Add standalone ovn-controller role

This change adds a new playbook to configure OVS
for use with ML2/OVN.
This will allow us to leverage Ansible instead of
puppet-vswitch and puppet-ovn on Compute nodes.
Note that this task is currently only targeting
Compute nodes. Controllers would require additional
work to render config files and configure the
DBS bundle + northd.

Change-Id: I36fee8e79f71204f3126208d416e8df47a1f6bf8

doc/source/roles/role-tripleo_ovn.rst

@@ -0,0 +1,6 @@
+===========================
+Role - tripleo_ovn
+===========================
+
+.. ansibleautoplugin::
+  :role: tripleo_ansible/roles/tripleo_ovn

tripleo_ansible/roles/tripleo_ovn/defaults/main.yml

@@ -1,2 +1,46 @@
 ---
 # defaults file for tripleo_ovn
+tripleo_ovn_bridge: br-int
+tripleo_ovn_bridge_mappings: ["datacentre:br-ex"]
+tripleo_ovn_encap_type: geneve
+tripleo_ovn_dbs: []
+tripleo_enable_dvr: True
+tripleo_enable_hw_offload: False
+tripleo_ovn_multi_rhel: False
+tripleo_enable_internal_tls: False
+tripleo_ovn_sb_server_port: 6642
+tripleo_ovn_of_probe_interval: 60
+tripleo_ovn_remote_probe_interval: 60000
+tripleo_ovn_controller_image: "quay.io/tripleomastercentos9/openstack-ovn-controller:current-tripleo"
+tripleo_ovn_encap_ip: "{{ tenant_ip }}"
+tripleo_ovn_protocol: "{% if tripleo_enable_internal_tls | bool %}ssl{% else %}tcp{% endif %}"
+
+tripleo_ovn_controller_common_volumes:
+  - /lib/modules:/lib/modules:ro
+  - /run:/run
+  - /var/lib/openvswitch/ovn:/run/ovn:shared,z
+  - /var/log/containers/openvswitch:/var/log/openvswitch:z
+  - /var/log/containers/openvswitch:/var/log/ovn:z
+  - /var/lib/kolla/config_files/ovn_controller.json:/var/lib/kolla/config_files/config.json:ro
+
+tripleo_ovn_controller_tls_volumes:
+  - /etc/pki/tls/certs/:/etc/pki/tls/certs/
+  - /etc/pki/tls/private/:/etc/pki/tls/private/
+
+# Set external_id data from provided variables
+tripleo_ovn_ovs_external_ids:
+  hostname: "{{ ansible_facts['fqdn'] }}"
+  ovn-bridge: "{{ tripleo_ovn_bridge }}"
+  ovn-bridge-mappings: "{{ tripleo_ovn_bridge_mappings|join(', ') }}"
+  ovn-encap-ip: "{{ tripleo_ovn_encap_ip }}"
+  ovn-encap-type: "{{ tripleo_ovn_encap_type }}"
+  ovn-match-northd-version: True
+  ovn-monitor-all: True
+  ovn-openflow-probe-interval: "{{ tripleo_ovn_of_probe_interval }}"
+  ovn-remote: "{% set db_addresses = [] %}{% for host in tripleo_ovn_dbs %}{{ db_addresses.append([tripleo_ovn_protocol, host, tripleo_ovn_sb_server_port] | join(':')) }}{% endfor %}{{ db_addresses | join(',') }}"
+  ovn-remote-probe-interval: "{{ tripleo_ovn_remote_probe_interval }}"
+  rundir: "/var/run/openvswitch"
+
+# Set openvswitch other_config.
+tripleo_ovn_ovs_other_config:
+  vlan-limit: 0

tripleo_ansible/roles/tripleo_ovn/molecule/default/converge.yml

@@ -18,4 +18,4 @@
   hosts: all
   gather_facts: true
   roles:
-    - role: "tripleo_ovn"
+    - role: "tripleo_ovn"

tripleo_ansible/roles/tripleo_ovn/tasks/bootstrap.yml

@@ -0,0 +1,20 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Ensure the OVS service is running
+  ansible.builtin.systemd:
+    name: openvswitch
+    state: started

tripleo_ansible/roles/tripleo_ovn/tasks/cleanup.yml

@@ -0,0 +1,25 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Cleanup hw-offload when no longer required
+  ansible.builtin.shell: >
+    ovs-vsctl remove open . other_config hw-offload
+  when: not tripleo_enable_hw_offload | bool
+
+- name: Cleanup enable-chassis-as-gw when DVR not enabled
+  ansible.builtin.shell: >
+    ovs-vsctl remove open . external_ids ovn-cms-options
+  when: not tripleo_enable_dvr | bool

tripleo_ansible/roles/tripleo_ovn/tasks/configure.yml

@@ -0,0 +1,47 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Set DVR setting when enabled
+  block:
+    - name: Set enable-chassis-as-gw
+      set_fact:
+        cms_options:
+          ovn-cms-options: "enable-chassis-as-gw"
+
+    - name: Append CMS options to external_ids
+      set_fact:
+        tripleo_ovn_ovs_external_ids: "{{ tripleo_ovn_ovs_external_ids | combine(cms_options) }}"
+  when: tripleo_enable_dvr|default(true)
+
+- name: Configure hw-offload when required
+  block:
+    - name: Add hw-offload if enabled
+      set_fact:
+        hw_offload:
+          hw-offload: True
+
+    - name: append other_config with hw-offload
+      set_fact:
+         other_config: "{{ tripleo_ovn_ovs_other_config | combine(hw_offload) }}"
+  when: tripleo_enable_hw_offload|default(false)
+
+- name: Configure OVS external_ids
+  ansible.builtin.shell: >
+    ovs-vsctl set open . {% for key, value in tripleo_ovn_ovs_external_ids.items() %} external_ids:{{ key }}={{ value }} {% endfor %}
+
+- name: Configure OVS other_config
+  ansible.builtin.shell: >
+    ovs-vsctl set open . {% for key, value in tripleo_ovn_ovs_other_config.items() %} other_config:{{ key }}={{ value }} {% endfor %}

tripleo_ansible/roles/tripleo_ovn/tasks/externaldeploy.yml

@@ -20,5 +20,5 @@
     stack_name: "{{ stack_name }}"
     role_name: "{{ tripleo_role_name }}"
     server_resource_names: "{{ groups[tripleo_role_name] }}"
-    ovn_bridge_mappings: "{{ ovn_bridge_mappings }}"
+    ovn_bridge_mappings: "{{ tripleo_ovn_bridge_mappings | join(', ') }}"
     ovn_static_bridge_mac_mappings: "{{ ovn_static_bridge_mac_mappings }}"

tripleo_ansible/roles/tripleo_ovn/tasks/main.yml

@@ -14,7 +14,16 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 - name: Include host prep tasks
-  include_tasks: install.yml
+  import_tasks: install.yml
 
-- name: Include external deploy tasks
-  include_tasks: externaldeploy.yml
+- name: Include bootstrap tasks
+  import_tasks: bootstrap.yml
+
+- name: Configure OVS
+  import_tasks: configure.yml
+
+- name: Ensure ovn_controller is running
+  import_tasks: run.yml
+
+- name: Cleanup unwanted OVS keys
+  import_tasks: cleanup.yml

tripleo_ansible/roles/tripleo_ovn/tasks/run.yml

@@ -0,0 +1,25 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run ovn_controller container
+  include_role:
+    name: tripleo_container_standalone
+  vars:
+    tripleo_container_standalone_service: ovn_controller
+    tripleo_container_standalone_container_defs:
+      ovn_controller: "{{ lookup('template', 'ovn_controller.yaml.j2') | from_yaml }}"
+    tripleo_container_standalone_kolla_config_files:
+      ovn_controller: "{{ lookup('template', 'kolla_ovn_controller.yaml.j2') | from_yaml }}"

tripleo_ansible/roles/tripleo_ovn/templates/kolla_ovn_controller.yaml.j2

@@ -0,0 +1,8 @@
+command: "/usr/bin/ovn-controller --pidfile --log-file unix:/run/openvswitch/db.sock {% if tripleo_enable_internal_tls | bool %} -p /etc/pki/tls/private/ovn_controller.key -c /etc/pki/tls/certs/ovn_controller.crt -C {{ tripleo_internal_tls_ca_file }} {% endif %}"
+permissions:
+  - path: /var/log/openvswitch
+    owner: root:root
+    recurse: true
+  - path: /var/log/ovn
+    owner: root:root
+    recurse: true

tripleo_ansible/roles/tripleo_ovn/templates/ovn_controller.yaml.j2

@@ -0,0 +1,27 @@
+start_order: 1
+image: "{{ tripleo_ovn_controller_image }}"
+net: host
+privileged: true
+user: root
+restart: always
+depends_on:
+  - openvswitch.service
+{% if tripleo_ovn_cpu_set|default(false) %}
+cpuset_cpus: "{{ tripleo_ovn_cpu_set }}"
+{% endif -%}
+healthcheck:
+  test: '/openstack/healthcheck {{ tripleo_ovn_sb_server_port }}'
+volumes:
+  {% set tripleo_ovn_controller_volumes = [] %}
+  {%- set tripleo_ovn_controller_volumes =
+          tripleo_ovn_controller_volumes +
+          tripleo_ovn_controller_common_volumes %}
+  {%- if tripleo_enable_internal_tls|bool -%}
+  {%- set tripleo_ovn_controller_volumes =
+         tripleo_ovn_controller_volumes +
+         tripleo_ovn_controller_common_volumes +
+         tripleo_ovn_controller_tls_volumes -%}
+  {% endif %}
+  {{ tripleo_ovn_controller_volumes }}
+environment:
+  KOLLA_CONFIG_STRATEGY: COPY_ALWAYS

zuul.d/molecule.yaml

@@ -53,6 +53,7 @@
       - tripleo-ansible-centos-stream-molecule-tripleo_nova_image_cache
       - tripleo-ansible-centos-stream-molecule-tripleo_nova_libvirt
       - tripleo-ansible-centos-stream-molecule-tripleo_nvdimm
+      - tripleo-ansible-centos-stream-molecule-tripleo_ovn
       - tripleo-ansible-centos-stream-molecule-tripleo_ovn_cluster
       - tripleo-ansible-centos-stream-molecule-tripleo_ovs_dpdk
       - tripleo-ansible-centos-stream-molecule-tripleo_packages
@@ -126,6 +127,7 @@
       - tripleo-ansible-centos-stream-molecule-tripleo_nova_image_cache
       - tripleo-ansible-centos-stream-molecule-tripleo_nova_libvirt
       - tripleo-ansible-centos-stream-molecule-tripleo_nvdimm
+      - tripleo-ansible-centos-stream-molecule-tripleo_ovn
       - tripleo-ansible-centos-stream-molecule-tripleo_ovn_cluster
       - tripleo-ansible-centos-stream-molecule-tripleo_ovs_dpdk
       - tripleo-ansible-centos-stream-molecule-tripleo_packages
@@ -198,6 +200,7 @@
       - tripleo-ansible-centos-stream-molecule-tripleo_nova_image_cache
       - tripleo-ansible-centos-stream-molecule-tripleo_nova_libvirt
       - tripleo-ansible-centos-stream-molecule-tripleo_nvdimm
+      - tripleo-ansible-centos-stream-molecule-tripleo_ovn
       - tripleo-ansible-centos-stream-molecule-tripleo_ovn_cluster
       - tripleo-ansible-centos-stream-molecule-tripleo_ovs_dpdk
       - tripleo-ansible-centos-stream-molecule-tripleo_packages
@@ -593,6 +596,13 @@
     parent: tripleo-ansible-centos-stream-base
     vars:
       tripleo_role_name: tripleo_nvdimm
+- job:
+    files:
+    - ^tripleo_ansible/roles/tripleo_ovn/(?!meta).*
+    name: tripleo-ansible-centos-stream-molecule-tripleo_ovn
+    parent: tripleo-ansible-centos-stream-base
+    vars:
+      tripleo_role_name: tripleo_ovn
 - job:
     files:
     - ^tripleo_ansible/roles/tripleo_ovn_cluster/(?!meta).*