vpnaas_enabled = true
  }
  default: {
@@ -60,6 +62,7 @@ class { 'openstack_integration::glance':
 class { 'openstack_integration::neutron':
  driver                     => 'ovn',
  ovn_metadata_agent_enabled => false,
+  fwaas_enabled              => $fwaas_enabled,
  vpnaas_enabled             => $vpnaas_enabled,
 }
 include openstack_integration::placement
@@ -90,5 +93,6 @@ class { 'openstack_integration::tempest':
  octavia        => true,
  neutron_driver => 'ovn',
  image_format   => 'raw',
+  fwaas          => $fwaas_enabled,
  vpnaas         => $vpnaas_enabled,
 }
--- a/manifests/neutron.pp
+++ b/manifests/neutron.pp
@@ -13,6 +13,10 @@
 #   (optional) Flag to enable metering agent
 #   Defaults to false.
 #
+# [*fwaas_enabled*]
+#   (optional) Flag to enable FWaaS.
+#   Defaults to false.
+#
 # [*vpnaas_enabled*]
 #   (optional) Flag to enable VPNaaS.
 #   Defaults to false.
@@ -49,6 +53,7 @@ class openstack_integration::neutron (
  $driver                     = 'openvswitch',
  $ovn_metadata_agent_enabled = true,
  $metering_enabled           = false,
+  $fwaas_enabled              = false,
  $vpnaas_enabled             = false,
  $taas_enabled               = false,
  $bgpvpn_enabled             = false,
@@ -154,12 +159,18 @@ class openstack_integration::neutron (

  if $driver == 'ovn' {
    $dhcp_agent_notification = false
+    $fwaas_plugin = $fwaas_enabled ? {
+      true    => 'firewall_v2',
+      default => undef,
+    }
    $vpnaas_plugin = $vpnaas_enabled ? {
      true    => 'ovn-vpnaas',
      default => undef,
    }
    $plugins_list = delete_undef_values([
-      'qos', 'ovn-router', 'trunk', $vpnaas_plugin,
+      'qos', 'ovn-router', 'trunk',
+      $fwaas_plugin,
+      $vpnaas_plugin,
    ])
  } else {
    $dhcp_agent_notification = true
@@ -167,6 +178,10 @@ class openstack_integration::neutron (
      true    => 'metering',
      default => undef,
    }
+    $fwaas_plugin = $fwaas_enabled ? {
+      true    => 'firewall_v2',
+      default => undef,
+    }
    $vpnaas_plugin = $vpnaas_enabled ? {
      true    => 'vpnaas',
      default => undef,
@@ -191,6 +206,7 @@ class openstack_integration::neutron (
    $plugins_list = delete_undef_values([
      'router', 'qos', 'trunk',
      $metering_plugin,
+      $fwaas_plugin,
      $vpnaas_plugin,
      $taas_plugin,
      $bgpvpn_plugin,
@@ -283,6 +299,10 @@ class openstack_integration::neutron (
    workers   => 2,
  }

+  $fwaas_conf = $fwaas_enabled ? {
+    true    => 'neutron_fwaas.conf',
+    default => undef,
+  }
  $vpnaas_conf = $vpnaas_enabled ? {
    true    => 'neutron_vpnaas.conf',
    default => undef,
@@ -302,7 +322,7 @@ class openstack_integration::neutron (

  $neutron_conf_files = delete_undef_values([
    'neutron.conf', 'plugins/ml2/ml2_conf.ini',
-    $vpnaas_conf, $taas_conf, $bgpvpn_conf, $l2gw_conf,
+    $fwaas_conf, $vpnaas_conf, $taas_conf, $bgpvpn_conf, $l2gw_conf,
  ])

  # TODO(tkajinam): Should this be in puppet-neutron ?
@@ -364,10 +384,17 @@ Environment=OS_NEUTRON_CONFIG_FILES=${join($neutron_conf_files, ';')}",

  case $driver {
    'openvswitch': {
-      $agent_extensions = $taas_enabled ? {
-        true    => ['taas'],
+      $fwaas_agent_extension = $fwaas_enabled ? {
+        true    => 'taas',
        default => undef,
      }
+      $taas_agent_extension = $taas_enabled ? {
+        true    => 'taas',
+        default => undef,
+      }
+      $agent_extensions = delete_undef_values([
+        $fwaas_agent_extension, $taas_agent_extension,
+      ])

      class { 'neutron::agents::ml2::ovs':
        local_ip          => $openstack_integration::config::host,
@@ -437,6 +464,24 @@ Environment=OS_NEUTRON_CONFIG_FILES=${join($neutron_conf_files, ';')}",
      }
    }

+    if $fwaas_enabled {
+      class { 'neutron::services::fwaas':
+        service_providers => join([
+          'FIREWALL_V2',
+          'fwaas_db',
+          'neutron_fwaas.services.firewall.service_drivers.ovn.firewall_l3_driver.OVNFwaasDriver',
+          'default',
+        ], ':'),
+      }
+      # TODO(tkajinam): Remove this once the following change is available.
+      # https://review.rdoproject.org/r/c/openstack/neutron-fwaas-distgit/+/57896
+      file { '/usr/share/neutron/server/neutron_fwaas.conf':
+        ensure => link,
+        target => '/etc/neutron/neutron_fwaas.conf',
+        tag    => 'neutron-config-file',
+      }
+    }
+
    $vpn_device_driver = $facts['os']['family'] ? {
      'Debian' => 'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnStrongSwanDriver',
      default  => 'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnLibreSwanDriver',
@@ -464,10 +509,17 @@ Environment=OS_NEUTRON_CONFIG_FILES=${join($neutron_conf_files, ';')}",
      metadata_protocol => $openstack_integration::config::proto,
    }

-    $l3_extensions = $vpnaas_enabled ? {
-      true    => ['vpnaas'],
+    $fwaas_l3_extension = $fwaas_enabled ? {
+      true    => 'fwaas_v2',
      default => undef,
    }
+    $vpnaas_l3_extension = $vpnaas_enabled ? {
+      true    => 'vpnaas',
+      default => undef,
+    }
+    $l3_extensions = delete_undef_values([
+      $fwaas_l3_extension, $vpnaas_l3_extension,
+    ])
    class { 'neutron::agents::l3':
      interface_driver => $driver,
      debug            => true,
@@ -486,6 +538,29 @@ Environment=OS_NEUTRON_CONFIG_FILES=${join($neutron_conf_files, ';')}",
      }
    }

+    if $fwaas_enabled {
+      class { 'neutron::services::fwaas':
+        service_providers => join([
+          'FIREWALL_V2',
+          'fwaas_db',
+          'neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver',
+          'default',
+        ], ':'),
+      }
+      # TODO(tkajinam): Remove this once the following change is available.
+      # https://review.rdoproject.org/r/c/openstack/neutron-fwaas-distgit/+/57896
+      file { '/usr/share/neutron/server/neutron_fwaas.conf':
+        ensure => link,
+        target => '/etc/neutron/neutron_fwaas.conf',
+        tag    => 'neutron-config-file',
+      }
+      class { 'neutron::agents::fwaas':
+        enabled            => true,
+        driver             => 'iptables_v2',
+        firewall_l2_driver => 'noop',
+      }
+    }
+
    $vpn_device_driver = $facts['os']['family'] ? {
      'Debian' => 'neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver',
      default  => 'neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver'
@@ -507,13 +582,23 @@ Environment=OS_NEUTRON_CONFIG_FILES=${join($neutron_conf_files, ';')}",
        # NOTE(tkajinm): This value is picked up from the one used in CI, but is
        # apparently wrong (It should have rpc_l2gw), but we can't enable
        # the correct provider because of incomplete setup we have in CI.
-        service_providers => ['L2GW:l2gw:networking_l2gw.services.l2gateway.service_drivers.L2gwDriver:default'],
+        service_providers => join([
+          'L2GW',
+          'l2gw',
+          'networking_l2gw.services.l2gateway.service_drivers.L2gwDriver',
+          'default',
+        ], ':'),
      }
      class { 'neutron::agents::l2gw': }
    }
    if $bgpvpn_enabled {
      class { 'neutron::services::bgpvpn':
-        service_providers => 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default',
+        service_providers => join([
+          'BGPVPN',
+          'Dummy',
+          'networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver',
+          'default',
+        ], ':'),
      }
    }
    if $bgp_dragent_enabled {
--- a/manifests/tempest.pp
+++ b/manifests/tempest.pp
@@ -104,6 +104,10 @@
 #   (optional) Define if Vitrage needs to be tested.
 #   Default to false.
 #
+# [*fwaas*]
+#   (optional) Define if Neutron FWaaS needs to be tested.
+#   Default to false.
+#
 # [*vpnaas*]
 #   (optional) Define if Neutron VPNaaS needs to be tested.
 #   Default to false.
@@ -183,6 +187,7 @@ class openstack_integration::tempest (
  $trove                   = false,
  $watcher                 = false,
  $vitrage                 = false,
+  $fwaas                   = false,
  $vpnaas                  = false,
  $taas                    = false,
  $zaqar                   = false,
@@ -259,6 +264,10 @@ class openstack_integration::tempest (
      true    => ['bgpvpn'],
      default => [],
    }
+    $neutron_fwaas_extensions = $fwaas ? {
+      true    => ['fwaas_v2'],
+      default => [],
+    }
    $neutron_vpnaas_extensions = $vpnaas ? {
      true    => ['vpnaas'],
      default => [],
@@ -275,6 +284,7 @@ class openstack_integration::tempest (
      $neutron_metering_extensions +
      $neutron_l2gw_extensions +
      $neutron_bgpvpn_extensions +
+      $neutron_fwaas_extensions +
      $neutron_vpnaas_extensions +
      $neutron_taas_extensions
    )
--- a/run_tests.sh
+++ b/run_tests.sh
@@ -330,6 +330,9 @@ echo "TestEncryptedCinderVolumes" >> /tmp/openstack/tempest/test-include-list.tx
 # Mistral
 echo "test_create_and_delete_workflow" >> /tmp/openstack/tempest/test-include-list.txt

+# FWaaS
+echo "api.test_fwaasv2_extensions" >> /tmp/openstack/tempest/test-include-list.txt
+
 # TaaS
 echo "test_create_tap_service_and_flow" >> /tmp/openstack/tempest/test-include-list.txt