[NSX] Add SNAT support (#8100)

* In progress add source NAT

* Fix after merge

* Fix tests

* Fix NPE on isolated network deletion

* Reserve source NAT IP when its not passed for NSX VPC

* Create source NAT rule on VR NIC allocation

* Fix update VPC and remove VPC to update and remove SNAT rule

* Fix packaging

* Address review comment

* Fix build

* fix build - unused import

* Add defensive checks

* Add missing design to NSX public guru

---------

Co-authored-by: Pearl Dsilva <pearl1594@gmail.com>

Author: nvazquez

api/src/main/java/com/cloud/network/NetworkService.java

@@ -19,6 +19,7 @@
 import java.util.List;
 import java.util.Map;
 
+import com.cloud.dc.DataCenter;
 import org.apache.cloudstack.api.command.admin.address.ReleasePodIpCmdByAdmin;
 import org.apache.cloudstack.api.command.admin.network.DedicateGuestVlanRangeCmd;
 import org.apache.cloudstack.api.command.admin.network.ListDedicatedGuestVlanRangesCmd;
@@ -85,6 +86,8 @@ IpAddress allocateIP(Account ipOwner, long zoneId, Long networkId, Boolean displ
 
     IpAddress reserveIpAddress(Account account, Boolean displayIp, Long ipAddressId) throws ResourceAllocationException;
 
+    IpAddress reserveIpAddressWithVlanDetail(Account account, DataCenter zone, Boolean displayIp, String vlanDetailKey) throws ResourceAllocationException;
+
     boolean releaseReservedIpAddress(long ipAddressId) throws InsufficientAddressCapacityException;
 
     boolean releaseIpAddress(long ipAddressId) throws InsufficientAddressCapacityException;

engine/orchestration/src/main/java/org/apache/cloudstack/engine/orchestration/NetworkOrchestrator.java

@@ -39,6 +39,8 @@
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import com.cloud.dc.VlanDetailsVO;
+import com.cloud.dc.dao.VlanDetailsDao;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.annotation.AnnotationService;
 import org.apache.cloudstack.annotation.dao.AnnotationDao;
@@ -57,6 +59,7 @@
 import org.apache.cloudstack.network.dao.NetworkPermissionDao;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.BooleanUtils;
+import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.log4j.Logger;
 
@@ -340,6 +343,8 @@ public class NetworkOrchestrator extends ManagerBase implements NetworkOrchestra
     Ipv6Service ipv6Service;
     @Inject
     RouterNetworkDao routerNetworkDao;
+    @Inject
+    private VlanDetailsDao vlanDetailsDao;
 
     List<NetworkGuru> networkGurus;
 
@@ -1029,6 +1034,12 @@ public Pair<NicProfile, Integer> allocateNic(final NicProfile requested, final N
         if (profile == null) {
             return null;
         }
+        // TODO: Fix with the public network PR
+        if (isNicAllocatedForNsxPublicNetworkOnVR(network, profile, vm)) {
+            String guruName = "NsxPublicNetworkGuru";
+            NetworkGuru nsxGuru = AdapterBase.getAdapterByName(networkGurus, guruName);
+            nsxGuru.allocate(network, profile, vm);
+        }
 
         if (isDefaultNic != null) {
             profile.setDefaultNic(isDefaultNic);
@@ -1062,6 +1073,27 @@ public Pair<NicProfile, Integer> allocateNic(final NicProfile requested, final N
         return new Pair<NicProfile, Integer>(vmNic, Integer.valueOf(deviceId));
     }
 
+    private boolean isNicAllocatedForNsxPublicNetworkOnVR(Network network, NicProfile requested, VirtualMachineProfile vm) {
+        if (ObjectUtils.anyNull(network, requested, vm)) {
+            return false;
+        }
+        boolean isVirtualRouter = vm.getType() == Type.DomainRouter;
+        boolean isPublicTraffic = network.getTrafficType() == TrafficType.Public;
+        if (!isVirtualRouter || !isPublicTraffic || requested.getIPv4Address() == null) {
+            return false;
+        }
+        IPAddressVO ip = _ipAddressDao.findByIp(requested.getIPv4Address());
+        if (ip == null) {
+            return false;
+        }
+        VlanDetailsVO vlanDetail = vlanDetailsDao.findDetail(ip.getVlanId(), ApiConstants.NSX_DETAIL_KEY);
+        if (vlanDetail == null) {
+            return false;
+        }
+        boolean isForNsx = vlanDetail.getValue().equalsIgnoreCase("true");
+        return isForNsx && ip.isSourceNat() && !ip.isForSystemVms();
+    }
+
     private void setMtuDetailsInVRNic(final Pair<NetworkVO, VpcVO> networks, Network network, NicVO vo) {
         if (TrafficType.Public == network.getTrafficType()) {
             if (networks == null) {

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/agent/api/CreateNsxTier1GatewayCommand.java

@@ -19,16 +19,20 @@
 import java.util.Objects;
 
 public class CreateNsxTier1GatewayCommand extends NsxCommand {
+
     private Long networkResourceId;
     private String networkResourceName;
     private boolean isResourceVpc;
+    private boolean sourceNatEnabled;
 
     public CreateNsxTier1GatewayCommand(long domainId, long accountId, long zoneId,
-                                        Long networkResourceId, String networkResourceName, boolean isResourceVpc) {
+                                        Long networkResourceId, String networkResourceName, boolean isResourceVpc,
+                                        boolean sourceNatEnabled) {
         super(domainId, accountId, zoneId);
         this.networkResourceId = networkResourceId;
         this.networkResourceName = networkResourceName;
         this.isResourceVpc = isResourceVpc;
+        this.sourceNatEnabled = sourceNatEnabled;
     }
 
     public Long getNetworkResourceId() {
@@ -43,6 +47,10 @@ public String getNetworkResourceName() {
         return networkResourceName;
     }
 
+    public boolean isSourceNatEnabled() {
+        return sourceNatEnabled;
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/agent/api/CreateNsxTier1NatRuleCommand.java

@@ -0,0 +1,50 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.agent.api;
+
+public class CreateNsxTier1NatRuleCommand extends NsxCommand {
+
+    private String tier1GatewayName;
+    private String action;
+    private String translatedIpAddress;
+    private String natRuleId;
+
+    public CreateNsxTier1NatRuleCommand(long domainId, long accountId, long zoneId,
+                                        String tier1GatewayName, String action, String translatedIpAddress, String natRuleId) {
+        super(domainId, accountId, zoneId);
+        this.tier1GatewayName = tier1GatewayName;
+        this.action = action;
+        this.translatedIpAddress = translatedIpAddress;
+        this.natRuleId = natRuleId;
+    }
+
+    public String getTier1GatewayName() {
+        return tier1GatewayName;
+    }
+
+    public String getAction() {
+        return action;
+    }
+
+    public String getTranslatedIpAddress() {
+        return translatedIpAddress;
+    }
+
+    public String getNatRuleId() {
+        return natRuleId;
+    }
+}

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/resource/NsxResource.java

@@ -41,6 +41,7 @@
 import org.apache.cloudstack.agent.api.CreateNsxSegmentCommand;
 import org.apache.cloudstack.agent.api.CreateNsxStaticNatCommand;
 import org.apache.cloudstack.agent.api.CreateNsxTier1GatewayCommand;
+import org.apache.cloudstack.agent.api.CreateNsxTier1NatRuleCommand;
 import org.apache.cloudstack.agent.api.DeleteNsxLoadBalancerRuleCommand;
 import org.apache.cloudstack.agent.api.DeleteNsxSegmentCommand;
 import org.apache.cloudstack.agent.api.DeleteNsxNatRuleCommand;
@@ -110,6 +111,8 @@ public Answer executeRequest(Command cmd) {
             return executeRequest((CreateNsxTier1GatewayCommand) cmd);
         } else if (cmd instanceof CreateNsxDhcpRelayConfigCommand) {
             return executeRequest((CreateNsxDhcpRelayConfigCommand) cmd);
+        } else if (cmd instanceof CreateNsxTier1NatRuleCommand) {
+            return executeRequest((CreateNsxTier1NatRuleCommand) cmd);
         } else if (cmd instanceof CreateNsxStaticNatCommand) {
             return executeRequest((CreateNsxStaticNatCommand) cmd);
         } else if (cmd instanceof DeleteNsxNatRuleCommand) {
@@ -226,6 +229,22 @@ public boolean configure(String name, Map<String, Object> params) throws Configu
         return true;
     }
 
+    private Answer executeRequest(CreateNsxTier1NatRuleCommand cmd) {
+        String tier1GatewayName = cmd.getTier1GatewayName();
+        String action = cmd.getAction();
+        String translatedIpAddress = cmd.getTranslatedIpAddress();
+        String natRuleId = cmd.getNatRuleId();
+        String natId = "USER";
+        try {
+            nsxApiClient.createTier1NatRule(tier1GatewayName, natId, natRuleId, action, translatedIpAddress);
+        } catch (CloudRuntimeException e) {
+            String msg = String.format("Error creating the NAT rule with ID %s on Tier1 Gateway %s: %s", natRuleId, tier1GatewayName, e.getMessage());
+            LOGGER.error(msg, e);
+            return new NsxAnswer(cmd, e);
+        }
+        return new NsxAnswer(cmd, true, "");
+    }
+
     private Answer executeRequest(CreateNsxDhcpRelayConfigCommand cmd) {
         long zoneId = cmd.getZoneId();
         long domainId = cmd.getDomainId();
@@ -271,8 +290,9 @@ private Answer executeRequest(ReadyCommand cmd) {
 
     private Answer executeRequest(CreateNsxTier1GatewayCommand cmd) {
         String name = NsxControllerUtils.getTier1GatewayName(cmd.getDomainId(), cmd.getAccountId(), cmd.getZoneId(), cmd.getNetworkResourceId(), cmd.isResourceVpc());
+        boolean sourceNatEnabled = cmd.isSourceNatEnabled();
         try {
-            nsxApiClient.createTier1Gateway(name, tier0Gateway, edgeCluster);
+            nsxApiClient.createTier1Gateway(name, tier0Gateway, edgeCluster, sourceNatEnabled);
             return new NsxAnswer(cmd, true, "");
         } catch (CloudRuntimeException e) {
             String msg = String.format("Cannot create tier 1 gateway %s (%s: %s): %s", name,

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxApiClient.java

@@ -16,7 +16,6 @@
 // under the License.
 package org.apache.cloudstack.service;
 
-import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.network.Network;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.vmware.nsx.model.TransportZone;
@@ -46,6 +45,7 @@
 import com.vmware.nsx_policy.model.LBVirtualServerListResult;
 import com.vmware.nsx_policy.model.LocaleServicesListResult;
 import com.vmware.nsx_policy.model.PolicyNatRule;
+import com.vmware.nsx_policy.model.PolicyNatRuleListResult;
 import com.vmware.nsx_policy.model.Segment;
 import com.vmware.nsx_policy.model.SegmentSubnet;
 import com.vmware.nsx_policy.model.ServiceListResult;
@@ -68,6 +68,7 @@
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.log4j.Logger;
 
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Locale;
 import java.util.Objects;
@@ -162,6 +163,16 @@ public NsxApiClient(String hostname, String port, String username, char[] passwo
         nsxService = apiClient::createStub;
     }
 
+    public void createTier1NatRule(String tier1GatewayName, String natId, String natRuleId,
+                                   String action, String translatedIp) {
+        NatRules natRulesService = (NatRules) nsxService.apply(NatRules.class);
+        PolicyNatRule natPolicy = new PolicyNatRule.Builder()
+                .setAction(action)
+                .setTranslatedNetwork(translatedIp)
+                .build();
+        natRulesService.patch(tier1GatewayName, natId, natRuleId, natPolicy);
+    }
+
     public void createDhcpRelayConfig(String dhcpRelayConfigName, List<String> addresses) {
         try {
             DhcpRelayConfigs service = (DhcpRelayConfigs) nsxService.apply(DhcpRelayConfigs.class);
@@ -238,21 +249,34 @@ private void createTier1LocaleServices(String tier1Id, String edgeCluster, Strin
         }
     }
 
-    public void createTier1Gateway(String name, String tier0Gateway, String edgeCluster) {
+    private List<String> getRouterAdvertisementTypeList(boolean sourceNatEnabled) {
+        List<String> types = new ArrayList<>();
+        types.add(RouteAdvertisementType.TIER1_IPSEC_LOCAL_ENDPOINT.name());
+        types.add(RouteAdvertisementType.TIER1_NAT.name());
+        if (!sourceNatEnabled) {
+            types.add(RouteAdvertisementType.TIER1_CONNECTED.name());
+        }
+        return types;
+    }
+
+    public void createTier1Gateway(String name, String tier0Gateway, String edgeCluster, boolean sourceNatEnabled) {
         String tier0GatewayPath = TIER_0_GATEWAY_PATH_PREFIX + tier0Gateway;
         Tier1 tier1 = getTier1Gateway(name);
         if (tier1 != null) {
-            throw new InvalidParameterValueException(String.format("VPC network with name %s exists in NSX zone", name));
+            LOGGER.info(String.format("VPC network with name %s exists in NSX zone", name));
+            return;
         }
 
+        List<String> routeAdvertisementTypes = getRouterAdvertisementTypeList(sourceNatEnabled);
+
         Tier1s tier1service = (Tier1s) nsxService.apply(Tier1s.class);
         tier1 = new Tier1.Builder()
                 .setTier0Path(tier0GatewayPath)
                 .setResourceType(TIER_1_RESOURCE_TYPE)
                 .setPoolAllocation(PoolAllocation.ROUTING.name())
                 .setHaMode(HAMode.ACTIVE_STANDBY.name())
                 .setFailoverMode(FailoverMode.PREEMPTIVE.name())
-                .setRouteAdvertisementTypes(List.of(RouteAdvertisementType.TIER1_CONNECTED.name(), RouteAdvertisementType.TIER1_IPSEC_LOCAL_ENDPOINT.name()))
+                .setRouteAdvertisementTypes(routeAdvertisementTypes)
                 .setId(name)
                 .setDisplayName(name)
                 .build();
@@ -270,11 +294,28 @@ public void createTier1Gateway(String name, String tier0Gateway, String edgeClus
     public void deleteTier1Gateway(String tier1Id) {
         com.vmware.nsx_policy.infra.tier_1s.LocaleServices localeService = (com.vmware.nsx_policy.infra.tier_1s.LocaleServices)
                 nsxService.apply(com.vmware.nsx_policy.infra.tier_1s.LocaleServices.class);
+        removeTier1GatewayNatRules(tier1Id);
         localeService.delete(tier1Id, Tier_1_LOCALE_SERVICE_ID);
         Tier1s tier1service = (Tier1s) nsxService.apply(Tier1s.class);
         tier1service.delete(tier1Id);
     }
 
+    private void removeTier1GatewayNatRules(String tier1Id) {
+        NatRules natRulesService = (NatRules) nsxService.apply(NatRules.class);
+        String natId = "USER";
+        PolicyNatRuleListResult result = natRulesService.list(tier1Id, natId, null, false, null, null, null, null);
+        List<PolicyNatRule> natRules = result.getResults();
+        if (CollectionUtils.isEmpty(natRules)) {
+            LOGGER.debug(String.format("Didn't find any NAT rule to remove on the Tier 1 Gateway %s", tier1Id));
+        } else {
+            for (PolicyNatRule natRule : natRules) {
+                LOGGER.debug(String.format("Removing NAT rule %s from Tier 1 Gateway %s", natRule.getId(), tier1Id));
+                natRulesService.delete(tier1Id, natId, natRule.getId());
+            }
+        }
+
+    }
+
     public SiteListResult getSites() {
         try {
             Sites sites = (Sites) nsxService.apply(Sites.class);
@@ -327,7 +368,7 @@ public void createSegment(String segmentName, String tier1GatewayName, String ga
         }
     }
 
-    public void deleteSegment(long zoneId, long domainId, long accountId, long vpcId, long networkId, String segmentName) {
+    public void deleteSegment(long zoneId, long domainId, long accountId, Long vpcId, long networkId, String segmentName) {
         try {
             Segments segmentService = (Segments) nsxService.apply(Segments.class);
             LOGGER.debug(String.format("Removing the segment with ID %s", segmentName));

plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/service/NsxElement.java

@@ -67,6 +67,7 @@
 import com.cloud.network.vpc.PrivateGateway;
 import com.cloud.network.vpc.StaticRouteProfile;
 import com.cloud.network.vpc.Vpc;
+import com.cloud.network.vpc.dao.VpcOfferingServiceMapDao;
 import com.cloud.network.vpc.VpcVO;
 import com.cloud.network.vpc.dao.VpcDao;
 import com.cloud.offering.NetworkOffering;
@@ -129,6 +130,7 @@ public class NsxElement extends AdapterBase implements  DhcpServiceProvider, Dns
     @Inject
     DomainDao domainDao;
     @Inject
+    protected VpcOfferingServiceMapDao vpcOfferingServiceMapDao;
     IPAddressDao ipAddressDao;
     @Inject
     VMInstanceDao vmInstanceDao;
@@ -331,9 +333,7 @@ public boolean implementVpc(Vpc vpc, DeployDestination dest, ReservationContext
         if (Boolean.TRUE.equals(isNsxAndAccount.first()) && Objects.isNull(isNsxAndAccount.second())) {
             throw new InvalidParameterValueException(String.format("Failed to find account with id %s", vpc.getAccountId()));
         }
-        Account account = isNsxAndAccount.second();
-        DomainVO domain = getDomainFromAccount(account);
-        return nsxService.createVpcNetwork(vpc.getZoneId(), account.getId(), domain.getId(), vpc.getId(), vpc.getName());
+        return true;
     }
 
     @Override