NSX policy is conceptually a separate endpoint, with a different
set of managed objects, but same connection management functionality.
NsxLib user might want to have two instances of the library (based
on different configurations), one for policy and one for core nsx api.
Note: This patch will require adjustments in vmware_nsx UTs, due to
resource mocks.
Change-Id: I0d3660a8f9092bcf4e2fb4bf93e86c0dc7be7aaa
In order to remove IP addresses from the IPSet and empty the list,
the request to update IPSets should allow empty list. Currently an
empty list is replaced with previous values which ends up not
updating the ip address list with the desired values.
Change-Id: I7261cffd39ad983d4c225b6ab352632c95e2a950
Splitting assertEqual on a tuple with None into multiple
asserts, using assertIsNone for expected None values.
Also fix the order of expected/observed in assertEqual calls.
Change-Id: I1c60c7d05ed8841178b6c9aabb7e1fb19d34818d
This patch adds a utility method to create complex expressions
for NSGroups in order to create a dynamic membership criteria
to match multiple tags.
Change-Id: I8a15db52e8df889af7fb4b73579873bc86bfa30d
When openstack runs in HA mode, admin might choose to assign two
separate client certificates for each openstack host. This is
possible with storage_type=none. This change allows deleting cert
and identity based not only on identity name, but on cert pem.
In addition, allow faster cluster recovery in case of certificate
change.
Change-Id: Ia4eea874cfa2bf4befc724b719e53e936292e11f
When building the native dhcp server config we use the dns domain/nameservers
from the network/subnet objects.
If not defined, we use the global values in the nsxlib config.
Now adding optional default parameters to be used instead of global ones.
This will enable using different configuration per network availability zone.
Change-Id: I38b458e2c530f29a0e5518257ed3041d0610df25
This patch simply adds 3 attributes to the request body sent to NSX
when creating principal identities for certificates, adjusts the
code in vmware_nsxlib.v3.client_cert accordingly, and removes
code that was based on "single cert per identity" assumption.
Change-Id: Ib4e1f44e98843d7cb308c57434e3ecc68f7b8dc2
In nsxlib configuration, replace client certificate file with a
broader concept of provider: apart from certificate file name, the
provider can implement __enter__ and __exit__ routines to handle
file creation and disposal.
Change-Id: I0c11107324786cf0852b054f32940422dffef5bb
Currently the search API accepts resource_type as an optional param
which is used to limit the scope of the search to a given type of
resource. This in turn searches the backend for all fields of all
objects.
For example, a search for LogicalSwitch resource_type may return
NSGroups which contain a membership criteria for LogicalSwitch.
In this case NSGroups are returned since the target_type field for
the NSGroup is set to LogicalSwitch.
In order to correctly return only objects of type LogicalSwitch, the
query must have resource_type:LogicalSwitch instead of LogicalSwitch.
Change-Id: I0418c0a758b28ec46b77a7adaf2dbc3addac6da3
This patch adds IPSet CRUD operations under the security module.
This patch also adds a util method for IPSets to return reference
dict for IPSet objects.
Change-Id: Ie5157055e80ec1976159cabc172d8285314570c4
1. get logical port applyto reference
2. get rule address
3. get l4 portset nsservice
4. create section with rules
Change-Id: I02003b64f6937f1200572cb07accd8b59be19544
This patch adds a new util method to the NsxLib class.
NsxLib will expose a search method to retrieve objects from
backend based on their tags and resource type. Tags argument
must be present in order to search.
Tags are supplied in the following form:
[{'scope': <scope_val>, 'tag': <tag_value>}, ...]
Change-Id: I304e9c44e55657e652b2a8236e85602c295cf22b
In addition, add getters for certificate fields,
and ensure certificate object has short lifespan, since
it might change in storage
Change-Id: I2abbec0e48d82d432c9cc18afaca62bae7558d7c
This patch adds IP POOL ID to the port
create/update for container ports using the
key_values parameter of context in the request body.
Change-Id: Id08c265df0c00744ecb75d07c255c1bc549c2bac
Add client_cert_file to nsxlib initialization.
If specified, nsxlib will authenticate with client certificate.
If unspecified (default), basic user/pwd authentication is used.
Change-Id: If36841e9fd9701fa173ffa294732415dc07d49e7
Client certificate authentication will replace basic authentication.
A single client certificate will be generated by admin for the
configuration agent (openstack, container,..).
This commit focuses on certificate generation and coordination of
certificate management on backend, storage and in the agent itself.
Change-Id: Ib00e2c00aecb53cec63a746e9db6829a5594eb3a
There were some directories excluded from the pep8 run, and many checks
were ignored.
This cleans the exclude list, and fixes the PEP8 issues.
Change-Id: Ib56d45443009349a42fecfc14a792fdaa6d88d67
Sometimes function under test makes multiple calls to the backend,
and being able to provide list of different responses would improve
test coverage.
Change-Id: I27a8cefe28287d25ed5411d44c6e2cc6f0a0701e
Adding support for IP pool create/delete/get actions,
and also allocate & release IPs from the pool
Change-Id: Ieac0aad2268cffa9d4fb5b521ebec268f2b408f3
Following OpenStack Style Guidelines[1]:
[H203] Unit test assertions tend to give better messages for more
specific assertions. As a result, assertIsNotNone(...) is preferred
over assertNotEqual(None, ...) and assertIsNot(None, ...)
[1] http://docs.openstack.org/developer/hacking/#unit-tests-and-assertraises
Change-Id: Ic584db06c10fa351c9bf86d0ed8def047305d1df
For allowed address pairs to be functional on NSXv3 plugin, we
need to enforce both Spoof Guard and MAC Learning switching
profiles. MAC Learning is used to learn the MAC address and
Spoof Guard is used for switch security to ensure that only added
allowed address pairs are allowed on this port.
Moreover, while fixing bug #1631540, we removed the parameter
"mac_change_allowed". After further discussion with NSX team,
it doesn't have negative effect to add it back. The value it can
bring is to support guest VM on ESX host to change MAC address
(the mac_address still needs to be in allowed address pairs) on the
interface.
(Cherry picked from: I2c725df74835165587170f6136c06494d1bfcf7b)
Closes-Bug: #1631539
Change-Id: I1bd8b8e78d955d0f5d2e5a846dfa25c0a7312e47
The NSX3Client did not get the nsx managers IPs, and they were missing
from error messages.
To fix this, and also better fix a similar problem with max_attempts,
the client init method may get another instance of the client, and copy
relevant information from it.
This option is used by the copy-constructor "new_client_for" without the
RestClient class being aware of arguments relevant only to the NSXClient.
Also adding a new test for a resource error message, to make sure it contains
the nsx_manager ip.
(Cherry picked from: I9e7e28eb5fd69ace44547d40cf8cd09e2457c5ed)
Change-Id: I5066ae12aadd286ff880c8545df99a567aeddbeb