This patch moves the system scope configuration in the policy override example files out to a separate override file. This way the new default roles can be enabled independently of system scoped tokens. This helps us align to the changes in the secure-RBAC spec[1].
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
Change-Id: I1b41780f3ca84ceca563d668ae8bb40011a60bf4
(cherry picked from commit 5ab6e3d30f6af23084782345845cad9bcdcd1953)
(cherry picked from commit c8dd836e9cc8f143c0be12bb34d1309ba1181c6e)
OpenSSL genrsa is deprecated in favor of genpkey, and fails in FIPS mode.
Update the relevant calls to use genpkey instead.
Change-Id: I1aab9faa8afe845e445e620d1800785d2e19ad1e
(cherry picked from commit 36a642d9d0b95b6337558144450bbc7802784c23)
Several edits from early January 2021.
Tech review edits from two devs incorporated. Thanks!
Additional comments from Brian added. Thanks!
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: Iddcbe83dc4b3fec796ac94339f2839818890ab2f
The spares pool feature was deprecated in Victoria; we decided to remove it
during the Xena release cycle.
Change-Id: I830c6a4c49fa47105f788cf99a0f775e5dbdcaea
The healthcheck endpoint should cache results to reduce the potential load on the backend systems being tested.
This patch adds the caching and a configuration setting for the interval
between cache refreshes.
Change-Id: Ic97a991437144f3a220d9b96839cec5b63565f8c
Story: 2008203
Task: 40987
As per the community goal of migrating the policy file
format from JSON to YAML[1], we need to do two things:
1. Change the default value of the '[oslo_policy] policy_file'
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.
2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.
[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html
Change-Id: I8b78c7b640ab18ddfc809cb4603decc739d494d1
Also removed a block of shell code in install-ubuntu.rst,
because the block triggered an error in the doc job and it was unused.
Change-Id: I41033e8cd9710a91b9502db11577b1f1cb85fa46
Add SCTP support in the Amphora (with keepalived).
Add amphora-health-checker script for customized SCTP health checks
(INIT/INIT-ACK/ABORT).
Change-Id: I30997ae6cc6b8ec724f0e9dcfdfe49356b320ff4
Story: 2007884
Task: 40932
ALPN is a TLS extension for application-layer protocol negotiation
within the TLS handshake [1].
This patch extends the Pool API to include a new 'alpn_protocols'
parameter. With this parameter, users can set an ALPN preference list
(descending order of preference) to be advertised by the load balancer to
members.
This patch also adds HTTP/2 over TLS support to TLS-enabled pools to the
Amphora provider driver, although the default pool ALPN protocol list
configuration setting has HTTP/2 disabled, similarly to the default
listener ALPN protocol list value added in the Victoria release.
[1] https://tools.ietf.org/html/rfc7301
Change-Id: I91924486bab22601c15c538c8a5282ad8bc54700
Add SCTP support in the API for listeners, pools, health-monitors
resources.
Story: 2007884
Task: 40255
Change-Id: I57a3c528a20943724bdcd36422c689f496068330
Use of the spares pool was originally recommended to increase provisioning
speed, but since Nova's server groups do not support adding existing VMs,
Octavia cannot support use of the spares pool with the Active-Standby
topology. Since this is our recommended topology for production deployments,
and speed is less essential in development/testing environments (the
only place we could recommend the use of Single topology), the overhead of
maintaining spares pool support exceeds its theoretical usefulness.
Change-Id: I7375e9758c7ae80e2370189117e8e63c79446490
This patch adds support for the proxy protocol v2 on pools.
Depends-On: https://review.opendev.org/747296
Change-Id: Ic112c5e71ee9b6433b307fdf27059f217ba4136e
Story: 2005611
Task: 30858
As Octavia allows the use of RedisTaskFlowDriver or
ZookeeperTaskFlowDriver, we should install Python clients that
allow working with the redis and zookeeper backends.
Story: 2007892
Change-Id: I7312c8c1057618e909339aa7a4dfeb836f4b8f33
This patch will update the amphora v2 code for the failover refactor[1].
[1] https://review.opendev.org/705317
Change-Id: I43803d0b750e8ca4722ababe296f2725148da405
ALPN is a TLS extension for application-layer protocol negotiation
within the TLS handshake [1].
This patch extends the Listener API to include a new 'alpn_protocols'
parameter. With this parameter, users can set an ALPN preference list
(descending order of preference).
Presently, the amphora provider driver is limited to http/1.0 and
http/1.1 ALPN protocol IDs. Support for "h2" (HTTP/2 over TLS) depends
on HAProxy 2.0 or newer.
[1] https://tools.ietf.org/html/rfc7301
Change-Id: If08a8169498cdfaa75440e8971ba0caff45ac4c4
This patch adds a new configuration setting to enable/disable jobboard
functionality in the amphorav2 provider. When disabled, the amphorav2
provider behaves similarly to the amphora v1 provider.
The default setting is jobboard disabled while jobboard remains an
experimental feature.
Change-Id: I063d832f5a049d7ae38378766200c7f82a35996d
The basic cookbook document implied that pools without a health
monitor would eventually remove a failed member from the pool.
This will not happen: if there is no health monitor, the members
are assumed to be ONLINE.
Change-Id: I6c52f163d8ac0456b4faf7d9bf5cc4a19ee6eeb7
Oslo.policy is moving away from using json format policy files[1].
This patch updates the Octavia documentation, policy configuration file, and
legacy admin-or-owner policy file to be in yaml format.
Octavia will continue to honor and support the json format file as long
as oslo.policy does, but this patch will encourage new deployments
to use the yaml format.
[1] https://docs.openstack.org/oslo.policy/latest/admin/policy-json-file.html
Change-Id: I925cc05981e677c0552b18f845fdbc512d2af22c
We missed updating the provider driver feature matrix for a few
new Octavia features. This patch updates the matrix.
Change-Id: I328830df19fb8df6ea93cee2ad2f0dbda03279a1
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems
Update Sphinx version as well.
Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.
Disable openstackdocs_auto_name to use 'project' variable as name.
Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.
openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.
See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html
Change-Id: I87889f73207ecd940963fbe601ccbb79863b96ac
In the section about creating a key pair for the amphora instance, there
were a few small typos. This change fixes those.
TrivialFix
Change-Id: Ic6af32cc566abb6931ef61c979407780121e4bb6
Signed-off-by: Raimund Hook <openstack@sting-ray.za.net>
Introduce TaskFlowServiceController which uses taskflow
jobboard feature and saves jobs info into persistence backend.
Jobboard could be operated via RedisTaskFlowDriver or
ZookeeperTaskFlowDriver, that could be set via the config.
RedisTaskFlowDriver is introduced as the default backend for jobboard.
Usage of jobboard allows jobs to be resumed in case of restart/stop
of Octavia controller services.
Persistence backend saves the state of flow tasks that is required in
case of resuming a job. SQLAlchemy backend is used here.
Bump taskflow version to 3.7.1 and add dependency to
SQLAlchemy-Utils (required for taskflow sqlalchemy
backend support).
Story: 2005072
Task: 30806
Task: 30816
Task: 30817
Change-Id: I92ee4e879e98e4718d2e9aba56486341223a9157
healthcheck middleware adds a /healthcheck url that allows
unauthenticated access to provide a simple check when running
octavia-api behind a load balancer
https://docs.openstack.org/oslo.middleware/latest/reference/healthcheck_plugins.html
Co-authored-by: Michael Johnson <johnsomor@gmail.com>
Change-Id: I10db6226750f7b7c703067d2ab82eea3a9875112
We missed a line when removing the requirement to grant Octavia
access to the secret in barbican.
This patch corrects that oversight.
Change-Id: I3c6459becc415d6dc0792c44ca75e717b239cd92
This patch adds a warning box to the load balancer cookbook clarifying
that the health monitor type of 'PING' should only be used in specific
cases.
This was called out in release notes, but was not clear in the cookbook.
Change-Id: I6b95891bec82e01c44b288cbe9796b1f87a07c32
Add a section to the basic cookbook that explains how to set up a UDP
load balancer with UDP-CONNECT health monitor.
And fix typos.
Change-Id: Ib67a5c9437e3190f640a953c30f791cb34690910