Merge "Watch out for ml2 plugin config changes"
diff --git a/.kitchen.yml b/.kitchen.yml
index b762e23..ba95941 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -63,6 +63,11 @@
       pillars-from-files:
         neutron.sls: tests/pillar/compute_dvr.sls
 
+  - name: compute_dvr_fwaas_v1
+    provisioner:
+      pillars-from-files:
+        neutron.sls: tests/pillar/compute_dvr_fwaas_v1.sls
+
   - name: compute_legacy
     provisioner:
       pillars-from-files:
@@ -104,11 +109,16 @@
       pillars-from-files:
         neutron.sls: tests/pillar/control_nodvr.sls
 
-  - name: control_lbaas_octavia.sls
+  - name: control_lbaas_octavia
     provisioner:
       pillars-from-files:
         neutron.sls: tests/pillar/control_lbaas_octavia.sls
 
+  - name: control_fwaas_v1
+    provisioner:
+      pillars-from-files:
+        neutron.sls: tests/pillar/control_fwaas_v1.sls
+
   - name: control_single
     provisioner:
       pillars-from-files:
@@ -134,4 +144,9 @@
       pillars-from-files:
         neutron.sls: tests/pillar/gateway_qos.sls
 
+  - name: gateway_legacy_fwaas_v1
+    provisioner:
+      pillars-from-files:
+        neutron.sls: tests/pillar/gateway_legacy_fwaas_v1.sls
+
 # vim: ft=yaml sw=2 ts=2 sts=2 tw=125
diff --git a/.travis.yml b/.travis.yml
index 3925301..779286f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -21,12 +21,17 @@
     - PLATFORM=trevorj/salty-whales:xenial SUITE=compute_dpdk
     - PLATFORM=trevorj/salty-whales:trusty SUITE=compute_dvr
     - PLATFORM=trevorj/salty-whales:xenial SUITE=compute_dvr
+    - PLATFORM=trevorj/salty-whales:xenial SUITE=compute_dvr_fwaas_v1
     - PLATFORM=trevorj/salty-whales:trusty SUITE=compute_legacy
     - PLATFORM=trevorj/salty-whales:xenial SUITE=compute_legacy
     - PLATFORM=trevorj/salty-whales:trusty SUITE=compute_nonexternal_dvr
     - PLATFORM=trevorj/salty-whales:xenial SUITE=compute_nonexternal_dvr
     - PLATFORM=trevorj/salty-whales:trusty SUITE=compute_sriov
     - PLATFORM=trevorj/salty-whales:xenial SUITE=compute_sriov
+    - PLATFORM=trevorj/salty-whales:trusty SUITE=compute_qos_sriov
+    - PLATFORM=trevorj/salty-whales:xenial SUITE=compute_qos_sriov
+    - PLATFORM=trevorj/salty-whales:trusty SUITE=compute_qos
+    - PLATFORM=trevorj/salty-whales:xenial SUITE=compute_qos
     - PLATFORM=trevorj/salty-whales:trusty SUITE=control_cluster
     - PLATFORM=trevorj/salty-whales:xenial SUITE=control_cluster
     - PLATFORM=trevorj/salty-whales:trusty SUITE=control_dvr
@@ -35,10 +40,17 @@
     - PLATFORM=trevorj/salty-whales:xenial SUITE=control_nodvr
     - PLATFORM=trevorj/salty-whales:trusty SUITE=control_single
     - PLATFORM=trevorj/salty-whales:xenial SUITE=control_single
+    - PLATFORM=trevorj/salty-whales:xenial SUITE=control_lbaas_octavia
+    - PLATFORM=trevorj/salty-whales:xenial SUITE=control_fwaas_v1
+    - PLATFORM=trevorj/salty-whales:trusty SUITE=control_qos
+    - PLATFORM=trevorj/salty-whales:xenial SUITE=control_qos
     - PLATFORM=trevorj/salty-whales:trusty SUITE=gateway_dvr
     - PLATFORM=trevorj/salty-whales:xenial SUITE=gateway_dvr
     - PLATFORM=trevorj/salty-whales:trusty SUITE=gateway_legacy
     - PLATFORM=trevorj/salty-whales:xenial SUITE=gateway_legacy
+    - PLATFORM=trevorj/salty-whales:trusty SUITE=gateway_qos
+    - PLATFORM=trevorj/salty-whales:xenial SUITE=gateway_qos
+    - PLATFORM=trevorj/salty-whales:xenial SUITE=gateway_legacy_fwaas_v1
 
 before_script:
   - set -o pipefail
diff --git a/README.rst b/README.rst
index 66b2299..60eb58a 100644
--- a/README.rst
+++ b/README.rst
@@ -108,7 +108,21 @@
       lbaas:
         enabled: false
 
+
+Neutron FWaaSv1 enablement
+--------------------------
+
+.. code-block:: yaml
+
+  neutron:
+    fwaas:
+      enabled: true
+      version: ocata
+      api_version: v1
+
+
 Enable CORS parameters
+----------------------
 
 .. code-block:: yaml
 
@@ -722,6 +736,61 @@
           virtual_host: '/openstack'
         ....
 
+Client-side RabbitMQ TLS configuration:
+
+|
+
+To enable TLS for oslo.messaging you need to provide the CA certificate.
+
+By default system-wide CA certs are used. Nothing should be specified except `ssl.enabled`.
+
+.. code-block:: yaml
+
+  neutron:
+    server, gateway, compute:
+      ....
+      message_queue:
+        ssl:
+          enabled: True
+
+
+
+Use `cacert_file` option to specify the CA-cert file path explicitly:
+
+.. code-block:: yaml
+
+  neutron:
+    server, gateway, compute:
+      ....
+      message_queue:
+        ssl:
+          enabled: True
+          cacert_file: /etc/ssl/rabbitmq-ca.pem
+
+To manage content of the `cacert_file` use the `cacert` option:
+
+.. code-block:: yaml
+
+  neutron:
+    server, gateway, compute:
+      ....
+      message_queue:
+        ssl:
+          enabled: True
+          cacert: |
+
+          -----BEGIN CERTIFICATE-----
+                    ...
+          -----END CERTIFICATE-------
+
+          cacert_file: /etc/openstack/rabbitmq-ca.pem
+
+
+Notice:
+ * The `message_queue.port` is set to **5671** (AMQPS) by default if `ssl.enabled=True`.
+ * Use `message_queue.ssl.version` if you need to specify protocol version. By default is TLSv1 for python < 2.7.9 and TLSv1_2 for version above.
+
+
 Enable auditing filter, ie: CADF
 
 .. code-block:: yaml
@@ -884,6 +953,19 @@
           Instance port in the stated subnet will be associated with the dynamically generated floating IP.
 
 
+
+Enable Neutron extensions (QoS, DNS, etc.)
+------------------------------------------
+.. code-block:: yaml
+
+    neutron:
+      server:
+        backend:
+          extension:
+            - dns
+            - qos
+
+
 Documentation and Bugs
 ======================
 
diff --git a/metadata/service/fwaas/init.yml b/metadata/service/fwaas/init.yml
new file mode 100644
index 0000000..141af64
--- /dev/null
+++ b/metadata/service/fwaas/init.yml
@@ -0,0 +1,7 @@
+applications:
+  - neutron
+parameters:
+  neutron:
+    fwaas:
+      enabled: true
+      version: ${_param:neutron_version}
diff --git a/neutron/compute.sls b/neutron/compute.sls
index 9770b85..bb80f21 100644
--- a/neutron/compute.sls
+++ b/neutron/compute.sls
@@ -1,4 +1,4 @@
-{% from "neutron/map.jinja" import compute with context %}
+{% from "neutron/map.jinja" import compute, fwaas, system_cacerts_file with context %}
 {%- if compute.enabled %}
 
 neutron_compute_packages:
@@ -41,11 +41,19 @@
     - file: /etc/neutron/neutron.conf
     - file: /etc/neutron/plugins/ml2/openvswitch_agent.ini
     - file: /etc/neutron/plugins/ml2/sriov_agent.ini
+    {%- if compute.message_queue.get('ssl',{}).get('enabled', False) %}
+    - file: rabbitmq_ca
+    {%- endif %}
 
 {% endif %}
 
 {% if compute.dvr %}
 
+{%- if fwaas.get('enabled', False) %}
+include:
+- neutron.fwaas
+{%- endif %}
+
 neutron_dvr_packages:
   pkg.installed:
   - names:
@@ -62,6 +70,12 @@
       - file: /etc/neutron/neutron.conf
       - file: /etc/neutron/l3_agent.ini
       - file: /etc/neutron/metadata_agent.ini
+      {%- if fwaas.get('enabled', False) %}
+      - file: /etc/neutron/fwaas_driver.ini
+      {% endif %}
+      {%- if compute.message_queue.get('ssl',{}).get('enabled', False) %}
+      - file: rabbitmq_ca
+      {%- endif %}
     - require:
       - pkg: neutron_dvr_packages
 
@@ -99,5 +113,23 @@
   - watch:
     - file: /etc/neutron/neutron.conf
     - file: /etc/neutron/plugins/ml2/openvswitch_agent.ini
+    {%- if compute.message_queue.get('ssl',{}).get('enabled', False) %}
+    - file: rabbitmq_ca
+    {%- endif %}
+
+
+{%- if compute.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbitmq_ca:
+{%- if compute.message_queue.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ compute.message_queue.ssl.cacert_file }}
+    - contents_pillar: neutron:compute:message_queue:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ compute.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
 
 {%- endif %}
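Review bot: In the `rabbitmq_ca` state added at the end of this hunk, `- mode: 0444` is an unquoted scalar with a leading zero, which a YAML 1.1 loader reads as an octal integer rather than a mode string; quoting it as `- mode: '0444'` removes the ambiguity. The `file.managed` branch also reads `compute.message_queue.ssl.cacert_file` with no fallback, while the `file.exists` branch falls back to `system_cacerts_file`, so a pillar that sets `cacert` without `cacert_file` presumably renders an empty `name`. Defaulting the managed path to the system bundle would overwrite that bundle, so I would state the requirement in a Jinja comment above the state instead: `{#- ssl.cacert requires ssl.cacert_file; the managed path must never default to system_cacerts_file #}`. The enclosing `{%- if compute.enabled %}` block starts outside the hunk.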
diff --git a/neutron/files/grafana_dashboards/neutron_openvswitch_prometheus.json b/neutron/files/grafana_dashboards/neutron_openvswitch_prometheus.json
index 4f05892..3cc03b4 100755
--- a/neutron/files/grafana_dashboards/neutron_openvswitch_prometheus.json
+++ b/neutron/files/grafana_dashboards/neutron_openvswitch_prometheus.json
@@ -22,8 +22,8 @@
           "colorValue": true,
           "colors": [
             "rgba(245, 54, 54, 0.9)",
-            "rgba(237, 129, 40, 0.89)",
-            "rgba(50, 172, 45, 0.97)"
+            "rgba(50, 172, 45, 0.97)",
+            "rgba(237, 129, 40, 0.89)"
           ],
           "datasource": "prometheus",
           "format": "none",
@@ -80,7 +80,7 @@
               "step": 60
             }
           ],
-          "thresholds": "1,0",
+          "thresholds": "0.5,1.5",
           "title": "API Availability",
           "type": "singlestat",
           "valueFontSize": "80%",
@@ -92,13 +92,18 @@
             },
             {
               "op": "=",
+              "text": "DOWN",
+              "value": "0"
+            },
+            {
+              "op": "=",
               "text": "OK",
               "value": "1"
             },
             {
               "op": "=",
-              "text": "DOWN",
-              "value": "0"
+              "text": "UNKNOWN",
+              "value": "2"
             }
           ],
           "valueName": "current"
@@ -1625,7 +1630,7 @@
           "tableColumn": "",
           "targets": [
             {
-              "expr": "openstack_neutron_ports{owner=~\"compute:.*\"}",
+              "expr": "sum(openstack_neutron_ports{owner=~\"compute:.*\",state=\"active\"})",
               "format": "time_series",
               "intervalFactor": 2,
               "refId": "A",
diff --git a/neutron/files/grafana_dashboards/neutron_prometheus.json b/neutron/files/grafana_dashboards/neutron_prometheus.json
index 91d4fa1..2285ede 100755
--- a/neutron/files/grafana_dashboards/neutron_prometheus.json
+++ b/neutron/files/grafana_dashboards/neutron_prometheus.json
@@ -22,8 +22,8 @@
           "colorValue": true,
           "colors": [
             "rgba(245, 54, 54, 0.9)",
-            "rgba(237, 129, 40, 0.89)",
-            "rgba(50, 172, 45, 0.97)"
+            "rgba(50, 172, 45, 0.97)",
+            "rgba(237, 129, 40, 0.89)"
           ],
           "datasource": "prometheus",
           "format": "none",
@@ -80,7 +80,7 @@
               "step": 60
             }
           ],
-          "thresholds": "1,0",
+          "thresholds": "0.5,1.5",
           "title": "API Availability",
           "type": "singlestat",
           "valueFontSize": "80%",
@@ -92,13 +92,18 @@
             },
             {
               "op": "=",
+              "text": "DOWN",
+              "value": "0"
+            },
+            {
+              "op": "=",
               "text": "OK",
               "value": "1"
             },
             {
               "op": "=",
-              "text": "DOWN",
-              "value": "0"
+              "text": "UNKNOWN",
+              "value": "2"
             }
           ],
           "valueName": "current"
@@ -641,7 +646,7 @@
           "tableColumn": "",
           "targets": [
             {
-              "expr": "openstack_neutron_ports{owner=~\"compute:.*\",state=\"active\"}",
+              "expr": "sum(openstack_neutron_ports{owner=~\"compute:.*\",state=\"active\"})",
               "format": "time_series",
               "intervalFactor": 2,
               "refId": "A",
diff --git a/neutron/files/mitaka/fwaas_driver.ini b/neutron/files/mitaka/fwaas_driver.ini
new file mode 100644
index 0000000..40442a4
--- /dev/null
+++ b/neutron/files/mitaka/fwaas_driver.ini
@@ -0,0 +1,25 @@
+{%- from "neutron/map.jinja" import fwaas with context %}
+
+[DEFAULT]
+
+[fwaas]
+
+#
+# From firewall.agent
+#
+
+# Name of the FWaaS Driver (string value)
+#driver =
+driver = {{ fwaas.get('driver', fwaas[fwaas.api_version].get('driver')) }}
+
+# Enable FWaaS (boolean value)
+#enabled = false
+enabled = {{ fwaas.get('enabled', 'False') }}
+
+# Firewall agent class (string value)
+#agent_version = v1
+agent_version = {{ fwaas.api_version }}
+
+# Name of the FWaaS Conntrack Driver (string value)
+#conntrack_driver = conntrack
+conntrack_driver = {{ fwaas.get('conntrack_driver', 'conntrack') }}
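Review bot: `fwaas[fwaas.api_version]` on the `driver =` line is evaluated even when `fwaas.driver` is set, because it is the default argument of `.get()`, so rendering depends on `api_version` being present and matching a key of the `fwaas` map. metadata/service/fwaas/init.yml in this commit sets only `enabled` and `version`, so unless map.jinja (not shown here) supplies a default `api_version`, a node using that metadata class would fail to render this file. The same lookup appears in the l3_agent.ini and neutron-server.conf.Debian hunks and in the ocata copy of this file. I would either add `api_version: v1` to the metadata defaults or document the requirement at the top of the template, e.g. `{#- requires neutron:fwaas:api_version; it selects driver, l3_extension and service_plugin #}`.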
diff --git a/neutron/files/mitaka/l3_agent.ini b/neutron/files/mitaka/l3_agent.ini
index ad79623..3916ec3 100644
--- a/neutron/files/mitaka/l3_agent.ini
+++ b/neutron/files/mitaka/l3_agent.ini
@@ -3,6 +3,7 @@
 {%- else %}
 {%- from "neutron/map.jinja" import compute as neutron with context %}
 {%- endif %}
+{%- from "neutron/map.jinja" import fwaas with context %}
 
 [DEFAULT]
 
@@ -93,7 +94,7 @@
 # Name of bridge used for external network traffic. This should be set to an empty value for the Linux Bridge. When this parameter is set,
 # each L3 agent can be associated with no more than one external network. (string value)
 #external_network_bridge = br-ex
-external_network_bridge = 
+external_network_bridge =
 
 # Seconds between running periodic tasks (integer value)
 #periodic_interval = 40
@@ -228,3 +229,13 @@
 
 # Log agent heartbeats (boolean value)
 #log_agent_heartbeats = false
+{%- if fwaas.get('enabled', False) %}
+extensions = {{ fwaas[fwaas.api_version]['l3_extension'] }}
+{%- endif %}
+
+{%- if fwaas.get('enabled', False) %}
+[fwaas]
+driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
+enabled = {{ fwaas.get('enabled', 'False') }}
+agent_version = {{ fwaas.api_version }}
+{%- endif %}
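Review bot: The `[fwaas]` section appended here hard-codes `driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver`, whereas fwaas_driver.ini added in this same commit takes the driver from the pillar, so a `fwaas.driver` override reaches one file and not the other. Which value the agent ends up with then depends on the order in which it loads its config files, which is not visible from this diff. Using the same expression in both places keeps them in step: `driver = {{ fwaas.get('driver', fwaas[fwaas.api_version].get('driver')) }}`. The two consecutive `{%- if fwaas.get('enabled', False) %}` blocks could also be merged into one.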
diff --git a/neutron/files/mitaka/neutron-generic.conf.Debian b/neutron/files/mitaka/neutron-generic.conf.Debian
index 092fd56..36c7fc4 100644
--- a/neutron/files/mitaka/neutron-generic.conf.Debian
+++ b/neutron/files/mitaka/neutron-generic.conf.Debian
@@ -1,7 +1,7 @@
 {%- if pillar.neutron.gateway is defined %}
-{%- from "neutron/map.jinja" import gateway as neutron with context %}
+{%- from "neutron/map.jinja" import system_cacerts_file, gateway as neutron with context %}
 {%- else %}
-{%- from "neutron/map.jinja" import compute as neutron with context %}
+{%- from "neutron/map.jinja" import system_cacerts_file, compute as neutron with context %}
 {%- endif %}
 [DEFAULT]
 
@@ -178,6 +178,7 @@
 # value. Defaults to 1500, the standard value for Ethernet. (integer value)
 # Deprecated group/name - [ml2]/segment_mtu
 #global_physnet_mtu = 1500
+global_physnet_mtu = {{ neutron.get('global_physnet_mtu', '1500') }}
 
 # Number of backlog requests to configure the socket with (integer value)
 #backlog = 4096
@@ -1268,14 +1269,31 @@
 # Deprecated group/name - [DEFAULT]/rabbit_hosts
 #rabbit_hosts = $rabbit_host:$rabbit_port
 #
+{%- set rabbit_port = neutron.message_queue.get('port', 5671 if neutron.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if neutron.message_queue.members is defined %}
 rabbit_hosts = {% for member in neutron.message_queue.members -%}
-                   {{ member.host }}:{{ member.get('port', 5672) }}
+                   {{ member.host }}:{{ member.get('port',rabbit_port) }}
                    {%- if not loop.last -%},{%- endif -%}
                {%- endfor -%}
 {%- else %}
 rabbit_host = {{ neutron.message_queue.host }}
-rabbit_port = {{ neutron.message_queue.port }}
+rabbit_port = {{ rabbit_port }}
+{%- endif %}
+
+{%- if neutron.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if neutron.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ neutron.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if neutron.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ neutron.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
 {%- endif %}
 
 rabbit_userid = {{ neutron.message_queue.user }}
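Review bot: The `elif salt['grains.get']('pythonversion') > [2,7,8]` test also matches Python 2.7.8 itself if, as I understand it, the grain holds the full `sys.version_info` list (`[2, 7, 8, 'final', 0]` compares greater than `[2,7,8]`), so `kombu_ssl_version = TLSv1_2` would be written for an interpreter that the README in this commit describes as TLSv1-only. Comparing the first three elements against the first supporting release avoids that: `{%- elif salt['grains.get']('pythonversion')[:3] >= [2,7,9] %}`. The grain describes the minion's interpreter, which is presumably but not necessarily the one neutron runs under. When neither branch fires no `kombu_ssl_version` is written and the library default applies, and a pillar-supplied `ssl.version` is passed through unchecked, so an older protocol can be selected without any warning. The same block is repeated in the mitaka neutron-server.conf.Debian hunk and in the newton and ocata generic and server templates.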
diff --git a/neutron/files/mitaka/neutron-server.conf.Debian b/neutron/files/mitaka/neutron-server.conf.Debian
index c75d6a3..ad90ee9 100644
--- a/neutron/files/mitaka/neutron-server.conf.Debian
+++ b/neutron/files/mitaka/neutron-server.conf.Debian
@@ -1,4 +1,5 @@
-{%- from "neutron/map.jinja" import server with context %}
+{%- from "neutron/map.jinja" import fwaas, server, system_cacerts_file with context %}
+
 [DEFAULT]
 
 #
@@ -37,9 +38,9 @@
 
 core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
 
-service_plugins =neutron.services.l3_router.l3_router_plugin.L3RouterPlugin,neutron.services.metering.metering_plugin.MeteringPlugin{%- if server.lbaas is defined -%}
-,neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2
-{%- endif -%}
+service_plugins =neutron.services.l3_router.l3_router_plugin.L3RouterPlugin,neutron.services.metering.metering_plugin.MeteringPlugin
+{%- if server.lbaas is defined -%},neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2{%- endif -%}
+{%- if fwaas.get('enabled', False) -%},{{ fwaas[fwaas.api_version]['service_plugin'] }}{%- endif -%}
 
 {% endif %}
 
@@ -844,7 +845,7 @@
 auth_protocol=http
 revocation_cache_time = 10
 {% if server.backend.engine == "contrail" %}
-# LBaaS contrail neutron plugin for versions 3.x expects auth_type to be 
+# LBaaS contrail neutron plugin for versions 3.x expects auth_type to be
 # 'keystone' or 'noauth'
 # This behaviour is fixed after the release MCP1.0 by using auth_strategy
 # instead of auth_type, until this is backported to MCP1.0 auth_type must be
@@ -1365,14 +1366,31 @@
 # Deprecated group/name - [DEFAULT]/rabbit_hosts
 #rabbit_hosts = $rabbit_host:$rabbit_port
 #
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if server.message_queue.members is defined %}
 rabbit_hosts = {% for member in server.message_queue.members -%}
-                   {{ member.host }}:{{ member.get('port', 5672) }}
+                   {{ member.host }}:{{ member.get('port',rabbit_port) }}
                    {%- if not loop.last -%},{%- endif -%}
                {%- endfor -%}
 {%- else %}
 rabbit_host = {{ server.message_queue.host }}
-rabbit_port = {{ server.message_queue.port }}
+rabbit_port = {{ rabbit_port }}
+{%- endif %}
+
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if server.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ server.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if server.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
 {%- endif %}
 
 rabbit_userid = {{ server.message_queue.user }}
diff --git a/neutron/files/newton/neutron-generic.conf.Debian b/neutron/files/newton/neutron-generic.conf.Debian
index 8c39aa6..3d8c5fb 100644
--- a/neutron/files/newton/neutron-generic.conf.Debian
+++ b/neutron/files/newton/neutron-generic.conf.Debian
@@ -1,7 +1,7 @@
 {%- if pillar.neutron.gateway is defined %}
-{%- from "neutron/map.jinja" import gateway as neutron with context %}
+{%- from "neutron/map.jinja" import system_cacerts_file, gateway as neutron with context %}
 {%- else %}
-{%- from "neutron/map.jinja" import compute as neutron with context %}
+{%- from "neutron/map.jinja" import system_cacerts_file, compute as neutron with context %}
 {%- endif %}
 [DEFAULT]
 
@@ -178,6 +178,7 @@
 # value. Defaults to 1500, the standard value for Ethernet. (integer value)
 # Deprecated group/name - [ml2]/segment_mtu
 #global_physnet_mtu = 1500
+global_physnet_mtu = {{ neutron.get('global_physnet_mtu', '1500') }}
 
 # Number of backlog requests to configure the socket with (integer value)
 #backlog = 4096
@@ -524,14 +525,16 @@
 # not set, we fall back to the rpc_backend option and driver specific
 # configuration. (string value)
 #transport_url = <None>
+
+{%- set rabbit_port = neutron.message_queue.get('port', 5671 if neutron.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if neutron.message_queue.members is defined %}
 transport_url = rabbit://{% for member in neutron.message_queue.members -%}
-                             {{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+                             {{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ member.host }}:{{ member.get('port',rabbit_port) }}
                              {%- if not loop.last -%},{%- endif -%}
                          {%- endfor -%}
                              /{{ neutron.message_queue.virtual_host }}
 {%- else %}
-transport_url = rabbit://{{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ neutron.message_queue.host }}:{{ neutron.message_queue.port }}/{{ neutron.message_queue.virtual_host }}
+transport_url = rabbit://{{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ neutron.message_queue.host }}:{{ rabbit_port }}/{{ neutron.message_queue.virtual_host }}
 {%- endif %}
 
 # The messaging driver to use, defaults to rabbit. Other drivers include amqp
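Review bot: `message_queue.user` and `message_queue.password` are interpolated into `transport_url` verbatim on both changed lines, so a credential containing `@`, `:`, `/` or `#` changes how the URL splits into userinfo, host and virtual host. With TLS now being configured for this connection it is worth making sure the client cannot be steered to a different host by a badly formed URL. I would percent-encode both values before interpolation or, at minimum, record the constraint next to the template: `{#- message_queue.user/password must be percent-encoded if they contain '@', ':', '/' or '#' #}`. The same two lines appear in the newton neutron-server.conf.Debian hunk and in both ocata templates.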
@@ -1215,6 +1218,22 @@
 # From oslo.messaging
 #
 
+{%- if neutron.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if neutron.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ neutron.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if neutron.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ neutron.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
+
 # Use durable queues in AMQP. (boolean value)
 # Deprecated group/name - [DEFAULT]/amqp_durable_queues
 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues
diff --git a/neutron/files/newton/neutron-server.conf.Debian b/neutron/files/newton/neutron-server.conf.Debian
index 2aacbe3..76768ae 100644
--- a/neutron/files/newton/neutron-server.conf.Debian
+++ b/neutron/files/newton/neutron-server.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "neutron/map.jinja" import server with context %}
+{%- from "neutron/map.jinja" import server, system_cacerts_file with context %}
 [DEFAULT]
 
 #
@@ -551,14 +551,16 @@
 # not set, we fall back to the rpc_backend option and driver specific
 # configuration. (string value)
 #transport_url = <None>
+
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if server.message_queue.members is defined %}
 transport_url = rabbit://{% for member in server.message_queue.members -%}
-                             {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+                             {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port',rabbit_port) }}
                              {%- if not loop.last -%},{%- endif -%}
                          {%- endfor -%}
                              /{{ server.message_queue.virtual_host }}
 {%- else %}
-transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ server.message_queue.port }}/{{ server.message_queue.virtual_host }}
+transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ rabbit_port }}/{{ server.message_queue.virtual_host }}
 {%- endif %}
 
 # The messaging driver to use, defaults to rabbit. Other drivers include amqp
@@ -1301,6 +1303,22 @@
 # From oslo.messaging
 #
 
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if server.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ server.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if server.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
+
 # Use durable queues in AMQP. (boolean value)
 # Deprecated group/name - [DEFAULT]/amqp_durable_queues
 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues
diff --git a/neutron/files/ocata/fwaas_driver.ini b/neutron/files/ocata/fwaas_driver.ini
new file mode 100644
index 0000000..40442a4
--- /dev/null
+++ b/neutron/files/ocata/fwaas_driver.ini
@@ -0,0 +1,25 @@
+{%- from "neutron/map.jinja" import fwaas with context %}
+
+[DEFAULT]
+
+[fwaas]
+
+#
+# From firewall.agent
+#
+
+# Name of the FWaaS Driver (string value)
+#driver =
+driver = {{ fwaas.get('driver', fwaas[fwaas.api_version].get('driver')) }}
+
+# Enable FWaaS (boolean value)
+#enabled = false
+enabled = {{ fwaas.get('enabled', 'False') }}
+
+# Firewall agent class (string value)
+#agent_version = v1
+agent_version = {{ fwaas.api_version }}
+
+# Name of the FWaaS Conntrack Driver (string value)
+#conntrack_driver = conntrack
+conntrack_driver = {{ fwaas.get('conntrack_driver', 'conntrack') }}
diff --git a/neutron/files/ocata/l3_agent.ini b/neutron/files/ocata/l3_agent.ini
index 41b87e6..7b386a5 100644
--- a/neutron/files/ocata/l3_agent.ini
+++ b/neutron/files/ocata/l3_agent.ini
@@ -3,6 +3,7 @@
 {%- else %}
 {%- from "neutron/map.jinja" import compute as neutron with context %}
 {%- endif %}
+{%- from "neutron/map.jinja" import fwaas with context %}
 
 [DEFAULT]
 
@@ -303,6 +304,9 @@
 
 # Extensions list to use (list value)
 #extensions =
+{%- if fwaas.get('enabled', False) %}
+extensions = {{ fwaas[fwaas.api_version]['l3_extension'] }}
+{%- endif %}
 
 
 [ovs]
diff --git a/neutron/files/ocata/ml2_conf.ini b/neutron/files/ocata/ml2_conf.ini
index 0d48951..5ecafe3 100644
--- a/neutron/files/ocata/ml2_conf.ini
+++ b/neutron/files/ocata/ml2_conf.ini
@@ -137,7 +137,10 @@
 # neutron.ml2.extension_drivers namespace. For example: extension_drivers =
 # port_security,qos (list value)
 #extension_drivers =
-extension_drivers = port_security{% if server.get('qos', 'True') %},qos{% endif %}
+{%- set tmp_ext_list = server.backend.get('extension', []) %}
+{%- do tmp_ext_list.append('port_security') if 'port_security' not in tmp_ext_list %}
+{%- do tmp_ext_list.append('qos') if server.get('qos', 'True') and 'qos' not in tmp_ext_list %}
+extension_drivers={{ tmp_ext_list|join(',') }}
 
 # Maximum size of an IP packet (MTU) that can traverse the underlying physical
 # network infrastructure without fragmentation when using an overlay/tunnel
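Review bot: `tmp_ext_list` is bound directly to the list returned by `server.backend.get('extension', [])`, so the two `append` calls modify the pillar-derived list in place instead of a private copy. The `not in` guards keep the result free of duplicates, but any other template that reads `server.backend.extension` in the same render would presumably see `port_security` and `qos` added to it. Taking a copy keeps the template free of side effects: `{%- set tmp_ext_list = server.backend.get('extension', [])|list %}`. The default in `server.get('qos', 'True')` is a string, so a pillar value given as the string `'False'` would still be truthy; a boolean default would be clearer. The same pattern is used in the ocata openvswitch_agent.ini and sriov_agent.ini hunks.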
diff --git a/neutron/files/ocata/neutron-generic.conf.Debian b/neutron/files/ocata/neutron-generic.conf.Debian
index 0dde78f..123386d 100644
--- a/neutron/files/ocata/neutron-generic.conf.Debian
+++ b/neutron/files/ocata/neutron-generic.conf.Debian
@@ -1,7 +1,7 @@
 {%- if pillar.neutron.gateway is defined %}
-{%- from "neutron/map.jinja" import gateway as neutron with context %}
+{%- from "neutron/map.jinja" import system_cacerts_file, gateway as neutron with context %}
 {%- else %}
-{%- from "neutron/map.jinja" import compute as neutron with context %}
+{%- from "neutron/map.jinja" import system_cacerts_file, compute as neutron with context %}
 {%- endif %}
 [DEFAULT]
 
@@ -142,6 +142,7 @@
 # value. Defaults to 1500, the standard value for Ethernet. (integer value)
 # Deprecated group/name - [ml2]/segment_mtu
 #global_physnet_mtu = 1500
+global_physnet_mtu = {{ neutron.get('global_physnet_mtu', '1500') }}
 
 # Number of backlog requests to configure the socket with (integer value)
 #backlog = 4096
@@ -589,14 +590,16 @@
 # A URL representing the messaging driver to use and its full configuration.
 # (string value)
 #transport_url = <None>
+
+{%- set rabbit_port = neutron.message_queue.get('port', 5671 if neutron.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if neutron.message_queue.members is defined %}
 transport_url = rabbit://{% for member in neutron.message_queue.members -%}
-                             {{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+                             {{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ member.host }}:{{ member.get('port',rabbit_port) }}
                              {%- if not loop.last -%},{%- endif -%}
                          {%- endfor -%}
                              /{{ neutron.message_queue.virtual_host }}
 {%- else %}
-transport_url = rabbit://{{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ neutron.message_queue.host }}:{{ neutron.message_queue.port }}/{{ neutron.message_queue.virtual_host }}
+transport_url = rabbit://{{ neutron.message_queue.user }}:{{ neutron.message_queue.password }}@{{ neutron.message_queue.host }}:{{ rabbit_port }}/{{ neutron.message_queue.virtual_host }}
 {%- endif %}
 
 # DEPRECATED: The messaging driver to use, defaults to rabbit. Other drivers
@@ -1523,6 +1526,22 @@
 # From oslo.messaging
 #
 
+{%- if neutron.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if neutron.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ neutron.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if neutron.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ neutron.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
+
 # Use durable queues in AMQP. (boolean value)
 # Deprecated group/name - [DEFAULT]/amqp_durable_queues
 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues
diff --git a/neutron/files/ocata/neutron-server.conf.Debian b/neutron/files/ocata/neutron-server.conf.Debian
index 229d342..049544b 100644
--- a/neutron/files/ocata/neutron-server.conf.Debian
+++ b/neutron/files/ocata/neutron-server.conf.Debian
@@ -1,4 +1,4 @@
-{%- from "neutron/map.jinja" import server with context %}
+{%- from "neutron/map.jinja" import fwaas, server, system_cacerts_file with context %}
 [DEFAULT]
 
 #
@@ -45,6 +45,7 @@
 
 service_plugins =neutron.services.l3_router.l3_router_plugin.L3RouterPlugin,neutron.services.metering.metering_plugin.MeteringPlugin
 {%- if server.lbaas is defined -%},lbaasv2{%- endif -%}
+{%- if fwaas.get('enabled', False) -%},{{ fwaas[fwaas.api_version]['service_plugin'] }}{%- endif -%}
 {%- if server.get('qos', 'True') -%},neutron.services.qos.qos_plugin.QoSPlugin{%- endif -%}
 {%- if server.get('vlan_aware_vms', False) -%},trunk{%- endif -%}
 
@@ -613,14 +614,16 @@
 # A URL representing the messaging driver to use and its full configuration.
 # (string value)
 #transport_url = <None>
+
+{%- set rabbit_port = server.message_queue.get('port', 5671 if server.message_queue.get('ssl',{}).get('enabled', False)  else 5672) %}
 {%- if server.message_queue.members is defined %}
 transport_url = rabbit://{% for member in server.message_queue.members -%}
-                             {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port', 5672) }}
+                             {{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ member.host }}:{{ member.get('port',rabbit_port) }}
                              {%- if not loop.last -%},{%- endif -%}
                          {%- endfor -%}
                              /{{ server.message_queue.virtual_host }}
 {%- else %}
-transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ server.message_queue.port }}/{{ server.message_queue.virtual_host }}
+transport_url = rabbit://{{ server.message_queue.user }}:{{ server.message_queue.password }}@{{ server.message_queue.host }}:{{ rabbit_port }}/{{ server.message_queue.virtual_host }}
 {%- endif %}
 
 # DEPRECATED: The messaging driver to use, defaults to rabbit. Other drivers
@@ -1603,6 +1606,22 @@
 # From oslo.messaging
 #
 
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbit_use_ssl=true
+
+{%- if server.message_queue.ssl.version is defined %}
+kombu_ssl_version = {{ server.message_queue.ssl.version }}
+{%- elif salt['grains.get']('pythonversion') > [2,7,8] %}
+kombu_ssl_version = TLSv1_2
+{%- endif %}
+
+{%- if server.message_queue.ssl.cacert_file is defined %}
+kombu_ssl_ca_certs = {{ server.message_queue.ssl.cacert_file }}
+{%- else %}
+kombu_ssl_ca_certs={{ system_cacerts_file }}
+{%- endif %}
+{%- endif %}
+
 # Use durable queues in AMQP. (boolean value)
 # Deprecated group/name - [DEFAULT]/amqp_durable_queues
 # Deprecated group/name - [DEFAULT]/rabbit_durable_queues
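Review bot: The `elif` bound `> [2,7,8]` is also true on Python 2.7.8 itself, because the `pythonversion` grain is a longer list (for example `[2, 7, 8, 'final', 0]`) and a longer list with an equal prefix compares greater. `ssl.PROTOCOL_TLSv1_2` only arrived in 2.7.9, so `{%- elif salt['grains.get']('pythonversion') >= [2,7,9] %}` states the intended bound. When neither branch matches, `kombu_ssl_version` is left unset and the protocol falls back to the library default. If that is deliberate, a comment such as `{#- no explicit version: library default is used #}` would make it visible. The section header these options belong to is outside the hunk.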
diff --git a/neutron/files/ocata/openvswitch_agent.ini b/neutron/files/ocata/openvswitch_agent.ini
index 00c33b4..654fc76 100644
--- a/neutron/files/ocata/openvswitch_agent.ini
+++ b/neutron/files/ocata/openvswitch_agent.ini
@@ -195,9 +195,9 @@
 #agent_type = Open vSwitch agent
 
 # Extensions list to use (list value)
-{% if neutron.get('qos', 'True') %}
-extensions = qos
-{% endif %}
+{%- set tmp_ext_list = neutron.backend.get('extension', []) %}
+{%- do tmp_ext_list.append('qos') if neutron.get('qos', 'True') and 'qos' not in tmp_ext_list %}
+extensions={{ tmp_ext_list|join(',') }}
 
 [ovs]
 
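Review bot: `tmp_ext_list` is the same list object that `neutron.backend.get('extension', [])` returns, so the `do ... append('qos')` on the next line mutates the pillar-derived data in place rather than a local copy. The `'qos' not in` guard keeps it idempotent, but anything rendered later from the same data may see the modified list. Copying first avoids that: `{%- set tmp_ext_list = neutron.backend.get('extension', [])|list %}`. Note also that `neutron.get('qos', 'True')` defaults to a non-empty string, so a pillar value given as the string `'False'` still enables qos, and that `extensions=` is now always written, even when the list is empty. The same three lines appear in the sriov_agent.ini hunk.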
diff --git a/neutron/files/ocata/sriov_agent.ini b/neutron/files/ocata/sriov_agent.ini
index eebd662..9ba9c1a 100644
--- a/neutron/files/ocata/sriov_agent.ini
+++ b/neutron/files/ocata/sriov_agent.ini
@@ -122,9 +122,9 @@
 #
 
 # Extensions list to use (list value)
-{% if neutron.get('qos', 'True') %}
-extensions = qos
-{% endif %}
+{%- set tmp_ext_list = neutron.backend.get('extension', []) %}
+{%- do tmp_ext_list.append('qos') if neutron.get('qos', 'True') and 'qos' not in tmp_ext_list %}
+extensions={{ tmp_ext_list|join(',') }}
 
 
 [sriov_nic]
diff --git a/neutron/fwaas.sls b/neutron/fwaas.sls
new file mode 100644
index 0000000..8b6f87d
--- /dev/null
+++ b/neutron/fwaas.sls
@@ -0,0 +1,18 @@
+{%- from "neutron/map.jinja" import compute, fwaas with context %}
+
+{%- if fwaas.get('enabled', False) %}
+
+neutron_fwaas_packages:
+  pkg.installed:
+  - names: {{ fwaas.pkgs }}
+
+{%- if pillar.neutron.gateway is defined or compute.get('enabled', False) and compute.dvr %}
+/etc/neutron/fwaas_driver.ini:
+  file.managed:
+  - source: salt://neutron/files/{{ fwaas.version }}/fwaas_driver.ini
+  - template: jinja
+  - require:
+    - pkg: neutron_fwaas_packages
+{%- endif %}
+
+{%- endif %}
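Review bot: `fwaas.version` in the `source:` path has no default. The `fwaas` map added in map.jinja supplies `api_version`, `pkgs` and the `v1`/`v2` entries but no `version`, so a pillar that sets only `neutron:fwaas:enabled` would presumably render `salt://neutron/files//fwaas_driver.ini` or fail on the undefined value. Either add a `version` default to the map or fall back to the gateway/compute version here. The `if` condition also relies on `and` binding tighter than `or`; writing it as `pillar.neutron.gateway is defined or (compute.get('enabled', False) and compute.dvr)` makes the intent explicit.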
diff --git a/neutron/gateway.sls b/neutron/gateway.sls
index a6e6586..96d7e9f 100644
--- a/neutron/gateway.sls
+++ b/neutron/gateway.sls
@@ -1,6 +1,11 @@
-{% from "neutron/map.jinja" import gateway with context %}
-{%- if gateway.enabled %}
+{% from "neutron/map.jinja" import gateway, fwaas, system_cacerts_file with context %}
 
+{%- if fwaas.get('enabled', False) %}
+include:
+- neutron.fwaas
+{%- endif %}
+
+{%- if gateway.enabled %}
 neutron_gateway_packages:
   pkg.installed:
   - names: {{ gateway.pkgs }}
@@ -54,5 +59,26 @@
     - file: /etc/neutron/metadata_agent.ini
     - file: /etc/neutron/plugins/ml2/openvswitch_agent.ini
     - file: /etc/neutron/dhcp_agent.ini
+    {%- if fwaas.get('enabled', False) %}
+    - file: /etc/neutron/fwaas_driver.ini
+    {%- endif %}
+    {%- if gateway.message_queue.get('ssl',{}).get('enabled', False) %}
+    - file: rabbitmq_ca
+    {%- endif %}
 
-{%- endif %}
\ No newline at end of file
+
+{%- if gateway.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbitmq_ca:
+{%- if gateway.message_queue.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ gateway.message_queue.ssl.cacert_file }}
+    - contents_pillar: neutron:gateway:message_queue:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ gateway.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
+
+{%- endif %}
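Review bot: In the `file.managed` branch of `rabbitmq_ca`, `name` is `gateway.message_queue.ssl.cacert_file` with no fallback, so a pillar that supplies `cacert` without `cacert_file` renders an empty `name:`, while the `else` branch falls back to `system_cacerts_file`. Reusing that fallback here would be worse, since the state would then overwrite the system bundle with the single pillar certificate. The safer guard is to require both keys, `{%- if gateway.message_queue.ssl.cacert is defined and gateway.message_queue.ssl.cacert_file is defined %}`, and fail the render otherwise. `mode: 0444` is better quoted as `mode: '0444'` so the YAML loader does not treat it as an integer. The `rabbitmq_ca` block added to server.sls has the same two issues; the service state whose `watch` list this hunk extends starts outside the hunk.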
diff --git a/neutron/init.sls b/neutron/init.sls
index c12f434..811d852 100644
--- a/neutron/init.sls
+++ b/neutron/init.sls
@@ -1,5 +1,8 @@
 
 include:
+{% if pillar.neutron.fwaas is defined %}
+- neutron.fwaas
+{% endif %}
 {% if pillar.neutron.server is defined %}
 - neutron.server
 {% endif %}
diff --git a/neutron/map.jinja b/neutron/map.jinja
index 1dd5f2a..80aa94d 100644
--- a/neutron/map.jinja
+++ b/neutron/map.jinja
@@ -1,3 +1,7 @@
+{%- set system_cacerts_file = salt['grains.filter_by']({
+    'Debian': '/etc/ssl/certs/ca-certificates.crt',
+    'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
+})%}
 
 {% set compute = salt['grains.filter_by']({
     'Debian': {
@@ -65,6 +69,24 @@
     },
 }, merge=pillar.neutron.get('client', {})) %}
 
+{% set fwaas = salt['grains.filter_by']({
+    'default': {
+        'v1': {
+            'driver': 'iptables',
+            'l3_extension': 'fwaas',
+            'service_plugin': 'firewall',
+        },
+        'v2': {
+            'driver': 'iptables_v2',
+            'l3_extension': 'fwaas_v2',
+            'service_plugin': 'firewall_v2',
+        },
+        'pkgs': ['python-neutron-fwaas'],
+        'api_version': 'v1',
+    },
+}, merge=pillar.neutron.get('fwaas', {}), base='default') %}
+
+
 {% set monitoring = salt['grains.filter_by']({
     'default': {
         'error_log_rate': 0.2,
diff --git a/neutron/meta/prometheus.yml b/neutron/meta/prometheus.yml
index 9f747cb..28c2957 100644
--- a/neutron/meta/prometheus.yml
+++ b/neutron/meta/prometheus.yml
@@ -6,15 +6,26 @@
   alert:
     NeutronAPIDown:
       if: >-
-        max(openstack_api_check_status{service="neutron-api"}) == 0
+        openstack_api_check_status{service=~"neutron.*"} == 0
       for: 2m
       labels:
         severity: down
         service: "{{ $labels.service }}"
       annotations:
-        summary: "Endpoint check for '{{ $labels.service}}' is down"
+        summary: "Endpoint check for '{{ $labels.service }}' is down"
         description: >-
-            Endpoint check for '{{ $labels.service}}' is down for 2 minutes
+            Endpoint check for '{{ $labels.service }}' is down for 2 minutes
+    NeutronAPIServiceDown:
+      if: >-
+        http_response_status{service=~"neutron-api"} == 0
+      for: 2m
+      labels:
+        severity: down
+        service: "{{ $labels.service }}"
+      annotations:
+        summary: "HTTP check for '{{ $labels.service }}' down"
+        description: >-
+            The HTTP check for '{{ $labels.service }}' is down on {{ $labels.host }} for 2 minutes.
 {%- endraw %}
 {%- if server.get('backend', {}).engine is defined and server.backend.engine == "ml2" %}
 {%- raw %}
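Review bot: `NeutronAPIServiceDown` uses the regex matcher `=~` against a plain literal. Prometheus anchors label regexes, so `http_response_status{service="neutron-api"} == 0` selects the same series and reads as the exact match it is. Both this rule and the rewritten `NeutronAPIDown` fire only while the series exists with value 0, so a check that stops reporting altogether raises nothing; if that case matters, a companion rule built on `absent(...)` would cover it. Dropping `max()` from `NeutronAPIDown` also means one alert per matching series, and `neutron.*` matches every service whose name starts with `neutron`, which deserves a comment above the rule.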
@@ -28,7 +39,7 @@
       annotations:
         summary: "Some {{ $labels.service }} agents down"
         description: >-
-            {{ $value }} '{{ $labels.service}}' agent(s) is/are down for 2 minutes
+            {{ $value }} '{{ $labels.service }}' agent(s) is/are down for 2 minutes
     NeutronOnlyOneAgentUp:
       if: >-
         openstack_neutron_agents{state="up"} == 1 and ignoring(state) openstack_neutron_agents{state=~"down|disabled"} > 0
@@ -39,7 +50,7 @@
       annotations:
         summary: "Only one {{ $labels.service }} agent up"
         description: >-
-            Only one '{{ $labels.service}}' agent is up for 2 minutes
+            Only one '{{ $labels.service }}' agent is up for 2 minutes
     NeutronAllAgentsDown:
       if: >-
         openstack_neutron_agents{state="up"} == 0
@@ -50,7 +61,7 @@
       annotations:
         summary: "All {{ $labels.service }} agents down"
         description: >-
-            All '{{ $labels.service}}' agents are down for 2 minutes
+            All '{{ $labels.service }}' agents are down for 2 minutes
     NeutronErrorLogsTooHigh:
 {%- endraw %}
       {%- set log_threshold = monitoring.error_log_rate|float %}
diff --git a/neutron/server.sls b/neutron/server.sls
index 1ce07ad..3c15b67 100644
--- a/neutron/server.sls
+++ b/neutron/server.sls
@@ -1,6 +1,11 @@
-{%- from "neutron/map.jinja" import server with context %}
-{%- if server.get('enabled', False) %}
+{%- from "neutron/map.jinja" import server, fwaas, system_cacerts_file with context %}
 
+{%- if fwaas.get('enabled', False) %}
+include:
+- neutron.fwaas
+{%- endif %}
+
+{%- if server.get('enabled', False) %}
 {% if grains.os_family == 'Debian' %}
 # This is here to avoid starting up wrongly configured service and to avoid
 # issue with restart limits on systemd.
@@ -61,6 +66,9 @@
   {%- endif %}
   - watch:
     - file: /etc/neutron/neutron.conf
+    {%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+    - file: rabbitmq_ca
+    {%- endif %}
 
 {%- endif %}
 
@@ -211,6 +219,9 @@
   {%- endif %}
   - watch:
     - file: /etc/neutron/neutron.conf
+    {%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+    - file: rabbitmq_ca
+    {%- endif %}
 
 {%- if grains.get('virtual_subtype', None) == "Docker" %}
 
@@ -223,4 +234,19 @@
 
 {%- endif %}
 
+
+{%- if server.message_queue.get('ssl',{}).get('enabled', False) %}
+rabbitmq_ca:
+{%- if server.message_queue.ssl.cacert is defined %}
+  file.managed:
+    - name: {{ server.message_queue.ssl.cacert_file }}
+    - contents_pillar: neutron:server:message_queue:ssl:cacert
+    - mode: 0444
+    - makedirs: true
+{%- else %}
+  file.exists:
+   - name: {{ server.message_queue.ssl.get('cacert_file', system_cacerts_file) }}
+{%- endif %}
+{%- endif %}
+
 {%- endif %}
diff --git a/tests/pillar/compute_dvr_fwaas_v1.sls b/tests/pillar/compute_dvr_fwaas_v1.sls
new file mode 100644
index 0000000..a4b86d2
--- /dev/null
+++ b/tests/pillar/compute_dvr_fwaas_v1.sls
@@ -0,0 +1,28 @@
+neutron:
+  compute:
+    agent_mode: dvr
+    backend:
+      engine: ml2
+      tenant_network_types: "flat,vxlan"
+      mechanism:
+        ovs:
+          driver: openvswitch
+    dvr: true
+    enabled: true
+    external_access: true
+    local_ip: 10.1.0.105
+    message_queue:
+      engine: rabbitmq
+      host: 127.0.0.1
+      password: workshop
+      port: 5672
+      user: openstack
+      virtual_host: /openstack
+    metadata:
+      host: 127.0.0.1
+      password: password
+    version: ocata
+  fwaas:
+    enabled: true
+    version: ocata
+    api_version: v1
diff --git a/tests/pillar/control_fwaas_v1.sls b/tests/pillar/control_fwaas_v1.sls
new file mode 100644
index 0000000..5311d2f
--- /dev/null
+++ b/tests/pillar/control_fwaas_v1.sls
@@ -0,0 +1,56 @@
+neutron:
+  server:
+    backend:
+      engine: ml2
+      external_mtu: 1500
+      mechanism:
+        ovs:
+          driver: openvswitch
+      tenant_network_types: flat,vxlan
+    bind:
+      address: 172.16.10.101
+      port: 9696
+    compute:
+      host: 127.0.0.1
+      password: workshop
+      region: RegionOne
+      tenant: service
+      user: nova
+    database:
+      engine: mysql
+      host: 127.0.0.1
+      name: neutron
+      password: workshop
+      port: 3306
+      user: neutron
+    version: ocata
+    dns_domain: novalocal
+    dvr: false
+    enabled: true
+    global_physnet_mtu: 1500
+    identity:
+      engine: keystone
+      host: 127.0.0.1
+      password: workshop
+      port: 35357
+      region: RegionOne
+      tenant: service
+      user: neutron
+      endpoint_type: internal
+    l3_ha: false
+    message_queue:
+      engine: rabbitmq
+      host: 127.0.0.1
+      password: workshop
+      port: 5672
+      user: openstack
+      virtual_host: /openstack
+    plugin: ml2
+    policy:
+      create_subnet: 'rule:admin_or_network_owner'
+      'get_network:queue_id': 'rule:admin_only'
+      'create_network:shared':
+  fwaas:
+    enabled: true
+    version: ocata
+    api_version: v1
diff --git a/tests/pillar/gateway_legacy_fwaas_v1.sls b/tests/pillar/gateway_legacy_fwaas_v1.sls
new file mode 100644
index 0000000..34e921c
--- /dev/null
+++ b/tests/pillar/gateway_legacy_fwaas_v1.sls
@@ -0,0 +1,28 @@
+neutron:
+  gateway:
+    agent_mode: legacy
+    backend:
+      engine: ml2
+      tenant_network_types: "flat,vxlan"
+      mechanism:
+        ovs:
+          driver: openvswitch
+    dvr: false
+    enabled: true
+    external_access: True
+    local_ip: 10.1.0.110
+    message_queue:
+      engine: rabbitmq
+      host: 127.0.0.1
+      password: workshop
+      port: 5672
+      user: openstack
+      virtual_host: /openstack
+    metadata:
+      host: 127.0.0.1
+      password: password
+    version: ocata
+  fwaas:
+    enabled: true
+    version: ocata
+    api_version: v1
diff --git a/tests/pillar/ssl.sls b/tests/pillar/ssl.sls
new file mode 100644
index 0000000..3e79d83
--- /dev/null
+++ b/tests/pillar/ssl.sls
@@ -0,0 +1,9 @@
+include:
+  - .control_cluster
+
+neutron:
+  server:
+    message_queue:
+      port: 5671
+      ssl:
+        enabled: True
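Review bot: This fixture enables `ssl` for the server only and sets neither `cacert` nor `cacert_file`, so of the new TLS code it exercises only the `file.exists` / system-bundle path. The `file.managed` branch of `rabbitmq_ca` and the gateway-side state get no coverage from the pillars visible in this change. Adding `cacert_file` and a throwaway test `cacert` to one fixture would cover the managed branch. `enabled: True` is better written `enabled: true`.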