From bc5b6133f1f192c7fe5330bc1fa13f8259eb9050 Mon Sep 17 00:00:00 2001 From: Dan Sneddon Date: Tue, 4 Aug 2020 14:08:01 -0700 Subject: [PATCH] Create external bridge on Compute nodes by default for OVN with DVR OVN is used by default, which includes DVR and requires a Neutron external network bridge on the Compute nodes. This change adds the tag 'external_bridge' to the Controller roles and modifies the overcloud-resource-registry-puppet.j2.yaml file to set the default NIC configuration to net-config-bridge.yaml when this tag is set. This will cause both Controller and Compute nodes to have an external bridge by default if no specific NIC configuration files are specified for both roles since the 'external_bridge' tag is set in roles_data.yaml. This change also stops using net-config-bridge.yaml when the role includes the 'controller' tag, since the 'external_bridge' tag is used instead. A release note explains the change. Closes-bug: 1890337 Change-Id: I69c32d33a516c629303e87c8e9a0e4b8fe58c669 --- .../config/multiple-nics-vlans/role.role.j2.yaml | 4 ++-- network/config/multiple-nics/role.role.j2.yaml | 6 +++--- overcloud-resource-registry-puppet.j2.yaml | 9 +++++---- ...ge-by-default-on-compute-f3ff6bf46ab80640.yaml | 15 +++++++++++++++ roles/Controller.yaml | 3 +++ roles_data.yaml | 3 +++ 6 files changed, 31 insertions(+), 9 deletions(-) create mode 100644 releasenotes/notes/external-bridge-by-default-on-compute-f3ff6bf46ab80640.yaml diff --git a/network/config/multiple-nics-vlans/role.role.j2.yaml b/network/config/multiple-nics-vlans/role.role.j2.yaml index 4e793f2979..39d2abe529 100644 --- a/network/config/multiple-nics-vlans/role.role.j2.yaml +++ b/network/config/multiple-nics-vlans/role.role.j2.yaml 
@@ -42,7 +42,7 @@ parameters: guaranteed to pass through the data path of the segments in the network. (The parameter is automatically resolved from the ctlplane network's mtu attribute.) type: number -{% for network in networks if network.enabled|default(true) and network.name in role.networks %} +{% for network in networks if network.enabled|default(true) and network.name in _role_networks %} {{network.name}}IpSubnet: default: '' description: IP address/subnet on the {{network.name_lower}} network @@ -74,7 +74,7 @@ parameters: from the subnet host_routes attribute. type: json {%- endfor %} -{% for network in networks if network.name == "External" and 'external_bridge' in role.tags and not network.name in role.networks %} +{% for network in networks if network.name == "External" and 'external_bridge' in role.tags and not network.name in _role_networks %} {{network.name}}Mtu: default: {{network.mtu|default('1500')}} description: The maximum transmission unit (MTU) size(in bytes) that is diff --git a/network/config/multiple-nics/role.role.j2.yaml b/network/config/multiple-nics/role.role.j2.yaml index 6053125d56..57a5e361cb 100644 --- a/network/config/multiple-nics/role.role.j2.yaml +++ b/network/config/multiple-nics/role.role.j2.yaml @@ -42,7 +42,7 @@ parameters: guaranteed to pass through the data path of the segments in the network. (The parameter is automatically resolved from the ctlplane network's mtu attribute.) type: number -{% for network in networks if network.enabled|default(true) and network.name in role.networks %} +{% for network in networks if network.enabled|default(true) and network.name in _role_networks %} {{network.name}}IpSubnet: default: '' description: IP address/subnet on the {{network.name_lower}} network 
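Review bot: `_role_networks` is not defined in any visible hunk, and the commit message does not mention replacing `role.networks`, so the `for` filter at line 42 depends on a `{% set %}` that has to exist earlier in this template. If that definition is missing on this branch, a lenient Jinja renderer may treat the name as empty rather than fail, and every `{{network.name}}IpSubnet` parameter would silently drop out of the generated NIC config. Please confirm the definition is present; if it is not, a line such as `{%- set _role_networks = role.networks|default([]) %}` (constructed example) near the top of the file would cover it. The same substitution is made at line 74 of this file and in the three hunks of network/config/multiple-nics/role.role.j2.yaml, and the loop bodies continue outside the hunks.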
@@ -74,7 +74,7 @@ parameters: from the subnet host_routes attribute. type: json {%- endfor %} -{% for network in networks if network.name == "External" and 'external_bridge' in role.tags and not network.name in role.networks %} +{% for network in networks if network.name == "External" and 'external_bridge' in role.tags and not network.name in _role_networks %} {{network.name}}Mtu: default: {{network.mtu|default('1500')}} description: The maximum transmission unit (MTU) size(in bytes) that is @@ -156,7 +156,7 @@ resources: {%- endif %} {%- endif %} {#- We need bridge also for ComputeDVR and Computes with OVN #} -{%- elif network.name in role.networks or 'external_bridge' in role.tags %} +{%- elif network.name in _role_networks or 'external_bridge' in role.tags %} - type: ovs_bridge {%- if network.name == "External" %} name: bridge_name diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 873746238b..32d7aa1927 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -18,13 +18,14 @@ resource_registry: {%- for network in networks if network.enabled|default(true) and network.name in role.networks|default([]) %} OS::TripleO::{{role.name}}::Ports::{{network.name}}Port: network/ports/noop.yaml {%- endfor %} + {%- if 'external_bridge' in role.tags %} + # Create Neutron external bridge for floating IPs and/or SNAT + OS::TripleO::{{role.name}}::Net::SoftwareConfig: net-config-bridge.yaml + {%- else %} OS::TripleO::{{role.name}}::Net::SoftwareConfig: net-config-noop.yaml + {%- endif %} {% endfor %} - # This resource registry entry will override the one generated by default - # in the jinja loop - OS::TripleO::Controller::Net::SoftwareConfig: net-config-bridge.yaml - {% for role in roles %} OS::TripleO::{{role.name}}ServiceServerMetadataHook: OS::Heat::None {%- endfor %} 
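Review bot: With the explicit `OS::TripleO::Controller::Net::SoftwareConfig: net-config-bridge.yaml` entry removed, a role named Controller gets the bridge config only when its definition carries the `external_bridge` tag, so a deployment rendered from an older or custom roles file without that tag falls through to `net-config-noop.yaml` with no error. The release note's upgrade section mentions only Compute nodes; it should also say that custom roles files need the tag added to Controller. Separately, the new test reads `role.tags` bare while the loop just above uses `role.networks|default([])`; writing `{%- if 'external_bridge' in role.tags|default([]) %}` keeps roles without a `tags` key rendering under a strict undefined policy.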
diff --git a/releasenotes/notes/external-bridge-by-default-on-compute-f3ff6bf46ab80640.yaml b/releasenotes/notes/external-bridge-by-default-on-compute-f3ff6bf46ab80640.yaml
new file mode 100644
index 0000000000..f3ced7f21f
--- /dev/null
+++ b/releasenotes/notes/external-bridge-by-default-on-compute-f3ff6bf46ab80640.yaml
@@ -0,0 +1,15 @@
+---
+features:
+ - |
+ This change updates the multiple-nics and multiple-nics-vlans templates so
+ that an external bridge is created if either the role uses the External
+ network or the "external_bridge" tag is set in the role definition. This
+ is done instead of checking if the role name is "Controller". This
+ change also assigns the "external_bridge" tag to the Controller as well
+ as the Compute roles so that both roles can access the Neutron external
+ bridge for floating IPs or SNAT by default so that OVN can use DVR.
+upgrade:
+ - |
+ The "external_bridge" tag is now used for the Compute node. An external
+ network bridge is required on the compute nodes in order to host floating
+ IPs when using DVR. OVN deploys with DVR by default.
diff --git a/roles/Controller.yaml b/roles/Controller.yaml
index 449dc62680..7af06e130c 100644
--- a/roles/Controller.yaml
+++ b/roles/Controller.yaml
@@ -9,6 +9,9 @@
 tags:
 - primary
 - controller
+ # Create external Neutron bridge for SNAT (and floating IPs when using
+ # ML2/OVS without DVR)
+ - external_bridge
 networks:
 External:
 subnet: external_subnet
diff --git a/roles_data.yaml b/roles_data.yaml
index 66190bc0d2..0a8dddfa3f 100644
--- a/roles_data.yaml
+++ b/roles_data.yaml
@@ -12,6 +12,9 @@
 tags:
 - primary
 - controller
+ # Create external Neutron bridge for SNAT (and floating IPs when using
+ # ML2/OVS without DVR)
+ - external_bridge
 networks:
 External:
 subnet: external_subnet
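Review bot: Neither roles hunk touches a Compute role, although the release note says the tag is assigned to "the Controller as well as the Compute roles"; both visible edits are to the entry tagged `primary` and `controller`. Presumably Compute already carries `external_bridge` on this branch, which is worth confirming, and the release note should be reworded if so. The diffstat lists only roles/Controller.yaml under roles/, so any other role file that sets `name: Controller` would also need the tag now that the registry no longer special-cases that name.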