photoncloud-monorepo/docs/por/T022-novanet-control-plane/task.yaml
centra a7ec7e2158 Add T026 practical test + k8shost to flake + workspace files
- Created T026-practical-test task.yaml for MVP smoke testing
- Added k8shost-server to flake.nix (packages, apps, overlays)
- Staged all workspace directories for nix flake build
- Updated flake.nix shellHook to include k8shost

Resolves: T026.S1 blocker (R8 - nix submodule visibility)
2025-12-09 06:07:50 +09:00

id: T022
name: NovaNET Control-Plane Hooks
goal: Deepen NovaNET with DHCP, gateway/routing, and full ACL rule translation for production-ready overlay networking
status: complete
priority: P1
owner: peerA (strategy) + peerB (implementation)
created: 2025-12-08
depends_on: [T019]
context: |
  T019 established NovaNET with OVN integration (mock/real modes):
  - Logical Switch (VPC) lifecycle
  - Logical Switch Port create/delete
  - Basic ACL create/delete
  Missing for production use:
  - DHCP: VMs need automatic IP assignment within subnets
  - Gateway router: External connectivity (SNAT/DNAT, floating IPs)
  - BGP: Route advertisement for external reachability
  - ACL deepening: Current ACL is basic "allow-related"; need full rule translation
  POR.md Next: "T022 NovaNET spec deepening + control-plane hooks (DHCP/BGP/ACL)"
acceptance:
  - DHCP options configured per subnet and bound to the OVN logical switch ports in it
  - Gateway router for external connectivity (SNAT at minimum)
  - ACL rules properly translate SecurityGroupRule → OVN ACL (protocol, port, CIDR)
  - Integration test validates DHCP + gateway flow
  - cargo test passes
steps:
  - step: S1
    name: DHCP Options Integration
    done: OVN DHCP options configured per subnet, VMs receive IP via DHCP
    status: complete
    owner: peerB
    outputs:
      - path: novanet/crates/novanet-types/src/dhcp.rs
        note: DhcpOptions type with defaults (63L, 2 tests)
      - path: novanet/crates/novanet-server/src/ovn/client.rs
        note: DHCP methods - create/delete/bind (3 methods, 3 tests)
      - path: novanet/crates/novanet-server/src/ovn/mock.rs
        note: Mock DHCP support for testing
      - path: novanet/crates/novanet-types/src/subnet.rs
        note: Added dhcp_options field to Subnet
    notes: |
      OVN native DHCP support:
      - ovn-nbctl dhcp-options-create <cidr> (creates the DHCP_Options row, referenced by UUID below)
      - ovn-nbctl dhcp-options-set-options <uuid> server_id=... server_mac=... lease_time=... router=... dns_server=...
        (server_id, server_mac and lease_time are mandatory in DHCP_Options; router, dns_server and mtu are optional)
      - ovn-nbctl lsp-set-dhcpv4-options <port> <uuid> to associate the row with each logical switch port
      Implementation:
      1. Add DhcpOptions type to novanet-types
      2. Extend OvnClient with configure_dhcp_options()
      3. Wire subnet creation to auto-configure DHCP
      4. Unit test with mock OVN state
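A worked example of the DHCP option rendering described above, added here as an illustration and not the project's novanet-types code: a hypothetical DhcpOptions struct, the check that server_id and router fall inside the subnet, and the key=value argument list for `ovn-nbctl dhcp-options-set-options`. The struct and field names, the validation rules and the sample values (10.0.1.0/24, the server MAC, the MTU) are assumptions made for the example.

```rust
use std::net::Ipv4Addr;

/// Hypothetical stand-in for the task's DhcpOptions type (not the project's own).
#[derive(Debug, Clone)]
pub struct DhcpOptions {
    pub cidr: String,             // subnet the options apply to, e.g. "10.0.1.0/24"
    pub server_id: Ipv4Addr,      // DHCP server identifier, must lie inside `cidr`
    pub server_mac: String,       // MAC the DHCP replies are sourced from
    pub lease_time: u32,          // seconds
    pub router: Option<Ipv4Addr>, // default gateway handed to the VM
    pub dns_server: Vec<Ipv4Addr>,
    pub mtu: Option<u16>,
}

/// Parse "a.b.c.d/len" into (network address, prefix length).
fn parse_cidr(cidr: &str) -> Result<(Ipv4Addr, u8), String> {
    let (addr, len) = cidr.split_once('/').ok_or_else(|| format!("bad cidr {cidr}"))?;
    let addr = addr.parse::<Ipv4Addr>().map_err(|e| format!("bad address in {cidr}: {e}"))?;
    let len = len.parse::<u8>().map_err(|e| format!("bad prefix in {cidr}: {e}"))?;
    if len > 32 {
        return Err(format!("prefix length {len} out of range in {cidr}"));
    }
    Ok((addr, len))
}

/// True when `ip` is inside net/len.
fn in_subnet(ip: Ipv4Addr, net: Ipv4Addr, len: u8) -> bool {
    let mask: u32 = if len == 0 { 0 } else { u32::MAX << (32 - len) };
    (u32::from(ip) & mask) == (u32::from(net) & mask)
}

/// Accept only the aa:bb:cc:dd:ee:ff form ovn-nbctl expects.
fn valid_mac(mac: &str) -> bool {
    let parts: Vec<&str> = mac.split(':').collect();
    parts.len() == 6 && parts.iter().all(|p| p.len() == 2 && u8::from_str_radix(p, 16).is_ok())
}

impl DhcpOptions {
    /// Validate the options and render the key=value arguments for
    /// `ovn-nbctl dhcp-options-set-options <uuid> key=value ...`.
    /// server_id, server_mac and lease_time are mandatory in OVN's DHCP_Options
    /// table; the remaining keys are emitted only when set.
    pub fn to_set_options_args(&self) -> Result<Vec<String>, String> {
        let (net, len) = parse_cidr(&self.cidr)?;
        if !in_subnet(self.server_id, net, len) {
            return Err(format!("server_id {} is outside {}", self.server_id, self.cidr));
        }
        if !valid_mac(&self.server_mac) {
            return Err(format!("server_mac {:?} is not an aa:bb:cc:dd:ee:ff MAC", self.server_mac));
        }
        if self.lease_time == 0 {
            return Err("lease_time must be positive".into());
        }
        let mut args = vec![
            format!("server_id={}", self.server_id),
            format!("server_mac={}", self.server_mac),
            format!("lease_time={}", self.lease_time),
        ];
        if let Some(router) = self.router {
            if !in_subnet(router, net, len) {
                return Err(format!("router {router} is outside {}", self.cidr));
            }
            args.push(format!("router={router}"));
        }
        match self.dns_server.as_slice() {
            [] => {}
            [one] => args.push(format!("dns_server={one}")),
            many => {
                // OVN accepts a brace-delimited set for multiple servers.
                let list: Vec<String> = many.iter().map(ToString::to_string).collect();
                args.push(format!("dns_server={{{}}}", list.join(",")));
            }
        }
        if let Some(mtu) = self.mtu {
            args.push(format!("mtu={mtu}"));
        }
        Ok(args)
    }
}

fn main() {
    // Constructed sample subnet; values are illustrative, not from the project.
    let opts = DhcpOptions {
        cidr: "10.0.1.0/24".into(),
        server_id: "10.0.1.1".parse().unwrap(),
        server_mac: "c0:ff:ee:00:00:01".into(),
        lease_time: 3600,
        router: Some("10.0.1.1".parse().unwrap()),
        dns_server: vec!["10.0.1.2".parse().unwrap()],
        mtu: Some(1442),
    };
    match opts.to_set_options_args() {
        Ok(args) => println!("ovn-nbctl dhcp-options-set-options <uuid> {}", args.join(" ")),
        Err(e) => eprintln!("rejected: {e}"),
    }
}
```

Rejecting a server_id or router outside the subnet before the row is written is the cheap check; a misconfigured row is otherwise only noticed when VMs never get a lease.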
  - step: S2
    name: Gateway Router + SNAT
    done: Logical router connects VPC to external network, SNAT for outbound traffic
    status: complete
    owner: peerB
    outputs:
      - path: novanet/crates/novanet-server/src/ovn/client.rs
        note: Router methods (create/delete/add_port/snat) +410L, 7 tests
      - path: novanet/crates/novanet-server/src/ovn/mock.rs
        note: Mock router state tracking (MockRouter, MockSnatRule)
    notes: |
      Implemented:
      - create_logical_router(name) -> UUID
      - add_router_port(router_id, switch_id, cidr, mac) -> port_id
      - configure_snat(router_id, external_ip, logical_ip_cidr)
      - delete_logical_router(router_id) with cascade cleanup
      OVN command flow:
      1. lr-add <router>
      2. lrp-add <router> <lrp> <mac> <cidr>
      3. lsp-add <switch> <port> (switch side)
      4. lsp-set-type <port> router
         lsp-set-addresses <port> router
         lsp-set-options <port> router-port=<lrp>
         (the router-port option is what binds the switch port to the LRP; lsp-set-type alone leaves the port unconnected)
      5. lr-nat-add <router> snat <external-ip> <logical-cidr>
      Caveat: SNAT is only applied once the router also has an external-facing port, a default route
      (lr-route-add <router> 0.0.0.0/0 <next-hop>) and a gateway chassis for that port
      (lrp-set-gateway-chassis <lrp> <chassis>); none of those are covered by the steps above.
      Tests: 39/39 passing (7 new router tests)
      Traffic flow: VM → gateway (router port) → SNAT → external
  - step: S3
    name: ACL Rule Translation
    done: SecurityGroupRule fully translated to OVN ACL (protocol, port range, CIDR)
    status: complete
    owner: peerB
    outputs:
      - path: novanet/crates/novanet-server/src/ovn/acl.rs
        note: ACL translation module (428L, 10 tests)
    notes: |
      Implemented:
      - build_acl_match(): SecurityGroupRule → OVN match expression
      - build_port_match(): port ranges (single, range, min-only, max-only, any)
      - rule_direction_to_ovn(): ingress→to-lport, egress→from-lport
      - calculate_priority(): specificity-based priority (600-1000)
      - Full docstrings with examples
      OVN ACL format:
      ovn-nbctl acl-add <switch> <direction> <priority> "<match>" <action>
      (action is e.g. allow-related or drop; direction is to-lport or from-lport)
      Match examples:
      "tcp && tcp.dst == 80"
      "ip4.src == 10.0.0.0/8"
      "icmp4"
      A match without an inport/outport term applies to every port on the switch; per-VM
      security-group rules must be scoped with outport == "<lsp>" (to-lport) or
      inport == "<lsp>" (from-lport).
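An added worked example of the translation step (illustration only, not the project's acl.rs): hypothetical SecurityGroupRule, Protocol and Direction types, the five port-range cases, scoping the match to a port with inport/outport, the ingress/egress CIDR field choice, and a specificity-based priority scheme in 600..=1000. The type names, the exact priority increments, the rejection of port ranges on non-TCP/UDP rules, and the sample rules are assumptions made for the example.

```rust
use std::net::Ipv4Addr;

/// Hypothetical stand-ins for the task's types (not the project's own).
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Direction { Ingress, Egress }

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Protocol { Tcp, Udp, Icmp, Any }

#[derive(Debug, Clone)]
pub struct SecurityGroupRule {
    pub direction: Direction,
    pub protocol: Protocol,
    pub port_min: Option<u16>,
    pub port_max: Option<u16>,
    pub remote_cidr: Option<String>, // IPv4 CIDR, e.g. "10.0.0.0/8"
}

/// OVN ACL direction: traffic delivered *to* the VM's port is `to-lport`,
/// traffic arriving *from* it is `from-lport`.
pub fn rule_direction_to_ovn(d: Direction) -> &'static str {
    match d {
        Direction::Ingress => "to-lport",
        Direction::Egress => "from-lport",
    }
}

/// Destination-port clause for TCP/UDP; `proto` is the OVN field prefix ("tcp"/"udp").
/// Covers single port, closed range, min-only, max-only and "any" (no clause).
pub fn build_port_match(proto: &str, min: Option<u16>, max: Option<u16>) -> Result<Option<String>, String> {
    Ok(match (min, max) {
        (None, None) => None,
        (Some(a), Some(b)) if a == b => Some(format!("{proto}.dst == {a}")),
        (Some(a), Some(b)) if a < b => Some(format!("{proto}.dst >= {a} && {proto}.dst <= {b}")),
        (Some(a), Some(b)) => return Err(format!("inverted port range {a}-{b}")),
        (Some(a), None) => Some(format!("{proto}.dst >= {a}")),
        (None, Some(b)) => Some(format!("{proto}.dst <= {b}")),
    })
}

/// Translate one rule into an OVN match expression scoped to logical switch port `lsp`.
pub fn build_acl_match(lsp: &str, rule: &SecurityGroupRule) -> Result<String, String> {
    let mut terms = Vec::new();
    // Scope to the VM's port: ingress is evaluated on delivery (outport), egress on arrival (inport).
    match rule.direction {
        Direction::Ingress => terms.push(format!("outport == \"{lsp}\"")),
        Direction::Egress => terms.push(format!("inport == \"{lsp}\"")),
    }
    if let Some(cidr) = &rule.remote_cidr {
        // Minimal syntax check so a typo cannot become a switch-wide or unparseable ACL.
        let (addr, len) = cidr.split_once('/').ok_or_else(|| format!("bad cidr {cidr}"))?;
        addr.parse::<Ipv4Addr>().map_err(|e| format!("bad cidr {cidr}: {e}"))?;
        if len.parse::<u8>().map_or(true, |l| l > 32) {
            return Err(format!("bad prefix in {cidr}"));
        }
        // The remote side is the source of ingress traffic and the destination of egress traffic.
        let field = if rule.direction == Direction::Ingress { "ip4.src" } else { "ip4.dst" };
        terms.push(format!("{field} == {cidr}"));
    }
    let proto = match rule.protocol {
        Protocol::Tcp => "tcp",
        Protocol::Udp => "udp",
        Protocol::Icmp => "icmp4",
        Protocol::Any => "ip4",
    };
    terms.push(proto.to_string());
    let ports = build_port_match(proto, rule.port_min, rule.port_max)?;
    match (rule.protocol, ports) {
        (Protocol::Tcp | Protocol::Udp, Some(p)) => terms.push(p),
        (_, Some(_)) => return Err("port range is only valid for tcp/udp rules".into()),
        (_, None) => {}
    }
    Ok(terms.join(" && "))
}

/// Assumed specificity scheme: each extra constraint adds 100, so a fully
/// specified rule (protocol, CIDR, single port) wins at 1000 and a bare
/// "any protocol, anywhere" rule sits at 600.
pub fn calculate_priority(rule: &SecurityGroupRule) -> u16 {
    let mut p = 600;
    if rule.protocol != Protocol::Any { p += 100; }
    if rule.remote_cidr.is_some() { p += 100; }
    if rule.port_min.is_some() || rule.port_max.is_some() { p += 100; }
    if rule.port_min.is_some() && rule.port_min == rule.port_max { p += 100; }
    p
}

/// Render the ovn-nbctl invocation for an allow-related rule.
pub fn to_acl_add_command(switch: &str, lsp: &str, rule: &SecurityGroupRule) -> Result<String, String> {
    let m = build_acl_match(lsp, rule)?;
    Ok(format!("ovn-nbctl acl-add {switch} {} {} '{m}' allow-related",
        rule_direction_to_ovn(rule.direction), calculate_priority(rule)))
}

fn main() {
    // Constructed sample rule: allow HTTP from the 10/8 range into port vm1.
    let r = SecurityGroupRule { direction: Direction::Ingress, protocol: Protocol::Tcp,
        port_min: Some(80), port_max: Some(80), remote_cidr: Some("10.0.0.0/8".into()) };
    println!("{}", to_acl_add_command("vpc-a", "vm1", &r).unwrap());
}
```

The two failure cases worth keeping are the inverted range and a port range on an ICMP or "any" rule; both would otherwise silently produce a match OVN rejects or, worse, one that is broader than intended.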
  - step: S4
    name: BGP Integration (Optional)
    done: External route advertisement via BGP (or defer with design doc)
    status: deferred
    priority: P2
    owner: peerB
    notes: |
      Deferred to P2 - not required for MVP-Beta. Options for future:
      A) OVN + FRRouting integration (ovn-bgp-agent)
      B) Dedicated BGP daemon (gobgp, bird)
      C) Static routing for initial implementation
  - step: S5
    name: Integration Test
    done: E2E test validates DHCP → IP assignment → gateway → external reach
    status: complete
    owner: peerB
    outputs:
      - path: novanet/crates/novanet-server/tests/control_plane_integration.rs
        note: E2E control-plane integration tests (534L, 9 tests)
    notes: |
      Implemented:
      - Full control-plane flow: VPC → Subnet+DHCP → Port → SecurityGroup → ACL → Router → SNAT
      - Multi-tenant isolation validation
      - Mock OVN state verification at each step
      - 9 comprehensive test scenarios covering all acceptance criteria
blockers: []
evidence: []
notes: |
  Priority within T022:
  - P0: S1 (DHCP), S3 (ACL) - Required for VM network bootstrap
  - P1: S2 (Gateway) - Required for external connectivity
  - P2: S4 (BGP) - Design-only acceptable; implementation can defer
  OVN reference:
  - https://docs.ovn.org/en/latest/ref/ovn-nb.5.html
  - DHCP_Options, Logical_Router, NAT, ACL tables