diff --git a/releasenotes/notes/add-security-groups-support-to-tosca-template-b4d9dec71400eebf.yaml b/releasenotes/notes/add-security-groups-support-to-tosca-template-b4d9dec71400eebf.yaml new file mode 100644 index 000000000..c4c2812c6 --- /dev/null +++ b/releasenotes/notes/add-security-groups-support-to-tosca-template-b4d9dec71400eebf.yaml @@ -0,0 +1,4 @@ +--- +features: + - Added support for security groups in TOSCA template for + type tosca.nodes.nfv.CP.Tacker. diff --git a/samples/tosca-templates/vnfd/tosca-vnfd-secgroups.yaml b/samples/tosca-templates/vnfd/tosca-vnfd-secgroups.yaml new file mode 100644 index 000000000..76e8db5e5 --- /dev/null +++ b/samples/tosca-templates/vnfd/tosca-vnfd-secgroups.yaml @@ -0,0 +1,45 @@ +tosca_definitions_version: tosca_simple_profile_for_nfv_1_0_0 + +description: Demo example with key_name + +metadata: + template_name: sample-tosca-vnfd-secgroups + +topology_template: + node_templates: + VDU1: + type: tosca.nodes.nfv.VDU.Tacker + capabilities: + nfv_compute: + properties: + num_cpus: 1 + mem_size: 512 MB + disk_size: 1 GB + properties: + image: cirros-0.3.4-x86_64-uec + availability_zone: nova + mgmt_driver: noop + key_name: userKey + config: | + param0: key1 + param1: key2 + + CP1: + type: tosca.nodes.nfv.CP.Tacker + properties: + management: true + anti_spoofing_protection: true + security_groups: + - default + - test_secgrp + requirements: + - virtualLink: + node: VL1 + - virtualBinding: + node: VDU1 + + VL1: + type: tosca.nodes.nfv.VL + properties: + network_name: net_mgmt + vendor: Tacker diff --git a/tacker/tests/contrib/post_test_hook.sh b/tacker/tests/contrib/post_test_hook.sh index 43916fd27..9c9ded0ca 100755 --- a/tacker/tests/contrib/post_test_hook.sh +++ b/tacker/tests/contrib/post_test_hook.sh @@ -63,6 +63,7 @@ then fixup_quota add_key + add_secgrp fi # Set owner permissions according to job's requirements. 
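Review bot: In samples/tosca-templates/vnfd/tosca-vnfd-secgroups.yaml the `description: Demo example with key_name` line looks copied from the key_name sample and does not mention what this template demonstrates; something like `description: Demo example with security_groups on a connection point` would match the file. The template also binds CP1 to `default` and `test_secgrp` without saying that `test_secgrp` must already exist in the project that deploys it, so a user who copies the sample will presumably hit a port-creation failure. A comment above `security_groups:` such as `# test_secgrp must be created in the tenant before onboarding this VNFD` would make the prerequisite visible.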
diff --git a/tacker/tests/contrib/post_test_hook_lib.sh b/tacker/tests/contrib/post_test_hook_lib.sh index f5b04175c..53b70543f 100644 --- a/tacker/tests/contrib/post_test_hook_lib.sh +++ b/tacker/tests/contrib/post_test_hook_lib.sh @@ -44,3 +44,37 @@ function add_key { userId=$(openstack user list | awk '/\ nfv_user\ / {print $2}') nova keypair-add userKey --user $userId > ${PRIVATE_KEY_FILE} } + +# Adding nova security groups (#1591372). +function _create_secgrps { + openstack security group create --project nfv --description "tacker functest security group" test_secgrp + openstack security group rule create --project nfv --ingress --protocol icmp test_secgrp + openstack security group rule create --project nfv --ingress --protocol tcp --dst-port 22 test_secgrp +} + +function _check_secgrps { + openstack security group show test_secgrp + if [[ "$?" != "0" ]]; then + echo "Warning: security group is not created correctly" + fi +} + +function add_secgrp_if_not_exist { + echo "Adding nova security group" + source $DEVSTACK_DIR/openrc admin admin + openstack security group show test_secgrp + if [[ "$?" != "0" ]]; then + _create_secgrps + _check_secgrps + else + echo "Nova security group already exists" + fi +} + +# Adding nova security groups (#1591372). +function add_secgrp { + echo "Adding nova security group" + source $DEVSTACK_DIR/openrc admin admin + _create_secgrps + _check_secgrps +} diff --git a/tacker/tests/etc/samples/sample-tosca-vnfd.yaml b/tacker/tests/etc/samples/sample-tosca-vnfd.yaml index c5ca840b8..a2b753fa3 100644 --- a/tacker/tests/etc/samples/sample-tosca-vnfd.yaml +++ b/tacker/tests/etc/samples/sample-tosca-vnfd.yaml @@ -34,7 +34,9 @@ topology_template: properties: name: {get_input : cp-name} management: true - anti_spoofing_protection: false + anti_spoofing_protection: true + security_groups: + - test_secgrp requirements: - virtualLink: node: VL1 
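Review bot: `_check_secgrps` in post_test_hook_lib.sh only echoes a warning when `openstack security group show test_secgrp` fails, so it returns 0 and `add_secgrp` / `add_secgrp_if_not_exist` carry on with no group in place; the templates that reference `test_secgrp` would then presumably fail later at port creation, far from the cause. Returning the failure, e.g. `openstack security group show test_secgrp || { echo "Error: test_secgrp was not created"; return 1; }`, would surface it in the hook. The group and its rules are created with `--project nfv`, but both `show` lookups run under the admin openrc by bare name, so a same-named group in another project could satisfy the existence check or make the lookup ambiguous; checking by the ID returned from `create` would avoid that. The two ingress rules set no remote address restriction (`--remote-ip` in current clients), so ICMP and TCP/22 are presumably open from any source; on a shared test cloud it is worth pinning them to the management subnet.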
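Review bot: Adding `security_groups: - test_secgrp` to the shared fixture tacker/tests/etc/samples/sample-tosca-vnfd.yaml makes every functional test that uses it depend on a group named `test_secgrp` already existing in the target project, and nothing in the template says so. A comment above the property such as `# test_secgrp is created by add_secgrp in post_test_hook_lib.sh` would make the prerequisite visible. Flipping `anti_spoofing_protection` to `true` here also means this fixture no longer exercises the disabled-port-security path; whether another fixture still covers it is not visible in this diff. The CP node definition starts and ends outside the hunk.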
diff --git a/tacker/tests/unit/vm/infra_drivers/heat/data/hot_tosca_security_groups.yaml b/tacker/tests/unit/vm/infra_drivers/heat/data/hot_tosca_security_groups.yaml
new file mode 100644
index 000000000..19757af8b
--- /dev/null
+++ b/tacker/tests/unit/vm/infra_drivers/heat/data/hot_tosca_security_groups.yaml
@@ -0,0 +1,38 @@
+heat_template_version: 2013-05-23
+
+description: >
+ SecurityGroup Template
+
+outputs:
+ mgmt_ip-VDU1:
+ value:
+ get_attr: [CP1, fixed_ips, 0, ip_address]
+
+parameters: {}
+resources:
+ VDU1:
+ type: OS::Nova::Server
+ properties:
+ config_drive: false
+ flavor: m1.nano
+ image: {get_resource: VDU1_image}
+ networks:
+ - port:
+ get_resource: CP1
+ user_data_format: SOFTWARE_CONFIG
+ CP1:
+ type: OS::Neutron::Port
+ properties:
+ network: existing_network_1
+ port_security_enabled: true
+ security_groups:
+ - default
+ - test_secgrp
+
+ VDU1_image:
+ type: OS::Glance::Image
+ properties:
+ container_format: bare
+ disk_format: raw
+ location: http://URL/vRouterVNF.qcow2
+ name: vm_image
diff --git a/tacker/tests/unit/vm/infra_drivers/heat/data/test_tosca_security_groups.yaml b/tacker/tests/unit/vm/infra_drivers/heat/data/test_tosca_security_groups.yaml
new file mode 100644
index 000000000..13f4629c3
--- /dev/null
+++ b/tacker/tests/unit/vm/infra_drivers/heat/data/test_tosca_security_groups.yaml
@@ -0,0 +1,46 @@ +tosca_definitions_version: tosca_simple_profile_for_nfv_1_0_0 + +description: SecurityGroup Template + +metadata: + template_name: SecurityGroup + +topology_template: + node_templates: + + VDU1: + type: tosca.nodes.nfv.VDU.Tacker + artifacts: + vm_image: + type: tosca.artifacts.Deployment.Image.VM + file: http://URL/vRouterVNF.qcow2 + properties: + flavor: m1.nano + mgmt_driver: noop + monitoring_policy: + name: ping + actions: + failure: respawn + parameters: + count: 3 + interval: 10 + + CP1: + type: tosca.nodes.nfv.CP.Tacker + properties: + management: true + anti_spoofing_protection: true + security_groups: + - default + - test_secgrp + requirements: + - virtualLink: + node: VL1 + - virtualBinding: + node: VDU1 + + VL1: + type: tosca.nodes.nfv.VL + properties: + network_name: existing_network_1 + vendor: ACME diff --git a/tacker/tests/unit/vm/infra_drivers/heat/test_heat.py b/tacker/tests/unit/vm/infra_drivers/heat/test_heat.py index ca89060c2..cdc99cdb3 100644 --- a/tacker/tests/unit/vm/infra_drivers/heat/test_heat.py +++ b/tacker/tests/unit/vm/infra_drivers/heat/test_heat.py @@ -440,3 +440,9 @@ class TestDeviceHeat(base.TestCase): plugin=None, context=self.context, vnf_info=vnf_obj, auth_attr=utils.get_vim_auth_obj(), region_name=None) + + def test_create_port_with_security_groups(self): + self._test_assert_equal_for_tosca_templates( + 'test_tosca_security_groups.yaml', + 'hot_tosca_security_groups.yaml' + ) diff --git a/tacker/vnfm/tosca/lib/tacker_nfv_defs.yaml b/tacker/vnfm/tosca/lib/tacker_nfv_defs.yaml index be921250d..5b3ca20ec 100644 --- a/tacker/vnfm/tosca/lib/tacker_nfv_defs.yaml +++ b/tacker/vnfm/tosca/lib/tacker_nfv_defs.yaml @@ -230,6 +230,9 @@ node_types: anti_spoofing_protection: type: boolean required: false + security_groups: + type: list + required: false type: type: string required: false diff --git a/tools/prepare_functional_test.sh b/tools/prepare_functional_test.sh index 725765b65..966a6fc52 100755 
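Review bot: In tacker/vnfm/tosca/lib/tacker_nfv_defs.yaml the new `security_groups` property is declared as a bare `type: list` with no `entry_schema` or `description`, so a template can pass non-string entries and they would only be rejected, if at all, further down in Heat or Neutron. Adding `entry_schema:` with `type: string` and a one-line `description` under the property would let the TOSCA parser reject malformed input early and document what the names refer to. Nothing in this hunk constrains it against `anti_spoofing_protection: false`; if that maps to `port_security_enabled: false` as the HOT fixture suggests, a port carrying both would presumably be refused by Neutron, and the test added in test_heat.py covers only the `true` case. The node type definition starts and ends outside the hunk.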
--- a/tools/prepare_functional_test.sh +++ b/tools/prepare_functional_test.sh @@ -16,3 +16,4 @@ source ${TACKER_DIR}/tacker/tests/contrib/post_test_hook_lib.sh fixup_quota add_key_if_not_exist +add_secgrp_if_not_exist