ui: surface OVN as a guest isolation method in the Add Zone wizard

Without this, an operator standing up a new OVN-backed zone has to
either pick a different isolation method (forcing the OVN provider
into a no-op posture) or fall back to provisioning the zone via the
API and registering the OVN provider with addOvnProvider out-of-band.
Both Netris and NSX have a dedicated wizard step for the same flow;
this commit gives OVN the equivalent.

ZoneWizardPhysicalNetworkSetupStep.vue and PhysicalNetworksTab.vue:
add "OVN" to the isolation-method dropdown for KVM zones (matching
how "Netris" is gated to KVM today). Other hypervisors keep their
existing options unchanged.

ZoneWizardNetworkSetupStep.vue:
- new isOvnZone computed (mirrors isNetrisZone) flips on whenever any
  declared physical network selects "OVN".
- new "ovn" step inserted into allSteps() right after the netris
  step, between the physical-network grid and the public-traffic
  configuration.
- new ovnFields list mirrors AddOvnProviderCmd's parameters:
    name, nbConnection (required)
    sbConnection, externalBridge, localnetName,
    cacertpath, clientcertpath, clientprivatekeypath (optional).
  Required-vs-optional matches the Java side; the operator can leave
  the TLS / bridge-mapping fields blank for simple labs.
- ovnSetupDescription points at a new i18n key that explains the
  bridge mapping requirement on the ovn-controller side.

ZoneWizardLaunchZone.vue:
- stepData.isOvnZone is set in the existing physical-network creation
  loop using the same gating as Netris/NSX (only when the OVN physnet
  carries public or guest traffic - storage-only physnets do not
  need a provider entry).
- stepNetworkingProviderOrStorageTraffic dispatches to the new
  stepAddOvnProvider when the zone is OVN.
- stepAddOvnProvider posts to addOvnProvider with the prefillContent
  collected by the wizard. Optional fields are only forwarded when
  the operator filled them in, so a minimal OVN deployment that uses
  default ovsdb ports / no TLS does not have to clear ghost values.
- addOvnProvider is the postAPI wrapper, parallel to addNetrisProvider
  / addNsxController.

ui/public/locales/en.json:
- 9 new label.* / message.* keys for the OVN provider step (form
  labels, install-wizard tooltips, the description shown on the step,
  and the "Add OVN Provider" header used by the launch progress
  panel). Tooltip text spells out the connection-string format
  (tcp/ssl + host + port) and the relationship between the localnet
  name and ovn-bridge-mappings on the hypervisors.

Author: msinhore

ui/public/locales/en.json

@@ -1694,6 +1694,15 @@
 "label.netris.provider.tenant.name": "Netris provider Admin Tenant name",
 "label.netris.provider.tag": "Netris Tag",
 "label.netris.provider.url": "Netris provider URL",
+"label.ovn.provider": "OVN Provider",
+"label.ovn.provider.name": "OVN provider name",
+"label.ovn.provider.nb.connection": "OVN Northbound DB connection",
+"label.ovn.provider.sb.connection": "OVN Southbound DB connection",
+"label.ovn.provider.external.bridge": "OVN external bridge",
+"label.ovn.provider.localnet.name": "OVN localnet (physical network mapping)",
+"label.ovn.provider.ca.cert.path": "OVN TLS CA certificate path",
+"label.ovn.provider.client.cert.path": "OVN TLS client certificate path",
+"label.ovn.provider.client.private.key.path": "OVN TLS client private key path",
 "label.netscaler": "NetScaler",
 "label.netscaler.mpx": "NetScaler MPX LoadBalancer",
 "label.netscaler.sdx": "NetScaler SDX LoadBalancer",
@@ -1788,7 +1797,6 @@
 "label.nsx.supports.internal.lb": "Enable NSX internal LB service",
 "label.nsx.supports.lb": "Enable NSX LB service",
 "label.ovn": "OVN",
-"label.ovn.provider": "OVN Provider",
 "label.ovnnbconnection": "OVN Northbound connection",
 "label.ovnsbconnection": "OVN Southbound connection",
 "label.ovnexternalbridge": "OVN external bridge",
@@ -3115,6 +3123,7 @@
 "message.add.latest.kubernetes.iso.failed": "Failed to add latest Kubernetes ISO",
 "message.add.minimum.required.compute.offering.kubernetes.cluster.failed": "Failed to add minimum required Compute Offering for Kubernetes cluster nodes",
 "message.add.netris.controller": "Add Netris Provider",
+"message.add.ovn.controller": "Add OVN Provider",
 "message.add.nsx.controller": "Add NSX Provider",
 "message.add.network": "Add a new network for Zone: <b><span id=\"zone_name\"></span></b>",
 "message.add.network.acl.failed": "Adding network ACL failed.",
@@ -3630,6 +3639,7 @@
 "message.info.cloudian.console": "Cloudian Management Console should open in another window.",
 "message.installwizard.cloudstack.helptext.website": " * Project website:\t ",
 "message.infra.setup.netris.description": "This zone must contain a Netris provider because the isolation method is Netris",
+"message.infra.setup.ovn.description": "This zone must contain an OVN provider because the isolation method is OVN. Provide the OVN central NB/SB endpoints and the bridge mapping used by ovn-controller on the hypervisors.",
 "message.infra.setup.nsx.description": "This Zone must contain an NSX provider because the isolation method is NSX",
 "message.infra.setup.tungsten.description": "This Zone must contain a Tungsten-Fabric provider because the isolation method is TF",
 "message.installwizard.cloudstack.helptext.document": " * Documentation:\t ",
@@ -3654,6 +3664,14 @@
 "message.installwizard.tooltip.netris.provider.site": "Netris Provider Site name not provided",
 "message.installwizard.tooltip.netris.provider.tag": "Netris Tag to be assigned to vNets",
 "message.installwizard.tooltip.netris.provider.tenant.name": "Netris Provider Admin Tenant name not provided",
+"message.installwizard.tooltip.ovn.provider.name": "Friendly name for this OVN provider entry, e.g. 'ovn-central-1'",
+"message.installwizard.tooltip.ovn.provider.nb.connection": "OVN Northbound DB connection string. Examples: tcp:10.0.0.10:6641, ssl:nb.ovn.example:6641",
+"message.installwizard.tooltip.ovn.provider.sb.connection": "OVN Southbound DB connection string (recommended). Used to enumerate live Chassis for Gateway_Chassis pinning. Example: tcp:10.0.0.10:6642",
+"message.installwizard.tooltip.ovn.provider.external.bridge": "OVS bridge that ovn-controller uses for the public network. Example: br-ex",
+"message.installwizard.tooltip.ovn.provider.localnet.name": "Logical network name used in ovn-bridge-mappings on each hypervisor. Example: physnet1 (matches ovn-bridge-mappings=physnet1:br-ex)",
+"message.installwizard.tooltip.ovn.provider.ca.cert.path": "Filesystem path to the CA certificate used by OVN OVSDB SSL endpoints. Required only when nb/sb connection uses ssl://",
+"message.installwizard.tooltip.ovn.provider.client.cert.path": "Filesystem path to the client certificate used by CloudStack to authenticate to OVN OVSDB. Required only when ssl:// is in use",
+"message.installwizard.tooltip.ovn.provider.client.private.key.path": "Filesystem path to the client private key paired with the client certificate. Required only when ssl:// is in use",
 "message.installwizard.tooltip.nsx.provider.hostname": "NSX Provider hostname / IP address not provided",
 "message.installwizard.tooltip.nsx.provider.username": "NSX Provider username not provided",
 "message.installwizard.tooltip.nsx.provider.password": "NSX Provider password not provided",

ui/src/views/infra/zone/ZoneWizardLaunchZone.vue

@@ -493,6 +493,13 @@ export default {
                 physicalNetwork.traffics.findIndex(traffic => traffic.type === 'public' || traffic.type === 'guest') > -1) {
                 this.stepData.isNetrisZone = true
               }
+              // Same gating as Netris/NSX: only flag the zone as OVN when the physical
+              // network actually carries public or guest traffic. Storage- or management-
+              // only physnets that happen to be tagged OVN do not need a provider entry.
+              if (physicalNetwork.isolationMethod.toLowerCase() === 'ovn' &&
+                physicalNetwork.traffics.findIndex(traffic => traffic.type === 'public' || traffic.type === 'guest') > -1) {
+                this.stepData.isOvnZone = true
+              }
             } else {
               this.stepData.physicalNetworkReturned = this.stepData.physicalNetworkItem['createPhysicalNetwork' + index]
             }
@@ -910,6 +917,8 @@ export default {
         await this.stepAddNsxController()
       } else if (this.stepData.isNetrisZone) {
         await this.stepAddNetrisProvider()
+      } else if (this.stepData.isOvnZone) {
+        await this.stepAddOvnProvider()
       } else {
         await this.stepConfigureStorageTraffic()
       }
@@ -1157,6 +1166,54 @@ export default {
         this.setStepStatus(STATUS_FAILED)
       }
     },
+    async stepAddOvnProvider () {
+      // Mirror of stepAddNetrisProvider: register the OVN central (NB/SB) endpoints with
+      // the zone via addOvnProvider so OvnGuestNetworkGuru can resolve the provider when
+      // a network is implemented. Only `name` and `nbconnection` are mandatory; the rest
+      // are optional and skipped when the operator left the field blank in the wizard.
+      this.setStepStatus(STATUS_FINISH)
+      this.currentStep++
+      this.addStep('message.add.ovn.controller', 'ovn')
+      if (this.stepData.stepMove.includes('ovn')) {
+        await this.stepConfigureStorageTraffic()
+        return
+      }
+      try {
+        if (!this.stepData.stepMove.includes('addOvnProvider')) {
+          const providerParams = {}
+          providerParams.zoneid = this.stepData.zoneReturned.id
+          providerParams.name = this.prefillContent?.ovnName || ''
+          providerParams.nbconnection = this.prefillContent?.ovnNbConnection || ''
+          if (this.prefillContent?.ovnSbConnection) {
+            providerParams.sbconnection = this.prefillContent.ovnSbConnection
+          }
+          if (this.prefillContent?.ovnExternalBridge) {
+            providerParams.externalbridge = this.prefillContent.ovnExternalBridge
+          }
+          if (this.prefillContent?.ovnLocalnetName) {
+            providerParams.localnetname = this.prefillContent.ovnLocalnetName
+          }
+          if (this.prefillContent?.ovnCaCertPath) {
+            providerParams.cacertpath = this.prefillContent.ovnCaCertPath
+          }
+          if (this.prefillContent?.ovnClientCertPath) {
+            providerParams.clientcertpath = this.prefillContent.ovnClientCertPath
+          }
+          if (this.prefillContent?.ovnClientPrivateKeyPath) {
+            providerParams.clientprivatekeypath = this.prefillContent.ovnClientPrivateKeyPath
+          }
+
+          await this.addOvnProvider(providerParams)
+          this.stepData.stepMove.push('addOvnProvider')
+        }
+        this.stepData.stepMove.push('ovn')
+        await this.stepConfigureStorageTraffic()
+      } catch (e) {
+        this.messageError = e
+        this.processStatus = STATUS_FAILED
+        this.setStepStatus(STATUS_FAILED)
+      }
+    },
     async stepConfigureStorageTraffic () {
       let targetNetwork = false
       this.prefillContent.physicalNetworks.forEach(physicalNetwork => {
@@ -2339,6 +2396,16 @@ export default {
         })
       })
     },
+    addOvnProvider (args) {
+      return new Promise((resolve, reject) => {
+        postAPI('addOvnProvider', args).then(json => {
+          resolve()
+        }).catch(error => {
+          const message = error.response.headers['x-description']
+          reject(message)
+        })
+      })
+    },
     configTungstenFabricService (args) {
       return new Promise((resolve, reject) => {
         postAPI('configTungstenFabricService', args).then(json => {

ui/src/views/infra/zone/ZoneWizardNetworkSetupStep.vue

@@ -102,6 +102,18 @@
       :isFixError="isFixError"
     />
 
+    <static-inputs-form
+      v-if="steps && steps[currentStep].formKey === 'ovn'"
+      @nextPressed="nextPressed"
+      @backPressed="handleBack"
+      @fieldsChanged="fieldsChanged"
+      @submitLaunchZone="submitLaunchZone"
+      :fields="ovnFields"
+      :prefillContent="prefillContent"
+      :description="ovnSetupDescription"
+      :isFixError="isFixError"
+    />
+
     <static-inputs-form
       v-if="steps && steps[currentStep].formKey === 'pod'"
       @nextPressed="nextPressed"
@@ -237,6 +249,15 @@ export default {
       }
       return isNetris
     },
+    isOvnZone () {
+      // The physical-network grid stores the user's selection as the literal label of the
+      // dropdown option. The OVN option is registered as value="OVN" in
+      // ZoneWizardPhysicalNetworkSetupStep.vue, so match on that exact string.
+      if (!this.prefillContent.physicalNetworks) {
+        return false
+      }
+      return this.prefillContent.physicalNetworks.findIndex(network => network.isolationMethod === 'OVN') > -1
+    },
     allSteps () {
       const steps = []
       steps.push({
@@ -261,6 +282,12 @@ export default {
           formKey: 'netris'
         })
       }
+      if (this.isOvnZone) {
+        steps.push({
+          title: 'label.ovn.provider',
+          formKey: 'ovn'
+        })
+      }
       if (this.havingNetscaler) {
         steps.push({
           title: 'label.netScaler',
@@ -523,6 +550,68 @@ export default {
       ]
       return fields
     },
+    ovnFields () {
+      // Mirrors the AddOvnProviderCmd parameters in
+      // plugins/network-elements/ovn/.../api/command/AddOvnProviderCmd.java.
+      // Only `name` and `nbConnection` are mandatory on the API; everything else is
+      // optional but operator-recommended for a usable zone:
+      //   - sbConnection lets us prune stale Gateway_Chassis rows (PR-2a/PR-2b)
+      //   - externalBridge / localnetName are how the public LS bridges to the
+      //     physical network via ovn-bridge-mappings
+      //   - the three TLS paths are required when the operator has secured the
+      //     OVSDB endpoints with TLS (NB/SB on ssl:host:6641|6642).
+      const fields = [
+        {
+          title: 'label.ovn.provider.name',
+          key: 'ovnName',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.name',
+          required: true
+        },
+        {
+          title: 'label.ovn.provider.nb.connection',
+          key: 'ovnNbConnection',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.nb.connection',
+          required: true
+        },
+        {
+          title: 'label.ovn.provider.sb.connection',
+          key: 'ovnSbConnection',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.sb.connection',
+          required: false
+        },
+        {
+          title: 'label.ovn.provider.external.bridge',
+          key: 'ovnExternalBridge',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.external.bridge',
+          required: false
+        },
+        {
+          title: 'label.ovn.provider.localnet.name',
+          key: 'ovnLocalnetName',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.localnet.name',
+          required: false
+        },
+        {
+          title: 'label.ovn.provider.ca.cert.path',
+          key: 'ovnCaCertPath',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.ca.cert.path',
+          required: false
+        },
+        {
+          title: 'label.ovn.provider.client.cert.path',
+          key: 'ovnClientCertPath',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.client.cert.path',
+          required: false
+        },
+        {
+          title: 'label.ovn.provider.client.private.key.path',
+          key: 'ovnClientPrivateKeyPath',
+          placeHolder: 'message.installwizard.tooltip.ovn.provider.client.private.key.path',
+          required: false
+        }
+      ]
+      return fields
+    },
     guestTrafficFields () {
       const fields = [
         {
@@ -594,6 +683,7 @@ export default {
       tungstenSetupDescription: 'message.infra.setup.tungsten.description',
       nsxSetupDescription: 'message.infra.setup.nsx.description',
       netrisSetupDescription: 'message.infra.setup.netris.description',
+      ovnSetupDescription: 'message.infra.setup.ovn.description',
       netscalerSetupDescription: 'label.please.specify.netscaler.info',
       storageTrafficDescription: 'label.zonewizard.traffictype.storage',
       podFields: [