From 655acbfc4bf9c9d10cf158875839de844aef7187 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Sun, 31 Aug 2025 15:56:44 +0900 Subject: [PATCH] Add Neutron FWaaS to integration tests Support for FWaaS was recently restored. Add the extension to a few integration scenarios. Depends-on: https://review.opendev.org/953213 Change-Id: I8b023f972128c64281c9eb2a37d5f58d94ec5945 Signed-off-by: Takashi Kajinami --- README.md | 1 + fixtures/scenario004.pp | 4 ++ fixtures/scenario005.pp | 4 ++ manifests/neutron.pp | 101 ++++++++++++++++++++++++++++++++++++---- manifests/tempest.pp | 10 ++++ run_tests.sh | 3 ++ 6 files changed, 115 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index ec10e804d..d23ff7f7c 100644 --- a/README.md +++ b/README.md @@ -74,6 +74,7 @@ scenario](#all-in-one). | vitrage | X | | | | | | | watcher | X | | | | | | | cloudkitty | X | | | | | | +| fwaas | | | | X | X | | | vpnaas | | | | X | X | | | taas | | | | X | | | | bgpvpn-api | | | | X | | | diff --git a/fixtures/scenario004.pp b/fixtures/scenario004.pp index 75ed45013..de09e8f36 100644 --- a/fixtures/scenario004.pp +++ b/fixtures/scenario004.pp @@ -27,6 +27,7 @@ case $facts['os']['family'] { $bgpvpn_enabled = false $l2gw_enabled = false $bgp_dragent_enabled = false + $fwaas_enabled = false $vpnaas_enabled = false $taas_enabled = false } @@ -35,6 +36,7 @@ case $facts['os']['family'] { $bgpvpn_enabled = true $l2gw_enabled = true $bgp_dragent_enabled = true + $fwaas_enabled = true $vpnaas_enabled = true $taas_enabled = true } @@ -64,6 +66,7 @@ class { 'openstack_integration::glance': } class { 'openstack_integration::neutron': + fwaas_enabled => $fwaas_enabled, vpnaas_enabled => $vpnaas_enabled, taas_enabled => $taas_enabled, bgpvpn_enabled => $bgpvpn_enabled, 
@@ -97,6 +100,7 @@ class { 'openstack_integration::provision': # Glance, nova, neutron are true by default. class { 'openstack_integration::tempest': horizon => true, + fwaas => $fwaas_enabled, vpnaas => $vpnaas_enabled, taas => $taas_enabled, bgpvpn => $bgpvpn_enabled, diff --git a/fixtures/scenario005.pp b/fixtures/scenario005.pp index 2a3c728eb..81df3b55f 100644 --- a/fixtures/scenario005.pp +++ b/fixtures/scenario005.pp @@ -25,11 +25,13 @@ case $facts['os']['family'] { $ipv6 = false $jobboard_backend = 'redis' # TODO(tkajinam): Enable these along with the other plugins + $fwaas_enabled = false $vpnaas_enabled = false } 'RedHat': { $ipv6 = true $jobboard_backend = 'redis_sentinel' + $fwaas_enabled = true $vpnaas_enabled = true } default: { @@ -60,6 +62,7 @@ class { 'openstack_integration::glance': class { 'openstack_integration::neutron': driver => 'ovn', ovn_metadata_agent_enabled => false, + fwaas_enabled => $fwaas_enabled, vpnaas_enabled => $vpnaas_enabled, } include openstack_integration::placement @@ -90,5 +93,6 @@ class { 'openstack_integration::tempest': octavia => true, neutron_driver => 'ovn', image_format => 'raw', + fwaas => $fwaas_enabled, vpnaas => $vpnaas_enabled, } diff --git a/manifests/neutron.pp b/manifests/neutron.pp index eea2cfd56..7344537f8 100644 --- a/manifests/neutron.pp +++ b/manifests/neutron.pp @@ -13,6 +13,10 @@ # (optional) Flag to enable metering agent # Defaults to false. # +# [*fwaas_enabled*] +# (optional) Flag to enable FWaaS. +# Defaults to false. +# # [*vpnaas_enabled*] # (optional) Flag to enable VPNaaS. # Defaults to false. @@ -49,6 +53,7 @@ class openstack_integration::neutron ( $driver = 'openvswitch', $ovn_metadata_agent_enabled = true, $metering_enabled = false, + $fwaas_enabled = false, $vpnaas_enabled = false, $taas_enabled = false, $bgpvpn_enabled = false, 
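Review bot: `$fwaas_enabled` is added to the parameter list of `openstack_integration::neutron` without a data type, and later hunks read it in two different ways. The selectors match only the literal `true` (`true => 'firewall_v2'`, `true => 'neutron_fwaas.conf'`), while `if $fwaas_enabled` accepts any truthy value. A string such as `'true'` would therefore declare `neutron::services::fwaas` without adding `firewall_v2` to the plugin list or `neutron_fwaas.conf` to the config files. Declaring it as `Boolean $fwaas_enabled = false,` would reject such input up front. The neighbouring flags are untyped in the same way, and the parameter list continues outside the hunk.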
@@ -154,12 +159,18 @@ class openstack_integration::neutron ( if $driver == 'ovn' { $dhcp_agent_notification = false + $fwaas_plugin = $fwaas_enabled ? { + true => 'firewall_v2', + default => undef, + } $vpnaas_plugin = $vpnaas_enabled ? { true => 'ovn-vpnaas', default => undef, } $plugins_list = delete_undef_values([ - 'qos', 'ovn-router', 'trunk', $vpnaas_plugin, + 'qos', 'ovn-router', 'trunk', + $fwaas_plugin, + $vpnaas_plugin, ]) } else { $dhcp_agent_notification = true @@ -167,6 +178,10 @@ class openstack_integration::neutron ( true => 'metering', default => undef, } + $fwaas_plugin = $fwaas_enabled ? { + true => 'firewall_v2', + default => undef, + } $vpnaas_plugin = $vpnaas_enabled ? { true => 'vpnaas', default => undef, @@ -191,6 +206,7 @@ class openstack_integration::neutron ( $plugins_list = delete_undef_values([ 'router', 'qos', 'trunk', $metering_plugin, + $fwaas_plugin, $vpnaas_plugin, $taas_plugin, $bgpvpn_plugin, @@ -283,6 +299,10 @@ class openstack_integration::neutron ( workers => 2, } + $fwaas_conf = $fwaas_enabled ? { + true => 'neutron_fwaas.conf', + default => undef, + } $vpnaas_conf = $vpnaas_enabled ? { true => 'neutron_vpnaas.conf', default => undef, @@ -302,7 +322,7 @@ class openstack_integration::neutron ( $neutron_conf_files = delete_undef_values([ 'neutron.conf', 'plugins/ml2/ml2_conf.ini', - $vpnaas_conf, $taas_conf, $bgpvpn_conf, $l2gw_conf, + $fwaas_conf, $vpnaas_conf, $taas_conf, $bgpvpn_conf, $l2gw_conf, ]) # TODO(tkajinam): Should this be in puppet-neutron ? 
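Review bot: `$fwaas_plugin` is computed by the same selector in the `ovn` branch (`@@ -154,12 +159,18 @@`) and in the `else` branch (`@@ -167,6 +178,10 @@`), unlike `$vpnaas_plugin`, whose value differs per driver. Assigning it once before `if $driver == 'ovn' {` would remove the duplicate and keep the two branches from drifting apart. The `if` block starts and ends outside these hunks.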
@@ -364,10 +384,17 @@ Environment=OS_NEUTRON_CONFIG_FILES=${join($neutron_conf_files, ';')}", case $driver { 'openvswitch': { - $agent_extensions = $taas_enabled ? { - true => ['taas'], + $fwaas_agent_extension = $fwaas_enabled ? { + true => 'taas', default => undef, } + $taas_agent_extension = $taas_enabled ? { + true => 'taas', + default => undef, + } + $agent_extensions = delete_undef_values([ + $fwaas_agent_extension, $taas_agent_extension, + ]) class { 'neutron::agents::ml2::ovs': local_ip => $openstack_integration::config::host, @@ -437,6 +464,24 @@ Environment=OS_NEUTRON_CONFIG_FILES=${join($neutron_conf_files, ';')}", } } + if $fwaas_enabled { + class { 'neutron::services::fwaas': + service_providers => join([ + 'FIREWALL_V2', + 'fwaas_db', + 'neutron_fwaas.services.firewall.service_drivers.ovn.firewall_l3_driver.OVNFwaasDriver', + 'default', + ], ':'), + } + # TODO(tkajinam): Remove this once the following change is available. + # https://review.rdoproject.org/r/c/openstack/neutron-fwaas-distgit/+/57896 + file { '/usr/share/neutron/server/neutron_fwaas.conf': + ensure => link, + target => '/etc/neutron/neutron_fwaas.conf', + tag => 'neutron-config-file', + } + } + $vpn_device_driver = $facts['os']['family'] ? { 'Debian' => 'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnStrongSwanDriver', default => 'neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnLibreSwanDriver', @@ -464,10 +509,17 @@ Environment=OS_NEUTRON_CONFIG_FILES=${join($neutron_conf_files, ';')}", metadata_protocol => $openstack_integration::config::proto, } - $l3_extensions = $vpnaas_enabled ? { - true => ['vpnaas'], + $fwaas_l3_extension = $fwaas_enabled ? { + true => 'fwaas_v2', default => undef, } + $vpnaas_l3_extension = $vpnaas_enabled ? { + true => 'vpnaas', + default => undef, + } + $l3_extensions = delete_undef_values([ + $fwaas_l3_extension, $vpnaas_l3_extension, + ]) class { 'neutron::agents::l3': interface_driver => $driver, debug => true, 
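Review bot: `$fwaas_agent_extension` resolves to `'taas'` when FWaaS is enabled, which looks like a copy of the TaaS selector just below it. The intended value is presumably `fwaas_v2`, as used for `$fwaas_l3_extension` later in this file: `true => 'fwaas_v2',`. As written, enabling FWaaS alone loads the TaaS extension in the OVS agent and enabling both yields `['taas', 'taas']`, so the FWaaS agent extension is never loaded. Separately, `$agent_extensions` (and `$l3_extensions` in the `@@ -464,10 +509,17 @@` hunk) is now `[]` rather than `undef` when nothing is enabled; confirm the agent classes treat an empty list like the unset default. The `case $driver` block continues outside the hunk.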
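Review bot: The `file` resource for `/usr/share/neutron/server/neutron_fwaas.conf` in the `@@ -437,6 +464,24 @@` hunk is declared whenever `$fwaas_enabled` is true, but its TODO points at an RDO packaging change, which suggests the workaround is meant for RedHat-family hosts only. The fixtures appear to enable FWaaS only on RedHat, yet the class itself does not enforce that. Wrapping the resource in `if $facts['os']['family'] == 'RedHat' { ... }` would keep it from being applied where `/usr/share/neutron/server` may not exist. The same resource is repeated in the `@@ -486,6 +538,29 @@` hunk and would need the same guard.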
@@ -486,6 +538,29 @@ Environment=OS_NEUTRON_CONFIG_FILES=${join($neutron_conf_files, ';')}", } } + if $fwaas_enabled { + class { 'neutron::services::fwaas': + service_providers => join([ + 'FIREWALL_V2', + 'fwaas_db', + 'neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver', + 'default', + ], ':'), + } + # TODO(tkajinam): Remove this once the following change is available. + # https://review.rdoproject.org/r/c/openstack/neutron-fwaas-distgit/+/57896 + file { '/usr/share/neutron/server/neutron_fwaas.conf': + ensure => link, + target => '/etc/neutron/neutron_fwaas.conf', + tag => 'neutron-config-file', + } + class { 'neutron::agents::fwaas': + enabled => true, + driver => 'iptables_v2', + firewall_l2_driver => 'noop', + } + } + $vpn_device_driver = $facts['os']['family'] ? { 'Debian' => 'neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver', default => 'neutron_vpnaas.services.vpn.device_drivers.libreswan_ipsec.LibreSwanDriver' @@ -507,13 +582,23 @@ Environment=OS_NEUTRON_CONFIG_FILES=${join($neutron_conf_files, ';')}", # NOTE(tkajinm): This value is picked up from the one used in CI, but is # apparently wrong (It should have rpc_l2gw), but we can't enable # the correct provider because of incomplete setup we have in CI. - service_providers => ['L2GW:l2gw:networking_l2gw.services.l2gateway.service_drivers.L2gwDriver:default'], + service_providers => join([ + 'L2GW', + 'l2gw', + 'networking_l2gw.services.l2gateway.service_drivers.L2gwDriver', + 'default', + ], ':'), } class { 'neutron::agents::l2gw': } } if $bgpvpn_enabled { class { 'neutron::services::bgpvpn': - service_providers => 'BGPVPN:Dummy:networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver:default', + service_providers => join([ + 'BGPVPN', + 'Dummy', + 'networking_bgpvpn.neutron.services.service_drivers.driver_api.BGPVPNDriver', + 'default', + ], ':'), } } if $bgp_dragent_enabled { 
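Review bot: `firewall_l2_driver => 'noop'` in the `neutron::agents::fwaas` declaration deserves a comment. With a no-op L2 driver, firewall groups bound to ports are, as far as the name indicates, accepted by the API but not enforced by the agent. Someone reading a green job could otherwise assume port-level filtering was exercised. Suggested comment above the parameter: `# L2 driver is noop: firewall groups on ports are not enforced in this scenario.`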
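Review bot: `service_providers` for `neutron::services::l2gw` changes from a one-element array to a plain string in the `@@ -507,13 +582,23 @@` hunk, because `join([...], ':')` returns a String where the removed line passed `['L2GW:...']`. For `neutron::services::bgpvpn` the value was already a string, so only the L2GW call changes type. If the l2gw class iterates over the parameter or type-checks it as an array (not visible from this hunk), keep the wrapper: `service_providers => [join([...], ':')],`.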
diff --git a/manifests/tempest.pp b/manifests/tempest.pp index 21803884a..6197d2fd8 100644 --- a/manifests/tempest.pp +++ b/manifests/tempest.pp @@ -104,6 +104,10 @@ # (optional) Define if Vitrage needs to be tested. # Default to false. # +# [*fwaas*] +# (optional) Define if Neutron FWaaS needs to be tested. +# Default to false. +# # [*vpnaas*] # (optional) Define if Neutron VPNaaS needs to be tested. # Default to false. @@ -183,6 +187,7 @@ class openstack_integration::tempest ( $trove = false, $watcher = false, $vitrage = false, + $fwaas = false, $vpnaas = false, $taas = false, $zaqar = false, @@ -259,6 +264,10 @@ class openstack_integration::tempest ( true => ['bgpvpn'], default => [], } + $neutron_fwaas_extensions = $fwaas ? { + true => ['fwaas_v2'], + default => [], + } $neutron_vpnaas_extensions = $vpnaas ? { true => ['vpnaas'], default => [], @@ -275,6 +284,7 @@ class openstack_integration::tempest ( $neutron_metering_extensions + $neutron_l2gw_extensions + $neutron_bgpvpn_extensions + + $neutron_fwaas_extensions + $neutron_vpnaas_extensions + $neutron_taas_extensions ) diff --git a/run_tests.sh b/run_tests.sh index b70c42d6d..f74656e1d 100755 --- a/run_tests.sh +++ b/run_tests.sh @@ -330,6 +330,9 @@ echo "TestEncryptedCinderVolumes" >> /tmp/openstack/tempest/test-include-list.tx # Mistral echo "test_create_and_delete_workflow" >> /tmp/openstack/tempest/test-include-list.txt +# FWaaS +echo "api.test_fwaasv2_extensions" >> /tmp/openstack/tempest/test-include-list.txt + # TaaS echo "test_create_tap_service_and_flow" >> /tmp/openstack/tempest/test-include-list.txt
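Review bot: Only `api.test_fwaasv2_extensions` is added to the include list in `run_tests.sh`, so, going by the test name, the job covers the FWaaS API surface and not whether firewall rules actually filter traffic. That is worth stating next to the entry so a passing run is not read as proof of enforcement. For example, the comment could read `# FWaaS (API tests only; rule enforcement is not exercised)`.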