diff --git a/etc/octavia.conf b/etc/octavia.conf index cfa5676e68..994fec5ac7 100644 --- a/etc/octavia.conf +++ b/etc/octavia.conf @@ -40,6 +40,9 @@ # Enable/disable ability for users to create TLS Terminated listeners # allow_tls_terminated_listeners = True +# Enable/disable ability for users to create PING type Health Monitors +# allow_ping_health_monitors = True + [database] # This line MUST be changed to actually run the plugin. # Example: diff --git a/octavia/api/v2/controllers/health_monitor.py b/octavia/api/v2/controllers/health_monitor.py index 8ed3fb1eec..de21635d10 100644 --- a/octavia/api/v2/controllers/health_monitor.py +++ b/octavia/api/v2/controllers/health_monitor.py @@ -151,6 +151,12 @@ class HealthMonitorController(base.BaseController): """Creates a health monitor on a pool.""" context = pecan.request.context.get('octavia_context') health_monitor = health_monitor_.healthmonitor + + if (not CONF.api_settings.allow_ping_health_monitors and + health_monitor.type == constants.HEALTH_MONITOR_PING): + raise exceptions.DisabledOption( + option='type', value=constants.HEALTH_MONITOR_PING) + pool = self._get_db_pool(context.session, health_monitor.pool_id) health_monitor.project_id = pool.project_id diff --git a/octavia/common/config.py b/octavia/common/config.py index e69735f54a..a579fddbe8 100644 --- a/octavia/common/config.py +++ b/octavia/common/config.py @@ -100,6 +100,8 @@ api_opts = [ help=_("Expose the v2 API?")), cfg.BoolOpt('allow_tls_terminated_listeners', default=True, help=_("Allow users to create TLS Terminated listeners?")), + cfg.BoolOpt('allow_ping_health_monitors', default=True, + help=_("Allow users to create PING type Health Monitors?")), ] # Options only used by the amphora agent diff --git a/octavia/tests/functional/api/v2/test_health_monitor.py b/octavia/tests/functional/api/v2/test_health_monitor.py index 91b430d188..83353cfe61 100644 --- a/octavia/tests/functional/api/v2/test_health_monitor.py +++ b/octavia/tests/functional/api/v2/test_health_monitor.py @@ -740,6 +740,21 @@ class TestHealthMonitor(base.BaseAPITest): lb_id=self.lb_id, listener_id=self.listener_id, pool_id=self.pool_id) + def test_create_ping_when_ping_disabled(self): + self.conf = self.useFixture(oslo_fixture.Config(cfg.CONF)) + self.conf.config(group='api_settings', + allow_ping_health_monitors=False) + req_dict = {'pool_id': self.pool_id, + 'type': constants.HEALTH_MONITOR_PING, + 'delay': 1, + 'timeout': 1, + 'max_retries_down': 1, + 'max_retries': 1} + self.post(self.HMS_PATH, self._build_body(req_dict), status=400) + self.assert_correct_status( + lb_id=self.lb_id, listener_id=self.listener_id, + pool_id=self.pool_id) + def test_create_with_bad_handler(self): self.handler_mock().health_monitor.create.side_effect = Exception() api_hm = self.create_health_monitor( diff --git a/releasenotes/notes/allow-operators-to-disable-ping-healthchecks-42fd8c3b88edaf35.yaml b/releasenotes/notes/allow-operators-to-disable-ping-healthchecks-42fd8c3b88edaf35.yaml new file mode 100644 index 0000000000..c51d273ca3 --- /dev/null +++ b/releasenotes/notes/allow-operators-to-disable-ping-healthchecks-42fd8c3b88edaf35.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Cloud deployers can set `api_settings.allow_ping_health_monitors = False` + in `octavia.conf` to disable the ability to create PING health monitors.