Deprecate old NeutronFirewallDriver option

This option was used to configure firewall driver in the neutron server's config. That isn't really used in Neutron since around Newton release as since Newton agents are reporting to the server what firewall driver they are using and that is used in neutron ML2 plugin. Firewall driver can be configured on the agent's side using ``NeutronOVSFirewallDriver`` option which is still here. Neutron removes usage of this option on the server side with patch https://review.opendev.org/#/c/726351/ Change-Id: Ifd1527503926b9f86ed567d9396e696d86457715 (cherry picked from commit d9bae4c556)
2020-05-15 15:31:11 +02:00 · 2020-05-15 15:31:11 +02:00 · 7436ab8db3
parent 9e751c820d
commit 7436ab8db3
3 changed files with 21 additions and 6 deletions
--- a/deployment/neutron/neutron-plugin-ml2.yaml
+++ b/deployment/neutron/neutron-plugin-ml2.yaml
@ -72,10 +72,6 @@ parameters:
    default: 'geneve'
    description: The tenant network type for Neutron.
    type: comma_delimited_list
-  NeutronFirewallDriver:
-    description: Firewall driver for realizing neutron security group function
-    type: string
-    default: 'iptables_hybrid'
  NeutronOverlayIPVersion:
    default: 4
    description: IP version used for all overlay network endpoints.
@ -103,6 +99,14 @@ parameters:
        administratively prohibited by the SR-IOV mechanism driver.
    type: comma_delimited_list
    default: ""
+  # DEPRECATED: the NeutronFirewallDriver option is deprecated and is currently
+  # maintained for backwards compatibility. It has no any effect on the
+  # deployment and will be removed in the W release.
+  # Please use NeutronOVSFirewallDriver to configure driver in the ovs agent.
+  NeutronFirewallDriver:
+    description: Firewall driver for realizing neutron security group function
+    type: string
+    default: ''

 parameter_groups:
 - label: deprecated
@ -145,7 +149,6 @@ outputs:
            neutron::plugins::ml2::tunnel_id_ranges: {get_param: NeutronTunnelIdRanges}
            neutron::plugins::ml2::vni_ranges: {get_param: NeutronVniRanges}
            neutron::plugins::ml2::tenant_network_types: {get_param: NeutronNetworkType}
-            neutron::plugins::ml2::firewall_driver: {get_param: NeutronFirewallDriver}
            neutron::plugins::ml2::ovs_driver::vnic_type_blacklist: {get_param: NeutronOvsVnicTypeBlacklist}
            neutron::plugins::ml2::sriov_driver::vnic_type_blacklist: {get_param: NeutronSriovVnicTypeBlacklist}
            neutron::plugins::ml2::overlay_ip_version:
--- a/environments/undercloud.yaml
+++ b/environments/undercloud.yaml
@ -153,7 +153,7 @@ parameter_defaults:
  NeutronMechanismDrivers: ['openvswitch', 'baremetal']
  NeutronNetworkVLANRanges: 'physnet1:1000:2999'
  NeutronPluginExtensions: port_security,dns_domain_ports
-  NeutronFirewallDriver: ''
+  NeutronOVSFirewallDriver: ''
  NeutronNetworkType: ['local','flat','vlan','gre','vxlan']
  NeutronTunnelIdRanges: '20:100'
  NeutronTypeDrivers: ['local','flat','vlan','gre','vxlan']
--- a/releasenotes/notes/Remove-NeutronFirewallDriver-option-f4289b404abcc0b3.yaml
+++ b/releasenotes/notes/Remove-NeutronFirewallDriver-option-f4289b404abcc0b3.yaml
@ -0,0 +1,12 @@
+---
+deprecations:
+  - |
+    Usage of the option ``NeutronFirewallDriver`` which was used to set
+    ``firewall_driver`` config option in the Neutron server's config is now
+    deprecated.
+    Firewall driver should be set per agent in the agent's config.
+    It can be done using ``NeutronOVSFirewallDriver`` option.
+    Option in the Neutron server was in there just for backward
+    compatybility reasons but since Newton release all Neutron agents are
+    reporting to the server what firewall driver is used so there is no need to
+    keep this legacy, server side option anymore.