NSX policy is conceptually a separate endpoint, with a different
set of managed objects, but the same connection management functionality.
NsxLib user might want to have two instances of the library (based
on different configurations), one for policy and one for core nsx api.
Note: This patch will require adjustments in vmware_nsx UTs, due to
resource mocks.
Change-Id: I0d3660a8f9092bcf4e2fb4bf93e86c0dc7be7aaa
Splitting assertEqual on a tuple with None into multiple
asserts, using assertIsNone for expected None values.
Also fix the order of expected/observed in assertEqual calls.
Change-Id: I1c60c7d05ed8841178b6c9aabb7e1fb19d34818d
When we create FIP in Neutron, default DNAT is created without
passing match_ports to add_fip_nat_rules. However, when adding
nat rules, [] is not None, and it goes ahead to create default
DNAT rule only allowing TCP protocol which is wrong. We should
use ANY protocol for FIP DNAT.
Closes-Bug: #1672939
Change-Id: Ib3743018646c521923bb8bbc5fad1409eb4fbe16
In order to remove IP addresses from the IPSet and empty the list,
the request to update IPSets should allow empty list. Currently an
empty list is replaced with previous values which ends up not
updating the ip address list with the desired values.
Change-Id: I7261cffd39ad983d4c225b6ab352632c95e2a950
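The FIP DNAT fix and the IPSet fix above both turn on the difference between None ("argument not passed") and an empty list. The sketch below is an added example, not code from vmware-nsxlib; the function names, dict layout and field names are hypothetical and the addresses are constructed.

```python
# Added example: hypothetical helpers, not vmware-nsxlib code.


def update_ipset_buggy(current, ip_addresses=None):
    """Truthiness test: [] is treated like 'not provided'."""
    body = dict(current)
    if ip_addresses:  # bug: an empty list falls through, old values stay
        body["ip_addresses"] = list(ip_addresses)
    return body


def update_ipset_fixed(current, ip_addresses=None):
    """Only an omitted argument (None) keeps the previous addresses."""
    body = dict(current)
    if ip_addresses is not None:  # [] is a real value: empty the set
        body["ip_addresses"] = list(ip_addresses)
    return body


def fip_dnat_rule_buggy(ext_ip, int_ip, match_ports=None):
    """Identity test: [] counts as 'ports given', so the rule is narrowed."""
    rule = {"action": "DNAT", "match": ext_ip, "translated": int_ip}
    if match_ports is not None:  # bug: [] is not None
        rule["protocol"] = "TCP"
        rule["ports"] = list(match_ports)
    return rule


def fip_dnat_rule_fixed(ext_ip, int_ip, match_ports=None):
    """No ports (None or []) leaves the rule matching any protocol."""
    rule = {"action": "DNAT", "match": ext_ip, "translated": int_ip}
    if match_ports:  # narrow only when ports were really given
        rule["protocol"] = "TCP"
        rule["ports"] = list(match_ports)
    return rule


# Constructed sample data (documentation address ranges).
SAMPLE_IPSET = {"id": "ipset-1", "ip_addresses": ["192.0.2.10", "192.0.2.11"]}

if __name__ == "__main__":
    print(update_ipset_buggy(SAMPLE_IPSET, []))  # stale addresses survive
    print(update_ipset_fixed(SAMPLE_IPSET, []))  # list is emptied
    print(fip_dnat_rule_buggy("203.0.113.5", "10.0.0.5", []))
    print(fip_dnat_rule_fixed("203.0.113.5", "10.0.0.5", []))
```

The two cases need opposite tests: an update must accept [] as a value, while an optional filter must treat [] as absent.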
This patch adds a utility method to create complex expressions
for NSGroups in order to create a dynamic membership criteria
to match multiple tags.
Change-Id: I8a15db52e8df889af7fb4b73579873bc86bfa30d
When openstack runs in HA mode, admin might choose to assign two
separate client certificates for each openstack host. This is
possible with storage_type=none. This change allows deleting cert
and identity based not only on identity name, but on cert pem.
In addition, allow faster cluster recovery in case of certificate
change.
Change-Id: Ia4eea874cfa2bf4befc724b719e53e936292e11f
When building the native dhcp server config we use the dns domain/nameservers
from the network/subnet objects.
If not defined, we use the global values in the nsxlib config.
Now adding optional default parameters to be used instead of global ones.
This will enable using different configuration per network availability zone.
Change-Id: I38b458e2c530f29a0e5518257ed3041d0610df25
The dhcp_profile_uuid is a part of the nsxlib configuration but it is
never used.
Adding a deprecation warning for it, and stop adding it to the config class.
Change-Id: Ib36ba0c473d66d81a99d79c691548642da34982c
This patch simply adds 3 attributes to the request body sent to NSX
when creating principal identities for certificates, adjusts the
code in vmware_nsxlib.v3.client_cert accordingly, and removes
code that was based on "single cert per identity" assumption.
Change-Id: Ib4e1f44e98843d7cb308c57434e3ecc68f7b8dc2
In nsxlib configuration, replace client certificate file with a
broader concept of provider: apart from certificate file name, the
provider can implement __enter__ and __exit__ routines to handle
file creation and disposal.
Change-Id: I0c11107324786cf0852b054f32940422dffef5bb
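A provider of the kind described above could look like the following. This is an added example, not the library's own class; TempFileCertProvider, its filename() method, the load_pem callable and connect_with are assumptions made for illustration, and the PEM bytes are a constructed placeholder.

```python
# Added example: hypothetical provider, not vmware-nsxlib code.
import os
import stat
import tempfile


class TempFileCertProvider:
    """Writes PEM data from storage to a private temp file on entry
    and removes the file on exit, so key material is on disk only
    while a connection is being set up."""

    def __init__(self, load_pem):
        self._load_pem = load_pem  # callable returning PEM bytes
        self._path = None

    def __enter__(self):
        # mkstemp creates the file readable/writable by the owner only.
        fd, self._path = tempfile.mkstemp(suffix=".pem")
        try:
            with os.fdopen(fd, "wb") as pem_file:
                pem_file.write(self._load_pem())
        except Exception:
            self.__exit__(None, None, None)  # do not leave a partial file
            raise
        return self

    def __exit__(self, exc_type, exc, tb):
        if self._path and os.path.exists(self._path):
            os.unlink(self._path)
        self._path = None
        return False  # never swallow the caller's exception

    def filename(self):
        return self._path


# Constructed placeholder, not a real certificate.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"


def connect_with(provider):
    """Stand-in for connection setup: reads the file inside the block."""
    with provider as active:
        path = active.filename()
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, "rb") as pem_file:
            data = pem_file.read()
    return mode, data, os.path.exists(path)
```
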
This will enable the plugin to validate the supported
DHCP extra options.
This is done via the method get_dhcp_opt_code. If a name is
not supported then None is returned.
Change-Id: Ia28c2da080d79e7e1e87db0f137963a4560862bb
The endpoint validation process queries transport zones.
Requests/responses for transport zones can clutter logs quite a bit and
make troubleshooting and support more complex.
This patch introduces the possibility of muting logging in _rest_call,
by passing a "silent" parameter to it, defaulting to False. The
_validate_connection routine will instead set this parameter to True,
thus preventing request and response for the transport zone resource to
be dumped on the log.
Change-Id: I1f4ef84d11db9ead3e23666a7c8e8b76ca30b1ec
When client certificate is regenerated, keepalive connection
to NSX endpoint will be broken. This patch will detect this and
invoke a callback to give nsxlib user a chance to reload the cert;
then regenerate connection pool to restore connectivity.
Change-Id: I0a334df4dd05feb784b9ff8bdc988ac41878863c
In addition, add getters for certificate fields,
and ensure certificate object has short lifespan, since
it might change in storage.
Change-Id: I2abbec0e48d82d432c9cc18afaca62bae7558d7c
Currently the search API accepts resource_type as an optional param
which is used to limit the scope of the search to a given type of
resource. This in turn searches the backend for all fields of all
objects.
For example, a search for LogicalSwitch resource_type may return
NSGroups which contain a membership criteria for LogicalSwitch.
In this case NSGroups are returned since the target_type field for
the NSGroup is set to LogicalSwitch.
In order to correctly return only objects of type LogicalSwitch, the
query must have resource_type:LogicalSwitch instead of LogicalSwitch.
Change-Id: I0418c0a758b28ec46b77a7adaf2dbc3addac6da3
This patch adds IPSet CRUD operations under the security module.
This patch also adds a util method for IPSets to return reference
dict for IPSet objects.
Change-Id: Ie5157055e80ec1976159cabc172d8285314570c4
1. get logical port applyto reference
2. get rule address
3. get l4 portset nsservice
4. create section with rules
Change-Id: I02003b64f6937f1200572cb07accd8b59be19544