Commit Graph

22 Commits (8ae82a47e1928f99dd32f08785f876b3d1d9c3cb)

Author SHA1 Message Date
Dawson Coleman 6aad5d8b9f Add TLS version configuration for listeners
Add field tls_versions to listeners for restricting TLS versions used.
This is a list of versions to be used.
Available values (as defined in octavia-lib):
SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

Add default_listener_tls_versions in octavia.conf.

Note that at this time TLS 1.3 ciphersuites are not implemented,
so any TLS 1.3 connections will use haproxy's default ciphers
instead of what's specified by tls_ciphers.

Change-Id: Ic33d9b9a256490ae1b048cdfd2475d6340509fdb
Story: 2006733
Task: 37170
Task: 37169
3 years ago
Dawson Coleman cd176e55c5 Add ability to set TLS cipher list for listeners
Listeners will now be able to each be assigned their own OpenSSL
cipher string with a new field: tls_ciphers.  There is also a new
configuration option, default_listener_ciphers, which specifies the
cipher string to assign to new listeners when one is not explicitly
specified.

Change-Id: I77da6f14063877af0077f2c12df1aab5d5ead187
Depends-On: Id5f4c20abd40dd092558a711987953012d4ae67f
Story: 2006627
Task: 36839
3 years ago
Carlos Goncalves f3b48bc2f7 Add VIP access control list
This patch extends the listener API to include the new parameter
'allowed_cidrs'. This parameter is a list of IPv4 or IPv6 CIDRs. Leaving
this list unset defaults to the traditional behavior of allowing all
ingress traffic to the listener. Setting it will deny all traffic but
all CIDRs set in the 'allowed_cidrs' list.

Note that the API will validate that all CIDRs match the same IP version
of the VIP. This may change later as part of work to allow multiple VIPs
per LB (Change-Id Id7153dbf33b9616d7af685fcf13ad9a79793c06b).

Task: 26210
Story: 2003686

Change-Id: Id2b560df1cde9ce9403afbd593bbaa6cae5f06d6
4 years ago
Michael Johnson 930a3236bf Fix listener API handling of None/null updates
The current listener API does not properly handle clearing/resetting
values on update. Some integer only fields, such as connection-limit,
will accept null, but will store the value as "None". These
will cause failures updating the amphora configuration.

This patch corrects this to appropriately handle None/null updates
to the listener parameters.

Change-Id: I41c9bedd8a3452513af3d409fbacd65ea287f02a
Story: 2005374
Task: 30352
4 years ago
ZhaoBo 20509e2337 Add crl-file option for certification
Add crl-file in Listener side.

Story: 2002165
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I9e2ec06719fbbfd19482c2b8d39220e7e4ed81e3
4 years ago
ZhaoBo 7a8eb3ce22 Add an option to the Octavia V2 listener API for client cert
Listener API for client certificate authentication with "None,
Optional, Mandatory" options

Story: 2002165
Task: 20019
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: Ia753659981d99b315504f166c09afb8f5b14f195
4 years ago
ZhaoBo 0cc546a7c7 Add client_ca_tls_container_ref to listener API
This patch adds 'client_ca_tls_container_ref' into listener API for front
client authentication.

Story: 2002165
Task: 20018
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I8a96d6fdfe53a16d1abcfd09bc6afedd6c490de2
4 years ago
wangxiyuan d62189366c Tags support for lb resources
Add tags support for all lb related resources. It includes:
load balancer, listener, member, pool, L7rule, L7policy
and health-monitor

Change-Id: Ib33a002b3b59820db29897454e9d4303c73310b2
Story: 2003890
Task: 26757
5 years ago
Kamil Sambor 8923935df2 Add possibilities to set default timeouts
Default timeouts for backend member and frontend
client can be set now via config file.
Timeouts exposed in config in section haproxy_amphora:
 * timeout_client_data
 * timeout_member_connect
 * timeout_member_data
 * timeout_tcp_inspect

Change-Id: I6e1be42c5c15c4171b012734e4c2a1fded51dbc7
Partial-Bug: 1797130
Story: 2004042
Task: 27046
5 years ago
Adam Harwell bb0447e98b Expose timeout options
Various timeout options need to be exposed to enable use-cases more
complex than standard HTTP requests.

In this patch we expose four new timeout values:
* timeout_client_data
* timeout_member_connect
* timeout_member_data
* timeout_tcp_inspect

Change-Id: Id4667201c1bfaa06f7af9060c936ba00c2f314f9
Story: 1457556
Task: 5453
5 years ago
Jude Cross f5ea8ac085 Add statistics to V2 API
This patch implements stats to the Octavia API.

It also corrects the path for load balancer status.

Change-Id: I9405857ab4f62664daca13562cc07ee8e1a519c7
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
6 years ago
Jude Cross ee08aaff56 Add status tree to V2 API
This patch implements status tree to the Octavia API.

Change-Id: I92a5bb7d1814c79e7d03c75916b5324f1497f2e4
Co-Authored-By: German Eichberger <German.eichberger@rackspace.com>
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
6 years ago
Jude Cross 487750a877 Add filtering and field selection to API
This patch implements API filtering based off of
query parameters passed to the Octavia API. Additionally
this patch implements field selection for the Octavia
API.

Change-Id: I9fe26abe37f464d9c028b8c476485007143d3b5c
6 years ago
Adam Harwell 8fb7c17572 Pool name/desc needs to be "" when empty, not null
Switch to catching and filling these at the base types layer.

Change-Id: I0ade22b9e9ec0cfa456f0fe263d1cdd726d6a78e
6 years ago
Carlos D. Garza 9bfa58af9f Implement sorting and pagination for octavia
Use glance sorting and pagination from inside the SQLAlchemy query
to handle the sorting and pagination for octavia.

Change-Id: I5489c5c89691b8871e32caf3f85ab1978bc3618c
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Co-Authored-By: Lubosz "diltram" Kosnik <lubosz.kosnik@intel.com>
Closes-Bug: #1596628
Closes-Bug: #1596625
6 years ago
Adam Harwell fb0da76c27 Add support for single-create for APIv2
Still need to fix the entry-points for each individual type, but that
wasn't even in the original spec. Not sure if we even want that.

I think this may not do things EXACTLY how the old one did it, we'll
need to look into whether it matters, as we never published docs for it
and I don't think it ever actually worked properly in neutron-lbaas.

Also closing a few bugs that are only peripherally related, because we
(possibly me) forgot to tag them on the individual CRs, but I'm
considering them closed as of this patch. See below for my reasoning on
each individual bug, and feel free to post counter-arguments.

For #1673546 (single-call create): This is the obvious one!
For #1673499 (lb return pool object): Rolled into this patch as a matter
of course, abandoned the original fix as it is no longer relevant.
For #1544214 (root tags): All existing resources now have root tags. Any
new ones will also need root tags, but I would consider this bug closed.
For #1596636 (tenant facing API): Every object is now creatable via the
v2 API, so I would consider this to be complete. Quotas and some
additional work is being finished, but it's not necessary for this IMO.
For #1665446 (hm id): This was resolved in the HM patch, I just forgot
to close it, and including it here will ensure it is release-tracked.
For #1685789 (listener quota): Just shoving it in here as I do the
single-create quotas.
For #1685827 (hm quota): Same as listener quota.

Closes-Bug: #1673546
Closes-Bug: #1673499
Closes-Bug: #1544214
Closes-Bug: #1596636
Closes-Bug: #1665446
Closes-Bug: #1685789
Closes-Bug: #1685827

Depends-On: I3d86482a2999197a60a81d42afc5ef7a6e71e313

Change-Id: I4ff03593e1cfd8dca00a13c0550d6cf95b93d746
6 years ago
Adam Harwell ed8867692f Purge more tenant_id references that I missed
Change-Id: I3adfeec5d4512bba9e7a640653346addb5eb3d19
6 years ago
Adam Harwell 7f6c1b5016 project_id should remain in the response for v2 objects
Also, finally completely remove tenant_id!

Change-Id: I435ace4d2bffdf323238b57499eba39e03de90f3
6 years ago
Adam Harwell c46535d2fb Correct some v2 Listener response entries
Closes-Bug: #1681564
Closes-Bug: #1681565
Change-Id: I632f6cfef37175ce860c6bf3abb2049f93d6b9c0
6 years ago
Nir Magnezi dc90f52a74 Fix imports in v2 listener types
Change-Id: I4fcd6e720d2e3c332c31d5e1d7b3c56f3b4b1452
6 years ago
Sindhu Devale c9daa3ff6e Align Octavia API to n-lbaasv2 for L7Policy
GET all - /v2.0/lbaas/l7policies/<l7policy-id>
GET one - /v2.0/lbaas/l7policies/<l7policy-id>
POST - /v2.0/lbaas/l7policies {<body>}
PUT - /v2.0/lbaas/l7policies/<l7policy-id> {<body>}
DELETE - /v2.0/lbaas/l7policies/<l7policy-id>

Co-Authored-By: Nakul Dahiwade <nakul.dahiwade@intel.com>
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>

Partially-Implements: #1616655

Change-Id: I91baf79df16d4a1eefd151ed87ec871b57ac6ef8
6 years ago
Sindhu Devale 3eedc728f1 Octavia v2 API for listeners
GET one - /v2.0/lbaas/listeners/<listener-id>
GET all - /v2.0/lbaas/listeners
POST - /v2.0/lbaas/listeners {<body>}
PUT - /v2.0/lbaas/listeners/<listener_id> {<body>}
DELETE - /v2.0/lbaas/listener/listener_id

Partially-Implements: #1616640
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Co-Authored-By: Ankur Gupta <ankur.gupta@intel.com>
Change-Id: Ia4effb6e37df3ae562b9b25976440f6eb6b0044a
6 years ago