2694 Commits

Author SHA1 Message Date
German Eichberger
6a6e0d243b Refactors LB delete flow and removes listener delete
This refactors the method generating the lb delete flow and
removes redundant code between cascade and the normal delete.
It also removes the listener delete from the non-cascade flow,
thus speeding up the deletion.

Change-Id: I6133e9b5f1c4c440a56bf75a1e3369424971f33a
2019-03-14 10:29:26 +00:00
Zuul
c6eb595796 Merge "Set octavia available in tempest config" 2019-03-12 12:37:36 +00:00
Zuul
93baf20b7d Merge "Resolve amphora agent read timeout issue" 2019-03-12 12:35:53 +00:00
Zuul
f935cab208 Merge "Fix an amphora driver bug for TLS client auth" 2019-03-11 18:56:43 +00:00
Zuul
404607b705 Merge "Fix parallel plug vip" 2019-03-11 18:56:38 +00:00
Zuul
7fc5406bd2 Merge "Fix performance of housekeeping DB clean up" 2019-03-11 18:56:32 +00:00
Zuul
5b3b0c6b16 Merge "Add a prelude to the Stein release notes" 2019-03-10 10:13:36 +00:00
Zuul
6e1ecac44d Merge "Fix updates to the provider driver guide." 2019-03-09 08:54:56 +00:00
Michael Johnson
4c0fd91dcc Add a prelude to the Stein release notes
This patch adds a prelude to the Stein release notes and fixes some
formatting issues in previous Stein release notes.

Change-Id: Ic0e8d9e70eb61ef471304ecfd9985c8da0725b3d
2019-03-09 00:07:06 +00:00
Zuul
ff1a4761be Merge "Updates Octavia to support octavia-lib" 2019-03-08 13:29:07 +00:00
Zuul
6362aa4a2a Merge "Fix health monitor exception" 2019-03-08 01:29:47 +00:00
Michael Johnson
8997def2b5 Updates Octavia to support octavia-lib
This is the base patch that updates octavia to use the new octavia-lib.
It is backwards compatible by using debtcollector moves.

It adds a new controller process called the "driver-agent".

This patch also adds unit test coverage for a few additional modules.

Depends-On: https://review.openstack.org/#/c/641180/

Change-Id: I438e1548ec0fb6111d1ab85b05015007d9d0a006
2019-03-07 14:40:22 +01:00
Adam Harwell
838719a09a Remove outdated/incorrect certificate advice
This was from when we thought Anchor was the future of our internal cert
authority configuration. Self-signed certs are perfectly acceptable for
production deployments.

Change-Id: I5351a3bc4f1d80846ecbc7e1a77a47d9b91d7de7
2019-03-06 15:27:35 -08:00
Zuul
c00faa7edd Merge "Trivial: Remove unused OCTAVIA_AMP_SUBNET_ID" 2019-03-06 21:00:27 +00:00
Zuul
564659a3d0 Merge "Support Host header inject for healthmonitor HTTP 1.1 health check" 2019-03-06 18:49:32 +00:00
Michael Johnson
128d05b4c4 Fix updates to the provider driver guide.
Recent patches have missed some updates to the provider driver guide.
This patch corrects those oversights.

Change-Id: Ibf6c4bbfe56bd398e01043486406f3c4aef9db95
2019-03-06 10:29:59 -08:00
Zuul
e74f19bc0b Merge "Encrypt certs and keys" 2019-03-06 02:38:21 +00:00
ZhaoBo
44833d5d5e Support Host header inject for healthmonitor HTTP 1.1 health check
This patch adds 2 new options for the healthmonitor HTTP health check.
'http_version' is for the user to specify the HTTP version; 1.0 and 1.1 are
available.
'domain_name' is for the user to specify the HTTP Host header to inject to check
the HTTP backend health.
'domain_name' is only available when the HTTP version is 1.1.

Story: 2002160
Task: 20010
Change-Id: Id3bf3962a02fbf77cf886c40ac64588cbacd3832
2019-03-06 01:24:31 +00:00
Kenichi Omichi
309ef2fb43 Trivial: Remove unused OCTAVIA_AMP_SUBNET_ID
OCTAVIA_AMP_SUBNET_ID is not used at all anywhere, as shown by
http://codesearch.openstack.org/?q=OCTAVIA_AMP_SUBNET_ID&i=nope&files=&repos=
In addition, the nearby OCTAVIA_AMP_NETWORK_ID is also unused.
So let's remove them for cleanup.

Change-Id: I3c52ed2154aac9ba4476c718ae921c7f2fbe4fba
2019-03-06 00:48:11 +00:00
Adit Sarfaty
f941ca741a Fix health monitor exception
expected_codes validation raised the wrong error

Change-Id: Iebe5331e549d5313a0b71907a0f628e79666eab8
2019-03-05 15:05:00 +02:00
ZhaoBo
25fb7e4c32 Support L7policy redirect http code
Currently, L7Policy already supports redirection by url_prefix.
Then we can support redirection with an HTTP code.

This patch adds a new option 'redirect_http_code' to the L7Policy API.

Story: 2003609
Task: 24941
Change-Id: Id0c9c376ffbc2fb10ddb988537d0ef1a8205e586
2019-03-04 15:04:53 -08:00
Zuul
24e80ba44c Merge "Amp driver support sni option to send the hostname to backend" 2019-03-02 14:01:14 +00:00
Zuul
5942aacf02 Merge "Add boolean tls_enabled option into Pool" 2019-03-02 11:57:22 +00:00
Zuul
51e93fe4fd Merge "Add 2 new fields into Pool API for support re-encryption" 2019-03-02 08:13:23 +00:00
Zuul
d719a1f359 Merge "Pool support sni cert for backend re-encryption" 2019-03-02 04:16:15 +00:00
Michael Johnson
ac8e0c8f40 Fix an amphora driver bug for TLS client auth
There was a missing translation for TLS client authentication update
calls.

Change-Id: I52cacaed4759599210e2e2c7390460124391861d
2019-02-28 16:38:54 -08:00
ZhaoBo
acf6c36633 Amp driver support sni option to send the hostname to backend
If the TLS option of the Pool is True, we configure an sni option by default in
the associated members' configuration, which is "sni ssl_fc_sni".

Story: 2003858
Task: 26684
Change-Id: Id61e0302dac3a5471b4fcb526b4edec50ec1a6fc
2019-03-01 00:20:58 +00:00
ZhaoBo
e0e9af3b51 Add boolean tls_enabled option into Pool
Add the "tls_enabled" option to the Pool API.
This option will work in cert cases or no-cert cases.

Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I62e31aaa66748ba652dfd5dbfd5a8b06d9ba0dfe
2019-03-01 00:20:38 +00:00
ZhaoBo
7aa115a553 Add 2 new fields into Pool API for support re-encryption
Add tls_ca_container_id and crl_container_id to the Pool API.

Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I6cd6e2ca8e48a5df707a70d22505dec9d752c7eb
2019-02-28 16:20:09 -08:00
ZhaoBo
aa7ac7ab73 Pool support sni cert for backend re-encryption
Add 1 field like Listener has, which is 'tls_container_ref'. This
field is introduced into Pool to store the pool client certificate for
the backend servers, for when the traffic is willing to bring a cert to the
servers and check for a TLS connection.

Story: 2003859
Task: 26685
Change-Id: I29b7c7116e6087c942179ed9efdead494ef277a3
2019-02-28 11:36:48 -08:00
Michael Johnson
1f709e3355 Fix parallel plug vip
A recent patch[1] introduced parallel network configuration on load
balancer boot. However, this patch has a race condition between the
parallel booting amphorae.
This patch corrects this by making the get amphora network configurations
task work on a single amphora if one is presented to the task.

Change-Id: Ideb050a215b0b0335ea94163650959994f987008
Story: 2005080
Task: 29659
2019-02-27 14:55:52 -08:00
Zuul
612b042e64 Merge "L7rule support client certificate cases" 2019-02-26 11:07:35 +00:00
Zuul
486eee5862 Merge "Add new ssl header into Listener for client certificate" 2019-02-26 11:07:30 +00:00
Zuul
f9bb294206 Merge "Add crl-file option for certification" 2019-02-26 11:07:29 +00:00
Zuul
4f00f7f520 Merge "Add an option to the Octavia V2 listener API for client cert" 2019-02-26 11:04:52 +00:00
Zuul
a569a6e935 Merge "Add client_ca_tls_container_ref to listener API" 2019-02-26 10:54:59 +00:00
Michael Johnson
b6bf419885 Set octavia available in tempest config
This patch updates the octavia devstack plugin to set the
"[service_available]" octavia = True.

Change-Id: Ia6d31e0ba1c569af7ab6d1ec39fe691c2a491ea8
2019-02-25 08:39:13 -08:00
Zuul
6008859476 Merge "Fix the loss of access to barbican secrets" 2019-02-25 06:22:43 +00:00
ZhaoBo
f77d7d0220 L7rule support client certificate cases
This patch adds 4 new types for SSL connection ACL configuration,
which are:
L7RULE_TYPE_SSL_CONN_HAS_CERT
L7RULE_TYPE_VERIFY_RESULT
L7RULE_TYPE_DN_FIELD

The first type can only accept the compare type "EQUAL_TO" and the value
"True" string.
The second can only accept an int value string to check the certificate
verify result, and also only supports the "EQUAL_TO" compare type.
The third can accept a key, the distinguished name field, and a match string;
this one supports all kinds of compare types.

Story: 2002165
Task: 20025
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I71b57d0f32d4839a770396645d2b9945d24f2853
2019-02-24 23:31:09 +00:00
ZhaoBo
aa1bca0271 Add new ssl header into Listener for client certificate
Add new ssl headers:
'X-SSL-Client-Verify', 'X-SSL-Client-Has-Cert', 'X-SSL-Client-DN',
'X-SSL-Client-CN', 'X-SSL-Issuer', 'X-SSL-Client-SHA1',
'X-SSL-Client-Not-Before', 'X-SSL-Client-Not-After'

Allow users to send to the backend with multiple choices when
tls_terminated is enabled for client certificate.

Story: 2002165
Task: 20020

Change-Id: I112936ee85c9e0dcfb87b962176ba7d623989a30
2019-02-24 23:30:59 +00:00
ZhaoBo
20509e2337 Add crl-file option for certification
Add crl-file in Listener side.

Story: 2002165
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I9e2ec06719fbbfd19482c2b8d39220e7e4ed81e3
2019-02-24 15:29:59 -08:00
Michael Johnson
72b382b46d Fix the loss of access to barbican secrets
The listener delete method could remove access to barbican secrets that
are used on multiple listeners, in different roles.
It is also not thread safe and was untested.
This patch removes the "unset_acls" calls from the listener delete method.

Change-Id: Ic832fcd2a5a45993f8414b7514b1a58dcec13de3
Story: 2005041
Task: 29536
2019-02-24 10:57:46 -08:00
Nir Magnezi
ae7c87f54a Encrypt certs and keys
Octavia creates certificates and keys to manage an encrypted
communication channel to amphorae.
When debug is enabled, the python taskflow module will log
all the information we provide to tasks (and sub-flows)
when we create amphorae or handle anything related to
certificate and key management (rotations, etc).

There are ways to tell taskflow to exclude specific things
from being logged (e.g., I136081045787c1bbe3ee846d5845a34201c57864).
While this prevents some information in specific flows from being
logged, it is susceptible to code changes.

To avoid an everlasting whack-a-mole game, this patch will merely
encrypt sensitive information so we can safely log it, and decrypt
it only when we need to use it.

Change-Id: I06d329ca53bc36bd27f7870ae7c7ca0cf18575b2
2019-02-24 15:41:20 +02:00
ZhaoBo
7a8eb3ce22 Add an option to the Octavia V2 listener API for client cert
Listener API for client certificate authentication with "None,
Optional, Mandatory" options

Story: 2002165
Task: 20019
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: Ia753659981d99b315504f166c09afb8f5b14f195
2019-02-24 01:52:20 +00:00
ZhaoBo
0cc546a7c7 Add client_ca_tls_container_ref to listener API
This patch adds 'client_ca_tls_container_ref' to the listener API for front
client authentication.

Story: 2002165
Task: 20018
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I8a96d6fdfe53a16d1abcfd09bc6afedd6c490de2
2019-02-24 01:51:35 +00:00
Carlos Goncalves
68b86f85f5 Enable debug for Octavia services in grenade job
Change-Id: I9333e8f58006efb48d076e24c0f6dc4673674a95
2019-02-23 00:19:03 +00:00
Zuul
6e0bed1c54 Merge "Set the default retries down to 120" 2019-02-21 09:31:50 +00:00
Zuul
f309139324 Merge "Fix oslo messaging connection leakage" 2019-02-21 08:41:35 +00:00
Zuul
dae35c56b5 Merge "Update json module to jsonutils" 2019-02-21 07:53:31 +00:00
Zuul
372ff99a03 Merge "Fix auto setup Barbican's ACL in the legacy driver." 2019-02-21 06:10:08 +00:00