2989 Commits

Author SHA1 Message Date
Michael Johnson
7fcef817ec Fix issues with unavailable secrets
Previously, if a secret became unavailable in barbican, the user saw
a generic error raised from the barbican client and was unable to delete
load balancer resources. This patch corrects both of those issues.

Change-Id: I97bd1b2a97a44d0a0566ae56167fa4f2e503ee2d
Story: 2006676
Task: 37012
Task: 37077
2019-10-19 01:09:07 +00:00
Zuul
2f1987ccbe Merge "Revert "Clean up requirements.txt from tox.ini"" 2019-10-19 01:02:47 +00:00
Michael Johnson
fce2cd4f49 Revert "Clean up requirements.txt from tox.ini"
It appears that these are required to have the upper constraints properly applied. We need to revert this change.

This reverts commit 7b8e6de1b8230e5d31ca36624e7fdfba25e3e077.

Change-Id: I4941df3894148482c597d30f3a8db70659fd1b7a
2019-10-18 20:55:45 +00:00
Michael Johnson
076c3adc36 Add backend re-encryption to the LB cookbook
This patch adds a cookbook section for creating backend re-encryption
pools with optional client authentication.

Change-Id: If2a732d7b692f3cd6c422efbb1f71103ffecc4c9
2019-10-15 15:00:10 -07:00
Michael Johnson
4b4638e67d Add client authentication to the LB cookbook
This patch adds a cookbook section for creating client authentication
enabled listeners.

It also removes two references to granting access to secrets in
barbican that are no longer required.

Change-Id: Iaada1b5d519bfc57528aa15bae8c0ee2b55f0567
2019-10-15 13:45:55 -07:00
Zuul
25c31fe6d2 Merge "Use bandit block in tox.ini" 2019-10-14 22:50:27 +00:00
Zuul
3177aade97 Merge "Clean up requirements.txt from tox.ini" 2019-10-14 13:43:39 +00:00
Zuul
bbbf4fbe5c Merge "Switch to openstack-python3-ussuri-jobs" 2019-10-12 12:40:43 +00:00
Zuul
e842d739a2 Merge "Update the load balancing cookbook" 2019-10-12 12:40:40 +00:00
Zuul
95d35539bc Merge "Set neutron client logging to INFO" 2019-10-12 12:40:39 +00:00
Zuul
72c2527b7b Merge "Add bash script style checker to pep8 check" 2019-10-12 11:20:09 +00:00
Zuul
1876d42970 Merge "Add the Amphora image building guide to the docs" 2019-10-12 09:49:27 +00:00
Brian Haley
5934280e03 Switch to openstack-python3-ussuri-jobs
Octavia was using train jobs template: openstack-python3-train-jobs
but now we are in Ussuri cycle so let's switch to new template.
Modeled after neutron change https://review.opendev.org/#/c/688104/

Change-Id: I824c3ed541cfd42e3c8f02be5da694f42f40d7c2
2019-10-11 13:27:50 -04:00
Jim Rollenhagen
7b8e6de1b8 Clean up requirements.txt from tox.ini
Since the base testenv tox target sets `usedevelop=True`, tox will
install the application (Octavia) into the virtualenv as well. Since
installing Octavia will install everything in requirements.txt, we don't
need to specify it again in tox.ini.

Change-Id: I31bdb2956ae37d1116069c2b37656ce2ee3c2dd5
2019-10-10 18:40:58 -07:00
Brian Haley
65905cdb99 Use bandit block in tox.ini
Use the bandit testenv block in tox.ini instead of inlining
it. Also changed the call back to '-x tests' since that is
correct syntax, it was just broken in version 1.6.0, which
is now in the blacklist.

Change-Id: Id0bf1c6b1633ffb4143c7628b722434faf433d7d
2019-10-10 14:01:40 -04:00
Brian Haley
98448dce44 Add bash script style checker to pep8 check
Added the bashate script style checker to the pep8
check target in tox.ini. It actually found two valid
issues - a bad function declaration and a local variable
issue, but mostly just indentation noise. Fixed all the
complaints.

Change-Id: I43b60e7dcf53acf259c8a52b248fbb8c63d3c8d4
2019-10-10 13:54:58 -04:00
Brian Haley
e6cd43d6cc Remove duplicate keys in sample config files
W0109: Duplicate key 'protocol' in dictionary (duplicate-key)

Trivialfix

Change-Id: Ic194a030edd84106217eb5ac02f9b3190d3a7ba6
2019-10-09 21:19:58 -04:00
Michael Johnson
9be2e4d4d2 Add the Amphora image building guide to the docs
This patch adds the Amphora image building guide from the
diskimage-create README.rst to the Administration documentation.
It also re-organizes the Administration guides to be broken down
by category as the old page was becoming a long list of guides.
(I like that kind of problem)
The diskimage-create README has a few formatting corrections to make
it render better for the documentation.

Change-Id: Ice4071e1f872c8c0d0595427cff6f02ffbcf7968
2019-10-09 15:33:41 -07:00
Zuul
ca80bc9e03 Merge "Bump diskimage-builder minimum to 2.24.0" 2019-10-09 01:32:49 +00:00
Adam Harwell
b0c2cd7b4c Fix urgent amphora two-way auth security bug
The value of gunicorn's option `cert_reqs` for client-cert requirement
does not take a boolean, but rather `ssl.CERT_REQUIRED` which is `2`.

Story: 2006660
Task: 36916

SecurityImpact: CVE-2019-17134

Change-Id: I5619f5e40d7c9a2ee7741bf4664c0d2d08963992
2019-10-04 13:14:38 -07:00
Zuul
cb214ad13e Merge "Fix healthmonitor message v2 for UDP listeners" 2019-10-01 08:51:55 +00:00
Zuul
dfde453ea7 Merge "Update master for stable/train" 2019-10-01 08:51:52 +00:00
Zuul
8883660c7c Merge "Fix certificate directory creation" 2019-10-01 08:51:50 +00:00
Gregory Thiemonge
c7f4b4a9db Fix certificate directory creation
When calling ./stack.sh twice, octavia devstack plugin fails because
local certificate directory already exists.

This commit deletes the directory each time a certificate creation
script is called and when the user cleans up his devstack's
installation.

Change-Id: I21dfffa9b30274fa0fa9f365a88222b8f4c89e29
2019-09-27 09:40:08 +02:00
61532a0977 Update master for stable/train
Add file to the reno documentation build to show release notes for
stable/train.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/train.

Change-Id: I7240d59e81529cd787a3975cc834208ec5db3deb
Sem-Ver: feature
2019-09-26 19:54:38 +00:00
Maciej Józefczyk
d7f0c819e3 Validate supported LB algorithm in Amphora provider drivers
This patch adds supported LB algorithm validation in
Amphora provider drivers.

Change-Id: Ifc995ebe6165dbb57b8eb40bcc3c7e2a0eba94dc
Story: 2006264
Task: 35971
2019-09-26 07:03:18 +00:00
Gregory Thiemonge
d5ffd2ca40 Fix new pep8/pylint errors
With new pylint release (2.4.1), new warnings were triggered:
- unnecessary-comprehension
- no-else-break
- no-else-continue
- import-outside-toplevel

Change-Id: I301cc9fc6b41e9e97f051df29d768b172cade636
2019-09-25 15:36:55 +02:00
Zuul
8c8f447d29 Merge "Add unit test for failover of spare amphorae" 2019-09-23 23:01:48 +00:00
Zuul
4dd8bd65ea Merge "loadbalancer vip-network-id IP availability check" 2019-09-23 22:30:48 +00:00
Zuul
e97e360b76 Merge "Improve the error message for bad pkcs12 bundles" 2019-09-21 05:53:31 +00:00
Michael Johnson
a0f4335c38 Improve the error message for bad pkcs12 bundles
When a user loads a bad pkcs12 bundle or one with a pass phrase into
barbican and then uses it for a TLS-TERMINATED listener, the error
we return to the user is misleading[1].
This patch improves the error message to point out that we got the
bundle from barbican, but that it is unreadable and/or protected
with a pass phrase.

[1] Could not retrieve certificate: [ ... ] (HTTP 400)

Change-Id: I6ad0349dba62b1141be07bfb0e40171e9f7a91b9
Story: 2006587
Task: 36713
2019-09-20 08:26:58 -07:00
Austin Russell
cf90153967 loadbalancer vip-network-id IP availability check
The existing code selects the first IPv4 subnet in the network without
any consideration of IP availability. If not enough IPs are available,
the loadbalancer creation fails. This patch uses neutron ip
availability API to check the quantity of free IPs when creating
loadbalancer with vip-network-id and skips subnets that do not have
enough IPs for a loadbalancer on multi subnet networks.

Change-Id: If3c3cf9be085bb95b4ebbaf71e24f92d42b8d6e0
Task: 36004
Story: 2006293
2019-09-20 10:22:34 -04:00
Zuul
3ab36c8a15 Merge "Generate PDF documentation" 2019-09-20 07:05:15 +00:00
Michael Johnson
97058e925b Generate PDF documentation
This patch sets up PDF document generation for Octavia.

Story: 2006101
Task: 35146
Change-Id: I076335d08d5411fd629c3e8860f14980b0dbcb5a
2019-09-19 13:12:37 -07:00
Zuul
3ae9acb4f5 Merge "Fix building configs for multiple listeners" 2019-09-19 19:51:21 +00:00
Zuul
49ea96df73 Merge "Validate server_certs_key_passphrase is 32 chars" 2019-09-19 09:03:28 +00:00
Michael Johnson
fbe328397b Fix the diskimage-create tox "build" environment
The recently added tox "build" environment had a few problems:
1. It was not honoring the DIB_* environment variables which meant
it always built a master branch image.
2. It also failed to run repeatedly due to a cache directory path issue.
3. The built images were stored in a hidden folder ".amp_tox_test".

This patch fixes those issues, resolves a confusing
"dpkg Broken pipe" message, and adds a "Successfully built" message
at the end of the build that highlights which branch the image was
built against (master, stable/stein, etc.).

Change-Id: I826c5f753f159b2d5dee97d4e2922826444ea6da
2019-09-19 04:12:37 +00:00
Nir Magnezi
a77667339d Validate server_certs_key_passphrase is 32 chars
Fernet checks[1] for 32 characters long key, so Octavia should validate
the value provided for server_certs_key_passphrase, to reject an invalid
passphrase as early as possible.

This[2] Red Hat Bug showed a case in which an invalid passphrase got
configured, and as a result, Octavia was unable to create any
load balancers.

Related-bug: #1833942

[1] 784676de33/src/cryptography/fernet.py (L36)
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1723051

Change-Id: I334364d4654491bc0d289472ca9ab5fe462d5139
2019-09-19 04:12:24 +00:00
Zuul
a498823789 Merge "Fix the amphora no-op driver" 2019-09-19 00:17:24 +00:00
Zuul
f3cfe89df0 Merge "Fix the tips job for octavia-lib" 2019-09-19 00:04:21 +00:00
Zuul
38ff0be1dc Merge "Fix 'additive_only' parameter api-ref" 2019-09-18 08:59:39 +00:00
Zuul
5325f90a08 Merge "Use dual intermediate CAs for devstack" 2019-09-18 08:59:37 +00:00
Zuul
efb9009cd4 Merge "Work around strptime threading issue" 2019-09-18 08:59:36 +00:00
Zuul
e848f8e3a4 Merge "Fix base (VRRP) port abandoned on revert" 2019-09-18 08:15:25 +00:00
Michael Johnson
b9d357ac76 Fix 'additive_only' parameter api-ref
The 'additive_only' patch was missing the "min_version" parameter
in the api-ref. This patch fixes that so users will know which API
version supports this parameter.

Change-Id: I05439ea1dd01c35bedcfc3eaa5d17ed8dd2ca348
2019-09-18 05:50:00 +00:00
Gregory Thiemonge
cad80a6c7d Fix healthmonitor message v2 for UDP listeners
Multi-listener LB commit (Idaccbcfa0126f1e26fbb3ad770c65c9266cfad5b)
introduced a v2 message for octavia healthmonitor.

This commit fixes an issue with healthmonitor messages for UDP
listeners, they didn't follow the v2 message specification: pools
dictionaries were stored in listener objects (v1 format) instead of
being stored in the root dictionary of the message.

Story: 2005736
Task: 33394

Change-Id: I93e5eb5bc69fe4de4c450c09367b319769ef07db
2019-09-17 11:57:03 +02:00
Michael Johnson
5defc1e8a4 Fix the amphora no-op driver
The amphora no-op driver had the wrong method signature for the
update_amphora_agent_config method.

This patch corrects that issue.

Change-Id: Ib1b0df3b7227d8a8dd68276e279cae1c4974ded2
2019-09-17 00:13:09 +00:00
Gregory Thiemonge
926179c97d Fix openstack port show content handling
openstackclient 4.0.0 introduced in
I9878f327e39f56852cc0fb6e4eee9105b7141da9 a new format for displaying
columns with complex python types.

It breaks our devstack plugin because we rely on 'openstack port show -c
fixed_ips -f value' to find the ip address of our management port.
This commit fixes the parsing of openstack port show command.

Change-Id: I6c5ebdea8149166f8d0ebb69cfe63692892f5ab9
2019-09-16 17:08:35 -07:00
Michael Johnson
e795406343 Set neutron client logging to INFO
The neutron client will post debug messages with the word "Error"
which is misleading. In reality it is a simple 404 that an extension
is not enabled.
This patch raises the default logging level for the neutron client to
INFO to suppress these messages.

Change-Id: Iacee63120a0d60e312cc85c7fcb8e7351688af3d
2019-09-13 16:09:29 -07:00
Michael Johnson
8685bba5ce Fix the tips job for octavia-lib
Change-Id: Ic6c97e78f579612b4b9207a24624e7a2e1c06723
2019-09-13 13:03:08 -07:00