Pools can now each be assigned an OpenSSL cipher string with the
field tls_ciphers. A new configuration option, default_pool_ciphers,
specifies what cipher string to use for new tls-enabled pools
if one is not explicitly specified at time of creation.
Change-Id: Iedb7774bfb8d70ea307d6a513248e1fe2389fa34
Depends-On: I77da6f14063877af0077f2c12df1aab5d5ead187
Story: 2006627
Task: 37172
A recent change in oslo.policy has made it register its cli opts on
the global config object. This was done to fix a bug where the opts
passed to the oslo.policy cli tools would get lost once it called
into project code because it was previously using a private config
object.
Octavia had already fixed this bug in a different way by filtering
the args in the enforcer code, which should no longer be necessary
now that the oslo.policy fix has merged.
However, the use of the global config object by the policy cli has
introduced a new problem, which is that after the config object is
initialized you can't register more cli opts. Because Octavia was
registering cli opts on import, this means that when the policy
tools call the Octavia policy entrypoint those opts get registered
and cause a failure.
To fix that, this change moves the cli opt registration into a
function that gets called from config.init so they will only get
registered when running an actual Octavia service. A separate
function was needed because they also need to be registered in
unit tests, and we don't want to actually initialize the entire
config object there. This way they can be initialized properly
in both scenarios.
Change-Id: I48ae260335f67e8ab1a188a94e44a7f1968e6fe9
Listeners will now be able to each be assigned their own OpenSSL
cipher string with a new field: tls_ciphers. There is also a new
configuration option, default_listener_ciphers, which specifies the
cipher string to assign to new listeners when one is not explicitly
specified.
Change-Id: I77da6f14063877af0077f2c12df1aab5d5ead187
Depends-On: Id5f4c20abd40dd092558a711987953012d4ae67f
Story: 2006627
Task: 36839
The repo is Python 3 now, so update hacking to version 3.0 which
supports Python 3.
Fix problems found.
Update local hacking checks for new flake8.
Add test-requirements.txt to doc building, hacking is now imported and
needed for autodoc.
Change-Id: I06211ef20131c64deba135123e53d87f3b5356a2
Red Hat/CentOS do not ship acpid for ppc64le, but others do.
This patch sets up a package map for DIB to exclude the acpid
package on Red Hat family image builds, while allowing it for the
other distros.
Change-Id: Iaef520e5f2a66833228e824ec4fb41f5915169af
Should have done "pad to 8 characters" on the hex conversion, but it was
instead hardcoded to pad a single `0`, which is right in a lot of cases
but not all.
For example:
>>> ip1 = ipaddress.ip_address('98.136.140.23')
>>> ip2 = ipaddress.ip_address('10.1.1.1')
>>> "%X" % ip1._ip
'62888C17'
>>> "%X" % ip2._ip
'A010101'
Change-Id: Ia9fec4e72c00f7086489b245d9dc50ed9c27f12a
healthcheck middleware adds a /healthcheck url that allows
unauthenticated access to provide a simple check when running
octavia-api behind a load balancer
https://docs.openstack.org/oslo.middleware/latest/reference/healthcheck_plugins.html
Co-authored-by: Michael Johnson <johnsomor@gmail.com>
Change-Id: I10db6226750f7b7c703067d2ab82eea3a9875112
Convert all code to not require six library and instead
use python 3.x logic.
Created one helper method in common.utils for binary
representation to limit code changes.
Change-Id: I2716ce93691d11100ee951a3a3f491329a4073f0
Change example string and depend on devstack change to
make sure we won't break.
Depends-on: https://review.opendev.org/#/c/711492
Change-Id: I5ca700b27c3c5be26dc5132fafd9b6cffade2b6b
We missed a line when removing the requirement to grant Octavia
access to the secret in barbican.
This patch corrects that oversight.
Change-Id: I3c6459becc415d6dc0792c44ca75e717b239cd92
On base operating systems that use DNF there can be a systemd timer
that attempts to call out and update the dnf cache every hour.
This patch adds a diskimage-builder element that disables this
timer as most amphora will not be successful in updating this cache
because they do not have network access or DNS services available.
Change-Id: I5dec631d3e66e1dfb6b8741caea89938ee18a7d8
Story: 2007408
Task: 39019
Eventually hacking will move to 2.0.0 (diskimage-builder
is holding it back), and when it does there will be a few
errors to fix. We can get ahead of it so it doesn't
break us with some small changes for these items:
F601 dictionary key $item repeated with different values
F632 use ==/!= to compare str, bytes, and int literals
E501 line too long
While doing this noticed the lower-constraints.txt for
hacking was set at 0.12.0, when test-requirements.txt
had it at 1.1.0, so fixed that as well.
Change-Id: I80d2a5f97e7a4896a8fa765c1971c8bb7e72d211
Avoid getting the same amphora all the time if its load balancer is
stuck in PENDING state and could not be failed over.
Story: 2007340
Task: 38877
Change-Id: I2f680a00be695c3828166e6803882765af79b79e
When only setting tags to an existing load balancer, the amphora driver
would try to apply QoS policy on VRRP ports even if no policy is
defined. This raised a NetworkException that led load balancers to go
into ERROR.
Task: 37589
Story: 2006922
Change-Id: I48315f8f293811e1d99584ea36da05c4211cf275
The network delta calculations were all based on the static configured
amp_boot_network_list which is not correct if it's overridden by the AZ.
Change-Id: Ia930e17c76cd601ac005de10fb03231a19f1a776
If the AZ system is being used and there is also a default boot network
set in the main config, the nova driver would not pick the right
interface when translating the amphora info for amps in custom AZs.
This affects the step that fetches the lb_network_ip (the management
address) from nova, immediately before the step that updates the
database with the correct IP. That IP is then used in the rest of the
amphora creation flow, which pulls in that address and uses it to
connect to the amp.
Change-Id: Ie4869035a557ebcddea2fce693067c82fbd2d2a9
The MapLoadbalancerToAmphora task performs some database queries but
doesn't catch any exception from it.
In case something goes wrong with the database or the query, this commit
catches any exception from the DB call, logs it and then returns None to
switch to the next decider branch (boot a new amphora).
Story: 2007320
Task: 38831
Change-Id: Ifb6c34426e0927534d332a8bbf2c66aac6c002c5
Now that we are python3 only, we should move to using the built
in version of mock that supports all of our testing needs and
remove the dependency on the "mock" package.
This patch moves all references to "import mock" to
"from unittest import mock". It also cleans up some new line
inconsistency.
Change-Id: I72520a2ca010c2c27315d9dff839a4f9d7540b6b
This patch adds a warning box to the load balancer cookbook clarifying
that the health monitor type of 'PING' should only be used in specific
cases.
This was called out in release notes, but was not clear in the cookbook.
Change-Id: I6b95891bec82e01c44b288cbe9796b1f87a07c32
Add a section to the basic cookbook that explains how to set up a UDP
load balancer with UDP-CONNECT health monitor.
And fix typos.
Change-Id: Ib67a5c9437e3190f640a953c30f791cb34690910