Commit Graph

104 Commits (576bac2ae0131858fcc12f96139c076d7cf9d4f5)

Author SHA1 Message Date
Danting Liu 576bac2ae0 Add methods for firewall section and rule
1. get logical port applyto reference
2. get rule address
3. get l4 portset nsservice
4. create section with rules

Change-Id: I02003b64f6937f1200572cb07accd8b59be19544
2017-03-01 02:06:18 -08:00
OpenStack Proposal Bot 3e5f2e324a Updated from global requirements
Change-Id: Ibdcb4388f8928649e78c8f0facbb047f452b1ecd
2017-03-01 04:18:35 +00:00
OpenStack Proposal Bot aeff71c05f Updated from global requirements
Change-Id: I1357e744661b309d7755c8df9ea4c91c18564f6f
2017-02-28 05:50:11 +00:00
Anna Khmelnitsky 4b654b13af Fix FW rule dictionary
Change-Id: Ia484d0429e104cd4c366df25ebe63b111920d4b4
2017-02-27 13:42:58 -08:00
Jenkins eebd6bcb13 Merge "Replace client cert file with cert provider" 2017-02-27 19:48:59 +00:00
Anna Khmelnitsky 1270fc1a93 Replace client cert file with cert provider
In nsxlib configuration, replace client certificate file with a
broader concept of provider: apart from certificate file name, the
provider can implement __enter__ and __exit__ routines to handle
file creation and disposal

Change-Id: I0c11107324786cf0852b054f32940422dffef5bb
2017-02-27 10:03:37 -08:00
Jenkins 40437e1721 Merge "Add get_code to LogicalDhcpServer" 2017-02-21 00:26:38 +00:00
Gary Kotton 1e427ba318 Add get_code to LogicalDhcpServer
This will enable the plugin to validate the supported
DHCP extra options.

This is done via the method get_dhcp_opt_code. If a name is
not supported then None is returned.

Change-Id: Ia28c2da080d79e7e1e87db0f137963a4560862bb
2017-02-20 07:18:30 +02:00
Jenkins 05fdc812d5 Merge "Add support to search resources based on tags or resource type" 2017-02-16 19:33:05 +00:00
Gary Kotton fe8a4d4d25 Fix parameter args
TrivialFix

Change-Id: I767ad5e09ce08c0f956b73f8e79619ea5b62615f
2017-02-13 22:15:13 -08:00
Jenkins 78243338ab Merge "Update interface about NSX IPAM and CIF API change" 2017-02-13 03:47:14 +00:00
Jenkins 5a472a83d8 Merge "IpPools: pass tags on create/update operations" 2017-02-12 06:48:58 +00:00
Jenkins 5d16f53c3b Merge "Fix logical switch name update" 2017-02-12 06:48:52 +00:00
Salvatore Orlando dc12c1af6b IpPools: pass tags on create/update operations
Change-Id: I65b77dce0a8acc99b9adcca8a0edf0cde83985c1
2017-02-11 00:29:37 +01:00
dantingl f601978eda Update interface about NSX IPAM and CIF API change
Change-Id: I224b8778cbb519ec9bc4ebebf9f1b3fbf4326b4d
2017-02-10 02:15:58 -08:00
OpenStack Proposal Bot 31b962f814 Updated from global requirements
Change-Id: I7ad08ea86a0d2f759344b6385d2d9eb578c5e6ca
2017-02-10 06:02:15 +00:00
Jenkins 96aa73b17c Merge "Add validation for client certificate subject" 2017-02-08 09:56:29 +00:00
Danting Liu 26b6466f03 Get list of IP block and IP block subnet
Change-Id: I90a1f5c7d255e29e896c375c0319cf87c273b22d
2017-02-07 20:39:26 -08:00
Anna Khmelnitsky 607cd7c1da Add validation for client certificate subject
Change-Id: Ib79e2d6ba630266181a3f81fd78819e9fcaa6636
2017-02-07 15:13:43 -08:00
Jenkins c85f1505dd Merge "Prevent downtime when client cert is regenerated" 2017-02-05 07:50:43 +00:00
Salvatore Orlando a7356bc304 Mute log for endpoint connection validation
The endpoint validation process queries transport zones.
Requests/responses for transport zones can clutter logs quite a bit and
make troubleshooting and support more complex.

This patch introduces the possibility of muting logging in _rest_call,
by passing a "silent" parameter to it, defaulting to False. The
_validate_connection routine will instead set this parameter to True,
thus preventing request and response for the transport zone resource to
be dumped on the log.

Change-Id: I1f4ef84d11db9ead3e23666a7c8e8b76ca30b1ec
2017-02-02 15:00:15 +01:00
Anna Khmelnitsky 2b36887f5c Prevent downtime when client cert is regenerated
When the client certificate is regenerated, the keepalive connection
to the NSX endpoint will be broken. This patch will detect this and
invoke a callback to give the nsxlib user a chance to reload the cert;
then regenerate the connection pool to restore connectivity.

Change-Id: I0a334df4dd05feb784b9ff8bdc988ac41878863c
2017-02-02 12:50:27 +00:00
Jenkins 2ac012456d Merge "Support client certificate import" 2017-01-31 06:23:24 +00:00
Anna Khmelnitsky 763f024ab8 Support client certificate import
In addition, add getters for certificate fields,
and ensure certificate object has short lifespan, since
it might change in storage

Change-Id: I2abbec0e48d82d432c9cc18afaca62bae7558d7c
2017-01-30 10:58:45 -08:00
Adit Sarfaty 76b47c2bb7 Use project-id instead of tenant-id in nsxlib
Change-Id: If4782a11b74d72bcfda520fc1bd8eaddf464f5ec
2017-01-16 09:09:56 +02:00
Abhishek Raut 1cbc5d7942 Add 'applied_tos' arg while creating FirewallRule
Allow creating a firewall rule with applied_tos parameter to
specify the target for rule.

Change-Id: I0c5f1989c97b99978a57972cac05258126c4cff3
2017-01-14 18:22:02 -08:00
Jenkins 7e88aca146 Merge "Allow passing args of type list for NSGroup and firewall rule methods" 2017-02-22 11:11:21 +00:00
Abhishek Raut 53b0dde52b Add support to update tags for FirewallSections
Allow tags to be updated on firewall sections.

Change-Id: I72085fde86288f0432e08356a41e4de721016e70
2017-01-14 09:05:57 -08:00
Abhishek Raut 0294780a4d Allow passing args of type list for NSGroup and firewall rule methods
The current NSGroup create method does not allow for passing a
list of membership criteria. Similarly the source, destination
and service arguments of the Firewall rule method do not allow for
passing a list. This patch provides a fix for it and updates
all occurrences of get_rule_dict with appropriate values.

This patch also adds a new arg to get_rule_dict to allow creation
of firewall rules with the disabled=True or False. The default
value of this arg is False, which means rules are enabled.

Change-Id: I6b16d37bf3ca61f3c9f02688f9548ea4b3b6adb6
2017-01-14 06:47:00 -08:00
Abhishek Raut 9fd59f7880 Add support to search resources based on tags or resource type
This patch adds a new util method to the NsxLib class.
NsxLib will expose a search method to retrieve objects from
backend based on their tags and resource type. Tags argument
must be present in order to search.
Tags are supplied in the following form:
    [{'scope': <scope_val>, 'tag': <tag_value>}, ...]

Change-Id: I304e9c44e55657e652b2a8236e85602c295cf22b
2017-01-12 23:25:03 -08:00
Abhishek Raut 4e3f17b422 Fix logical switch name update
If user does not intend to update the name of the logical switch,
the name should remain the same on backend. The logical switch
update method will now first get the resource from the backend
and retain the display name previously configured if name is not
updated. This allows the caller to no longer send the name of the
LS even if it is not updated.

Change-Id: Iee42c59ff1edd1fb822184535a8c0943a94e334e
2017-01-12 03:10:12 -08:00
Abhishek Raut ec454a10a1 Add method to security module
This patch adds a method to security module to further expose
more options available from firewall APIs on the backend.

Specifically this patch adds the following:
    1. A method to build tag expression for LogicalSwitch targets
       to create dynamic NSGroups.

Change-Id: I9bbacfe14076d9ff92b0f45e9a85335876302f72
2017-01-12 00:37:04 -08:00
Abhishek Raut bc1b7744c6 Fix address bindings in logical port update
During port updates, if the user does not pass address bindings,
nsxlib should perform a LP GET on the backend and use the
existing address bindings.
The response body returns address bindings in a dict format
which breaks the update in _build_attrs method. This patch
adds a new method which will convert the address bindings
dict into PacketAddressClassifier namedtuple.

Change-Id: I660cc63264d1458d17d587555889974571960bd5
2017-01-09 01:57:15 -08:00
Jenkins f438d502c3 Merge "Disable uRPF check on lrp on container LS" 2017-01-27 22:38:59 +00:00
Jenkins 04ee1b3512 Merge "Add match_ports argument while adding NAT rule" 2017-01-27 22:34:50 +00:00
Jenkins fe1816d4c4 Merge "Add IP POOL ID during port create/update" 2017-01-27 16:54:59 +00:00
Jenkins 55f15b61b3 Merge "Add support to create/delete ip block subnet on backend" 2017-01-27 16:53:21 +00:00
Jenkins 7e92de7cf7 Merge "Allow setting QoS shaper values to 0" 2017-01-27 00:11:20 +00:00
Adit Sarfaty 1e760fe4f5 Allow setting QoS shaper values to 0
Change-Id: I751fcb61adf0a18a82c961a6fede4656b2643660
2017-01-19 12:22:29 +02:00
OpenStack Proposal Bot df9ff05e75 Updated from global requirements
Change-Id: I8170983c8051ac4240d524f394ac0e9f616c1fbf
2017-01-18 01:25:39 +00:00
Jenkins 4ce55c8608 Merge "Fix bugs in certificate management exceptions" 2017-01-17 21:43:44 +00:00
Anna Khmelnitsky 1c0438764a Fix bugs in certificate management exceptions
Change-Id: I3e8f9e35cd574257e923adddec9d1103da3a228a
2017-01-10 15:25:45 -08:00
Abhishek Raut 2181d94403 Disable uRPF check on lrp on container LS
uRPF check which prevents evil endpoints from spoofing source
IP address needs to be disabled for logical router ports on
logical switches with container ports in case of Kubernetes.

This is to enable kubelet to perform health check. So in this
scenario the kubelet runs on the minion and the container runs
on the same minion. The packet from the kubelet hairpins back
into the VM via the tier-1 router.

Interestingly, the 'urpf_mode' property is only valid in the port
create body when the router is either of type LogicalRouterUplinkPort
or LogicalRouterDownlinkPort.

The other two port types LogicalRouterLinkPortOnTIER0 and
LogicalRouterLinkPortOnTier1 do not have 'urpf_mode' as their object
properties, and passing them results in an API validation error.

Hence in the code in the base LogicalRouterPort create method, we
add the urpf_mode to the body only if it's not None. And we pass
'urpf_mode' only when creating the Downlink port, i.e. when attaching
the logical router to the logical switch.

Change-Id: Ib266da6e6f232e78e07f8d6c56cb69606f2ee9fe
2017-01-08 22:16:33 -08:00
Abhishek Raut 6b99e7693a Add match_ports argument while adding NAT rule
While adding NAT rules, if the match_ports argument is set,
add a match_service parameter in the request body to match
the service type, protocol and port for the corresponding rule.

Also add support to delete nat rules by using internal IP only.

Change-Id: I7c3f37bfea6c9f348d966e3f97e9f3b141bdfad3
2017-01-08 21:44:55 -08:00
Abhishek Raut f750af9160 Add support to create/delete ip block subnet on backend
This patch adds support to create/delete IP block subnet on
NSX.
This patch also adds more arguments to allocate method
for IP pools needed by nsx-ujo effort.

Change-Id: I1fddb45c1e66a78fe28d2e97a729513618409915
2017-01-08 21:43:06 -08:00
Abhishek Raut 291cbee227 Add IP POOL ID during port create/update
This patch adds IP POOL ID to the port
create/update for container ports using the
key_values parameter of context in the request body.

Change-Id: Id08c265df0c00744ecb75d07c255c1bc549c2bac
2017-01-08 21:38:35 -08:00
Jenkins fc6dcf073c Merge "Support ip-pool update" 2017-01-08 07:11:01 +00:00
Jenkins 734c845828 Merge "Client certificate management for NSXV3 authentication" 2017-01-08 06:53:28 +00:00
Jenkins af287ec1c5 Merge "Basic support for client cert authentication" 2017-01-08 06:52:46 +00:00
Anna Khmelnitsky c9063831c3 Basic support for client cert authentication
Add client_cert_file to nsxlib initialization.
If specified, nsxlib will authenticate with client certificate.
If unspecified (default), basic user/pwd authentication is used.

Change-Id: If36841e9fd9701fa173ffa294732415dc07d49e7
2017-01-06 13:59:27 -08:00