Provide support for security groups for ConnectionPoints

Add option for providing security groups in ConnectionPoint
node_type of TOSCA VNF templates.

Co-Authored-By: Sridhar Ramaswamy <srics.r@gmail.com>

Change-Id: I5fabaa8a33d684a591364510ed6d3df93989c419
Closes-Bug: #1591372

releasenotes/notes/add-security-groups-support-to-tosca-template-b4d9dec71400eebf.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - Added support for security groups in TOSCA template for
+    type tosca.nodes.nfv.CP.Tacker.

samples/tosca-templates/vnfd/tosca-vnfd-secgroups.yaml

@@ -0,0 +1,45 @@
+tosca_definitions_version: tosca_simple_profile_for_nfv_1_0_0
+
+description: Demo example with key_name
+
+metadata:
+  template_name: sample-tosca-vnfd-secgroups
+
+topology_template:
+  node_templates:
+    VDU1:
+      type: tosca.nodes.nfv.VDU.Tacker
+      capabilities:
+        nfv_compute:
+          properties:
+            num_cpus: 1
+            mem_size: 512 MB
+            disk_size: 1 GB
+      properties:
+        image: cirros-0.3.4-x86_64-uec
+        availability_zone: nova
+        mgmt_driver: noop
+        key_name: userKey
+        config: |
+          param0: key1
+          param1: key2
+
+    CP1:
+      type: tosca.nodes.nfv.CP.Tacker
+      properties:
+        management: true
+        anti_spoofing_protection: true
+        security_groups:
+          - default
+          - test_secgrp
+      requirements:
+        - virtualLink:
+            node: VL1
+        - virtualBinding:
+            node: VDU1
+
+    VL1:
+      type: tosca.nodes.nfv.VL
+      properties:
+        network_name: net_mgmt
+        vendor: Tacker

tacker/tests/contrib/post_test_hook.sh

@@ -63,6 +63,7 @@ then
 
     fixup_quota
     add_key
+    add_secgrp
 fi
 
 # Set owner permissions according to job's requirements.

tacker/tests/contrib/post_test_hook_lib.sh

@@ -44,3 +44,37 @@ function add_key {
     userId=$(openstack user list | awk '/\ nfv_user\ / {print $2}')
     nova keypair-add userKey --user $userId > ${PRIVATE_KEY_FILE}
 }
+
+# Adding nova security groups (#1591372).
+function _create_secgrps {
+    openstack security group create --project nfv --description "tacker functest security group" test_secgrp
+    openstack security group rule create --project nfv --ingress --protocol icmp test_secgrp
+    openstack security group rule create --project nfv --ingress --protocol tcp --dst-port 22 test_secgrp
+}
+
+function _check_secgrps {
+    openstack security group show test_secgrp
+    if [[ "$?" != "0" ]]; then
+        echo "Warning: security group is not created correctly"
+    fi
+}
+
+function add_secgrp_if_not_exist {
+    echo "Adding nova security group"
+    source $DEVSTACK_DIR/openrc admin admin
+    openstack security group show test_secgrp
+    if [[ "$?" != "0" ]]; then
+        _create_secgrps
+        _check_secgrps
+    else
+        echo "Nova security group already exists"
+    fi
+}
+
+# Adding nova security groups (#1591372).
+function add_secgrp {
+    echo "Adding nova security group"
+    source $DEVSTACK_DIR/openrc admin admin
+    _create_secgrps
+    _check_secgrps
+}

tacker/tests/etc/samples/sample-tosca-vnfd.yaml

@@ -23,7 +23,9 @@ topology_template:
       type: tosca.nodes.nfv.CP.Tacker
       properties:
         management: true
-        anti_spoofing_protection: false
+        anti_spoofing_protection: true
+        security_groups:
+            - test_secgrp
       requirements:
         - virtualLink:
             node: VL1

tacker/tests/unit/vm/infra_drivers/heat/data/hot_tosca_security_groups.yaml

@@ -0,0 +1,38 @@
+heat_template_version: 2013-05-23
+
+description: >
+  SecurityGroup Template
+
+outputs:
+  mgmt_ip-VDU1:
+    value:
+      get_attr: [CP1, fixed_ips, 0, ip_address]
+
+parameters: {}
+resources:
+  VDU1:
+    type: OS::Nova::Server
+    properties:
+      config_drive: false
+      flavor: m1.nano
+      image: {get_resource: VDU1_image}
+      networks:
+        - port:
+            get_resource: CP1
+      user_data_format: SOFTWARE_CONFIG
+  CP1:
+    type: OS::Neutron::Port
+    properties:
+      network: existing_network_1
+      port_security_enabled: true
+      security_groups:
+        - default
+        - test_secgrp
+
+  VDU1_image:
+    type: OS::Glance::Image
+    properties:
+      container_format: bare
+      disk_format: raw
+      location: http://URL/vRouterVNF.qcow2
+      name: vm_image

tacker/tests/unit/vm/infra_drivers/heat/data/test_tosca_security_groups.yaml

@@ -0,0 +1,46 @@
+tosca_definitions_version: tosca_simple_profile_for_nfv_1_0_0
+
+description: SecurityGroup Template
+
+metadata:
+  template_name: SecurityGroup
+
+topology_template:
+  node_templates:
+
+    VDU1:
+      type: tosca.nodes.nfv.VDU.Tacker
+      artifacts:
+        vm_image:
+          type: tosca.artifacts.Deployment.Image.VM
+          file: http://URL/vRouterVNF.qcow2
+      properties:
+        flavor: m1.nano
+        mgmt_driver: noop
+        monitoring_policy:
+          name: ping
+          actions:
+            failure: respawn
+          parameters:
+            count: 3
+            interval: 10
+
+    CP1:
+      type: tosca.nodes.nfv.CP.Tacker
+      properties:
+        management: true
+        anti_spoofing_protection: true
+        security_groups:
+          - default
+          - test_secgrp
+      requirements:
+        - virtualLink:
+            node: VL1
+        - virtualBinding:
+            node: VDU1
+
+    VL1:
+      type: tosca.nodes.nfv.VL
+      properties:
+        network_name: existing_network_1
+        vendor: ACME

tacker/tests/unit/vm/infra_drivers/heat/test_heat.py

@@ -440,3 +440,9 @@ class TestDeviceHeat(base.TestCase):
                           plugin=None, context=self.context, vnf_info=vnf_obj,
                           auth_attr=utils.get_vim_auth_obj(),
                           region_name=None)
+
+    def test_create_port_with_security_groups(self):
+        self._test_assert_equal_for_tosca_templates(
+            'test_tosca_security_groups.yaml',
+            'hot_tosca_security_groups.yaml'
+        )

tacker/vnfm/tosca/lib/tacker_nfv_defs.yaml

@@ -224,6 +224,9 @@ node_types:
       anti_spoofing_protection:
         type: boolean
         required: false
+      security_groups:
+        type: list
+        required: false
       type:
         type: string
         required: false

tools/prepare_functional_test.sh

@@ -16,3 +16,4 @@ source ${TACKER_DIR}/tacker/tests/contrib/post_test_hook_lib.sh
 
 fixup_quota
 add_key_if_not_exist
+add_secgrp_if_not_exist