Merge "TVD: Add VPNaaS wrapper driver"

doc/source/devstack.rst

@@ -302,3 +302,12 @@ Add neutron-dynamic-routing repo as an external repository and configure followi
     [[post-config|$NEUTRON_CONF]]
     [DEFAULT]
     api_extensions_path = $DEST/neutron-dynamic-routing/neutron_dynamic_routing/extensions
+
+Neutron VPNaaS
+~~~~~~~~~~~~~~
+
+Add neutron-vpnaas repo as an external repository and configure following flags in ``local.conf``::
+
+    [[local|localrc]]
+    enable_plugin neutron-vpnaas https://git.openstack.org/openstack/neutron-vpnaas
+    NEUTRON_VPNAAS_SERVICE_PROVIDER=VPN:vmware:vmware_nsx.services.vpnaas.nsx_tvd.ipsec_driver.NSXIPsecVpnDriver:default

vmware_nsx/plugins/nsx_v/plugin.py

@@ -3894,7 +3894,8 @@ class NsxVPluginV2(addr_pair_db.AllowedAddressPairsMixin,
             if vpn_plugin:
                 vpn_driver = vpn_plugin.drivers[vpn_plugin.default_provider]
                 vpn_rules = (
-                    vpn_driver._generate_ipsecvpn_firewall_rules(edge_id))
+                    vpn_driver._generate_ipsecvpn_firewall_rules(
+                        self.plugin_type(), context, edge_id=edge_id))
                 fw_rules.extend(vpn_rules)
 
         # Get the load balancer rules in case they are refreshed

vmware_nsx/plugins/nsx_v3/plugin.py

@@ -3658,7 +3658,7 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
             vpn_driver = vpn_plugin.drivers[vpn_plugin.default_provider]
             vpn_rules = (
                 vpn_driver._generate_ipsecvpn_firewall_rules(
-                    context, router_id))
+                    self.plugin_type(), context, router_id=router_id))
             if vpn_rules:
                 extra_rules.extend(vpn_rules)
 

vmware_nsx/services/vpnaas/nsx_tvd/ipsec_driver.py

@@ -0,0 +1,100 @@
+# Copyright 2018 VMware, Inc.
+# All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_log import log as logging
+
+from neutron_lib.plugins import directory
+from neutron_vpnaas.services.vpn import service_drivers
+
+from vmware_nsx.common import exceptions as nsx_exc
+from vmware_nsx.extensions import projectpluginmap
+from vmware_nsx.plugins.nsx import utils as tvd_utils
+from vmware_nsx.services.vpnaas.nsx_tvd import ipsec_validator
+from vmware_nsx.services.vpnaas.nsxv import ipsec_driver as v_driver
+from vmware_nsx.services.vpnaas.nsxv3 import ipsec_driver as t_driver
+
+LOG = logging.getLogger(__name__)
+IPSEC = 'ipsec'
+
+
+class NSXIPsecVpnDriver(service_drivers.VpnDriver):
+    """Wrapper driver to select the relevant driver for each VPNaaS request"""
+    def __init__(self, service_plugin):
+        self.vpn_plugin = service_plugin
+        self._core_plugin = directory.get_plugin()
+        validator = ipsec_validator.IPsecValidator(service_plugin)
+        super(NSXIPsecVpnDriver, self).__init__(service_plugin, validator)
+
+        # supported drivers:
+        self.drivers = {}
+        try:
+            self.drivers[projectpluginmap.NsxPlugins.NSX_T] = (
+                t_driver.NSXv3IPsecVpnDriver(service_plugin))
+        except Exception as e:
+            LOG.error("NSXIPsecVpnDriver failed to initialize the NSX-T "
+                      "driver: %s", e)
+            self.drivers[projectpluginmap.NsxPlugins.NSX_T] = None
+        try:
+            self.drivers[projectpluginmap.NsxPlugins.NSX_V] = (
+                v_driver.NSXvIPsecVpnDriver(service_plugin))
+        except Exception as e:
+            LOG.error("NSXIPsecVpnDriver failed to initialize the NSX-V "
+                      "driver: %s", e)
+            self.drivers[projectpluginmap.NsxPlugins.NSX_V] = None
+
+    @property
+    def service_type(self):
+        return IPSEC
+
+    def _get_driver_for_project(self, project):
+        plugin_type = tvd_utils.get_tvd_plugin_type_for_project(project)
+        if not self.drivers.get(plugin_type):
+            msg = (_("Project %(project)s with plugin %(plugin)s has no "
+                     "support for VPNaaS"), {'project': project,
+                                             'plugin': plugin_type})
+            raise nsx_exc.NsxPluginException(err_msg=msg)
+        return self.drivers[plugin_type]
+
+    def create_ipsec_site_connection(self, context, ipsec_site_conn):
+        d = self._get_driver_for_project(ipsec_site_conn['tenant_id'])
+        return d.create_ipsec_site_connection(context, ipsec_site_conn)
+
+    def delete_ipsec_site_connection(self, context, ipsec_site_conn):
+        d = self._get_driver_for_project(ipsec_site_conn['tenant_id'])
+        return d.delete_ipsec_site_connection(context, ipsec_site_conn)
+
+    def update_ipsec_site_connection(self, context, old_ipsec_conn,
+                                     ipsec_site_conn):
+        d = self._get_driver_for_project(old_ipsec_conn['tenant_id'])
+        return d.update_ipsec_site_connection(context, old_ipsec_conn,
+                                              ipsec_site_conn)
+
+    def create_vpnservice(self, context, vpnservice):
+        d = self._get_driver_for_project(vpnservice['tenant_id'])
+        return d.create_vpnservice(context, vpnservice)
+
+    def update_vpnservice(self, context, old_vpnservice, vpnservice):
+        pass
+
+    def delete_vpnservice(self, context, vpnservice):
+        pass
+
+    def _generate_ipsecvpn_firewall_rules(self, plugin_type, context,
+                                          **kargs):
+        d = self.drivers.get(plugin_type)
+        if d:
+            return d._generate_ipsecvpn_firewall_rules(
+                plugin_type, context, **kargs)
+        return []

vmware_nsx/services/vpnaas/nsx_tvd/ipsec_validator.py

@@ -0,0 +1,112 @@
+# Copyright 2018 VMware, Inc.
+# All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from oslo_log import log as logging
+
+from neutron_vpnaas.db.vpn import vpn_validator
+
+from vmware_nsx._i18n import _
+from vmware_nsx.common import exceptions as nsx_exc
+from vmware_nsx.extensions import projectpluginmap
+from vmware_nsx.plugins.nsx import utils as tvd_utils
+from vmware_nsx.services.vpnaas.nsxv import ipsec_validator as v_validator
+from vmware_nsx.services.vpnaas.nsxv3 import ipsec_validator as t_validator
+
+LOG = logging.getLogger(__name__)
+
+
+class IPsecValidator(vpn_validator.VpnReferenceValidator):
+    """Wrapper validator for selecting the V/T validator to use"""
+    def __init__(self, service_plugin):
+        super(IPsecValidator, self).__init__()
+        self.vpn_plugin = service_plugin
+
+        # supported validatorss:
+        self.validators = {}
+        try:
+            self.validators[projectpluginmap.NsxPlugins.NSX_T] = (
+                t_validator.IPsecV3Validator(service_plugin))
+        except Exception as e:
+            LOG.error("IPsecValidator failed to initialize the NSX-T "
+                      "validator: %s", e)
+            self.validators[projectpluginmap.NsxPlugins.NSX_T] = None
+        try:
+            self.validators[projectpluginmap.NsxPlugins.NSX_V] = (
+                v_validator.IPsecValidator(service_plugin))
+        except Exception as e:
+            LOG.error("IPsecValidator failed to initialize the NSX-V "
+                      "validator: %s", e)
+            self.validators[projectpluginmap.NsxPlugins.NSX_V] = None
+
+    def _get_validator_for_project(self, project):
+        plugin_type = tvd_utils.get_tvd_plugin_type_for_project(project)
+        if not self.validators.get(plugin_type):
+            msg = (_("Project %(project)s with plugin %(plugin)s has no "
+                     "support for VPNaaS"), {'project': project,
+                                             'plugin': plugin_type})
+            raise nsx_exc.NsxPluginException(err_msg=msg)
+        return self.validators[plugin_type]
+
+    def validate_ipsec_site_connection(self, context, ipsec_site_conn):
+        if not ipsec_site_conn.get('tenant_id'):
+            # nothing we can do here.
+            return
+
+        v = self._get_validator_for_project(ipsec_site_conn['tenant_id'])
+
+        # first make sure the plugin is the same as the one of the vpnservice
+        srv_id = ipsec_site_conn.get('vpnservice_id')
+        srv = self.vpn_plugin._get_vpnservice(context, srv_id)
+        srv_validator = self._get_validator_for_project(srv['tenant_id'])
+        if v != srv_validator:
+            err_msg = _('VPN service should belong to the same plugin '
+                        'as the connection')
+            raise nsx_exc.NsxVpnValidationError(details=err_msg)
+
+        return v.validate_ipsec_site_connection(context, ipsec_site_conn)
+
+    def validate_vpnservice(self, context, vpnservice):
+        if not vpnservice.get('tenant_id'):
+            # This will happen during update.
+            # nothing significant like router or subnet can be changes
+            # so we can skip it.
+            return
+
+        v = self._get_validator_for_project(vpnservice['tenant_id'])
+
+        # first make sure the router&subnet plugin matches the vpnservice
+        router_id = vpnservice['router_id']
+        p = self.core_plugin._get_plugin_from_router_id(context, router_id)
+        if self.validators.get(p.plugin_type()) != v:
+            err_msg = _('Router & subnet should belong to the same plugin '
+                        'as the VPN service')
+            raise nsx_exc.NsxVpnValidationError(details=err_msg)
+        return v.validate_vpnservice(context, vpnservice)
+
+    def validate_ipsec_policy(self, context, ipsec_policy):
+        if not ipsec_policy.get('tenant_id'):
+            # nothing we can do here
+            return
+
+        v = self._get_validator_for_project(ipsec_policy['tenant_id'])
+        return v.validate_ipsec_policy(context, ipsec_policy)
+
+    def validate_ike_policy(self, context, ike_policy):
+        if not ike_policy.get('tenant_id'):
+            # nothing we can do here
+            return
+
+        v = self._get_validator_for_project(ike_policy['tenant_id'])
+        return v.validate_ike_policy(context, ike_policy)

vmware_nsx/services/vpnaas/nsxv/ipsec_driver.py

@@ -24,6 +24,7 @@ from vmware_nsx.common import exceptions as nsxv_exc
 from vmware_nsx.common import locking
 from vmware_nsx.common import nsxv_constants
 from vmware_nsx.db import nsxv_db
+from vmware_nsx.extensions import projectpluginmap
 from vmware_nsx.plugins.nsx_v.vshield.common import exceptions as vcns_exc
 from vmware_nsx.services.vpnaas.nsxv import ipsec_validator
 
@@ -35,6 +36,9 @@ class NSXvIPsecVpnDriver(service_drivers.VpnDriver):
 
     def __init__(self, service_plugin):
         self._core_plugin = directory.get_plugin()
+        if self._core_plugin.is_tvd_plugin():
+            self._core_plugin = self._core_plugin.get_plugin_by_type(
+                projectpluginmap.NsxPlugins.NSX_V)
         self._vcns = self._core_plugin.nsx_v.vcns
         validator = ipsec_validator.IPsecValidator(service_plugin)
         super(NSXvIPsecVpnDriver, self).__init__(service_plugin, validator)
@@ -111,7 +115,8 @@ class NSXvIPsecVpnDriver(service_drivers.VpnDriver):
         vse_sites.append(ipsec_site_conn)
         return vse_sites
 
-    def _generate_ipsecvpn_firewall_rules(self, edge_id):
+    def _generate_ipsecvpn_firewall_rules(self, plugin_type, context,
+                                          edge_id=None):
         ipsecvpn_configs = self._get_ipsec_config(edge_id)
         ipsec_vpn_fw_rules = []
         if ipsecvpn_configs[1]['enabled']:

vmware_nsx/services/vpnaas/nsxv3/ipsec_driver.py

@@ -26,6 +26,7 @@ from neutron_vpnaas.services.vpn import service_drivers
 
 from vmware_nsx.common import exceptions as nsx_exc
 from vmware_nsx.db import db
+from vmware_nsx.extensions import projectpluginmap
 from vmware_nsx.services.vpnaas.nsxv3 import ipsec_utils
 from vmware_nsx.services.vpnaas.nsxv3 import ipsec_validator
 from vmware_nsxlib.v3 import exceptions as nsx_lib_exc
@@ -41,6 +42,9 @@ class NSXv3IPsecVpnDriver(service_drivers.VpnDriver):
     def __init__(self, service_plugin):
         self.vpn_plugin = service_plugin
         self._core_plugin = directory.get_plugin()
+        if self._core_plugin.is_tvd_plugin():
+            self._core_plugin = self._core_plugin.get_plugin_by_type(
+                projectpluginmap.NsxPlugins.NSX_T)
         self._nsxlib = self._core_plugin.nsxlib
         self._nsx_vpn = self._nsxlib.vpn_ipsec
         validator = ipsec_validator.IPsecV3Validator(service_plugin)
@@ -66,7 +70,8 @@ class NSXv3IPsecVpnDriver(service_drivers.VpnDriver):
     def _translate_addresses_to_target(self, cidrs):
         return [self._translate_cidr(ip) for ip in cidrs]
 
-    def _generate_ipsecvpn_firewall_rules(self, context, router_id):
+    def _generate_ipsecvpn_firewall_rules(self, plugin_type, context,
+                                          router_id=None):
         """Return the firewall rules needed to allow vpn traffic"""
         fw_rules = []
         # get all the active services of this router

vmware_nsx/services/vpnaas/nsxv3/ipsec_validator.py

@@ -21,6 +21,7 @@ from neutron_vpnaas.db.vpn import vpn_validator
 
 from vmware_nsx._i18n import _
 from vmware_nsx.common import exceptions as nsx_exc
+from vmware_nsx.extensions import projectpluginmap
 from vmware_nsx.services.vpnaas.nsxv3 import ipsec_utils
 from vmware_nsxlib.v3 import nsx_constants as consts
 from vmware_nsxlib.v3 import vpn_ipsec
@@ -34,7 +35,13 @@ class IPsecV3Validator(vpn_validator.VpnReferenceValidator):
     def __init__(self, service_plugin):
         super(IPsecV3Validator, self).__init__()
         self.vpn_plugin = service_plugin
-        self.nsxlib = self.core_plugin.nsxlib
+
+        self._core_plugin = self.core_plugin
+        if self._core_plugin.is_tvd_plugin():
+            self._core_plugin = self._core_plugin.get_plugin_by_type(
+                projectpluginmap.NsxPlugins.NSX_T)
+        self.nsxlib = self._core_plugin.nsxlib
+
         self.check_backend_version()
 
     def check_backend_version(self):
@@ -219,7 +226,7 @@ class IPsecV3Validator(vpn_validator.VpnReferenceValidator):
         this_cidr = srv['subnet']['cidr']
 
         # get all subnets of no-snat routers
-        all_routers = self.core_plugin.get_routers(admin_con)
+        all_routers = self._core_plugin.get_routers(admin_con)
         nosnat_routers = [rtr for rtr in all_routers
                           if (rtr['id'] != this_router and
                               rtr.get('external_gateway_info') and
@@ -229,7 +236,7 @@ class IPsecV3Validator(vpn_validator.VpnReferenceValidator):
             if rtr['id'] == this_router:
                 continue
             # go over the subnets of this router
-            subnets = self.core_plugin._find_router_subnets_cidrs(
+            subnets = self._core_plugin._find_router_subnets_cidrs(
                 admin_con, rtr['id'])
             if subnets and netaddr.IPSet(subnets) & netaddr.IPSet([this_cidr]):
                 msg = (_("Cannot create connection with overlapping local "
@@ -283,9 +290,10 @@ class IPsecV3Validator(vpn_validator.VpnReferenceValidator):
                                                       ipsec_policy_id)
             self.validate_ipsec_policy(context, ipsecpolicy)
 
-        self._check_advertisment_overlap(context, ipsec_site_conn)
-        self._check_unique_addresses(context, ipsec_site_conn)
-        self._check_policy_rules_overlap(context, ipsec_site_conn)
+        if ipsec_site_conn.get('vpnservice_id'):
+            self._check_advertisment_overlap(context, ipsec_site_conn)
+            self._check_unique_addresses(context, ipsec_site_conn)
+            self._check_policy_rules_overlap(context, ipsec_site_conn)
 
         #TODO(asarfaty): IPv6 is not yet supported. add validation
 
@@ -293,15 +301,15 @@ class IPsecV3Validator(vpn_validator.VpnReferenceValidator):
         vpnservice = self.vpn_plugin._get_vpnservice(context,
                                                      vpnservice_id)
         router_id = vpnservice['router_id']
-        router_db = self.core_plugin.get_router(context, router_id)
+        router_db = self._core_plugin.get_router(context, router_id)
         gw = router_db['external_gateway_info']
         return gw['external_fixed_ips'][0]['ip_address']
 
     def _validate_router(self, context, router_id):
         # Verify that the router gw network is connected to an active-standby
         # Tier0 router
-        router_db = self.core_plugin._get_router(context, router_id)
-        tier0_uuid = self.core_plugin._get_tier0_uuid_by_router(context,
+        router_db = self._core_plugin._get_router(context, router_id)
+        tier0_uuid = self._core_plugin._get_tier0_uuid_by_router(context,
             router_db)
         # TODO(asarfaty): cache this result
         tier0_router = self.nsxlib.logical_router.get(tier0_uuid)