Splitting assertEqual on a tuple with None into multiple
asserts, using assertIsNone for expected None values.
Also fix the order of expected/observed in assertEqual calls.
Change-Id: I1c60c7d05ed8841178b6c9aabb7e1fb19d34818d

When we create FIP in Neutron, default DNAT is created without
passing match_ports to add_fip_nat_rules. However, when adding
nat rules, [] is not None, and it goes ahead to create default
DNAT rule only allowing TCP protocol which is wrong. We should
use ANY protocol for FIP DNAT.
Closes-Bug: #1672939
Change-Id: Ib3743018646c521923bb8bbc5fad1409eb4fbe16

This patch adds a utility method to create complex expressions
for NSGroups in order to create a dynamic membership criteria
to match multiple tags.
Change-Id: I8a15db52e8df889af7fb4b73579873bc86bfa30d

When openstack runs in HA mode, admin might choose to assign two
separate client certificates for each openstack host. This is
possible with storage_type=none. This change allows deleting cert
and identity based not only on identity name, but on cert pem.
In addition, allow faster cluster recovery in case of certificate
change.
Change-Id: Ia4eea874cfa2bf4befc724b719e53e936292e11f

When building the native dhcp server config we use the dns domain/nameservers
from the network/subnet objects.
If not defined, we use the global values in the nsxlib config.
Now adding optional default parameters to be used instead of global ones.
This will enable using different configuration per network availability zone.
Change-Id: I38b458e2c530f29a0e5518257ed3041d0610df25

The dhcp_profile_uuid is a part of the nsxlib configuration but it is
never used.
Adding a deprecation warning for it, and stop adding it to the config class.
Change-Id: Ib36ba0c473d66d81a99d79c691548642da34982c

This patch simply adds 3 attributes to the request body sent to NSX
when creating principal identities for certificates, adjusts the
code in vmware_nsxlib.v3.client_cert accordingly, and removes
code that was based on "single cert per identity" assumption.
Change-Id: Ib4e1f44e98843d7cb308c57434e3ecc68f7b8dc2

In nsxlib configuration, replace client certificate file with a
broader concept of provider: apart from certificate file name, the
provider can implement __enter__ and __exit__ routines to handle
file creation and disposal.
Change-Id: I0c11107324786cf0852b054f32940422dffef5bb

This will enable the plugin to validate the supported
DHCP extra options.
This is done via the method get_dhcp_opt_code. If a name is
not supported then None is returned.
Change-Id: Ia28c2da080d79e7e1e87db0f137963a4560862bb

The endpoint validation process queries transport zones.
Requests/responses for transport zones can clutter logs quite a bit and
make troubleshooting and support more complex.
This patch introduces the possibility of muting logging in _rest_call,
by passing a "silent" parameter to it, defaulting to False. The
_validate_connection routine will instead set this parameter to True,
thus preventing request and response for the transport zone resource to
be dumped on the log.
Change-Id: I1f4ef84d11db9ead3e23666a7c8e8b76ca30b1ec

When client certificate is regenerated, keepalive connection
to NSX endpoint will be broken. This patch will detect this and
invoke a callback to give nsxlib user a chance to reload the cert;
then regenerate connection pool to restore connectivity.
Change-Id: I0a334df4dd05feb784b9ff8bdc988ac41878863c

In addition, add getters for certificate fields,
and ensure certificate object has short lifespan, since
it might change in storage.
Change-Id: I2abbec0e48d82d432c9cc18afaca62bae7558d7c

Currently the search API accepts resource_type as an optional param
which is used to limit the scope of the search to a given type of
resource. This in turn searches the backend for all fields of all
objects.
For example, a search for LogicalSwitch resource_type may return
NSGroups which contain a membership criteria for LogicalSwitch.
In this case NSGroups are returned since the target_type field for
the NSGroup is set to LogicalSwitch.
In order to correctly return only objects of type LogicalSwitch, the
query must have resource_type:LogicalSwitch instead of LogicalSwitch.
Change-Id: I0418c0a758b28ec46b77a7adaf2dbc3addac6da3

This patch adds IPSet CRUD operations under the security module.
This patch also adds a util method for IPSets to return reference
dict for IPSet objects.
Change-Id: Ie5157055e80ec1976159cabc172d8285314570c4

1. get logical port applyto reference
2. get rule address
3. get l4 portset nsservice
4. create section with rules
Change-Id: I02003b64f6937f1200572cb07accd8b59be19544

The current NSGroup create method does not allow for passing a
list of membership criteria. Similarly the source, destination
and service arguments of Firewall rule method do not allow for
passing a list. This patch provides a fix for it and updates
all occurrences of get_rule_dict with appropriate values.
This patch also adds a new arg to get_rule_dict to allow creation
of firewall rules with the disabled=True or False. The default
value of this arg is False, which means rules are enabled.
Change-Id: I6b16d37bf3ca61f3c9f02688f9548ea4b3b6adb6

This patch adds a new util method to the NsxLib class.
NsxLib will expose a search method to retrieve objects from
backend based on their tags and resource type. Tags argument
must be present in order to search.
Tags are supplied in the following form:
[{'scope': <scope_val>, 'tag': <tag_value>}, ...]
Change-Id: I304e9c44e55657e652b2a8236e85602c295cf22b

If user does not intend to update the name of the logical switch,
the name should remain the same on backend. The logical switch
update method will now first get the resource from the backend
and retain the display name previously configured if name is not
updated. This allows the caller to no longer send the name of the
LS even if it is not updated.
Change-Id: Iee42c59ff1edd1fb822184535a8c0943a94e334e

This patch adds a method to security module to further expose
more options available from firewall APIs on the backend.
Specifically this patch adds the following:
1. A method to build tag expression for LogicalSwitch targets
to create dynamic NSGroups.
Change-Id: I9bbacfe14076d9ff92b0f45e9a85335876302f72