Workaround peer name starting with hyphen

The base64_sha_string method is used to set a base64-encoded peer name
in HAProxy. There are cases where the peer name can start with
a hyphen, which is troublesome when used in HAProxy CLI. Specifically,
HAProxy fails to reload when local peer name starts with '-x' [1]. When
this is the case, an amphora goes to provisioning status ERROR and later
is scheduled for failover by the Octavia Health Manager service. A new
amphora UUID is assigned and base64 encoded, hopefully not starting
with '-x' again. However, this is far from being ideal -- we incur a
dataplane disruption (single topology) or reduce HA capabilities
(active-standby topology) for some time.

Four possible options:

a) add prefix to peer name
b) change b64encode altchars
c) quote peer name in haproxy CLI command
d) substitute first character if hyphen

Options a) and b) are not backward compatible with running amphorae. Peer
names of existing amphorae that do not start with a hyphen but contain
a hyphen at any other position would get different peer names.

Option c) would nonetheless still require an amphora image update to add
quotes in the HAProxy init service file. Continuing to generate peer
names with hyphens at the beginning of the string is avoidable and
recommended.

Option d), while also requiring an amphora image update, would get
rid of hyphens at the beginning of the peer names. It is also backward
compatible with all running amphorae, except for those starting with
a hyphen, but those are broken anyway.

This patch takes option d). It substitutes hyphen with 'x' character.

[1] https://github.com/haproxy/haproxy/issues/644

Task: 39850
Story: 2007714

Change-Id: Ib0fc26877710dea423a5ebcf1f71077665404377
(cherry picked from commit acc38391de)
(cherry picked from commit df36c2c8ca)
(cherry picked from commit e0b53b2cc7)
Carlos Goncalves 2020-05-25 20:47:34 +02:00 committed by Michael Johnson
parent 174a34c74b
commit 8bd0fbc8ba
3 changed files with 29 additions and 1 deletions
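
The compatibility argument in the commit message, as an added example that is not part of this commit or of Octavia's code: it encodes the same IDs under options a), b) and d) and counts how many working amphorae would be renamed and how many names could still be read as a CLI option. The prefix 'p', the altchars '_.' and the 2000 synthetic UUIDs are assumptions made for the illustration.

```python
import base64
import hashlib
import re
import uuid

# UUIDs taken from the unit test added in this commit.
PAGE_IDS = [
    '77e7d60d-e137-4246-8a84-a25db33571cd',
    '9c6e5f27-a0da-4ceb-afe5-5a81230be42e',
    '4db4a3cf-9fef-4057-b1fd-b2afbf7a8a0f',
]


def legacy(s, altchars=b'_-'):
    """Peer name as generated before the patch (SHA-1, base64 with '_-')."""
    digest = hashlib.sha1(s.encode('utf-8')).digest()  # nosec
    return base64.b64encode(digest, altchars).decode('utf-8')


# One encoder per option. Prefix 'p' and altchars '_.' are hypothetical;
# option c) changes CLI quoting, not the name, so it has no encoder here.
OPTIONS = {
    'a_prefix': lambda s: 'p' + legacy(s),
    'b_altchars': lambda s: legacy(s, b'_.'),
    'd_substitute': lambda s: re.sub(r'^-', 'x', legacy(s)),
}


def compare(ids):
    """Return {option: (renamed_healthy, leading_hyphen)} over ids."""
    # Healthy: the old name had no leading '-', so the amphora was working.
    healthy = [i for i in ids if not legacy(i).startswith('-')]
    report = {}
    for name, encode in OPTIONS.items():
        # A renamed healthy amphora is a backward-compatibility break.
        renamed = sum(encode(i) != legacy(i) for i in healthy)
        # A leading '-' can still be parsed as an option on the command line.
        hyphen = sum(encode(i).startswith('-') for i in ids)
        report[name] = (renamed, hyphen)
    return report


# Constructed sample: the three UUIDs above plus 2000 synthetic ones.
SAMPLE = PAGE_IDS + [str(uuid.UUID(int=n)) for n in range(2000)]

if __name__ == '__main__':
    for option, (renamed, hyphen) in compare(SAMPLE).items():
        print(f'{option}: renamed_healthy={renamed} leading_hyphen={hyphen}')
```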


@ -20,6 +20,7 @@
import base64 import base64
import hashlib import hashlib
import re
import socket import socket
import netaddr import netaddr
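
Review bot: the `import re` added here serves only the single anchored `re.sub(r"^-", ...)` in base64_sha1_string. A plain `startswith('-')` check with a slice would express the first-character substitution without a regex and without the extra import.
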
@ -45,7 +46,9 @@ def base64_sha1_string(string_to_hash):
# break backwards compatibility with existing loadbalancers. # break backwards compatibility with existing loadbalancers.
hash_str = hashlib.sha1(string_to_hash.encode('utf-8')).digest() # nosec hash_str = hashlib.sha1(string_to_hash.encode('utf-8')).digest() # nosec
b64_str = base64.b64encode(hash_str, str.encode('_-', 'ascii')) b64_str = base64.b64encode(hash_str, str.encode('_-', 'ascii'))
return b64_str.decode('UTF-8') b64_sha1 = b64_str.decode('UTF-8')
# https://github.com/haproxy/haproxy/issues/644
return re.sub(r"^-", "x", b64_sha1)
def get_network_driver(): def get_network_driver():
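
Review bot: the new return line rewrites any leading '-' to 'x', but the only comment is a bare issue URL, so a reader cannot tell from the code that the point is to keep the peer name from being parsed as an option on the HAProxy command line. Spell that out in the comment. Also note there that the result is no longer strictly the base64 of the SHA-1: an input whose encoding starts with '-' now maps to the same name as one whose encoding starts with 'x' and is otherwise identical. That is very unlikely across a 160-bit digest, but it belongs next to the existing backward-compatibility comment above.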


@ -60,3 +60,18 @@ class TestConfig(base.TestCase):
utils.ip_netmask_to_cidr('10.0.0.1', '255.255.240.0')) utils.ip_netmask_to_cidr('10.0.0.1', '255.255.240.0'))
self.assertEqual('10.0.0.0/30', utils.ip_netmask_to_cidr( self.assertEqual('10.0.0.0/30', utils.ip_netmask_to_cidr(
'10.0.0.1', '255.255.255.252')) '10.0.0.1', '255.255.255.252'))
def test_base64_sha1_string(self):
str_to_sha1 = [
# no special cases str (no altchars)
('77e7d60d-e137-4246-8a84-a25db33571cd',
'iVZVQ5AKmk2Ae0uGLP0Ue4OseRM='),
# backward compat amphorae with - in str[1:]
('9c6e5f27-a0da-4ceb-afe5-5a81230be42e',
'NjrNgt3Egl-H5ScbYM5ChtUH3M8='),
# sha1 would start with -, now replaced with x
('4db4a3cf-9fef-4057-b1fd-b2afbf7a8a0f',
'xxqntK8jJ_gE3QEmh-D1-XgCW_E=')
]
for str, sha1 in str_to_sha1:
self.assertEqual(sha1, utils.base64_sha1_string(str))
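
Review bot: the loop `for str, sha1 in str_to_sha1:` shadows the built-in `str` inside the test; rename the loop variables (for example `uuid_str, expected`). The third vector covers a name that used to begin with '-'; consider also asserting that no returned name starts with '-', so the property the fix relies on is checked directly rather than only through fixed strings.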


@ -0,0 +1,10 @@
---
upgrade:
- |
An amphora image update is recommended to pick up a workaround to an
HAProxy issue where it would fail to reload on configuration change should
the local peer name start with "-x".
fixes:
- |
Workaround an HAProxy issue where it would fail to reload on configuration
change should the local peer name start with "-x".
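
Review bot: both entries describe the trigger as a peer name starting with "-x", while the code change replaces any leading "-"; word them to match. The upgrade entry should also say that an amphora whose peer name starts with a hyphen gets a different peer name after the image update, since the commit message names that as the one case that is not backward compatible. Minor: "Workaround" in the fixes entry is used as a verb and should read "Work around".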