Commit Graph

229 Commits

Author SHA1 Message Date
Gregory Thiemonge a81cf552ce Added oslo_middleware.sizelimit support
Change-Id: I484e4a88993196f63c8c9285dc2772507cc4d8c5
2023-11-28 07:10:53 -05:00
Michael Johnson 32988c0ae8 Fix example policy file system-reader role
This patch fixes the sample keystone_default_roles-policy.yaml file to use admin instead of reader for the system-reader role.

Change-Id: I914aaa2eb57cf4c7206909e8ea17af1033c54965
2023-02-23 18:24:23 +00:00
Dmitriy Rabotyagov f5ac714a7b Pass config to castellan
Currently castellan can't be configured through octavia.conf as
conf is not passed while initializing the backend.

Also document castellan configuration options in reference.

Change-Id: I30b81866989c22b94fb77e62e7abd180f0f0af50
2022-09-30 09:18:00 +02:00
Takashi Kajinami abf7b9efcf Add conf file for oslo-config-generator
This change introduces the config file for the oslo-config-generator
command, so that users can easily generate octavia.conf.example without
tox.

Note this change adds parameters of oslo.policy and oslo.middleware
which were missing previously.

Change-Id: I5ea921cf8d63b28c5143f95dbb47802d5018d7a4
2022-09-04 05:14:16 +09:00
Adam Harwell 1d19b702b1 Failover stop threshold / circuit breaker
Stop failovers if the count of simultaneously failed
amphora reaches the number configured in the new
failover_threshold option.
This may prevent large scale accidental failover events,
like in the case of network failures or read-only
database issues.

Story: 2005604
Task: 30837
Co-Authored-By: Tatsuma Matsuki <matsuki.tatsuma@jp.fujitsu.com>
Co-Authored-By: Tom Weininger <tweining@redhat.com>

Change-Id: I0d2c332fa72e47e70d594579ab819a6ece094cdd
2022-09-02 17:15:59 +02:00
Zuul 6e24fa6bd3 Merge "Add event notifications for load balancers." 2022-08-18 11:50:37 +00:00
Spencer Harmon 70257eb6b3 Add event notifications for load balancers.
This patch creates tasks for load balancer notifications and adds them to the amphora loadbalancer create/delete/update flows.

Change-Id: I287d89cd83e91473f1375788c969521aa58ca567
2022-07-29 10:07:02 -05:00
Michael Johnson 5ab6e3d30f Move system scoped secure-RBAC to separate file
This patch moves the system scope configuration in the policy override example files out to a separate override file. This way the new default roles can be enabled independently of system scoped tokens. This helps us align to the changes in the secure-RBAC spec[1].

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

Change-Id: I1b41780f3ca84ceca563d668ae8bb40011a60bf4
2022-07-15 23:43:07 +00:00
Tom Weininger 829e44acbd Make amphora timezone configurable
The new amp_timezone option allows adjusting the timezone of the
amphora using cloud-init.

Change-Id: I2f49cbb7f8d99ba2da878bbfc7081a3cc3b3aa07
2022-05-06 12:13:41 +02:00
Michael Johnson f97c826fed Add a Grafana dashboard for Octavia load balancers
This patch adds a Grafana dashboard for Octavia load balancers that can
be imported into Grafana.

Change-Id: I6d4de38dd44adecc677c637a25233494065ba3fb
2022-02-28 17:27:20 +00:00
Michael Johnson 0d9674bd87 Add the PROMETHEUS protocol to listeners
This patch adds a new protocol for listeners called "PROMETHEUS" that exposes
a Prometheus endpoint. This allows detailed metrics collection from Octavia
load balancers.

Change-Id: I3e27e4e57ad955bcd7728426c91f05171a46ef7f
2022-02-22 01:57:53 +00:00
Gregory Thiemonge 80acf3bea8 Fix typo in config option name
[haproxy_amphora]/active_connection_rety_interval
is renamed to active_connection_retry_interval.

A config option with the typo still exists as a deprecated alias, so it
doesn't break compatibility with old config files.

Change-Id: Iafc479f1628fd3959c3f0ef83edb7a739823fb91
2022-01-05 08:00:24 +01:00
Gregory Thiemonge 5dd7ad9ad8 Add generic network interface management in the amphora
Handle network configuration using Octavia tools.

amphora-interface configures network interfaces inside the amphora
using pyroute2 and a set of json files for persistent configuration in
the /etc/octavia/interfaces/ directory.

Story: 2005235
Task: 30019

Depends-On: https://review.opendev.org/806558

Change-Id: I5360c8246cd39f90eb7104a883f87c0042d146c4
2021-08-31 17:21:37 +02:00
Zuul c16a0b78b5 Merge "Fix comment for the ca_certificates_file opt" 2021-05-05 12:40:11 +00:00
Gregory Thiemonge 815a283823 Spare pool removal
The spare pool feature was deprecated in Victoria; we decided to remove it
during the Xena release cycle.

Change-Id: I830c6a4c49fa47105f788cf99a0f775e5dbdcaea
2021-04-28 09:10:09 +02:00
Thomas Goirand ee0da827b1 Fix comment for the ca_certificates_file opt
The directive [certificates]/ca_certificates_file currently has a
confusing comment. This tries to fix it and make it easier for
Octavia operators to configure the directive.

Change-Id: I99ce408ec886820c056b69696b26be9521740f1c
2021-04-02 16:40:08 +00:00
Michael Johnson 6c54eab5b5 Make /healthcheck cache results
The healthcheck endpoint should cache results to reduce the potential load on the backend systems being tested.
This patch adds the caching and a configuration setting for the interval
between cache refreshes.

Change-Id: Ic97a991437144f3a220d9b96839cec5b63565f8c
Story: 2008203
Task: 40987
2021-03-15 21:43:43 +00:00
Zuul 41ff3ee3f1 Merge "Add support for scoped tokens and default roles" 2021-03-10 02:55:08 +00:00
Michael Johnson a5f142c566 Add support for scoped tokens and default roles
This patch is the base patch to enable support for Keystone
scoped tokens[1] and default roles[2] in the Octavia API.

It strives to maintain backward compatibility and support for
Octavia Advanced RBAC roles.

[1] https://docs.openstack.org/keystone/latest/admin/tokens-overview.html#authorization-scopes
[2] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html

Change-Id: I4443d4531dc97d14f8277024baa11ab43e87fb39
2021-03-08 19:33:35 +00:00
Carlos Goncalves dd3edb635b Add HTTP/2 to default lists of ALPN protocols
The two tested Linux distributions for the Wallaby release (Ubuntu 20.04 and
CentOS 8) [1] provide a recent enough HAProxy version (>=2.0) that allows
us to add HTTP/2 to the default ALPN protocols list for listeners and
pools.

[1] https://governance.openstack.org/tc/reference/runtimes/wallaby.html

Change-Id: I998bea5e7bcdc28962f2f393e204791a0b519910
2021-03-05 13:23:43 +01:00
Gregory Thiemonge 2888f44e7b Add SCTP support in Amphora
Add SCTP support in the Amphora (with keepalived).
Add amphora-health-checker script for customized SCTP health checks
(INIT/INIT-ACK/ABORT).

Change-Id: I30997ae6cc6b8ec724f0e9dcfdfe49356b320ff4
Story: 2007884
Task: 40932
2021-01-29 13:58:39 +01:00
Carlos Goncalves d2d5fc80f8 Add ALPN support for TLS-enabled pools
ALPN is a TLS extension for application-layer protocol negotiation
within the TLS handshake [1].

This patch extends the Pool API to include a new 'alpn_protocols'
parameter. With this parameter, users can set an ALPN preference list
(descending order of preference) to be advertised by load balancer to
members.

This patch also adds HTTP/2 over TLS support to TLS-enabled pools in the
Amphora provider driver, although by default the pool ALPN protocol list
configuration setting has HTTP/2 disabled, similarly to the default
listener ALPN protocol list value added in the Victoria release.

[1] https://tools.ietf.org/html/rfc7301

Change-Id: I91924486bab22601c15c538c8a5282ad8bc54700
2021-01-28 14:42:48 +01:00
Ann Taraday befa073495 Bump taskflow version
Taskflow 4.4.0 contains an essential fix for jobboard behaviour on
Storage failure [1].

Also add the jobboard_redis_sentinel parameter to allow the use of Sentinel
for the Redis jobboard. Support for this also appears in version 4.4.0.

[1] - https://docs.openstack.org/releasenotes/taskflow/unreleased.html#bug-fixes

Change-Id: I48245b3322b0f2e5f2c11594a15632501a7e4086
2020-09-10 14:12:39 +00:00
Zuul 9a732565e9 Merge "Refactoring amphora stats driver interface" 2020-09-09 02:10:53 +00:00
Zuul 49912974b7 Merge "Deprecate the Spares Pool feature for removal in X" 2020-09-09 00:44:19 +00:00
asingh12 5092597f6b Refactoring amphora stats driver interface
Previously the stats driver was responsible for parsing the health
message, which should have been done prior to passing the stats to the
driver interface.

Removed the driver interface for the health updater because it is core
Octavia functionality.

The stats driver is now a singleton and can load multiple drivers.

Both the amphora health manager AND provider statistics should use the
new driver interface.

Co-Authored-By: Stephanie Djajadi <stephanie.djajadi@gmail.com>
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Change-Id: I3a013aebd1eb89cd4f983fbf4f8ae8d6639548cd
2020-09-08 15:32:04 -07:00
Adam Harwell 29a2ec7187 Deprecate the Spares Pool feature for removal in X
Use of the spares pool was originally recommended to increase provisioning
speed, but since Nova's server groups do not support adding existing VMs,
Octavia cannot support use of the spares pool with the Active-Standby
topology. Since this is our recommended topology for production deployments,
and speed is less essential in development/testing environments (the
only place we could recommend the use of Single topology), the overhead of
maintaining spares pool support exceeds its theoretical usefulness.

Change-Id: I7375e9758c7ae80e2370189117e8e63c79446490
2020-09-08 14:29:58 -07:00
Carlos Goncalves a422e5a203 Introduce an image driver interface
With this image driver interface, we align our codebase with other
existing driver interfaces like compute, network and volume.

This interface also allows the amphora provider driver to check for
existence of tagged images at API level (e.g. amphora image tag
capability in Octavia flavors).

Change-Id: Id808c082808fafe1a1e004957ff47eca57f97ee8
2020-09-03 20:06:35 +00:00
Carlos Goncalves f3b5e6e147 Switch to live from noop drivers
The switch to live drivers eases greenfield deployments by not requiring
deployers to explicitly set live drivers. The switch also helps
deployers distinguish production-ready from experimental drivers.
Experimental features like volume and distributor remain defaulted to
their noop drivers.

This patch also fixes some tests that were not mocked properly.

Change-Id: I1e4e3c4f0e4142fa0d0d1ac895b10e2349d79c20
2020-08-28 20:51:45 +00:00
Carlos Goncalves a5f0524fd0 Add ALPN support for TLS-terminated HTTPS LBs
ALPN is a TLS extension for application-layer protocol negotiation
within the TLS handshake [1].

This patch extends the Listener API to include a new 'alpn_protocols'
parameter. With this parameter, users can set an ALPN preference list
(descending order of preference).

Presently, the amphora provider driver is limited to http/1.0 and
http/1.1 ALPN protocol IDs. Support for "h2" (HTTP/2 over TLS) depends
on HAProxy 2.0 or newer.

[1] https://tools.ietf.org/html/rfc7301

Change-Id: If08a8169498cdfaa75440e8971ba0caff45ac4c4
2020-08-27 13:19:52 +02:00
Zuul 2d97ebcd24 Merge "Allow amphorav2 to run without jobboard" 2020-08-25 22:47:04 +00:00
Zuul 13faf288e4 Merge "Fix memory consumption issues with default connection_limit" 2020-08-24 07:50:16 +00:00
Carlos Goncalves bb9b30be7e Allow amphorav2 to run without jobboard
This patch adds a new configuration setting to enable/disable jobboard
functionality in the amphorav2 provider. When disabled, the amphorav2
provider behaves similarly to the amphora v1 provider.

The default setting is jobboard disabled while jobboard remains an
experimental feature.

Change-Id: I063d832f5a049d7ae38378766200c7f82a35996d
2020-08-17 13:57:33 +00:00
Zuul c78a1b2c29 Merge "Add quota support to octavia's l7policy and l7rule" 2020-07-27 21:01:51 +00:00
Gregory Thiemonge f4305e036c Fix memory consumption issues with default connection_limit
With 1.8.x releases, haproxy consumes a lot of memory when
using 1,000,000 as default connection_limit.

This commit introduces a new configuration option for the Amphora
provider: [haproxy_amphora].default_connection_limit (defaulted to
50,000). This value is used when creating a listener with -1 (which is
the default) as connection_limit, or when unsetting connection_limit in
a listener.
Updating an existing listener by setting connection_limit to -1 also
sets it to default_connection_limit.

The global connection_limit for a load balancer is the sum of the
connection_limit of the listeners, but it cannot be over
HAPROXY_MAX_MAXCONN (which is still 1,000,000).

Story: 2007794
Task: 40046

Change-Id: Ibc525d9a046a5ab7f090a942459d80a2df66ae2e
2020-07-23 09:58:23 +02:00
Brian Haley 7890f0d999 Remove blacklist terminology in the Octavia tree
The configuration option tls_cipher_blacklist has been
deprecated and replaced by tls_cipher_prohibit_list.

Change-Id: I6152838c697e12d19b27343e3a0714e55ca52d88
2020-07-08 15:19:52 -04:00
Zuul b8a351092f Merge "Remove amp_image_id option" 2020-06-30 17:54:32 +00:00
Brian Haley f6a66d86d4 Remove deprecated status_update_threads option
It was marked for removal in the Stein cycle.

Change-Id: Ib82014f92eecbcfd96a4219f2de307e5631486cb
2020-06-29 21:51:01 -04:00
Zuul 179f00e839 Merge "Add minimum TLS version option in octavia.conf" 2020-06-29 22:47:36 +00:00
Carlos Goncalves 33d28b07c2 Remove amp_image_id option
This option entered deprecation in Mitaka and is long overdue for removal.

Change-Id: Ide048da1c87a4e9bc6574b39e2cf6b96b4dfaf95
2020-06-23 19:54:20 +02:00
Zuul d8aceef0d5 Merge "Update the API audit map" 2020-06-21 16:23:51 +00:00
Zuul 3e765636c5 Merge "Fix API audit CADF audit map for failover action" 2020-06-21 16:22:44 +00:00
Michael Johnson 955bb88406 Refactor the failover flows
This patch refactors the failover flows to improve the performance
and reliability of failovers in Octavia.

Specific improvements are:
* More tasks and flows will retry when other OpenStack services are
  failing.
* Failover can now succeed even when all of the amphora are missing
  for a given load balancer.
* It will check and repair the load balancer VIP should the VIP
  port(s) become corrupted in neutron.
* It will cleanup extra resources that may be associated with a
  load balancer in the event of a cloud service failure.

This patch also removes some dead code.

Change-Id: I04cb2f1f10ec566298834f81df0cf8b100ca916c
Story: 2003084
Task: 23166
Story: 2004440
Task: 28108
2020-06-18 16:25:21 -07:00
Michael Johnson e77355714b Update the API audit map
Recent additions to the Octavia API did not update the Octavia API
CADF audit map. This patch corrects that by adding the new API
paths.

Change-Id: I22107317837e68e54a29f8a4051c464120b29809
2020-06-18 21:43:34 +00:00
Michael Johnson 18887f5f60 Fix API audit CADF audit map for failover action
There was a bug in the CADF audit map file for the "failover" action.

This patch corrects the audit map file to handle "failover" correctly
and stop keystonemiddleware from raising an exception.

Change-Id: If3954ba34740e26937dba10bdd8061acde758c88
Story: 2007831
Task: 40116
2020-06-18 10:03:59 -07:00
Zuul 0a697a352c Merge "Switch oslo.policy over to yaml" 2020-06-11 22:11:11 +00:00
Michael Johnson fafabad042 Switch oslo.policy over to yaml
Oslo.policy is moving away from using json format policy files[1].

This patch updates the Octavia documentation, policy configuration file, and
legacy admin-or-owner policy file to be in yaml format.

Octavia will continue to honor and support the json format file as long
as oslo.policy does, but this patch will encourage new deployments
to use the yaml format.

[1] https://docs.openstack.org/oslo.policy/latest/admin/policy-json-file.html

Change-Id: I925cc05981e677c0552b18f845fdbc512d2af22c
2020-06-08 08:54:07 -07:00
Yang JianFeng 5d91913136 Add quota support to octavia's l7policy and l7rule
Currently octavia has no l7policy and l7rule quota definitions, but
they are necessary for some scenarios, for example implementing a
product design compatible with Neutron LBaaS.

Story: 2003382
Task: 24457
Change-Id: I09ee23dcb83f5f08a56e25cc05ff77caa3ad4230
2020-06-08 02:28:51 +00:00
Dawson Coleman 270b973bf9 Add minimum TLS version option in octavia.conf
Add new configuration option "minimum_tls_versions" to octavia.conf.
Listeners, pools, or the default values for either will be blocked from
using lower versions.

Change-Id: Ifa0d695c2227772d6b37987a7857fe58ca660dc8
Story: 2006733
Task: 37171
Depends-On: I480b7fb9756d98ba9dbcdfd1d4b193ce6868e291
2020-06-04 13:11:01 -07:00
Dawson Coleman 9a6da86481 Add TLS version configuration for pools
Add field tls_versions to pools for restricting TLS versions used.
This is a colon-separated string of versions to be used.
Available values (as defined in octavia-lib):
SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

Add default_pool_tls_versions in octavia.conf

Note: TLSv1.3 connections will use haproxy's default ciphers
instead of the listener's tls_ciphers field

Change-Id: I480b7fb9756d98ba9dbcdfd1d4b193ce6868e291
Story: 2006733
Task: 37173
Depends-On: Ic33d9b9a256490ae1b048cdfd2475d6340509fdb
2020-06-03 21:58:47 +00:00