Provide support for security groups for ConnectionPoints

Add option for providing security groups in ConnectionPoint node_type of TOSCA VNF templates. Co-Authored-By: Sridhar Ramaswamy <srics.r@gmail.com> Change-Id: I5fabaa8a33d684a591364510ed6d3df93989c419 Closes-Bug: #1591372
2016-06-21 00:00:07 -05:00 · 2016-06-21 00:00:07 -05:00 · 043c147690
commit 043c147690
parent 4ce287946a
10 changed files with 181 additions and 1 deletions
--- a/releasenotes/notes/add-security-groups-support-to-tosca-template-b4d9dec71400eebf.yaml
+++ b/releasenotes/notes/add-security-groups-support-to-tosca-template-b4d9dec71400eebf.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - Added support for security groups in TOSCA template for
+    type tosca.nodes.nfv.CP.Tacker.
--- a/samples/tosca-templates/vnfd/tosca-vnfd-secgroups.yaml
+++ b/samples/tosca-templates/vnfd/tosca-vnfd-secgroups.yaml
@ -0,0 +1,45 @@
+tosca_definitions_version: tosca_simple_profile_for_nfv_1_0_0
+
+description: Demo example with key_name
+
+metadata:
+  template_name: sample-tosca-vnfd-secgroups
+
+topology_template:
+  node_templates:
+    VDU1:
+      type: tosca.nodes.nfv.VDU.Tacker
+      capabilities:
+        nfv_compute:
+          properties:
+            num_cpus: 1
+            mem_size: 512 MB
+            disk_size: 1 GB
+      properties:
+        image: cirros-0.3.4-x86_64-uec
+        availability_zone: nova
+        mgmt_driver: noop
+        key_name: userKey
+        config: |
+          param0: key1
+          param1: key2
+
+    CP1:
+      type: tosca.nodes.nfv.CP.Tacker
+      properties:
+        management: true
+        anti_spoofing_protection: true
+        security_groups:
+          - default
+          - test_secgrp
+      requirements:
+        - virtualLink:
+            node: VL1
+        - virtualBinding:
+            node: VDU1
+
+    VL1:
+      type: tosca.nodes.nfv.VL
+      properties:
+        network_name: net_mgmt
+        vendor: Tacker
--- a/tacker/tests/contrib/post_test_hook.sh
+++ b/tacker/tests/contrib/post_test_hook.sh
@ -63,6 +63,7 @@ then

    fixup_quota
    add_key
+    add_secgrp
 fi

 # Set owner permissions according to job's requirements.
--- a/tacker/tests/contrib/post_test_hook_lib.sh
+++ b/tacker/tests/contrib/post_test_hook_lib.sh
@ -44,3 +44,37 @@ function add_key {
    userId=$(openstack user list | awk '/\ nfv_user\ / {print $2}')
    nova keypair-add userKey --user $userId > ${PRIVATE_KEY_FILE}
 }
+
+# Adding nova security groups (#1591372).
+function _create_secgrps {
+    openstack security group create --project nfv --description "tacker functest security group" test_secgrp
+    openstack security group rule create --project nfv --ingress --protocol icmp test_secgrp
+    openstack security group rule create --project nfv --ingress --protocol tcp --dst-port 22 test_secgrp
+}
+
+function _check_secgrps {
+    openstack security group show test_secgrp
+    if [[ "$?" != "0" ]]; then
+        echo "Warning: security group is not created correctly"
+    fi
+}
+
+function add_secgrp_if_not_exist {
+    echo "Adding nova security group"
+    source $DEVSTACK_DIR/openrc admin admin
+    openstack security group show test_secgrp
+    if [[ "$?" != "0" ]]; then
+        _create_secgrps
+        _check_secgrps
+    else
+        echo "Nova security group already exists"
+    fi
+}
+
+# Adding nova security groups (#1591372).
+function add_secgrp {
+    echo "Adding nova security group"
+    source $DEVSTACK_DIR/openrc admin admin
+    _create_secgrps
+    _check_secgrps
+}
--- a/tacker/tests/etc/samples/sample-tosca-vnfd.yaml
+++ b/tacker/tests/etc/samples/sample-tosca-vnfd.yaml
@ -23,7 +23,9 @@ topology_template:
      type: tosca.nodes.nfv.CP.Tacker
      properties:
        management: true
-        anti_spoofing_protection: false
+        anti_spoofing_protection: true
+        security_groups:
+            - test_secgrp
      requirements:
        - virtualLink:
            node: VL1
--- a/tacker/tests/unit/vm/infra_drivers/heat/data/hot_tosca_security_groups.yaml
+++ b/tacker/tests/unit/vm/infra_drivers/heat/data/hot_tosca_security_groups.yaml
@ -0,0 +1,38 @@
+heat_template_version: 2013-05-23
+
+description: >
+  SecurityGroup Template
+
+outputs:
+  mgmt_ip-VDU1:
+    value:
+      get_attr: [CP1, fixed_ips, 0, ip_address]
+
+parameters: {}
+resources:
+  VDU1:
+    type: OS::Nova::Server
+    properties:
+      config_drive: false
+      flavor: m1.nano
+      image: {get_resource: VDU1_image}
+      networks:
+        - port:
+            get_resource: CP1
+      user_data_format: SOFTWARE_CONFIG
+  CP1:
+    type: OS::Neutron::Port
+    properties:
+      network: existing_network_1
+      port_security_enabled: true
+      security_groups:
+        - default
+        - test_secgrp
+
+  VDU1_image:
+    type: OS::Glance::Image
+    properties:
+      container_format: bare
+      disk_format: raw
+      location: http://URL/vRouterVNF.qcow2
+      name: vm_image
--- a/tacker/tests/unit/vm/infra_drivers/heat/data/test_tosca_security_groups.yaml
+++ b/tacker/tests/unit/vm/infra_drivers/heat/data/test_tosca_security_groups.yaml
@ -0,0 +1,46 @@
+tosca_definitions_version: tosca_simple_profile_for_nfv_1_0_0
+
+description: SecurityGroup Template
+
+metadata:
+  template_name: SecurityGroup
+
+topology_template:
+  node_templates:
+
+    VDU1:
+      type: tosca.nodes.nfv.VDU.Tacker
+      artifacts:
+        vm_image:
+          type: tosca.artifacts.Deployment.Image.VM
+          file: http://URL/vRouterVNF.qcow2
+      properties:
+        flavor: m1.nano
+        mgmt_driver: noop
+        monitoring_policy:
+          name: ping
+          actions:
+            failure: respawn
+          parameters:
+            count: 3
+            interval: 10
+
+    CP1:
+      type: tosca.nodes.nfv.CP.Tacker
+      properties:
+        management: true
+        anti_spoofing_protection: true
+        security_groups:
+          - default
+          - test_secgrp
+      requirements:
+        - virtualLink:
+            node: VL1
+        - virtualBinding:
+            node: VDU1
+
+    VL1:
+      type: tosca.nodes.nfv.VL
+      properties:
+        network_name: existing_network_1
+        vendor: ACME
--- a/tacker/tests/unit/vm/infra_drivers/heat/test_heat.py
+++ b/tacker/tests/unit/vm/infra_drivers/heat/test_heat.py
@ -440,3 +440,9 @@ class TestDeviceHeat(base.TestCase):
                          plugin=None, context=self.context, vnf_info=vnf_obj,
                          auth_attr=utils.get_vim_auth_obj(),
                          region_name=None)
+
+    def test_create_port_with_security_groups(self):
+        self._test_assert_equal_for_tosca_templates(
+            'test_tosca_security_groups.yaml',
+            'hot_tosca_security_groups.yaml'
+        )
--- a/tacker/vnfm/tosca/lib/tacker_nfv_defs.yaml
+++ b/tacker/vnfm/tosca/lib/tacker_nfv_defs.yaml
@ -224,6 +224,9 @@ node_types:
      anti_spoofing_protection:
        type: boolean
        required: false
+      security_groups:
+        type: list
+        required: false
      type:
        type: string
        required: false
--- a/tools/prepare_functional_test.sh
+++ b/tools/prepare_functional_test.sh
@ -16,3 +16,4 @@ source ${TACKER_DIR}/tacker/tests/contrib/post_test_hook_lib.sh

 fixup_quota
 add_key_if_not_exist
+add_secgrp_if_not_exist