From 9a5941291391f7718a14a9bb8ae506a7c293bc68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ram=C3=B3n=20Lobillo?= <rlobillo@redhat.com>
Date: Tue, 22 Oct 2024 14:46:20 +0200
Subject: [PATCH] Add osasinfra-ipv6 network-values template

.. and also disabling ipv6_rpfilter so VMs can reach OSP API
---
 reproducer.yml                                |  17 ++-
 .../network-values/values.yaml.j2             | 131 ++++++++++++++++++
 2 files changed, 146 insertions(+), 2 deletions(-)
 create mode 100644 roles/ci_gen_kustomize_values/templates/osasinfra-ipv6/network-values/values.yaml.j2

diff --git a/reproducer.yml b/reproducer.yml
index b3e1b54a2d..536d159d18 100644
--- a/reproducer.yml
+++ b/reproducer.yml
@@ -78,8 +78,21 @@
     - name: Allow traffic from OSP VMs to OSP API (needed for shiftstack)
       become: true
       when: cifmw_allow_vms_to_reach_osp_api | default ('false') | bool
-      ansible.builtin.command: # noqa: command-instead-of-module
-        cmd: iptables -I LIBVIRT_FWI 1 -o ocpbm -j ACCEPT
+      block:
+        - name: Allow traffic from OSP VMs to OSP API for ipv4
+          ansible.builtin.command: # noqa: command-instead-of-module
+            cmd: iptables -I LIBVIRT_FWI 1 -o ocpbm -j ACCEPT
+
+        - name: Allow traffic from OSP VMs to OSP API for ipv6
+          ansible.builtin.lineinfile:
+            path: /etc/firewalld/firewalld.conf
+            regexp: '^IPv6_rpfilter='
+            line: 'IPv6_rpfilter=no'
+
+        - name: Restart firewalld.service
+          ansible.builtin.systemd_service:
+            name: firewalld
+            state: restarted
 
     - name: Run deployment if instructed to
       when:
diff --git a/roles/ci_gen_kustomize_values/templates/osasinfra-ipv6/network-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/osasinfra-ipv6/network-values/values.yaml.j2
new file mode 100644
index 0000000000..4db10941c9
--- /dev/null
+++ b/roles/ci_gen_kustomize_values/templates/osasinfra-ipv6/network-values/values.yaml.j2
@@ -0,0 +1,131 @@
+---
+# source: osasinfra-ipv6/network-values/values.yaml.j2
+{% set _ipv = cifmw_ci_gen_kustomize_values_ip_version_var_mapping %}
+{% set ns = namespace(interfaces={},
+                      ocp_index=0,
+                      lb_tools={}) %}
+data:
+{% for host in cifmw_networking_env_definition.instances.keys() -%}
+{%   if host is match('^(ocp|crc).*') %}
+  node_{{ ns.ocp_index }}:
+{%     set ns.ocp_index = ns.ocp_index+1 %}
+    name: {{ cifmw_networking_env_definition.instances[host]['hostname'] }}
+{# FIXEME: (hjensas): We need to ensure the OCP cluster_name and base_domain is available here #}
+{#                    Because devscripts use fqdn for node names when ipv6                     #}
+    node_name: {{ cifmw_networking_env_definition.instances[host]['hostname'] }}.ocp.openstack.lab
+{%     for network in cifmw_networking_env_definition.instances[host]['networks'].values() %}
+{%     set ns.interfaces = ns.interfaces |
+                           combine({network.network_name: (network.parent_interface |
+                                                           default(network.interface_name)
+                                                          )
+                                   },
+                                   recursive=true) %}
+    {{ network.network_name }}_ip: {{ network[_ipv.ip_vX] }}
+{%     endfor %}
+{%   endif %}
+{% endfor %}
+
+{% for network in cifmw_networking_env_definition.networks.values() %}
+{% set ns.lb_tools = {} %}
+  {{ network.network_name }}:
+    dnsDomain: {{ network.search_domain }}
+{%  if network.tools is defined and network.tools.keys() | length > 0 %}
+    subnets:
+{%    for tool in network.tools.keys() %}
+{%      if tool is match('.*lb$') %}
+{%        set _ = ns.lb_tools.update({tool: []}) %}
+{%      endif %}
+{%    endfor %}
+      - allocationRanges:
+{%    for range in network.tools.netconfig[_ipv.ipvX_ranges] %}
+        - end: {{ range.end }}
+          start: {{ range.start }}
+{%    endfor %}
+        cidr: {{ network[_ipv.network_vX] }}
+{%    if network[_ipv.gw_vX] is defined  %}
+        gateway: {{ network[_ipv.gw_vX] }}
+{%    endif %}
+        name: subnet1
+{%    if network.vlan_id is defined  %}
+        vlan: {{ network.vlan_id }}
+{%    endif %}
+{%    if ns.lb_tools | length > 0 %}
+    lb_addresses:
+{%      for tool in ns.lb_tools.keys() %}
+{%        for lb_range in network.tools[tool][_ipv.ipvX_ranges] %}
+      - {{ lb_range.start }}-{{ lb_range.end }}
+{%          set _ = ns.lb_tools[tool].append(lb_range.start) %}
+{%        endfor %}
+    endpoint_annotations:
+      {{ tool }}.universe.tf/address-pool: {{ network.network_name }}
+      {{ tool }}.universe.tf/allow-shared-ip: {{ network.network_name }}
+      {{ tool }}.universe.tf/loadBalancerIPs: {{ ','.join(ns.lb_tools[tool]) }}
+{%      endfor %}
+{%    endif %}
+{%  endif %}
+    prefix-length: {{ network[_ipv.network_vX] | ansible.utils.ipaddr('prefix') }}
+    mtu: {{ network.mtu | default(1500) }}
+{%  if network.vlan_id is defined  %}
+    vlan: {{ network.vlan_id }}
+{%    if ns.interfaces[network.network_name] is defined %}
+    iface: {{ network.network_name }}
+    base_iface: {{ ns.interfaces[network.network_name] }}
+{%    endif %}
+{%  else %}
+{%    if ns.interfaces[network.network_name] is defined %}
+    iface: {{ ns.interfaces[network.network_name] }}
+{%    endif %}
+{%  endif %}
+{%  if network.tools.multus is defined %}
+    net-attach-def: |
+      {
+        "cniVersion": "0.3.1",
+        "name": "{{ network.network_name }}",
+        "type": "macvlan",
+{%  if network.vlan_id is defined%}
+        "master": "{{ network.network_name }}",
+{%  elif network.network_name == "ctlplane" %}
+        "master": "ospbr",
+{%  else %}
+        "master": "{{ ns.interfaces[network.network_name] }}",
+{%  endif %}
+        "ipam": {
+          "type": "whereabouts",
+          "range": "{{ network[_ipv.network_vX] }}",
+          "range_start": "{{ network.tools.multus[_ipv.ipvX_ranges].0.start }}",
+          "range_end": "{{ network.tools.multus[_ipv.ipvX_ranges].0.end }}"
+        }
+      }
+{%  endif %}
+{% endfor %}
+
+  dns-resolver:
+    config:
+      server:
+        - "{{ cifmw_networking_env_definition.networks.ctlplane[_ipv.gw_vX] }}"
+      search: []
+    options:
+      - key: server
+        values:
+          - {{ cifmw_networking_env_definition.networks.ctlplane[_ipv.gw_vX] }}
+{% for nameserver in cifmw_ci_gen_kustomize_values_nameservers %}
+      - key: server
+        values:
+          - {{ nameserver }}
+{% endfor %}
+
+  routes:
+    config: []
+
+# Hardcoding the last IP bit since we don't have support for endpoint_annotations in the networking_mapper output
+  rabbitmq:
+    endpoint_annotations:
+      metallb.universe.tf/address-pool: internalapi
+      metallb.universe.tf/loadBalancerIPs: {{ cifmw_networking_env_definition.networks['internalapi'][_ipv.network_vX]  | ansible.utils.ipmath(85) }}
+  rabbitmq-cell1:
+    endpoint_annotations:
+      metallb.universe.tf/address-pool: internalapi
+      metallb.universe.tf/loadBalancerIPs: {{ cifmw_networking_env_definition.networks['internalapi'][_ipv.network_vX]  | ansible.utils.ipmath(86) }}
+
+  lbServiceType: LoadBalancer
+  storageClass: {{ cifmw_ci_gen_kustomize_values_storage_class }}