Add IPv6 address of metadata service to sg rules

[sven-rosenzweig]

So far only DHCPv6 and ICMPv6 traffic is refelcted in the default infrastructure rules of NSX-T. The IPv6 address of the metadata service requires clearing as well.

In order to reflect those changes in NSX-T, it requires a check if the rule configuration has changed. So far only creation of missing policies is supported.

[github-actions]

Name                                                                      Stmts   Miss  Cover
---------------------------------------------------------------------------------------------
networking_nsxv3/api/rpc.py                                                 233    110    53%
networking_nsxv3/common/config.py                                            16      0   100%
networking_nsxv3/common/constants.py                                         23      0   100%
networking_nsxv3/common/locking.py                                           35     11    69%
networking_nsxv3/common/synchronization.py                                  180     49    73%
networking_nsxv3/db/db.py                                                    94     19    80%
networking_nsxv3/extensions/nsxtoperations.py                               104     40    62%
networking_nsxv3/plugins/ml2/drivers/nsxv3/agent/agent.py                   162     52    68%
networking_nsxv3/plugins/ml2/drivers/nsxv3/agent/cli.py                     299    195    35%
networking_nsxv3/plugins/ml2/drivers/nsxv3/agent/client_nsx.py              187     49    74%
networking_nsxv3/plugins/ml2/drivers/nsxv3/agent/constants_nsx.py             7      0   100%
networking_nsxv3/plugins/ml2/drivers/nsxv3/agent/extensions/firewall.py      27      0   100%
networking_nsxv3/plugins/ml2/drivers/nsxv3/agent/provider.py                169     10    94%
networking_nsxv3/plugins/ml2/drivers/nsxv3/agent/provider_nsx_policy.py     783    111    86%
networking_nsxv3/plugins/ml2/drivers/nsxv3/agent/realization.py             203     33    84%
networking_nsxv3/plugins/ml2/drivers/nsxv3/driver.py                        129     74    43%
networking_nsxv3/prometheus/exporter.py                                      19      5    74%
networking_nsxv3/services/logapi/drivers/nsxv3/driver.py                     41      1    98%
networking_nsxv3/services/qos/drivers/nsxv3/qos.py                           34      4    88%
networking_nsxv3/services/trunk/drivers/nsxv3/trunk.py                       71      3    96%
---------------------------------------------------------------------------------------------
TOTAL                                                                      2816    766    73%

[sebageek]

If you like constants we have neutron_lib.constants.METADATA_V6_IP. There's also one for v4.

[sebageek]

What is this method? I haven't found it in the source. Do you want to call _check_infrastructure_rules_for_updates() here?

[sebageek]

What is sg_policy? is that security_policies but with a different name?

[sebageek]

[optional] I like using operators for set operations, but it depends of what you like yourself. For intersection you have the option of using &, so set(rule) & set(rule_policy) (the .keys() is implicit for dict-to-list-conversion but that's also a choice on how verbose you like to be, makes it more ovious that you're dealing with a dict).

[sebageek]

I'd pass the format attributes as arguments to LOG.info() instead of doing the formatting beforehand.

[sebageek]

Same here for the Log args.

[joroaf]

Should we update the default infra policy every time with the desired rules? What if the operator added his own rules? Is this the desired behaviour?

[sebageek]

[optional] Could get another name that denotes more what it does. IgnoreGivenKeys? DiffIgnoreKeys? You also could move it closer to where it's used scope wise, on the other hand maybe you'll need it some day and then you want it in that package directly accessible? Dunno. Both options make sense to me.

[sebageek]

would super().__contains__(key[1]) work as well?