A user came to the IRC channel with CLI errors:
"Client-side error: Validation failure: Missing project ID in
request where one is required."
The root cause was the [api_settings] auth_strategy was set to
"noauth" instead of "keystone".
This patch adds a warning log message to the API process that
warns users that typically the auth_strategy should be set to
keystone.
It also points the user to have an administrator check the keystone
settings in the octavia.conf.
Change-Id: I7793d7a9113b23ac88e7c53d5dc292a70b9453b5
This patch creates an Amphora v2 provider driver as well as a
V2 controller worker.
This is in preparation for having the amphora driver use the new
provider driver data models and rely less on native Octavia database
access.
It is also a preparation step for enabling TaskFlow JobBoard as
this work will move to storing dictionaries in the flows instead
of database models.
Change-Id: Ia65539a8c39560e2276750d8e79a637be4c0f265
Story: 2005072
Task: 30806
The current health monitor API does not properly handle
clearing/resetting values on update. Some integer only fields,
such as max_retries_down, will accept null, but will store the
value as "None". These will cause failures updating the
amphora configuration.
This patch corrects this to appropriately handle None/null updates
to the health monitor parameters.
Change-Id: Ida1d544933aec9e5cd556aef57a06e9f19f1b255
Story: 2005374
Task: 33533
The current member API does not properly handle clearing/resetting
values on update. Some integer only fields, such as weight,
will accept null, but will store the value as "None". These
will cause failures updating the amphora configuration.
This patch corrects this to appropriately handle None/null updates
to the member parameters.
Change-Id: I41038b1d8d882efa19d991c07dca47f06dcbb5ca
Story: 2005374
Task: 33523
The current pool API does not properly handle clearing/resetting
values on update. There was a case where removing the CA and CRL
at the same time could be refused, requiring you to remove the
CRL first, then the CA reference. This patch resolves that issue.
This patch corrects this to appropriately handle None/null updates
to the pool parameters.
Change-Id: Iee8a12b693a09e96e59313e58beffe1b1985084f
Story: 2005374
Task: 31007
This resolves extraneous "improper escape sequence" warnings on
python 3.6+[1].
Note, this does not resolve those warnings from pylint. There
is already another proposed patch to address pylint[2].
[1] https://review.opendev.org/494322
[2] https://review.opendev.org/635236
Change-Id: Ie160436913e4d935bab118d31ba10193ac38bd8f
In order to support Python 3.7, pylint has to be updated to 2.0.0
minimum. Newer versions of Pylint enforce additional checkers which can
be addressed with some code refactoring rather than silently ignoring
them in pylintrc; except useless-object-inheritance which is required to
be silenced so that we stay compatible with Python 2.x.
Story: 2004073
Task: 27434
Change-Id: I52301d763797d619f195bd8a1c32bc47f1e68420
The current listener API does not properly handle clearing/resetting
values on update. Some integer only fields, such as connection-limit,
will accept null, but will store the value as "None". These
will cause failures updating the amphora configuration.
This patch corrects this to appropriately handle None/null updates
to the listener parameters.
Change-Id: I41c9bedd8a3452513af3d409fbacd65ea287f02a
Story: 2005374
Task: 30352
Load balancers were going in to ERROR when updating vip_qos_policy_id in
two different cases:
- QoS extension enabled: the VIP DB data model was incorrectly
constructed ('vip_qos_policy_id' where it should have been
'qos_policy_id')
- QoS extension disabled: setting a UUID or None would fail in the LB
update flow as the extension is disabled, and the API would return
HTTP 202 to the user.
Story: 2004602
Task: 28512
Change-Id: Ie974afa52fe70cbab72b7e7f75bf7ee1015e148c
In some edge cases, when a request comes in to update a child
resource (member, HM, or l7rule), the API would not always make
sure the parent object (pool or l7policy) was in a mutable status.
This patch fixes this by checking the parent provisioning_status
before allowing a mutable change on a child object.
It also resolves two cases where a parent object status was not being
reset on a reverted flow.
Change-Id: I86f76bebce0993215fd34ccd33251ba1e6c325a9
Story: 2005249
Task: 30043
This patch adds 2 new options for healthmonitor HTTP health check.
'http_version' is for user to specify the HTTP version, 1.0 and 1.1 are
available.
'domain_name' is for user to specify the HTTP host header to inject to check
the HTTP backend health.
'domain_name' is only available when HTTP version is 1.1
Story: 2002160
Task: 20010
Change-Id: Id3bf3962a02fbf77cf886c40ac64588cbacd3832
Currently, L7Policy already supports the redirection by url_prefix.
Then we can support the redirection with HTTP code.
This patch adds a new option 'redirect_http_code' to L7Policy API.
Story: 2003609
Task: 24941
Change-Id: Id0c9c376ffbc2fb10ddb988537d0ef1a8205e586
Add "tls_enabled" option in Pool API.
This option will work on cert cases or no cert cases.
Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I62e31aaa66748ba652dfd5dbfd5a8b06d9ba0dfe
Add tls_ca_container_id and crl_container_id into Pool API.
Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I6cd6e2ca8e48a5df707a70d22505dec9d752c7eb
Add 1 field like Listener does, which is 'tls_container_ref'. This
field is introduced into Pool for storing the pool client certificate to
the backend servers, when the traffic is willing to bring a cert to the
servers and check for TLS connection.
Story: 2003859
Task: 26685
Change-Id: I29b7c7116e6087c942179ed9efdead494ef277a3
Add new ssl headers:
'X-SSL-Client-Verify', 'X-SSL-Client-Has-Cert', 'X-SSL-Client-DN',
'X-SSL-Client-CN', 'X-SSL-Issuer', 'X-SSL-Client-SHA1',
'X-SSL-Client-Not-Before', 'X-SSL-Client-Not-After'
Allow users to send to the backend with multiple choices when
tls_terminated is enabled for client certificate.
Story: 2002165
Task: 20020
Change-Id: I112936ee85c9e0dcfb87b962176ba7d623989a30
Add crl-file in Listener side.
Story: 2002165
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I9e2ec06719fbbfd19482c2b8d39220e7e4ed81e3
The listener delete method could remove access to barbican secrets that
are used on multiple listeners, in different roles.
It is also not thread safe and was un-tested.
This patch removes the "unset_acls" calls from the listener delete method.
Change-Id: Ic832fcd2a5a45993f8414b7514b1a58dcec13de3
Story: 2005041
Task: 29536
Listener API for client certificate authentication with "None,
Optional, Mandatory" options
Story: 2002165
Task: 20019
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: Ia753659981d99b315504f166c09afb8f5b14f195
This patch adds 'client_ca_tls_container_ref' into listener API for front
client authentication.
Story: 2002165
Task: 20018
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I8a96d6fdfe53a16d1abcfd09bc6afedd6c490de2
Load balancers in ERROR provisioning status could not be failed over.
One possible scenario where LBs go into ERROR is when services are
started before compute nodes are up on a cluster reboot:
- Octavia services are started
- Health Manager does not receive heartbeat and triggers failover
- Failover fails due to lack of available compute nodes to spawn
amphora VMs
Story: 2005078
Task: 29657
Change-Id: Ic4b4516cd6b2a254ea32939668c906486066da42
This patch adds an API that allows operators to query a provider driver
for the list of supported flavor capabilities.
Change-Id: Ia3d62acdc3b1af2e666f58d32a06d2238706dee6
This patch adds support for flavor metadata validation by the amphora driver
and support for setting the load balancer topology via a flavor.
It also adds "flavor_id" to the load balancer table in the database.
Change-Id: I8eae870abdb20dc32917957e32606deef387ec88
This patch adds flavor and flavor_profile tables.
It also implements flavors and flavorprofiles apis.
Partially-Implements: Blueprint octavia-lbaas-flavors
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I99a673438458757d0acdaa46dd8ee041edb3be9c
Operators want to have the ability to see amphora flavor information.
But they haven't access permission of octavia configuration file. So
it is necessary to show amphora flavor information as part of command
'openstack loadbalancer amphora list/show'.
Story: 2002896
Task: 22986
Change-Id: Ib3ca05d816747d08ef7055ec532b81746468cbf9
Add tags support for all lb related resources. It includes:
load balancer, listener, member, pool, L7rule, L7policy
and health-monitor
Change-Id: Ib33a002b3b59820db29897454e9d4303c73310b2
Story: 2003890
Task: 26757
Default timeouts for backend member and frontend
client can be set now via config file.
Timeouts exposed in config in section haproxy_amphora:
* timeout_client_data
* timeout_member_connect
* timeout_member_data
* timeout_tcp_inspect
Change-Id: I6e1be42c5c15c4171b012734e4c2a1fded51dbc7
Partial-Bug: 1797130
Story: 2004042
Task: 27046