1. get logical port applyto reference
2. get rule address
3. get l4 portset nsservice
4. create section with rules
Change-Id: I02003b64f6937f1200572cb07accd8b59be19544
In nsxlib configuration, replace client certificate file with a
broader concept of provider: apart from certificate file name, the
provider can implement __enter__ and __exit__ routines to handle
file creation and disposal
Change-Id: I0c11107324786cf0852b054f32940422dffef5bb
This will enable the plugin to validate the supported
DHCP extra options.
This is done via the method get_dhcp_opt_code. If a name is
not supported then None is returned.
Change-Id: Ia28c2da080d79e7e1e87db0f137963a4560862bb
The endpoint validation process queries transport zones.
Requests/responses for transport zones can clutter logs quite a bit and
make troubleshooting and support more complex.
This patch introduces the possibility of muting logging in _rest_call,
by passing a "silent" parameter to it, defaulting to False. The
_validate_connection routine will instead set this parameter to True,
thus preventing request and response for the transport zone resource to
be dumped on the log.
Change-Id: I1f4ef84d11db9ead3e23666a7c8e8b76ca30b1ec
When client certificate is regenerated, keepalive connection
to NSX endpoint will be broken. This patch will detect this and
invoke a callback to give nsxlib user a chance to reload the cert;
then regenerate connection pool to restore connectivity.
Change-Id: I0a334df4dd05feb784b9ff8bdc988ac41878863c
In addition, add getters for certificate fields,
and ensure the certificate object has a short lifespan, since
it might change in storage.
Change-Id: I2abbec0e48d82d432c9cc18afaca62bae7558d7c
The current NSGroup create method does not allow for passing a
list of membership criteria. Similarly the source, destination
and service arguments of the Firewall rule method do not allow for
passing a list. This patch provides a fix for it and updates
all occurrences of get_rule_dict with appropriate values.
This patch also adds a new arg to get_rule_dict to allow creation
of firewall rules with the disabled=True or False. The default
value of this arg is False, which means rules are enabled.
Change-Id: I6b16d37bf3ca61f3c9f02688f9548ea4b3b6adb6
This patch adds a new util method to the NsxLib class.
NsxLib will expose a search method to retrieve objects from
backend based on their tags and resource type. Tags argument
must be present in order to search.
Tags are supplied in the following form:
[{'scope': <scope_val>, 'tag': <tag_value>}, ...]
Change-Id: I304e9c44e55657e652b2a8236e85602c295cf22b
If user does not intend to update the name of the logical switch,
the name should remain the same on backend. The logical switch
update method will now first get the resource from the backend
and retain the display name previously configured if name is not
updated. This allows the caller to no longer send the name of the
LS even if it is not updated.
Change-Id: Iee42c59ff1edd1fb822184535a8c0943a94e334e
This patch adds a method to security module to further expose
more options available from firewall APIs on the backend.
Specifically this patch adds the following:
1. A method to build tag expression for LogicalSwitch targets
to create dynamic NSGroups.
Change-Id: I9bbacfe14076d9ff92b0f45e9a85335876302f72
During port updates, if the user does not pass address bindings,
nsxlib should perform a LP GET on the backend and use the
existing address bindings.
The response body returns address bindings in a dict format
which breaks the update in _build_attrs method. This patch
adds a new method which will convert the address bindings
dict into PacketAddressClassifier namedtuple.
Change-Id: I660cc63264d1458d17d587555889974571960bd5
uRPF check which prevents evil endpoints from spoofing source
IP address needs to be disabled for logical router ports on
logical switches with container ports in case of Kubernetes.
This is to enable kubelet to perform health check. So in this
scenario the kubelet runs on the minion and the container runs
on the same minion. The packet from the kubelet hairpins back
into the VM via the tier-1 router.
Interestingly, the 'urpf_mode' property is only valid in the port
create body when the router is either of type LogicalRouterUplinkPort
or LogicalRouterDownlinkPort.
The other two port types LogicalRouterLinkPortOnTIER0 and
LogicalRouterLinkPortOnTier1 do not have 'urpf_mode' as their object
properties, and passing them results in an API validation error.
Hence in the code in the base LogicalRouterPort create method, we
add the urpf_mode to the body only if it's not None. And we pass
'urpf_mode' only when creating the Downlink port, i.e. when attaching
the logical router to the logical switch.
Change-Id: Ib266da6e6f232e78e07f8d6c56cb69606f2ee9fe
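The body-construction rule described in the commit message above, as an added illustration that is not vmware-nsxlib's own code: `urpf_mode` is only emitted when it is set, and only for the two port types that accept it. The function names, the `'NONE'`/`'STRICT'` mode values and the body keys are assumptions.

```python
# Added example (not vmware-nsxlib code). Port type names are taken from the
# commit message; function names, body keys and mode values are assumptions.

UPLINK_PORT = 'LogicalRouterUplinkPort'
DOWNLINK_PORT = 'LogicalRouterDownlinkPort'
LINK_PORT_ON_TIER0 = 'LogicalRouterLinkPortOnTIER0'
LINK_PORT_ON_TIER1 = 'LogicalRouterLinkPortOnTier1'

# Only uplink and downlink ports carry a 'urpf_mode' property; sending it on
# the tier-0/tier-1 link ports triggers a backend validation error.
URPF_CAPABLE_TYPES = frozenset({UPLINK_PORT, DOWNLINK_PORT})
# Assumed set of accepted values. 'STRICT' keeps the anti-spoofing check,
# 'NONE' disables it (needed only for the Kubernetes hairpin case above).
URPF_MODES = frozenset({'NONE', 'STRICT'})


def build_router_port_body(logical_router_id, resource_type,
                           display_name=None, urpf_mode=None):
    """Build a LogicalRouterPort create body (hypothetical helper)."""
    body = {'logical_router_id': logical_router_id,
            'resource_type': resource_type}
    if display_name:
        body['display_name'] = display_name
    # Mirror the rule from the commit: add urpf_mode only when it is set,
    # and refuse to send it for port types that do not define it, so the
    # mistake is caught locally instead of as an opaque API error.
    if urpf_mode is not None:
        if resource_type not in URPF_CAPABLE_TYPES:
            raise ValueError('urpf_mode is not valid for %s' % resource_type)
        if urpf_mode not in URPF_MODES:
            raise ValueError('unknown urpf_mode %r' % (urpf_mode,))
        body['urpf_mode'] = urpf_mode
    return body


def build_downlink_body(logical_router_id, logical_switch_port_id,
                        urpf_mode=None):
    """Downlink port attaching a router to a logical switch; this is the
    only caller that passes urpf_mode through (hypothetical helper)."""
    body = build_router_port_body(logical_router_id, DOWNLINK_PORT,
                                  urpf_mode=urpf_mode)
    # Assumed key for the switch-side attachment.
    body['linked_logical_switch_port_id'] = {'target_id': logical_switch_port_id}
    return body
```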
While adding NAT rules, if match_ports argument is set,
add a match_service parameter in the request body to match
the service type, protocol and port for the corresponding rule.
Also add support to delete NAT rules by using internal IP only.
Change-Id: I7c3f37bfea6c9f348d966e3f97e9f3b141bdfad3
This patch adds support to create/delete IP block subnet on
NSX.
This patch also adds more arguments to allocate method
for IP pools needed by nsx-ujo effort.
Change-Id: I1fddb45c1e66a78fe28d2e97a729513618409915
This patch adds IP POOL ID to the port
create/update for container ports using the
key_values parameter of context in the request body.
Change-Id: Id08c265df0c00744ecb75d07c255c1bc549c2bac
Add client_cert_file to nsxlib initialization.
If specified, nsxlib will authenticate with client certificate.
If unspecified (default), basic user/pwd authentication is used.
Change-Id: If36841e9fd9701fa173ffa294732415dc07d49e7