Previously, if a secret became unavailable in barbican, the user saw
a generic error raised from the barbican client and was unable to delete
load balancer resources. This patch corrects both of those issues.
Change-Id: I97bd1b2a97a44d0a0566ae56167fa4f2e503ee2d
Story: 2006676
Task: 37012
Task: 37077
It appears that these are required to have the upper constraints properly applied. We need to revert this change.
This reverts commit 7b8e6de1b8230e5d31ca36624e7fdfba25e3e077.
Change-Id: I4941df3894148482c597d30f3a8db70659fd1b7a
This patch adds a cookbook section for creating backend re-encryption
pools with optional client authentication.
Change-Id: If2a732d7b692f3cd6c422efbb1f71103ffecc4c9
This patch adds a cookbook section for creating client authentication
enabled listeners.
It also removes two references to granting access to secrets in
barbican that are no longer required.
Change-Id: Iaada1b5d519bfc57528aa15bae8c0ee2b55f0567
Octavia was using train jobs template: openstack-python3-train-jobs
but now we are in Ussuri cycle so let's switch to new template.
Modeled after neutron change https://review.opendev.org/#/c/688104/
Change-Id: I824c3ed541cfd42e3c8f02be5da694f42f40d7c2
Since the base testenv tox target sets `usedevelop=True`, tox will
install the application (Octavia) into the virtualenv as well. Since
installing Octavia will install everything in requirements.txt, we don't
need to specify it again in tox.ini.
Change-Id: I31bdb2956ae37d1116069c2b37656ce2ee3c2dd5
Use the bandit testenv block in tox.ini instead of inlining
it. Also changed the call back to '-x tests' since that is the
correct syntax; it was just broken in version 1.6.0, which
is now in the blacklist.
Change-Id: Id0bf1c6b1633ffb4143c7628b722434faf433d7d
Added the bashate script style checker to the pep8
check target in tox.ini. It actually found two valid
issues - a bad function declaration and a local variable
issue, but mostly just indentation noise. Fixed all the
complaints.
Change-Id: I43b60e7dcf53acf259c8a52b248fbb8c63d3c8d4
This patch adds the Amphora image building guide from the
diskimage-create README.rst to the Administration documentation.
It also re-organizes the Administration guides to be broken down
by category as the old page was becoming a long list of guides.
(I like that kind of problem)
The diskimage-create README has a few formatting corrections to make
it render better for the documentation.
Change-Id: Ice4071e1f872c8c0d0595427cff6f02ffbcf7968
The value of gunicorn's option `cert_reqs` for the client-cert requirement
does not take a boolean, but rather `ssl.CERT_REQUIRED`, which is `2`.
Story: 2006660
Task: 36916
SecurityImpact: CVE-2019-17134
Change-Id: I5619f5e40d7c9a2ee7741bf4664c0d2d08963992
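As an added illustration (not code from this commit or from Octavia), the snippet below shows why a boolean is the wrong type for this setting: `bool` is a subclass of `int`, so `True` is `1`, which the `ssl` module interprets as `CERT_OPTIONAL`, a mode that still accepts a peer presenting no certificate at all. The `check_cert_reqs` helper is my own construction for reviewing a parsed gunicorn setting; it assumes the configured value reaches `ssl.SSLContext.verify_mode` unchanged, which is what the commit message implies.

```python
import ssl

# The ssl module's verify-mode constants are small integers:
#   ssl.CERT_NONE == 0, ssl.CERT_OPTIONAL == 1, ssl.CERT_REQUIRED == 2
# Because bool subclasses int, True == 1 == ssl.CERT_OPTIONAL: a setting
# that reads as "client certs required" actually makes them optional.


def effective_verify_mode(cert_reqs):
    """Return the ssl.VerifyMode a server context ends up with when the
    given cert_reqs value is assigned to it, exactly as a config value
    passed through to the SSL layer would be. Raises ValueError for
    values that are not one of the three CERT_* modes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = cert_reqs
    return ctx.verify_mode


def check_cert_reqs(cert_reqs):
    """Classify a cert_reqs value the way a configuration linter would.

    Returns (enforced, message), where enforced is True only if a peer
    that presents no certificate would be rejected during the handshake.
    (Hypothetical helper written for this example.)
    """
    try:
        mode = effective_verify_mode(cert_reqs)
    except ValueError:
        return (False, "cert_reqs=%r is not a valid ssl verify mode" % (cert_reqs,))

    if isinstance(cert_reqs, bool):
        # The bug class described in the commit: the value looks right
        # but is silently treated as CERT_OPTIONAL (True) or CERT_NONE (False).
        return (False, "cert_reqs=%r is a bool and is treated as %s; "
                       "use ssl.CERT_REQUIRED (2)" % (cert_reqs, mode.name))

    if mode == ssl.CERT_REQUIRED:
        return (True, "client certificates are required")

    return (False, "cert_reqs=%r gives %s; a client without a certificate "
                   "is accepted" % (cert_reqs, mode.name))


if __name__ == "__main__":
    # Constructed sample values: the mistaken boolean, the correct constant,
    # its integer form, and an out-of-range value a typo might produce.
    for value in (True, ssl.CERT_REQUIRED, 2, 0, 7):
        enforced, message = check_cert_reqs(value)
        print("%-5s %s" % ("OK" if enforced else "WEAK", message))
```

Running the block prints a WEAK line for `True` even though `effective_verify_mode(True)` does not raise, which is the whole point: the misconfiguration is accepted silently by the SSL layer, so it has to be caught by an explicit check like this one or by a handshake test with a certificate-less client.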
When calling ./stack.sh twice, octavia devstack plugin fails because
local certificate directory already exists.
This commit deletes the directory each time a certificate creation
script is called and when the user cleans up his devstack's
installation.
Change-Id: I21dfffa9b30274fa0fa9f365a88222b8f4c89e29
Add file to the reno documentation build to show release notes for
stable/train.
Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/train.
Change-Id: I7240d59e81529cd787a3975cc834208ec5db3deb
Sem-Ver: feature
With new pylint release (2.4.1), new warnings were triggered:
- unnecessary-comprehension
- no-else-break
- no-else-continue
- import-outside-toplevel
Change-Id: I301cc9fc6b41e9e97f051df29d768b172cade636
When a user loads a bad pkcs12 bundle or one with a pass phrase into
barbican and then uses it for a TLS-TERMINATED listener, the error
we return to the user is misleading[1].
This patch improves the error message to point out that we got the
bundle from barbican, but that it is unreadable and/or protected
with a pass phrase.
[1] Could not retrieve certificate: [ ... ] (HTTP 400)
Change-Id: I6ad0349dba62b1141be07bfb0e40171e9f7a91b9
Story: 2006587
Task: 36713
The existing code selects the first IPv4 subnet in the network without
any consideration of IP availability. If not enough IPs are available,
load balancer creation fails. This patch uses the neutron IP
availability API to check the quantity of free IPs when creating a
load balancer with vip-network-id and skips subnets that do not have
enough IPs for a load balancer on multi-subnet networks.
Change-Id: If3c3cf9be085bb95b4ebbaf71e24f92d42b8d6e0
Task: 36004
Story: 2006293
The recently added tox "build" environment had a few problems:
1. It was not honoring the DIB_* environment variables which meant
it always built a master branch image.
2. It also failed to run repeatedly due to a cache directory path issue.
3. The built images were stored in a hidden folder ".amp_tox_test".
This patch fixes those issues, resolves a confusing
"dpkg Broken pipe" message, and adds a "Successfully built" message
at the end of the build that highlights which branch the image was
built against (master, stable/stein, etc.).
Change-Id: I826c5f753f159b2d5dee97d4e2922826444ea6da
Fernet checks[1] for a 32-character-long key, so Octavia should validate
the value provided for server_certs_key_passphrase, to reject an invalid
passphrase as early as possible.
This[2] Red Hat Bug showed a case in which an invalid passphrase got
configured, and as a result, Octavia was unable to create any
load balancers.
Related-bug: #1833942
[1] 784676de33/src/cryptography/fernet.py (L36)
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1723051
Change-Id: I334364d4654491bc0d289472ca9ab5fe462d5139
The 'additive_only' patch was missing the "min_version" parameter
in the api-ref. This patch fixes that so users will know which API
version supports this parameter.
Change-Id: I05439ea1dd01c35bedcfc3eaa5d17ed8dd2ca348
Multi-listener LB commit (Idaccbcfa0126f1e26fbb3ad770c65c9266cfad5b)
introduced a v2 message for octavia healthmonitor.
This commit fixes an issue with healthmonitor messages for UDP
listeners: they didn't follow the v2 message specification, since pool
dictionaries were stored in listener objects (v1 format) instead of
being stored in the root dictionary of the message.
Story: 2005736
Task: 33394
Change-Id: I93e5eb5bc69fe4de4c450c09367b319769ef07db
The amphora no-op driver had the wrong method signature for the
update_amphora_agent_config method.
This patch corrects that issue.
Change-Id: Ib1b0df3b7227d8a8dd68276e279cae1c4974ded2
openstackclient 4.0.0 introduced in
I9878f327e39f56852cc0fb6e4eee9105b7141da9 a new format for displaying
columns with complex python types.
It breaks our devstack plugin because we rely on 'openstack port show -c
fixed_ips -f value' to find the IP address of our management port.
This commit fixes the parsing of the openstack port show command.
Change-Id: I6c5ebdea8149166f8d0ebb69cfe63692892f5ab9
The neutron client will post debug messages with the word "Error"
which is misleading. In reality it is a simple 404 that an extension
is not enabled.
This patch raises the default logging level for the neutron client to
INFO to suppress these messages.
Change-Id: Iacee63120a0d60e312cc85c7fcb8e7351688af3d