[stable/2024.1] feat: add neutron_policy_server support (#1486)
Depends-On https://github.com/vexxhost/neutron-policy-server/pull/1

Closes #1482
diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml
index bafab73..9c477c6 100644
--- a/roles/defaults/vars/main.yml
+++ b/roles/defaults/vars/main.yml
@@ -143,6 +143,7 @@
neutron_rpc_server: "registry.atmosphere.dev/library/neutron:{{ atmosphere_release }}"
neutron_sriov_agent_init: "registry.atmosphere.dev/library/neutron:{{ atmosphere_release }}"
neutron_sriov_agent: "registry.atmosphere.dev/library/neutron:{{ atmosphere_release }}"
+ neutron_policy_server: "registry.atmosphere.dev/library/neutron:{{ atmosphere_release }}"
node_feature_discovery: registry.k8s.io/nfd/node-feature-discovery:v0.15.4
nova_api: "registry.atmosphere.dev/library/nova:{{ atmosphere_release }}"
nova_archive_deleted_rows: "registry.atmosphere.dev/library/nova:{{ atmosphere_release }}"
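Review bot: The new `neutron_policy_server` key breaks the alphabetical order the surrounding image map keeps; it belongs between `neutron_metadata_*`/`neutron_ovn_*` entries and `neutron_rpc_server`, i.e. before line `neutron_rpc_server: …` rather than after `neutron_sriov_agent`. The value reuses the neutron image tag, which presumably means the policy server is packaged into that image via the Depends-On change; a one-line comment such as `# neutron-policy-server is shipped inside the neutron image` above the key would save the next reader from checking.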
diff --git a/roles/neutron/defaults/main.yml b/roles/neutron/defaults/main.yml
index c304bb8..1cb4215 100644
--- a/roles/neutron/defaults/main.yml
+++ b/roles/neutron/defaults/main.yml
@@ -27,3 +27,7 @@
# Enable dns integration
neutron_designate_integration_enabled: false
+
+# Enable neutron policy server to force external
+# policy check neutron port and address pairs actions.
+neutron_policy_server_integration_enabled: true
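Review bot: The added flag defaults to `true` on a stable branch, so every existing deployment picks up the external HTTP policy check for port delete/update on its next run of the role; if that is intended the comment should say so, otherwise a `false` default with an opt-in is the safer backport. The comment itself is hard to parse ("force external policy check neutron port and address pairs actions"); suggested wording: `# Run the neutron policy server sidecar and route the port delete/update policy checks through it (see __neutron_policy_server_helm_values in vars/main.yml).`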
diff --git a/roles/neutron/tasks/main.yml b/roles/neutron/tasks/main.yml
index aae6b5c..eabe333 100644
--- a/roles/neutron/tasks/main.yml
+++ b/roles/neutron/tasks/main.yml
@@ -26,6 +26,11 @@
ansible.builtin.set_fact:
_neutron_helm_values: "{{ _neutron_helm_values | combine(__neutron_ovn_helm_values, recursive=True) }}"
+- name: Append Helm values (neutron_policy_server)
+ when: neutron_policy_server_integration_enabled | bool
+ ansible.builtin.set_fact:
+ _neutron_helm_values: "{{ _neutron_helm_values | combine(__neutron_policy_server_helm_values, recursive=True) }}"
+
- name: Deploy Helm chart
run_once: true
kubernetes.core.helm:
diff --git a/roles/neutron/vars/main.yml b/roles/neutron/vars/main.yml
index 98a66e2..fc58750 100644
--- a/roles/neutron/vars/main.yml
+++ b/roles/neutron/vars/main.yml
@@ -23,6 +23,8 @@
replicas:
server: 3
rpc_server: 3
+ sidecars:
+ neutron_policy_server: true
conf:
neutron:
DEFAULT:
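Review bot: `sidecars.neutron_policy_server: true` is added to what appears to be the unconditional base Helm values (the enclosing mapping starts outside the hunk), while the policy rules that use the sidecar are only merged in when `neutron_policy_server_integration_enabled` is true (tasks/main.yml hunk); with the flag set to false the sidecar is still deployed but nothing talks to it. Gate it on the same flag, e.g. `neutron_policy_server: "{{ neutron_policy_server_integration_enabled | bool }}"`, or move the `sidecars` stanza into `__neutron_policy_server_helm_values` so one switch controls both.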
@@ -101,3 +103,10 @@
daemonset_ovn_metadata_agent: true
daemonset_ovs_agent: false
deployment_rpc_server: false
+
+__neutron_policy_server_helm_values:
+ conf:
+ policy:
+ delete_port: "((rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or role:member and project_id:%(project_id)s) and http://neutron-server:9697/port-delete"
+ update_port:mac_address: "((rule:admin_only) or (rule:service_api)) and http://neutron-server:9697/port-update"
+ update_port:fixed_ips: "((rule:admin_only) or (rule:service_api) or role:member and rule:network_owner) and http://neutron-server:9697/port-update"
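Review bot: The endpoint `http://neutron-server:9697/…` is hard-coded three times in these rules; hoist it into a variable (e.g. `neutron_policy_server_url: "http://neutron-server:9697"` in defaults/main.yml, referenced as `"… and {{ neutron_policy_server_url }}/port-delete"`) so the host, port and scheme can be changed in one place. Because an `http:` policy check posts the request target and caller credentials to that URL, it is worth a comment stating that the address is expected to resolve only to the in-pod/in-cluster sidecar and that the check fails closed when the server does not answer `True`; the exact behaviour on an unreachable endpoint should be confirmed against the policy library in use and documented next to these rules. The keys `update_port:mac_address` and `update_port:fixed_ips` parse as plain scalars here, but quoting them (`"update_port:mac_address":`) would make the embedded colon unambiguous to readers and linters.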