3349 Commits

Author SHA1 Message Date
Michael Johnson
8394633635 Prioritize policy validation
This patch makes sure that we validate RBAC compliance before
other validation tasks.

Change-Id: I670087163b265e7098af35063572d6aa9d068bb9
2020-06-19 14:18:40 -07:00
Zuul
4a78b453d9 Merge "diskimage-create compatible with ShellCheck." 2020-06-19 21:12:46 +00:00
Thobias Salazar Trevisan
d8d722b54d diskimage-create compatible with ShellCheck.
Update the diskimage-create script to pass the
ShellCheck (https://www.shellcheck.net/) tool.

Change-Id: Ia0dddac00155e11098fcbd3e95bcae12f2fc63d4
2020-06-19 10:22:07 -03:00
Michael Johnson
955bb88406 Refactor the failover flows
This patch refactors the failover flows to improve the performance
and reliability of failovers in Octavia.

Specific improvements are:
* More tasks and flows will retry when other OpenStack services are
  failing.
* Failover can now succeed even when all of the amphora are missing
  for a given load balancer.
* It will check and repair the load balancer VIP should the VIP
  port(s) become corrupted in neutron.
* It will clean up extra resources that may be associated with a
  load balancer in the event of a cloud service failure.

This patch also removes some dead code.

Change-Id: I04cb2f1f10ec566298834f81df0cf8b100ca916c
Story: 2003084
Task: 23166
Story: 2004440
Task: 28108
2020-06-18 16:25:21 -07:00
Michael Johnson
e77355714b Update the API audit map
Recent additions to the Octavia API did not update the Octavia API
CADF audit map. This patch corrects that by adding the new API
paths.

Change-Id: I22107317837e68e54a29f8a4051c464120b29809
2020-06-18 21:43:34 +00:00
Michael Johnson
18887f5f60 Fix API audit CADF audit map for failover action
There was a bug in the CADF audit map file for the "failover" action.

This patch corrects the audit map file to handle "failover" correctly
and stop keystonemiddleware from raising an exception.

Change-Id: If3954ba34740e26937dba10bdd8061acde758c88
Story: 2007831
Task: 40116
2020-06-18 10:03:59 -07:00
Gregory Thiemonge
3ee9bc0d65 Fix listener API's test_create* assertions
Assertions were using the same expressions on both sides: optionals and
lb_listener are both parameters to the API (and the lb_listener dict
contains all optionals items).
Those assertions should compare the parameters to the API results.

Change-Id: I6f372a3f82fdf4f41e661e640e4a983cf484ed6d
2020-06-18 14:17:33 +02:00
ramboman
f26ab8b97b add the verify for the session
The octavia scenario test failed when we ran it in an OpenStack env
with TLS enabled, so we need to add the verify for the session.

Story: 2007662
Task:  39754
Closes-Bug: #1877818
Change-Id: Ie71db27dc383c93496c1dfd69f486a4fd02b597e
2020-06-17 09:05:24 +00:00
Carlos Goncalves
e5951ced5f Use uwsgi binary from path
In line with devstack patch [1], switch invocations to find uwsgi in the
path.

[1] https://review.opendev.org/#/c/577779/

Change-Id: I5e6aee49f434820881051874c9ad2628b4fcada7
2020-06-17 10:59:29 +02:00
Zuul
24acbe099b Merge "Improve terminology in an old spec file" 2020-06-16 03:37:01 +00:00
Gregory Thiemonge
c176cf60d4 Fix error on devstack cleanup
Change I7ebf4137feb04827490dffc0dac3d6e4c8888075 added 'set -e' in
devstack/plugin.sh, but on devstack cleanup, some commands may fail
because of non-working services (i.e. after a reboot).
This commit allows 'openstack keypair delete' to fail on clean up.

Change-Id: Ic782faba3eb907d29b6735ac0a6d6a8a2e104e00
2020-06-15 08:44:32 +02:00
Hervé Beraud
8119b21452 Cap jsonschema 3.2.0 as the minimal version
Previous versions of jsonschema (<3.2.0) don't support python 3.8 [1].
Python 3.8 is part of the victoria supported runtimes [2] so we now force
the use of jsonschema version 3.2.0 to avoid issues, remove ambiguity and ensure
that everything works with python 3 in general.

[1] https://github.com/Julian/jsonschema/pull/627
[2] https://governance.openstack.org/tc/reference/runtimes/victoria.html#python-runtimes-for-victoria

Change-Id: I2816360b59f82c996038929ed6e90b744feb3f75
2020-06-12 19:23:10 +02:00
Zuul
6418ae00c9 Merge "Fix netcat option in udp_check.sh for CentOS/RHEL" 2020-06-11 23:24:53 +00:00
Zuul
0a697a352c Merge "Switch oslo.policy over to yaml" 2020-06-11 22:11:11 +00:00
Zuul
18918267e3 Merge "Fix batch member create for v1 amphora driver" 2020-06-11 22:06:04 +00:00
Zuul
647fae2822 Merge "Fix some typos in the explanatory notes" 2020-06-11 22:02:49 +00:00
Zuul
b6e0221ca8 Merge "Remove all deprecated driver code that moved to octavia-lib" 2020-06-11 22:02:48 +00:00
Michael Johnson
66a67ba5af Clarify health monitor behavior
The basic cookbook document implied that pools without a health
monitor would eventually remove a failed member from the pool.
This will not happen as, if there is no health monitor, the members
are assumed to be ONLINE.

Change-Id: I6c52f163d8ac0456b4faf7d9bf5cc4a19ee6eeb7
2020-06-11 09:10:20 -07:00
Michael Johnson
958c3a18bd Improve terminology in an old spec file
Change-Id: I20bd0070c7eb24e981becbd24e8a98ca5eaff929
2020-06-11 07:37:51 -07:00
zhaoleilc
76616f35e7 Fix some typos in the explanatory notes
This patch changes 'defiend' to 'defined'
in the explanatory notes in octavia/
tests/functional/db/test_repositories.py

Change-Id: Ibb7f0f416a013b98edf72a5803aada71015cfade
2020-06-11 14:53:39 +08:00
Zuul
aee9cd6fe4 Merge "Use unittest.mock instead of mock" 2020-06-11 03:16:30 +00:00
Hervé Beraud
6cce3a72ae Use unittest.mock instead of mock
The mock third party library was needed for mock support in py2
runtimes. Since we now only support py36 and later, we can use the
standard lib unittest.mock module instead.

Also added and enabled a hacking check that would have caught this.

Change-Id: Idb10f84fd32c50db24f844352cb85de452181439
2020-06-09 11:25:00 -04:00
Zuul
be2acaeb36 Merge "Fix test_barbican_legacy for Python 3.8" 2020-06-09 12:18:23 +00:00
Brian Haley
de69b2c7ff Remove all deprecated driver code that moved to octavia-lib
In https://review.opendev.org/#/c/613709/ octavia was
changed to use octavia-lib for a lot of API driver-related
code and deprecation warnings put in place. Now that
we're in Victoria remove all the deprecation shims and
use octavia-lib exclusively.

Change-Id: If92988150479a7daf465af5f8df22818664a0fce
2020-06-08 14:41:00 -04:00
Michael Johnson
fafabad042 Switch oslo.policy over to yaml
Oslo.policy is moving away from using json format policy files[1].

This patch updates the Octavia documentation, policy configuration file, and
legacy admin-or-owner policy file to be in yaml format.

Octavia will continue to honor and support the json format file as long
as oslo.policy does, but this patch will encourage new deployments
to use the yaml format.

[1] https://docs.openstack.org/oslo.policy/latest/admin/policy-json-file.html

Change-Id: I925cc05981e677c0552b18f845fdbc512d2af22c
2020-06-08 08:54:07 -07:00
Zuul
c9e9fd9335 Merge "Change default tox envs from python37 to python3" 2020-06-08 06:45:25 +00:00
Carlos Goncalves
f97a89ded9 Fix UDP pool transform in LVS driver
Even though the API and database schema enforce a pool to have a load
balancing algorithm set and validate its value, the auxiliary transform
pool method had an invalid default value 'roundrobin'. Round robin in
LVS is 'rr'.

Change-Id: I72b669e7755c0851867453977946891d7074d92b
2020-06-08 08:25:02 +02:00
Carlos Goncalves
9e070e6e6d Fix listener update with SNI certificates
SNI certificates were not being set in the database on listener update.
A listener GET would not show the certificates in the sni_container_refs
attribute. Also, the API was allowing SNI certs to be set on
non-TERMINATED_HTTPS listeners.

Task: 39042
Story: 2007421
Story: 2007430

Change-Id: If5b6411a0b7c75441a406234c2792ea68d35d0fe
2020-06-08 06:13:37 +00:00
Zuul
409b89f141 Merge "Update the feature matrix for new features" 2020-06-08 05:20:17 +00:00
Zuul
daa28ffe21 Merge "Fixed typo in upgrade section" 2020-06-08 05:17:48 +00:00
Yang JianFeng
5d91913136 Add quota support to octavia's l7policy and l7rule
Octavia currently has no l7policy and l7rule quota definitions, but
they are necessary for some scenarios, for example to implement a
product design compatible with Neutron Lbaas.

Story: 2003382
Task: 24457
Change-Id: I09ee23dcb83f5f08a56e25cc05ff77caa3ad4230
2020-06-08 02:28:51 +00:00
Ross Martyn
611880cd15 Fixed typo in upgrade section
Change-Id: I9e7052bfbb990d526893e641236cbdb6e6203d67
2020-06-06 09:38:02 +01:00
Michael Johnson
c2ff9bce99 Update the feature matrix for new features
We missed updating the provider driver feature matrix for a few
new Octavia features. This patch updates the matrix.

Change-Id: I328830df19fb8df6ea93cee2ad2f0dbda03279a1
2020-06-05 12:39:15 -07:00
Michael Johnson
630a4e6a3c Fix batch member create for v1 amphora driver
A previous patch[1] missed batch_member_update when adding database
repository "get" method retries for new object creation actions.
This patch fixes batch member create to retry the database get call
when new members are being created via batch member update.
This issue only impacts the v1 amphora driver as the v2 driver
does not need to get these objects from the database.

Story: 2007581
Task: 39503

[1] 48e85569f7

Change-Id: Ia3476ab7b24dc3fd6e29ff2abe6eb6bacd9908ed
2020-06-05 09:08:48 -07:00
Zuul
3980c90403 Merge "Remove Babel requirement" 2020-06-05 11:33:24 +00:00
Zuul
e8db961ba4 Merge "Update cirros image to cirros-0.5.1-x86_64" 2020-06-05 11:33:22 +00:00
Dawson Coleman
270b973bf9 Add minimum TLS version option in octavia.conf
Add new configuration option "minimum_tls_versions" to octavia.conf.
Listeners, pools, or the default values for either will be blocked from
using lower versions.

Change-Id: Ifa0d695c2227772d6b37987a7857fe58ca660dc8
Story: 2006733
Task: 37171
Depends-On: I480b7fb9756d98ba9dbcdfd1d4b193ce6868e291
2020-06-04 13:11:01 -07:00
Carlos Goncalves
d031596b9f Add a periodic fast forward upgrade job
Fast forward upgrade (FFU) is an upgrade strategy that does in-place
upgrade and skips intermediary releases (e.g. N -> N+3).

This new periodic job fast forwards a cloud from Stein to master.

Please note that ideally a distro upgrade should also be performed but
Grenade does not support that today. For example, Bionic is a tested
Linux distribution on Stein, whereas on Victoria it is Focal.

Change-Id: I792f42468c37b6849c8fc085172841434d6a1376
2020-06-04 09:37:22 +02:00
Zuul
0321c28588 Merge "Add TLS version configuration for pools" 2020-06-04 07:04:51 +00:00
Zuul
16b96baff9 Merge "Add TLS version configuration for listeners" 2020-06-04 06:27:40 +00:00
Dawson Coleman
9a6da86481 Add TLS version configuration for pools
Add field tls_versions to pools for restricting TLS versions used.
This is a colon-separated string of versions to be used.
Available values (as defined in octavia-lib):
SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

Add default_pool_tls_versions in octavia.conf

Note: TLSv1.3 connections will use haproxy's default ciphers
instead of the listener's tls_ciphers field

Change-Id: I480b7fb9756d98ba9dbcdfd1d4b193ce6868e291
Story: 2006733
Task: 37173
Depends-On: Ic33d9b9a256490ae1b048cdfd2475d6340509fdb
2020-06-03 21:58:47 +00:00
Dawson Coleman
6aad5d8b9f Add TLS version configuration for listeners
Add field tls_versions to listeners for restricting TLS versions used.
This is a list of versions to be used.
Available values (as defined in octavia-lib):
SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

Add default_listener_tls_versions in octavia.conf.

Note that at this time TLS 1.3 ciphersuites are not implemented,
so any TLS 1.3 connections will use haproxy's default ciphers
instead of what's specified by tls_ciphers.

Change-Id: Ic33d9b9a256490ae1b048cdfd2475d6340509fdb
Story: 2006733
Task: 37170
Task: 37169
2020-06-03 14:57:47 -07:00
Sean McGinnis
0deff25667 Change default tox envs from python37 to python3
Python versions supported by OpenStack change over time, and for minor
versions of Python 3 it is tedious to keep this file updated.

Since this does not impact zuul jobs in any way, nor prevent local
tests against py37, it should be safe to simply make this more easily
compatible for users that don't care about the specific Python versions
and just need basic tests to run.

The *only* thing this does is change the default versions tested if none
are explicitly provided with `-e`.

Change-Id: I2372178351e961eeed5a819f39e75d54ba148798
Signed-off-by: Sean McGinnis <sean.mcginnis@gmail.com>
2020-06-03 07:28:27 -07:00
Hervé Beraud
bf460618bc Stop to use the __future__ module.
The __future__ module [1] was used in this context to ensure compatibility
between python 2 and python 3.

We previously dropped the support of python 2.7 [2] and now we only support
python 3 so we don't need to continue to use this module and the imports
listed below.

Imports commonly used and their related PEPs:
- `division` is related to PEP 238 [3]
- `print_function` is related to PEP 3105 [4]
- `unicode_literals` is related to PEP 3112 [5]
- `with_statement` is related to PEP 343 [6]
- `absolute_import` is related to PEP 328 [7]

[1] https://docs.python.org/3/library/__future__.html
[2] https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html
[3] https://www.python.org/dev/peps/pep-0238
[4] https://www.python.org/dev/peps/pep-3105
[5] https://www.python.org/dev/peps/pep-3112
[6] https://www.python.org/dev/peps/pep-0343
[7] https://www.python.org/dev/peps/pep-0328

Change-Id: I193ba2193f24e6deac473423310b81a029e15e22
2020-06-02 20:32:07 +02:00
wu.chunyang
9bee93b201 trivial fix
Change-Id: I59d94bc9743b04674caca3ffcb8fc91ba803298c
2020-06-01 22:07:38 +08:00
Zuul
2c7c7747b7 Merge "Workaround peer name starting with hyphen" 2020-05-31 14:55:45 +00:00
Zuul
8a38c1a82b Merge "Fixed a bug: replace 'startwith' with 'startswith'" 2020-05-30 11:36:57 +00:00
Bodo Petermann
a84bf7d843 Fix test_barbican_legacy for Python 3.8
Fixes failing unit tests in
octavia.tests.unit.certificates.manager.test_barbican_legacy.TestBarbicanManager
for Python 3.8

Some of the tests fail setting up a mock.Mock(spec=secrets.Secret)
because a ValueError exception is raised unexpectedly.

The reason is that test_get_cert_no_registration_raise_on_secret_access_failure
patches the `payload` property of barbicanclient.v1.secrets.Secret to
raise a ValueError.
When a subsequent test tries to set up a mock.Mock(spec=secrets.Secret)
in Python 3.8 the Mock class will try to look at the properties of the spec
class and accessing `payload` doesn't behave normally anymore: it raises
ValueError now.

Fixed by using a different approach of mocking `payload` in
test_get_cert_no_registration_raise_on_secret_access_failure
so that it does not influence subsequent tests.

Change-Id: Ic534a4715c85c2216c7251209507acf74a999153
Story: 2007490
Task: 39212
2020-05-29 16:58:33 +02:00
Zuul
7e851d3f6e Merge "Fix the grenade plugin to also upgrade octavia-lib" 2020-05-29 13:48:39 +00:00
chimeng
7c96e455a9 Fixed a bug: replace 'startwith' with 'startswith'
story: 2007734
Change-Id: I6543fe5caf539c9b1167a7c58984b3474879e1de
2020-05-29 17:08:25 +08:00