[stable/zed] feat: add neutron_policy_server support (#1489)
Depends-On vexxhost/neutron-policy-server#1
Reviewed-by: Mohammed Naser mnaser@vexxhost.com
diff --git a/roles/defaults/vars/main.yml b/roles/defaults/vars/main.yml
index 2a506fa..f9f18cc 100644
--- a/roles/defaults/vars/main.yml
+++ b/roles/defaults/vars/main.yml
@@ -142,6 +142,7 @@
neutron_server: "registry.atmosphere.dev/library/neutron:{{ atmosphere_release }}"
neutron_sriov_agent_init: "registry.atmosphere.dev/library/neutron:{{ atmosphere_release }}"
neutron_sriov_agent: "registry.atmosphere.dev/library/neutron:{{ atmosphere_release }}"
+ neutron_policy_server: "registry.atmosphere.dev/library/neutron:{{ atmosphere_release }}"
node_feature_discovery: registry.k8s.io/nfd/node-feature-discovery:v0.11.2
nova_api: "registry.atmosphere.dev/library/nova:{{ atmosphere_release }}"
nova_archive_deleted_rows: "registry.atmosphere.dev/library/nova:{{ atmosphere_release }}"
diff --git a/roles/neutron/defaults/main.yml b/roles/neutron/defaults/main.yml
index c304bb8..1cb4215 100644
--- a/roles/neutron/defaults/main.yml
+++ b/roles/neutron/defaults/main.yml
@@ -27,3 +27,7 @@
# Enable dns integration
neutron_designate_integration_enabled: false
+
+# Enable neutron policy server to force external
+# policy check neutron port and address pairs actions.
+neutron_policy_server_integration_enabled: true
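Review bot: The new flag defaults to `true`, which turns on the policy-server integration for every existing deployment on upgrade, and the comment above it does not say what actually changes; a reader cannot tell from "force external policy check neutron port and address pairs actions" which API calls are affected. I would reword it to `# Route Neutron port delete/update policy checks through the neutron-policy-server sidecar (external policy check). Set to false to keep the in-tree policy rules.` so the behavioural consequence of the default is visible where the variable is defined. If the opt-in default is not intended for the stable branch, `false` would be the conservative choice, but that is a product decision rather than a defect.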
diff --git a/roles/neutron/tasks/main.yml b/roles/neutron/tasks/main.yml
index dbdb4ab..44beec9 100644
--- a/roles/neutron/tasks/main.yml
+++ b/roles/neutron/tasks/main.yml
@@ -50,6 +50,11 @@
ansible.builtin.set_fact:
_neutron_helm_values: "{{ _neutron_helm_values | combine(__neutron_ovn_helm_values, recursive=True) }}"
+- name: Append Helm values (neutron_policy_server)
+ when: neutron_policy_server_integration_enabled | bool
+ ansible.builtin.set_fact:
+ _neutron_helm_values: "{{ _neutron_helm_values | combine(__neutron_policy_server_helm_values, recursive=True) }}"
+
- name: Deploy Helm chart
run_once: true
kubernetes.core.helm:
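Review bot: The `when: neutron_policy_server_integration_enabled | bool` guard only gates the policy rules in `__neutron_policy_server_helm_values`, while the sidecar itself is switched on unconditionally in `roles/neutron/vars/main.yml` (`pod.sidecars.neutron_policy_server: true` in the base `_neutron_helm_values`), so disabling the flag still deploys and runs the policy-server container without anything pointing at it. Moving the toggle into the gated values keeps the two in step: drop the two `sidecars:` lines from the base values and add `pod:` / `  sidecars:` / `    neutron_policy_server: true` alongside `conf:` in `__neutron_policy_server_helm_values`. The same inconsistency is what the first hunk of `roles/neutron/vars/main.yml` introduces; the `combine(..., recursive=True)` here will merge the nested `pod` key correctly, as it already does for the OVN values on the line above.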
diff --git a/roles/neutron/vars/main.yml b/roles/neutron/vars/main.yml
index 0a929c3..9aa30aa 100644
--- a/roles/neutron/vars/main.yml
+++ b/roles/neutron/vars/main.yml
@@ -22,6 +22,8 @@
pod:
replicas:
server: 3
+ sidecars:
+ neutron_policy_server: true
conf:
neutron:
DEFAULT:
@@ -99,3 +101,10 @@
daemonset_metadata_agent: false
daemonset_ovn_metadata_agent: true
daemonset_ovs_agent: false
+
+__neutron_policy_server_helm_values:
+ conf:
+ policy:
+ delete_port: "((rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or role:member and project_id:%(project_id)s) and http://neutron-server:9697/port-delete"
+ update_port:mac_address: "((rule:admin_only) or (rule:service_api)) and http://neutron-server:9697/port-update"
+ update_port:fixed_ips: "((rule:admin_only) or (rule:service_api) or role:member and rule:network_owner) and http://neutron-server:9697/port-update"
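Review bot: The three external checks use plain `http://neutron-server:9697/...` URLs, and an oslo.policy `http:` check POSTs the caller's credentials and the port target to that endpoint and trusts the body it gets back; that is only safe if `neutron-server:9697` reaches the pod-local sidecar enabled by `pod.sidecars.neutron_policy_server`, and the Service-style hostname suggests the request may instead traverse the cluster network unauthenticated and unencrypted — worth confirming and recording in a comment above `__neutron_policy_server_helm_values`, or moving to an `https:` check once the sidecar can serve TLS. Separately, the `delete_port` rule mixes `and`/`or` without parentheses around the member terms and relies on `and` binding tighter; `(role:member and rule:network_owner) or (role:member and project_id:%(project_id)s)` makes the precedence explicit and matches the parenthesised admin/service terms. The `update_port:mac_address` and `update_port:fixed_ips` keys contain a colon and parse only because no space follows it; quoting them, e.g. `"update_port:mac_address": "..."`, removes the dependence on that detail.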