1222 Commits

Author SHA1 Message Date
Zuul a30074d4e5 Merge "Raise retryable exception when the returned search data size is too large" 2024-03-07 17:54:41 +00:00
Shawn Wang 82f6f63fee
Add support of pinning NSX leaf cert
In order to support cert pinning in WCP, this change adds exact cert
match for checking NSX manager authenticity. Setting "nsx_cert_der"
enables this mode, where the priority is below ca cert and above
thumbprints.

Currently in nsxlib, the call chain to manage HTTPS connection is:
1. NSXHTTPAdapter (subclass of urllib3 HTTPAdapter)
2. urllib3 PoolManager
3. urllib3 HTTPSConnectionPool
4. urllib3 HTTPSConnection
In order to inject custom TLS cert validation, we have to override the
connect() function in HTTPSConnection level. Introducing a child class
of HTTPSConnectionPool is also needed to pass the new param. Pool
manager only needs overriding two attrs to allow passing the new param
and properly binding to the new child class of connection pool.

When leaf cert verification is not used, the native urllib3 behavior
will be kept to reduce regression risk.

Change-Id: Icecf30b6df3b60fbeac20cf79586827f3370ce13
2024-02-05 15:15:15 -08:00
Shawn Wang 5d408a01f8
Add option to skip SSL hostname verification
This change adds a new config param ssl_assert_hostname. Its value will
be ultimately passed to the underlying urllib3 param "assert_hostname".

Technically, the value could be bool or string. This patch focuses on setting
it to False to disable hostname check while keeping other cert
verifications.

Change-Id: I8b1ef5fe915d8317f65ce5e1927eb71141027e16
2024-01-02 14:39:30 -08:00
Shizhao Liu d979f5d796 Raise retryable exception when the returned search data size is too large
Change-Id: Ia980f2f385cf798abed94d8504ba9f013417651b
2023-12-06 21:59:20 +00:00
Qian Sun d11fe387c7 Support parameter "skip_host_detach" in LogicalPort API
This patch will add the support for parameter skip_host_detach in
LogicalPort deletion request as the preparation of a corner fix
which will delete the discovered port without host detach.

The other preparation in this patch is to add the new Exception
class VifRestoreAlreadyCompleted.

Change-Id: I012dbc7db5c0af31d670e71e1d04fa6216f269b3
2023-11-21 06:33:20 +00:00
lxiaopei d73f0aeb76 Add allow_partial_updates param for PrefixList API
Need to set allow_partial_updates param for PrefixList
update API to allow update prefix to [].

Change-Id: I5567fd8e4d25f69d09ec5362499bb1631c4d83ae
2023-08-30 14:00:16 +08:00
Shawn Wang 9341330fdb
Add enforcement_point_path param for LBServiceUsage
This change adds LBS usage, statistics and status API with param
'enforcement_point_path' to support querying in a multi enforcement
point setup.

Change-Id: I08cbc05bbad6e70dbd3a1c96fba72931a94f0b7f
Signed-off-by: Shawn Wang <wshaoquan@vmware.com>
2023-08-21 12:33:05 -07:00
Shawn Wang 77688b9934
Enable H-API delete for Policy Tier1 Api
This change adds hierarchical call support for deleting Policy Tier1.
H-API is already enabled for Tier1 creation. The change has no impact
for callers not using H-API for delete.

Change-Id: Ib36a0faa125b2c12c206b7c6c9ebc3bd0e04330e
2023-04-17 17:33:08 -07:00
Salvatore Orlando ce621cfc80 Tier-1: Retry when removing edge cluster
Retry operation if a StaleRevision error is returned
from the backend.

Change-Id: I637b9d1e6a23767d9297cec115cceaa573257329
2023-04-17 00:45:08 -07:00
lxiaopei 3a627ed498 Update version check to use POST API when restore vif
According to NSX side fix merged in NSX versions 3.2.3
(and later impactor releases if any) and 4.1.*, update
the version check.

Change-Id: I8e5b29da1d10b076bef159d45ba436d135718ca8
2023-03-28 13:52:15 +08:00
Salvatore Orlando acb8f2d53f Revert "Revert "Add sync_realization while creating ip-pool/ip-subnet for nsx-keeper""
This reverts commit d2836e3452.

Reason for revert: backend support is now available

Change-Id: I835c4a99f38760e5cb834852adb4fb56b3bd234e
2023-03-11 02:00:08 -08:00
lxiaopei d049dbc406 Add ip_release_delay when creating IpPool
When creating IpPool, ip_release_delay can be set
to indicate the delay for releasing allocated IP address from IP pool.
Default is 2mins.

Change-Id: I56e9edd09df34f7909a7ce47339ae903f518fbda
2023-02-27 13:52:54 +08:00
Zuul 0d922467e8 Merge "Revert "Add sync_realization while creating ip-pool/ip-subnet for nsx-keeper"" 2023-02-20 07:46:54 +00:00
Tao Zou d2836e3452 Revert "Add sync_realization while creating ip-pool/ip-subnet for nsx-keeper"
This reverts commit b0c97de660.

Reason for revert: it depends on nsxt support, but nsxt didn't merge the code

Change-Id: Id053d28cc9b315462849fd8df2d99b2ca7f6059c
2023-02-20 07:10:57 +00:00
lxiaopei 417f4085a5 Add version check to use POST API when restore vif
Since the new POST API to restore vif only exists
on NSX version >=4.1.0, add version check before
invoking the new POST API. Otherwise, still use
the old patch API.

Change-Id: Ic0047cba6ccaf275830b3c24a73f59ca28883de6
2023-02-15 17:19:02 +08:00
Zuul 7d64ecb265 Merge "Add sync_realization while creating ip-pool/ip-subnet for nsx-keeper" 2023-02-14 06:51:40 +00:00
Tao Zou b0c97de660 Add sync_realization while creating ip-pool/ip-subnet for nsx-keeper
Change-Id: I3b797c7130a7deb858a21c2d63580e91211a665f
2023-02-14 14:17:10 +08:00
Shawn Wang cbbb782084
Fix issues with tox 4.2.4
tox 4.2.4 starts to fail if basepython mismatches with python env[1].
This change works around the issue by setting [tox]
ignore_base_python_conflict.

Also changing envlist from py37 to py38 given the Zuul env using py3.8
now.

[1] https://github.com/tox-dev/tox/pull/2824/

Change-Id: I380c1073a4b1f5b8d8a066345c7512061bd007fb
2023-02-13 21:30:34 -08:00
Zuul 44ac0a020a Merge "Use POST API when restore vif" 2023-01-04 04:37:14 +00:00
lxiaopei 67a72e6baf Use POST API when restore vif
When restoring vif, we need to use POST API with init_state:RESTORE_VIF
for NSX to persist all properties including tags and address_bindings.

Change-Id: I0d49a3860349a4d021cc9c881fb60543936feefc
2023-01-04 09:36:23 +08:00
Salvatore Orlando 2ae52acfab Drop lower-constraints job
The job is not supported anymore, and failing
with errors related to SSL symbols.

Change-Id: Ia879c9b18d5a5e8d5d784323c1fc33be022a8181
2023-01-03 01:56:16 -08:00
Gautam Verma 349c4c3999 Allow using force option to create and release IPBlockSubnets
Change-Id: I95cd3b5ada9fc4a612bec83ca759258ed1029f81
2022-12-23 21:37:20 +00:00
Salvatore Orlando 4f35234766 [tox] Make pass_env compatible with tox4
Change-Id: I2c4e321afe8b5b6bf2e6a03181cd182be06c4f44
(cherry picked from commit be23e754a7)
2022-12-23 20:53:51 +00:00
tathgurt 7b16449dab Support large IPv6 subnet via NSX IPAM
New field introduced in IPblockSubnet in order to cap the
maximum IP subnets across different clusters.

Jira: #NCP-439
Change-Id: I2e01f7e787c5be5d20256b96b19e9ce8b68edbe6
2022-11-08 16:32:04 -08:00
Gautam Verma c9fea99b4f Get all certificates from NSX
client.get method retrieves only the first page of results from NSX. In large
scale environments, we wouldn't return all the Certificates. The patch fixes
this behavior to return all the certificates on NSX

Issue: #3048262
Change-Id: Ic43c28eb93bf706209980f66c97d217bd4c4d611
2022-10-13 16:53:20 +05:30
Zuul ed1fe81f56 Merge "Update vs/lbpool delete api to support hierarchical API" 2022-10-11 00:55:37 +00:00
Salvatore Orlando d7a7a15b3e lower-constraints: bump pyopenssl to 21.0.0
This will prevent failure in initialization due to changes
in cryptography 38.0.0

Change-Id: Iceefc865f96fa784e1bde593b34249272a664e93
2022-10-10 02:15:35 -07:00
Tao Zou ddb2cfc990 Update vs/lbpool delete api to support hierarchical API
Update VirtualServer/LoadBalancerPool delete api to support hierarchical API
so VirtualServer/LoadBalancerPool will be deleted in one thread to reduce
nsxt waiting time and improve performance

Change-Id: If936aa1ce56c57a8b8a64f93f9b74ca180cec645
2022-10-10 08:20:09 +00:00
Salvatore Orlando 7624236634 Restore FEATURE_ROUTER_FIREWALL, remove nat_pass usage
This patch restores FEATURE_ROUTER_FIREWALL, since the corresponding
feature is still available in NSX 4.0.1 onwards, but drops usage of
the deprecated nat_pass parameter in favour of firewall_match.

All existing supported NSX releases can leverage the firewall_match
parameter for NAT rules.

Change-Id: I1dd5d2582ee291ce08af541c1a9a30ea86b33503
2022-08-23 00:19:33 -07:00
Zuul 26acee40ad Merge "[MP] Support firewall_match for NAT rules" 2022-08-22 14:36:05 +00:00
tathgurt 8481b2ab51 Extending Overwrite Header for different PI in T1 Static routes
Extending support for adding overwrite header in T1 Static Route

Issue: #3016445
Change-Id: I8b4dc401b659d7feaa090c4d3fd9bb359b671b7f
2022-08-10 11:15:36 -07:00
Tao Zou 9523d737ba Remove FEATURE_ROUTER_FIREWALL support since 4.0.1
nat_pass property was introduced by feature ROUTER_FIREWALL, it has
been deprecated since 4.0.1. Remove the property if nsxt version
is greater than 4.0.1

Change-Id: Icba4ff4139fc8ac3502e2c633637582e075faa38
2022-07-26 16:03:26 +08:00
lxiaopei 69662ffa4e Add NsxInvalidPath exception for error code 500012
We need to handle the 500012 error.

Change-Id: Ifba59b005f507b1ccf01896bfe467e3e3662be65
2022-07-05 10:24:13 +00:00
Zuul bf42710d11 Merge "Add resource_type for NsxPolicyLoadBalancerSourceIpPersistenceProfileApi update" 2022-06-30 01:56:39 +00:00
Tao Zou cf08f14bed Support two json decoder exception
If simplejson is installed, requests will use simplejson to handle the
deserialization of the JSON. If it is not installed, requests will use
the json package.

Change-Id: I64a54d105d6d533c2d75174bbf265b1d372b9b88
2022-06-29 14:32:32 +08:00
Tao Zou ffaa2fbb6c Add resource_type for NsxPolicyLoadBalancerSourceIpPersistenceProfileApi update
Change-Id: I538ac689c262f74667ef896b1c77a9f658c34687
2022-06-24 15:18:57 +08:00
Zuul 3548bcfd87 Merge "Add definition for 3.2.1 and 4.0.0" 2022-06-22 02:58:04 +00:00
Sean 59e694fe81 Add definition for 3.2.1 and 4.0.0
Change-Id: I0ef93fe601bd30c7a30bf7e7510d67f7210c61b5
2022-06-20 08:48:10 +00:00
Salvatore Orlando c39850ebf4 [MP] Support firewall_match for NAT rules
The nat_pass is deprecated and has been replaced by firewall_match.
This patch adds support for firewall_match and stops using nat_pass
when firewall_match is specified.

Change-Id: Ibd2303cf4e182c7aea6bab57c27f36ee4c138a47
2022-06-09 23:15:22 -07:00
Tao Zou d915f2fecb Handle response is not a json format
Change-Id: I62a6c6d248301576176be5631a4ef4900460082d
2022-06-02 06:50:43 +00:00
Zuul d660b484f3 Merge "Revert "Support multiple ca certificates"" 2022-05-30 20:45:25 +00:00
Salvatore Orlando eb89f3f56d Drop py36 and py37 from zuul gate test
These are not supported anymore from tempest.

Change-Id: I4b622289291f175471d050e856b22fe3117ebadc
2022-05-30 10:08:03 -07:00
Tao Zou 5855a867e1 Revert "Support multiple ca certificates"
This reverts commit d761feadd7.

Reason for revert: move solution to upper layer

Change-Id: I536c33e2608fbb8ce107a5236db27bc43b9974fe
2022-05-23 08:08:02 +00:00
Tao Zou d761feadd7 Support multiple ca certificates
Split the ca file into two files if there are two ca certificates

Change-Id: I2bdef4ab4a2c6f24a28a4f41d7f58657c3e31bee
2022-05-06 13:20:36 +08:00
tathgurt 778dd72e86 Operator field invalid if Scope_operator field is present
operator field in Conditions for group expressions is invalid if
scope_operator field is set to NOTEQUALS, removing it for the same

Change-Id: I42a4c2586f30952fd4a6cce5235e6c2404c0c6e4
2022-03-18 11:21:40 -07:00
Zuul bd5cec082e Merge "Fix the logical port created twice" 2022-03-11 06:11:53 +00:00
Xiaotong Luo 8a5b39e90b Handle bad XSRF token in exception handler
PR 2907548 shows the need of implementing also a regeneration trigger
in the exception handler to help with recovering from
invalid XSRF Token issue.

Change-Id: I51897596259bf6abcee26b148c5b70c5eb02d459
2022-03-08 11:11:25 -08:00
Tao Zou ac224a85a8 Fix the logical port created twice
Logical port creation is a POST request. Sometimes it will trigger
ConnectionResetError which is an IOError. request_with_retry_on_ssl_error
will retry it.
If request has parameter retry_confirm, exception will be raised so ncp
could query if port has been created to avoid creating port twice.

Change-Id: Ic97b39c7a3736f02a79ab891970c1ad67b123156
2022-03-08 18:11:08 +08:00
Shawn Wang cfe4ed8e27
Add force update of Policy T1 Adv Rules
In certain cases, caller would need to add route advertisement rules on
Policy Tier1 owned by other accounts. This change adds the support by
propagating the "force" param to include X-Allow-Overwrite header in the
final API call. The same operation is already allowed in MP counterpart.

Change-Id: Ic09fb16dd2403f33323c179d68fd2f1f3ce4bb42
2022-02-08 15:42:54 -08:00
Salvatore Orlando f6ce73049e Remove debug log statements
Remove several statements which were added to verify client behaviour
with H-API calls.

Change-Id: Ie535eaf68ec5c55582264df1db8f9bf5122e6455
2022-01-24 06:30:46 -08:00