If the list of changes was empty, the worker would fail to fetch the
pool because it was retrieved implicitly from one of the changed
members. Pass it explicitly instead, and also short-circuit on NOOPs.
Story: 2006719
Task: 37090
Depends-On: https://review.opendev.org/#/c/688546/
Change-Id: I161a522abad4a2aa521ea46cb1065c5b05a2cd2e
Mocks were done slightly incorrectly for pyroute2, correct this and add
a missing mock for os.path.isfile since it only coincidentally worked.
Change-Id: Id178784ebb4a9da348d295201fd6aa715c5b4abe
This allows the Octavia devstack plugin to use IPv6 for the service
endpoint as well as for the lb-mgmt-net.
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I87917440565ea953ec0d762a7e219d912c56c418
Previously, if a secret became unavailable in barbican, the user saw
a generic error raised from the barbican client and was unable to delete
load balancer resources. This patch corrects both of those issues.
Change-Id: I97bd1b2a97a44d0a0566ae56167fa4f2e503ee2d
Story: 2006676
Task: 37012
Task: 37077
It appears that these are required to have the upper constraints properly applied. We need to revert this change.
This reverts commit 7b8e6de1b8230e5d31ca36624e7fdfba25e3e077.
Change-Id: I4941df3894148482c597d30f3a8db70659fd1b7a
This patch adds a cookbook section for creating backend re-encryption
pools with optional client authentication.
Change-Id: If2a732d7b692f3cd6c422efbb1f71103ffecc4c9
This patch adds a cookbook section for creating client authentication
enabled listeners.
It also removes two references to granting access to secrets in
barbican that are no longer required.
Change-Id: Iaada1b5d519bfc57528aa15bae8c0ee2b55f0567
Octavia was using train jobs template: openstack-python3-train-jobs
but now we are in Ussuri cycle so let's switch to new template.
Modeled after neutron change https://review.opendev.org/#/c/688104/
Change-Id: I824c3ed541cfd42e3c8f02be5da694f42f40d7c2
Since the base testenv tox target sets `usedevelop=True`, tox will
install the application (Octavia) into the virtualenv as well. Since
installing Octavia will install everything in requirements.txt, we don't
need to specify it again in tox.ini.
Change-Id: I31bdb2956ae37d1116069c2b37656ce2ee3c2dd5
Use the bandit testenv block in tox.ini instead of inlining
it. Also changed the call back to '-x tests' since that is
correct syntax, it was just broken in version 1.6.0, which
is now in the blacklist.
Change-Id: Id0bf1c6b1633ffb4143c7628b722434faf433d7d
Added the bashate script style checker to the pep8
check target in tox.ini. It actually found two valid
issues - a bad function declaration and a local variable
issue, but mostly just indentation noise. Fixed all the
complaints.
Change-Id: I43b60e7dcf53acf259c8a52b248fbb8c63d3c8d4
CentOS sets a restrictive umask by default that will override the
rsyslog file permissions settings. This can cause our tempest tests
to not be able to read the log offload files in our CentOS gate jobs.
This patch clears this umask override in the devstack rsyslog
configuration.
Note: This is a global setting for rsyslog and you probably do not
want to set this outside of a testing environment.
Change-Id: I5962e335acff79152fa49c27c883aef2879593db
Re-factored code to not insert a log-format line in haproxy
config when 'no log' is set in the template. Adjusted tests
as necessary.
Story: 2006181
Task: 35706
Change-Id: I8a0cdf7ee912d39d9ac24244728094a1d1e15c63
This patch adds the Amphora image building guide from the
diskimage-create README.rst to the Administration documentation.
It also re-organizes the Administration guides to be broken down
by category as the old page was becoming a long list of guides.
(I like that kind of problem)
The diskimage-create README has a few formatting corrections to make
it render better for the documentation.
Change-Id: Ice4071e1f872c8c0d0595427cff6f02ffbcf7968
The value of gunicorn's option `cert_reqs` for client-cert requirement
does not take a boolean, but rather `ssl.CERT_REQUIRED` which is `2`.
Story: 2006660
Task: 36916
SecurityImpact: CVE-2019-17134
Change-Id: I5619f5e40d7c9a2ee7741bf4664c0d2d08963992
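Added example (not code from the Octavia change): how Python's `ssl` module interprets a boolean supplied where a verify mode is expected. `True` equals the integer 1, which is `ssl.CERT_OPTIONAL`, so the server requests a client certificate but still completes the handshake without one. The function names and sample settings below are constructed for illustration.

```python
import ssl


def effective_verify_mode(cert_reqs):
    """Return the verify mode the ssl module actually applies for cert_reqs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # bool is a subclass of int, so True is accepted silently as 1.
    ctx.verify_mode = cert_reqs
    return ctx.verify_mode


def audit_cert_reqs(cert_reqs):
    """Report whether a configured value really enforces client certificates."""
    mode = effective_verify_mode(cert_reqs)
    return {
        "configured": repr(cert_reqs),
        "effective": mode.name,
        "passed_as_bool": isinstance(cert_reqs, bool),
        # Only CERT_REQUIRED makes the server reject clients without a cert.
        "client_cert_enforced": mode == ssl.CERT_REQUIRED,
    }


# Constructed sample settings: the boolean form next to the corrected form.
SAMPLE_SETTINGS = {
    "boolean True": True,
    "boolean False": False,
    "ssl.CERT_REQUIRED": ssl.CERT_REQUIRED,
}


def audit_all(settings=SAMPLE_SETTINGS):
    """Audit every sample setting and return the results keyed by label."""
    return {label: audit_cert_reqs(value) for label, value in settings.items()}


if __name__ == "__main__":
    for label, result in audit_all().items():
        print(f"{label:20} -> {result['effective']:14} "
              f"enforced={result['client_cert_enforced']}")
```

A configuration check along these lines can flag any `cert_reqs` value whose effective mode is not `CERT_REQUIRED` on a listener that is meant to require mutual TLS.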
When calling ./stack.sh twice, octavia devstack plugin fails because
local certificate directory already exists.
This commit deletes the directory each time a certificate creation
script is called and when the user cleans up his devstack's
installation.
Change-Id: I21dfffa9b30274fa0fa9f365a88222b8f4c89e29
Add file to the reno documentation build to show release notes for
stable/train.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/train.
Change-Id: I7240d59e81529cd787a3975cc834208ec5db3deb
Sem-Ver: feature
With new pylint release (2.4.1), new warnings were triggered:
- unnecessary-comprehension
- no-else-break
- no-else-continue
- import-outside-toplevel
Change-Id: I301cc9fc6b41e9e97f051df29d768b172cade636
The job broke around mid June and has not been fixed since that time.
Plus, Fedora 28 is no longer supported by the Fedora project and is not
tested by any of our dsvm scenario jobs. It is time to delete the job
from the periodic queue.
The community is more than welcome to help restore Fedora-based amphora
image builds. One might be interested in picking up change
https://review.opendev.org/#/c/673173/ where the build was successful
but did not pass the dsvm scenario job.
Change-Id: Ic07629adb9419c74d5ed957a0640fb1dc8253521
When a user loads a bad pkcs12 bundle or one with a pass phrase into
barbican and then uses it for a TLS-TERMINATED listener, the error
we return to the user is misleading[1].
This patch improves the error message to point out that we got the
bundle from barbican, but that it is unreadable and/or protected
with a pass phrase.
[1] Could not retrieve certificate: [ ... ] (HTTP 400)
Change-Id: I6ad0349dba62b1141be07bfb0e40171e9f7a91b9
Story: 2006587
Task: 36713
The existing code selects the first IPv4 subnet in the network without
any consideration of ip availability. If not enough IPs are available,
the loadbalancer creation fails. This patch uses neutron ip
availability API to check the quantity of free IPs when creating
loadbalancer with vip-network-id and skips subnets that do not have
enough IPs for a loadbalancer on multi subnet networks.
Change-Id: If3c3cf9be085bb95b4ebbaf71e24f92d42b8d6e0
Task: 36004
Story: 2006293