openstack
/
kuryr-kubernetes
Code Issues Proposed changes

Update lbaasv2 driver to use OpenStackSDK. 

Change-Id: I4d9f754e30e66825711d21d9e5f711f8dc870783
Implements: blueprint switch-to-openstacksdk
This commit is contained in:
Roman Dobosz 2019-11-28 17:09:36 +01:00
parent c7b8816c35
commit 687642eef5
2 changed files with 181 additions and 212 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

348
kuryr_kubernetes/controller/drivers/lbaasv2.py
View File

@ -19,7 +19,6 @@ import time
import requests import requests
from neutronclient.common import exceptions as n_exc
from openstack import exceptions as os_exc from openstack import exceptions as os_exc
from openstack.load_balancer.v2 import l7_policy as o_l7p from openstack.load_balancer.v2 import l7_policy as o_l7p
from openstack.load_balancer.v2 import l7_rule as o_l7r from openstack.load_balancer.v2 import l7_rule as o_l7r
@ -155,7 +154,7 @@ class LBaaSv2Driver(base.LBaaSDriver):
return response return response
def release_loadbalancer(self, loadbalancer): def release_loadbalancer(self, loadbalancer):
neutron = clients.get_neutron_client() os_net = clients.get_network_client()
lbaas = clients.get_loadbalancer_client() lbaas = clients.get_loadbalancer_client()
self._release( self._release(
loadbalancer, loadbalancer,
@ -169,54 +168,42 @@ class LBaaSv2Driver(base.LBaaSDriver):
# Note: reusing activation timeout as deletion timeout # Note: reusing activation timeout as deletion timeout
self._wait_for_deletion(loadbalancer, _ACTIVATION_TIMEOUT) self._wait_for_deletion(loadbalancer, _ACTIVATION_TIMEOUT)
try: try:
neutron.delete_security_group(sg_id) os_net.delete_security_group(sg_id)
except n_exc.NotFound: except os_exc.SDKException:
LOG.debug('Security group %s already deleted', sg_id)
except n_exc.NeutronClientException:
LOG.exception('Error when deleting loadbalancer security ' LOG.exception('Error when deleting loadbalancer security '
'group. Leaving it orphaned.') 'group. Leaving it orphaned.')
def _create_lb_security_group_rule(self, loadbalancer, listener): def _create_lb_security_group_rule(self, loadbalancer, listener):
neutron = clients.get_neutron_client() os_net = clients.get_network_client()
sg_id = self._find_listeners_sg(loadbalancer) sg_id = self._find_listeners_sg(loadbalancer)
# if an SG for the loadbalancer has not being created, create one # if an SG for the loadbalancer has not being created, create one
if not sg_id: if not sg_id:
sg = neutron.create_security_group({ sg = os_net.create_security_group(
'security_group': { name=loadbalancer.name, project_id=loadbalancer.project_id)
'name': loadbalancer.name, c_utils.tag_neutron_resources('security-groups', [sg.id])
'project_id': loadbalancer.project_id, loadbalancer.security_groups.append(sg.id)
},
})
sg_id = sg['security_group']['id']
c_utils.tag_neutron_resources('security-groups', [sg_id])
loadbalancer.security_groups.append(sg_id)
vip_port = self._get_vip_port(loadbalancer) vip_port = self._get_vip_port(loadbalancer)
neutron.update_port( os_net.update_port(vip_port.id, security_groups=[sg.id])
vip_port.get('id'), sg_id = sg.id
{'port': {
'security_groups': [sg_id]}})
try: try:
neutron.create_security_group_rule({ os_net.create_security_group_rule(direction='ingress',
'security_group_rule': { port_range_min=listener.port,
'direction': 'ingress', port_range_max=listener.port,
'port_range_min': listener.port, protocol=listener.protocol,
'port_range_max': listener.port, security_group_id=sg_id,
'protocol': listener.protocol, description=listener.name)
'security_group_id': sg_id, except os_exc.ConflictException:
'description': listener.name, pass
}, except os_exc.SDKException:
}) LOG.exception('Failed when creating security group rule for '
except n_exc.NeutronClientException as ex: 'listener %s.', listener.name)
if ex.status_code != requests.codes.conflict:
LOG.exception('Failed when creating security group rule '
'for listener %s.', listener.name)
def _create_listeners_acls(self, loadbalancer, port, target_port, def _create_listeners_acls(self, loadbalancer, port, target_port,
protocol, lb_sg, new_sgs, listener_id): protocol, lb_sg, new_sgs, listener_id):
all_pod_rules = [] all_pod_rules = []
add_default_rules = False add_default_rules = False
neutron = clients.get_neutron_client() os_net = clients.get_network_client()
if new_sgs: if new_sgs:
sgs = new_sgs sgs = new_sgs
@ -232,25 +219,24 @@ class LBaaSv2Driver(base.LBaaSDriver):
# default listener rules # default listener rules
add_default_rules = True add_default_rules = True
break break
rules = neutron.list_security_group_rules( rules = os_net.security_group_rules(security_group_id=sg)
security_group_id=sg) for rule in rules:
for rule in rules['security_group_rules']:
# NOTE(ltomasbo): NP sg can only have rules with # NOTE(ltomasbo): NP sg can only have rules with
# or without remote_ip_prefix. Rules with remote_group_id # or without remote_ip_prefix. Rules with remote_group_id
# are not possible, therefore only applying the ones # are not possible, therefore only applying the ones
# with or without remote_ip_prefix. # with or without remote_ip_prefix.
if rule.get('remote_group_id'): if rule.remote_group_id:
continue continue
if (rule['protocol'] == protocol.lower() and if (rule.protocol == protocol.lower() and
rule['direction'] == 'ingress'): rule.direction == 'ingress'):
# If listener port not in allowed range, skip # If listener port not in allowed range, skip
min_port = rule.get('port_range_min') min_port = rule.port_range_min
max_port = rule.get('port_range_max') max_port = rule.port_range_max
if (min_port and target_port not in range(min_port, if (min_port and target_port not in range(min_port,
max_port+1)): max_port+1)):
continue continue
if rule.get('remote_ip_prefix'): if rule.remote_ip_prefix:
all_pod_rules.append(rule['remote_ip_prefix']) all_pod_rules.append(rule.remote_ip_prefix)
else: else:
add_default_rules = True add_default_rules = True
@ -265,7 +251,7 @@ class LBaaSv2Driver(base.LBaaSDriver):
protocol, sg_rule_name, listener_id, protocol, sg_rule_name, listener_id,
new_sgs=None): new_sgs=None):
LOG.debug("Applying members security groups.") LOG.debug("Applying members security groups.")
neutron = clients.get_neutron_client() os_net = clients.get_network_client()
lb_sg = None lb_sg = None
if CONF.octavia_defaults.sg_mode == 'create': if CONF.octavia_defaults.sg_mode == 'create':
if new_sgs: if new_sgs:
@ -276,7 +262,7 @@ class LBaaSv2Driver(base.LBaaSDriver):
else: else:
vip_port = self._get_vip_port(loadbalancer) vip_port = self._get_vip_port(loadbalancer)
if vip_port: if vip_port:
lb_sg = vip_port.get('security_groups')[0] lb_sg = vip_port.security_group_ids[0]
# NOTE (maysams) It might happen that the update of LBaaS SG # NOTE (maysams) It might happen that the update of LBaaS SG
# has been triggered and the LBaaS SG was not created yet. # has been triggered and the LBaaS SG was not created yet.
@ -289,8 +275,7 @@ class LBaaSv2Driver(base.LBaaSDriver):
protocol, lb_sg, new_sgs, listener_id) protocol, lb_sg, new_sgs, listener_id)
return return
lbaas_sg_rules = neutron.list_security_group_rules( lbaas_sg_rules = os_net.security_group_rules(security_group_id=lb_sg)
security_group_id=lb_sg)
all_pod_rules = [] all_pod_rules = []
add_default_rules = False add_default_rules = False
@ -308,20 +293,19 @@ class LBaaSv2Driver(base.LBaaSDriver):
# default listener rules # default listener rules
add_default_rules = True add_default_rules = True
break break
rules = neutron.list_security_group_rules( rules = os_net.security_group_rules(security_group_id=sg)
security_group_id=sg) for rule in rules:
for rule in rules['security_group_rules']:
# copying ingress rules with same protocol onto the # copying ingress rules with same protocol onto the
# loadbalancer sg rules # loadbalancer sg rules
# NOTE(ltomasbo): NP sg can only have rules with # NOTE(ltomasbo): NP sg can only have rules with
# or without remote_ip_prefix. Rules with remote_group_id # or without remote_ip_prefix. Rules with remote_group_id
# are not possible, therefore only applying the ones # are not possible, therefore only applying the ones
# with or without remote_ip_prefix. # with or without remote_ip_prefix.
if (rule['protocol'] == protocol.lower() and if (rule.protocol == protocol.lower() and
rule['direction'] == 'ingress'): rule.direction == 'ingress'):
# If listener port not in allowed range, skip # If listener port not in allowed range, skip
min_port = rule.get('port_range_min') min_port = rule.port_range_min
max_port = rule.get('port_range_max') max_port = rule.port_range_max
if (min_port and target_port not in range(min_port, if (min_port and target_port not in range(min_port,
max_port+1)): max_port+1)):
continue continue
@ -329,147 +313,126 @@ class LBaaSv2Driver(base.LBaaSDriver):
try: try:
LOG.debug("Creating LBaaS sg rule for sg: %r", LOG.debug("Creating LBaaS sg rule for sg: %r",
lb_sg) lb_sg)
neutron.create_security_group_rule({ os_net.create_security_group_rule(
'security_group_rule': { direction='ingress',
'direction': 'ingress', port_range_min=port,
'port_range_min': port, port_range_max=port,
'port_range_max': port, protocol=protocol,
'protocol': protocol, remote_ip_prefix=rule.remote_ip_prefix,
'remote_ip_prefix': rule[ security_group_id=lb_sg,
'remote_ip_prefix'], description=sg_rule_name)
'security_group_id': lb_sg, except os_exc.ConflictException:
'description': sg_rule_name, pass
}, except os_exc.SDKException:
}) LOG.exception('Failed when creating security '
except n_exc.NeutronClientException as ex: 'group rule for listener %s.',
if ex.status_code != requests.codes.conflict: sg_rule_name)
LOG.exception('Failed when creating security '
'group rule for listener %s.',
sg_rule_name)
# Delete LBaaS sg rules that do not match NP # Delete LBaaS sg rules that do not match NP
for rule in lbaas_sg_rules['security_group_rules']: for rule in lbaas_sg_rules:
if (rule.get('protocol') != protocol.lower() or if (rule.protocol != protocol.lower() or
rule.get('port_range_min') != port or rule.port_range_min != port or
rule.get('direction') != 'ingress'): rule.direction != 'ingress'):
if all_pod_rules and self._is_default_rule(rule): if all_pod_rules and self._is_default_rule(rule):
LOG.debug("Removing default LBaaS sg rule for sg: %r", LOG.debug("Removing default LBaaS sg rule for sg: %r",
lb_sg) lb_sg)
neutron.delete_security_group_rule(rule['id']) os_net.delete_security_group_rule(rule.id)
continue continue
self._delete_rule_if_no_match(rule, all_pod_rules) self._delete_rule_if_no_match(rule, all_pod_rules)
if add_default_rules: if add_default_rules:
try: try:
LOG.debug("Restoring default LBaaS sg rule for sg: %r", lb_sg) LOG.debug("Restoring default LBaaS sg rule for sg: %r", lb_sg)
neutron.create_security_group_rule({ os_net.create_security_group_rule(direction='ingress',
'security_group_rule': { port_range_min=port,
'direction': 'ingress', port_range_max=port,
'port_range_min': port, protocol=protocol,
'port_range_max': port, security_group_id=lb_sg,
'protocol': protocol, description=sg_rule_name)
'security_group_id': lb_sg, except os_exc.ConflictException:
'description': sg_rule_name, pass
}, except os_exc.SDKException:
}) LOG.exception('Failed when creating security group rule for '
except n_exc.NeutronClientException as ex: 'listener %s.', sg_rule_name)
if ex.status_code != requests.codes.conflict:
LOG.exception('Failed when creating security '
'group rule for listener %s.',
sg_rule_name)
def _delete_rule_if_no_match(self, rule, all_pod_rules): def _delete_rule_if_no_match(self, rule, all_pod_rules):
for pod_rule in all_pod_rules: for pod_rule in all_pod_rules:
if pod_rule['remote_ip_prefix'] == rule['remote_ip_prefix']: if pod_rule['remote_ip_prefix'] == rule['remote_ip_prefix']:
return return
neutron = clients.get_neutron_client() os_net = clients.get_network_client()
LOG.debug("Deleting sg rule: %r", rule['id']) LOG.debug("Deleting sg rule: %r", rule.id)
neutron.delete_security_group_rule(rule['id']) os_net.delete_security_group_rule(rule.id)
def _is_default_rule(self, rule): def _is_default_rule(self, rule):
if (rule.get('direction') == 'ingress' and return (rule.get('direction') == 'ingress' and
not rule.get('remote_ip_prefix') and not rule.get('remote_ip_prefix') and
'network-policy' not in rule.get('description')): 'network-policy' not in rule.get('description'))
return True
return False
def _remove_default_octavia_rules(self, sg_id, listener): def _remove_default_octavia_rules(self, sg_id, listener):
neutron = clients.get_neutron_client() os_net = clients.get_network_client()
for remaining in self._provisioning_timer( for remaining in self._provisioning_timer(
_ACTIVATION_TIMEOUT, _LB_STS_POLL_SLOW_INTERVAL): _ACTIVATION_TIMEOUT, _LB_STS_POLL_SLOW_INTERVAL):
listener_rules = neutron.list_security_group_rules( listener_rules = os_net.security_group_rules(
security_group_id=sg_id, security_group_id=sg_id,
protocol=listener.protocol, protocol=listener.protocol,
port_range_min=listener.port, port_range_min=listener.port,
port_range_max=listener.port, port_range_max=listener.port,
direction='ingress') direction='ingress')
for rule in listener_rules['security_group_rules']: for rule in listener_rules:
if not (rule.get('remote_group_id') or if not (rule.remote_group_id or rule.remote_ip_prefix):
rule.get('remote_ip_prefix')):
# remove default sg rules # remove default sg rules
neutron.delete_security_group_rule(rule['id']) os_net.delete_security_group_rule(rule.id)
return return
def _extend_lb_security_group_rules(self, loadbalancer, listener): def _extend_lb_security_group_rules(self, loadbalancer, listener):
neutron = clients.get_neutron_client() os_net = clients.get_network_client()
if CONF.octavia_defaults.sg_mode == 'create': if CONF.octavia_defaults.sg_mode == 'create':
sg_id = self._find_listeners_sg(loadbalancer) sg_id = self._find_listeners_sg(loadbalancer)
# if an SG for the loadbalancer has not being created, create one # if an SG for the loadbalancer has not being created, create one
if not sg_id: if not sg_id:
sg = neutron.create_security_group({ sg = os_net.create_security_group(
'security_group': { name=loadbalancer.name, project_id=loadbalancer.project_id)
'name': loadbalancer.name, c_utils.tag_neutron_resources('security-groups', [sg.id])
'project_id': loadbalancer.project_id, loadbalancer.security_groups.append(sg.id)
},
})
sg_id = sg['security_group']['id']
c_utils.tag_neutron_resources('security-groups', [sg_id])
loadbalancer.security_groups.append(sg_id)
vip_port = self._get_vip_port(loadbalancer) vip_port = self._get_vip_port(loadbalancer)
neutron.update_port( os_net.update_port(
vip_port.get('id'), vip_port.id,
{'port': { security_groups=loadbalancer.security_groups)
'security_groups': loadbalancer.security_groups}})
else: else:
sg_id = self._get_vip_port(loadbalancer).get('security_groups')[0] sg_id = self._get_vip_port(loadbalancer).security_group_ids[0]
# wait until octavia adds default sg rules # wait until octavia adds default sg rules
self._remove_default_octavia_rules(sg_id, listener) self._remove_default_octavia_rules(sg_id, listener)
for sg in loadbalancer.security_groups: for sg in loadbalancer.security_groups:
if sg != sg_id: if sg != sg_id:
try: try:
neutron.create_security_group_rule({ os_net.create_security_group_rule(
'security_group_rule': { direction='ingress',
'direction': 'ingress', port_range_min=listener.port,
'port_range_min': listener.port, port_range_max=listener.port,
'port_range_max': listener.port, protocol=listener.protocol,
'protocol': listener.protocol, security_group_id=sg_id,
'security_group_id': sg_id, remote_group_id=sg,
'remote_group_id': sg, description=listener.name)
'description': listener.name, except os_exc.ConflictException:
}, pass
}) except os_exc.SDKException:
except n_exc.NeutronClientException as ex: LOG.exception('Failed when creating security group '
if ex.status_code != requests.codes.conflict: 'rule for listener %s.', listener.name)
LOG.exception('Failed when creating security group '
'rule for listener %s.', listener.name)
# ensure routes have access to the services # ensure routes have access to the services
service_subnet_cidr = utils.get_subnet_cidr(loadbalancer.subnet_id) service_subnet_cidr = utils.get_subnet_cidr(loadbalancer.subnet_id)
try: try:
# add access from service subnet # add access from service subnet
neutron.create_security_group_rule({ os_net.create_security_group_rule(
'security_group_rule': { direction='ingress',
'direction': 'ingress', port_range_min=listener.port,
'port_range_min': listener.port, port_range_max=listener.port,
'port_range_max': listener.port, protocol=listener.protocol,
'protocol': listener.protocol, security_group_id=sg_id,
'security_group_id': sg_id, remote_ip_prefix=service_subnet_cidr,
'remote_ip_prefix': service_subnet_cidr, description=listener.name)
'description': listener.name,
},
})
# add access from worker node VM subnet for non-native route # add access from worker node VM subnet for non-native route
# support # support
@ -478,26 +441,23 @@ class LBaaSv2Driver(base.LBaaSDriver):
try: try:
worker_subnet_cidr = utils.get_subnet_cidr( worker_subnet_cidr = utils.get_subnet_cidr(
worker_subnet_id) worker_subnet_id)
neutron.create_security_group_rule({ os_net.create_security_group_rule(
'security_group_rule': { direction='ingress',
'direction': 'ingress', port_range_min=listener.port,
'port_range_min': listener.port, port_range_max=listener.port,
'port_range_max': listener.port, protocol=listener.protocol,
'protocol': listener.protocol, security_group_id=sg_id,
'security_group_id': sg_id, remote_ip_prefix=worker_subnet_cidr,
'remote_ip_prefix': worker_subnet_cidr, description=listener.name)
'description': listener.name,
},
})
except os_exc.ResourceNotFound: except os_exc.ResourceNotFound:
LOG.exception('Failed when creating security group rule ' LOG.exception('Failed when creating security group rule '
'due to nonexistent worker_subnet_id: %s', 'due to nonexistent worker_subnet_id: %s',
worker_subnet_id) worker_subnet_id)
except n_exc.NeutronClientException as ex: except os_exc.ConflictException:
if ex.status_code != requests.codes.conflict: pass
LOG.exception('Failed when creating security group rule ' except os_exc.SDKException:
'to enable routes for listener %s.', LOG.exception('Failed when creating security group rule to '
listener.name) 'enable routes for listener %s.', listener.name)
def _ensure_security_group_rules(self, loadbalancer, listener, def _ensure_security_group_rules(self, loadbalancer, listener,
service_type): service_type):
@ -534,7 +494,7 @@ class LBaaSv2Driver(base.LBaaSDriver):
return result return result
def release_listener(self, loadbalancer, listener): def release_listener(self, loadbalancer, listener):
neutron = clients.get_neutron_client() os_net = clients.get_network_client()
lbaas = clients.get_loadbalancer_client() lbaas = clients.get_loadbalancer_client()
self._release(loadbalancer, listener, self._release(loadbalancer, listener,
lbaas.delete_listener, lbaas.delete_listener,
@ -543,14 +503,13 @@ class LBaaSv2Driver(base.LBaaSDriver):
if CONF.octavia_defaults.sg_mode == 'create': if CONF.octavia_defaults.sg_mode == 'create':
sg_id = self._find_listeners_sg(loadbalancer) sg_id = self._find_listeners_sg(loadbalancer)
else: else:
sg_id = self._get_vip_port(loadbalancer).get('security_groups')[0] sg_id = self._get_vip_port(loadbalancer).security_group_ids[0]
if sg_id: if sg_id:
rules = neutron.list_security_group_rules( rules = os_net.security_group_rules(security_group_id=sg_id,
security_group_id=sg_id, description=listener.name) description=listener.name)
rules = rules['security_group_rules'] try:
if len(rules): os_net.delete_security_group_rule(next(rules).id)
neutron.delete_security_group_rule(rules[0]['id']) except StopIteration:
else:
LOG.warning('Cannot find SG rule for %s (%s) listener.', LOG.warning('Cannot find SG rule for %s (%s) listener.',
listener.id, listener.name) listener.id, listener.name)
@ -614,19 +573,19 @@ class LBaaSv2Driver(base.LBaaSDriver):
member.pool_id) member.pool_id)
def _get_vip_port(self, loadbalancer): def _get_vip_port(self, loadbalancer):
neutron = clients.get_neutron_client() os_net = clients.get_network_client()
try: try:
fixed_ips = ['subnet_id=%s' % str(loadbalancer.subnet_id), fixed_ips = ['subnet_id=%s' % str(loadbalancer.subnet_id),
'ip_address=%s' % str(loadbalancer.ip)] 'ip_address=%s' % str(loadbalancer.ip)]
ports = neutron.list_ports(fixed_ips=fixed_ips) ports = os_net.ports(fixed_ips=fixed_ips)
except n_exc.NeutronClientException: except os_exc.SDKException:
LOG.error("Port with fixed ips %s not found!", fixed_ips) LOG.error("Port with fixed ips %s not found!", fixed_ips)
raise raise
if ports['ports']: try:
return ports['ports'][0] return next(ports)
except StopIteration:
return None return None
def _post_lb_resource(self, resource, request, **kwargs): def _post_lb_resource(self, resource, request, **kwargs):
# FIXME(dulek): openstacksdk doesn't support Octavia tags until version # FIXME(dulek): openstacksdk doesn't support Octavia tags until version
@ -664,7 +623,7 @@ class LBaaSv2Driver(base.LBaaSDriver):
response = self._post_lb_resource(o_lb.LoadBalancer, request) response = self._post_lb_resource(o_lb.LoadBalancer, request)
loadbalancer.id = response.id loadbalancer.id = response.id
loadbalancer.port_id = self._get_vip_port(loadbalancer).get("id") loadbalancer.port_id = self._get_vip_port(loadbalancer).id
if (loadbalancer.provider is not None and if (loadbalancer.provider is not None and
loadbalancer.provider != response.provider): loadbalancer.provider != response.provider):
LOG.error("Request provider(%s) != Response provider(%s)", LOG.error("Request provider(%s) != Response provider(%s)",
@ -684,7 +643,7 @@ class LBaaSv2Driver(base.LBaaSDriver):
try: try:
os_lb = next(response) # openstacksdk returns a generator os_lb = next(response) # openstacksdk returns a generator
loadbalancer.id = os_lb.id loadbalancer.id = os_lb.id
loadbalancer.port_id = self._get_vip_port(loadbalancer).get("id") loadbalancer.port_id = self._get_vip_port(loadbalancer).id
loadbalancer.provider = os_lb.provider loadbalancer.provider = os_lb.provider
if os_lb.provisioning_status == 'ERROR': if os_lb.provisioning_status == 'ERROR':
self.release_loadbalancer(loadbalancer) self.release_loadbalancer(loadbalancer)
@ -909,27 +868,32 @@ class LBaaSv2Driver(base.LBaaSDriver):
time.sleep(interval) time.sleep(interval)
def _find_listeners_sg(self, loadbalancer, lb_name=None): def _find_listeners_sg(self, loadbalancer, lb_name=None):
neutron = clients.get_neutron_client() os_net = clients.get_network_client()
if lb_name: if lb_name:
sgs = neutron.list_security_groups( sgs = os_net.security_groups(name=lb_name,
name=lb_name, project_id=loadbalancer.project_id) project_id=loadbalancer.project_id)
# NOTE(ltomasbo): lb_name parameter is only passed when sg_mode # NOTE(ltomasbo): lb_name parameter is only passed when sg_mode
# is 'create' and in that case there is only one sg associated # is 'create' and in that case there is only one sg associated
# to the loadbalancer # to the loadbalancer
try: try:
sg_id = sgs['security_groups'][0]['id'] sg_id = next(sgs).id
except IndexError: except StopIteration:
sg_id = None sg_id = None
LOG.debug("Security Group not created yet for LBaaS.") LOG.debug("Security Group not created yet for LBaaS.")
return sg_id return sg_id
try: try:
sgs = neutron.list_security_groups( sgs = os_net.security_groups(name=loadbalancer.name,
name=loadbalancer.name, project_id=loadbalancer.project_id) project_id=loadbalancer.project_id)
for sg in sgs['security_groups']: for sg in sgs:
sg_id = sg['id'] try:
if sg_id in loadbalancer.security_groups: if sg.id in loadbalancer.security_groups:
return sg_id return sg.id
except n_exc.NeutronClientException: except TypeError:
LOG.exception('Loadbalancer %s does not have '
'security_groups defined.',
loadbalancer.name)
raise
except os_exc.SDKException:
LOG.exception('Cannot list security groups for loadbalancer %s.', LOG.exception('Cannot list security groups for loadbalancer %s.',
loadbalancer.name) loadbalancer.name)

45
kuryr_kubernetes/tests/unit/controller/drivers/test_lbaasv2.py
View File

@ -14,10 +14,10 @@
# under the License. # under the License.
import mock import mock
import requests import munch
from neutronclient.common import exceptions as n_exc from neutronclient.common import exceptions as n_exc
from openstack import exceptions as o_exc from openstack import exceptions as os_exc
from openstack.load_balancer.v2 import l7_policy as o_l7p from openstack.load_balancer.v2 import l7_policy as o_l7p
from openstack.load_balancer.v2 import l7_rule as o_l7r from openstack.load_balancer.v2 import l7_rule as o_l7r
from openstack.load_balancer.v2 import listener as o_lis from openstack.load_balancer.v2 import listener as o_lis
@ -25,6 +25,7 @@ from openstack.load_balancer.v2 import load_balancer as o_lb
from openstack.load_balancer.v2 import member as o_mem from openstack.load_balancer.v2 import member as o_mem
from openstack.load_balancer.v2 import pool as o_pool from openstack.load_balancer.v2 import pool as o_pool
from oslo_config import cfg from oslo_config import cfg
import requests
from kuryr_kubernetes.controller.drivers import lbaasv2 as d_lbaasv2 from kuryr_kubernetes.controller.drivers import lbaasv2 as d_lbaasv2
from kuryr_kubernetes import exceptions as k_exc from kuryr_kubernetes import exceptions as k_exc
@ -155,7 +156,7 @@ class TestLBaaSv2Driver(test_base.TestCase):
sg_ids, 'ClusterIP') sg_ids, 'ClusterIP')
def test_cascade_release_loadbalancer(self): def test_cascade_release_loadbalancer(self):
self.useFixture(k_fix.MockNeutronClient()).client self.useFixture(k_fix.MockNetworkClient()).client
lbaas = self.useFixture(k_fix.MockLBaaSClient()).client lbaas = self.useFixture(k_fix.MockLBaaSClient()).client
lbaas.lbaas_loadbalancer_path = "boo %s" lbaas.lbaas_loadbalancer_path = "boo %s"
cls = d_lbaasv2.LBaaSv2Driver cls = d_lbaasv2.LBaaSv2Driver
@ -216,21 +217,20 @@ class TestLBaaSv2Driver(test_base.TestCase):
loadbalancer = obj_lbaas.LBaaSLoadBalancer( loadbalancer = obj_lbaas.LBaaSLoadBalancer(
id=loadbalancer_id, name=name, project_id=project_id, id=loadbalancer_id, name=name, project_id=project_id,
subnet_id=subnet_id, ip=ip, provider=provider) subnet_id=subnet_id, ip=ip, provider=provider)
m_driver._ensure_provisioned.side_effect = o_exc.BadRequestException m_driver._ensure_provisioned.side_effect = os_exc.BadRequestException
resp = cls.ensure_listener(m_driver, loadbalancer, resp = cls.ensure_listener(m_driver, loadbalancer,
protocol, port) protocol, port)
self.assertIsNone(resp) self.assertIsNone(resp)
def test_release_listener(self): def test_release_listener(self):
neutron = self.useFixture(k_fix.MockNeutronClient()).client os_net = self.useFixture(k_fix.MockNetworkClient()).client
lbaas = self.useFixture(k_fix.MockLBaaSClient()).client lbaas = self.useFixture(k_fix.MockLBaaSClient()).client
neutron.list_security_group_rules.return_value = { os_net.security_group_rules.return_value = (x for x in [])
'security_group_rules': []}
cls = d_lbaasv2.LBaaSv2Driver cls = d_lbaasv2.LBaaSv2Driver
m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver) m_driver = mock.Mock(spec=d_lbaasv2.LBaaSv2Driver)
m_driver._get_vip_port.return_value = { m_driver._get_vip_port.return_value = munch.Munch({
'security_groups': [mock.sentinel.sg_id]} 'security_group_ids': [mock.sentinel.sg_id]})
loadbalancer = mock.Mock() loadbalancer = mock.Mock()
listener = mock.Mock() listener = mock.Mock()
@ -340,7 +340,8 @@ class TestLBaaSv2Driver(test_base.TestCase):
} }
resp = o_lb.LoadBalancer(id=loadbalancer_id, provider='haproxy') resp = o_lb.LoadBalancer(id=loadbalancer_id, provider='haproxy')
m_driver._post_lb_resource.return_value = resp m_driver._post_lb_resource.return_value = resp
m_driver._get_vip_port.return_value = {'id': mock.sentinel.port_id} m_driver._get_vip_port.return_value = munch.Munch(
{'id': mock.sentinel.port_id})
ret = cls._create_loadbalancer(m_driver, loadbalancer) ret = cls._create_loadbalancer(m_driver, loadbalancer)
m_driver._post_lb_resource.assert_called_once_with(o_lb.LoadBalancer, m_driver._post_lb_resource.assert_called_once_with(o_lb.LoadBalancer,
@ -368,7 +369,8 @@ class TestLBaaSv2Driver(test_base.TestCase):
} }
resp = o_lb.LoadBalancer(id=loadbalancer_id, provider='amphora') resp = o_lb.LoadBalancer(id=loadbalancer_id, provider='amphora')
m_driver._post_lb_resource.return_value = resp m_driver._post_lb_resource.return_value = resp
m_driver._get_vip_port.return_value = {'id': mock.sentinel.port_id} m_driver._get_vip_port.return_value = munch.Munch(
{'id': mock.sentinel.port_id})
ret = cls._create_loadbalancer(m_driver, loadbalancer) ret = cls._create_loadbalancer(m_driver, loadbalancer)
m_driver._post_lb_resource.assert_called_once_with(o_lb.LoadBalancer, m_driver._post_lb_resource.assert_called_once_with(o_lb.LoadBalancer,
@ -396,7 +398,8 @@ class TestLBaaSv2Driver(test_base.TestCase):
} }
resp = o_lb.LoadBalancer(id=loadbalancer_id, provider='haproxy') resp = o_lb.LoadBalancer(id=loadbalancer_id, provider='haproxy')
m_driver._post_lb_resource.return_value = resp m_driver._post_lb_resource.return_value = resp
m_driver._get_vip_port.return_value = {'id': mock.sentinel.port_id} m_driver._get_vip_port.return_value = munch.Munch(
{'id': mock.sentinel.port_id})
ret = cls._create_loadbalancer(m_driver, loadbalancer) ret = cls._create_loadbalancer(m_driver, loadbalancer)
m_driver._post_lb_resource.assert_called_once_with(o_lb.LoadBalancer, m_driver._post_lb_resource.assert_called_once_with(o_lb.LoadBalancer,
@ -415,7 +418,8 @@ class TestLBaaSv2Driver(test_base.TestCase):
resp = iter([o_lb.LoadBalancer(id=loadbalancer_id, provider='haproxy', resp = iter([o_lb.LoadBalancer(id=loadbalancer_id, provider='haproxy',
provisioning_status='ACTIVE')]) provisioning_status='ACTIVE')])
lbaas.load_balancers.return_value = resp lbaas.load_balancers.return_value = resp
m_driver._get_vip_port.return_value = {'id': mock.sentinel.port_id} m_driver._get_vip_port.return_value = munch.Munch(
{'id': mock.sentinel.port_id})
ret = cls._find_loadbalancer(m_driver, loadbalancer) ret = cls._find_loadbalancer(m_driver, loadbalancer)
lbaas.load_balancers.assert_called_once_with( lbaas.load_balancers.assert_called_once_with(
@ -459,7 +463,8 @@ class TestLBaaSv2Driver(test_base.TestCase):
resp = iter([o_lb.LoadBalancer(id=loadbalancer_id, provider='haproxy', resp = iter([o_lb.LoadBalancer(id=loadbalancer_id, provider='haproxy',
provisioning_status='ERROR')]) provisioning_status='ERROR')])
lbaas.load_balancers.return_value = resp lbaas.load_balancers.return_value = resp
m_driver._get_vip_port.return_value = {'id': mock.sentinel.port_id} m_driver._get_vip_port.return_value = munch.Munch(
{'id': mock.sentinel.port_id})
ret = cls._find_loadbalancer(m_driver, loadbalancer) ret = cls._find_loadbalancer(m_driver, loadbalancer)
lbaas.load_balancers.assert_called_once_with( lbaas.load_balancers.assert_called_once_with(
@ -755,11 +760,11 @@ class TestLBaaSv2Driver(test_base.TestCase):
def test_ensure_with_conflict(self): def test_ensure_with_conflict(self):
self._verify_ensure_with_exception( self._verify_ensure_with_exception(
o_exc.ConflictException(http_status=409)) os_exc.ConflictException(http_status=409))
def test_ensure_with_internalservererror(self): def test_ensure_with_internalservererror(self):
self._verify_ensure_with_exception( self._verify_ensure_with_exception(
o_exc.HttpException(http_status=500)) os_exc.HttpException(http_status=500))
def test_ensure_with_httperrors(self): def test_ensure_with_httperrors(self):
resp = requests.Response() resp = requests.Response()
@ -837,7 +842,7 @@ class TestLBaaSv2Driver(test_base.TestCase):
m_delete = mock.Mock() m_delete = mock.Mock()
timer = [mock.sentinel.t0, mock.sentinel.t1] timer = [mock.sentinel.t0, mock.sentinel.t1]
m_driver._provisioning_timer.return_value = timer m_driver._provisioning_timer.return_value = timer
m_delete.side_effect = [o_exc.BadRequestException, None] m_delete.side_effect = [os_exc.BadRequestException, None]
cls._release(m_driver, loadbalancer, obj, m_delete) cls._release(m_driver, loadbalancer, obj, m_delete)
@ -853,7 +858,7 @@ class TestLBaaSv2Driver(test_base.TestCase):
m_delete = mock.Mock() m_delete = mock.Mock()
timer = [mock.sentinel.t0, mock.sentinel.t1] timer = [mock.sentinel.t0, mock.sentinel.t1]
m_driver._provisioning_timer.return_value = timer m_driver._provisioning_timer.return_value = timer
m_delete.side_effect = o_exc.NotFoundException m_delete.side_effect = os_exc.NotFoundException
cls._release(m_driver, loadbalancer, obj, m_delete) cls._release(m_driver, loadbalancer, obj, m_delete)
@ -868,7 +873,7 @@ class TestLBaaSv2Driver(test_base.TestCase):
m_delete = mock.Mock() m_delete = mock.Mock()
timer = [mock.sentinel.t0, mock.sentinel.t1] timer = [mock.sentinel.t0, mock.sentinel.t1]
m_driver._provisioning_timer.return_value = timer m_driver._provisioning_timer.return_value = timer
m_delete.side_effect = o_exc.ConflictException m_delete.side_effect = os_exc.ConflictException
self.assertRaises(k_exc.ResourceNotReady, cls._release, m_driver, self.assertRaises(k_exc.ResourceNotReady, cls._release, m_driver,
loadbalancer, obj, m_delete) loadbalancer, obj, m_delete)
@ -1032,7 +1037,7 @@ class TestLBaaSv2Driver(test_base.TestCase):
lbaas.get_load_balancer.return_value = resp lbaas.get_load_balancer.return_value = resp
requested_uuid = '00EE9E11-91C2-41CF-8FD4-7970579EFFFF' requested_uuid = '00EE9E11-91C2-41CF-8FD4-7970579EFFFF'
lbaas.get_load_balancer.side_effect = o_exc.ResourceNotFound lbaas.get_load_balancer.side_effect = os_exc.ResourceNotFound
ret = cls.get_lb_by_uuid(m_driver, requested_uuid) ret = cls.get_lb_by_uuid(m_driver, requested_uuid)
lbaas.get_load_balancer.assert_called_once() lbaas.get_load_balancer.assert_called_once()