In some of the tests, cleanups were missing after creating Octavia
resources.
This patch adds the missing cleanups.
Change-Id: I848e08295580709fa739df2d216dad0efd19a795
There was an intermittent test failure in the
test_pool_reencryption_client_authentication test where members are detected
as unbalanced. This was due to the time it takes for the health monitor to
bring the member back into the pool.
This change adds a waiter for the members to go operating_status ONLINE before
checking for balanced member requests.
Story: 2010660
Task: 47710
Change-Id: Ibb1f351c77f3ed7a0c69c8295973f77ab2069dad
This patch adds a test where we test both h2 and HTTP traffic on the
same load balancer.
For this purpose, we deploy an HTTP listener, a TERMINATED_HTTPS
listener with h2 alpn protocols, and an HTTP pool with h2 alpn protocol
and backend re-encryption.
Change-Id: I470268c91cce18a00baf3fb1f721299bf4662e13
This patch adds a pool client authentication scenario test that uses
test servers that require client authentication.
Change-Id: Id5b200954cdf02280d31ed910012a1591a2d2697
The TLS_METHOD constant was introduced in pyopenssl 21.0.0 [0], but some
older Octavia branches (from train to victoria) still use older releases
(19.1.0 for victoria) and then don't support it. Switch back to the
previous the SSL methods if the new constanst doesn't exist.
[0] 5dc698861c
Change-Id: Ib0eeb1136c168fcc32326f4ed8b008fb7f193a30
TLSv1_2_METHOD and SSLv23_METHOD are deprecated in OpenSSL [0], update
SSL.Context to use the generic TLS_METHOD.
This change also fixes the c9s-based FIPS jobs (they don't support
TLSv1.2).
[0] https://www.pyopenssl.org/en/stable/api/ssl.html#context-objects
Story 2009942
Task 44847
Change-Id: I39e293db39d2a9287b581833cfe9fd469f701a7c
This patch adds a pool re-encryption scenario test that covers
TLS enabled pools, pools with CA validation, and pools with
certificate revocation lists.
Co-Authored-By: Gregory Thiemonge <gthiemon@redhat.com>
Change-Id: Ib3d8d766b8eb358b48da74f8634f6d24510394b4
Wait for the loadbalancer to become ACTIVE after deleting an
healthmonitor or a listener, to ensure the next test uses a LB in a
non-transitional state.
This also fixes the cidrs tests that were using the wrong waiter
timeouts.
This patch also moves individual deletion of children resources in class
tear down to a more performant way by cascade deleting the load
balancer.
Story: 2008219
Task: 41008
Depends-On: https://review.opendev.org/#/c/757604/
Depends-On: https://review.opendev.org/#/c/757840/
Depends-On: https://review.opendev.org/#/c/757841/
Depends-On: https://review.opendev.org/#/c/757842/
Co-Authored-By: Carlos Goncalves <cgoncalves@redhat.com>
Change-Id: I6a4eed7269e4f502bd0fc8613cb4ec4da13890e7
This is a patch to restructrue the scenario tests to use the
new skip_if_not_implemented capability.
Change-Id: I49a7fb6650030f2a1115c6d42442062bd33415fd
Older amphora have a verison of HAProxy that does not support TLS1.3.
This means that the error returned when the client authentication
certificate is required, but improper is different between the versions.
This patch makes the test more generic to pass when the proper
exception is raised, but will no longer validate the error string
contents as this string varies across the protocol versions used.
Change-Id: Ic08135fdf5fb2e8cf35852bf065a885327a852fa
Enabled the same flake8 extensions as the Octavia tree,
fixing the bugs that they now caught.
Trivialfix
Change-Id: I0fc3f5e3a48dc9dc0286cf9b11847a77573ac411
This patch adds map of supported algorithms by
provider drivers. For a first iteration lets select
the first from supported algorithms to be used as
a default and run the tests with it.
In addition this patch splits check_members_balanced()
into subfunctions related to the algorithm
that is validated.
Story: 2006264
Task: 35972
Change-Id: Id055763f35b487da539eddfe802c543a11246503
This patch adds a scenario test covering the "Deploy HTTP and TLS-terminated
HTTPS load balancing on the same IP and backend" usecase from the Octavia
"Basic Load Balancing Cookbook".
It creates a load balancer with two listeners, one HTTPS and one HTTP, that
point to the same backend pool of members. It then checks that the members
are balanced via both listeners.
Change-Id: Ic80eaa10645466ccaffbb19784be6efabeb92aed
This patch adds scenario tests that cover the listener client
authentication features of TLS_TERMINATED listeners.
Depends-On: https://review.opendev.org/#/c/693586/
Change-Id: Ic3a9fa1995709378b68e64aea51e1799867c1bb0
This patch adds scenario tests that exercise the SNI capabilities
of the Octavia TLS offloading.
Depends-On: https://review.opendev.org/690444
Change-Id: I4bbd103e34997dd6b1bb64cb5d69b5135c6e26ea
octavia-lib is only required to get a constant which actually should be
in the octavia-tempest-plugin codebase like other protocols are.
Change-Id: I269da85a9a7adabce340aa436d9457b12dee6e36
Tempest plugins should not explicitly set option from other plugins. The
change I7013888f94261d94e1cd4c3167dc84da7125d1da set
service_available.barbican to false if the barbican plugin doesn't
exist, but cause duplicate error if both are installed. The right way to
check if a service is available or not is checking if the attribute
exists and set the default to false. This patch fix the duplicate error.
Depends-On: https://review.openstack.org/#/c/639153/
Change-Id: I1ba353328e759391cc6a46d95b74c85c4cea6d92
Closes-Bug: 1817154
Tom Weininger