The project_id (formerly tenant_id) was not actually allowed as an
attribute of any entity on create nor would it be returned as details
of an entity. project_id will be used in the future and is just
overall good to have.
This also accepts request headers to set the project_id if they are passed in
and no tenant_id is provided in the body.
Change-Id: I6408b7863409870b502de03af35692b065b2c6dc
This was meant to be done in a prior review but the author of that review (me)
was not thinking clearly when he did not include them as part of that rename.
Change-Id: Ibae52777921adcfa3e6835274d61670b4091ca39
flows have been optimized to limit the amount of data being stored.
* member object is stored in flow, hence member_id can easily be retrieved
* same with vip and load_balancer
Change-Id: I85c1f55dc7faa412dcb649bd09a845c674ea853c
Closes-Bug: #1461686
There is now a new configuration option "barbican_auth" in the
certificates section, to specify which auth plugin to use when
communicating with Barbican. This is because the default option (using
ACLs inside Barbican to control access) should be ok as a default
workflow, but it might be required to use other methods depending on
your deployment. For example, another possible auth method would be
BarbicanTrustAuth, utilizing Keystone Trusts.
Some deployers may need custom auth methods that do not exist in
upstream Keystone, and will need their own Auth plugin. This should be in line
with the way Octavia's network and compute drivers work already.
While we're in this file, prune the unused (and really bad) method that
would *actually* delete certs from Barbican (not in our scope).
Also do the tenant_id -> project_id rename.
Change-Id: Ic9aef68924bb5c216734afd25403e59476c576e7
upstart was hardcoded as the means of start, stopping and reloading
of haproxy. Allow for sysvinit scripts and paths to handle haproxy.
This patch provides a configuration option to switch
between the defaultl upstart init scripts or sysvinit.
Change-Id: I9efe51c5a08d8e2268150d69ac25725c708dfb8e
Since openstack is going through renaming tenants to projects
it is best that we do this now while its easier before it becomes
bigger and harder to do.
This also adds project_id to the health_monitor table and models
since this seemed like an oversight.
Change-Id: Icc8034dcb517a3f8d218d83c94e4a2dcc977cc29
This patch enables nopreempt for active/standby topology amphora.
This reduces the need to migrate the IP between the active and standby
amphora. This is important for amphora that are using TLS offload.
When a MASTER amphora fails over to a BACKUP amphora the IP address
migrates to the BACKUP which becomes the new MASTER.
With this patch, should the original MASTER come back up, the IP will not
migrate back to the original MASTER until the BACKUP fails.
Current behavior is when the original MASTER comes back up the IP
will migrate back to it.
Change-Id: Ib9f5ecd92f37299c7ae5cbb607f4f9df9106409f
In the dependent patch we pinned the amphora-agent to pull the patch set
version so that scenario tests will pass. This patch removes that pin.
Change-Id: I1421939423916fd9dd5dc6f754a87e316ec7c110
This patch implements the Active/Standby blueprint in
https://blueprints.launchpad.net/octavia/+spec/activepassiveamphora
The following points describe the main changes:
1. The patch introduces new flows and subflows to create M amphorae. The
controller worker parses the loadbalancer_topology configuration. If the
loadbalancer_topology value is ACTIVE_STANDBY, the controller invokes a new flow
independent from the SINGLE topology case, which is left untouched. The new
flow uses conditional taskflows to check for spare amphorae at runtime. This
removes the need for the exception workaround we earlier had. The controller
creates the amphorae in parallel using an unordered flow. A new database task
alter an amphora role as either MASTER or BACKUP and assigns a VRRP priority to
each amphora. After the amphorae are created, the controller invokes a separate
flow for post amphora configuration including plug_vip methods, vrrp
configuration upload, and keepalived service start.
2. The patch introduces new data models that include a new table for VRRP group
configuration per loadbalancer, and update the amphora, loadbalancer, and
listener tables to support the new active/standby capability. The VRRPGroup
table hides authentication data, and makes future extensions of VRRP
capabilities easy.
3. This patch updates the existing Haproxy configuration templates to include
peer synchronization. In case of ACTIVE_STANDBY configuration, the jinja
configuration renders the peer section in the Haproxy configuration and assigns
short names to the amphorae as listener peers. As listeners implies different
Haproxy process, each listener synchronizes on a different port evaluated as
BASE_PORT (1024) + NUMBER_OF_LISTENERS accounting for ports in use.
4. This patch introduces a new Jinja configuration templater and a REST driver
for Keepalived (developed as a Mixin). By default, Keepalived runs "all" check
scripts found in a predefined directory. The keepalived driver is a Mixin that
can be plugged in other services' drivers. It is the responsibility of these
services drivers to introduce their own check scripts. In this patch a
lightweight check script for Haproxy was introduced along with changes in the
amphora agent installation script.
5. The VRRP requires enabling protocol 112 for Master/Backup advertisements,
and enabling protocol 51 for authentication header. This patch enables these
protocols as needed in the loadbalancer security group.
Note: Updates to the failover flow to support active/standby will come in
a dependent patch.
Note: The amphora-agent is pinned to this patch in this patch set. This
is required so the scenario tests will pass. It will be removed in a
follow up patch.
Co-Authored-By: Sherif Abdelwahab <sherif.abdelwahab@hp.com>
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Implements: blueprint activepassiveamphora
Depends-On: Ifdf20378b26cdd13e0a3ff87cec8990fe89c0661
Change-Id: Ic4e04594e114ba682088d68d5f1af3f8f376db83
Use Anchor for certificate signing to make the octavia communication
more secure. Anchor Ref url: https://github.com/openstack/anchor
Co-Authored-By: bharath <bharath.stacker@gmail.com>
Co-Authored-By: German Eichberger <german.eichberger@hp.com>
Change-Id: Id77b2b1540377db661f15d4eeafc4922f446d987
The goal of this patch is to add the function that once we detect an
amphora's cert will expire in 2 weeks from utcnow, we will update its
cert with a new one and update its db information at the same time.
In order to achieve this target, I did the following changes:
Add 2 new columns cert_busy and cert_expiration in amphora table
Add methods to get cert expiration date from PEM server_pem and
update db info
Use the new REST agent method to perform cycling
Add process in housekeeping to facilitate rotation
Add unit tests
Change-Id: I28578a3e560ee09ba300788a5423863c893b8638
The test was slightly incorrect to begin with, but the issue didn't
become apparent until the oslo.log update from 1.13.0 to 2.0.0 for
whatever reason. open() raises IOError() not Exception() so it was not
being handled properly.
Also taking this opportunity to standardize the use of builtins to
match our other tests.
Change-Id: Idab637b09e8a437333f810f82f45b3e9c027dfdd
The below patch caused a test order issue with the oslo config
override via fixture. This is causing gate failures.
https://review.openstack.org/#/c/246046/1
This fixes that ordering issue.
Change-Id: Id9390f546cc19ea3af0bfffc0b97b108eb6042e8
The nova compute driver currently raises an exception if the
instance has already been deleted.
This patch logs a warning, but does not raise an exception when
the instance being deleted is not found.
Change-Id: I72e54297b925c5c6ce0dd711a33e19afc74ba37d
Partial-Bug: #1509706
The amphora jinja templater renders the interfaces_file option with a string of 'None'.
This causes failures while communicating with the Amphora.
Change-Id: I57b16387cc84b3942f0af5fc92320513baaff76e
Closes-Bug: #1516827
So far we don't have unit tests for method house_keeping_db_cleanup,
,spare_amphora_check and main in file cmd/house_keeping.py,
this patch is to add unit tests for these 3 methods.
Change-Id: I2f45b905d96a883b364e7645eeac0a7b8a1e9aba
The amphora agent should be able to add interfaces by using the
/etc/network/interfaces file as well as the /etc/network/interfaces.d/*.cfg
files.
Closes-Bug: #1507889
Change-Id: I7840931fc426a0c74386512dfae3666d223049f8
Oslo_reports enables OpenStack projects to dump Guru Meditation
Reports with useful debugging information to files or stderr.
Closes-Bug: #1514504
Change-Id: Id35fb7dc8c31f304cbf1d9cca0d21b9d5e97865a
The following change use Python 3.4 "cryptography" libraries instead of "pyasn1".
https://review.openstack.org/#/c/184868/
Clean up have been performed in requirements.txt
Closes-Bug: #1515917
Change-Id: I36877d27ac222908db7af6183628589dbcdf2968
