When openstack runs in HA mode, an admin might choose to assign two
separate client certificates for each openstack host. This is
possible with storage_type=none. This change allows deleting cert
and identity based not only on identity name, but on cert pem.
In addition, allow faster cluster recovery in case of certificate
change.
Change-Id: Ia4eea874cfa2bf4befc724b719e53e936292e11f
This patch simply adds 3 attributes to the request body sent to NSX
when creating principal identities for certificates, adjusts the
code in vmware_nsxlib.v3.client_cert accordingly, and removes
code that was based on the "single cert per identity" assumption.
Change-Id: Ib4e1f44e98843d7cb308c57434e3ecc68f7b8dc2
In nsxlib configuration, replace client certificate file with a
broader concept of provider: apart from certificate file name, the
provider can implement __enter__ and __exit__ routines to handle
file creation and disposal.
Change-Id: I0c11107324786cf0852b054f32940422dffef5bb
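The provider concept described above, as an added example that is not nsxlib's own code: a hypothetical `ClientCertProvider` that keeps the PEM in memory and only writes it to a 0600 temporary file for the duration of a `with` block, removing it again in `__exit__` even when the body raises. The PEM bytes are a constructed placeholder, not a real certificate.

```python
import os
import tempfile

# Constructed placeholder, not a real certificate or key.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              b"constructed sample, not real certificate data\n"
              b"-----END CERTIFICATE-----\n")


class ClientCertProvider(object):
    """Hypothetical provider: exposes `filename` only inside a with-block."""

    def __init__(self, pem_data, directory=None):
        self._pem_data = pem_data
        self._directory = directory
        self.filename = None

    def __enter__(self):
        # mkstemp creates the file readable/writable by the owner only (0600),
        # so there is no window in which another local user can read the key.
        fd, path = tempfile.mkstemp(suffix=".pem", dir=self._directory)
        with os.fdopen(fd, "wb") as f:
            f.write(self._pem_data)
        self.filename = path
        return self

    def __exit__(self, exc_type, exc, tb):
        # Dispose of the on-disk copy regardless of how the block ended.
        path, self.filename = self.filename, None
        if path and os.path.exists(path):
            os.remove(path)
        return False  # never swallow exceptions raised by the with body


def demo_lifecycle():
    """Return (exists inside, mode inside, content matches, exists after)."""
    provider = ClientCertProvider(SAMPLE_PEM)
    with provider as p:
        path = p.filename
        inside = os.path.exists(path)
        mode = os.stat(path).st_mode & 0o777
        with open(path, "rb") as f:
            matches = f.read() == SAMPLE_PEM
    return inside, mode, matches, os.path.exists(path)


def demo_cleanup_on_error():
    """Return whether the file survives a failing request inside the block."""
    provider = ClientCertProvider(SAMPLE_PEM)
    try:
        with provider as p:
            path = p.filename
            raise RuntimeError("simulated request failure")
    except RuntimeError:
        pass
    return os.path.exists(path)
```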
This will enable the plugin to validate the supported
DHCP extra options.
This is done via the method get_dhcp_opt_code. If a name is
not supported then None is returned.
Change-Id: Ia28c2da080d79e7e1e87db0f137963a4560862bb
The endpoint validation process queries transport zones.
Requests/responses for transport zones can clutter logs quite a bit and
make troubleshooting and support more complex.
This patch introduces the possibility of muting logging in _rest_call,
by passing a "silent" parameter to it, defaulting to False. The
_validate_connection routine will instead set this parameter to True,
thus preventing the request and response for the transport zone resource
from being dumped to the log.
Change-Id: I1f4ef84d11db9ead3e23666a7c8e8b76ca30b1ec
When the client certificate is regenerated, the keepalive connection
to the NSX endpoint will be broken. This patch will detect this and
invoke a callback to give the nsxlib user a chance to reload the cert;
then regenerate the connection pool to restore connectivity.
Change-Id: I0a334df4dd05feb784b9ff8bdc988ac41878863c
In addition, add getters for certificate fields,
and ensure certificate object has short lifespan, since
it might change in storage.
Change-Id: I2abbec0e48d82d432c9cc18afaca62bae7558d7c
This patch adds IPSet CRUD operations under the security module.
This patch also adds a util method for IPSets to return reference
dict for IPSet objects.
Change-Id: Ie5157055e80ec1976159cabc172d8285314570c4
1. get logical port applyto reference
2. get rule address
3. get l4 portset nsservice
4. create section with rules
Change-Id: I02003b64f6937f1200572cb07accd8b59be19544
The current NSGroup create method does not allow for passing a
list of membership criteria. Similarly, the source, destination
and service arguments of the Firewall rule method do not allow for
passing a list. This patch provides a fix for it and updates
all occurrences of get_rule_dict with appropriate values.
This patch also adds a new arg to get_rule_dict to allow creation
of firewall rules with the disabled=True or False. The default
value of this arg is False, which means rules are enabled.
Change-Id: I6b16d37bf3ca61f3c9f02688f9548ea4b3b6adb6
This patch adds a new util method to the NsxLib class.
NsxLib will expose a search method to retrieve objects from
backend based on their tags and resource type. Tags argument
must be present in order to search.
Tags are supplied in the following form:
[{'scope': <scope_val>, 'tag': <tag_value>}, ...]
Change-Id: I304e9c44e55657e652b2a8236e85602c295cf22b
If user does not intend to update the name of the logical switch,
the name should remain the same on backend. The logical switch
update method will now first get the resource from the backend
and retain the display name previously configured if name is not
updated. This allows the caller to no longer send the name of the
LS even if it is not updated.
Change-Id: Iee42c59ff1edd1fb822184535a8c0943a94e334e
This patch adds a method to security module to further expose
more options available from firewall APIs on the backend.
Specifically this patch adds the following:
1. A method to build tag expression for LogicalSwitch targets
to create dynamic NSGroups.
Change-Id: I9bbacfe14076d9ff92b0f45e9a85335876302f72
During port updates, if the user does not pass address bindings,
nsxlib should perform a LP GET on the backend and use the
existing address bindings.
The response body returns address bindings in a dict format
which breaks the update in _build_attrs method. This patch
adds a new method which will convert the address bindings
dict into PacketAddressClassifier namedtuple.
Change-Id: I660cc63264d1458d17d587555889974571960bd5