1184 Commits

Author SHA1 Message Date
Salvatore Orlando
c39850ebf4 [MP] Support firewall_match for NAT rules
The nat_pass is deprecated and has been replaced by firewall_match.
This patch adds support for firewall_match and stops using nat_pass
when firewall_match is specified.

Change-Id: Ibd2303cf4e182c7aea6bab57c27f36ee4c138a47
2022-06-09 23:15:22 -07:00
Tao Zou
d915f2fecb Handle response is not a json format
Change-Id: I62a6c6d248301576176be5631a4ef4900460082d
2022-06-02 06:50:43 +00:00
Zuul
d660b484f3 Merge "Revert "Support multiple ca certificates"" 2022-05-30 20:45:25 +00:00
Salvatore Orlando
eb89f3f56d Drop py36 and py37 from zuul gate test
These are not supported anymore from tempest.

Change-Id: I4b622289291f175471d050e856b22fe3117ebadc
2022-05-30 10:08:03 -07:00
Tao Zou
5855a867e1 Revert "Support multiple ca certificates"
This reverts commit d761feadd7b572ed5e0c788f0ffe7e9f245e71c8.

Reason for revert: move solution to upper layer

Change-Id: I536c33e2608fbb8ce107a5236db27bc43b9974fe
2022-05-23 08:08:02 +00:00
Tao Zou
d761feadd7 Support multiple ca certificates
Split the ca file into two files if there are two ca certificates

Change-Id: I2bdef4ab4a2c6f24a28a4f41d7f58657c3e31bee
2022-05-06 13:20:36 +08:00
tathgurt
778dd72e86 Operator field invalid if Scope_operator field is present
operator field in Conditions for group expressions is invalid if
scope_operator field is set to NOTEQUALS, removing it for the same

Change-Id: I42a4c2586f30952fd4a6cce5235e6c2404c0c6e4
2022-03-18 11:21:40 -07:00
Zuul
bd5cec082e Merge "Fix the logical port created twice" 2022-03-11 06:11:53 +00:00
Xiaotong Luo
8a5b39e90b Handle bad XSRF token in exception handler
PR 2907548 shows the need of implementing also a regeneration trigger
in the exception handler to help with recovering from
invalid XSRF Token issue.

Change-Id: I51897596259bf6abcee26b148c5b70c5eb02d459
2022-03-08 11:11:25 -08:00
Tao Zou
ac224a85a8 Fix the logical port created twice
Logical port creation is a POST request. Sometimes it will trigger
ConnectionResetError which is an IOError. request_with_retry_on_ssl_error
will retry it.
If request has parameter retry_confirm, exception will be raised so ncp
could query if port has been created to avoid creating port twice.

Change-Id: Ic97b39c7a3736f02a79ab891970c1ad67b123156
2022-03-08 18:11:08 +08:00
Shawn Wang
cfe4ed8e27 Add force update of Policy T1 Adv Rules
In certain cases, caller would need to add route advertisement rules on
Policy Tier1 owned by other accounts. This change adds the support by
propagating the "force" param to include X-Allow-Overwrite header in the
final API call. The same operation is already allowed in MP counterpart.

Change-Id: Ic09fb16dd2403f33323c179d68fd2f1f3ce4bb42
2022-02-08 15:42:54 -08:00
Salvatore Orlando
f6ce73049e Remove debug log statements
Remove several statements which were added to verify client behaviour
with H-API calls.

Change-Id: Ie535eaf68ec5c55582264df1db8f9bf5122e6455
2022-01-24 06:30:46 -08:00
Zuul
72985fb905 Merge "Don't drop details info in the raised exception" 2022-01-17 07:26:17 +00:00
Gautam Verma
9e8ce5f4ec Accept locale_service_id to get seg interfaces on T1
Issue: #2883940
Change-Id: Ibe3fd0e921e35afbe0c890d252a20613e7b4ccdb
2022-01-14 15:08:57 -08:00
Salvatore Orlando
31da96584f Fix typo in exception name
Replace "ManagerException" with "ManagerError"

Change-Id: I2fc8e081dd2f36c20ee6234df2c5c900d974cabc
2021-12-01 02:46:19 -08:00
lxiaopei
8634f98915 Reduce page_size if too large response size for search api
For search api, if response size is too large, exception with
error_code 60576 is returned. Catch this kind of exception
and retry with smaller page_size.

Change-Id: If4340b7688420aabc673635f600c1e4b33aa4de3
2021-11-30 01:20:22 +00:00
Salvatore Orlando
f8abe97e87 Bump minimum pyOpenSSL to 20.0.0
Cryptography 36.0.0 isn't compatible with 19.1.0 and this
causes the lower-constraints job to fail.

Change-Id: I4caf226874c660a37de2bce7d0b31cd0b76d3813
2021-11-26 08:37:27 -08:00
lxiaopei
a62e5ad111 Add all_results param in get_ip_subnet_realization_info
Since there are two realized entities for subnet in
API policy/api/v1/infra/realized-state/realized-entities?intent_path=/infra/ip-pools/pool-1/ip-subnets/subnet-1,
sometimes we want to check the realization state for all entities.
Add all_results param in get_ip_subnet_realization_info func
to check all the entities realization state, and
return all the realized entities if no entity_type param set.
The default value for all_results is False.

Change-Id: I5a48c8f7e711090b38ea31d5f732f022bc7bd4bc
2021-11-19 00:17:52 +08:00
tathgurt
283eff2881 Adding scope_operator support for NSX 3.2 API.
Change-Id: I045745857317dc6effbb6a5ac627239354a3b230
2021-11-09 14:24:13 -08:00
Zuul
3e1146a275 Merge "NSX Policy: patch security rules with ChildResourceReference" 2021-10-25 18:27:55 +00:00
Salvatore Orlando
5ec05846f4 NSX Policy: patch security rules with ChildResourceReference
This change adds support for specifying ChildResourceReference entries
in NSX H-API transactions.
It also adds a method patch_entries to update security policy rules
specifying only individual rules to add.

This allows for adding rules to a security policy in a much faster way.

Change-Id: Ib2c9298b013a799a5363951855be6d16ba76d7a8
2021-10-25 10:57:13 -07:00
Salvatore Orlando
fedb0ba5d3 Remove trailing '/' in switching profile operations
When querying switching profiles including system owned, there is
a trailing slash at the end of the URI.
This change removes this slash.

Change-Id: Iaa7d18fa8fdcd22c29baf2265259dfe843890213
2021-10-20 06:46:25 -07:00
Qian Sun
6e21892a0b Don't drop details info in the raised exception
In previous code, the 'details' key in error response body is
missed in the raised exceptions. This patch will reserve it.

Change-Id: Idb10c05135d2cbf5a90adbaa812abfb9ef0d153d
2021-09-29 09:19:04 +00:00
Zuul
4c6d36cfaa Merge "Add support for Avi auth token retrieval" 2021-09-20 22:22:48 +00:00
Xiaotong Luo
bcb49996e5 Add support for Avi auth token retrieval
The NCP-AKO integration in WCP requires NCP to retrieve Avi auth token
and enforcement point information and pass to AKO controller.
Thus, add support for the corresponding API calls in nsxlib.

Change-Id: I7caa7faa80aa6c0f84d24e7ad1f629c5d6af542d
2021-09-17 17:52:55 +00:00
Tao Zou
d984c45f3e Raise the log level for Retry
When urllib3 retries, log level is debug. If cluster is busy, there are
too much log when log level is debug so useful log may be flushed out.
Raise the log level to output 'PUT' method retry info.

Change-Id: I7308ee3ae32705fac8380b947e7d592cc21f2586
2021-09-09 10:34:36 +00:00
Salvatore Orlando
787dbca5b3 Add MP610 error code to retryable errors
Error code 610 is thrown when a NSX transaction is stopped.
The transaction should be retried by the client.

This change ensures error 610 is handled with APITransactionAborted
exception and therefore retried.

Change-Id: Ice1d712f78ffb5e9ea12fc485e3d4ac52167f678
2021-08-30 01:58:50 -07:00
Salvatore Orlando
aa25bd32fd Segment: Allow for setting multicast in advanced_config
This change enables specifying multicast in Segment's advanced_config
attribute. Upon update, the attribute is replaced. It is up to the
caller to make sure other components such as address_pool_paths are
not overwritten.

Change-Id: I738daa6243772006b69e6149b42de9451befa7e5
2021-08-26 07:35:59 -07:00
Salvatore Orlando
d0b20761cd Fix zuul config
Explicitly list jobs to be executed in check and gate queues

Change-Id: I3ca603d8adf6da75732174d3cdfa9e73f4ff0bba
2021-08-22 23:17:56 -07:00
Zuul
ca644652cc Merge "NSX PI: Do not use deprecated API when registering identity" 2021-08-02 15:32:59 +00:00
Salvatore Orlando
bb21f169fd NSX PI: Do not use deprecated API when registering identity
With this change deprecated endpoints and the deprecated permission_group
parameter won't be used anymore.
The identity will now be created with the enterprise_admin role.

Change-Id: Ie202c78487a5273ddb58923e7479157c1da091a1
2021-08-01 09:13:10 -07:00
Sean
36be37d942 Support update app_id in segment port api
Change-Id: I19e85c33e89cd8ab8f2430ae9e007afd193a7b52
2021-07-16 01:58:47 +08:00
Zuul
d717cee827 Merge "Add wait_until_realized for Tier1 Static Route" 2021-05-10 13:11:39 +00:00
Rongrong_Miao
d8596e784e [T0API] Added SCOPE parameter in static route
In setting T0 static route, a scope parameter is needed.
This patch fixes the problem with previous implementation by
adding the scope field in static route definition

Issue: #
Jira: #
Signed-off-by: Rongrong_Miao <rmiao@vmware.com>
Change-Id: I9b6e579e8e57e13cb1ba9e797c7348e23e3aaa8f
2021-04-22 16:16:52 -07:00
Danting Liu
378e4eac70 Add wait_until_realized for Tier1 Static Route
Change-Id: I26cff5ee6e7942c92d1670440aa7c039c39a2425
2021-04-22 04:02:19 -07:00
Enhao Cui
f0d39ed978 Add ORBAC Support in Policy API
Object-level RBAC Entries Support in Policy API. This resource
controls the CRUD permissions of specified user to specified resources.
URL: /policy/api/v1/aaa/object-permissions

Change-Id: If065da6e5c91fe16a563527ec2ec36c445c9afd1
2021-04-19 14:03:54 -07:00
Zuul
287757d4cd Merge "Added Tier 0 static routes" 2021-04-15 18:32:38 +00:00
lxiaopei
5af19175cd Add Create identity with cert
since POST /api/v1/trust-management/principal-identities is deprecated.

Change-Id: I5ff5f05aa6ba0e38523e6d4d8009e6aaa67449c8
2021-04-08 03:21:11 +00:00
Zuul
dfcfd10336 Merge "Allow tags to be specified while creating Policy Rules" 2021-04-07 21:21:32 +00:00
Gautam Verma
3d914f1dbc Allow tags to be specified while creating Policy Rules
Issue: #2747149
Change-Id: Iaee21403ebe3bca5d537fb4f452146e1e38f4ccb
2021-04-07 13:59:31 -07:00
Rongrong_Miao
a953b1df2f Fixes get_realization_info, added API to get router port
Currently in get_realization_info in Tier1 API, the entity_type
is ignored. This patch fixes this issue to use entity_type to
filter for realized entity returned by this API

Also to easily get router port, an API is added for Tier1 API
to return a list of RouterPort realized associated with the tier1

Issue: #
Jira: #
Signed-off-by: Rongrong_Miao <rmiao@vmware.com>
Change-Id: Ife3f3652255db4ffc72872e4aef84418bf1a3211
2021-04-06 10:43:44 -07:00
Rongrong_Miao
4dcc68b807 Added Tier 0 static routes
Adds Tier 0 static routes API to support dev
on NCP side on multi VRF and multi T0 topology

Issue: #
Jira: #
Signed-off-by: Rongrong_Miao <rmiao@vmware.com>
Change-Id: I73756350b23dbd8f23c8e22ad84abe93b49831a4
2021-04-06 09:07:42 -07:00
Shawn Wang
cf25fb0923 Allow Transaction for Policy IP Pool Deletion
This patch allows IP Pool to be deleted with transaction, so that the IP
pool can be removed with its child resources (i.e. pool subnets, ip
allocations) in one API call.

Change-Id: I873f7b714a313ff5b512a3898aedab9bd805163b
2021-03-30 12:15:07 -07:00
Enhao Cui
4643ed6647 Add Support for Updating Policy Resource with PUT
NSX checks revision number for PUT requests. It rejects the request
if revision number is not latest. This is helpful for preventing
clients overwriting each other's change to the same object concurrently.

Change-Id: I226782f268b129a8e086938d8ebf258c2abc017e
2021-03-19 16:00:27 -07:00
Zuul
aaf5c222b6 Merge "Support preferred edge paths in Policy" 2021-03-18 18:58:27 +00:00
Enhao Cui
17eeeff0ea Support preferred edge paths in Policy
Add GET and SET preferred edge paths in T1 API

Change-Id: Iaf3f7ec9ecee99d95df5297f9daff59e984336ee
2021-03-17 20:00:11 +00:00
asarfaty
cf4704c807 Fix session persistence profiles list
resource_type is a static method and not a property

Change-Id: Ia1e90b2127a865b5997c8f6bec29fb410f417f65
2021-03-17 09:16:47 +00:00
Xiaotong Luo
4741b2edd8 Update session header with JWT token and skip session create
Although we need to skip the request to /api/session/create with JWT
based auth (original patch: https://review.opendev.org/c/x/vmware-nsxlib/+/774025/),
we should update the session headers with the JWT token.

Change-Id: I87a338f99c195e163d3618c123760c13252317ab
2021-03-08 20:39:51 +00:00
sean
ce1d1e2424 Provide new parameter to disable health check
Provide a new parameter in cluster API initialize func to disable
health check and endpoint accessibility check.
By default the value is True, for some scenarios, when creating
a nsxlib object, users do not intend to validate the endpoint
state, for example, in ncp election process.

Change-Id: I6485a91f1d764fbb7ae3edc61541b7cd9f97682e
2021-02-25 22:42:42 -08:00
Xiaotong Luo
10366f00ba Skipping session create with JWT based auth
According to NSX Authentication team's response
in bug 2708018, we should not be using /api/session/create
with JWT based auth, which will cause
session create failed with 403 response.

Change-Id: Ic09090d633301401906815743bbdd83b55212203
2021-02-08 17:40:18 -08:00