commit d70a69169cdffe7fd37b5c462d6f14aeb35421d6
author Mohammed Naser <mnaser@vexxhost.com> Wed Jul 03 00:09:44 2024 -0400
committer GitHub <noreply@github.com> Wed Jul 03 04:09:44 2024 +0000
tree 52928065876af2779ad9dac3feac4e10c27e6532
parent af55d7a127d15ef852efbe4064cf923d699184ea

[stable/2024.1] feat: add neutron_policy_server support (#1486)

Depends-On https://github.com/vexxhost/neutron-policy-server/pull/1\n\nCloses #1482

roles/neutron/defaults/main.yml

diff --git a/roles/neutron/defaults/main.yml b/roles/neutron/defaults/main.yml
index c304bb8..1cb4215 100644
--- a/roles/neutron/defaults/main.yml
+++ b/roles/neutron/defaults/main.yml
@@ -27,3 +27,7 @@
 
 # Enable dns integration
 neutron_designate_integration_enabled: false
+
+# Enable neutron policy server to force external
+# policy check neutron port and address pairs actions.
+neutron_policy_server_integration_enabled: true

roles/neutron/tasks/main.yml

diff --git a/roles/neutron/tasks/main.yml b/roles/neutron/tasks/main.yml
index aae6b5c..eabe333 100644
--- a/roles/neutron/tasks/main.yml
+++ b/roles/neutron/tasks/main.yml
@@ -26,6 +26,11 @@
   ansible.builtin.set_fact:
     _neutron_helm_values: "{{ _neutron_helm_values | combine(__neutron_ovn_helm_values, recursive=True) }}"
 
+- name: Append Helm values (neutron_policy_server)
+  when: neutron_policy_server_integration_enabled | bool
+  ansible.builtin.set_fact:
+    _neutron_helm_values: "{{ _neutron_helm_values | combine(__neutron_policy_server_helm_values, recursive=True) }}"
+
 - name: Deploy Helm chart
   run_once: true
   kubernetes.core.helm:

roles/neutron/vars/main.yml

diff --git a/roles/neutron/vars/main.yml b/roles/neutron/vars/main.yml
index 98a66e2..fc58750 100644
--- a/roles/neutron/vars/main.yml
+++ b/roles/neutron/vars/main.yml
@@ -23,6 +23,8 @@
     replicas:
       server: 3
       rpc_server: 3
+    sidecars:
+      neutron_policy_server: true
   conf:
     neutron:
       DEFAULT:
@@ -101,3 +103,10 @@
     daemonset_ovn_metadata_agent: true
     daemonset_ovs_agent: false
     deployment_rpc_server: false
+
+__neutron_policy_server_helm_values:
+  conf:
+    policy:
+      delete_port: "((rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or role:member and project_id:%(project_id)s) and http://neutron-server:9697/port-delete"
+      update_port:mac_address: "((rule:admin_only) or (rule:service_api)) and http://neutron-server:9697/port-update"
+      update_port:fixed_ips: "((rule:admin_only) or (rule:service_api) or role:member and rule:network_owner) and http://neutron-server:9697/port-update"