Create external bridge on Compute nodes by default for OVN with DVR

OVN is used by default, which includes DVR and requires a Neutron
external network bridge on the Compute nodes. This change adds the
tag 'external_bridge' to the Controller roles and modifies the
overcloud-resource-registry-puppet.j2.yaml file to set the default
NIC configuration to net-config-bridge.yaml when this tag is set.
This will cause both Controller and Compute nodes to have an
external bridge by default if no specific NIC configuration files
are specified for both roles since the 'external_bridge' tag is set
in roles_data.yaml.

This change also stops using net-config-bridge.yaml when the role
includes the 'controller' tag, since the 'external_bridge' tag is
used instead. A release note explains the change. This change is
being backported from the Victoria master branch.

Closes-bug: 1890337
Change-Id: I69c32d33a516c629303e87c8e9a0e4b8fe58c669
(cherry picked from commit bc5b6133f1)

network/config/multiple-nics-vlans/role.role.j2.yaml

@@ -42,7 +42,7 @@ parameters:
       guaranteed to pass through the data path of the segments in the network.
       (The parameter is automatically resolved from the ctlplane network's mtu attribute.)
     type: number
-{% for network in networks if network.enabled|default(true) and network.name in role.networks %}
+{% for network in networks if network.enabled|default(true) and network.name in _role_networks %}
   {{network.name}}IpSubnet:
     default: ''
     description: IP address/subnet on the {{network.name_lower}} network
@@ -74,7 +74,7 @@ parameters:
       from the subnet host_routes attribute.
     type: json
 {%- endfor %}
-{% for network in networks if network.name == "External" and 'external_bridge' in role.tags and not network.name in role.networks %}
+{% for network in networks if network.name == "External" and 'external_bridge' in role.tags and not network.name in _role_networks %}
   {{network.name}}Mtu:
     default: {{network.mtu|default('1500')}}
     description: The maximum transmission unit (MTU) size(in bytes) that is

network/config/multiple-nics/role.role.j2.yaml

@@ -42,7 +42,7 @@ parameters:
       guaranteed to pass through the data path of the segments in the network.
       (The parameter is automatically resolved from the ctlplane network's mtu attribute.)
     type: number
-{% for network in networks if network.enabled|default(true) and network.name in role.networks %}
+{% for network in networks if network.enabled|default(true) and network.name in _role_networks %}
   {{network.name}}IpSubnet:
     default: ''
     description: IP address/subnet on the {{network.name_lower}} network
@@ -74,7 +74,7 @@ parameters:
       from the subnet host_routes attribute.
     type: json
 {%- endfor %}
-{% for network in networks if network.name == "External" and 'external_bridge' in role.tags and not network.name in role.networks %}
+{% for network in networks if network.name == "External" and 'external_bridge' in role.tags and not network.name in _role_networks %}
   {{network.name}}Mtu:
     default: {{network.mtu|default('1500')}}
     description: The maximum transmission unit (MTU) size(in bytes) that is
@@ -156,7 +156,7 @@ resources:
 {%-             endif %}
 {%-         endif %}
 {#- We need bridge also for ComputeDVR and Computes with OVN #}
-{%-     elif network.name in role.networks or 'external_bridge' in role.tags %}
+{%-     elif network.name in _role_networks or 'external_bridge' in role.tags %}
               - type: ovs_bridge
 {%-         if network.name == "External" %}
                 name: bridge_name

overcloud-resource-registry-puppet.j2.yaml

@@ -19,13 +19,14 @@ resource_registry:
   {%- for network in networks if network.enabled|default(true) and network.name in role.networks|default([]) %}
   OS::TripleO::{{role.name}}::Ports::{{network.name}}Port: network/ports/noop.yaml
   {%- endfor %}
+  {%- if 'external_bridge' in role.tags %}
+  # Create Neutron external bridge for floating IPs and/or SNAT
+  OS::TripleO::{{role.name}}::Net::SoftwareConfig: net-config-bridge.yaml
+  {%- else %}
   OS::TripleO::{{role.name}}::Net::SoftwareConfig: net-config-noop.yaml
+  {%- endif %}
 {% endfor %}
 
-  # This resource registry entry will override the one generated by default
-  # in the jinja loop
-  OS::TripleO::Controller::Net::SoftwareConfig: net-config-bridge.yaml
-
 {% for role in roles %}
   OS::TripleO::{{role.name}}ServiceServerMetadataHook: OS::Heat::None
 {%- endfor %}

releasenotes/notes/external-bridge-by-default-on-compute-f3ff6bf46ab80640.yaml

@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    This change updates the multiple-nics and multiple-nics-vlans templates so
+    that an external bridge is created if either the role uses the External
+    network or the "external_bridge" tag is set in the role definition. This
+    is done instead of checking if the role name is "Controller". This
+    change also assigns the "external_bridge" tag to the Controller as well
+    as the Compute roles so that both roles can access the Neutron external
+    bridge for floating IPs or SNAT by default so that OVN can use DVR.
+upgrade:
+  - |
+    The "external_bridge" tag is now used for the Compute node. An external
+    network bridge is required on the compute nodes in order to host floating
+    IPs when using DVR. OVN deploys with DVR by default.

roles/Controller.yaml

@@ -9,6 +9,9 @@
   tags:
     - primary
     - controller
+    # Create external Neutron bridge for SNAT (and floating IPs when using
+    # ML2/OVS without DVR)
+    - external_bridge
   networks:
     External:
       subnet: external_subnet

roles_data.yaml

@@ -12,6 +12,9 @@
   tags:
     - primary
     - controller
+    # Create external Neutron bridge for SNAT (and floating IPs when using
+    # ML2/OVS without DVR)
+    - external_bridge
   networks:
     External:
       subnet: external_subnet