We have an IdMixin. All the other objects with an ID here use it.
No point in inconsistently defining 'id' with the Amphora model.
Change-Id: I7758c08536e13d3ef653a604bcc74e1896c7d143
Each config option has limitations on type and value.
In production code, oslo.conf can ensure user's input
is valid, but in unit test, test methods can pass if
we use method CONF.set_override without parameter
enforce_type=True even if we pass wrong type or wrong
value to config option. This commit makes sure calling
method CONF.set_override with enforce_type=True.
Change-Id: I1e4f2aa5797ba8582a5637cd86c6b2b626daa923
Closes-Bug: #1517839
This makes more sense and also suppresses the error messages when
launching the service returned from oslo_messaging.get_rpc_server
service. Instead of that service wait() being called, the Consumer's
wait will be called.
Change-Id: I63816e92fbe26a4213946e6ab584531bdc3b7dd2
Closes-Bug: #1527418
There were some bad unit tests that would fail depending on the test
order. This would intermittently cause gate failures.
This patch corrects those unit tests.
Closes-Bug: #1526942
Change-Id: Id80a0a1a71a8248e5709f7df8c9af6a93a412f93
Current code to install diskimage-builder requirements in
devstack does not pass on environment settings to sudo, which can
cause the pip install to fail behind a proxy.
This happens when the user has http_proxy/https_proxy values set
but not for root. The stack.sh runs and installs for a while,
before failing on the Octavia diskimage-builder.
Change-Id: I196aca7004ea0eed713877e54ba10dcfe1d343e7
Closes-Bug: #1526108
The project_id (formerly tenant_id) was not actually allowed as an
attribute of any entity on create nor would it be returned as details
of an entity. project_id will be used in the future and is just
overall good to have.
This also accepts request headers to set the project_id if they are passed in
and no tenant_id is provided in the body.
Change-Id: I6408b7863409870b502de03af35692b065b2c6dc
This was meant to be done in a prior review but the author of that review (me)
was not thinking clearly when he did not include them as part of that rename.
Change-Id: Ibae52777921adcfa3e6835274d61670b4091ca39
flows have been optimized to limit the amount of data being stored.
* member object is stored in flow, hence member_id can easily be retrieved
* same with vip and load_balancer
Change-Id: I85c1f55dc7faa412dcb649bd09a845c674ea853c
Closes-Bug: #1461686
There is now a new configuration option "barbican_auth" in the
certificates section, to specify which auth plugin to use when
communicating with Barbican. This is because the default option (using
ACLs inside Barbican to control access) should be ok as a default
workflow, but it might be required to use other methods depending on
your deployment. For example, another possible auth method would be
BarbicanTrustAuth, utilizing Keystone Trusts.
Some deployers may need custom auth methods that do not exist in
upstream Keystone, and will need their own Auth plugin. This should be in line
with the way Octavia's network and compute drivers work already.
While we're in this file, prune the unused (and really bad) method that
would *actually* delete certs from Barbican (not in our scope).
Also do the tenant_id -> project_id rename.
Change-Id: Ic9aef68924bb5c216734afd25403e59476c576e7
upstart was hardcoded as the means of start, stopping and reloading
of haproxy. Allow for sysvinit scripts and paths to handle haproxy.
This patch provides a configuration option to switch
between the default upstart init scripts or sysvinit.
Change-Id: I9efe51c5a08d8e2268150d69ac25725c708dfb8e
Since OpenStack is going through renaming tenants to projects
it is best that we do this now while it's easier before it becomes
bigger and harder to do.
This also adds project_id to the health_monitor table and models
since this seemed like an oversight.
Change-Id: Icc8034dcb517a3f8d218d83c94e4a2dcc977cc29
This patch enables nopreempt for active/standby topology amphora.
This reduces the need to migrate the IP between the active and standby
amphora. This is important for amphora that are using TLS offload.
When a MASTER amphora fails over to a BACKUP amphora the IP address
migrates to the BACKUP which becomes the new MASTER.
With this patch, should the original MASTER come back up, the IP will not
migrate back to the original MASTER until the BACKUP fails.
Current behavior is when the original MASTER comes back up the IP
will migrate back to it.
Change-Id: Ib9f5ecd92f37299c7ae5cbb607f4f9df9106409f
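
The failover behaviour described in the commit message above, replayed as an added example (not code from the Octavia patch or from keepalived). It is a toy model of VRRP election; the node names, priorities and event list are constructed for illustration.

```python
# Added illustration: a toy model of VRRP election, not keepalived or Octavia code.
# Node names, priorities and the event list are constructed for this example.
PRIORITY = {"amp-master": 100, "amp-backup": 90}

# (amphora, is_up) transitions: the original MASTER flaps twice, then the BACKUP fails.
EVENTS = [("amp-master", False), ("amp-master", True),
          ("amp-master", False), ("amp-master", True),
          ("amp-backup", False)]


def vip_history(events, nopreempt):
    """Return the VIP holder at the start and after each event."""
    up = {name: True for name in PRIORITY}
    holder = max(PRIORITY, key=PRIORITY.get)      # highest priority starts as MASTER
    history = [holder]
    for name, is_up in events:
        up[name] = is_up
        alive = [n for n in PRIORITY if up[n]]
        best = max(alive, key=PRIORITY.get) if alive else None
        if holder is None or not up[holder]:
            holder = best                         # current holder failed: fail over
        elif not nopreempt:
            holder = best                         # preempt: highest priority takes the VIP back
        # with nopreempt a healthy holder keeps the VIP
        history.append(holder)
    return history


def migrations(history):
    """Count how often the VIP moved to a different amphora."""
    return sum(1 for prev, cur in zip(history, history[1:])
               if cur != prev and cur is not None)


if __name__ == "__main__":
    for mode in (False, True):
        h = vip_history(EVENTS, nopreempt=mode)
        print("nopreempt" if mode else "preempt  ", h, "migrations:", migrations(h))
```
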
In the dependent patch we pinned the amphora-agent to pull the patch set
version so that scenario tests will pass. This patch removes that pin.
Change-Id: I1421939423916fd9dd5dc6f754a87e316ec7c110
This patch implements the Active/Standby blueprint in
https://blueprints.launchpad.net/octavia/+spec/activepassiveamphora
The following points describe the main changes:
1. The patch introduces new flows and subflows to create M amphorae. The
controller worker parses the loadbalancer_topology configuration. If the
loadbalancer_topology value is ACTIVE_STANDBY, the controller invokes a new flow
independent from the SINGLE topology case, which is left untouched. The new
flow uses conditional taskflows to check for spare amphorae at runtime. This
removes the need for the exception workaround we earlier had. The controller
creates the amphorae in parallel using an unordered flow. A new database task
alters an amphora role as either MASTER or BACKUP and assigns a VRRP priority to
each amphora. After the amphorae are created, the controller invokes a separate
flow for post amphora configuration including plug_vip methods, vrrp
configuration upload, and keepalived service start.
2. The patch introduces new data models that include a new table for VRRP group
configuration per loadbalancer, and update the amphora, loadbalancer, and
listener tables to support the new active/standby capability. The VRRPGroup
table hides authentication data, and makes future extensions of VRRP
capabilities easy.
3. This patch updates the existing Haproxy configuration templates to include
peer synchronization. In case of ACTIVE_STANDBY configuration, the jinja
configuration renders the peer section in the Haproxy configuration and assigns
short names to the amphorae as listener peers. As each listener implies a different
Haproxy process, each listener synchronizes on a different port evaluated as
BASE_PORT (1024) + NUMBER_OF_LISTENERS accounting for ports in use.
4. This patch introduces a new Jinja configuration templater and a REST driver
for Keepalived (developed as a Mixin). By default, Keepalived runs "all" check
scripts found in a predefined directory. The keepalived driver is a Mixin that
can be plugged in other services' drivers. It is the responsibility of these
services' drivers to introduce their own check scripts. In this patch a
lightweight check script for Haproxy was introduced along with changes in the
amphora agent installation script.
5. The VRRP requires enabling protocol 112 for Master/Backup advertisements,
and enabling protocol 51 for authentication header. This patch enables these
protocols as needed in the loadbalancer security group.
Note: Updates to the failover flow to support active/standby will come in
a dependent patch.
Note: The amphora-agent is pinned to this patch in this patch set. This
is required so the scenario tests will pass. It will be removed in a
follow up patch.
Co-Authored-By: Sherif Abdelwahab <sherif.abdelwahab@hp.com>
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Implements: blueprint activepassiveamphora
Depends-On: Ifdf20378b26cdd13e0a3ff87cec8990fe89c0661
Change-Id: Ic4e04594e114ba682088d68d5f1af3f8f376db83
Use Anchor for certificate signing to make the octavia communication
more secure. Anchor Ref url: https://github.com/openstack/anchor
Co-Authored-By: bharath <bharath.stacker@gmail.com>
Co-Authored-By: German Eichberger <german.eichberger@hp.com>
Change-Id: Id77b2b1540377db661f15d4eeafc4922f446d987
The goal of this patch is to add the function that once we detect an
amphora's cert will expire in 2 weeks from utcnow, we will update its
cert with a new one and update its db information at the same time.
In order to achieve this target, I made the following changes:
* Add 2 new columns cert_busy and cert_expiration in amphora table
* Add methods to get cert expiration date from PEM server_pem and
  update db info
* Use the new REST agent method to perform cycling
* Add process in housekeeping to facilitate rotation
* Add unit tests
Change-Id: I28578a3e560ee09ba300788a5423863c893b8638
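
A housekeeping pass of the kind the commit message above describes, as an added example (not the Octavia implementation). It assumes cert_busy acts as a claim flag so that concurrent housekeeping workers skip a row already being rotated; the in-memory rows, the one-year lifetime and the fake_upload helper are hypothetical stand-ins for the amphora table and the REST agent call.

```python
# Added illustration, not Octavia code. Rows, lifetime and fake_upload are constructed.
from datetime import datetime, timedelta

ROTATION_WINDOW = timedelta(weeks=2)       # "expire in 2 weeks from utcnow"
NEW_CERT_LIFETIME = timedelta(days=365)    # assumed lifetime of the replacement cert


def sample_amphorae(now):
    """Constructed stand-in for the amphora table."""
    return [
        {"id": "amp-1", "cert_expiration": now + timedelta(days=3), "cert_busy": False},
        {"id": "amp-2", "cert_expiration": now + timedelta(days=90), "cert_busy": False},
        {"id": "amp-3", "cert_expiration": now + timedelta(days=10), "cert_busy": True},
        {"id": "amp-4", "cert_expiration": now + timedelta(days=1), "cert_busy": False},
    ]


def fake_upload(amp_id):
    """Hypothetical stand-in for the REST agent call; amp-4 is unreachable."""
    if amp_id == "amp-4":
        raise ConnectionError("amphora agent unreachable")


def claim_expiring(amphorae, now):
    """Claim rows that expire inside the window and are not already claimed."""
    cutoff = now + ROTATION_WINDOW
    claimed = []
    for amp in amphorae:
        if not amp["cert_busy"] and amp["cert_expiration"] <= cutoff:
            amp["cert_busy"] = True        # assumed meaning: another worker must skip this row
            claimed.append(amp)
    return claimed


def rotate_certs(amphorae, now, upload_cert):
    """Rotate every claimed cert; record the new expiry only after a successful upload."""
    rotated, failed = [], []
    for amp in claim_expiring(amphorae, now):
        try:
            upload_cert(amp["id"])
            amp["cert_expiration"] = now + NEW_CERT_LIFETIME
            rotated.append(amp["id"])
        except ConnectionError:
            failed.append(amp["id"])       # old expiry kept, so the next pass retries
        finally:
            amp["cert_busy"] = False       # always release the claim
    return rotated, failed
```
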
The test was slightly incorrect to begin with, but the issue didn't
become apparent until the oslo.log update from 1.13.0 to 2.0.0 for
whatever reason. open() raises IOError() not Exception() so it was not
being handled properly.
Also taking this opportunity to standardize the use of builtins to
match our other tests.
Change-Id: Idab637b09e8a437333f810f82f45b3e9c027dfdd