Add boolean tls_enabled option into Pool

Add "tls_enabled" option in Pool API.
This option will work on cert cases or no cert cases.

Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I62e31aaa66748ba652dfd5dbfd5a8b06d9ba0dfe

api-ref/source/parameters.yaml

@@ -1374,6 +1374,22 @@ tls_container_ref-optional:
   min_version: 2.8
   required: false
   type: string
+tls_enabled:
+  description: |
+    When ``true`` connections to backend member servers will use TLS
+    encryption. Default is ``false``.
+  in: body
+  min_version: 2.8
+  required: true
+  type: boolean
+tls_enabled-optional:
+  description: |
+    When ``true`` connections to backend member servers will use TLS
+    encryption. Default is ``false``.
+  in: body
+  min_version: 2.8
+  required: false
+  type: boolean
 total_connections:
   description: |
     The total connections handled.

api-ref/source/v2/examples/pool-create-curl

@@ -1 +1 @@
-curl -X POST -H "Content-Type: application/json" -H "X-Auth-Token: <token>" -d '{"pool":{"lb_algorithm":"ROUND_ROBIN","protocol":"HTTP","description":"Super Round Robin Pool","admin_state_up":true,"session_persistence":{"cookie_name":"ChocolateChip","type":"APP_COOKIE"},"listener_id":"023f2e34-7806-443b-bfae-16c324569a3d","name":"super-pool","tags":["test_tag"],"tls_container_ref":"http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6","ca_tls_container_ref":"http://198.51.100.10:9311/v1/containers/5f0d5540-fae6-4646-85d6-8a84883807fb","crl_container_ref":"http://198.51.100.10:9311/v1/containers/6faf0a01-6892-454c-aaac-650282820c0b"}}' http://198.51.100.10:9876/v2/lbaas/pools
+curl -X POST -H "Content-Type: application/json" -H "X-Auth-Token: <token>" -d '{"pool":{"lb_algorithm":"ROUND_ROBIN","protocol":"HTTP","description":"Super Round Robin Pool","admin_state_up":true,"session_persistence":{"cookie_name":"ChocolateChip","type":"APP_COOKIE"},"listener_id":"023f2e34-7806-443b-bfae-16c324569a3d","name":"super-pool","tags":["test_tag"],"tls_container_ref":"http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6","ca_tls_container_ref":"http://198.51.100.10:9311/v1/containers/5f0d5540-fae6-4646-85d6-8a84883807fb","crl_container_ref":"http://198.51.100.10:9311/v1/containers/6faf0a01-6892-454c-aaac-650282820c0b","tls_enabled":true}}' http://198.51.100.10:9876/v2/lbaas/pools

api-ref/source/v2/examples/pool-create-request.json

@@ -13,6 +13,7 @@
         "tags": ["test_tag"],
         "tls_container_ref": "http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6",
         "ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/5f0d5540-fae6-4646-85d6-8a84883807fb",
-        "crl_container_ref": "http://198.51.100.10:9311/v1/containers/6faf0a01-6892-454c-aaac-650282820c0b"
+        "crl_container_ref": "http://198.51.100.10:9311/v1/containers/6faf0a01-6892-454c-aaac-650282820c0b",
+        "tls_enabled": true
     }
 }

api-ref/source/v2/examples/pool-create-response.json

@@ -30,6 +30,7 @@
         "tags": ["test_tag"],
         "tls_container_ref": "http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6",
         "ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/5f0d5540-fae6-4646-85d6-8a84883807fb",
-        "crl_container_ref": "http://198.51.100.10:9311/v1/containers/6faf0a01-6892-454c-aaac-650282820c0b"
+        "crl_container_ref": "http://198.51.100.10:9311/v1/containers/6faf0a01-6892-454c-aaac-650282820c0b",
+        "tls_enabled": true
     }
 }

api-ref/source/v2/examples/pool-show-response.json

@@ -30,6 +30,7 @@
         "tags": ["test_tag"],
         "tls_container_ref": "http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6",
         "ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/5f0d5540-fae6-4646-85d6-8a84883807fb",
-        "crl_container_ref": "http://198.51.100.10:9311/v1/containers/6faf0a01-6892-454c-aaac-650282820c0b"
+        "crl_container_ref": "http://198.51.100.10:9311/v1/containers/6faf0a01-6892-454c-aaac-650282820c0b",
+        "tls_enabled": false
     }
 }

api-ref/source/v2/examples/pool-update-curl

@@ -1 +1 @@
-curl -X PUT -H "Content-Type: application/json" -H "X-Auth-Token: <token>" -d '{"pool":{"lb_algorithm":"LEAST_CONNECTIONS","session_persistence":{"type":"SOURCE_IP"},"description":"second description","name":"second_name","tags":["updated_tag"],"tls_container_ref":"http://198.51.100.10:9311/v1/containers/c1cd501d-3cf9-4873-a11b-a74bebcde929","ca_tls_container_ref":null,"crl_container_ref":null}}' http://198.51.100.10:9876/v2/lbaas/pools/4029d267-3983-4224-a3d0-afb3fe16a2cd
+curl -X PUT -H "Content-Type: application/json" -H "X-Auth-Token: <token>" -d '{"pool":{"lb_algorithm":"LEAST_CONNECTIONS","session_persistence":{"type":"SOURCE_IP"},"description":"second description","name":"second_name","tags":["updated_tag"],"tls_container_ref":"http://198.51.100.10:9311/v1/containers/c1cd501d-3cf9-4873-a11b-a74bebcde929","ca_tls_container_ref":null,"crl_container_ref":null,"tls_enabled":false}}' http://198.51.100.10:9876/v2/lbaas/pools/4029d267-3983-4224-a3d0-afb3fe16a2cd

api-ref/source/v2/examples/pool-update-request.json

@@ -9,6 +9,7 @@
         "tags": ["updated_tag"],
         "tls_container_ref": "http://198.51.100.10:9311/v1/containers/c1cd501d-3cf9-4873-a11b-a74bebcde929",
         "ca_tls_container_ref": null,
-        "crl_container_ref": null
+        "crl_container_ref": null,
+        "tls_enabled": false
     }
 }

api-ref/source/v2/examples/pool-update-response.json

@@ -30,6 +30,7 @@
         "tags": ["updated_tag"],
         "tls_container_ref": "http://198.51.100.10:9311/v1/containers/c1cd501d-3cf9-4873-a11b-a74bebcde929",
         "ca_tls_container_ref": null,
-        "crl_container_ref": null
+        "crl_container_ref": null,
+        "tls_enabled": false
     }
 }

api-ref/source/v2/examples/pools-list-response.json

@@ -36,7 +36,8 @@
             "tags": ["test_tag"],
             "tls_container_ref": "http://198.51.100.10:9311/v1/containers/4073846f-1d5e-42e1-a4cf-a7046419d0e6",
             "ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/5f0d5540-fae6-4646-85d6-8a84883807fb",
-            "crl_container_ref": "http://198.51.100.10:9311/v1/containers/6faf0a01-6892-454c-aaac-650282820c0b"
+            "crl_container_ref": "http://198.51.100.10:9311/v1/containers/6faf0a01-6892-454c-aaac-650282820c0b",
+            "tls_enabled": true
         }
     ]
 }

api-ref/source/v2/pool.inc

@@ -64,6 +64,7 @@ Response Parameters
    - session_persistence: session_persistence
    - tags: tags
    - tls_container_ref: tls_container_ref
+   - tls_enabled: tls_enabled
    - updated_at: updated_at
 
 Response Example
@@ -174,6 +175,7 @@ Request
    - protocol: protocol-pools
    - session_persistence: session_persistence-optional
    - tags: tags-optional
+   - tls_enabled: tls_enabled-optional
    - tls_container_ref: tls_container_ref-optional
 
 .. _session_persistence:
@@ -254,6 +256,7 @@ Response Parameters
    - provisioning_status: provisioning_status
    - session_persistence: session_persistence
    - tags: tags
+   - tls_enabled: tls_enabled
    - tls_container_ref: tls_container_ref
    - updated_at: updated_at
 
@@ -324,6 +327,7 @@ Response Parameters
    - provisioning_status: provisioning_status
    - session_persistence: session_persistence
    - tags: tags
+   - tls_enabled: tls_enabled
    - tls_container_ref: tls_container_ref
    - updated_at: updated_at
 
@@ -375,6 +379,7 @@ Request
    - pool_id: path-pool-id
    - session_persistence: session_persistence-optional
    - tags: tags-optional
+   - tls_enabled: tls_enabled-optional
    - tls_container_ref: tls_container_ref-optional
 
 Request Example
@@ -412,6 +417,7 @@ Response Parameters
    - provisioning_status: provisioning_status
    - session_persistence: session_persistence
    - tags: tags
+   - tls_enabled: tls_enabled
    - tls_container_ref: tls_container_ref
    - updated_at: updated_at
 

doc/source/contributor/guides/providers.rst

@@ -691,6 +691,9 @@ contain the following:
 | tls_container_ref     | string | The reference to the secrets             |
 |                       |        | container.                               |
 +-----------------------+--------+------------------------------------------+
+| tls_enabled           | bool   | True when backend re-encryption is       |
+|                       |        | enabled.                                 |
++-----------------------+--------+------------------------------------------+
 
 Delete
 ^^^^^^
@@ -754,6 +757,9 @@ contain the following:
 | tls_container_ref     | string | The reference to the secrets             |
 |                       |        | container.                               |
 +-----------------------+--------+------------------------------------------+
+| tls_enabled           | bool   | True when backend re-encryption is       |
+|                       |        | enabled.                                 |
++-----------------------+--------+------------------------------------------+
 
 The pool will be in the ``PENDING_UPDATE`` provisioning_status when it is
 passed to the driver. The driver will update the provisioning_status of the

octavia/api/drivers/data_models.py

@@ -173,7 +173,7 @@ class Pool(BaseDataModel):
                  session_persistence=Unset, tls_container_ref=Unset,
                  tls_container_data=Unset, ca_tls_container_ref=Unset,
                  ca_tls_container_data=Unset, crl_container_ref=Unset,
-                 crl_container_data=Unset):
+                 crl_container_data=Unset, tls_enabled=Unset):
 
         self.admin_state_up = admin_state_up
         self.description = description
@@ -192,6 +192,7 @@ class Pool(BaseDataModel):
         self.ca_tls_container_data = ca_tls_container_data
         self.crl_container_ref = crl_container_ref
         self.crl_container_data = crl_container_data
+        self.tls_enabled = tls_enabled
 
 
 class Member(BaseDataModel):

octavia/api/v2/controllers/load_balancer.py

@@ -432,8 +432,9 @@ class LoadBalancersController(base.BaseController):
                     detail='Pools must be named when creating a fully '
                            'populated loadbalancer.')
             # If a pool has more than a name, assume it's a full specification
-            # (but use >2 because it will also have "enabled" as default)
+            # (but use >3 because it will also have "enabled" and "tls_enabled"
-            if default_pool and len(default_pool) > 2:
+            # as default)
+            if default_pool and len(default_pool) > 3:
                 pools.append(default_pool)
                 l['default_pool'] = {'name': pool_name}
             # Otherwise, it's a reference and we record it and move on
@@ -450,8 +451,9 @@ class LoadBalancersController(base.BaseController):
                         detail='Pools must be named when creating a fully '
                                'populated loadbalancer.')
                 # If a pool has more than a name, assume it's a full spec
-                # (but use >2 because it will also have "enabled" as default)
+                # (but use >2 because it will also have "enabled" and
-                if redirect_pool and len(redirect_pool) > 2:
+                # "tls_enabled" as default)
+                if redirect_pool and len(redirect_pool) > 3:
                     pool_name = redirect_pool['name']
                     policy['redirect_pool'] = {'name': pool_name}
                     pools.append(redirect_pool)

octavia/api/v2/types/pool.py

@@ -82,6 +82,7 @@ class PoolResponse(BasePoolType):
     tls_container_ref = wtypes.wsattr(wtypes.StringType())
     ca_tls_container_ref = wtypes.wsattr(wtypes.StringType())
     crl_container_ref = wtypes.wsattr(wtypes.StringType())
+    tls_enabled = wtypes.wsattr(bool)
 
     @classmethod
     def from_data_model(cls, data_model, children=False):
@@ -156,6 +157,7 @@ class PoolPOST(BasePoolType):
         wtypes.StringType(max_length=255))
     ca_tls_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
     crl_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
+    tls_enabled = wtypes.wsattr(bool, default=False)
 
 
 class PoolRootPOST(types.BaseType):
@@ -174,6 +176,7 @@ class PoolPUT(BasePoolType):
     tls_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
     ca_tls_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
     crl_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
+    tls_enabled = wtypes.wsattr(bool)
 
 
 class PoolRootPut(types.BaseType):
@@ -195,6 +198,7 @@ class PoolSingleCreate(BasePoolType):
     tls_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
     ca_tls_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
     crl_container_ref = wtypes.wsattr(wtypes.StringType(max_length=255))
+    tls_enabled = wtypes.wsattr(bool, default=False)
 
 
 class PoolStatusResponse(BasePoolType):

octavia/common/data_models.py

@@ -264,7 +264,8 @@ class Pool(BaseDataModel):
                  load_balancer=None, listeners=None, l7policies=None,
                  created_at=None, updated_at=None, provisioning_status=None,
                  tags=None, tls_certificate_id=None,
-                 ca_tls_certificate_id=None, crl_container_id=None):
+                 ca_tls_certificate_id=None, crl_container_id=None,
+                 tls_enabled=None):
         self.id = id
         self.project_id = project_id
         self.name = name
@@ -287,6 +288,7 @@ class Pool(BaseDataModel):
         self.tls_certificate_id = tls_certificate_id
         self.ca_tls_certificate_id = ca_tls_certificate_id
         self.crl_container_id = crl_container_id
+        self.tls_enabled = tls_enabled
 
     def update(self, update_dict):
         for key, value in update_dict.items():

octavia/common/jinja/haproxy/jinja_cfg.py

@@ -297,7 +297,8 @@ class JinjaTemplater(object):
             constants.HTTP_REUSE: feature_compatibility.get(
                 constants.HTTP_REUSE, False),
             'ca_tls_path': '',
-            'crl_path': ''
+            'crl_path': '',
+            'tls_enabled': pool.tls_enabled
         }
         members = [self._transform_member(x, feature_compatibility)
                    for x in pool.members]

octavia/common/jinja/haproxy/templates/macros.j2

@@ -210,28 +210,26 @@ frontend {{ listener.id }}
     {% else %}
         {% set member_enabled_opt = " disabled" %}
     {% endif %}
-    {% if pool.client_cert or pool.ca_cert %}
+    {% if pool.tls_enabled %}
         {% set def_opt_prefix = " ssl" %}
     {% else %}
         {% set def_opt_prefix = "" %}
     {% endif %}
-    {% if pool.client_cert %}
+    {% if pool.client_cert and pool.tls_enabled %}
         {% set def_crt_opt = " crt %s"|format(pool.client_cert) %}
     {% else %}
         {% set def_crt_opt = "" %}
     {% endif %}
-    {% if pool.ca_cert %}
+    {% if pool.ca_cert and pool.tls_enabled %}
         {% set ca_opt = " ca-file %s"|format(pool.ca_cert) %}
         {% set def_verify_opt = " verify required" %}
         {% if pool.crl %}
             {% set crl_opt = " crl-file %s"|format(pool.crl) %}
         {% else %}
-            {% set crl_opt = "" %}
+            {% set def_verify_opt = "" %}
         {% endif %}
-    {% else %}
+    {% elif pool.tls_enabled %}
-        {% set ca_opt = "" %}
+        {% set def_verify_opt = " verify none" %}
-        {% set def_verify_opt = "" %}
-        {% set crl_opt = "" %}
     {% endif %}
     {{ "server %s %s:%d weight %s%s%s%s%s%s%s%s%s%s%s"|e|format(
         member.id, member.address, member.protocol_port, member.weight,

octavia/db/migration/alembic_migrations/versions/a7f187cd221f_add_tls_boolean_type_for_reencryption.py

@@ -0,0 +1,37 @@
+# Copyright 2018 Huawei
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+
+"""Add tls boolean type for backend re-encryption
+
+Revision ID: a7f187cd221f
+Revises: 74aae261694c
+Create Date: 2018-11-01 20:47:52.405865
+
+"""
+
+
+from alembic import op
+import sqlalchemy as sa
+
+# revision identifiers, used by Alembic.
+revision = 'a7f187cd221f'
+down_revision = '74aae261694c'
+
+
+def upgrade():
+    op.add_column(u'pool',
+                  sa.Column(u'tls_enabled', sa.Boolean(),
+                            server_default=sa.sql.expression.false(),
+                            nullable=False))

octavia/db/models.py

@@ -331,6 +331,7 @@ class Pool(base_models.BASE, base_models.IdMixin, base_models.ProjectMixin,
     tls_certificate_id = sa.Column(sa.String(255), nullable=True)
     ca_tls_certificate_id = sa.Column(sa.String(255), nullable=True)
     crl_container_id = sa.Column(sa.String(255), nullable=True)
+    tls_enabled = sa.Column(sa.Boolean, default=False, nullable=False)
 
     # This property should be a unique list of any listeners that reference
     # this pool as its default_pool and any listeners referenced by enabled

octavia/tests/functional/api/v2/test_pool.py

@@ -859,6 +859,26 @@ class TestPool(base.BaseAPITest):
             pool_prov_status=constants.PENDING_CREATE,
             pool_op_status=constants.OFFLINE)
 
+    def test_create_with_tls_enabled_only(self):
+        api_pool = self.create_pool(
+            self.lb_id,
+            constants.PROTOCOL_HTTP,
+            constants.LB_ALGORITHM_ROUND_ROBIN,
+            listener_id=self.listener_id,
+            tls_enabled=True).get(self.root_tag)
+        self.assert_correct_status(
+            lb_id=self.lb_id, listener_id=self.listener_id,
+            pool_id=api_pool.get('id'),
+            lb_prov_status=constants.PENDING_UPDATE,
+            listener_prov_status=constants.PENDING_UPDATE,
+            pool_prov_status=constants.PENDING_CREATE,
+            pool_op_status=constants.OFFLINE)
+        self.set_lb_status(self.lb_id)
+        self.assertTrue(api_pool.get('tls_enabled'))
+        self.assert_correct_status(
+            lb_id=self.lb_id, listener_id=self.listener_id,
+            pool_id=api_pool.get('id'))
+
     @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
     def test_create_with_tls_container_ref(self, mock_cert_data):
         tls_container_ref = uuidutils.generate_uuid()
@@ -1315,6 +1335,79 @@ class TestPool(base.BaseAPITest):
             self.assert_correct_status(
                 lb_id=self.udp_lb_id, listener_id=self.udp_listener_id)
 
+    def test_update_with_tls_enabled_only(self):
+        api_pool = self.create_pool(
+            self.lb_id,
+            constants.PROTOCOL_HTTP,
+            constants.LB_ALGORITHM_ROUND_ROBIN,
+            listener_id=self.listener_id).get(self.root_tag)
+        self.set_lb_status(lb_id=self.lb_id)
+        self.assertFalse(api_pool['tls_enabled'])
+        new_pool = {'tls_enabled': True}
+        self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')),
+                 self._build_body(new_pool))
+        self.assert_correct_status(
+            lb_id=self.lb_id, listener_id=self.listener_id,
+            pool_id=api_pool.get('id'),
+            lb_prov_status=constants.PENDING_UPDATE,
+            listener_prov_status=constants.PENDING_UPDATE,
+            pool_prov_status=constants.PENDING_UPDATE)
+        self.set_lb_status(self.lb_id)
+        response = self.get(self.POOL_PATH.format(
+            pool_id=api_pool.get('id'))).json.get(self.root_tag)
+        self.assertTrue(response.get('tls_enabled'))
+        self.assertIsNotNone(response.get('created_at'))
+        self.assertIsNotNone(response.get('updated_at'))
+        self.assert_correct_status(
+            lb_id=self.lb_id, listener_id=self.listener_id,
+            pool_id=response.get('id'))
+
+    @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
+    def test_update_with_tls_enabled_only_on_pool_certs_exist(
+            self, mock_cert_data):
+        tls_container_ref = uuidutils.generate_uuid()
+        ca_tls_container_ref = uuidutils.generate_uuid()
+        crl_container_ref = uuidutils.generate_uuid()
+        pool_cert = data_models.TLSContainer(certificate='pool cert')
+        mock_cert_data.return_value = {'tls_cert': pool_cert,
+                                       'sni_certs': [],
+                                       'client_ca_cert': None}
+        self.cert_manager_mock().get_secret.side_effect = [
+            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
+            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
+            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL]
+        api_pool = self.create_pool(
+            self.lb_id,
+            constants.PROTOCOL_HTTP,
+            constants.LB_ALGORITHM_ROUND_ROBIN,
+            listener_id=self.listener_id,
+            tls_container_ref=tls_container_ref,
+            ca_tls_container_ref=ca_tls_container_ref,
+            crl_container_ref=crl_container_ref).get(self.root_tag)
+        self.set_lb_status(lb_id=self.lb_id)
+        self.assertFalse(api_pool['tls_enabled'])
+
+        new_pool = {'tls_enabled': True}
+        self.cert_manager_mock().get_cert.reset_mock()
+        self.cert_manager_mock().get_secret.reset_mock()
+        self.put(self.POOL_PATH.format(pool_id=api_pool.get('id')),
+                 self._build_body(new_pool))
+        self.assert_correct_status(
+            lb_id=self.lb_id, listener_id=self.listener_id,
+            pool_id=api_pool.get('id'),
+            lb_prov_status=constants.PENDING_UPDATE,
+            listener_prov_status=constants.PENDING_UPDATE,
+            pool_prov_status=constants.PENDING_UPDATE)
+        self.set_lb_status(self.lb_id)
+        response = self.get(self.POOL_PATH.format(
+            pool_id=api_pool.get('id'))).json.get(self.root_tag)
+        self.assertTrue(response.get('tls_enabled'))
+        self.assertIsNotNone(response.get('created_at'))
+        self.assertIsNotNone(response.get('updated_at'))
+        self.assert_correct_status(
+            lb_id=self.lb_id, listener_id=self.listener_id,
+            pool_id=response.get('id'))
+
     @mock.patch(
         'octavia.common.tls_utils.cert_parser.load_certificates_data')
     def test_update_with_tls_container_ref(self, mock_cert_data):

octavia/tests/functional/db/test_models.py

@@ -87,7 +87,8 @@ class ModelTestMixin(object):
                   'lb_algorithm': constants.LB_ALGORITHM_LEAST_CONNECTIONS,
                   'provisioning_status': constants.ACTIVE,
                   'operating_status': constants.ONLINE,
-                  'enabled': True}
+                  'enabled': True,
+                  'tls_enabled': False}
         kwargs.update(overrides)
         return self._insert(session, models.Pool, kwargs)
 

octavia/tests/functional/db/test_repositories.py

@@ -180,7 +180,8 @@ class AllRepositoriesTest(base.OctaviaDBTestBase):
                 'id': uuidutils.generate_uuid(),
                 'provisioning_status': constants.ACTIVE,
                 'tags': ['test_tag'],
-                'tls_certificate_id': uuidutils.generate_uuid()}
+                'tls_certificate_id': uuidutils.generate_uuid(),
+                'tls_enabled': False}
         pool_dm = self.repos.create_pool_on_load_balancer(
             self.session, pool, listener_id=self.listener.id)
         pool_dm_dict = pool_dm.to_dict()
@@ -211,7 +212,8 @@ class AllRepositoriesTest(base.OctaviaDBTestBase):
                 'id': uuidutils.generate_uuid(),
                 'provisioning_status': constants.ACTIVE,
                 'tags': ['test_tag'],
-                'tls_certificate_id': uuidutils.generate_uuid()}
+                'tls_certificate_id': uuidutils.generate_uuid(),
+                'tls_enabled': False}
         sp = {'type': constants.SESSION_PERSISTENCE_HTTP_COOKIE,
               'cookie_name': 'cookie_monster',
               'pool_id': pool['id'],
@@ -254,7 +256,7 @@ class AllRepositoriesTest(base.OctaviaDBTestBase):
                 'project_id': uuidutils.generate_uuid(),
                 'id': uuidutils.generate_uuid(),
                 'provisioning_status': constants.ACTIVE,
-                'tags': ['test_tag']}
+                'tags': ['test_tag'], 'tls_enabled': False}
         pool_dm = self.repos.create_pool_on_load_balancer(
             self.session, pool, listener_id=self.listener.id)
         update_pool = {'protocol': constants.PROTOCOL_TCP, 'name': 'up_pool'}
@@ -288,7 +290,8 @@ class AllRepositoriesTest(base.OctaviaDBTestBase):
                 'id': uuidutils.generate_uuid(),
                 'provisioning_status': constants.ACTIVE,
                 'tags': ['test_tag'],
-                'tls_certificate_id': uuidutils.generate_uuid()}
+                'tls_certificate_id': uuidutils.generate_uuid(),
+                'tls_enabled': False}
         sp = {'type': constants.SESSION_PERSISTENCE_HTTP_COOKIE,
               'cookie_name': 'cookie_monster',
               'pool_id': pool['id'],
@@ -391,7 +394,8 @@ class AllRepositoriesTest(base.OctaviaDBTestBase):
                 'enabled': True, 'operating_status': constants.ONLINE,
                 'project_id': uuidutils.generate_uuid(),
                 'id': uuidutils.generate_uuid(),
-                'provisioning_status': constants.ACTIVE}
+                'provisioning_status': constants.ACTIVE,
+                'tls_enabled': False}
         pool_dm = self.repos.create_pool_on_load_balancer(
             self.session, pool, listener_id=self.listener.id)
         update_pool = {'tls_certificate_id': uuidutils.generate_uuid()}

octavia/tests/unit/api/drivers/amphora_driver/test_amphora_driver.py

@@ -178,8 +178,11 @@ class TestAmphoraDriver(base.TestRpc):
         old_provider_pool = driver_dm.Pool(
             pool_id=self.sample_data.pool1_id)
         provider_pool = driver_dm.Pool(
-            pool_id=self.sample_data.pool1_id, name='Great pool')
+            pool_id=self.sample_data.pool1_id, name='Great pool',
-        pool_dict = {'name': 'Great pool'}
+            admin_state_up=True, tls_enabled=True)
+        pool_dict = {'name': 'Great pool',
+                     'enabled': True,
+                     'tls_enabled': True}
         self.amp_driver.pool_update(old_provider_pool, provider_pool)
         payload = {consts.POOL_ID: self.sample_data.pool1_id,
                    consts.POOL_UPDATES: pool_dict}

octavia/tests/unit/api/drivers/sample_data_models.py

@@ -214,7 +214,8 @@ class SampleDriverDataModels(object):
                                 'ca_tls_certificate_id':
                                     self.pool_ca_container_ref,
                                 'crl_container_id':
-                                    self.pool_crl_container_ref}
+                                    self.pool_crl_container_ref,
+                                'tls_enabled': True}
 
         self.test_pool1_dict.update(self._common_test_dict)
 
@@ -257,7 +258,8 @@ class SampleDriverDataModels(object):
             'ca_tls_container_ref': self.pool_ca_container_ref,
             'ca_tls_container_data': pool_ca_file_content,
             'crl_container_ref': self.pool_crl_container_ref,
-            'crl_container_data': pool_crl_file_content
+            'crl_container_data': pool_crl_file_content,
+            'tls_enabled': True
         }
 
         self.provider_pool2_dict = copy.deepcopy(self.provider_pool1_dict)

octavia/tests/unit/common/jinja/haproxy/test_jinja_cfg.py

@@ -768,10 +768,11 @@ class TestHaproxyCfg(base.TestCase):
               "check inter 30s fall 3 rise 2 cookie sample_member_id_2 "
               "{opts}\n\n").format(
             maxconn=constants.HAPROXY_MAX_MAXCONN,
-            opts="%s %s %s" % ("ssl", "crt", cert_file_path))
+            opts="ssl crt %s verify none" % cert_file_path)
         rendered_obj = self.jinja_cfg.render_loadbalancer_obj(
             sample_configs.sample_amphora_tuple(),
-            sample_configs.sample_listener_tuple(pool_cert=True),
+            sample_configs.sample_listener_tuple(
+                pool_cert=True, tls_enabled=True),
             pool_tls_certs={
                 'sample_pool_id_1':
                     {'client_cert': cert_file_path,
@@ -810,7 +811,8 @@ class TestHaproxyCfg(base.TestCase):
         rendered_obj = self.jinja_cfg.render_loadbalancer_obj(
             sample_configs.sample_amphora_tuple(),
             sample_configs.sample_listener_tuple(
-                pool_cert=True, pool_ca_cert=True, pool_crl=True),
+                pool_cert=True, pool_ca_cert=True, pool_crl=True,
+                tls_enabled=True),
             pool_tls_certs={
                 'sample_pool_id_1':
                     {'client_cert': pool_client_cert,

octavia/tests/unit/common/sample_configs/sample_configs.py

@@ -121,7 +121,8 @@ RET_POOL_1 = {
     'stick_size': '10k',
     constants.HTTP_REUSE: False,
     'ca_tls_path': '',
-    'crl_path': ''}
+    'crl_path': '',
+    'tls_enabled': False}
 
 RET_POOL_2 = {
     'id': 'sample_pool_id_2',
@@ -135,7 +136,8 @@ RET_POOL_2 = {
     'stick_size': '10k',
     constants.HTTP_REUSE: False,
     'ca_tls_path': '',
-    'crl_path': ''}
+    'crl_path': '',
+    'tls_enabled': False}
 
 
 RET_DEF_TLS_CONT = {'id': 'cont_id_1', 'allencompassingpem': 'imapem',
@@ -534,7 +536,8 @@ def sample_listener_tuple(proto=None, monitor=True, alloc_default_pool=True,
                           timeout_tcp_inspect=0,
                           client_ca_cert=False, client_crl_cert=False,
                           ssl_type_l7=False, pool_cert=False,
-                          pool_ca_cert=False, pool_crl=False):
+                          pool_ca_cert=False, pool_crl=False,
+                          tls_enabled=False):
     proto = 'HTTP' if proto is None else proto
     if be_proto is None:
         be_proto = 'HTTP' if proto is 'TERMINATED_HTTPS' else proto
@@ -560,14 +563,14 @@ def sample_listener_tuple(proto=None, monitor=True, alloc_default_pool=True,
                 persistence_cookie=persistence_cookie,
                 monitor_ip_port=monitor_ip_port, monitor_proto=monitor_proto,
                 pool_cert=pool_cert, pool_ca_cert=pool_ca_cert,
-                pool_crl=pool_crl),
+                pool_crl=pool_crl, tls_enabled=tls_enabled),
             sample_pool_tuple(
                 proto=be_proto, monitor=monitor, persistence=persistence,
                 persistence_type=persistence_type,
                 persistence_cookie=persistence_cookie, sample_pool=2,
                 monitor_ip_port=monitor_ip_port, monitor_proto=monitor_proto,
                 pool_cert=pool_cert, pool_ca_cert=pool_ca_cert,
-                pool_crl=pool_crl)]
+                pool_crl=pool_crl, tls_enabled=tls_enabled)]
         l7policies = [
             sample_l7policy_tuple('sample_l7policy_id_1', sample_policy=1),
             sample_l7policy_tuple('sample_l7policy_id_2', sample_policy=2),
@@ -588,7 +591,7 @@ def sample_listener_tuple(proto=None, monitor=True, alloc_default_pool=True,
                 monitor_ip_port=monitor_ip_port, monitor_proto=monitor_proto,
                 backup_member=backup_member, disabled_member=disabled_member,
                 pool_cert=pool_cert, pool_ca_cert=pool_ca_cert,
-                pool_crl=pool_crl)]
+                pool_crl=pool_crl, tls_enabled=tls_enabled)]
         l7policies = []
     return in_listener(
         id='sample_listener_id_1',
@@ -608,7 +611,8 @@ def sample_listener_tuple(proto=None, monitor=True, alloc_default_pool=True,
             monitor_proto=monitor_proto,
             pool_cert=pool_cert,
             pool_ca_cert=pool_ca_cert,
-            pool_crl=pool_crl
+            pool_crl=pool_crl,
+            tls_enabled=tls_enabled
         ) if alloc_default_pool else '',
         connection_limit=connection_limit,
         tls_certificate_id='cont_id_1' if tls else '',
@@ -683,14 +687,15 @@ def sample_pool_tuple(proto=None, monitor=True, persistence=True,
                       sample_pool=1, monitor_ip_port=False,
                       monitor_proto=None, backup_member=False,
                       disabled_member=False, has_http_reuse=True,
-                      pool_cert=False, pool_ca_cert=False, pool_crl=False):
+                      pool_cert=False, pool_ca_cert=False, pool_crl=False,
+                      tls_enabled=False):
     proto = 'HTTP' if proto is None else proto
     monitor_proto = proto if monitor_proto is None else monitor_proto
     in_pool = collections.namedtuple(
         'pool', 'id, protocol, lb_algorithm, members, health_monitor, '
                 'session_persistence, enabled, operating_status, '
                 'tls_certificate_id, ca_tls_certificate_id, '
-                'crl_container_id, ' + constants.HTTP_REUSE)
+                'crl_container_id, tls_enabled, ' + constants.HTTP_REUSE)
     if (proto == constants.PROTOCOL_UDP and
             persistence_type == constants.SESSION_PERSISTENCE_SOURCE_IP):
         kwargs = {'persistence_type': persistence_type,
@@ -729,7 +734,8 @@ def sample_pool_tuple(proto=None, monitor=True, persistence=True,
         operating_status='ACTIVE', has_http_reuse=has_http_reuse,
         tls_certificate_id='pool_cont_1' if pool_cert else None,
         ca_tls_certificate_id='pool_ca_1' if pool_ca_cert else None,
-        crl_container_id='pool_crl' if pool_crl else None)
+        crl_container_id='pool_crl' if pool_crl else None,
+        tls_enabled=tls_enabled)
 
 
 def sample_member_tuple(id, ip, enabled=True, operating_status='ACTIVE',

releasenotes/notes/Add-pool-tls_enabled-f189677c0e13c447.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    You can now enable TLS backend re-encryption for connections to member
+    servers by enabling tls_enabled option on pools.