Add field tls_versions to pools for restricing TLS versions used.
This is a colon-separated string of versions to be used.
Available values (as defined in octavia-lib):
SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
Add default_pool_tls_versions in octavia.conf
Note: TLSv1.3 connections will use haproxy's default ciphers
instead of the listener's tls_ciphers field
Change-Id: I480b7fb9756d98ba9dbcdfd1d4b193ce6868e291
Story: 2006733
Task: 37173
Depends-On: Ic33d9b9a256490ae1b048cdfd2475d6340509fdb
Add field tls_versions to listeners for restricting TLS versions used.
This is a list of versions to be used.
Available values (as defined in octavia-lib):
SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
Add default_listener_tls_versions in octavia.conf.
Note that at this time TLS 1.3 ciphersuites are not impelemented,
so any TLS 1.3 connections will use haproxy's default ciphers
instead of what's specified by tls_ciphers.
Change-Id: Ic33d9b9a256490ae1b048cdfd2475d6340509fdb
Story: 2006733
Task: 37170
Task: 37169
Pools can now be each be assigned an OpenSSL cipher string with the
field tls_ciphers. A new configuration option, default_pool_ciphers,
specifies what cipher string to use for new tls-enabled pools
if one is not explicitly specified at time of creation.
Change-Id: Iedb7774bfb8d70ea307d6a513248e1fe2389fa34
Depends-On: I77da6f14063877af0077f2c12df1aab5d5ead187
Story: 2006627
Task: 37172
Listeners will now be able to each be assigned their own OpenSSL
cipher string with a new field: tls_ciphers. There is also a new
configuration option, default_listener_ciphers, which specifies the
cipher string to assign to new listeners when one is not explicitly
specified.
Change-Id: I77da6f14063877af0077f2c12df1aab5d5ead187
Depends-On: Id5f4c20abd40dd092558a711987953012d4ae67f
Story: 2006627
Task: 36839
Adds the ability for admins to create/manage availability_zones
and profiles for use with upcoming functionality. Works like flavors.
Depends-On: https://review.opendev.org/#/c/694057/
Change-Id: I468d9fdf8c9d0898f9e30f04ac233510a10a53fc
This patch extends the listener API to include the new parameter
'allowed_cidrs'. This parameter is a list of IPv4 or IPv6 CIDRs. Leaving
this list unset defaults to the traditional behavior of allowing all
ingress traffic to the listener. Setting it will deny all traffic but
all CIDRs set in the 'allowed_cidrs' list.
Note that the API will validate that all CIDRs match the same IP version
of the VIP. This may change later as part of work to allow multiple VIPs
per LB (Change-Id Id7153dbf33b9616d7af685fcf13ad9a79793c06b).
Task: 26210
Story: 2003686
Change-Id: Id2b560df1cde9ce9403afbd593bbaa6cae5f06d6
The current health monitor API does not properly handle
clearing/reseting values on update. Some integer only fields,
such as max_retries_down, will accept null, but will store the
value as "None". These will will cause failures updating the
amphora configuration.
This patch corrects this to appropriately handle None/null updates
to the health monitor parameters.
Change-Id: Ida1d544933aec9e5cd556aef57a06e9f19f1b255
Story: 2005374
Task: 33533
The current member API does not properly handle clearing/reseting
values on update. Some integer only fields, such as weight,
will accept null, but will store the value as "None". These will
will cause failures updating the amphora configuration.
This patch corrects this to appropriately handle None/null updates
to the member parameters.
Change-Id: I41038b1d8d882efa19d991c07dca47f06dcbb5ca
Story: 2005374
Task: 33523
The current listener API does not properly handle clearing/reseting
values on update. Some integer only fields, such as connection-limit,
will accept null, but will store the value as "None". These will
will cause failures updating the amphora configuration.
This patch corrects this to appropriately handle None/null updates
to the listener parameters.
Change-Id: I41c9bedd8a3452513af3d409fbacd65ea287f02a
Story: 2005374
Task: 30352
This patch adds 2 new options for healthmonitor HTTP health check.
'http_version' is for user to specify the HTTP version, 1.0 and 1.1 are
available.
'domain_name' is for user to specify the HTTP host header inject to check
the HTTP backend health.
'domain_name' only available when HTTP version is 1.1
Story: 2002160
Task: 20010
Change-Id: Id3bf3962a02fbf77cf886c40ac64588cbacd3832
Currently, L7Policy already support the redirection by url_prefix.
Then we can support the redirection with HTTP code.
This patch adds an new option 'redirect_http_code' to L7Policy API.
Story: 2003609
Task: 24941
Change-Id: Id0c9c376ffbc2fb10ddb988537d0ef1a8205e586
Add "tls_enabled" option in Pool API.
This option will work on cert cases or no cert cases.
Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I62e31aaa66748ba652dfd5dbfd5a8b06d9ba0dfe
Add tls_ca_container_id and crl_container_id into Pool API.
Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I6cd6e2ca8e48a5df707a70d22505dec9d752c7eb
Add 1 fields like Listener does, which is 'tls_container_ref', this
field is introduced into Pool for storage the pool client certificate to
the backend servers, when the traffic willing to bring a cert to the
servers and check for tls connection.
Story: 2003859
Task: 26685
Change-Id: I29b7c7116e6087c942179ed9efdead494ef277a3
Add crl-file in Listener side.
Story: 2002165
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I9e2ec06719fbbfd19482c2b8d39220e7e4ed81e3
Listener API for client cerificate authentication with "None,
Optional, Mandatory" options
Story: 2002165
Task: 20019
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: Ia753659981d99b315504f166c09afb8f5b14f195
This patch add 'client_ca_tls_container_ref' into listener API for front
client authentication.
Story: 2002165
Task: 20018
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I8a96d6fdfe53a16d1abcfd09bc6afedd6c490de2
This patch adds an API that allows operators to query a provider driver
for the list of supported flavor capabilities.
Change-Id: Ia3d62acdc3b1af2e666f58d32a06d2238706dee6
This patch adds support for flavor metadata validation by the amphora driver
and support for setting the load balancer topology via a flavor.
It also adds "flavor_id" to the load balancer table in the database.
Change-Id: I8eae870abdb20dc32917957e32606deef387ec88
This patch adds flavor and flavor_profile tables.
It also implements flavors and flavorprofiles apis.
Partially-Implements: Blueprint octavia-lbaas-flavors
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I99a673438458757d0acdaa46dd8ee041edb3be9c
Operators want to have the ability to see amphora flavor information.
But they haven't access permisson of octavia configuration file. So
it is necessary to show amphora flavor information as part of command
'openstack loadbalancer amphora list/show'.
Story: 2002896
Task: 22986
Change-Id: Ib3ca05d816747d08ef7055ec532b81746468cbf9
Add tags support for all lb related resources. It includes:
load balancer, listener, member, pool, L7rule, L7policy
and health-monitor
Change-Id: Ib33a002b3b59820db29897454e9d4303c73310b2
Story: 2003890
Task: 26757
Default timeouts for backend member and frontend
client can be set now via config file.
Timeouts exposed in config in section haproxy_amphora:
* timeout_client_data
* timeout_member_connect
* timeout_member_data
* timeout_tcp_inspect
Change-Id: I6e1be42c5c15c4171b012734e4c2a1fded51dbc7
Partial-Bug: 1797130
Story: 2004042
Task: 27046
Currently, Octavia only support three actions for L7Policy,
in this patch we will implement new action for L7Policy.
Story: 2003700
Change-Id: Ie99591ede097b566294ebdb673c460442dd6d942
Add new types into db table.
Extending the existing API, including Listener, Pool, HealthMonitor for
UDP fields support.
For healthmonitor part, need to wait for other patch to fix the default
value.
Patch List:
[1] Finish keepalived LVS jinja template for UDP support
[2] Extend the ability of amp agent for upload/refresh the keepalived
process
[3] Extend the db model and db table with necessary fields for met the new
udp backend
[4] Add logic/workflow elements process in UDP cases
[5] Extend the existing API to access udp parameters in Listener API
[6] Extend the existing pool API to access the new option in
session_persistence fields
Story: 1657091
Task: 5484
Change-Id: If728705f142f4195fe624bd9ef17413722d54fe3
Filtering load balancers by VIP data would raise an internal server
error (500 HTTP) in octavia-api. This patch fixes that as well as pool
filtering by healthmonitor_id.
The patch also adds vip.qos_policy_id to the load balancer filtering
capabilities.
Story: 2001944
Task: 15061
Change-Id: Iaa4877f71e98689b7e92b3e2abb9d7da2c5ca521
The WSME package is not validating null/None fields correctly,
especially for Enum fields.
This patch strengthens the API validaton for health monitors.
It also removes an un-used status update method in the API
controllers.
Change-Id: I892dd81b166e9ab1a26bb80e8b0da1cb2e5c7482
This patch addresses the following:
Fixes some unit tests.
Cleans up some code from the parent patches,
Adds a release note for the provider driver support.
Adds the "List providers" API.
Adds a document listing the know provider drivers.
Adds a provider driver development guide.
Change-Id: I90dc39e5e9d7d5839913dc2dbf187d935ee2b8b5
Story: 1655768
Task: 5165
This patch adds provider driver support to the Octavia v2 API, starting
with the load balancer API.
This patch also creates a provider driver for Octavia, initially fully
implementing the load balancer methods.
Follow on patches will implement the remain parts of the API.
Change-Id: Ia15280827799d1800c23ed76d2af0e3596b9d2f7
Story: 1655768
Task: 5165
This matches neutron-lbaas. This was never actually used, so changing it
should not be an issue hopefully.
Change-Id: If5dfcb291e7fa5c406ea99905f61673786823c8b
This patch adds validation to the pool session persistence options.
It validates the cookie_name specified and whether that option is valid
for the session persistence type specified.
Change-Id: I2f35a1a267bf2fc35bbb93a7f5390213ca20d1a8
Story: 2001818
Task: 12555
Various timeout options need to be exposed to enable use-cases more
complex than standard HTTP requests.
In this patch we expose four new timeout values:
* timeout_client_data
* timeout_member_connect
* timeout_member_data
* timeout_tcp_inspect
Change-Id: Id4667201c1bfaa06f7af9060c936ba00c2f314f9
Story: 1457556
Task: 5453
Setting a member as "backup" means no traffic will be sent to it unless
all non-backup members are marked as down.
This should be essentially the same in every backend provider AFAIU.
This was requested by at least one operator (me) and was agreed during
the PTG to add value.
Story: 2001777
Task: 12483
Change-Id: I953abe71a0988da78efc6b3961f7518c81c2a06d
This also fix build-openstack-sphinx-docs, there was a change introduced
in sphinx 1.6.6:
https://github.com/sphinx-doc/sphinx/pull/4335/files
If the size of __init__.py is less than 2, then the module would be
skipped which will cause the sphinx consistency checking failing later.
Change-Id: I9d8764b6e907aceed8bb8a9b04711145d0eb32ad
This patch extend Octavia v2 API to access qos_policy_id from neutron.
Users can pass it as 'vip_qos_policy_id' to Octavia request body to
create/update Loadbalancers, and the vrrp ports will have the qos
abilities.
This patch modifies the Loadbalancer Post/Put request body and response
body. It also extends the 'vip' table with the new column named
'qos_policy_id' to store the qos_id from neutron.
Co-Authored-By: Reedip <reedip.banerjee@nectechnologies.in>
Change-Id: I43aba9d2ae816b1498d16da077936d6bdb62e30a
This will enable a number of possible features that need to select
amphorae based on their availability zone.
This would allow for quick-lookups on large lists and could be stale,
but it would be expected that future code that uses this would check
with nova for an update if it needs fully accurate data.
Having it be explicitly "cached" should take care of concerns about
users (operators, in this case) being confused about correctness.
Using simply the word "zone" should address concerns about commonality
between compute providers.
Change-Id: I8e26f99bca3496a454ba7bae2570f517e07d5fc2
Story: 2001221
Task: 5732
pylint will be added in fllow up patch
************* Module octavia.api.handlers.controller_simulator.handler
E: 56,21: Too many positional arguments for method call (too-many-function-args)
E: 59,21: Too many positional arguments for method call (too-many-function-args)
E: 93,26: Too many positional arguments for method call (too-many-function-args)
E: 96,26: Too many positional arguments for method call (too-many-function-args)
E:119,24: Too many positional arguments for method call (too-many-function-args)
E:122,24: Too many positional arguments for method call (too-many-function-args)
E:150,20: Too many positional arguments for method call (too-many-function-args)
************* Module octavia.api.v2.types.load_balancer
E: 58,17: Bad first argument 'BaseLoadBalancerType' given to super() (bad-super-call)
************* Module octavia.controller.worker.tasks.amphora_driver_tasks
E:310, 8: Unsupported logging format character 'a' (0x61) at index 31 (logging-unsupported-format)
************* Module octavia.controller.worker.tasks.database_tasks
E:1437,12: Unexpected keyword argument 'provisioning_status' in method call (unexpected-keyword-arg)
E:1437,12: No value for argument 'pool_dict' in method call (no-value-for-parameter)
Change-Id: I2554a5f94f70058000ce33460fbfc6021e735eeb
Administrators can now use /v2.0/octavia/amphorae to retrieve internal
information about amphora details like compute_id and lb_network_ip.
Change-Id: I5ac8d1ce189db09d52e518d42aeb3a192b8a8814
Also fix an incorrect exposure of /healthmonitors on /pools and a badly
ordered flow for member updates.
Change-Id: Id256ea94293519b75983f7a44945ac9bbbf25cd1
Implements: blueprint member-put-list
This patch implements stats to the Octavia API.
It also corrects the path for load balancer status.
Change-Id: I9405857ab4f62664daca13562cc07ee8e1a519c7
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Dawson Coleman