Add allowed_address_pairs support in tacker CP

Currently the tacker connection point (CP) support Virtural IP only if the security group is off (via anti_spoofing_protection off). But it's good to have both by supporting allowed_address_pairs. This RFE is for this purpose. Closes-Bug: #1664805 Change-Id: I9fa1d4b69f8cbf51b047110cd6cfa61fb91a0bf0
6 years ago · e1bc853b72
parent 324a443806
commit e1bc853b72
7 changed files with 313 additions and 0 deletions
--- a/releasenotes/notes/add-allowed_address_pairs-support-for-Tacker-73f5d476a54b4182.yaml
+++ b/releasenotes/notes/add-allowed_address_pairs-support-for-Tacker-73f5d476a54b4182.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - Add allowed_address_pairs support in CP's properties,
+    so Virtual IP is enabled via Tacker.
--- a/samples/tosca-templates/vnfd/tosca-vnfd-vip.yaml
+++ b/samples/tosca-templates/vnfd/tosca-vnfd-vip.yaml
@ -0,0 +1,94 @@
+tosca_definitions_version: tosca_simple_profile_for_nfv_1_0_0
+
+description: |
+   Demo example with virtural IP.
+   The VCP is used to grab an IP which will be used as an virtual IP as CP1 and CP2.
+
+metadata:
+  template_name: sample-tosca-vnfd-vip
+
+topology_template:
+  node_templates:
+    VDU1:
+      type: tosca.nodes.nfv.VDU.Tacker
+      capabilities:
+        nfv_compute:
+          properties:
+            num_cpus: 1
+            mem_size: 512 MB
+            disk_size: 1 GB
+      properties:
+        image: cirros-0.3.5-x86_64-disk
+        availability_zone: nova
+        mgmt_driver: noop
+        config: |
+          param0: key1
+          param1: key2
+
+    CP1:
+      type: tosca.nodes.nfv.CP.Tacker
+      properties:
+        management: true
+        anti_spoofing_protection: true
+        security_groups:
+          - default
+        ip_address: 10.10.1.11
+        order: 0
+        allowed_address_pairs:
+          - ip_address: 10.10.1.13
+      requirements:
+        - virtualLink:
+            node: VL1
+        - virtualBinding:
+            node: VDU1
+
+    VDU2:
+      type: tosca.nodes.nfv.VDU.Tacker
+      capabilities:
+        nfv_compute:
+          properties:
+            num_cpus: 1
+            mem_size: 512 MB
+            disk_size: 1 GB
+      properties:
+        image: cirros-0.3.5-x86_64-disk
+        availability_zone: nova
+        mgmt_driver: noop
+        config: |
+          param0: key1
+          param1: key2
+
+    CP2:
+      type: tosca.nodes.nfv.CP.Tacker
+      properties:
+        management: true
+        anti_spoofing_protection: true
+        security_groups:
+          - default
+        ip_address: 10.10.1.12
+        order: 0
+        allowed_address_pairs:
+          - ip_address: 10.10.1.13
+      requirements:
+        - virtualLink:
+            node: VL1
+        - virtualBinding:
+            node: VDU2
+
+    VCP:
+      type: tosca.nodes.nfv.CP.Tacker
+      properties:
+        management: true
+        anti_spoofing_protection: true
+        security_groups:
+          - default
+        ip_address: 10.10.1.13
+      requirements:
+        - virtualLink:
+            node: VL1
+
+    VL1:
+      type: tosca.nodes.nfv.VL
+      properties:
+        network_name: net1
+        vendor: Tacker
--- a/tacker/tests/unit/vm/infra_drivers/openstack/data/hot_tosca_allowed_address_pairs.yaml
+++ b/tacker/tests/unit/vm/infra_drivers/openstack/data/hot_tosca_allowed_address_pairs.yaml
@ -0,0 +1,88 @@
+heat_template_version: 2013-05-23
+
+description: >
+  VIP Template
+
+outputs:
+  mgmt_ip-VDU1:
+    value:
+      get_attr: [CP2, fixed_ips, 0, ip_address]
+
+parameters: {}
+resources:
+  VDU1:
+    type: OS::Nova::Server
+    properties:
+      config_drive: false
+      flavor: m1.nano
+      image: {get_resource: VDU1_image}
+      networks:
+        - port:
+            get_resource: CP1
+        - port:
+            get_resource: CP2
+      user_data_format: SOFTWARE_CONFIG
+  CP1:
+    type: OS::Neutron::Port
+    properties:
+      fixed_ips:
+        - ip_address: 10.10.1.11
+      allowed_address_pairs:
+        - ip_address: 10.10.1.12
+      network: existing_network_1
+      port_security_enabled: true
+      security_groups:
+        - default
+
+  VCP1:
+    type: OS::Neutron::Port
+    properties:
+      fixed_ips:
+        - ip_address: 10.10.1.12
+      network: existing_network_1
+      port_security_enabled: true
+      security_groups:
+        - default
+
+  CP2:
+    type: OS::Neutron::Port
+    properties:
+      fixed_ips:
+        - ip_address: 10.10.2.21
+      allowed_address_pairs:
+        - ip_address: 10.10.2.22
+        - ip_address: 10.10.2.23
+          mac_address: fe:1a:29:d9:36:45
+      mac_address: fe:1a:29:d9:36:45
+      network: existing_network_2
+      port_security_enabled: true
+      security_groups:
+        - default
+
+  VCP2:
+    type: OS::Neutron::Port
+    properties:
+      fixed_ips:
+        - ip_address: 10.10.2.22
+      network: existing_network_2
+      port_security_enabled: true
+      security_groups:
+        - default
+
+  VCP3:
+    type: OS::Neutron::Port
+    properties:
+      fixed_ips:
+        - ip_address: 10.10.2.23
+      network: existing_network_2
+      port_security_enabled: true
+      security_groups:
+        - default
+
+  VDU1_image:
+    type: OS::Glance::Image
+    properties:
+      container_format: bare
+      disk_format: raw
+      location: http://URL/vRouterVNF.qcow2
+      name: vm_image
--- a/tacker/tests/unit/vm/infra_drivers/openstack/data/test_tosca_allowed_address_pairs.yaml
+++ b/tacker/tests/unit/vm/infra_drivers/openstack/data/test_tosca_allowed_address_pairs.yaml
@ -0,0 +1,105 @@
+tosca_definitions_version: tosca_simple_profile_for_nfv_1_0_0
+
+description: VIP Template
+
+metadata:
+  template_name: vipTemplate
+
+topology_template:
+  node_templates:
+
+    VDU1:
+      type: tosca.nodes.nfv.VDU.Tacker
+      artifacts:
+        vm_image:
+          type: tosca.artifacts.Deployment.Image.VM
+          file: http://URL/vRouterVNF.qcow2
+      properties:
+        flavor: m1.nano
+        mgmt_driver: noop
+        monitoring_policy:
+          name: ping
+          actions:
+            failure: respawn
+          parameters:
+            count: 3
+            interval: 10
+
+    CP1:
+      type: tosca.nodes.nfv.CP.Tacker
+      properties:
+        management: true
+        ip_address: 10.10.1.11
+        anti_spoofing_protection: true
+        allowed_address_pairs:
+          - ip_address: 10.10.1.12
+        security_groups:
+          - default
+      requirements:
+        - virtualLink:
+            node: VL1
+        - virtualBinding:
+            node: VDU1
+    VCP1:
+      type: tosca.nodes.nfv.CP.Tacker
+      properties:
+        management: true
+        ip_address: 10.10.1.12
+        anti_spoofing_protection: true
+        security_groups:
+          - default
+      requirements:
+        - virtualLink:
+            node: VL1
+    CP2:
+      type: tosca.nodes.nfv.CP.Tacker
+      properties:
+        management: true
+        mac_address: fe:1a:29:d9:36:45
+        ip_address: 10.10.2.21
+        anti_spoofing_protection: true
+        allowed_address_pairs:
+          - ip_address: 10.10.2.22
+          - ip_address: 10.10.2.23
+            mac_address: fe:1a:29:d9:36:45
+        security_groups:
+          - default
+      requirements:
+        - virtualLink:
+            node: VL2
+        - virtualBinding:
+            node: VDU1
+    VCP2:
+      type: tosca.nodes.nfv.CP.Tacker
+      properties:
+        management: true
+        ip_address: 10.10.2.22
+        anti_spoofing_protection: true
+        security_groups:
+          - default
+      requirements:
+        - virtualLink:
+            node: VL2
+    VCP3:
+      type: tosca.nodes.nfv.CP.Tacker
+      properties:
+        management: true
+        ip_address: 10.10.2.23
+        anti_spoofing_protection: true
+        security_groups:
+          - default
+      requirements:
+        - virtualLink:
+            node: VL2
+
+    VL1:
+      type: tosca.nodes.nfv.VL
+      properties:
+        network_name: existing_network_1
+        vendor: Tacker
+
+    VL2:
+      type: tosca.nodes.nfv.VL
+      properties:
+        network_name: existing_network_2
+        vendor: Tacker
--- a/tacker/tests/unit/vnfm/infra_drivers/openstack/test_openstack.py
+++ b/tacker/tests/unit/vnfm/infra_drivers/openstack/test_openstack.py
@ -398,6 +398,12 @@ class TestOpenStack(base.TestCase):
            'hot_tosca_security_groups.yaml'
        )

+    def test_create_port_with_allowed_address_pairs(self):
+        self._test_assert_equal_for_tosca_templates(
+            'test_tosca_allowed_address_pairs.yaml',
+            'hot_tosca_allowed_address_pairs.yaml'
+        )
+
    def test_create_port_with_mac_and_ip(self):
        self._test_assert_equal_for_tosca_templates(
            'test_tosca_mac_ip.yaml',
--- a/tacker/vnfm/tosca/lib/tacker_defs.yaml
+++ b/tacker/vnfm/tosca/lib/tacker_defs.yaml
@ -72,6 +72,17 @@ data_types:
        type: map
        required: false

+  tosca.datatypes.tacker.VirtualIP:
+    properties:
+      ip_address:
+        type: string
+        required: true
+        description: The virtual IP address allowed to be paired with.
+      mac_address:
+        type: string
+        required: false
+        description: The mac address allowed to be paired with specific virtual IP.
+
 policy_types:
  tosca.policies.tacker.Placement:
    derived_from: tosca.policies.Root
--- a/tacker/vnfm/tosca/lib/tacker_nfv_defs.yaml
+++ b/tacker/vnfm/tosca/lib/tacker_nfv_defs.yaml
@ -233,6 +233,11 @@ node_types:
      anti_spoofing_protection:
        type: boolean
        required: false
+      allowed_address_pairs:
+        type: list
+        entry_schema:
+          type: tosca.datatypes.tacker.VirtualIP
+        required: false
      security_groups:
        type: list
        required: false