263 Commits

Author SHA1 Message Date
Zuul
c368fa37ee Merge "Fix VPN api as the NSX api changed" 2018-01-16 14:14:17 +00:00
Adit Sarfaty
eaa14e1e25 Fix VPN api as the NSX api changed
Catching up with different VPN api changes done in the NSX

Change-Id: I32d6593860844bd23bb251c3fe30957c6efb9c2a
2018-01-16 10:43:40 +02:00
Adit Sarfaty
faeb5b8605 Support get & update for rate limit
Rate limit is returned as a part of node/services/http response
In order to update one should:
1. GET the current configuration
2. PUT the updated configuration (the http response will be 202)
3. POST a restart action request (the http response will be 202)

Change-Id: I35a05f9810832e9a22ec9db43f167f13df0744a4
2018-01-15 08:11:25 +00:00
Shih-Hao Li
9bf329a0e3 NSXv3: Enhance NSGroup create and update functions
- Allow passing direct members when creating a new NSGroup
- Allow removing membership_criteria when updating a NSGroup

Change-Id: Ib0e5f5193f2d9ed455e0918fdf67da7a0acfdb62
2018-01-12 17:16:48 -08:00
Adit Sarfaty
0834c3226e Refactor security modules and retry
A small refactor to the nsxlib:
1. change the security object code to be more similar to the other resources
2. Use retry code in base resources class only and not in resources
implementations
3. generalize the resource update code, to avoid duplications in different
classes
4. Adding some tests to verify the fix does not damage anything

Change-Id: Iac2cc1d55d3525ad21cb6399da691e212d6d4722
2018-01-07 08:38:42 +02:00
Gary Kotton
9a1e189386 Raise StaleResource when a 409 is returned by NSX
In order for us to be able to retry on this exception we
raise a StaleResource.

Change-Id: Ide796c56b0479c894c4c644310602c64447b68a4
2018-01-03 04:56:09 -08:00
Zuul
0976764f40 Merge "NSX rate limit support" 2018-01-03 07:12:24 +00:00
Adit Sarfaty
b17cd2b6ab NSX rate limit support
In case of too many requests in a short period of time, the NSX will
return response 429.
In this case (if configured) the nsxlib client will retry sending the request.

This option is controlled by a new parameter in the nsxlib config
rate_limit_retry which is enabled by default.

Change-Id: I20fca36d553e1e74da61292342a87247b53b5d13
2018-01-03 07:56:52 +02:00
Zuul
05da9854c8 Merge "Ensure delete retry for ip set resources" 2018-01-01 11:03:32 +00:00
Adit Sarfaty
64168bfe59 Add router advertisement rules support
Change-Id: I53bf97a304c07cd9b1b8c82192225810d3ef1966
2017-12-25 06:45:44 +00:00
Adit Sarfaty
bc57bc7037 initial vpn ipsec resources
Supporting new vpn ipsec objects, which were added at NSX 2.2
- IkeProfile
- IPSecTunnelProfile
- IPSecDpdProfile
- IPSecPeerEndpoint
- IPSecLocalEndpoint
- VPN service
- VPN Session with rules (policy based only)

Change-Id: I48139f9f0cc7e1b998efcf6fc7f50ac8e596bc6c
2017-12-20 09:20:53 +00:00
Shih-Hao Li
103700b64c Allow creating firewall section with empty rule
Currently if users pass rules=[] when calling
create_with_rules method, it will get errors from MP.
The reason is that this method does not append
create_with_rules action in the url if rules is None or empty,
but it still includes 'rules=[]' attribute in the request body.

Thus MP throws an error because it doesn't expect 'rules'
attribute in the request.

Change-Id: I86122f1f2b5382224084d786f9700330e2c83d50
2017-12-11 10:41:15 -08:00
Gary Kotton
a5a56bc473 Ensure delete retry for ip set resources
Do a retry if a stale resource is received from the NSX

Change-Id: I41b533663b082f9f9ce916d304bc231ecbe35f10
2017-12-07 11:20:01 +02:00
Gary Kotton
9e970254fe Ensure update retry for load balancing resources
Do a retry if a stale resource is received from the NSX

Change-Id: I3e6b17acd943feffcd66a854cbda33d8dbc6dbaf
2017-12-04 01:35:12 -08:00
Gary Kotton
9a937475d4 Add in a retry decorator to loadbalancer updates
If we get a stale resource from the NSX then we need to make
sure that we have a retry

Change-Id: Iada00101db8ed317ddb4da1e53b3863da25bb220
2017-11-13 05:03:53 +02:00
Zuul
e94c16d48e Merge "Logical switch trunk vlan support" 2017-11-29 13:02:01 +00:00
Adit Sarfaty
8737c1b296 Mock the update tags limits code in unittests
py35 unit tests are failing because of this

Change-Id: I534ac78d5f22370bd003ae70a60c295d7fdf5dd1
2017-11-28 15:33:15 +02:00
Adit Sarfaty
be6f7e2bc0 Logical switch trunk vlan support
Adding support for trunk vlan for logical switches in NSX 2.2 and up
This flag can be used for guest vlan, and is mutually exclusive from
the vlan id.

Change-Id: I0d08a84df796c226678a27c29cdd1e637f356e72
2017-11-28 08:39:29 +00:00
Zuul
9ddcaa1a79 Merge "Support NSX tag limitations" 2017-11-27 20:53:38 +00:00
Gary Kotton
ee376de40c Support NSX tag limitations
The NSX has various tag limitations. For example the maximum
length of the tags and the maximum amount of tags per resource.
This may increase with NSX versions.

This patch enables the library to learn from the NSX the tag limits.

Change-Id: Ie2eac9c51a36496908140018d7ca1d15ed0e9d58
2017-11-26 04:32:29 -08:00
Tong Liu
b6f23d4317 NSXv3: Return body if resource_type is None
During application profile update, user doesn't need to provide
resource_type and the resource_type is None in this case. If it
is None, we just need to return the body directly.

Change-Id: I296ff540f36a4072e9c774d201a6728878bc2b44
2017-11-25 23:04:09 -08:00
Tong Liu
e55e9f1eb7 Add find cert by pem data method
Add a method in trust management model to find certificate by pem
data. Also added a unit test for this method.

Change-Id: I2550b41dbbd71ac7f35a7c9ce85bd8e4e166b49e
2017-11-20 13:31:57 -08:00
Gary Kotton
cdcb5963da Remove neutron-lib from the dependencies
The patch removes the neutron-lib from the dependencies. We do not
want/need the consumers of this library to pull in all of the
neutron-lib dependencies.

The patch adds the following:
1. callback to bind is_attr_set - set_is_attr_callback
2. A new exception NsxLibInvalidInput - this is raised when inputs
   are invalid.

Change-Id: Ia8ec71dee2d5de921700a9b4fd7e789d2aed4679
2017-11-15 00:42:05 -08:00
Abhishek Raut
82ce3daf8c Allow add_rule(s) method to accept 'operation' as an arg
NSX allows DFW rules to be added to a DFW section with query
param 'operation', which can be used to create the said rule
at top or bottom within the DFW section. This patch
adds 'operation' as an argument for the methods 'add_rule'
and 'add_rules'.

Change-Id: I82dd206967543b3382dd20d7bffb140fce9cb59d
2017-11-09 18:13:25 -08:00
Zuul
6f04d52536 Merge "Re-apply skipped cluster test" 2017-11-09 10:01:17 +00:00
Adit Sarfaty
58ac9a009b Re-apply skipped cluster test
Change-Id: I9686ccbcc3acf1e5a7ddafa028a3ebc35d7b2c98
2017-11-07 17:37:59 +02:00
Gary Kotton
49ab5d77de Add in feature for 'on behalf of'
Version 2.2 has a logging feature where the NSX can log via the
X-NSX-EUSER header details of who the request was made for.

This feature will enable the plugin to determine whether or
not to send this header.

Change-Id: Ib87d5df2fbf5e15856511a50013ea47dbd4ca728
2017-11-07 04:08:40 -08:00
Adit Sarfaty
9c0d96c285 Add IPSEC VPN feature flag and update version number
Change-Id: If3130bdfd4f558aaf9558c70b46f54361017c5f2
2017-11-07 11:58:45 +02:00
Zuul
d6bf9cd1b6 Merge "Fix typos in comments" 2017-11-06 12:38:55 +00:00
Boden R
2b76bbcf01 use new payload objects for *_INIT callbacks
Part of the work we did while rehoming the callback modules introduced
the notion of payload objects [1] to replace the unstructured kwargs
used today. When using payloads event sources need to use publish()
rather than notify() to trigger the callback(s) and pass along a payload
object (if needed).

This patch begins to move us onto the payload objects by updating
BEFORE_INIT and AFTER_INIT event types to use the payloads.

Depends-On: I9194c7857f10392149159071cda8e080e93adc10

[1] https://github.com/openstack/neutron-lib/blob/master/doc/source/devref/callbacks.rst#event-payloads

Change-Id: Ie8311f28ebac6c1990a261cc6cfa130fac0cfc5f
2017-11-06 06:05:34 +00:00
Adit Sarfaty
609bc5e2ae Fix typos in comments
TrivialFix

Change-Id: I418a241ba1b1acd64b2bb17a50afeae4cf0f378a
2017-11-05 14:25:47 +02:00
Gary Kotton
216d8a3be9 Provide a callback to inject headers to the NSX
Enable application to bind to a callback that will inject
headers to the requests sent to the NSX. This can for example
be: 'X-NSX-EUSER' which will provide the NSX context of the user
on behalf of whom the operation is done.

A new method set_inject_headers_callback is added. This method
receives a callback that should return a dictionary of headers to
be added.

Change-Id: I90fa7ea8c7828bf97aec66321e4169588108760e
2017-10-24 23:41:56 -07:00
Zuul
6341ef2e9d Merge "NSXv3: Update stats api" 2017-10-25 01:12:26 +00:00
Abhishek Raut
8b38b2ba33 Add support to retrieve VIFs and VirtualMachines
This patch adds support to retrieve resources of type
VirtualMachines and VirtualNetworkInterface.

Change-Id: I9d551e35e68cbaadbe2787f23775296f61c0e72d
2017-10-23 15:02:35 -07:00
Tong Liu
51c3a3a905 NSXv3: Update stats api
NSXv3 backend has a limitation that it only supports realtime
mode for now. This patch adds a source param for stats api.

Change-Id: I56a8ad0bb3641c9560cffdb1efcf3b8a7c461580
2017-10-23 17:40:59 +00:00
Gary Kotton
abc121b5d9 Fix failing unit test
Change-Id: I7e6197a40010be6cd395b9607c1fcf267b2e286b
2017-10-19 19:38:59 -07:00
Tong Liu
45b127140a Add ssl profile binding methods for LB virtual server
Add two methods for load balancer virtual server ssl profile
binding.
  - Add client_ssl_profile_binding for virtual server. This
    setting is used when load balancer acts as an SSL server and
    terminating the client SSL connection.
  - Add server_ssl_profile_binding for virtual server. This
    setting is used when load balancer acts as an SSL client and
    establishing a connection to the backend server.

This patch also fixes a typo in server_ssl_profile.

Change-Id: I692a3cc30dcef9c8d68fe1b40c0624b881954bdd
2017-10-17 05:21:10 +00:00
Gary Kotton
1f16b50882 Add router to nsxlib class
This is a RouterLib object

Change-Id: Iaf1e4a5cccce60ae091a912c318be0e9957aaa84
2017-10-15 00:58:07 -07:00
Tong Liu
185749e05a Add private_key and passphrase to cert creation
Currently, only pem_encoded option is available when importing a
certificate into NSX. There are two more options we can expose
including private_key and passphrase. Also, we don't need to
remove '\n' from the cert as NSX backend will do it automatically.

This patch also adds a trust_management object in the NsxLib for
nsxlib consumer accessing it easily.

Change-Id: I0429d1d7caf7995f044d4daaa46da13e506fddb2
2017-10-09 12:58:36 +00:00
Zuul
1ab929cb0a Merge "Cache Get results for some nsxlib resources" 2017-10-02 08:13:10 +00:00
Adit Sarfaty
8a5c545135 Cache Get results for some nsxlib resources
Adding a caching mechanism to remember previous results of get commands
and return them if they are not too old.
This mechanism is disabled for most of the nsxlib resources, and used only
by a few resources that are accessed frequently and modified rarely
such as transport zones.

Change-Id: I4c1c723ee878feab9a86ff9015246c9e1773bd8b
2017-09-28 09:32:43 +03:00
Jenkins
0afb28b1b8 Merge "Add supported feature for VLAN router interfaces" 2017-09-27 19:13:36 +00:00
Jenkins
2b43fa1a51 Merge "Support ENS transport zone" 2017-09-27 04:51:49 +00:00
Adit Sarfaty
d987ecb25d Add supported feature for VLAN router interfaces
NSX 3.0.0 (version may change later) will support adding a vlan
router interface and not just overlay ones.
This patch adds a feature for this, so the plugin can check if this
is supported or not.

Change-Id: I86d79e5a14a326db5659bd7a746fefb9b44dbf46
2017-09-26 10:49:18 +00:00
Abhishek Raut
9f38953c00 Update ip_protocol during loadbalancer app profile updates
Application profiles are of type TCP, UDP or HTTP. In case the
application profile is being updated with a new type, the virtual
server must also be updated with the new IP Protocol.

Additionally, it should not be necessary to update both the
persistence profile and application profile simultaneously.

Change-Id: I4953dcefa6b168406276851c59b89c3ddaa2f9ad
2017-09-25 14:38:02 -07:00
Adit Sarfaty
f2cf04fa36 Support ENS transport zone
Change-Id: Iba4fa617c91df9bb1afce4e2612cee9da873a08d
2017-09-24 13:47:57 +03:00
Adit Sarfaty
63dbcea970 Update update_advertisement depending on NSX version
Using the load balancing related args for the router
update_advertisement should be done only if the NSX version
supports the load balancing feature.

Change-Id: I1a94ee58e6b8908e6122a69f6515dfdf2d2c1b28
2017-09-18 05:31:33 +00:00
Abhishek Raut
90f223d1b2 Add LB related flags for update_route_advertisement
Change-Id: Ia84cd4fa9ff1b57cfd46582ed67f774b724d5e0a
2017-09-15 17:34:19 +00:00
Jenkins
4b4f6c7c35 Merge "Move LBaaS to 2.1 supported feature" 2017-09-15 03:27:13 +00:00
Tong Liu
fc58ec85b7 Move LBaaS to 2.1 supported feature
NSXv3 supports native load balancing since 2.1. Move the feature
to 2.1 from 2.0.

Change-Id: Ib2076a2afdd7576ebc262af30d5a4e05fa866ce8
2017-09-14 11:22:11 +00:00