This refactors the method generating the lb delete flow and
removes redundant code between cascade and the normal delete.
It also removed the listener delete from the non-cascade flow
thus speeding up the deletion.
Change-Id: I6133e9b5f1c4c440a56bf75a1e3369424971f33a
This patch adds a prelude to the stein release notes and fixes some
formatting issues in previous Stein release notes.
Change-Id: Ic0e8d9e70eb61ef471304ecfd9985c8da0725b3d
This is the base patch that updates octavia to use the new octavia-lib.
It is backwards compatible by using debtcollector moves.
It adds a new controller process called the "driver-agent".
This patch also adds unit test coverage for a few additional modules.
Depends-On: https://review.openstack.org/#/c/641180/
Change-Id: I438e1548ec0fb6111d1ab85b05015007d9d0a006
This was from when we thought Anchor was the future of our internal cert
authority configuration. Self-signed certs are perfectly acceptable for
production deployments.
Change-Id: I5351a3bc4f1d80846ecbc7e1a77a47d9b91d7de7
Recent patches have missed some updates to the provider driver guide.
This patch corrects those oversights.
Change-Id: Ibf6c4bbfe56bd398e01043486406f3c4aef9db95
This patch adds 2 new options for healthmonitor HTTP health check.
'http_version' is for user to specify the HTTP version, 1.0 and 1.1 are
available.
'domain_name' is for user to specify the HTTP host header inject to check
the HTTP backend health.
'domain_name' only available when HTTP version is 1.1
Story: 2002160
Task: 20010
Change-Id: Id3bf3962a02fbf77cf886c40ac64588cbacd3832
Currently, L7Policy already support the redirection by url_prefix.
Then we can support the redirection with HTTP code.
This patch adds an new option 'redirect_http_code' to L7Policy API.
Story: 2003609
Task: 24941
Change-Id: Id0c9c376ffbc2fb10ddb988537d0ef1a8205e586
If the Tls option of Pool is True, we default configure a sni option in
the associated members configuration, which is "sni ssl_fc_sni".
Story: 2003858
Task: 26684
Change-Id: Id61e0302dac3a5471b4fcb526b4edec50ec1a6fc
Add "tls_enabled" option in Pool API.
This option will work on cert cases or no cert cases.
Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I62e31aaa66748ba652dfd5dbfd5a8b06d9ba0dfe
Add tls_ca_container_id and crl_container_id into Pool API.
Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I6cd6e2ca8e48a5df707a70d22505dec9d752c7eb
Add 1 fields like Listener does, which is 'tls_container_ref', this
field is introduced into Pool for storage the pool client certificate to
the backend servers, when the traffic willing to bring a cert to the
servers and check for tls connection.
Story: 2003859
Task: 26685
Change-Id: I29b7c7116e6087c942179ed9efdead494ef277a3
A recent patch[1] introduced parallel network configuration on load
balancer boot. However, this patch has a race condition between the
parallel booting amphora.
This patch corrects this by making the get amphora network configurations
task to work on a single amphora if one is presented to the task.
Change-Id: Ideb050a215b0b0335ea94163650959994f987008
Story: 2005080
Task: 29659
This patch add 4 new types for SSL connection ACL configuration.
Which are:
L7RULE_TYPE_SSL_CONN_HAS_CERT
L7RULE_TYPE_VERIFY_RESULT
L7RULE_TYPE_DN_FIELD
The first type can just accept the compare type "EQUAL_TO" and value
"True" string.
The second can just accept the int value string to check the certificate
verify result, also just support "EQUAL_TO" compare type.
The third can accept key, the distinguished name field and a match string,
this one supports all kind compare types.
Story: 2002165
Task: 20025
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I71b57d0f32d4839a770396645d2b9945d24f2853
Add new ssl headers:
'X-SSL-Client-Verify', 'X-SSL-Client-Has-Cert', 'X-SSL-Client-DN',
'X-SSL-Client-CN', 'X-SSL-Issuer', 'X-SSL-Client-SHA1',
'X-SSL-Client-Not-Before', 'X-SSL-Client-Not-After'
Allow users to send to the backend with multiple choices when
tls_terminated is enabled for client certificate.
Story: 2002165
Task: 20020
Change-Id: I112936ee85c9e0dcfb87b962176ba7d623989a30
Add crl-file in Listener side.
Story: 2002165
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I9e2ec06719fbbfd19482c2b8d39220e7e4ed81e3
The listener delete method could remove access to barbican secrets that
are used on multiple listeners, in different roles.
It is also not thread safe and was un-tested.
This patch removes the "unset_acls" calls from the listener delete method.
Change-Id: Ic832fcd2a5a45993f8414b7514b1a58dcec13de3
Story: 2005041
Task: 29536
Octavia creates certificates and keys to manage encrypted
communication channel to amphorae.
When debug is enabled, the python taskflow module will log
all the information we provide to tasks (and sub-flows)
when we create amphorae or handle with anything related to
certificates and keys management (rotations, etc).
There are ways to tell taskflow to exclude specific things
from being logged (e.g., I136081045787c1bbe3ee846d5845a34201c57864).
While this handles some information in specific flows from being
logged, it is susceptive to code changes.
To avoid an everlasting whack-a-mole game, this patch will merely
encrypt sensitive information so we can safely log it and decrypts
it only when we need to use it.
Change-Id: I06d329ca53bc36bd27f7870ae7c7ca0cf18575b2
Listener API for client cerificate authentication with "None,
Optional, Mandatory" options
Story: 2002165
Task: 20019
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: Ia753659981d99b315504f166c09afb8f5b14f195
This patch add 'client_ca_tls_container_ref' into listener API for front
client authentication.
Story: 2002165
Task: 20018
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I8a96d6fdfe53a16d1abcfd09bc6afedd6c490de2
