Add support for ovn bgp agent

Conflict:
    deployment/frr/frr-container-ansible.yaml

Depends-On: https://review.opendev.org/c/openstack/tripleo-ansible/+/834144
Change-Id: Iba6492dad085cec94a93acf119666b0d5c67306e
Co-Authored-By: Carlos Goncalves <cgoncalves@redhat.com>
Co-Authored-By: Luis Tomas Bolivar <ltomasbo@redhat.com>
(cherry picked from commit 0fa959acb8)
This commit is contained in:
Michele Baldessari 2021-04-09 17:25:31 +02:00 committed by Luis Tomas Bolivar
parent 89f6aec9c3
commit 5096c4757f
2 changed files with 178 additions and 2 deletions


@ -7,6 +7,9 @@ parameters:
ContainerFrrImage:
description: The container image for Frr
type: string
ContainerOvnBgpAgentImage:
description: The container image for the BGP Agent
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
@ -30,6 +33,24 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
OvnBgpAgentCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
FrrBfdEnabled:
default: false
description: Enable Bidirectional Forwarding Detection
@ -136,10 +157,56 @@ parameters:
description: Either peer with internal (iBGP) or external (eBGP) neighbors.
constraints:
- allowed_values: ['internal', 'external']
NeutronBridgeMappings:
description: >
The OVS logical->physical bridge mappings to use. See the Neutron
documentation for details. Defaults to mapping br-ex - the external
bridge on hosts - to a physical name 'datacentre' which can be used
to create provider networks (and we use this for the default floating
network) - if changing this either use different post-install network
scripts or be sure to keep 'datacentre' as a mapping network name.
type: comma_delimited_list
default: "datacentre:br-ex"
tags:
- role_specific
FrrOvnBgpAgentDriver:
description: >
Configures how VM IPs are advertised via BGP. EVPN driver exposes VM IPs
on provider networks and FIPs associated to VMs on tenant networks via
MP-BGP IPv4 and IPv6 unicast. BGP driver exposes VM IPs on the tenant
networks via MP-BGP EVPN VXLAN.
type: string
default: 'ovn_evpn_driver'
constraints:
- allowed_values: [ 'ovn_bgp_driver', 'ovn_evpn_driver' ]
tags:
- role_specific
FrrOvnBgpAgentExposeTenantNetworks:
description: >
Exposes VM IPs on tenant networks via MP-BGP IPv4 and IPv6 unicast.
Requires the BGP driver (see THT parameter FrrOvnBgpAgentDriver).
type: boolean
default: false
FrrOvnBgpAgentAsn:
default: 64999
description: >
Autonomous System Number to be used by the agent when running in BGP
mode.
type: number
FrrOvnBgpAgentOvsdbConnection:
default: 'tcp:127.0.0.1:6640'
description: >
The connection string for the native OVSDB backend. Use tcp:IP:PORT
for TCP connection.
type: string
conditions:
key_size_override_set:
not: {equals: [{get_param: OvnBgpAgentCertificateKeySize}, '']}
outputs:
role_data:
description: Role data for the FRR service
description: Role data for the FRR and OVN BGP Agent services
value:
service_name: frr
config_settings:
@ -181,7 +248,34 @@ outputs:
- path: /run/frr
owner: frr:frrvty
recurse: true
/var/lib/kolla/config_files/ovn_bgp_agent.json:
command: /usr/bin/ovn-bgp-agent --config-dir /etc/ovn-bgp-agent
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /etc/ovn-bgp-agent
owner: neutron:neutron
recurse: true
- path: /var/log/ovn-bgp-agent
owner: neutron:neutron
recurse: true
- path: /etc/pki/tls/certs/ovn_bgp_agent.crt
owner: neutron:neutron
optional: true
perm: '0644'
- path: /etc/pki/tls/private/ovn_bgp_agent.key
owner: neutron:neutron
optional: true
perm: '0640'
metadata_settings:
if:
- {get_param: EnableInternalTLS}
- - service: ovn_bgp_agent
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
type: node
docker_config:
# NOTE: Create container-startup-config file in step 0 so that TripleO
# does not auto-start the FRR container (it does so for containers in
@ -217,6 +311,76 @@ outputs:
- /run/frr:/run/frr:shared,z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
step_5:
ovn_bgp_agent:
start_order: 0
image: {get_param: ContainerOvnBgpAgentImage}
net: host
pid: host
cgroupns: host
restart: always
privileged: true
healthcheck:
test: /openstack/healthcheck
# We cannot bind mount the InternalTLSCAFile as freeipa might not
# be reachable without frr
volumes:
list_concat:
-
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
- /dev/log:/dev/log
- /etc/iproute2:/etc/iproute2
# OpenSSL trusted CAs
- /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
- /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro
- /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
- /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
- /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
- /var/lib/kolla/config_files/ovn_bgp_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/ansible-generated/ovn-bgp-agent:/var/lib/kolla/config_files/src:ro
- /run/frr:/run/frr:shared,z
- /run/openvswitch:/run/openvswitch:shared,z
- if:
- {get_param: EnableInternalTLS}
-
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- /etc/pki/tls/certs/ovn_bgp_agent.crt:/etc/pki/tls/certs/ovn_bgp_agent.crt
- /etc/pki/tls/private/ovn_bgp_agent.key:/etc/pki/tls/private/ovn_bgp_agent.key
- null
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
deploy_steps_tasks:
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ovn_bgp_agent
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_bgp_agent/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_set
- {get_param: OvnBgpAgentCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
host_prep_tasks:
- name: create persistent directories
file:
@ -228,6 +392,8 @@ outputs:
- { 'path': /var/log/containers/frr, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/config-data/ansible-generated/frr, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /run/frr, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/ovn-bgp-agent, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/config-data/ansible-generated/ovn-bgp-agent, 'setype': container_file_t, 'mode': '0750' }
pre_deploy_step_tasks:
- name: Configure FRR
import_role:
@ -253,6 +419,12 @@ outputs:
tripleo_frr_bgp_l2vpn_uplink_activate: {get_param: FrrBgpL2VpnUplinkActivate}
tripleo_frr_bgp_l2vpn_peers: {get_param: FrrBgpL2VpnPeers}
tripleo_frr_bgp_l2vpn_peers_scope: {get_param: FrrBgpL2vpnPeersScope}
tripleo_frr_ovn_bgp_agent_bridge_mappings: {get_param: NeutronBridgeMappings}
tripleo_frr_ovn_bgp_agent_internal_tls_enable: {get_param: EnableInternalTLS}
tripleo_frr_ovn_bgp_agent_driver: {get_param: FrrOvnBgpAgentDriver}
tripleo_frr_ovn_bgp_agent_expose_tenant_networks: {get_param: FrrOvnBgpAgentExposeTenantNetworks}
tripleo_frr_ovn_bgp_agent_bgp_as: {get_param: FrrOvnBgpAgentAsn}
tripleo_frr_ovn_bgp_agent_ovsdb_connection: {get_param: FrrOvnBgpAgentOvsdbConnection}
- name: Start FRR
include_role:
name: tripleo_container_manage
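Review bot: The new step_5 `ovn_bgp_agent` container is started with `privileged: true` together with `net: host`, `pid: host` and `cgroupns: host`, and nothing in the template records why that level of host access is required, which makes it hard for a later maintainer to tell whether a narrower capability set would do. Presumably the agent must program routes and rules in the host network namespace — please confirm — and record it above `privileged: true` as `# privileged + host net/pid/cgroup namespaces: the agent programs host routing state; revisit if a capability set suffices`. Separately, the comment `# We cannot bind mount the InternalTLSCAFile as freeipa might not be reachable without frr` sits directly above a `volumes` list whose `EnableInternalTLS` branch does bind-mount `InternalTLSCAFile` read-only, so either the comment is stale or it is describing a different constraint and should be reworded to say which. The TLS private key is mounted with `perm: '0640'` and owner `neutron:neutron` in the kolla config, which is appropriate; the enclosing `outputs` mapping begins and ends outside the shown hunks.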


@ -7,3 +7,7 @@ parameter_defaults:
# that early in the deployment (i.e. BGP needs to be up and functional for that to work)
ValidateControllersIcmp: false
ValidateGatewaysIcmp: false
# Needed for the BGP Agent
KernelIpForward: 1
KernelIpv6ConfAllForwarding: 1
KernelIpv4ConfAllRpFilter: 2
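Review bot: `KernelIpv4ConfAllRpFilter: 2` switches the host to loose reverse-path filtering and the two forwarding keys turn on IPv4/IPv6 forwarding for every interface, but the comment `# Needed for the BGP Agent` does not say which agent behaviour depends on each, so an operator cannot judge the hardening trade-off or know when it can be reverted. Presumably forwarding is needed because the agent steers traffic for advertised VM IPs through the host and loose rp_filter tolerates the asymmetric paths that produces — confirm with the agent authors. Suggest expanding the comment to one line per sysctl, e.g. `# BGP agent: host must forward traffic for advertised VM IPs (all-interface forwarding) and accept asymmetric return paths (rp_filter=2, loose); host-wide setting, review before reuse`.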