Commit Graph

20 Commits

Author SHA1 Message Date
Ade Lee 36a642d9d0 Update scripts to use fips allowed algorithms
Openssl genrsa is deprecated in favor of genpkey, and fails in FIPS mode.
Update the relevant calls to use genpkey instead.

Change-Id: I1aab9faa8afe845e445e620d1800785d2e19ad1e
2022-01-17 14:01:16 -05:00
Brian Haley 1c639f01a0 Don't inherit enforcing bash errexit in devstack plugin
The devstack plugin code was sourcing a file that was
enabling bash errexit, which was then inheriting it in
later operations that could cause the shell to exit
unexpectedly.

Change both scripts to 'set +e' near exit so sourcing
them doesn't have issues.

Change-Id: I16513b0066c05cd6fc606da341df636094010a34
2020-04-15 10:10:34 -04:00
Gregory Thiemonge 8b6bb936d3 Use 2048-bit keys for devstack certificates
RHEL8 and Centos8 refuse to load certificates generated with a 1024-bit
key because of new security policies. Increasing the key size to 2048 bits
fixes certificate generation scripts for these distributions.

Story 2006944
Task 37623

Change-Id: I6d5d39c4cf87ac687355f80ca591c1a611f46f41
2019-11-27 11:49:41 +01:00
Gregory Thiemonge c7f4b4a9db Fix certificate directory creation
When calling ./stack.sh twice, octavia devstack plugin fails because
local certificate directory already exists.

This commit deletes the directory each time a certificate creation
script is called and when the user cleans up his devstack's
installation.

Change-Id: I21dfffa9b30274fa0fa9f365a88222b8f4c89e29
2019-09-27 09:40:08 +02:00
Michael Johnson 950faea6e9 Use dual intermediate CAs for devstack
This patch updates the devstack plugin to use a dual Certificate
Authority (CA) with intermediate CAs for the Octavia controller
deployment.
This is a more realistic deployment model for testing.
Note: This change uses weak security to save gate resources. Please
refer to the Octavia Certificate Configuration Guide for production
instructions.

Change-Id: I3ec135766c9a1ddb7ac6655c0ee1ccb1e78ead5c
2019-08-27 16:28:12 -07:00
Michael Johnson d3c3f148f4 Clarify that the certificate guide should be used
The quick start guide was pointing users to the old create_certificate.sh
script. This patch clarifies that the "Octavia Certificate Configuration
Guide" should be used when configuring certificates for the Octavia
controllers.
It also adds a warning to the create_certificate.sh script.

Change-Id: I7a87430be5a1553ff760e31c26ca52090399d00a
2019-05-31 09:13:07 -07:00
Zuul bd07eada87 Merge "Add error-handling for permission of /etc/octavia" 2019-04-14 21:52:05 +00:00
Kenichi Omichi 6c0af86e4c Add error-handling for permission of /etc/octavia
create_certificates.sh basically requires permission on /etc/octavia
and creates certificates under it. If enough permission is not granted,
the script creates these files under the current directory and that makes
a mess. So this patch adds minimum error-handling for avoiding that.

Change-Id: I5166329a7c45c8f17890f11af99bedb206144de5
2019-03-13 12:37:37 +00:00
Kenichi Omichi 2850c84770 Remove unnecessary \n from create_certificates.sh
When operating bin/create_certificates.sh, it shows like
 ...
 certificate need to be different so a hacker can't just use the server certificate from a
 compromised amphora to control all the others.
 \nTo use the certificates copy them to the directory specified in the octavia.conf

If we want to add a new line with "\n", we need to pass -e to echo.
Otherwise, we can just remove it.

Change-Id: I9cf7da7650df29c97ab8c46846dbf62f2bede5f4
2019-03-09 00:59:15 +00:00
Adam Harwell 85a195893d Two quick fixes (one log message, one cert create script thing)
* Fill the create LB log message correctly with ID
* Create the full path when creating certs (prevents annoying errors)

Change-Id: Iadace0f7f84ada920139b4476b8e854eec6ab1f7
2017-05-09 11:37:40 -04:00
Adam Harwell 0d11e880f2 create_certificates.sh needs to be executable
Change-Id: Idffb89aa9dfd5fe185010d51b046b4fde0412f78
2017-02-14 13:35:03 -08:00
Miguel Angel Ajo 257848697b Fixes pregenerated certificates validity to 50y
The existing pregenerated certificates (CA) were already expired
and not working on the multinode tests. Those pregenerated
certificates are used so all the nodes share the same CA.

This patch introduces a script to regenerate the certs in the
repo too.

Change-Id: I977c29e3d5867e22efd60d6bdda8a98a26559fc9
Closes-Bug: 1633436
2016-10-14 18:05:12 +02:00
zhangyanxian 2c134db4ad Fix typo in the files
Change-Id: I166e9e75aa1716b3151164e06d6664348084cf02
2016-07-14 12:46:12 +00:00
Carlos D. Garza ccd7865350 Implement UDP heartbeat sender and receiver
Used binary compressed encoding of a JSON dumped object, to reduce
the size needed to send heartbeats in case some stats objects
start getting sent later on. Also used sha256 instead of sha1
with hmac.

Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Co-Authored-By: German Eichberger <german.eichbeger@hp.com>
Co-Authored-By: Carlos Garza <carlos.garza@rackspace.com>
Partially implements: health-manager
Change-Id: I932c693101b94c9132e1741291610508876eab43
2015-09-09 06:48:24 +00:00
Bertrand Lallau be095e5e57 Correct shebang in create_certificates.sh
Change-Id: Ifaca8a29532269c2cbf929c7be8adfb73ca49400
2015-08-19 16:17:52 +02:00
German Eichberger 40440b8a0b Implements the haproxy amphora agent api server
- Added configuration
- Added uploading of haproxy config
- Added start, stop, reload (async)
- Added get_details
- Fixed returns of API -- they are now all spec conform
- Added info, get haproxy file
- Added function to get listener status
- Added class to parse haproxy stats socket
- Added methods to handle certs
- Added client cert validation to the server
- Added script to generate example certs
- Added init script for agent
- Added network and vip plugging
- Added devstack stuff
- Added diskimage scripts; upstart ini file

Change-Id: Ib1db8da9e019e68e9a0f4a16a622b8b1286afd3e
Implements: blueprint amphora-api
2015-06-02 18:13:39 +00:00
Brandon Logan a48ccb03fb Fix ups so pbr and setup works
Moved octavia/bin directory to octavia/octavia/cmd and renamed octavia-api to
api.py.  This follows the new structure most openstack projects are doing.
Also implemented octavia-api being built when doing setup install.

Had to remove the octavia/tests/specs symlink because pbr did not like it and
would not allow anything to be built. Also found out the test_titles test was
not being run on the specs, so that has been added as a separate tox
environment.

Change-Id: I92f2bc6eaa346983f7a2479dc9fa43d2040f2cd5
2015-04-23 16:04:27 -05:00
Brandon Logan 44bda48a91 Allow id to be added in POSTs for all entities
This is to allow neutron-lbaas to be able to give its own ids so it
can know what id octavia is tracking.

Change-Id: Id49c7971894228fdf56189df86175fd35c6ed5ca
2015-04-16 16:31:44 -05:00
Doug Wiegley ccecb6ea26 Sync with oslo-incubator, tweak as needed
Change-Id: Ice3cfd55ebdfc0b1355ecbb48d42c123cdb743bb
2015-03-30 18:06:47 -06:00
Brandon Logan 9786021205 Implementing simple operator API
Set up executable to use wsgiref.simple_server
Simple setup of pecan
Defined controllers that define the API resources
Implemented all controllers to manipulate database and send to handler
Added repository methods required for creating multiple items in one transaction
Defined a few API exceptions based on wsme exceptions
Defined the wsme types that define the resource response and request bodies
Defined an abstract handler that all handlers should subclass
Defined a simple handler that is responsible for sending to controller
Added some wsme type tests

Implements: bp/operator-api

Change-Id: I0d91934db47a6e45f0c9ac22089f8689957bd239
2014-12-11 20:22:14 -06:00