In some of the tests, cleanups were missing after creating Octavia
resources.
This patch adds the missing cleanups.
Change-Id: I848e08295580709fa739df2d216dad0efd19a795
The cryptography library has been bumped to 3.1 in upper-constraints
file during Ussuri, which is quite old. So we no longer have to
maintain logic for cryptography < 3.0.
Change-Id: I1a463e320b94b0e99e92541581e1ee5feffd356a
There was an intermittent test failure in the
test_pool_reencryption_client_authentication test where members are detected
as unbalanced. This was due to the time it takes for the health monitor to
bring the member back into the pool.
This change adds a waiter for the members to go operating_status ONLINE before
checking for balanced member requests.
Story: 2010660
Task: 47710
Change-Id: Ibb1f351c77f3ed7a0c69c8295973f77ab2069dad
There has been a direction change in the "secure-RBAC" goal and scoped
tokens are no longer being implemented[1].
The Octavia tempest tests were updated for the new keystone roles and
scoped tokens at the same time with a (bad) assumption that they would be
turned on at the same time.
This patch updates the Octavia tempest plugin to not assume that scoped
tokens are in use when the RBAC type is set to keystone_default_roles.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change
Depends-On: https://review.opendev.org/c/openstack/octavia/+/877433
Change-Id: Ia1c4ca0b675d39bd43640184d6d3deba823fd3f6
This patch adds a test where we test both h2 and HTTP traffic on the
same load balancer.
For this purpose, we deploy an HTTP listener, a TERMINATED_HTTPS
listener with h2 alpn protocols, and an HTTP pool with h2 alpn protocol
and backend re-encryption.
Change-Id: I470268c91cce18a00baf3fb1f721299bf4662e13
Some services are enabling "new defaults" RBAC by default. This will require all non-admin users to have either the "member" or "reader" role. This patch updates the Octavia tempest plugin to include the "member" role in test credentials when the tempest plugin is configured for "RBAC_test_type" other than owner-or-admin.
Change-Id: I8aadb98d438943b18a8d72ff54e216930cfd3ccc
Not in every cloud does tempest have permissions to list the
role assignments. Since it is not critical for running the tests,
the logging of the user roles should be configurable.
Change-Id: I8aea2b597b9dd9bbdc5a1527fae03e86364aab4c
This patch adds API and scenario tests for PROMETHEUS listeners. This
includes scenario tests that connect to the metrics endpoint.
Depends-On: https://review.opendev.org/c/openstack/octavia/+/812258
Change-Id: Ia46d8c0967bc5b0f7cd11b6e3ca3a4e03c0bc138
Several tests are skipped because of story 2007979 [1] even though it
seems that the bug tracked by the story has already been resolved.
This patch removes the skip flag for these tests as the bug has already
been resolved.
[1] https://storyboard.openstack.org/#!/story/2007979
Change-Id: Ibec0bf4fba52a32dd1c9980c5d6bd7afc35d81a3
This patch adds a pool client authentication scenario test that uses
test servers that require client authentication.
Change-Id: Id5b200954cdf02280d31ed910012a1591a2d2697
1) test_udp_update_pool_healthmonitor_listener
Traffic should PASS after updating any of LB's components.
2) test_hm_op_status_changed_as_expected_on_update
Update health monitor with various combinations of:
HTTP method, expected HTTP status codes and backend URL.
Validate that members' operation status is getting into
appropriate state on each update.
Change-Id: Ie80378ac1a96941eefa905fd6f49c8fa7e9c3692
generate_pkcs12_bundle used the PKCS12 class of the pyOpenSSL module
which is not compliant with FIPS (uses SHA1).
Switch to the cryptography module for generating the PKCS bundles unless
for really old releases (<=3.0) that don't support it (stable/train is
still on 2.8).
Change-Id: Ibd50e9a6e406683b7faba093d716c83d2b994ad7
The TLS_METHOD constant was introduced in pyopenssl 21.0.0 [0], but some
older Octavia branches (from train to victoria) still use older releases
(19.1.0 for victoria) and then don't support it. Switch back to the
the previous SSL methods if the new constant doesn't exist.
[0] 5dc698861c
Change-Id: Ib0eeb1136c168fcc32326f4ed8b008fb7f193a30
This patch fixes the check for listeners that
have been created with admin_state_up = False,
when running a driver in non-noop mode.
By error it is checking that the listener
is in ONLINE status, when this particular case
requires checking OFFLINE.
Change-Id: I07a9f6abdef29334d70e30755bb948c5b0b65d54
TLSv1_2_METHOD and SSLv23_METHOD are deprecated in OpenSSL [0], update
SSL.Context to use the generic TLS_METHOD.
This change also fixes the c9s-based FIPS jobs (they don't support
TLSv1.2).
[0] https://www.pyopenssl.org/en/stable/api/ssl.html#context-objects
Story 2009942
Task 44847
Change-Id: I39e293db39d2a9287b581833cfe9fd469f701a7c
This commit fixes the situation when test _test_listener_list fails
because of a mismatched OPERATION_STATUS. This error can be reproduced
only in really slow environments.
Change-Id: Ie873a59fffda425c60e912abbb0d3aec68e134ed
Some checks were missing for the test_*_listener_update and
test_*_listener_delete tests in ListenerAPITest.
Change-Id: I1ee799c56286c687ea2d7c456f84f34103d58d91
Split MemberAPITest class into MemberAPITest1 and MemberAPITest2
classes. MemberAPITest contained 240 test functions and it took 1h45 in
the octavia-v2-dsvm-noop-api job to run those functions sequentially.
By splitting this class, the load is now spread on 2 workers and it reduces
the duration of the noop-api jobs, avoiding frequent timeout issues.
Change-Id: I2d2cf910bd5801bfeb92c1ede51bd120ced3b4f9
Add octavia-v2-dsvm-scenario-centos-9-stream
Add extra args to the "scp" command to authorize the pubkey exchange
with a cirros VM.
Detect the openssh client version to enable the use of the SCP protocol
(starting with openssh 8.7, the SFTP protocol is the default protocol
with scp, SFTP is not supported by Cirros) when sending files to the
cirros VM.
Depends-On: https://review.opendev.org/828189
Change-Id: I689a50e6762fd22e1aaec8aa84ff5b075ff5bd45
This is a follow-up commit for 'Add type to allow ECDSA keys'
(I34ac429ab5442cef056ee8b63fcb2ba41e8b9b27), this commit allows
using octavia-tempest-plugin with older tempest releases
(ex: in our jobs on stable/train).
It catches the exception if [validation].ssh_key_type is not
supported and doesn't pass the ssh_key_type argument to tempest
functions.
Change-Id: I5c2db87975803b30ea230c3bbf5dab4b96da4614
This patch adds ALPN protocol selection support to the pools service
client allowing you to limit the ALPN protocols negotiated when connecting
to member servers.
A follow on patch should include test coverage for this.
Change-Id: Id0b93446dbfdde479fd573eed3e9a5c1e9400609
Some tempest tests will fail under FIPS because they are trying to
ssh to a cirros instance that has a version of dropbear that does
not support signatures other than using SHA-1 for RSA keys. This
is not allowed under FIPS. The workaround until cirros is updated
is to use ECDSA keys. This patch allows the key type to be
specified.
Depends-On: https://review.opendev.org/c/openstack/tempest/+/807465
Change-Id: I34ac429ab5442cef056ee8b63fcb2ba41e8b9b27
When adding an ipv6 member in test_ipv6_traffic_ops, the ipv4 subnet
from the same network was provided. This is incorrect, the ipv6 subnet
must be passed.
Change-Id: Id8f409a15e14c110f8075bbe943aed42224a948d
All the load balancer service clients are registered via the plugin interface[1],
that way Tempest registers them and creates the lazy initialization of registered clients
so that they can be accessed from there in a consistent way.
But octavia-tempest-client creates a separate instance of those and accesses it instead of
accessing the registered service client in Tempest. This commit makes all the service clients
accessed from the Tempest registry and removes the separate objects.
[1] cac3eefc44/octavia_tempest_plugin/plugin.py (L54)
Change-Id: Ie24909b49baf2c6a886e2ff711e641e36ffe6b50
Fix except_timeout_error call to make_request. In case of an IPv6
address and a TCP-based protocol, make_request expects brackets around
the address (ex: [2001:12::2]).
Some tests failed with the following error: "Validate URL got exception:
Failed to parse: http://fd22:262a:41e1:1::f5:97. Retrying.". Then the
requests timed out because each retry failed and not for the expected
reason (which is: SG update was applied).
Because of that issue, some IPv6 tests based on
_test_listener_with_allowed_cidrs may have failed because the tests
considered that the SG were applied, while the traffic could still pass.
Change-Id: I2e6d108a8d4ce197ae657ea10b10f63b1a5850c4
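
The failure mode described in the commit above, as an added example (not code from the plugin): a negative traffic check must confirm the request was actually sent before treating a timeout as proof that the security group blocks traffic. The function names and the `send` callable are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit


def format_host(address):
    """Bracket IPv6 literals for use in a URL; leave IPv4 and names alone."""
    try:
        version = ipaddress.ip_address(address).version
    except ValueError:
        return address  # not an IP literal (hostname)
    return f"[{address}]" if version == 6 else address


def build_url(scheme, address, port=None):
    url = f"{scheme}://{format_host(address)}"
    return f"{url}:{port}" if port is not None else url


def url_is_well_formed(url):
    """True only if host and port can be recovered from the URL."""
    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError for an unbracketed IPv6 literal
    except ValueError:
        return False
    return bool(parts.hostname)


def traffic_is_blocked(url, send):
    """Negative check: True only when a well-formed request timed out.

    `send` is a hypothetical callable that performs the request and raises
    TimeoutError when nothing answers.
    """
    if not url_is_well_formed(url):
        raise ValueError(f"request was never sent, malformed URL: {url}")
    try:
        send(url)
    except TimeoutError:
        return True
    return False
```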
It's possible to use the same VIP port for TCP and UDP protocols.
Two listeners: UDP and TCP are being created using the same VIP port.
UDP and TCP traffic validation, both should PASS.
Change-Id: Ie93829be86b8a2442911ce212cdd0bc98237b962
This test covers LB "insert HTTP headers" functionality.
It’s a traffic based scenario and validation is done using real HTTP headers
being received on backend side.
Change-Id: I97efd6bcc793e1378356c18209d5345597f39a00
lb_observer and lb_global_observer don't have any meaning when
admin_or_owner policy override is enabled.
This commit disables client creation for those roles and removes their
uses from API tests (the behavior of the owner_or_admin tests is now
similar to their behavior before the introduction of the new RBAC
tests).
Requires the following configuration in tempest.conf:
[load_balancer]
RBAC_test_type = owner_or_admin
member_role = member
admin_role = admin
Change-Id: I2231384933d5974b962a558e8c0b3bffb1140b5a