In order to support cert pinning in WCP, this change adds exact cert
match for checking NSX manager authenticity. Setting "nsx_cert_der"
enables this mode, where the priority is below CA cert and above
thumbprints.
Currently in nsxlib, the call chain to manage HTTPS connection is:
1. NSXHTTPAdapter (subclass of urllib3 HTTPAdapter)
2. urllib3 PoolManager
3. urllib3 HTTPSConnectionPool
4. urllib3 HTTPSConnection
In order to inject custom TLS cert validation, we have to override the
connect() function at the HTTPSConnection level. Introducing a child class
of HTTPSConnectionPool is also needed to pass the new param. Pool
manager only needs overriding two attrs to allow passing the new param
and properly binding to the new child class of connection pool.
When leaf cert verification is not used, the native urllib3 behavior
will be kept to reduce regression risk.
Change-Id: Icecf30b6df3b60fbeac20cf79586827f3370ce13

This change adds a new config param ssl_assert_hostname. Its value will
be ultimately passed to the underlying urllib3 param "assert_hostname".
Technically, the value could be bool or string. This patch focuses on setting
it to False to disable hostname check while keeping other cert
verifications.
Change-Id: I8b1ef5fe915d8317f65ce5e1927eb71141027e16
(cherry picked from commit 5d408a01f85b18466b4034d2c38c582b79d2f604)

This patch will add the support for parameter skip_host_detach in
LogicalPort deletion request as the preparation of a corner fix
which will delete the discovered port without host detach.
The other preparation in this patch is to add the new Exception
class VifRestoreAlreadyCompleted.
Change-Id: I012dbc7db5c0af31d670e71e1d04fa6216f269b3
(cherry picked from commit d11fe387c75008229766fbbfeb21d516a025ec91)

This change adds LBS usage, statistics and status API with param
'enforcement_point_path' to support querying in a multi-enforcement-point
setup.
Change-Id: I08cbc05bbad6e70dbd3a1c96fba72931a94f0b7f
Signed-off-by: Shawn Wang <wshaoquan@vmware.com>
(cherry picked from commit 9341330fdb70d274905d056aebf84eb2819abd88)

This change adds hierarchical call support for deleting Policy Tier1.
H-API is already enabled for Tier1 creation. The change has no impact
for callers not using H-API for delete.
Change-Id: Ib36a0faa125b2c12c206b7c6c9ebc3bd0e04330e

According to NSX side fix merged in NSX versions 3.2.3
(and later impactor releases if any) and 4.1.*, update
the version check.
Change-Id: I8e5b29da1d10b076bef159d45ba436d135718ca8

This reverts commit d2836e34528d9061e2783283d7fad6a79b689ff2.
Reason for revert: backend support is now available
Change-Id: I835c4a99f38760e5cb834852adb4fb56b3bd234e

When creating IpPool, ip_release_delay can be set
to indicate the delay for releasing allocated IP address from IP pool.
Default is 2 mins.
Change-Id: I56e9edd09df34f7909a7ce47339ae903f518fbda

This reverts commit b0c97de6605f719a6febe9febb66a44d562ddd84.
Reason for revert: it depends on nsxt support, but nsxt didn't merge the code.
Change-Id: Id053d28cc9b315462849fd8df2d99b2ca7f6059c

Since the new POST API to restore vif only exists
on NSX version >=4.1.0, add version check before
invoking the new POST API. Otherwise, still use
the old patch API.
Change-Id: Ic0047cba6ccaf275830b3c24a73f59ca28883de6

When restoring vif, we need to use the POST API with init_state:RESTORE_VIF
for NSX to persist all properties including tags and address_bindings.
Change-Id: I0d49a3860349a4d021cc9c881fb60543936feefc

New field introduced in IPblockSubnet in order to cap the
maximum IP subnets across different clusters.
Jira: #NCP-439
Change-Id: I2e01f7e787c5be5d20256b96b19e9ce8b68edbe6

client.get method retrieves only the first page of results from NSX. In large
scale environments, we wouldn't return all the certificates. The patch fixes
this behavior to return all the certificates on NSX.
Issue: #3048262
Change-Id: Ic43c28eb93bf706209980f66c97d217bd4c4d611

Update VirtualServer/LoadBalancerPool delete API to support hierarchical API
so VirtualServer/LoadBalancerPool will be deleted in one thread to reduce
nsxt waiting time and improve performance.
Change-Id: If936aa1ce56c57a8b8a64f93f9b74ca180cec645

This patch restores FEATURE_ROUTER_FIREWALL, since the corresponding
feature is still available in NSX 4.0.1 onwards, but drops usage of
the deprecated nat_pass parameter in favour of firewall_match.
All existing supported NSX releases can leverage the firewall_match
parameter for NAT rules.
Change-Id: I1dd5d2582ee291ce08af541c1a9a30ea86b33503

The nat_pass property was introduced by feature ROUTER_FIREWALL; it has
been deprecated since 4.0.1. Remove the property if the nsxt version
is greater than 4.0.1.
Change-Id: Icba4ff4139fc8ac3502e2c633637582e075faa38

If simplejson is installed, requests will use simplejson to handle the
deserialization of the JSON. If not installed, requests will use the
json package.
Change-Id: I64a54d105d6d533c2d75174bbf265b1d372b9b88

The nat_pass is deprecated and has been replaced by firewall_match.
This patch adds support for firewall_match and stops using nat_pass
when firewall_match is specified.
Change-Id: Ibd2303cf4e182c7aea6bab57c27f36ee4c138a47

This reverts commit d761feadd7b572ed5e0c788f0ffe7e9f245e71c8.
Reason for revert: move solution to upper layer
Change-Id: I536c33e2608fbb8ce107a5236db27bc43b9974fe

The operator field in Conditions for group expressions is invalid if the
scope_operator field is set to NOTEQUALS; removing it for the same.
Change-Id: I42a4c2586f30952fd4a6cce5235e6c2404c0c6e4

PR 2907548 shows the need to also implement a regeneration trigger
in the exception handler to help with recovering from the
invalid XSRF Token issue.
Change-Id: I51897596259bf6abcee26b148c5b70c5eb02d459

Logical port creation is a POST request. Sometimes it will trigger
ConnectionResetError, which is an IOError. request_with_retry_on_ssl_error
will retry it.
If the request has the parameter retry_confirm, an exception will be raised so
NCP can query whether the port has been created, to avoid creating the port twice.
Change-Id: Ic97b39c7a3736f02a79ab891970c1ad67b123156

In certain cases, the caller would need to add route advertisement rules on
Policy Tier1 owned by other accounts. This change adds the support by
propagating the "force" param to include the X-Allow-Overwrite header in the
final API call. The same operation is already allowed in the MP counterpart.
Change-Id: Ic09fb16dd2403f33323c179d68fd2f1f3ce4bb42

For the search API, if the response size is too large, an exception with
error_code 60576 is returned. Catch this kind of exception
and retry with a smaller page_size.
Change-Id: If4340b7688420aabc673635f600c1e4b33aa4de3

Since there are two realized entities for subnet in
API policy/api/v1/infra/realized-state/realized-entities?intent_path=/infra/ip-pools/pool-1/ip-subnets/subnet-1,
sometimes we want to check the realization state for all entities.
Add the all_results param in the get_ip_subnet_realization_info func
to check the realization state of all the entities, and
return all the realized entities if no entity_type param is set.
The default value for all_results is False.
Change-Id: I5a48c8f7e711090b38ea31d5f732f022bc7bd4bc

This change adds support for specifying ChildResourceReference entries
in NSX H-API transactions.
It also adds a method patch_entries to update security policy rules
specifying only individual rules to add.
This allows for adding rules to a security policy in a much faster way.
Change-Id: Ib2c9298b013a799a5363951855be6d16ba76d7a8

When querying switching profiles including system owned, there is
a trailing slash at the end of the URI.
This change removes this slash.
Change-Id: Iaa7d18fa8fdcd22c29baf2265259dfe843890213

In previous code, the 'details' key in the error response body is
missing in the raised exceptions. This patch will preserve it.
Change-Id: Idb10c05135d2cbf5a90adbaa812abfb9ef0d153d

The NCP-AKO integration in WCP requires NCP to retrieve the Avi auth token
and enforcement point information and pass them to the AKO controller.
Thus, add support for the corresponding API calls in nsxlib.
Change-Id: I7caa7faa80aa6c0f84d24e7ad1f629c5d6af542d