Add field tls_versions to listeners for restricting TLS versions used.
This is a list of versions to be used.
Available values (as defined in octavia-lib):
SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
Add default_listener_tls_versions in octavia.conf.
Note that at this time TLS 1.3 ciphersuites are not implemented,
so any TLS 1.3 connections will use haproxy's default ciphers
instead of what's specified by tls_ciphers.
Change-Id: Ic33d9b9a256490ae1b048cdfd2475d6340509fdb
Story: 2006733
Task: 37170
Task: 37169
Listeners will now be able to each be assigned their own OpenSSL
cipher string with a new field: tls_ciphers. There is also a new
configuration option, default_listener_ciphers, which specifies the
cipher string to assign to new listeners when one is not explicitly
specified.
Change-Id: I77da6f14063877af0077f2c12df1aab5d5ead187
Depends-On: Id5f4c20abd40dd092558a711987953012d4ae67f
Story: 2006627
Task: 36839
This patch extends the listener API to include the new parameter
'allowed_cidrs'. This parameter is a list of IPv4 or IPv6 CIDRs. Leaving
this list unset defaults to the traditional behavior of allowing all
ingress traffic to the listener. Setting it will deny all traffic but
all CIDRs set in the 'allowed_cidrs' list.
Note that the API will validate that all CIDRs match the same IP version
of the VIP. This may change later as part of work to allow multiple VIPs
per LB (Change-Id Id7153dbf33b9616d7af685fcf13ad9a79793c06b).
Task: 26210
Story: 2003686
Change-Id: Id2b560df1cde9ce9403afbd593bbaa6cae5f06d6
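
The 'allowed_cidrs' rules described in the commit message above (unset allows all ingress, every CIDR must share the VIP's IP version), modelled as an added example; this is not Octavia's own code. The function names, the rejection of CIDRs with host bits set, and treating an empty list like an unset one are assumptions of this sketch.

```python
import ipaddress


def validate_allowed_cidrs(allowed_cidrs, vip_address):
    """Return the normalized CIDR list, or None when the list is unset.

    Raises ValueError for a malformed CIDR or one whose IP version
    differs from the VIP's. Hypothetical helper, not an Octavia API.
    """
    if not allowed_cidrs:
        # Unset (assumption: an empty list too) keeps the traditional
        # behavior of allowing all ingress traffic.
        return None
    vip_version = ipaddress.ip_address(vip_address).version
    normalized = []
    for cidr in allowed_cidrs:
        try:
            # strict=True rejects "10.0.0.5/24" (host bits set) instead of
            # silently widening it; a choice made for this example.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            raise ValueError(f"invalid CIDR {cidr!r}: {exc}") from None
        if net.version != vip_version:
            raise ValueError(
                f"CIDR {cidr!r} is IPv{net.version} but the VIP is "
                f"IPv{vip_version}"
            )
        normalized.append(str(net))
    return normalized


def is_allowed(source_ip, allowed_cidrs):
    """Model the listener's ingress decision for one source address."""
    if not allowed_cidrs:
        return True  # no list set: all sources allowed
    addr = ipaddress.ip_address(source_ip)
    # Membership across IP versions is always False, so a v6 client can
    # never match a v4-only list.
    return any(addr in ipaddress.ip_network(c) for c in allowed_cidrs)


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    cidrs = validate_allowed_cidrs(["192.0.2.0/24"], "203.0.113.10")
    for src in ("192.0.2.55", "198.51.100.1", "2001:db8::1"):
        print(src, "->", "allow" if is_allowed(src, cidrs) else "deny")
```
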
The current listener API does not properly handle clearing/resetting
values on update. Some integer only fields, such as connection-limit,
will accept null, but will store the value as "None". These
will cause failures updating the amphora configuration.
This patch corrects this to appropriately handle None/null updates
to the listener parameters.
Change-Id: I41c9bedd8a3452513af3d409fbacd65ea287f02a
Story: 2005374
Task: 30352
Add crl-file in Listener side.
Story: 2002165
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I9e2ec06719fbbfd19482c2b8d39220e7e4ed81e3
Listener API for client certificate authentication with "None,
Optional, Mandatory" options
Story: 2002165
Task: 20019
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: Ia753659981d99b315504f166c09afb8f5b14f195
This patch adds 'client_ca_tls_container_ref' into listener API for front
client authentication.
Story: 2002165
Task: 20018
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I8a96d6fdfe53a16d1abcfd09bc6afedd6c490de2
Add tags support for all lb related resources. It includes:
load balancer, listener, member, pool, L7rule, L7policy
and health-monitor
Change-Id: Ib33a002b3b59820db29897454e9d4303c73310b2
Story: 2003890
Task: 26757
Default timeouts for backend member and frontend
client can be set now via config file.
Timeouts exposed in config in section haproxy_amphora:
* timeout_client_data
* timeout_member_connect
* timeout_member_data
* timeout_tcp_inspect
Change-Id: I6e1be42c5c15c4171b012734e4c2a1fded51dbc7
Partial-Bug: 1797130
Story: 2004042
Task: 27046
Various timeout options need to be exposed to enable use-cases more
complex than standard HTTP requests.
In this patch we expose four new timeout values:
* timeout_client_data
* timeout_member_connect
* timeout_member_data
* timeout_tcp_inspect
Change-Id: Id4667201c1bfaa06f7af9060c936ba00c2f314f9
Story: 1457556
Task: 5453
This patch implements stats to the Octavia API.
It also corrects the path for load balancer status.
Change-Id: I9405857ab4f62664daca13562cc07ee8e1a519c7
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
This patch implements status tree to the Octavia API.
Change-Id: I92a5bb7d1814c79e7d03c75916b5324f1497f2e4
Co-Authored-By: German Eichberger <German.eichberger@rackspace.com>
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
This patch implements API filtering based off of
query parameters passed to the Octavia API. Additionally
this patch implements field selection for the Octavia
API.
Change-Id: I9fe26abe37f464d9c028b8c476485007143d3b5c
Use glance sorting and pagination from inside the SQLAlchemy query
to handle the sorting and pagination for octavia.
Change-Id: I5489c5c89691b8871e32caf3f85ab1978bc3618c
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Co-Authored-By: Lubosz "diltram" Kosnik <lubosz.kosnik@intel.com>
Closes-Bug: #1596628
Closes-Bug: #1596625
Still need to fix the entry-points for each individual type, but that
wasn't even in the original spec. Not sure if we even want that.
I think this may not do things EXACTLY how the old one did it, we'll
need to look into whether it matters, as we never published docs for it
and I don't think it ever actually worked properly in neutron-lbaas.
Also closing a few bugs that are only peripherally related, because we
(possibly me) forgot to tag them on the individual CRs, but I'm
considering them closed as of this patch. See below for my reasoning on
each individual bug, and feel free to post counter-arguments.
For #1673546 (single-call create): This is the obvious one!
For #1673499 (lb return pool object): Rolled into this patch as a matter
of course, abandoned the original fix as it is no longer relevant.
For #1544214 (root tags): All existing resources now have root tags. Any
new ones will also need root tags, but I would consider this bug closed.
For #1596636 (tenant facing API): Every object is now creatable via the
v2 API, so I would consider this to be complete. Quotas and some
additional work is being finished, but it's not necessary for this IMO.
For #1665446 (hm id): This was resolved in the HM patch, I just forgot
to close it, and including it here will ensure it is release-tracked.
For #1685789 (listener quota): Just shoving it in here as I do the
single-create quotas.
For #1685827 (hm quota): Same as listener quota.
Closes-Bug: #1673546
Closes-Bug: #1673499
Closes-Bug: #1544214
Closes-Bug: #1596636
Closes-Bug: #1665446
Closes-Bug: #1685789
Closes-Bug: #1685827
Depends-On: I3d86482a2999197a60a81d42afc5ef7a6e71e313
Change-Id: I4ff03593e1cfd8dca00a13c0550d6cf95b93d746
GET all - /v2.0/lbaas/l7policies/<l7policy-id>
GET one - /v2.0/lbaas/l7policies/<l7policy-id>
POST - /v2.0/lbaas/l7policies {<body>}
PUT - /v2.0/lbaas/l7policies/<l7policy-id> {<body>}
DELETE - /v2.0/lbaas/l7policies/<l7policy-id>
Co-Authored-By: Nakul Dahiwade <nakul.dahiwade@intel.com>
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Partially-Implements: #1616655
Change-Id: I91baf79df16d4a1eefd151ed87ec871b57ac6ef8
GET one - /v2.0/lbaas/listeners/<listener-id>
GET all - /v2.0/lbaas/listeners
POST - /v2.0/lbaas/listeners {<body>}
PUT - /v2.0/lbaas/listeners/<listener_id> {<body>}
DELETE - /v2.0/lbaas/listener/listener_id
Partially-Implements: #1616640
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Co-Authored-By: Ankur Gupta <ankur.gupta@intel.com>
Change-Id: Ia4effb6e37df3ae562b9b25976440f6eb6b0044a