User can specify additional subnet_id/ip_address pairs to bring up on
the VIP port. This will allow for situations like having an LB with both
IPv4+IPv6 or being exposed on both public and a private network.
For UDP/SCTP loadbalancers, mixing IPv4 VIP and IPv6 members is not
supported (IPv6 VIP and IPv4 members as well). It's still possible to
use IPv4 and IPv6 VIPs at the same time in the same loadbalancer but an
IPv4 VIP can only communicate with IPv4 members.
Thanks Michael for help with validating/fixing the templates!
Thanks Gregory for help with the centos networking!
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Co-Authored-By: Gregory Thiemonge <gthiemon@redhat.com>
Co-Authored-By: Brian Haley <haleyb.dev@gmail.com>
Story: 2005608
Task: 30847
Change-Id: Id7153dbf33b9616d7af685fcf13ad9a79793c06b
ALPN is a TLS extension for application-layer protocol negotiation
within the TLS handshake [1].
This patch extends the Pool API to include a new 'alpn_protocols'
parameter. With this parameter, users can set an ALPN preference list
(descending order of preference) to be advertised by load balancer to
members.
This patch also adds HTTP/2 over TLS support to TLS-enabled pools to the
Amphora provider driver, although default the pool ALPN protocol list
configuration setting has HTTP/2 disabled similarly to the default
listener ALPN protocol list value added in Victoria release.
[1] https://tools.ietf.org/html/rfc7301
Change-Id: I91924486bab22601c15c538c8a5282ad8bc54700
This patch adds an amphora delete API. It can be used to delete
extra "spare" amphora after the feature has been disabled.
A followup patch will be required for the amphorav2 path as the
amphorav2 failover patch, which is required for the amphora delete
flow, has not yet merged.
Story: 2008014
Task: 40666
Change-Id: I32b6561c78c153a4b7e73b1a4b83e045fbe97fb6
ALPN is a TLS extension for application-layer protocol negotiation
within the TLS handshake [1].
This patch extends the Listener API to include a new 'alpn_protocols'
parameter. With this parameter, users can set an ALPN preference list
(descending order of preference).
Presently, the amphora provider driver is limited to http/1.0 and
http/1.1 ALPN protocol IDs. Support for "h2" (HTTP/2 over TLS) depends
on HAProxy 2.0 or newer.
[1] https://tools.ietf.org/html/rfc7301
Change-Id: If08a8169498cdfaa75440e8971ba0caff45ac4c4
Current octavia has no l7policy and l7rule quota definitions. But
they are necessary for some scenarios. For example, implement
product design compatible with Neutron Lbaas.
Story: 2003382
Task: 24457
Change-Id: I09ee23dcb83f5f08a56e25cc05ff77caa3ad4230
Add field tls_versions to pools for restricing TLS versions used.
This is a colon-separated string of versions to be used.
Available values (as defined in octavia-lib):
SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
Add default_pool_tls_versions in octavia.conf
Note: TLSv1.3 connections will use haproxy's default ciphers
instead of the listener's tls_ciphers field
Change-Id: I480b7fb9756d98ba9dbcdfd1d4b193ce6868e291
Story: 2006733
Task: 37173
Depends-On: Ic33d9b9a256490ae1b048cdfd2475d6340509fdb
Add field tls_versions to listeners for restricting TLS versions used.
This is a list of versions to be used.
Available values (as defined in octavia-lib):
SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
Add default_listener_tls_versions in octavia.conf.
Note that at this time TLS 1.3 ciphersuites are not impelemented,
so any TLS 1.3 connections will use haproxy's default ciphers
instead of what's specified by tls_ciphers.
Change-Id: Ic33d9b9a256490ae1b048cdfd2475d6340509fdb
Story: 2006733
Task: 37170
Task: 37169
Pools can now be each be assigned an OpenSSL cipher string with the
field tls_ciphers. A new configuration option, default_pool_ciphers,
specifies what cipher string to use for new tls-enabled pools
if one is not explicitly specified at time of creation.
Change-Id: Iedb7774bfb8d70ea307d6a513248e1fe2389fa34
Depends-On: I77da6f14063877af0077f2c12df1aab5d5ead187
Story: 2006627
Task: 37172
Listeners will now be able to each be assigned their own OpenSSL
cipher string with a new field: tls_ciphers. There is also a new
configuration option, default_listener_ciphers, which specifies the
cipher string to assign to new listeners when one is not explicitly
specified.
Change-Id: I77da6f14063877af0077f2c12df1aab5d5ead187
Depends-On: Id5f4c20abd40dd092558a711987953012d4ae67f
Story: 2006627
Task: 36839
Adds the ability for admins to create/manage availability_zones
and profiles for use with upcoming functionality. Works like flavors.
Depends-On: https://review.opendev.org/#/c/694057/
Change-Id: I468d9fdf8c9d0898f9e30f04ac233510a10a53fc
This patch extends the listener API to include the new parameter
'allowed_cidrs'. This parameter is a list of IPv4 or IPv6 CIDRs. Leaving
this list unset defaults to the traditional behavior of allowing all
ingress traffic to the listener. Setting it will deny all traffic but
all CIDRs set in the 'allowed_cidrs' list.
Note that the API will validate that all CIDRs match the same IP version
of the VIP. This may change later as part of work to allow multiple VIPs
per LB (Change-Id Id7153dbf33b9616d7af685fcf13ad9a79793c06b).
Task: 26210
Story: 2003686
Change-Id: Id2b560df1cde9ce9403afbd593bbaa6cae5f06d6
There is a typographical error in healthmonitors-list-response.json.
Correcting spelling from http_vesion to http_version.
Task: 36020
Story: 2006304
Change-Id: I6be0a593b1deb43f8aba982043ebf427be57d937
This patch adds 2 new options for healthmonitor HTTP health check.
'http_version' is for user to specify the HTTP version, 1.0 and 1.1 are
available.
'domain_name' is for user to specify the HTTP host header inject to check
the HTTP backend health.
'domain_name' only available when HTTP version is 1.1
Story: 2002160
Task: 20010
Change-Id: Id3bf3962a02fbf77cf886c40ac64588cbacd3832
Currently, L7Policy already support the redirection by url_prefix.
Then we can support the redirection with HTTP code.
This patch adds an new option 'redirect_http_code' to L7Policy API.
Story: 2003609
Task: 24941
Change-Id: Id0c9c376ffbc2fb10ddb988537d0ef1a8205e586
Add "tls_enabled" option in Pool API.
This option will work on cert cases or no cert cases.
Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I62e31aaa66748ba652dfd5dbfd5a8b06d9ba0dfe
Add tls_ca_container_id and crl_container_id into Pool API.
Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I6cd6e2ca8e48a5df707a70d22505dec9d752c7eb
Add 1 fields like Listener does, which is 'tls_container_ref', this
field is introduced into Pool for storage the pool client certificate to
the backend servers, when the traffic willing to bring a cert to the
servers and check for tls connection.
Story: 2003859
Task: 26685
Change-Id: I29b7c7116e6087c942179ed9efdead494ef277a3
Add crl-file in Listener side.
Story: 2002165
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I9e2ec06719fbbfd19482c2b8d39220e7e4ed81e3
Listener API for client cerificate authentication with "None,
Optional, Mandatory" options
Story: 2002165
Task: 20019
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: Ia753659981d99b315504f166c09afb8f5b14f195
This patch add 'client_ca_tls_container_ref' into listener API for front
client authentication.
Story: 2002165
Task: 20018
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I8a96d6fdfe53a16d1abcfd09bc6afedd6c490de2
This patch adds an API that allows operators to query a provider driver
for the list of supported flavor capabilities.
Change-Id: Ia3d62acdc3b1af2e666f58d32a06d2238706dee6
Operators want to have the ability to see amphora flavor information.
But they haven't access permisson of octavia configuration file. So
it is necessary to show amphora flavor information as part of command
'openstack loadbalancer amphora list/show'.
Story: 2002896
Task: 22986
Change-Id: Ib3ca05d816747d08ef7055ec532b81746468cbf9
Add tags support for all lb related resources. It includes:
load balancer, listener, member, pool, L7rule, L7policy
and health-monitor
Change-Id: Ib33a002b3b59820db29897454e9d4303c73310b2
Story: 2003890
Task: 26757
Currently, Octavia only support three actions for L7Policy,
in this patch we will implement new action for L7Policy.
Story: 2003700
Change-Id: Ie99591ede097b566294ebdb673c460442dd6d942
This patch addresses the following:
Fixes some unit tests.
Cleans up some code from the parent patches,
Adds a release note for the provider driver support.
Adds the "List providers" API.
Adds a document listing the know provider drivers.
Adds a provider driver development guide.
Change-Id: I90dc39e5e9d7d5839913dc2dbf187d935ee2b8b5
Story: 1655768
Task: 5165
This matches neutron-lbaas. This was never actually used, so changing it
should not be an issue hopefully.
Change-Id: If5dfcb291e7fa5c406ea99905f61673786823c8b
Various timeout options need to be exposed to enable use-cases more
complex than standard HTTP requests.
In this patch we expose four new timeout values:
* timeout_client_data
* timeout_member_connect
* timeout_member_data
* timeout_tcp_inspect
Change-Id: Id4667201c1bfaa06f7af9060c936ba00c2f314f9
Story: 1457556
Task: 5453
Setting a member as "backup" means no traffic will be sent to it unless
all non-backup members are marked as down.
This should be essentially the same in every backend provider AFAIU.
This was requested by at least one operator (me) and was agreed during
the PTG to add value.
Story: 2001777
Task: 12483
Change-Id: I953abe71a0988da78efc6b3961f7518c81c2a06d
This patch extend Octavia v2 API to access qos_policy_id from neutron.
Users can pass it as 'vip_qos_policy_id' to Octavia request body to
create/update Loadbalancers, and the vrrp ports will have the qos
abilities.
This patch modifies the Loadbalancer Post/Put request body and response
body. It also extends the 'vip' table with the new column named
'qos_policy_id' to store the qos_id from neutron.
Co-Authored-By: Reedip <reedip.banerjee@nectechnologies.in>
Change-Id: I43aba9d2ae816b1498d16da077936d6bdb62e30a
The name of the remove_quota API call is misleading.
The real purpose of this call is to reset the quota
to its default value, not to remove it.
This patch is limited to the title of the call in v2,
and it does not modify the REST API in any way.
Task: 5868
Story: 2001295
Change-Id: Idfb1f3c3fe90d71434d0bb6a973e146ea3dea67c
This will enable a number of possible features that need to select
amphorae based on their availability zone.
This would allow for quick-lookups on large lists and could be stale,
but it would be expected that future code that uses this would check
with nova for an update if it needs fully accurate data.
Having it be explicitly "cached" should take care of concerns about
users (operators, in this case) being confused about correctness.
Using simply the word "zone" should address concerns about commonality
between compute providers.
Change-Id: I8e26f99bca3496a454ba7bae2570f517e07d5fc2
Story: 2001221
Task: 5732
Administrators can now use /v2.0/octavia/amphorae to retrieve internal
information about amphora details like compute_id and lb_network_ip.
Change-Id: I5ac8d1ce189db09d52e518d42aeb3a192b8a8814
Also fix an incorrect exposure of /healthmonitors on /pools and a badly
ordered flow for member updates.
Change-Id: Id256ea94293519b75983f7a44945ac9bbbf25cd1
Implements: blueprint member-put-list
This will allow an operator to force the failover of a load
balancer's underlying amphora for upgrades or other
maintenance.
- Adds a new failover endpoint to the queue
- Adds the functionality to the worker
- Adds the failover command to the producer
- Adds a failover controller so
/lodabalancer/123/failover will initiate
a failover and return 202
- Adds logic to insert the server group into the
failover flow
Change-Id: Ic4698066773828ae37b55a8d79bd2df6fc6624be
This patch adds the L7 policy section to the v2 API reference.
This patch also updates the child object create error code lists to
include 409 as a possible error code.
Change-Id: I6cb469c65832af3440c18dc71c7786a8fbf9bd2b
Partial-Bug: #1558385
