octavia 12.0.0.0rc2__py3-none-any.whl → 13.0.0.0rc1__py3-none-any.whl

octavia/tests/unit/amphorae/drivers/haproxy/test_rest_api_driver_1_0.py

@@ -123,7 +123,7 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
             vip_subnet=network_models.Subnet(
                 id=self.lb.vip.subnet_id,
                 cidr=FAKE_VIP_SUBNET,
-                host_routes=[]))
+                host_routes=[])).to_dict(recurse=True)
 
     @mock.patch('octavia.amphorae.drivers.haproxy.rest_api_driver.'
                 'HaproxyAmphoraLoadBalancerDriver._process_secret')
@@ -167,7 +167,7 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
         self.driver.clients[API_VERSION].upload_config.assert_not_called()
         self.driver.clients[API_VERSION].reload_listener.assert_not_called()
 
-    @mock.patch('octavia.db.api.get_session')
+    @mock.patch('octavia.db.api.session')
     @mock.patch('octavia.db.repositories.ListenerRepository.update')
     @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
     def test_update_amphora_listeners_bad_cert(
@@ -176,12 +176,13 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
         mock_amphora.id = 'mock_amphora_id'
         mock_amphora.api_version = API_VERSION
 
-        mock_get_session.return_value = 'fake_session'
+        mock_session = mock_get_session().begin().__enter__()
+
         mock_load_cert.side_effect = [Exception]
         self.driver.update_amphora_listeners(self.lb,
                                              mock_amphora, self.timeout_dict)
         mock_list_update.assert_called_once_with(
-            'fake_session', self.lb.listeners[0].id,
+            mock_session, self.lb.listeners[0].id,
             provisioning_status=constants.ERROR,
             operating_status=constants.ERROR)
         self.driver.jinja_combo.build_config.assert_not_called()
@@ -698,43 +699,64 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
         self.assertIsNone(result)
 
     def test_post_vip_plug(self):
-        amphorae_network_config = mock.MagicMock()
-        amphorae_network_config.get().vip_subnet.cidr = FAKE_CIDR
-        amphorae_network_config.get().vip_subnet.gateway_ip = FAKE_GATEWAY
-        amphorae_network_config.get().vip_subnet.host_routes = self.host_routes
-        amphorae_network_config.get().vip_subnet.to_dict.return_value = {
+        vip_subnet = mock.MagicMock()
+        vip_subnet.cidr = FAKE_CIDR
+        vip_subnet.gateway_ip = FAKE_GATEWAY
+        vip_subnet.host_routes = self.host_routes
+        vip_subnet.to_dict.return_value = {
             'cidr': FAKE_CIDR,
             'gateway_ip': FAKE_GATEWAY,
             'host_routes': [
                 hr.to_dict(recurse=True)
                 for hr in self.host_routes]
         }
+
+        amphorae_network_config = mock.MagicMock()
+        amphorae_network_config.get().vip_subnet = vip_subnet
         amphorae_network_config.get().vrrp_port = self.port
-        self.driver.post_vip_plug(self.amp, self.lb, amphorae_network_config)
+        self.driver.post_vip_plug(self.amp, self.lb, amphorae_network_config,
+                                  self.port, vip_subnet,
+                                  additional_vip_data=[])
         self.driver.clients[API_VERSION].plug_vip.assert_called_once_with(
             self.amp, self.lb.vip.ip_address, self.subnet_info)
 
     def test_post_vip_plug_additional_vips(self):
-        amphorae_network_config = mock.MagicMock()
-        amphorae_network_config.get().vip_subnet.cidr = FAKE_CIDR
-        amphorae_network_config.get().vip_subnet.gateway_ip = FAKE_GATEWAY
-        amphorae_network_config.get().vip_subnet.host_routes = self.host_routes
-        amphorae_network_config.get().vip_subnet.to_dict.return_value = {
+        vip_subnet = mock.MagicMock()
+        vip_subnet.cidr = FAKE_CIDR
+        vip_subnet.gateway_ip = FAKE_GATEWAY
+        vip_subnet.host_routes = self.host_routes
+        vip_subnet.to_dict.return_value = {
             'cidr': FAKE_CIDR,
             'gateway_ip': FAKE_GATEWAY,
             'host_routes': [
                 hr.to_dict(recurse=True)
                 for hr in self.host_routes]
         }
+
+        amphorae_network_config = mock.MagicMock()
+        amphorae_network_config.get().vip_subnet = vip_subnet
         amphorae_network_config.get().vrrp_port = self.port
+
+        vip1_subnet = mock.MagicMock()
+        vip1_subnet.cidr = mock.Mock()
+        vip1_subnet.gateway_ip = mock.Mock()
+        vip1_subnet.host_routes = self.host_routes
+        vip1_subnet.to_dict.return_value = {
+            'cidr': vip1_subnet.cidr,
+            'gateway_ip': vip1_subnet.gateway_ip,
+            'host_routes': [
+                hr.to_dict(recurse=True)
+                for hr in self.host_routes]
+        }
         additional_vip1 = mock.MagicMock()
         additional_vip1.ip_address = mock.Mock()
-        additional_vip1.subnet.cidr = mock.Mock()
-        additional_vip1.subnet.gateway_ip = mock.Mock()
-        additional_vip1.subnet.host_routes = self.host_routes
+        additional_vip1.subnet = vip1_subnet
         additional_vip_data = [additional_vip1]
-        self.driver.post_vip_plug(self.amp, self.lb, amphorae_network_config,
-                                  additional_vip_data=additional_vip_data)
+        self.driver.post_vip_plug(
+            self.amp, self.lb,
+            amphorae_network_config,
+            self.port, vip_subnet,
+            additional_vip_data=additional_vip_data)
         netinfo = self.subnet_info.copy()
         netinfo['additional_vips'] = [
             {

octavia/tests/unit/amphorae/drivers/health/test_heartbeat_udp.py

@@ -73,16 +73,6 @@ class TestHeartbeatUDP(base.TestCase):
             total_connections=random.randrange(1000000000),
             request_errors=random.randrange(1000000000),
             received_time=float(random.randrange(1000000000)))
-        self.listener_stats_dict = {
-            self.listener_id: {
-                "request_errors": self.listener_stats.request_errors,
-                "active_connections":
-                    self.listener_stats.active_connections,
-                "total_connections": self.listener_stats.total_connections,
-                "bytes_in": self.listener_stats.bytes_in,
-                "bytes_out": self.listener_stats.bytes_out,
-            }
-        }
 
     @mock.patch('octavia.statistics.stats_base.update_stats_via_driver')
     def test_update_stats_v1(self, mock_stats_base):
@@ -130,11 +120,15 @@ class TestHeartbeatUDP(base.TestCase):
                         "totconns": self.listener_stats.total_connections,
                         "rx": self.listener_stats.bytes_in,
                         "tx": self.listener_stats.bytes_out,
-                    },
-                    "pools": {
-                        "pool-id-1:{}".format(self.listener_id): {
-                            "status": constants.UP,
-                            "members": {"member-id-1": constants.ONLINE}
+                    }
+                }
+            },
+            "pools": {
+                "pool-id-1:{}".format(self.listener_id): {
+                    "status": constants.UP,
+                    "members": {
+                        "member-id-1": {
+                            "status": constants.ONLINE
                         }
                     }
                 }
@@ -162,11 +156,15 @@ class TestHeartbeatUDP(base.TestCase):
                         "totconns": self.listener_stats.total_connections,
                         "rx": self.listener_stats.bytes_in,
                         "tx": self.listener_stats.bytes_out,
-                    },
-                    "pools": {
-                        "pool-id-1:{}".format(self.listener_id): {
-                            "status": constants.UP,
-                            "members": {"member-id-1": constants.ONLINE}
+                    }
+                }
+            },
+            "pools": {
+                "pool-id-1:{}".format(self.listener_id): {
+                    "status": constants.UP,
+                    "members": {
+                        "member-id-1": {
+                            "status": constants.ONLINE
                         }
                     }
                 }

octavia/tests/unit/amphorae/drivers/keepalived/jinja/test_jinja_cfg.py

@@ -267,7 +267,7 @@ class TestVRRPRestDriver(base.TestCase):
         mock_subnet.gateway_ip = '10.1.0.1'
         mock_subnet.host_routes = []
         amp_net_config = n_data_models.AmphoraNetworkConfig(
-            vip_subnet=mock_subnet)
+            vip_subnet=mock_subnet).to_dict(recurse=True)
 
         config = self.templater.build_keepalived_config(
             self.lb, self.amphora1, amp_net_config)
@@ -279,7 +279,7 @@ class TestVRRPRestDriver(base.TestCase):
         mock_subnet.gateway_ip = '2001:db8::ff'
         mock_subnet.host_routes = []
         amp_net_config = n_data_models.AmphoraNetworkConfig(
-            vip_subnet=mock_subnet)
+            vip_subnet=mock_subnet).to_dict(recurse=True)
 
         config = self.templater.build_keepalived_config(
             self.lbv6, self.amphora1v6, amp_net_config)
@@ -302,7 +302,7 @@ class TestVRRPRestDriver(base.TestCase):
         )
         amp_net_config = n_data_models.AmphoraNetworkConfig(
             vip_subnet=mock_subnet1,
-            additional_vip_data=[additional_vip])
+            additional_vip_data=[additional_vip]).to_dict(recurse=True)
 
         config = self.templater.build_keepalived_config(
             self.lb, self.amphora1, amp_net_config)
@@ -315,7 +315,7 @@ class TestVRRPRestDriver(base.TestCase):
         )
         amp_net_config = n_data_models.AmphoraNetworkConfig(
             vip_subnet=mock_subnet2,
-            additional_vip_data=[additional_vip])
+            additional_vip_data=[additional_vip]).to_dict(recurse=True)
 
         config = self.templater.build_keepalived_config(
             self.lbv6, self.amphora1v6, amp_net_config)

octavia/tests/unit/amphorae/drivers/noop_driver/test_driver.py

@@ -123,8 +123,11 @@ class TestNoopAmphoraLoadBalancerDriver(base.TestCase):
                              self.amphora.id, self.port.id)])
 
     def test_post_vip_plug(self):
+        port = network_models.Port(id=uuidutils.generate_uuid())
+        subnet = network_models.Subnet(id=uuidutils.generate_uuid())
         self.driver.post_vip_plug(self.amphora, self.load_balancer,
-                                  self.amphorae_net_configs)
+                                  self.amphorae_net_configs,
+                                  port, subnet)
         expected_method_and_args = (self.load_balancer.id,
                                     self.amphorae_net_configs,
                                     'post_vip_plug')

octavia/tests/unit/api/drivers/driver_agent/test_driver_get.py

@@ -27,7 +27,7 @@ class TestDriverGet(base.TestCase):
     @mock.patch('octavia.db.api.get_session')
     def _test_process_get_object(self, object_name, mock_object_repo,
                                  mock_object_to_provider, mock_get_session):
-        mock_get_session.return_value = 'bogus_session'
+        mock_get_session.return_value = mock.MagicMock()
         object_repo_mock = mock.MagicMock()
         mock_object_repo.return_value = object_repo_mock
         db_object_mock = mock.MagicMock()
@@ -47,7 +47,7 @@ class TestDriverGet(base.TestCase):
 
         mock_object_repo.assert_called_once_with()
         object_repo_mock.get.assert_called_once_with(
-            'bogus_session', id=object_id, show_deleted=False)
+            mock_get_session(), id=object_id, show_deleted=False)
         mock_object_to_provider.assert_called_once_with(db_object_mock)
         self.assertEqual(ref_prov_dict, result)
 
@@ -61,7 +61,7 @@ class TestDriverGet(base.TestCase):
 
         mock_object_repo.assert_called_once_with()
         object_repo_mock.get.assert_called_once_with(
-            'bogus_session', id=object_id, show_deleted=False)
+            mock_get_session(), id=object_id, show_deleted=False)
         mock_object_to_provider.assert_not_called()
         self.assertEqual({}, result)
 

octavia/tests/unit/api/drivers/driver_agent/test_driver_updater.py

@@ -39,7 +39,7 @@ class TestDriverUpdater(base.TestCase):
               mock_pool_repo, mock_l7r_repo, mock_l7p_repo, mock_list_repo,
               mock_lb_repo):
         super().setUp()
-        self.mock_session = "FAKE_DB_SESSION"
+        self.mock_session = mock.MagicMock()
         mock_get_session.return_value = self.mock_session
 
         member_mock = mock.MagicMock()
@@ -98,34 +98,32 @@ class TestDriverUpdater(base.TestCase):
     @mock.patch('octavia.db.repositories.Repositories.decrement_quota')
     @mock.patch('octavia.db.api.get_session')
     def test_decrement_quota(self, mock_get_session, mock_dec_quota):
-        mock_session = mock.MagicMock()
-        mock_get_session.return_value = mock_session
         mock_dec_quota.side_effect = [mock.DEFAULT,
                                       exceptions.OctaviaException('Boom')]
 
         self.driver_updater._decrement_quota(self.mock_lb_repo,
                                              'FakeName', self.lb_id)
         mock_dec_quota.assert_called_once_with(
-            mock_session, self.mock_lb_repo.model_class.__data_model__,
+            self.mock_session, self.mock_lb_repo.model_class.__data_model__,
             self.lb_project_id)
-        mock_session.commit.assert_called_once()
-        mock_session.rollback.assert_not_called()
+        self.mock_session.commit.assert_called_once()
+        self.mock_session.rollback.assert_not_called()
 
         # Test exception path
         mock_dec_quota.reset_mock()
-        mock_session.reset_mock()
+        self.mock_session.reset_mock()
         self.assertRaises(exceptions.OctaviaException,
                           self.driver_updater._decrement_quota,
                           self.mock_lb_repo, 'FakeName', self.lb_id)
         mock_dec_quota.assert_called_once_with(
-            mock_session, self.mock_lb_repo.model_class.__data_model__,
+            self.mock_session, self.mock_lb_repo.model_class.__data_model__,
             self.lb_project_id)
-        mock_session.commit.assert_not_called()
-        mock_session.rollback.assert_called_once()
+        self.mock_session.commit.assert_not_called()
+        self.mock_session.rollback.assert_called_once()
 
         # Test already deleted path
         mock_dec_quota.reset_mock()
-        mock_session.reset_mock()
+        self.mock_session.reset_mock()
         # Create a local mock LB and LB_repo for this test
         mock_lb = mock.MagicMock()
         mock_lb.id = self.lb_id
@@ -136,8 +134,8 @@ class TestDriverUpdater(base.TestCase):
         self.driver_updater._decrement_quota(mock_lb_repo,
                                              'FakeName', self.lb_id)
         mock_dec_quota.assert_not_called()
-        mock_session.commit.assert_not_called()
-        mock_session.rollback.assert_called_once()
+        self.mock_session.commit.assert_not_called()
+        self.mock_session.rollback.assert_called_once()
 
     @mock.patch('octavia.api.drivers.driver_agent.driver_updater.'
                 'DriverUpdater._decrement_quota')

octavia/tests/unit/base.py

@@ -25,6 +25,8 @@ from octavia.common import rpc
 # needed for tests to function when run independently:
 from octavia.common import config  # noqa: F401
 
+from octavia.tests import fixtures as oc_fixtures
+
 
 class TestCase(testtools.TestCase):
 
@@ -34,6 +36,8 @@ class TestCase(testtools.TestCase):
         self.addCleanup(mock.patch.stopall)
         self.addCleanup(self.clean_caches)
 
+        self.warning_fixture = self.useFixture(oc_fixtures.WarningsFixture())
+
     def clean_caches(self):
         clients.NovaAuth.nova_client = None
         clients.NeutronAuth.neutron_client = None
@@ -44,6 +48,8 @@ class TestRpc(testtools.TestCase):
         super().__init__(*args, **kwargs)
         self._buses = {}
 
+        self.warning_fixture = self.useFixture(oc_fixtures.WarningsFixture())
+
     def _fake_create_transport(self, url):
         if url not in self._buses:
             self._buses[url] = messaging.get_rpc_transport(

octavia/tests/unit/cmd/test_interface.py

@@ -23,8 +23,8 @@ class TestInterfaceCMD(base.TestCase):
     def setUp(self):
         super().setUp()
 
-        self.interface1 = interface_file.InterfaceFile("eth1")
-        self.interface2 = interface_file.InterfaceFile("eth2")
+        self.interface1 = interface_file.InterfaceFile("eth1", if_type="type1")
+        self.interface2 = interface_file.InterfaceFile("eth2", if_type="type2")
 
     def test_interfaces_find(self):
         controller = mock.Mock()

octavia/tests/unit/cmd/test_status.py

@@ -32,8 +32,8 @@ class TestUpgradeChecks(base.TestCase):
     def test__check_amphorav2_not_enabled(self):
         self.conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
         self.conf.config(group='api_settings',
-                         default_provider_driver=constants.AMPHORA,
-                         enabled_provider_drivers={constants.AMPHORA: "Test"})
+                         default_provider_driver='other_provider',
+                         enabled_provider_drivers={'other_provider': "Test"})
         check_result = self.cmd._check_amphorav2()
         self.assertEqual(
             Code.SUCCESS, check_result.code)

octavia/tests/unit/common/jinja/haproxy/combined_listeners/test_jinja_cfg.py

@@ -49,6 +49,8 @@ class TestHaproxyCfg(base.TestCase):
         fe = ("frontend sample_listener_id_1\n"
               "    maxconn {maxconn}\n"
               "    redirect scheme https if !{{ ssl_fc }}\n"
+              "    http-response set-header Strict-Transport-Security "
+              "\"max-age=10000000; includeSubDomains; preload;\"\n"
               "    bind 10.0.0.2:443 "
               "ssl crt-list {crt_list} "
               "ca-file /var/lib/octavia/certs/sample_loadbalancer_id_1/"
@@ -107,6 +109,8 @@ class TestHaproxyCfg(base.TestCase):
         fe = ("frontend sample_listener_id_1\n"
               "    maxconn {maxconn}\n"
               "    redirect scheme https if !{{ ssl_fc }}\n"
+              "    http-response set-header Strict-Transport-Security "
+              "\"max-age=10000000; includeSubDomains; preload;\"\n"
               "    bind 10.0.0.2:443 ssl crt-list {crt_list}"
               "   ciphers {ciphers} no-sslv3 no-tlsv10 no-tlsv11 alpn {alpn}\n"
               "    mode http\n"
@@ -158,6 +162,8 @@ class TestHaproxyCfg(base.TestCase):
         fe = ("frontend sample_listener_id_1\n"
               "    maxconn {maxconn}\n"
               "    redirect scheme https if !{{ ssl_fc }}\n"
+              "    http-response set-header Strict-Transport-Security "
+              "\"max-age=10000000; includeSubDomains; preload;\"\n"
               "    bind 10.0.0.2:443 ssl crt-list {crt_list}    "
               "no-sslv3 no-tlsv10 no-tlsv11 alpn {alpn}\n"
               "    mode http\n"
@@ -208,6 +214,8 @@ class TestHaproxyCfg(base.TestCase):
         fe = ("frontend sample_listener_id_1\n"
               "    maxconn {maxconn}\n"
               "    redirect scheme https if !{{ ssl_fc }}\n"
+              "    http-response set-header Strict-Transport-Security "
+              "\"max-age=10000000; includeSubDomains; preload;\"\n"
               "    bind 10.0.0.2:443 "
               "ssl crt-list {crt_list} "
               "ca-file /var/lib/octavia/certs/sample_loadbalancer_id_1/"
@@ -266,6 +274,8 @@ class TestHaproxyCfg(base.TestCase):
         fe = ("frontend sample_listener_id_1\n"
               "    maxconn {maxconn}\n"
               "    redirect scheme https if !{{ ssl_fc }}\n"
+              "    http-response set-header Strict-Transport-Security "
+              "\"max-age=10000000; includeSubDomains; preload;\"\n"
               "    bind 10.0.0.2:443 ssl crt-list {crt_list}    "
               "alpn {alpn}\n"
               "    mode http\n"
@@ -318,6 +328,8 @@ class TestHaproxyCfg(base.TestCase):
         fe = ("frontend sample_listener_id_1\n"
               "    maxconn {maxconn}\n"
               "    redirect scheme https if !{{ ssl_fc }}\n"
+              "    http-response set-header Strict-Transport-Security "
+              "\"max-age=10000000; includeSubDomains; preload;\"\n"
               "    bind 10.0.0.2:443 ssl crt-list {crt_list}   "
               "ciphers {ciphers} no-sslv3 no-tlsv10 no-tlsv11 alpn {alpn}\n"
               "    mode http\n"
@@ -370,6 +382,8 @@ class TestHaproxyCfg(base.TestCase):
         fe = ("frontend sample_listener_id_1\n"
               "    maxconn {maxconn}\n"
               "    redirect scheme https if !{{ ssl_fc }}\n"
+              "    http-response set-header Strict-Transport-Security "
+              "\"max-age=10000000; includeSubDomains; preload;\"\n"
               "    bind 10.0.0.2:443 ssl crt-list {crt_list}   "
               "ciphers {ciphers} no-sslv3 no-tlsv10 no-tlsv11\n"
               "    mode http\n"
@@ -412,6 +426,119 @@ class TestHaproxyCfg(base.TestCase):
                 frontend=fe, backend=be),
             rendered_obj)
 
+    def test_render_template_tls_no_alpn_hsts_max_age_only(self):
+        conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
+        conf.config(group="haproxy_amphora", base_cert_dir='/fake_cert_dir')
+        FAKE_CRT_LIST_FILENAME = os.path.join(
+            CONF.haproxy_amphora.base_cert_dir,
+            'sample_loadbalancer_id_1/sample_listener_id_1.pem')
+        fe = ("frontend sample_listener_id_1\n"
+              "    maxconn {maxconn}\n"
+              "    redirect scheme https if !{{ ssl_fc }}\n"
+              "    http-response set-header Strict-Transport-Security "
+              "\"max-age=10000000;\"\n"
+              "    bind 10.0.0.2:443 ssl crt-list {crt_list}   "
+              "ciphers {ciphers} no-sslv3 no-tlsv10 no-tlsv11\n"
+              "    mode http\n"
+              "    default_backend sample_pool_id_1:sample_listener_id_1\n"
+              "    timeout client 50000\n").format(
+            maxconn=constants.HAPROXY_DEFAULT_MAXCONN,
+            crt_list=FAKE_CRT_LIST_FILENAME,
+            ciphers=constants.CIPHERS_OWASP_SUITE_B)
+        be = ("backend sample_pool_id_1:sample_listener_id_1\n"
+              "    mode http\n"
+              "    balance roundrobin\n"
+              "    cookie SRV insert indirect nocache\n"
+              "    timeout check 31s\n"
+              "    option httpchk GET /index.html HTTP/1.0\\r\\n\n"
+              "    http-check expect rstatus 418\n"
+              "    fullconn {maxconn}\n"
+              "    option allbackups\n"
+              "    timeout connect 5000\n"
+              "    timeout server 50000\n"
+              "    server sample_member_id_1 10.0.0.99:82 "
+              "weight 13 check inter 30s fall 3 rise 2 "
+              "cookie sample_member_id_1\n"
+              "    server sample_member_id_2 10.0.0.98:82 "
+              "weight 13 check inter 30s fall 3 rise 2 "
+              "cookie sample_member_id_2\n\n").format(
+            maxconn=constants.HAPROXY_DEFAULT_MAXCONN)
+        rendered_obj = self.jinja_cfg.render_loadbalancer_obj(
+            sample_configs_combined.sample_amphora_tuple(),
+            [sample_configs_combined.sample_listener_tuple(
+                proto='TERMINATED_HTTPS', tls=True,
+                alpn_protocols=None, hsts_include_subdomains=False,
+                hsts_preload=False)],
+            tls_certs={'cont_id_1':
+                       sample_configs_combined.sample_tls_container_tuple(
+                           id='tls_container_id',
+                           certificate='ImAalsdkfjCert',
+                           private_key='ImAsdlfksdjPrivateKey',
+                           primary_cn="FakeCN")})
+        self.assertEqual(
+            sample_configs_combined.sample_base_expected_config(
+                frontend=fe, backend=be),
+            rendered_obj)
+
+    def test_render_template_tls_no_hsts(self):
+        conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
+        conf.config(group="haproxy_amphora", base_cert_dir='/fake_cert_dir')
+        FAKE_CRT_LIST_FILENAME = os.path.join(
+            CONF.haproxy_amphora.base_cert_dir,
+            'sample_loadbalancer_id_1/sample_listener_id_1.pem')
+        fe = ("frontend sample_listener_id_1\n"
+              "    maxconn {maxconn}\n"
+              "    redirect scheme https if !{{ ssl_fc }}\n"
+              "    bind 10.0.0.2:443 "
+              "ssl crt-list {crt_list} "
+              "ca-file /var/lib/octavia/certs/sample_loadbalancer_id_1/"
+              "client_ca.pem verify required crl-file /var/lib/octavia/"
+              "certs/sample_loadbalancer_id_1/SHA_ID.pem ciphers {ciphers} "
+              "no-sslv3 no-tlsv10 no-tlsv11 alpn {alpn}\n"
+              "    mode http\n"
+              "    default_backend sample_pool_id_1:sample_listener_id_1\n"
+              "    timeout client 50000\n").format(
+            maxconn=constants.HAPROXY_DEFAULT_MAXCONN,
+            crt_list=FAKE_CRT_LIST_FILENAME,
+            ciphers=constants.CIPHERS_OWASP_SUITE_B,
+            alpn=",".join(constants.AMPHORA_SUPPORTED_ALPN_PROTOCOLS))
+        be = ("backend sample_pool_id_1:sample_listener_id_1\n"
+              "    mode http\n"
+              "    balance roundrobin\n"
+              "    cookie SRV insert indirect nocache\n"
+              "    timeout check 31s\n"
+              "    option httpchk GET /index.html HTTP/1.0\\r\\n\n"
+              "    http-check expect rstatus 418\n"
+              "    fullconn {maxconn}\n"
+              "    option allbackups\n"
+              "    timeout connect 5000\n"
+              "    timeout server 50000\n"
+              "    server sample_member_id_1 10.0.0.99:82 "
+              "weight 13 check inter 30s fall 3 rise 2 "
+              "cookie sample_member_id_1\n"
+              "    server sample_member_id_2 10.0.0.98:82 "
+              "weight 13 check inter 30s fall 3 rise 2 cookie "
+              "sample_member_id_2\n\n").format(
+            maxconn=constants.HAPROXY_DEFAULT_MAXCONN)
+        tls_tupe = {'cont_id_1':
+                    sample_configs_combined.sample_tls_container_tuple(
+                        id='tls_container_id',
+                        certificate='imaCert1', private_key='imaPrivateKey1',
+                        primary_cn='FakeCN'),
+                    'cont_id_ca': 'client_ca.pem',
+                    'cont_id_crl': 'SHA_ID.pem'}
+        rendered_obj = self.jinja_cfg.render_loadbalancer_obj(
+            sample_configs_combined.sample_amphora_tuple(),
+            [sample_configs_combined.sample_listener_tuple(
+                proto='TERMINATED_HTTPS', tls=True, sni=True,
+                client_ca_cert=True, client_crl_cert=True,
+                hsts_max_age=None)],
+            tls_tupe)
+        self.assertEqual(
+            sample_configs_combined.sample_base_expected_config(
+                frontend=fe, backend=be),
+            rendered_obj)
+
     def test_render_template_http(self):
         be = ("backend sample_pool_id_1:sample_listener_id_1\n"
               "    mode http\n"
@@ -922,7 +1049,7 @@ class TestHaproxyCfg(base.TestCase):
         be = ("backend sample_pool_id_1:sample_listener_id_1\n"
               "    mode http\n"
               "    balance roundrobin\n"
-              "    stick-table type ip size 10k\n"
+              "    stick-table type ipv6 size 10k\n"
               "    stick on src\n"
               "    timeout check 31s\n"
               "    option httpchk GET /index.html HTTP/1.0\\r\\n\n"
@@ -1559,6 +1686,28 @@ class TestHaproxyCfg(base.TestCase):
         self.assertLess(ret['global_connection_limit'],
                         connection_limit_sum)
 
+    def test_transform_with_disabled_listeners(self):
+        in_amphora = sample_configs_combined.sample_amphora_tuple()
+
+        in_listeners = []
+
+        connection_limit_sum = 0
+
+        in_listener = (
+            sample_configs_combined.sample_listener_tuple())
+        connection_limit_sum += constants.HAPROXY_DEFAULT_MAXCONN
+        in_listeners.append(in_listener)
+
+        disabled_listener = (
+            sample_configs_combined.sample_listener_tuple(enabled=False))
+        in_listeners.append(disabled_listener)
+
+        ret = self.jinja_cfg._transform_loadbalancer(
+            in_amphora, in_listeners[0].load_balancer,
+            in_listeners, None, {})
+        self.assertEqual(ret['global_connection_limit'],
+                         connection_limit_sum)
+
     def test_transform_amphora(self):
         in_amphora = sample_configs_combined.sample_amphora_tuple()
         ret = self.jinja_cfg._transform_amphora(in_amphora, {})
@@ -1758,6 +1907,8 @@ class TestHaproxyCfg(base.TestCase):
         fe = ("frontend sample_listener_id_1\n"
               "    maxconn {maxconn}\n"
               "    redirect scheme https if !{{ ssl_fc }}\n"
+              "    http-response set-header Strict-Transport-Security "
+              "\"max-age=10000000; includeSubDomains; preload;\"\n"
               "    bind 10.0.0.2:443 ciphers {ciphers} "
               "no-sslv3 no-tlsv10 no-tlsv11 alpn {alpn}\n"
               "    mode http\n"

octavia/tests/unit/common/sample_configs/sample_configs_combined.py

@@ -707,7 +707,9 @@ def sample_listener_tuple(proto=None, monitor=True, alloc_default_pool=True,
                           backend_alpn_protocols=constants.
                           AMPHORA_SUPPORTED_ALPN_PROTOCOLS,
                           include_pools=True,
-                          additional_vips=False):
+                          additional_vips=False,
+                          hsts_max_age=10_000_000,
+                          hsts_include_subdomains=True, hsts_preload=True):
     proto = 'HTTP' if proto is None else proto
     if be_proto is None:
         be_proto = 'HTTP' if proto == 'TERMINATED_HTTPS' else proto
@@ -731,7 +733,9 @@ def sample_listener_tuple(proto=None, monitor=True, alloc_default_pool=True,
                     'timeout_tcp_inspect, client_ca_tls_certificate_id, '
                     'client_ca_tls_certificate, client_authentication, '
                     'client_crl_container_id, provisioning_status, '
-                    'tls_ciphers, tls_versions, alpn_protocols')
+                    'tls_ciphers, tls_versions, alpn_protocols, '
+                    'hsts_max_age, hsts_include_subdomains, hsts_preload'
+    )
     if l7:
         pools = [
             sample_pool_tuple(
@@ -859,7 +863,10 @@ def sample_listener_tuple(proto=None, monitor=True, alloc_default_pool=True,
         provisioning_status=provisioning_status,
         tls_ciphers=tls_ciphers,
         tls_versions=tls_versions,
-        alpn_protocols=alpn_protocols
+        alpn_protocols=alpn_protocols,
+        hsts_max_age=hsts_max_age,
+        hsts_include_subdomains=hsts_include_subdomains,
+        hsts_preload=hsts_preload,
     )
     if recursive_nest:
         listener.load_balancer.listeners.append(listener)