From e9794721abb7796cdcd3efa4a0aea98188fd6a23 Mon Sep 17 00:00:00 2001 From: howardlee Date: Tue, 2 Apr 2024 16:55:53 +0800 Subject: [PATCH] Re-add the neutron-fwaas neutron-fwaas has become active again Depends-On: https://review.opendev.org/c/openstack/kolla/+/914855 Change-Id: Ie5a7b2da9a351e8f47a1ae830bb2fee0a8e35e38 --- ansible/group_vars/all.yml | 2 ++ ansible/roles/horizon/defaults/main.yml | 1 + ansible/roles/neutron/defaults/main.yml | 6 +++++ ansible/roles/neutron/tasks/config.yml | 22 +++++++++++++++++++ .../neutron/templates/fwaas_driver.ini.j2 | 11 ++++++++++ .../templates/neutron-l3-agent-wrapper.sh.j2 | 6 ++++- .../templates/neutron-l3-agent.json.j2 | 8 ++++++- .../neutron/templates/neutron-server.json.j2 | 10 ++++++++- .../networking/neutron-extensions.rst | 21 +++++++++++++++++- etc/kolla/globals.yml | 2 ++ ...re-add-neutron-fwaas-fb2211cf78ba2eb7.yaml | 5 +++++ 11 files changed, 90 insertions(+), 4 deletions(-) create mode 100644 ansible/roles/neutron/templates/fwaas_driver.ini.j2 create mode 100644 releasenotes/notes/re-add-neutron-fwaas-fb2211cf78ba2eb7.yaml diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index c9196ad917..e8cdca9f83 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -770,6 +770,7 @@ enable_horizon: "{{ enable_openstack_core | bool }}" enable_horizon_blazar: "{{ enable_blazar | bool }}" enable_horizon_cloudkitty: "{{ enable_cloudkitty | bool }}" enable_horizon_designate: "{{ enable_designate | bool }}" +enable_horizon_fwaas: "{{ enable_neutron_fwaas | bool }}" enable_horizon_heat: "{{ enable_heat | bool }}" enable_horizon_ironic: "{{ enable_ironic | bool }}" enable_horizon_magnum: "{{ enable_magnum | bool }}" @@ -806,6 +807,7 @@ enable_neutron_vpnaas: "no" enable_neutron_sriov: "no" enable_neutron_mlnx: "no" enable_neutron_dvr: "no" +enable_neutron_fwaas: "no" enable_neutron_qos: "no" enable_neutron_agent_ha: "no" enable_neutron_bgp_dragent: "no" 
diff --git a/ansible/roles/horizon/defaults/main.yml b/ansible/roles/horizon/defaults/main.yml index dcf4b52631..04bf1763ac 100644 --- a/ansible/roles/horizon/defaults/main.yml +++ b/ansible/roles/horizon/defaults/main.yml @@ -9,6 +9,7 @@ horizon_services: ENABLE_BLAZAR: "{{ 'yes' if enable_horizon_blazar | bool else 'no' }}" ENABLE_CLOUDKITTY: "{{ 'yes' if enable_horizon_cloudkitty | bool else 'no' }}" ENABLE_DESIGNATE: "{{ 'yes' if enable_horizon_designate | bool else 'no' }}" + ENABLE_FWAAS: "{{ 'yes' if enable_horizon_fwaas | bool else 'no' }}" ENABLE_HEAT: "{{ 'yes' if enable_horizon_heat | bool else 'no' }}" ENABLE_IRONIC: "{{ 'yes' if enable_horizon_ironic | bool else 'no' }}" ENABLE_MAGNUM: "{{ 'yes' if enable_horizon_magnum | bool else 'no' }}" diff --git a/ansible/roles/neutron/defaults/main.yml b/ansible/roles/neutron/defaults/main.yml index fe01a5fc82..4dd8213b34 100644 --- a/ansible/roles/neutron/defaults/main.yml +++ b/ansible/roles/neutron/defaults/main.yml @@ -656,6 +656,8 @@ neutron_metadata_workers: "{{ openstack_service_workers }}" # Subprojects #################### neutron_subprojects: + - name: "neutron-fwaas" + enabled: "{{ enable_neutron_fwaas | bool }}" - name: "networking-sfc" enabled: "{{ enable_neutron_sfc | bool }}" - name: "neutron-dynamic-routing" @@ -725,6 +727,8 @@ neutron_modules_extra: [] # Service Plugins #################### service_plugins: + - name: "firewall_v2" + enabled: "{{ enable_neutron_fwaas | bool }}" - name: "flow_classifier" enabled: "{{ enable_neutron_sfc | bool }}" - name: "metering" @@ -783,6 +787,8 @@ agent_extensions: neutron_agent_extensions: "{{ agent_extensions | selectattr('enabled', 'equalto', true) | list }}" l3_agent_extensions: + - name: "fwaas_v2" + enabled: "{{ enable_neutron_fwaas | bool }}" - name: "vpnaas" enabled: "{{ enable_neutron_vpnaas | bool }}" - name: "port_forwarding" 
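Review bot: The `firewall_v2` service plugin, the `fwaas_v2` L3 agent extension and the `neutron-fwaas` subproject are switched on purely by `enable_neutron_fwaas`, with no check against `neutron_plugin_agent`, even though the documentation hunk in this same change states that FWaaS has no OVN support. With `neutron_plugin_agent: ovn` neutron-server would still load the plugin and fwaas_driver.ini.j2 would fall into its `iptables_v2` / agent-driver branch, which presumably leaves a plugin with no L3 agent behind it; the same branch is reached for `vmware_nsxv3`, `vmware_nsxp` and `vmware_dvs`, which the template does not distinguish from `vmware_nsxv`. I would add a precheck (the neutron precheck tasks are outside this diff) asserting `that: not (enable_neutron_fwaas | bool and neutron_plugin_agent == 'ovn')` with a message pointing at the documented limitation, or at minimum a comment above the `firewall_v2` entry saying that the default driver is agent-based and requires neutron-l3-agent. The same point applies to the `fwaas_v2` entry in the `l3_agent_extensions` hunk and to the `{% else %}` branch of the fwaas_driver.ini.j2 hunk.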
diff --git a/ansible/roles/neutron/tasks/config.yml b/ansible/roles/neutron/tasks/config.yml index 707f30072d..ef5055e378 100644 --- a/ansible/roles/neutron/tasks/config.yml +++ b/ansible/roles/neutron/tasks/config.yml @@ -323,6 +323,28 @@ notify: - "Restart {{ item.key }} container" +- name: Copying over fwaas_driver.ini + become: true + vars: + service_name: "{{ item.key }}" + services_need_fwaas_driver_ini: + - "neutron-server" + - "neutron-l3-agent" + merge_configs: + sources: + - "{{ role_path }}/templates/fwaas_driver.ini.j2" + - "{{ node_custom_config }}/neutron/fwaas_driver.ini" + dest: "{{ node_config_directory }}/{{ service_name }}/fwaas_driver.ini" + mode: "0660" + when: + - enable_neutron_fwaas | bool + - item.key in services_need_fwaas_driver_ini + - item.value.enabled | bool + - item.value.host_in_groups | bool + with_dict: "{{ neutron_services }}" + notify: + - "Restart {{ item.key }} container" + - name: Copying over metadata_agent.ini become: true vars: diff --git a/ansible/roles/neutron/templates/fwaas_driver.ini.j2 b/ansible/roles/neutron/templates/fwaas_driver.ini.j2 new file mode 100644 index 0000000000..b0df0858fb --- /dev/null +++ b/ansible/roles/neutron/templates/fwaas_driver.ini.j2 @@ -0,0 +1,11 @@ +[fwaas] +enabled = True +{% if neutron_plugin_agent == 'vmware_nsxv' %} +driver = vmware_nsxv_edge +{% else %} +agent_version = v2 +driver = iptables_v2 + +[service_providers] +service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default +{% endif %} diff --git a/ansible/roles/neutron/templates/neutron-l3-agent-wrapper.sh.j2 b/ansible/roles/neutron/templates/neutron-l3-agent-wrapper.sh.j2 index 6960ae4bb4..028988e93d 100644 --- a/ansible/roles/neutron/templates/neutron-l3-agent-wrapper.sh.j2 +++ b/ansible/roles/neutron/templates/neutron-l3-agent-wrapper.sh.j2 
@@ -7,10 +7,14 @@ set -o errexit neutron-netns-cleanup \ --config-file /etc/neutron/neutron.conf \ --config-file /etc/neutron/l3_agent.ini \ +{% if enable_neutron_fwaas | bool %} + --config-file /etc/neutron/fwaas_driver.ini \ +{% endif %} --force --agent-type l3 {% endif %} neutron-l3-agent \ --config-file /etc/neutron/neutron.conf \ --config-file /etc/neutron/neutron_vpnaas.conf \ - --config-file /etc/neutron/l3_agent.ini \ + --config-file /etc/neutron/l3_agent.ini{% if enable_neutron_fwaas | bool %} \ + --config-file /etc/neutron/fwaas_driver.ini{% endif %} diff --git a/ansible/roles/neutron/templates/neutron-l3-agent.json.j2 b/ansible/roles/neutron/templates/neutron-l3-agent.json.j2 index 5c1d79c330..cd36548419 100644 --- a/ansible/roles/neutron/templates/neutron-l3-agent.json.j2 +++ b/ansible/roles/neutron/templates/neutron-l3-agent.json.j2 @@ -18,7 +18,13 @@ "dest": "/etc/neutron/neutron_vpnaas.conf", "owner": "neutron", "perm": "0600" - }, + }{% if enable_neutron_fwaas | bool %}, + { + "source": "{{ container_config_directory }}/fwaas_driver.ini", + "dest": "/etc/neutron/fwaas_driver.ini", + "owner": "neutron", + "perm": "0600" + }{% endif %}, { "source": "{{ container_config_directory }}/l3_agent.ini", "dest": "/etc/neutron/l3_agent.ini", diff --git a/ansible/roles/neutron/templates/neutron-server.json.j2 b/ansible/roles/neutron/templates/neutron-server.json.j2 index 8d6904eac1..1fe3b349f5 100644 --- a/ansible/roles/neutron/templates/neutron-server.json.j2 +++ b/ansible/roles/neutron/templates/neutron-server.json.j2 
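Review bot: The two fwaas `--config-file` insertions in neutron-l3-agent-wrapper.sh.j2 use different Jinja layouts: the netns-cleanup one is a block-level `{% if %}` on its own lines, while the neutron-l3-agent one glues the tags inline to the `l3_agent.ini` argument and the line continuation, which is harder to read and to diff. Placing the conditional argument before the final `--config-file /etc/neutron/l3_agent.ini` line lets both use the block form with no dangling backslash. That moves fwaas_driver.ini ahead of l3_agent.ini in oslo.config's file order; the two files appear to cover different sections, but confirm there is no overlapping option before relying on that. The same block-versus-inline split shows up between neutron-l3-agent.json.j2 (inline `}{% if … %},`) and neutron-server.json.j2 (block-level `{% if %}` lines) in the following hunks; one form for both templates would be easier to maintain.
```shell
neutron-l3-agent \
# … unchanged: neutron.conf and neutron_vpnaas.conf --config-file lines …
{% if enable_neutron_fwaas | bool %}
    --config-file /etc/neutron/fwaas_driver.ini \
{% endif %}
    --config-file /etc/neutron/l3_agent.ini
```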
@@ -1,5 +1,5 @@ { - "command": "neutron-server --config-file /etc/neutron/neutron.conf {% if neutron_plugin_agent in ['openvswitch', 'linuxbridge', 'ovn'] %} --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /etc/neutron/neutron_vpnaas.conf {% elif neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs'] %} --config-file /etc/neutron/plugins/vmware/nsx.ini {% endif %}", + "command": "neutron-server --config-file /etc/neutron/neutron.conf {% if neutron_plugin_agent in ['openvswitch', 'linuxbridge', 'ovn'] %} --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /etc/neutron/neutron_vpnaas.conf {% elif neutron_plugin_agent in ['vmware_nsxv', 'vmware_nsxv3', 'vmware_nsxp', 'vmware_dvs'] %} --config-file /etc/neutron/plugins/vmware/nsx.ini {% endif %}{% if enable_neutron_fwaas | bool %}--config-file /etc/neutron/fwaas_driver.ini{% endif %}", "config_files": [ { "source": "{{ container_config_directory }}/neutron.conf", @@ -7,6 +7,14 @@ "owner": "neutron", "perm": "0600" }, +{% if enable_neutron_fwaas | bool %} + { + "source": "{{ container_config_directory }}/fwaas_driver.ini", + "dest": "/etc/neutron/fwaas_driver.ini", + "owner": "neutron", + "perm": "0600" + }, +{% endif %} { "source": "{{ container_config_directory }}/neutron_vpnaas.conf", "dest": "/etc/neutron/neutron_vpnaas.conf", diff --git a/doc/source/reference/networking/neutron-extensions.rst b/doc/source/reference/networking/neutron-extensions.rst index 8a8dbab05a..2e8be4b138 100644 --- a/doc/source/reference/networking/neutron-extensions.rst +++ b/doc/source/reference/networking/neutron-extensions.rst 
@@ -23,6 +23,25 @@ For setting up a testbed environment and creating a port chain, please refer to :networking-sfc-doc:`networking-sfc documentation `. +Neutron FWaaS (Firewall-as-a-Service) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Preparation and deployment +-------------------------- + +.. warning:: + + FWaaS has currently no support for OVN. + +Modify the ``/etc/kolla/globals.yml`` file as the following example shows: + +.. code-block:: yaml + + enable_neutron_fwaas: "yes" + +For more information on FWaaS in Neutron refer to the +:neutron-doc:`Neutron FWaaS docs `. + Neutron VPNaaS (VPN-as-a-Service) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -90,7 +109,7 @@ For more information on this and VPNaaS in Neutron refer to the and the `OpenStack wiki `_. Trunking --------- +~~~~~~~~ The network trunk service allows multiple networks to be connected to an instance using a single virtual NIC (vNIC). Multiple networks can be presented diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml index ee2aebf876..a7ba2ebb23 100644 --- a/etc/kolla/globals.yml +++ b/etc/kolla/globals.yml @@ -360,6 +360,7 @@ workaround_ansible_issue_8743: yes #enable_horizon_blazar: "{{ enable_blazar | bool }}" #enable_horizon_cloudkitty: "{{ enable_cloudkitty | bool }}" #enable_horizon_designate: "{{ enable_designate | bool }}" +#enable_horizon_fwaas: "{{ enable_neutron_fwaas | bool }}" #enable_horizon_heat: "{{ enable_heat | bool }}" #enable_horizon_ironic: "{{ enable_ironic | bool }}" #enable_horizon_magnum: "{{ enable_magnum | bool }}" @@ -392,6 +393,7 @@ workaround_ansible_issue_8743: yes #enable_neutron_vpnaas: "no" #enable_neutron_sriov: "no" #enable_neutron_dvr: "no" +#enable_neutron_fwaas: "no" #enable_neutron_qos: "no" #enable_neutron_agent_ha: "no" #enable_neutron_bgp_dragent: "no" diff --git a/releasenotes/notes/re-add-neutron-fwaas-fb2211cf78ba2eb7.yaml b/releasenotes/notes/re-add-neutron-fwaas-fb2211cf78ba2eb7.yaml new file mode 100644 index 0000000000..c513e4684b --- /dev/null 
+++ b/releasenotes/notes/re-add-neutron-fwaas-fb2211cf78ba2eb7.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Re-added support for neutron-fwaas v2. Set ``enable_neutron_fwaas: yes`` + to enable.