This patch adds a project_id field to all of the provider driver data
model objects.
This is useful for drivers to track/associate objects on the backend.
Change-Id: I8f509677da463bc5d0a7649f2f609045cf9b2dd7
A user came to the IRC channel with CLI errors:
"Client-side error: Validation failure: Missing project ID in
request where one is required."
The root cause was the [api_settings] auth_strategy was set to
"noauth" instead of "keystone".
This patch adds a warning log message to the API process that
warns users that typically the auth_strategy should be set to
keystone.
It also points the user to have an administrator check the keystone
settings in the octavia.conf.
Change-Id: I7793d7a9113b23ac88e7c53d5dc292a70b9453b5
This patch creates an Amphora v2 provider driver as well as a
V2 controller worker.
This is in preparation for having the amphora driver use the new
provider driver data models and rely less on native Octavia database
access.
It is also a prepartion step for enabling TaskFlow JobBoard as
this work will move to storing dictionaries in the flows instead
of database models.
Change-Id: Ia65539a8c39560e2276750d8e79a637be4c0f265
Story: 2005072
Task: 30806
The current health monitor API does not properly handle
clearing/reseting values on update. Some integer only fields,
such as max_retries_down, will accept null, but will store the
value as "None". These will will cause failures updating the
amphora configuration.
This patch corrects this to appropriately handle None/null updates
to the health monitor parameters.
Change-Id: Ida1d544933aec9e5cd556aef57a06e9f19f1b255
Story: 2005374
Task: 33533
The current member API does not properly handle clearing/reseting
values on update. Some integer only fields, such as weight,
will accept null, but will store the value as "None". These will
will cause failures updating the amphora configuration.
This patch corrects this to appropriately handle None/null updates
to the member parameters.
Change-Id: I41038b1d8d882efa19d991c07dca47f06dcbb5ca
Story: 2005374
Task: 33523
octavia_lib driver exceptions were not cought by call_provider
This patch add those exceptions, and also handles the native NotImplementedError
which does nto have all the expected fields.
Change-Id: I1a566353b7fb125184849b3a0f864d3ef6896d94
The current pool API does not properly handle clearing/reseting
values on update. There was a case where removing the CA and CRL
at the same time could be refused, requiring you to remove the
CRL first, then the CA reference. This patch resolves that issue.
This patch corrects this to appropriately handle None/null updates
to the pool parameters.
Change-Id: Iee8a12b693a09e96e59313e58beffe1b1985084f
Story: 2005374
Task: 31007
This resolves extranous "improper escape sequence" warnings on
python 3.6+[1].
Note, this does not resolve those warnings from pylint. There
is already another proposed patch to address pylint[2].
[1] https://review.opendev.org/494322
[2] https://review.opendev.org/635236
Change-Id: Ie160436913e4d935bab118d31ba10193ac38bd8f
In order to support Python 3.7, pylint has to be updated to 2.0.0
minimum. Newer versions of Pylint enforce additional checkers which can
be addressed with some code refactoring rather than silently ignoring
them in pylintrc; except useless-object-inheritance which is required to
be silented so that we stay compatible with Python 2.x.
Story: 2004073
Task: 27434
Change-Id: I52301d763797d619f195bd8a1c32bc47f1e68420
Includes some updates to docs and configs and related files to remove
references to neutron-lbaas. Also remove handlers.
Change-Id: I3082962841d3b645f3cbd1a6b41fc7fb28dcf7e6
The current listener API does not properly handle clearing/reseting
values on update. Some integer only fields, such as connection-limit,
will accept null, but will store the value as "None". These will
will cause failures updating the amphora configuration.
This patch corrects this to appropriately handle None/null updates
to the listener parameters.
Change-Id: I41c9bedd8a3452513af3d409fbacd65ea287f02a
Story: 2005374
Task: 30352
Load balancers were going in to ERROR when updating vip_qos_policy_id in
two different cases:
- QoS extension enabled: the VIP DB data model was incorrectly
constructed ('vip_qos_policy_id' where it should have been
'qos_policy_id')
- QoS extension disabled: setting an UUID or None would fail in the LB
update flow as the extension is disabled, and the API would return
HTTP 202 to the user.
Story: 2004602
Task: 28512
Change-Id: Ie974afa52fe70cbab72b7e7f75bf7ee1015e148c
In some edge cases, when a request comes in to update a child
resource (member, HM, or l7rule), the API would not always make
sure the parent object (pool or l7policy) was in a mutable status.
This patch fixes this by checking the parent provisioning_status
before allowing a muttable change on a child object.
It also resolves two cases where a parent object status was not being
reset on a reverted flow.
Change-Id: I86f76bebce0993215fd34ccd33251ba1e6c325a9
Story: 2005249
Task: 30043
This is the base patch that updates octavia to use the new octavia-lib.
It is backwards compatible by using debtcollector moves.
It adds a new controller process called the "driver-agent".
This patch also adds unit test coverage for a few additional modules.
Depends-On: https://review.openstack.org/#/c/641180/
Change-Id: I438e1548ec0fb6111d1ab85b05015007d9d0a006
This patch adds 2 new options for healthmonitor HTTP health check.
'http_version' is for user to specify the HTTP version, 1.0 and 1.1 are
available.
'domain_name' is for user to specify the HTTP host header inject to check
the HTTP backend health.
'domain_name' only available when HTTP version is 1.1
Story: 2002160
Task: 20010
Change-Id: Id3bf3962a02fbf77cf886c40ac64588cbacd3832
Currently, L7Policy already support the redirection by url_prefix.
Then we can support the redirection with HTTP code.
This patch adds an new option 'redirect_http_code' to L7Policy API.
Story: 2003609
Task: 24941
Change-Id: Id0c9c376ffbc2fb10ddb988537d0ef1a8205e586
Add "tls_enabled" option in Pool API.
This option will work on cert cases or no cert cases.
Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I62e31aaa66748ba652dfd5dbfd5a8b06d9ba0dfe
Add tls_ca_container_id and crl_container_id into Pool API.
Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I6cd6e2ca8e48a5df707a70d22505dec9d752c7eb
Add 1 fields like Listener does, which is 'tls_container_ref', this
field is introduced into Pool for storage the pool client certificate to
the backend servers, when the traffic willing to bring a cert to the
servers and check for tls connection.
Story: 2003859
Task: 26685
Change-Id: I29b7c7116e6087c942179ed9efdead494ef277a3
Add new ssl headers:
'X-SSL-Client-Verify', 'X-SSL-Client-Has-Cert', 'X-SSL-Client-DN',
'X-SSL-Client-CN', 'X-SSL-Issuer', 'X-SSL-Client-SHA1',
'X-SSL-Client-Not-Before', 'X-SSL-Client-Not-After'
Allow users to send to the backend with multiple choices when
tls_terminated is enabled for client certificate.
Story: 2002165
Task: 20020
Change-Id: I112936ee85c9e0dcfb87b962176ba7d623989a30
Add crl-file in Listener side.
Story: 2002165
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I9e2ec06719fbbfd19482c2b8d39220e7e4ed81e3
The listener delete method could remove access to barbican secrets that
are used on multiple listeners, in different roles.
It is also not thread safe and was un-tested.
This patch removes the "unset_acls" calls from the listener delete method.
Change-Id: Ic832fcd2a5a45993f8414b7514b1a58dcec13de3
Story: 2005041
Task: 29536
Listener API for client cerificate authentication with "None,
Optional, Mandatory" options
Story: 2002165
Task: 20019
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: Ia753659981d99b315504f166c09afb8f5b14f195
This patch add 'client_ca_tls_container_ref' into listener API for front
client authentication.
Story: 2002165
Task: 20018
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I8a96d6fdfe53a16d1abcfd09bc6afedd6c490de2
Load balancers in ERROR provisioning status could not be failed over.
One possible scenario where LBs go into ERROR is when services are
started before compute nodes are up on a cluster reboot:
- Octavia services are started
- Health Manager does not receive heartbeat and triggers failover
- Failover fails due to lack of availabble compute nodes to spawn
amphora VMs
Story: 2005078
Task: 29657
Change-Id: Ic4b4516cd6b2a254ea32939668c906486066da42
This patch adds a new flavor capability to the amphora driver called
'compute_flavor'. This allows an amphora flavor to specify a compute
(nova) flavor to be used for the load balancer instances.
Change-Id: I8626eebd906c935a47d3e3510d1dfefae307c4e9
Zuul