nova05: ext net for tests accessing VMs via FIP

This DCN setup doesn't work with DVR (distributed FIP) because ext net
VLAN 269 isn't extended cross-site.

Add external NAD definition with VLAN to DT nncp/values.yaml.
Add customServiceConfig to disable distributed FIPs in DT cp yaml.
Update DT README with external network / centralized FIP notes.
Update scenario-vars.yaml with external NAD for Tempest access to FIP.

Make ctlplane routed with FIP public provider net so that
any pod with just ctlplane NAD (like AnsibleTest used by gpu-validation)
will have a route to the FIP subnet via the ctlplane gateway - same
pattern as the storage route for Ceph RGW applied earlier.

Signed-off-by: Bohdan Dobrelia <bdobreli@redhat.com>

Author: bogdando

dt/nova/nova05epsilon/networking/external-nad.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: k8s.cni.cncf.io/v1
+kind: NetworkAttachmentDefinition
+metadata:
+  name: external
+  labels:
+    osp/net: external
+    osp/net-attach-def-type: standard

dt/nova/nova05epsilon/networking/kustomization.yaml

@@ -25,6 +25,7 @@ components:
 resources:
   - storagemgmt-nad.yaml
   - storagemgmt-metallb.yaml
+  - external-nad.yaml
 
 # Add storagemgmt network template, as it is needed for CephHCI
 patches:
@@ -122,3 +123,15 @@ replacements:
           name: ctlplane
         fieldPaths:
           - spec.interfaces.0
+
+  # External NAD for provider network FIP access
+  - source:
+      kind: ConfigMap
+      name: network-values
+      fieldPath: data.external.net-attach-def
+    targets:
+      - select:
+          kind: NetworkAttachmentDefinition
+          name: external
+        fieldPaths:
+          - spec.config

dt/nova/nova05epsilon/networking/nncp/kustomization.yaml

@@ -47,86 +47,86 @@ patches:
     patch: |-
       - op: remove
         path: /spec/nodeSelector/node-role.kubernetes.io~1worker
-  # Optional: add storagemgmt VLAN interface to the SNO node.
-  # Uncomment this patch AND node_0.storagemgmt_ip in values.yaml.
-  # Not required for CephHCI (Ceph uses storage network for OSD traffic).
-  # - target:
-  #     kind: NodeNetworkConfigurationPolicy
-  #     name: node-0
-  #   patch: |-
-  #     - op: add
-  #       path: /spec/desiredState/interfaces/-
-  #       value:
-  #         description: storagemgmt vlan host interface
-  #         name: storagemgmt
-  #         state: up
-  #         type: vlan
-  #         mtu: _replaced_
-  #         ipv4:
-  #           address:
-  #           - ip: _replaced_
-  #             prefix-length: _replaced_
-  #           dhcp: false
-  #           enabled: true
-  #         ipv6:
-  #           enabled: false
-  #         vlan:
-  #           base-iface: _replaced_
-  #           id: _replaced_
 
-# Uncomment these replacements together with the storagemgmt patch above
-# replacements:
-#   - source:
-#       kind: ConfigMap
-#       name: network-values
-#       fieldPath: data.node_0.storagemgmt_ip
-#     targets:
-#       - select:
-#           kind: NodeNetworkConfigurationPolicy
-#           name: node-0
-#         fieldPaths:
-#           - spec.desiredState.interfaces.[name=storagemgmt].ipv4.address.0.ip
-#   - source:
-#       kind: ConfigMap
-#       name: network-values
-#       fieldPath: data.storagemgmt.base_iface
-#     targets:
-#       - select:
-#           kind: NodeNetworkConfigurationPolicy
-#         fieldPaths:
-#           - spec.desiredState.interfaces.[name=storagemgmt].vlan.base-iface
-#         options:
-#           create: true
-#   - source:
-#       kind: ConfigMap
-#       name: network-values
-#       fieldPath: data.storagemgmt.vlan
-#     targets:
-#       - select:
-#           kind: NodeNetworkConfigurationPolicy
-#         fieldPaths:
-#           - spec.desiredState.interfaces.[name=storagemgmt].vlan.id
-#         options:
-#           create: true
-#   - source:
-#       kind: ConfigMap
-#       name: network-values
-#       fieldPath: data.storagemgmt.mtu
-#     targets:
-#       - select:
-#           kind: NodeNetworkConfigurationPolicy
-#         fieldPaths:
-#           - spec.desiredState.interfaces.[name=storagemgmt].mtu
-#         options:
-#           create: true
-#   - source:
-#       kind: ConfigMap
-#       name: network-values
-#       fieldPath: data.storagemgmt.prefix-length
-#     targets:
-#       - select:
-#           kind: NodeNetworkConfigurationPolicy
-#         fieldPaths:
-#           - spec.desiredState.interfaces.[name=storagemgmt].ipv4.address.0.prefix-length
-#         options:
-#           create: true
+  # Add external VLAN interface on ospbr for OVN provider network access.
+  # Required for centralized floating IPs in DCN scenarios where the
+  # external VLAN is carried over the datacentre bridge.
+  - target:
+      kind: NodeNetworkConfigurationPolicy
+      name: node-0
+    patch: |-
+      - op: add
+        path: /spec/desiredState/interfaces/-
+        value:
+          description: external vlan interface on ospbr
+          name: external
+          state: up
+          type: vlan
+          mtu: _replaced_
+          ipv4:
+            address:
+            - ip: _replaced_
+              prefix-length: _replaced_
+            dhcp: false
+            enabled: true
+          ipv6:
+            enabled: false
+          vlan:
+            base-iface: _replaced_
+            id: _replaced_
+
+replacements:
+  - source:
+      kind: ConfigMap
+      name: network-values
+      fieldPath: data.node_0.external_ip
+    targets:
+      - select:
+          kind: NodeNetworkConfigurationPolicy
+          name: node-0
+        fieldPaths:
+          - spec.desiredState.interfaces.[name=external].ipv4.address.0.ip
+  - source:
+      kind: ConfigMap
+      name: network-values
+      fieldPath: data.external.base_iface
+    targets:
+      - select:
+          kind: NodeNetworkConfigurationPolicy
+        fieldPaths:
+          - spec.desiredState.interfaces.[name=external].vlan.base-iface
+        options:
+          create: true
+  - source:
+      kind: ConfigMap
+      name: network-values
+      fieldPath: data.external.vlan
+    targets:
+      - select:
+          kind: NodeNetworkConfigurationPolicy
+        fieldPaths:
+          - spec.desiredState.interfaces.[name=external].vlan.id
+        options:
+          create: true
+  - source:
+      kind: ConfigMap
+      name: network-values
+      fieldPath: data.external.mtu
+    targets:
+      - select:
+          kind: NodeNetworkConfigurationPolicy
+        fieldPaths:
+          - spec.desiredState.interfaces.[name=external].mtu
+        options:
+          create: true
+  - source:
+      kind: ConfigMap
+      name: network-values
+      fieldPath: data.external.prefix-length
+    targets:
+      - select:
+          kind: NodeNetworkConfigurationPolicy
+        fieldPaths:
+          - spec.desiredState.interfaces.[name=external].ipv4.address.0.prefix-length
+        options:
+          create: true

examples/dt/nova/nova05epsilon/README.md

@@ -120,3 +120,36 @@ The dataplane stages (pre-ceph nodeset, pre-ceph deployment, Ceph
 install, post-ceph nodeset, post-ceph deployment) must be repeated
 for each DCN site with site-specific values. Each site's computes
 should reference the appropriate cell, subnet, and AZ.
+
+## External Network and Floating IPs
+
+This topology deploys an `external` VLAN interface on `ospbr` to
+provide L2 access to the OpenStack provider (external) network.
+The external VLAN is the same segment that OVN uses for `datacentre`
+bridge mapping, so tagged frames for the external network appear
+on `ospbr`. A macvlan-based `NetworkAttachmentDefinition` in
+`bridge` mode gives pods (e.g. Tempest) direct access to floating
+IPs on that segment.
+
+### Centralized Floating IPs
+
+In DCN scenarios where the external VLAN is only available at the
+control-plane site (not extended to remote compute sites), OVN
+distributed floating IPs do not work because the compute node
+cannot ARP-respond for the FIP on a VLAN it cannot reach. Neutron
+is configured with `enable_distributed_floating_ip = false` in
+`service-values.yaml` to force centralized NAT through the OVN
+gateway chassis on the control-plane node.
+
+### CHANGEME values for the external network
+
+In `control-plane/networking/nncp/values.yaml`, fill in:
+- `CHANGEME_SNO_EXTERNAL_*`: IP range, CIDR, gateway, VLAN for
+  the control-plane site's external subnet.
+- `CHANGEME_EDPM_EXTERNAL_*`: The same for the compute site.
+- `CHANGEME_SNO_EXTERNAL_IP`: IP address assigned to the `external`
+  VLAN interface on the OCP node (must not overlap with NAD IPAM
+  or OpenStack FIP allocation pools).
+- `CHANGEME_SNO_EXTERNAL_NAD_START/END`: IPAM range for pods
+  attached via the `external` NAD (must not overlap with OpenStack
+  FIP allocation pools).

examples/dt/nova/nova05epsilon/control-plane/networking/nncp/values.yaml

@@ -33,7 +33,8 @@ data:
                   "range_end": "CHANGEME_SNO_CTLPLANE_NAD_END",
                   "routes": [
                     { "dst": "CHANGEME_EDPM_CTLPLANE_CIDR", "gw": "CHANGEME_SNO_CTLPLANE_GW" },
-                    { "dst": "CHANGEME_EDPM_STORAGE_CIDR", "gw": "CHANGEME_SNO_CTLPLANE_GW" }
+                    { "dst": "CHANGEME_EDPM_STORAGE_CIDR", "gw": "CHANGEME_SNO_CTLPLANE_GW" },
+                    { "dst": "CHANGEME_EDPM_EXTERNAL_CIDR", "gw": "CHANGEME_SNO_CTLPLANE_GW" }
                   ]
                 }
               }, {
@@ -61,6 +62,10 @@ data:
                   # to reach Ceph RGW on the remote storage network.
                   - destination: CHANGEME_EDPM_STORAGE_CIDR
                     nexthop: CHANGEME_SNO_CTLPLANE_GW
+                  # Pods without external NAD (e.g. ansibletest) need this
+                  # to reach floating IPs on the EDPM external subnet.
+                  - destination: CHANGEME_EDPM_EXTERNAL_CIDR
+                    nexthop: CHANGEME_SNO_CTLPLANE_GW
             # CHANGEME: site4 EDPM computes -- replace CIDRs/gateway/VLAN
             - allocationRanges:
                   - end: CHANGEME_EDPM_CTLPLANE_END
@@ -98,8 +103,31 @@ data:
               values:
                   - CHANGEME_SNO_DNS_SERVER
     external:
+        base_iface: ospbr
         dnsDomain: external.example.com
+        iface: external
         mtu: 1500
+        net-attach-def: |
+            {
+              "cniVersion": "0.4.0",
+              "name": "external",
+              "plugins": [{
+                "type": "macvlan",
+                "master": "external",
+                "mode": "bridge",
+                "ipam": {
+                  "type": "whereabouts",
+                  "range": "CHANGEME_SNO_EXTERNAL_CIDR",
+                  "range_start": "CHANGEME_SNO_EXTERNAL_NAD_START",
+                  "range_end": "CHANGEME_SNO_EXTERNAL_NAD_END"
+                }
+              }, {
+                "type": "tuning",
+                "sysctl": {
+                  "net.ipv6.conf.IFNAME.accept_ra": "0"
+                }
+              }]
+            }
         prefix-length: 24
         subnets:
             - allocationRanges:
@@ -180,6 +208,7 @@ data:
     # SNO: single OCP node only
     node_0:
         ctlplane_ip: CHANGEME_SNO_CTLPLANE_IP
+        external_ip: CHANGEME_SNO_EXTERNAL_IP
         internalapi_ip: CHANGEME_SNO_INTAPI_IP
         name: CHANGEME_SNO_NODE_NAME
         storage_ip: CHANGEME_SNO_STORAGE_IP

examples/dt/nova/nova05epsilon/control-plane/service-values.yaml

@@ -14,3 +14,9 @@ data:
     cluster: rabbitmq
   tls:
     caBundleSecretName: ""
+  neutron:
+    customServiceConfig: |
+      [ml2]
+      mechanism_drivers = ovn
+      [ovn]
+      enable_distributed_floating_ip = false