In https://review.opendev.org/#/c/613709/ octavia was
changed to use octavia-lib for a lot of API driver-related
code and deprecation warnings put in place. Now that
we're in Victoria remove all the deprecation shims and
use octavia-lib exclusively.
Change-Id: If92988150479a7daf465af5f8df22818664a0fce
Add field tls_versions to pools for restricting TLS versions used.
This is a colon-separated string of versions to be used.
Available values (as defined in octavia-lib):
SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
Add default_pool_tls_versions in octavia.conf
Note: TLSv1.3 connections will use haproxy's default ciphers
instead of the listener's tls_ciphers field
Change-Id: I480b7fb9756d98ba9dbcdfd1d4b193ce6868e291
Story: 2006733
Task: 37173
Depends-On: Ic33d9b9a256490ae1b048cdfd2475d6340509fdb
E741 ambiguous variable name 'l'
Change 'l' to another variable in affected code.
Also had to set the latex_engine to 'xelatex' in doc/source/conf.py
in order to get past an openstackdocstheme change that broke the pdf
doc build.
Change-Id: Idd176e40ccf2a79832a5c99140bd30e5e1f9c0d8
Add new configuration option "tls_cipher_blacklist" to octavia.conf.
Blacklisted ciphers are blocked from being used in listeners, pools, or
default cipher strings.
Change-Id: I44fd4da1b47faee9cc01b9426898a28b6f13f223
Story: 2006627
Task: 37168
This patch introduces 2 macros in lvs.
1. Support HTTP GET, allow users to create HTTP healthmonitor for udp pool.
2. Support TCP check, allow users to create TCP healthmonitor for udp pool.
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Change-Id: I61c7d8d4df54710a92b8c055be84bba29bf3d7e6
Story: 2003200
Task: 23356
Story: 2003199
Task: 23355
healthcheck middleware adds a /healthcheck url that allows
unauthenticated access to provide a simple check when running
octavia-api behind a load balancer
https://docs.openstack.org/oslo.middleware/latest/reference/healthcheck_plugins.html
Co-authored-by: Michael Johnson <johnsomor@gmail.com>
Change-Id: I10db6226750f7b7c703067d2ab82eea3a9875112
The pool and listener can't be combined arbitrarily. We need to add
some constraints in protocol side.
Story: 2003500
Tasks: 24777
Co-Authored-By: Carlos Goncalves <cgoncalves@redhat.com>
Change-Id: Ifed862639d3fc3de23ace4c7ceaea1a4eca62749
API update calls were blocked if the load balancer had a TLS
terminated listener that the secret has been removed from barbican.
This patch corrects this problem allowing users to update the
certificate reference.
Change-Id: I96908e6cbdb523f95298aff463a749d15e98e1ad
Story: 2006676
Task: 37322
Previously, if a secret became unavailable in barbican, the user saw
a generic error raised from the barbican client and was unable to delete
load balancer resources. This patch corrects both of those issues.
Change-Id: I97bd1b2a97a44d0a0566ae56167fa4f2e503ee2d
Story: 2006676
Task: 37012
Task: 37077
With new pylint release (2.4.1), new warnings were triggered:
- unnecessary-comprehension
- no-else-break
- no-else-continue
- import-outside-toplevel
Change-Id: I301cc9fc6b41e9e97f051df29d768b172cade636
The current pool API does not properly handle clearing/resetting
values on update. There was a case where removing the CA and CRL
at the same time could be refused, requiring you to remove the
CRL first, then the CA reference. This patch resolves that issue.
This patch corrects this to appropriately handle None/null updates
to the pool parameters.
Change-Id: Iee8a12b693a09e96e59313e58beffe1b1985084f
Story: 2005374
Task: 31007
In order to support Python 3.7, pylint has to be updated to 2.0.0
minimum. Newer versions of Pylint enforce additional checkers which can
be addressed with some code refactoring rather than silently ignoring
them in pylintrc; except useless-object-inheritance which is required to
be silenced so that we stay compatible with Python 2.x.
Story: 2004073
Task: 27434
Change-Id: I52301d763797d619f195bd8a1c32bc47f1e68420
Add tls_ca_container_id and crl_container_id into Pool API.
Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I6cd6e2ca8e48a5df707a70d22505dec9d752c7eb
Add 1 field like Listener does, which is 'tls_container_ref', this
field is introduced into Pool for storage the pool client certificate to
the backend servers, when the traffic willing to bring a cert to the
servers and check for tls connection.
Story: 2003859
Task: 26685
Change-Id: I29b7c7116e6087c942179ed9efdead494ef277a3
This patch fixes the Octavia v2 API "list" performance regression.
It also corrects some database model forward reference issues.
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Change-Id: Ic110e0e73938743c1aba01aa28f393bae7141cbd
Story: 2002933
Task: 22920
We added the configuration option for reserved IP addresses that cannot
be used for load balancer member addresses, but the validation for lb
graph creation is missing.
This patch should also be backported to stable branches.
Change-Id: I5ba30d29e7a35b370f21d9f68ec43efed74dd363
Story: 2003413
Task: 24555
1. Removes the misc_dynamic setting from the UDP-CONNECT health monitor
as our script does not use it.
2. Adds a release note for the UDP features.
3. Updates the API reference for UDP support.
4. Adds a comment to the keepalived config with the LB ID.
5. Updates the status message type to be the correct UDP protocol.
6. Fix error during deleting a listener if there are multiple amphorae.
7. Refactors systemd service script handling.
Story: 2003306
Task: 24258
Change-Id: I09240023d066ac5a71836d01045cda6ce5678712
Add new types into db table.
Extending the existing API, including Listener, Pool, HealthMonitor for
UDP fields support.
For healthmonitor part, need to wait for other patch to fix the default
value.
Patch List:
[1] Finish keepalived LVS jinja template for UDP support
[2] Extend the ability of amp agent for upload/refresh the keepalived
process
[3] Extend the db model and db table with necessary fields to meet the new
udp backend
[4] Add logic/workflow elements process in UDP cases
[5] Extend the existing API to access udp parameters in Listener API
[6] Extend the existing pool API to access the new option in
session_persistence fields
Story: 1657091
Task: 5484
Change-Id: If728705f142f4195fe624bd9ef17413722d54fe3
Commit Ide4beaf73bb99be5c3b4c71c12fecef3499f45d9 updated the drivers api spec.
This patch implements the new api for the update callbacks which needs the
original object as well.
Change-Id: I530ec49acdc249a1f29e3e366eee70e29627a047
Commit Ide4beaf73bb99be5c3b4c71c12fecef3499f45d9 updated the drivers api spec.
This patch implements the new api for the delete callbacks.
Change-Id: Icbabe8b01864175112000b2b5aa769f750a9708b
We want to default to running all tox environments under python 3, so
set the basepython value in each environment.
We do not want to specify a minor version number, because we do not
want to have to update the file every time we upgrade python.
We do not want to set the override once in testenv, because that
breaks the more specific versions used in default environments like
py35 and py36.
This patch also updates pylint to 1.5.6 which is compatible with
python3.
In updating pylint we have some issues to correct, this patch addresses
those issues so the Octavia code passes pylint 1.5.6.
Change-Id: Iec21f4c803a427059d595612336d67a35ebf9585
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
This patch aligns all of Octavia to use oslo_log instead of the built
in python logging. This should provide consistent log formats.
It adds a hacking check to make sure "logging" doesn't come back into
the code.
Change-Id: I9b76c2bb5a5c396faf85df4606f2ca00f23de913
This patch addresses the following:
Fixes some unit tests.
Cleans up some code from the parent patches.
Adds a release note for the provider driver support.
Adds the "List providers" API.
Adds a document listing the known provider drivers.
Adds a provider driver development guide.
Change-Id: I90dc39e5e9d7d5839913dc2dbf187d935ee2b8b5
Story: 1655768
Task: 5165
This patch adds provider driver support to the Octavia v2
Pool API.
This patch also creates a provider driver for Octavia, fully
implementing the pool methods.
Story: 1655768
Task: 5165
Depends-On: https://review.openstack.org/565640
Change-Id: Id4bf209c202893c93b43fe723c02d03b8c207ab5
This patch adds provider driver support to the Octavia v2 API, starting
with the load balancer API.
This patch also creates a provider driver for Octavia, initially fully
implementing the load balancer methods.
Follow on patches will implement the remaining parts of the API.
Change-Id: Ia15280827799d1800c23ed76d2af0e3596b9d2f7
Story: 1655768
Task: 5165
The LBaaSv2-API spec had this, and tempest seems to test for it.
We missed adding it when we implemented the v2 API in Pike.
Change-Id: I16c04b6f12fe4db9f1a2a0dc1d2b6fb54d24fd38
Backport-Candidate: Queens Pike
Fixes the v2 API returning "DELETED" records until the amphora_expiry_age
timeout expired. The API will now immediately return a 404 HTTP status
code when deleted objects are requested. The API version has been raised
to v2.1 to reflect this change.
Change-Id: Iaf150240b0de32f75ba8cfe605293e3af086cc78
Story: 2001557
Task: 6501
This patch adds validation to the pool session persistence options.
It validates the cookie_name specified and whether that option is valid
for the session persistence type specified.
Change-Id: I2f35a1a267bf2fc35bbb93a7f5390213ca20d1a8
Story: 2001818
Task: 12555
This patch fixes the API to return a 204 for object delete calls on objects
already in the "DELETED" provisioning_status.
It also enables a few API tests that were marked for "skip" but are now valid.
Change-Id: Id11e059321b6c76a21b652037905cecba5721003
Story: 2001537
Task: 6344
The error handling for duplicate records was not great, specifically
health monitors would return a 500 or a 409 with a bad error message.
This patch improves the errors the user gets back when creating a
duplicate entity.
Co-Authored-By: Jacky Hu <hudayou@hotmail.com>
Change-Id: I03ec527b42d67427541121e59e4433699e04aab8
Under certain conditions if an error occurred during an API request the
lock session could be left open. This patch corrects that by extending the
try block to include all calls with the lock open.
The test case was creating a second pool on a listener, which results in
a 409 conflict error, but the lock was left open.
Change-Id: I81e08775c515602f315aa8da32ff342f96c4a676
Also fix an incorrect exposure of /healthmonitors on /pools and a badly
ordered flow for member updates.
Change-Id: Id256ea94293519b75983f7a44945ac9bbbf25cd1
Implements: blueprint member-put-list
This patch implements API filtering based off of
query parameters passed to the Octavia API. Additionally
this patch implements field selection for the Octavia
API.
Change-Id: I9fe26abe37f464d9c028b8c476485007143d3b5c
This patch adds policies and enforcement to the Octavia v2 API for pools.
It also fixes a minor issue with the specs tox job.
Change-Id: Id2aa4dfad149583f9cb16205cb617f6e2a1bc92e
Partial-Bug: #1690481
Use glance sorting and pagination from inside the SQLAlchemy query
to handle the sorting and pagination for octavia.
Change-Id: I5489c5c89691b8871e32caf3f85ab1978bc3618c
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Co-Authored-By: Lubosz "diltram" Kosnik <lubosz.kosnik@intel.com>
Closes-Bug: #1596628
Closes-Bug: #1596625
Still need to fix the entry-points for each individual type, but that
wasn't even in the original spec. Not sure if we even want that.
I think this may not do things EXACTLY how the old one did it, we'll
need to look into whether it matters, as we never published docs for it
and I don't think it ever actually worked properly in neutron-lbaas.
Also closing a few bugs that are only peripherally related, because we
(possibly me) forgot to tag them on the individual CRs, but I'm
considering them closed as of this patch. See below for my reasoning on
each individual bug, and feel free to post counter-arguments.
For #1673546 (single-call create): This is the obvious one!
For #1673499 (lb return pool object): Rolled into this patch as a matter
of course, abandoned the original fix as it is no longer relevant.
For #1544214 (root tags): All existing resources now have root tags. Any
new ones will also need root tags, but I would consider this bug closed.
For #1596636 (tenant facing API): Every object is now creatable via the
v2 API, so I would consider this to be complete. Quotas and some
additional work is being finished, but it's not necessary for this IMO.
For #1665446 (hm id): This was resolved in the HM patch, I just forgot
to close it, and including it here will ensure it is release-tracked.
For #1685789 (listener quota): Just shoving it in here as I do the
single-create quotas.
For #1685827 (hm quota): Same as listener quota.
Closes-Bug: #1673546
Closes-Bug: #1673499
Closes-Bug: #1544214
Closes-Bug: #1596636
Closes-Bug: #1665446
Closes-Bug: #1685789
Closes-Bug: #1685827
Depends-On: I3d86482a2999197a60a81d42afc5ef7a6e71e313
Change-Id: I4ff03593e1cfd8dca00a13c0550d6cf95b93d746
This patch aligns Octavia v2 API for members with
lbaasv2.
GET all - /v2.0/lbaas/pools/<pool-id>/members
GET one - /v2.0/lbaas/pools/<pool-id>/members/<member-id>
POST - /v2.0/lbaas/pools/<pool-id>/members {<body>}
PUT - /v2.0/lbaas/pools/<pool-id>/members/<member-id> {<body>}
DELETE - /v2.0/lbaas/pools/<pool-id>/members/<member-id>
Also fixes a few bugs from previous API commits and refactors
some test code / adds missing tests.
Note: This changes the default operating_status of Members from OFFLINE
to NO_MONITOR in the *v1* API, if the pool has no Health Monitor.
I see this as a bug fix.
Co-Authored-By: Nakul Dahiwade <nakul.dahiwade@intel.com>
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Partially-Implements: #1616642
Closes-Bug: #1678330
Closes-Bug: #1678336
Closes-Bug: #1678337
Change-Id: I0e15ab70afd5bbbc8b94db0dc9e64f13146003e8
Make API path for pools independent of Loadbalancers and
Listeners.
- /v2.0/lbaas/pools/
- /v2.0/pools/
GET all - /pools/
GET one - /pools/<pool-id>
POST - /pools/ {<body>}
PUT - /pools/<pool-id> {<body>}
DELETE - /pools/<pool-id>
Co-Authored-By: Shashank Kumar Shankar <shashank.kumar.shankar@intel.com>
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Partially-Implements: #1616641
Change-Id: I7679cc7b3f559db774a9d036580177cf1aa7e693
This patch corrects the project_id handling for POST calls to the
Octavia v1 API. For load balancer create calls we use the specified
project_id if the user is an admin or noauth is specified. If no
project_id is specified in the request we use the project_id from
the context. If no project_id can be found we raise an exception.
For the other object POST methods we use the project_id
from the parent load balancer.
Change-Id: Ibf59541b8811e3bbe36cfec039f91e20036102e4
Closes-Bug: #1624145
Octavia has no quota definitions, but needs them for parity with Neutron LBaaS.
This will provide an endpoint and support for retrieving, updating, and deleting
quotas for projects, as well as adding enforcement of those quotas.
Adds scenario test that simply validates quotas in a lb graph.
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Co-Authored-By: Phillip Toohill <phillip.toohill@rackspace.com>
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Change-Id: Ia1d85dcd931a57a2fa3f6276d3fe6dabfeadd15e
Closes-Bug: #1596652