Merge "Add cluster-pod network to cluster-host firewall in IPv4"

sysinv/sysinv/sysinv/sysinv/puppet/platform_firewall.py

@@ -264,33 +264,35 @@ class PlatformFirewallPuppet(base.BasePuppet):
         ip_version = IPAddress(f"{addr_pool.network}").version
         self._add_source_net_filter(gnp_config["spec"]["ingress"],
                                     f"{addr_pool.network}/{addr_pool.prefix}")
+
+        # add cluster-pod to cover the cases where there is no tunneling, the pod traffic goes
+        # directly in the cluster-host interface
+        cpod_net = self.dbapi.network_get_by_type(constants.NETWORK_TYPE_CLUSTER_POD)
+        if cpod_net:
+            cpod_pool = self.dbapi.address_pool_get(cpod_net.pool_uuid)
+            cpod_ip_version = IPAddress(f"{cpod_pool.network}").version
+            if (cpod_ip_version == ip_version):
+                self._add_source_net_filter(gnp_config["spec"]["ingress"],
+                                            f"{cpod_pool.network}/{cpod_pool.prefix}")
+        else:
+            LOG.info("Cannot find cluster-pod network to add to cluster-host firewall")
+
+        # copy the TCP rule and do the same for SCTP
+        sctp_egr_rule = copy.deepcopy(gnp_config["spec"]["egress"][0])
+        sctp_egr_rule["protocol"] = "SCTP"
+        sctp_egr_rule["metadata"]["annotations"]["name"] = \
+            f"stx-egr-{host.personality}-{network.type}-sctp{ip_version}"
+        gnp_config["spec"]["egress"].append(sctp_egr_rule)
+        sctp_ingr_rule = copy.deepcopy(gnp_config["spec"]["ingress"][0])
+        sctp_ingr_rule["protocol"] = "SCTP"
+        sctp_ingr_rule["metadata"]["annotations"]["name"] = \
+            f"stx-ingr-{host.personality}-{network.type}-sctp{ip_version}"
+        gnp_config["spec"]["ingress"].append(sctp_ingr_rule)
+
         if (ip_version == 6):
-            # add cluster-pod since in IPv6 there is no tunneling, the pod traffic goes directly
-            # in the cluster-host interface
-            cpod_net = self.dbapi.network_get_by_type(constants.NETWORK_TYPE_CLUSTER_POD)
-            if cpod_net:
-                cpod_pool = self.dbapi.address_pool_get(cpod_net.pool_uuid)
-                cpod_ip_version = IPAddress(f"{cpod_pool.network}").version
-                if (cpod_ip_version == 6):
-                    self._add_source_net_filter(gnp_config["spec"]["ingress"],
-                                                f"{cpod_pool.network}/{cpod_pool.prefix}")
-            else:
-                LOG.info("In IPv6 cannot find cluster-pod network to add to cluster-host firewall")
             # add link-local network too
             self._add_source_net_filter(gnp_config["spec"]["ingress"], "fe80::/64")
 
-            # copy the TCP rule and do the same for SCTP
-            sctp_egr_rule = copy.deepcopy(gnp_config["spec"]["egress"][0])
-            sctp_egr_rule["protocol"] = "SCTP"
-            sctp_egr_rule["metadata"]["annotations"]["name"] = \
-                f"stx-egr-{host.personality}-{network.type}-sctp{ip_version}"
-            gnp_config["spec"]["egress"].append(sctp_egr_rule)
-            sctp_ingr_rule = copy.deepcopy(gnp_config["spec"]["ingress"][0])
-            sctp_ingr_rule["protocol"] = "SCTP"
-            sctp_ingr_rule["metadata"]["annotations"]["name"] = \
-                f"stx-ingr-{host.personality}-{network.type}-sctp{ip_version}"
-            gnp_config["spec"]["ingress"].append(sctp_ingr_rule)
-
         if (ip_version == 4):
             # add rule to allow DHCP requests (dhcp-offer have src addr == 0.0.0.0)
             rule = self._get_dhcp_rule(host.personality, "UDP", ip_version)

sysinv/sysinv/sysinv/sysinv/tests/puppet/test_platform_firewall.py

@@ -324,9 +324,11 @@ class PlatformFirewallTestCaseMixin(base.PuppetTestCaseMixin):
         self.assertEqual(gnp['spec']['ingress'][2]['source']['nets'][0],
                          f"{addr_pool.network}/{addr_pool.prefix}")
 
+        cpod_net = db_api.network_get_by_type(constants.NETWORK_TYPE_CLUSTER_POD)
+        cpod_pool = db_api.address_pool_get(cpod_net.pool_uuid)
+
         if (ip_version == 4 and (net_type == constants.NETWORK_TYPE_PXEBOOT
                 or net_type == constants.NETWORK_TYPE_MGMT
-                or net_type == constants.NETWORK_TYPE_CLUSTER_HOST
                 or net_type == constants.NETWORK_TYPE_STORAGE)):
             self.assertEqual(gnp['spec']['ingress'][3]['metadata']['annotations']['name'],
                     f"stx-ingr-{self.host.personality}-dhcp-udp{ip_version}")
@@ -334,9 +336,38 @@ class PlatformFirewallTestCaseMixin(base.PuppetTestCaseMixin):
             self.assertEqual(gnp['spec']['ingress'][3]['ipVersion'], ip_version)
             self.assertEqual(gnp['spec']['ingress'][3]['destination']['ports'], [67])
 
+        if (ip_version == 4 and (net_type == constants.NETWORK_TYPE_CLUSTER_HOST)):
+            self.assertEqual(gnp['spec']['ingress'][0]['source']['nets'][1],
+                             f"{cpod_pool.network}/{cpod_pool.prefix}")
+            self.assertEqual(gnp['spec']['ingress'][1]['source']['nets'][1],
+                             f"{cpod_pool.network}/{cpod_pool.prefix}")
+            self.assertEqual(gnp['spec']['ingress'][2]['source']['nets'][1],
+                             f"{cpod_pool.network}/{cpod_pool.prefix}")
+
+            # check that SCTP rule was added for egress cluster-host in IPv6
+            self.assertEqual(gnp['spec']['egress'][3]['protocol'], "SCTP")
+            self.assertEqual(gnp['spec']['egress'][3]['metadata']['annotations']['name'],
+                    f"stx-egr-{self.host.personality}-{net_type}-sctp{ip_version}")
+            self.assertEqual(gnp['spec']['egress'][3]['ipVersion'], ip_version)
+            self.assertFalse('destination' in gnp['spec']['egress'][3].keys())
+            self.assertFalse('source' in gnp['spec']['egress'][3].keys())
+            # check that SCTP rule was added for ingress cluster-host in IPv4
+            self.assertEqual(gnp['spec']['ingress'][3]['protocol'], "SCTP")
+            self.assertEqual(gnp['spec']['ingress'][3]['metadata']['annotations']['name'],
+                    f"stx-ingr-{self.host.personality}-{net_type}-sctp{ip_version}")
+            self.assertEqual(gnp['spec']['ingress'][3]['ipVersion'], ip_version)
+            self.assertEqual(gnp['spec']['ingress'][3]['source']['nets'][0],
+                            f"{addr_pool.network}/{addr_pool.prefix}")
+            self.assertEqual(gnp['spec']['ingress'][3]['source']['nets'][1],
+                             f"{cpod_pool.network}/{cpod_pool.prefix}")
+
+            self.assertEqual(gnp['spec']['ingress'][4]['metadata']['annotations']['name'],
+                    f"stx-ingr-{self.host.personality}-dhcp-udp{ip_version}")
+            self.assertEqual(gnp['spec']['ingress'][4]['protocol'], "UDP")
+            self.assertEqual(gnp['spec']['ingress'][4]['ipVersion'], ip_version)
+            self.assertEqual(gnp['spec']['ingress'][4]['destination']['ports'], [67])
+
         if (ip_version == 6 and (net_type == constants.NETWORK_TYPE_CLUSTER_HOST)):
-            cpod_net = db_api.network_get_by_type(constants.NETWORK_TYPE_CLUSTER_POD)
-            cpod_pool = db_api.address_pool_get(cpod_net.pool_uuid)
             self.assertEqual(gnp['spec']['ingress'][0]['source']['nets'][1],
                              f"{cpod_pool.network}/{cpod_pool.prefix}")
             self.assertEqual(gnp['spec']['ingress'][0]['source']['nets'][2], "fe80::/64")
@@ -355,7 +386,7 @@ class PlatformFirewallTestCaseMixin(base.PuppetTestCaseMixin):
             self.assertFalse('destination' in gnp['spec']['egress'][3].keys())
             self.assertFalse('source' in gnp['spec']['egress'][3].keys())
 
-            # check that SCTP rule was added for egress cluster-host in IPv6
+            # check that SCTP rule was added for ingress cluster-host in IPv6
             self.assertEqual(gnp['spec']['ingress'][3]['protocol'], "SCTP")
             self.assertEqual(gnp['spec']['ingress'][3]['metadata']['annotations']['name'],
                     f"stx-ingr-{self.host.personality}-{net_type}-sctp{ip_version}")
@@ -524,7 +555,7 @@ class PlatformFirewallTestCaseControllerNonDc_Setup01(PlatformFirewallTestCaseMi
         self.assertTrue(hiera_data['platform::firewall::calico::mgmt::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::cluster_host::config'],
                                constants.NETWORK_TYPE_CLUSTER_HOST, self.dbapi,
-                               egress_size=3, ingress_size=4)
+                               egress_size=4, ingress_size=5)
 
         self.assertTrue(hiera_data['platform::firewall::calico::pxeboot::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::pxeboot::config'],
@@ -634,7 +665,7 @@ class PlatformFirewallTestCaseControllerNonDc_Setup02(PlatformFirewallTestCaseMi
         self.assertTrue(hiera_data['platform::firewall::calico::mgmt::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::cluster_host::config'],
                                constants.NETWORK_TYPE_CLUSTER_HOST, self.dbapi,
-                               egress_size=3, ingress_size=4)
+                               egress_size=4, ingress_size=5)
 
         self.assertTrue(hiera_data['platform::firewall::calico::pxeboot::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::pxeboot::config'],
@@ -829,7 +860,7 @@ class PlatformFirewallTestCaseControllerNonDc_Setup04(PlatformFirewallTestCaseMi
         self.assertTrue(hiera_data['platform::firewall::calico::cluster_host::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::cluster_host::config'],
                                constants.NETWORK_TYPE_CLUSTER_HOST, self.dbapi,
-                               egress_size=3, ingress_size=4)
+                               egress_size=4, ingress_size=5)
 
         self.assertTrue(hiera_data['platform::firewall::calico::pxeboot::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::pxeboot::config'],
@@ -935,7 +966,7 @@ class PlatformFirewallTestCaseControllerNonDc_Setup05(PlatformFirewallTestCaseMi
         self.assertTrue(hiera_data['platform::firewall::calico::cluster_host::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::cluster_host::config'],
                                constants.NETWORK_TYPE_CLUSTER_HOST, self.dbapi,
-                               egress_size=3, ingress_size=4)
+                               egress_size=4, ingress_size=5)
 
         self.assertTrue(hiera_data['platform::firewall::calico::pxeboot::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::pxeboot::config'],
@@ -1235,7 +1266,7 @@ class PlatformFirewallTestCaseControllerDcSubcloud_Setup01(PlatformFirewallTestC
         self.assertTrue(hiera_data['platform::firewall::calico::cluster_host::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::cluster_host::config'],
                                constants.NETWORK_TYPE_CLUSTER_HOST, self.dbapi,
-                               egress_size=3, ingress_size=4)
+                               egress_size=4, ingress_size=5)
 
         self.assertTrue(hiera_data['platform::firewall::calico::mgmt::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::mgmt::config'],
@@ -1484,7 +1515,7 @@ class PlatformFirewallTestCaseControllerDcSysCtrl_Setup01(PlatformFirewallTestCa
         self.assertTrue(hiera_data['platform::firewall::calico::cluster_host::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::cluster_host::config'],
                                constants.NETWORK_TYPE_CLUSTER_HOST, self.dbapi,
-                               egress_size=3, ingress_size=4)
+                               egress_size=4, ingress_size=5)
 
         self.assertTrue(hiera_data['platform::firewall::calico::mgmt::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::mgmt::config'],
@@ -1635,7 +1666,7 @@ class PlatformFirewallTestCaseControllerDcSubcloud_Setup02(PlatformFirewallTestC
         self.assertTrue(hiera_data['platform::firewall::calico::cluster_host::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::cluster_host::config'],
                                constants.NETWORK_TYPE_CLUSTER_HOST, self.dbapi,
-                               egress_size=3, ingress_size=4)
+                               egress_size=4, ingress_size=5)
 
         self.assertTrue(hiera_data['platform::firewall::calico::mgmt::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::mgmt::config'],
@@ -1749,15 +1780,15 @@ class PlatformFirewallTestCaseWorkerNonDc_Setup01(PlatformFirewallTestCaseMixin,
         self.assertFalse(hiera_data['platform::firewall::calico::storage::config'])
 
         # these GNPs are filled
-        self.assertTrue(hiera_data['platform::firewall::calico::cluster_host::config'])
+        self.assertTrue(hiera_data['platform::firewall::calico::mgmt::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::mgmt::config'],
                                constants.NETWORK_TYPE_MGMT, self.dbapi,
                                egress_size=3, ingress_size=4)
 
-        self.assertTrue(hiera_data['platform::firewall::calico::mgmt::config'])
+        self.assertTrue(hiera_data['platform::firewall::calico::cluster_host::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::cluster_host::config'],
                                constants.NETWORK_TYPE_CLUSTER_HOST, self.dbapi,
-                               egress_size=3, ingress_size=4)
+                               egress_size=4, ingress_size=5)
 
         self.assertTrue(hiera_data['platform::firewall::calico::pxeboot::config'])
         self._check_gnp_values(hiera_data['platform::firewall::calico::pxeboot::config'],