1084 Commits

Author SHA1 Message Date
Shawn Wang
1bbcc22d31 Add support of pinning NSX leaf cert
In order to support cert pinning in WCP, this change adds exact cert
match for checking NSX manager authenticity. Setting "nsx_cert_der"
enables this mode, where the priority is below ca cert and above
thumbprints.

Currently in nsxlib, the call chain to manage HTTPS connection is:
1. NSXHTTPAdapter (subclass of urllib3 HTTPAdapter)
2. urllib3 PoolManager
3. urllib3 HTTPSConnectionPool
4. urllib3 HTTPSConnection
In order to inject custom TLS cert validation, we have to override the
connect() function in HTTPSConnection level. Introducing a child class
of HTTPSConnectionPool is also needed to pass the new param. Pool
manager only needs overriding two attrs to allow passing the new param
and properly binding to the new child class of connection pool.

When leaf cert verification is not used, the native urllib3 behavior
will be kept to reduce regression risk.

Change-Id: Icecf30b6df3b60fbeac20cf79586827f3370ce13
2024-02-05 23:30:21 +00:00
Shawn Wang
398346754e Add option to skip SSL hostname verification
This change adds a new config param ssl_assert_hostname. Its value will
be ultimately passed to the underlying urllib3 param "assert_hostname".

Technically, the value could be bool or string. This patch focuses on setting
it to False to disable hostname check while keeping other cert
verifications.

Change-Id: I8b1ef5fe915d8317f65ce5e1927eb71141027e16
(cherry picked from commit 5d408a01f85b18466b4034d2c38c582b79d2f604)
2024-01-03 03:25:30 +00:00
Qian Sun
fdc404727c Support parameter "skip_host_detach" in LogicalPort API
This patch will add the support for parameter skip_host_detach in
LogicalPort deletion request as the preparation of a corner fix
which will delete the discovered port without host detach.

The other preparation in this patch is to add the new Exception
class VifRestoreAlreadyCompleted.

Change-Id: I012dbc7db5c0af31d670e71e1d04fa6216f269b3
(cherry picked from commit d11fe387c75008229766fbbfeb21d516a025ec91)
2023-12-12 03:36:43 +00:00
Shawn Wang
dc5a59f139 Add enforcement_point_path param for LBServiceUsage
This change adds LBS usage, statistics and status API with param
'enforcement_point_path' to support querying in a multi enforcement
point setup.

Change-Id: I08cbc05bbad6e70dbd3a1c96fba72931a94f0b7f
Signed-off-by: Shawn Wang <wshaoquan@vmware.com>
(cherry picked from commit 9341330fdb70d274905d056aebf84eb2819abd88)
2023-12-11 17:25:02 +00:00
Shawn Wang
77688b9934 Enable H-API delete for Policy Tier1 Api
This change adds hierarchical call support for deleting Policy Tier1.
H-API is already enabled for Tier1 creation. The change has no impact
for callers not using H-API for delete.

Change-Id: Ib36a0faa125b2c12c206b7c6c9ebc3bd0e04330e
2023-04-17 17:33:08 -07:00
Salvatore Orlando
ce621cfc80 Tier-1: Retry when removing edge cluster
Retry operation if a StaleRevision error is returned
from the backend.

Change-Id: I637b9d1e6a23767d9297cec115cceaa573257329
2023-04-17 00:45:08 -07:00
lxiaopei
3a627ed498 Update version check to use POST API when restore vif
According to NSX side fix merged in NSX versions 3.2.3
(and later impactor releases if any) and 4.1.*, update
the version check.

Change-Id: I8e5b29da1d10b076bef159d45ba436d135718ca8
2023-03-28 13:52:15 +08:00
Salvatore Orlando
acb8f2d53f Revert "Revert "Add sync_realization while creating ip-pool/ip-subnet for nsx-keeper""
This reverts commit d2836e34528d9061e2783283d7fad6a79b689ff2.

Reason for revert: backend support is now available

Change-Id: I835c4a99f38760e5cb834852adb4fb56b3bd234e
2023-03-11 02:00:08 -08:00
lxiaopei
d049dbc406 Add ip_release_delay when creating IpPool
When creating IpPool, ip_release_delay can be set
to indicate the delay for releasing allocated IP address from IP pool.
Default is 2mins.

Change-Id: I56e9edd09df34f7909a7ce47339ae903f518fbda
2023-02-27 13:52:54 +08:00
Zuul
0d922467e8 Merge "Revert "Add sync_realization while creating ip-pool/ip-subnet for nsx-keeper"" 2023-02-20 07:46:54 +00:00
Tao Zou
d2836e3452 Revert "Add sync_realization while creating ip-pool/ip-subnet for nsx-keeper"
This reverts commit b0c97de6605f719a6febe9febb66a44d562ddd84.

Reason for revert: it depends on nsxt support, but nsxt didn't merge the code

Change-Id: Id053d28cc9b315462849fd8df2d99b2ca7f6059c
2023-02-20 07:10:57 +00:00
lxiaopei
417f4085a5 Add version check to use POST API when restore vif
Since the new POST API to restore vif only exists
on NSX version >=4.1.0, add version check before
invoking the new POST API. Otherwise, still use
the old patch API.

Change-Id: Ic0047cba6ccaf275830b3c24a73f59ca28883de6
2023-02-15 17:19:02 +08:00
Tao Zou
b0c97de660 Add sync_realization while creating ip-pool/ip-subnet for nsx-keeper
Change-Id: I3b797c7130a7deb858a21c2d63580e91211a665f
2023-02-14 14:17:10 +08:00
lxiaopei
67a72e6baf Use POST API when restore vif
When restore vif, we need to use POST api with init_state:RESTORE_VIF
for NSX to persist all properties including tags and address_bindings.

Change-Id: I0d49a3860349a4d021cc9c881fb60543936feefc
2023-01-04 09:36:23 +08:00
Gautam Verma
349c4c3999 Allow using force option to create and release IPBlockSubnets
Change-Id: I95cd3b5ada9fc4a612bec83ca759258ed1029f81
2022-12-23 21:37:20 +00:00
tathgurt
7b16449dab Support large IPv6 subnet via NSX IPAM
New field Introduced in IPblockSubnet in order to cap the
maximum Ip Subnets across different clusters.

Jira: #NCP-439
Change-Id: I2e01f7e787c5be5d20256b96b19e9ce8b68edbe6
2022-11-08 16:32:04 -08:00
Gautam Verma
c9fea99b4f Get all certificates from NSX
client.get method retrieves only the first page of results from NSX. In large
scale environments, we wouldn't return all the Certificates. The patch fixes
this behavior to return all the certificates on NSX

Issue: #3048262
Change-Id: Ic43c28eb93bf706209980f66c97d217bd4c4d611
2022-10-13 16:53:20 +05:30
Tao Zou
ddb2cfc990 Update vs/lbpool delete api to support hierarchical API
Update VirtualServer/LoadBalancerPool delete api to support hierarchical API
so VirtualServer/LoadBalancerPool will be deleted in one thread to reduce
nsxt waiting time and improve performance

Change-Id: If936aa1ce56c57a8b8a64f93f9b74ca180cec645
2022-10-10 08:20:09 +00:00
Salvatore Orlando
7624236634 Restore FEATURE_ROUTER_FIREWALL, remove nat_pass usage
This patch restores FEATURE_ROUTER_FIREWALL, since the corresponding
feature is still available in NSX 4.0.1 onwards, but drops usage of
the deprecated nat_pass parameter in favour of firewall_match.

All existing supported NSX releases can leverage the firewall_match
parameter for NAT rules.

Change-Id: I1dd5d2582ee291ce08af541c1a9a30ea86b33503
2022-08-23 00:19:33 -07:00
Zuul
26acee40ad Merge "[MP] Support firewall_match for NAT rules" 2022-08-22 14:36:05 +00:00
tathgurt
8481b2ab51 Extending Overwrite Header for different PI in T1 Static routes
Extending support for adding overwrite header in T1 Static Route

Issue: #3016445
Change-Id: I8b4dc401b659d7feaa090c4d3fd9bb359b671b7f
2022-08-10 11:15:36 -07:00
Tao Zou
9523d737ba Remove FEATURE_ROUTER_FIREWALL support since 4.0.1
nat_pass property was introduced by feature ROUTER_FIREWALL, it has
been deprecated since 4.0.1. Remove the property if nsxt version
is greater than 4.0.1

Change-Id: Icba4ff4139fc8ac3502e2c633637582e075faa38
2022-07-26 16:03:26 +08:00
lxiaopei
69662ffa4e Add NsxInvalidPath exception for error code 500012
We need to handle the 500012 error.

Change-Id: Ifba59b005f507b1ccf01896bfe467e3e3662be65
2022-07-05 10:24:13 +00:00
Zuul
bf42710d11 Merge "Add resource_type for NsxPolicyLoadBalancerSourceIpPersistenceProfileApi update" 2022-06-30 01:56:39 +00:00
Tao Zou
cf08f14bed Support two json decoder exception
If simplejson is installed, requests will use simplejson to handle the
deserialization of the JSON. If not installed, requests will use
the json package

Change-Id: I64a54d105d6d533c2d75174bbf265b1d372b9b88
2022-06-29 14:32:32 +08:00
Tao Zou
ffaa2fbb6c Add resource_type for NsxPolicyLoadBalancerSourceIpPersistenceProfileApi update
Change-Id: I538ac689c262f74667ef896b1c77a9f658c34687
2022-06-24 15:18:57 +08:00
Zuul
3548bcfd87 Merge "Add definition for 3.2.1 and 4.0.0" 2022-06-22 02:58:04 +00:00
Sean
59e694fe81 Add definition for 3.2.1 and 4.0.0
Change-Id: I0ef93fe601bd30c7a30bf7e7510d67f7210c61b5
2022-06-20 08:48:10 +00:00
Salvatore Orlando
c39850ebf4 [MP] Support firewall_match for NAT rules
The nat_pass is deprecated and has been replaced by firewall_match.
This patch adds support for firewall_match and stops using nat_pass
when firewall_match is specified.

Change-Id: Ibd2303cf4e182c7aea6bab57c27f36ee4c138a47
2022-06-09 23:15:22 -07:00
Tao Zou
d915f2fecb Handle response is not a json format
Change-Id: I62a6c6d248301576176be5631a4ef4900460082d
2022-06-02 06:50:43 +00:00
Tao Zou
5855a867e1 Revert "Support multiple ca certificates"
This reverts commit d761feadd7b572ed5e0c788f0ffe7e9f245e71c8.

Reason for revert: move solution to upper layer

Change-Id: I536c33e2608fbb8ce107a5236db27bc43b9974fe
2022-05-23 08:08:02 +00:00
Tao Zou
d761feadd7 Support multiple ca certificates
Split the ca file into two files if there are two ca certificates

Change-Id: I2bdef4ab4a2c6f24a28a4f41d7f58657c3e31bee
2022-05-06 13:20:36 +08:00
tathgurt
778dd72e86 Operator field invalid if Scope_operator field is present
operator field in Conditions for group expressions is invalid if
scope_operator field is set to NOTEQUALS, removing it for the same

Change-Id: I42a4c2586f30952fd4a6cce5235e6c2404c0c6e4
2022-03-18 11:21:40 -07:00
Zuul
bd5cec082e Merge "Fix the logical port created twice" 2022-03-11 06:11:53 +00:00
Xiaotong Luo
8a5b39e90b Handle bad XSRF token in exception handler
PR 2907548 shows the need of implementing also a regeneration trigger
in the exception handler to help with recovering from
invalid XSRF Token issue.

Change-Id: I51897596259bf6abcee26b148c5b70c5eb02d459
2022-03-08 11:11:25 -08:00
Tao Zou
ac224a85a8 Fix the logical port created twice
Logical port creation is a POST request. Sometimes it will trigger
ConnectionResetError which is an IOError. request_with_retry_on_ssl_error
will retry it.
If request has parameter retry_confirm, exception will be raised so ncp
could query if port has been created to avoid creating port twice.

Change-Id: Ic97b39c7a3736f02a79ab891970c1ad67b123156
2022-03-08 18:11:08 +08:00
Shawn Wang
cfe4ed8e27 Add force update of Policy T1 Adv Rules
In certain cases, caller would need to add route advertisement rules on
Policy Tier1 owned by other accounts. This change adds the support by
propagating the "force" param to include X-Allow-Overwrite header in the
final API call. The same operation is already allowed in MP counterpart.

Change-Id: Ic09fb16dd2403f33323c179d68fd2f1f3ce4bb42
2022-02-08 15:42:54 -08:00
Salvatore Orlando
f6ce73049e Remove debug log statements
Remove several statements which were added to verify client behaviour
with H-API calls.

Change-Id: Ie535eaf68ec5c55582264df1db8f9bf5122e6455
2022-01-24 06:30:46 -08:00
Zuul
72985fb905 Merge "Don't drop details info in the raised exception" 2022-01-17 07:26:17 +00:00
Gautam Verma
9e8ce5f4ec Accept locale_service_id to get seg interfaces on T1
Issue: #2883940
Change-Id: Ibe3fd0e921e35afbe0c890d252a20613e7b4ccdb
2022-01-14 15:08:57 -08:00
Salvatore Orlando
31da96584f Fix typo in exception name
Replace "ManagerException" with "ManagerError"

Change-Id: I2fc8e081dd2f36c20ee6234df2c5c900d974cabc
2021-12-01 02:46:19 -08:00
lxiaopei
8634f98915 Reduce page_size if too large response size for search api
For search api, if response size is too large, exception with
error_code 60576 is returned. Catch this kind of exception
and retry with smaller page_size.

Change-Id: If4340b7688420aabc673635f600c1e4b33aa4de3
2021-11-30 01:20:22 +00:00
lxiaopei
a62e5ad111 Add all_results param in get_ip_subnet_realization_info
Since there are two realized entities for subnet in
API policy/api/v1/infra/realized-state/realized-entities?intent_path=/infra/ip-pools/pool-1/ip-subnets/subnet-1,
sometimes we want to check the realization state for all entities.
Add all_results param in get_ip_subnet_realization_info func
to check all the entities realization state, and
return all the realized entities if no entity_type param set.
The default value for all_results is False.

Change-Id: I5a48c8f7e711090b38ea31d5f732f022bc7bd4bc
2021-11-19 00:17:52 +08:00
tathgurt
283eff2881 Adding scope_operator support for NSX 3.2 API.
Change-Id: I045745857317dc6effbb6a5ac627239354a3b230
2021-11-09 14:24:13 -08:00
Zuul
3e1146a275 Merge "NSX Policy: patch security rules with ChildResourceReference" 2021-10-25 18:27:55 +00:00
Salvatore Orlando
5ec05846f4 NSX Policy: patch security rules with ChildResourceReference
This change adds support for specifying ChildResourceReference entries
in NSX H-API transactions.
It also adds a method patch_entries to update security policy rules
specifying only individual rules to add.

This allows for adding rules to a security policy in a much faster way.

Change-Id: Ib2c9298b013a799a5363951855be6d16ba76d7a8
2021-10-25 10:57:13 -07:00
Salvatore Orlando
fedb0ba5d3 Remove trailing '/' in switching profile operations
When querying switching profiles including system owned, there is
a trailing slash at the end of the URI.
This change removes this slash.

Change-Id: Iaa7d18fa8fdcd22c29baf2265259dfe843890213
2021-10-20 06:46:25 -07:00
Qian Sun
6e21892a0b Don't drop details info in the raised exception
In previous code, the 'details' key in error response body is
missed in the raised exceptions. This patch will reserve it.

Change-Id: Idb10c05135d2cbf5a90adbaa812abfb9ef0d153d
2021-09-29 09:19:04 +00:00
Zuul
4c6d36cfaa Merge "Add support for Avi auth token retrieval" 2021-09-20 22:22:48 +00:00
Xiaotong Luo
bcb49996e5 Add support for Avi auth token retrieval
The NCP-AKO integration in WCP requires NCP to retrieve Avi auth token
and enforcement point information and pass to AKO controller.
Thus, add support for the corresponding API calls in nsxlib.

Change-Id: I7caa7faa80aa6c0f84d24e7ad1f629c5d6af542d
2021-09-17 17:52:55 +00:00