Bring in OVN metadata agent

Change-Id: I6bf172b47c6838811f6b485cfe1da65d8a0f6170
diff --git a/.kitchen.yml b/.kitchen.yml
index 222d4e0..2b5e840 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -27,6 +27,9 @@
     - name: keystone
       repo: git
       source: https://github.com/salt-formulas/salt-formula-keystone
+    - name: oslo_templates
+      repo: git
+      source: https://github.com/salt-formulas/salt-formula-oslo-templates
   state_top:
     base:
       "*":
diff --git a/README.rst b/README.rst
index f108a5b..42ad76b 100644
--- a/README.rst
+++ b/README.rst
@@ -853,6 +853,7 @@
           ovn:
             ovn_l3_scheduler: leastloaded # valid options: chance, leastloaded
             neutron_sync_mode: repair # valid options: log, off, repair
+            metadata_enabled: True
         ovn_ctl_opts:
           db-nb-create-insecure-remote: 'yes'
           db-sb-create-insecure-remote: 'yes'
@@ -868,6 +869,13 @@
         external_access: false
         backend:
           engine: ovn
+          ovsdb_connection: tcp:127.0.0.1:6640
+        metadata:
+          enabled: true
+          ovsdb_server_iface: ptcp:6640:127.0.0.1
+          host: 10.1.0.101
+          password: unsegreto
+
 
 Neutron L2 Gateway
 ----------------
diff --git a/metadata/service/compute/ovn/single.yml b/metadata/service/compute/ovn/single.yml
index 4697876..1665ac8 100644
--- a/metadata/service/compute/ovn/single.yml
+++ b/metadata/service/compute/ovn/single.yml
@@ -18,6 +18,12 @@
       external_bridge: ${_param:ovn_external_bridge}
       backend:
         engine: ovn
+        ovsdb_connection: tcp:127.0.0.1:6640
+      metadata:
+        enabled: true
+        ovsdb_server_iface: ptcp:6640:127.0.0.1
+        host: ${_param:cluster_vip_address}
+        password: ${_param:metadata_password}
       logging:
         log_appender: ${_param:openstack_log_appender}
         log_handlers:
diff --git a/neutron/agents/ovn_metadata.sls b/neutron/agents/ovn_metadata.sls
new file mode 100644
index 0000000..f2e755b
--- /dev/null
+++ b/neutron/agents/ovn_metadata.sls
@@ -0,0 +1,38 @@
+{%- from "neutron/map.jinja" import compute with context %}
+{%- if compute.metadata.enabled|default(False) %}
+
+/lib/systemd/system/ovn-metadata-agent.service:
+  file.managed:
+  - source: salt://neutron/files/{{ compute.version }}/ovn/metadata-agent.systemd
+
+/etc/neutron/plugins/ovn/metadata-agent.ini:
+  file.managed:
+  - source: salt://neutron/files/{{ compute.version }}/ovn/metadata-agent.ini
+  - template: jinja
+  - makedirs: true
+  - require:
+    - pkg: ovn_packages
+
+/etc/neutron/neutron.conf:
+  file.managed:
+  - source: salt://neutron/files/{{ compute.version }}/neutron-generic.conf
+  - template: jinja
+  - require:
+    - pkg: ovn_packages
+
+{%- if not grains.get('noservices', False) %}
+
+ovs_set_manager:
+  cmd.run:
+  - name: 'ovs-vsctl set-manager {{ compute.metadata.ovsdb_server_iface }}'
+  - unless: 'ovs-vsctl get-manager | fgrep -qx {{ compute.metadata.ovsdb_server_iface }}'
+
+ovn-metadata-agent:
+  service.running:
+  - enable: true
+  - watch:
+    - file: /etc/neutron/plugins/ovn/metadata-agent.ini
+    - file: /etc/neutron/neutron.conf
+
+{%- endif %}
+{%- endif %}
diff --git a/neutron/compute.sls b/neutron/compute.sls
index c831a37..5b1e3cf 100644
--- a/neutron/compute.sls
+++ b/neutron/compute.sls
@@ -93,6 +93,10 @@
   - require:
     - pkg: ovn_packages
     - sls: neutron._ssl.rabbitmq
+
+      {%- if compute.metadata is defined %}
+        {%- include "neutron/agents/ovn_metadata.sls" %}
+      {%- endif %}
     {%- endif %}
 
   {%- endif %}
diff --git a/neutron/files/queens/ml2_conf.ini b/neutron/files/queens/ml2_conf.ini
index 9bc6906..53b118b 100644
--- a/neutron/files/queens/ml2_conf.ini
+++ b/neutron/files/queens/ml2_conf.ini
@@ -249,6 +249,7 @@
 ovn_nb_connection = tcp:{{ server.controller_vip }}:6641
 ovn_sb_connection = tcp:{{ server.controller_vip }}:6642
 ovn_l3_scheduler = {{ _ovn.ovn_l3_scheduler|default('leastloaded') }}
+ovn_metadata_enabled = {{ _ovn.metadata_enabled|default('false') }}
 neutron_sync_mode = {{ _ovn.neutron_sync_mode|default('repair') }}
 enable_distributed_floating_ip = {{ server.dvr|default('false') }}
 {%- endif %}
diff --git a/neutron/files/queens/neutron-generic.conf b/neutron/files/queens/neutron-generic.conf
index 9b8c819..6025078 100644
--- a/neutron/files/queens/neutron-generic.conf
+++ b/neutron/files/queens/neutron-generic.conf
@@ -323,8 +323,10 @@
 {%- endif %}
 
 
+{%- if neutron.message_queue|default(none) is not none %}
 {%- set _data = neutron.message_queue %}
 {%- include "oslo_templates/files/queens/oslo/messaging/_default.conf" %}
+{%- endif %}
 
 {%- set _data = {} %}
 {%- include "oslo_templates/files/queens/oslo/service/_wsgi_default.conf" %}
@@ -417,7 +419,7 @@
 {%- include "oslo_templates/files/queens/oslo/_concurrency.conf" %}
 
 
-{%- if neutron.message_queue is defined %}
+{%- if neutron.message_queue|default(none) is not none %}
 {%- set _data = neutron.message_queue %}
 {%- if _data.engine == 'rabbitmq' %}
     {%- set messaging_engine = 'rabbit' %}
diff --git a/neutron/files/queens/ovn/metadata-agent.ini b/neutron/files/queens/ovn/metadata-agent.ini
new file mode 100644
index 0000000..8a65292
--- /dev/null
+++ b/neutron/files/queens/ovn/metadata-agent.ini
@@ -0,0 +1,97 @@
+{%- from "neutron/map.jinja" import compute with context -%}
+[DEFAULT]
+
+#
+# From networking_ovn.metadata.agent
+#
+
+# Location for Metadata Proxy UNIX domain socket. (string value)
+#metadata_proxy_socket = $state_path/metadata_proxy
+
+# User (uid or name) running metadata proxy after its initialization
+# (if empty: agent effective user). (string value)
+#metadata_proxy_user =
+
+# Group (gid or name) running metadata proxy after its initialization
+# (if empty: agent effective group). (string value)
+#metadata_proxy_group =
+
+# Name of Open vSwitch bridge to use (string value)
+#ovs_integration_bridge = br-int
+
+# Certificate Authority public key (CA cert) file for ssl (string
+# value)
+#auth_ca_cert = <None>
+
+# IP address or DNS name of Nova metadata server. (unknown value)
+# Deprecated group/name - [DEFAULT]/nova_metadata_ip
+nova_metadata_host = {{ compute.metadata.host }}
+
+# TCP Port used by Nova metadata server. (port value)
+# Minimum value: 0
+# Maximum value: 65535
+#nova_metadata_port = 8775
+
+# When proxying metadata requests, Neutron signs the Instance-ID
+# header with a shared secret to prevent spoofing. You may select any
+# string for a secret, but it must match here and in the configuration
+# used by the Nova Metadata Server. NOTE: Nova uses the same config
+# key, but in [neutron] section. (string value)
+metadata_proxy_shared_secret = {{ compute.metadata.password }}
+
+# Protocol to access nova metadata, http or https (string value)
+# Possible values:
+# http - <No description provided>
+# https - <No description provided>
+#nova_metadata_protocol = http
+
+# Allow to perform insecure SSL (https) requests to nova metadata
+# (boolean value)
+#nova_metadata_insecure = false
+
+# Client certificate for nova metadata api server. (string value)
+#nova_client_cert =
+
+# Private key of client certificate. (string value)
+#nova_client_priv_key =
+
+# Metadata Proxy UNIX domain socket mode, 4 values allowed: 'deduce':
+# deduce mode from metadata_proxy_user/group values, 'user': set
+# metadata proxy socket mode to 0o644, to use when metadata_proxy_user
+# is agent effective user or root, 'group': set metadata proxy socket
+# mode to 0o664, to use when metadata_proxy_group is agent effective
+# group or root, 'all': set metadata proxy socket mode to 0o666, to
+# use otherwise. (string value)
+# Possible values:
+# deduce - <No description provided>
+# user - <No description provided>
+# group - <No description provided>
+# all - <No description provided>
+#metadata_proxy_socket_mode = deduce
+
+# Number of separate worker processes for metadata server (defaults to
+# half of the number of CPUs) (integer value)
+#metadata_workers = 16
+
+# Number of backlog requests to configure the metadata server socket
+# with (integer value)
+#metadata_backlog = 4096
+
+[ovs]
+
+#
+# From networking_ovn.metadata.agent
+#
+
+# The connection string for the native OVSDB backend.
+# Use tcp:IP:PORT for TCP connection.
+# Use unix:FILE for unix domain socket connection. (string value)
+#ovsdb_connection = unix:/usr/local/var/run/openvswitch/db.sock
+
+# Timeout in seconds for the OVSDB connection transaction (integer
+# value)
+#ovsdb_connection_timeout = 180
+
+[ovn]
+
+ovn_sb_connection = tcp:{{ compute.controller_vip }}:6642
diff --git a/neutron/files/queens/ovn/metadata-agent.systemd b/neutron/files/queens/ovn/metadata-agent.systemd
new file mode 100644
index 0000000..552f7d7
--- /dev/null
+++ b/neutron/files/queens/ovn/metadata-agent.systemd
@@ -0,0 +1,22 @@
+[Unit]
+Description=OpenStack Networking OVN Metadata Agent
+After=rsyslog.target networking.target openvswitch-switch.service
+Requires=openvswitch-switch.service
+
+[Service]
+Type=simple
+User=neutron
+Group=neutron
+PermissionsStartOnly=true
+WorkingDirectory=/var/lib/neutron
+ExecStartPre=/bin/mkdir -p /var/lock/neutron /var/log/neutron /var/lib/neutron
+ExecStartPre=/bin/chown neutron:neutron /var/lock/neutron /var/lib/neutron
+ExecStartPre=/bin/chown neutron:adm /var/log/neutron
+ExecStart=/usr/bin/networking-ovn-metadata-agent --config-file /etc/neutron/plugins/ovn/metadata-agent.ini --config-file /etc/neutron/neutron.conf --log-file /var/log/neutron/ovn-metadata-agent.log
+PrivateTmp=false
+KillMode=process
+Restart=on-failure
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
diff --git a/neutron/map.jinja b/neutron/map.jinja
index d4004a1..8070183 100644
--- a/neutron/map.jinja
+++ b/neutron/map.jinja
@@ -6,11 +6,18 @@
     'enabled': false }
 %}
 
+{%- if grains.os_family == "Debian" %}
+{%- set compute_pkgs_ovn = ['ovn-common', 'ovn-host'] %}
+{%- if pillar.neutron.compute is defined and pillar.neutron.compute.metadata is defined %}
+{%- do compute_pkgs_ovn.extend(['neutron-common', 'python-networking-ovn', 'haproxy']) %}
+{%- endif %}
+{%- endif %}
+
 {% set compute = salt['grains.filter_by']({
     'BaseDefaults': default_params,
     'Debian': {
         'pkgs': ['neutron-openvswitch-agent', 'python-pycadf'],
-        'pkgs_ovn': ['ovn-common', 'ovn-host'],
+        'pkgs_ovn': compute_pkgs_ovn,
         'pkgs_bagpipe': ['python-networking-bagpipe'],
         'services': ['neutron-openvswitch-agent'],
         'services_ovn': ['ovn-host'],
diff --git a/tests/pillar/compute_ovn.sls b/tests/pillar/compute_ovn.sls
index 0f4b580..487faa3 100644
--- a/tests/pillar/compute_ovn.sls
+++ b/tests/pillar/compute_ovn.sls
@@ -1,9 +1,23 @@
 neutron:
   compute:
     enabled: true
-    version: ocata
+    version: queens
     local_ip: 10.2.0.105
     controller_vip: 10.1.0.101
     external_access: false
     backend:
       engine: ovn
+      ovsdb_connection: tcp:127.0.0.1:6640
+    metadata:
+      enabled: true
+      ovsdb_server_iface: ptcp:6640:127.0.0.1
+      host: 10.1.0.101
+      password: unsegreto
+linux:
+  system:
+    enabled: true
+    repo:
+      mirantis_openstack_queens:
+        source: "deb http://mirror.fuel-infra.org/mcp-repos/queens/xenial queens main"
+        architectures: amd64
+        key_url: "http://mirror.fuel-infra.org/mcp-repos/queens/xenial/archive-mcpqueens.key"
diff --git a/tests/pillar/control_ovn.sls b/tests/pillar/control_ovn.sls
index 9d4794b..f5348fa 100644
--- a/tests/pillar/control_ovn.sls
+++ b/tests/pillar/control_ovn.sls
@@ -1,7 +1,7 @@
 neutron:
   server:
     enabled: true
-    version: ocata
+    version: queens
     api_workers: 2
     rpc_workers: 2
     rpc_state_report_workers: 2
@@ -15,6 +15,7 @@
       ovn:
         ovn_l3_scheduler: chance
         neutron_sync_mode: off
+        metadata_enabled: true
     controller_vip: 172.16.10.101
     dvr: false
     l3_ha: false
@@ -60,7 +61,7 @@
   system:
     enabled: true
     repo:
-      mirantis_openstack_ocata:
-        source: "deb http://mirror.fuel-infra.org/mcp-repos/ocata/xenial ocata main"
+      mirantis_openstack_queens:
+        source: "deb http://mirror.fuel-infra.org/mcp-repos/queens/xenial queens main"
         architectures: amd64
-        key_url: "http://mirror.fuel-infra.org/mcp-repos/ocata/xenial/archive-mcpocata.key"
+        key_url: "http://mirror.fuel-infra.org/mcp-repos/queens/xenial/archive-mcpqueens.key"