octavia 13.0.0__py3-none-any.whl → 13.0.1__py3-none-any.whl

octavia/certificates/manager/noop.py

@@ -0,0 +1,106 @@
+# Copyright (c) 2023 Red Hat
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+import uuid
+
+from oslo_log import log as logging
+
+from octavia.certificates.common import cert
+from octavia.certificates.common import local
+from octavia.certificates.manager import cert_mgr
+from octavia.common.tls_utils import cert_parser
+from octavia.tests.common import sample_certs
+
+LOG = logging.getLogger(__name__)
+
+
+class NoopCertManager(cert_mgr.CertManager):
+    """Cert manager implementation for no-op operations
+
+    """
+    def __init__(self):
+        super().__init__()
+        self._local_cert = None
+
+    @property
+    def local_cert(self):
+        if self._local_cert is None:
+            self._local_cert = self.store_cert(
+                None,
+                sample_certs.X509_CERT,
+                sample_certs.X509_CERT_KEY_ENCRYPTED,
+                sample_certs.X509_IMDS,
+                private_key_passphrase=sample_certs.X509_CERT_KEY_PASSPHRASE)
+        return self._local_cert
+
+    def store_cert(self, context, certificate, private_key, intermediates=None,
+                   private_key_passphrase=None, **kwargs) -> cert.Cert:
+        """Stores (i.e., registers) a cert with the cert manager.
+
+        This method stores the specified cert to the filesystem and returns
+        a UUID that can be used to retrieve it.
+
+        :param context: Ignored in this implementation
+        :param certificate: PEM encoded TLS certificate
+        :param private_key: private key for the supplied certificate
+        :param intermediates: ordered and concatenated intermediate certs
+        :param private_key_passphrase: optional passphrase for the supplied key
+
+        :returns: the UUID of the stored cert
+        :raises CertificateStorageException: if certificate storage fails
+        """
+        cert_ref = str(uuid.uuid4())
+        if isinstance(certificate, bytes):
+            certificate = certificate.decode('utf-8')
+        if isinstance(private_key, bytes):
+            private_key = private_key.decode('utf-8')
+
+        LOG.debug('Driver %s no-op, store_cert certificate %s, cert_ref %s',
+                  self.__class__.__name__, certificate, cert_ref)
+
+        cert_data = {'certificate': certificate, 'private_key': private_key}
+        if intermediates:
+            if isinstance(intermediates, bytes):
+                intermediates = intermediates.decode('utf-8')
+            cert_data['intermediates'] = list(
+                cert_parser.get_intermediates_pems(intermediates))
+        if private_key_passphrase:
+            if isinstance(private_key_passphrase, bytes):
+                private_key_passphrase = private_key_passphrase.decode('utf-8')
+            cert_data['private_key_passphrase'] = private_key_passphrase
+
+        return local.LocalCert(**cert_data)
+
+    def get_cert(self, context, cert_ref, check_only=True, **kwargs) -> (
+            cert.Cert):
+        LOG.debug('Driver %s no-op, get_cert with cert_ref %s',
+                  self.__class__.__name__, cert_ref)
+        return self.local_cert
+
+    def delete_cert(self, context, cert_ref, resource_ref, service_name=None):
+        LOG.debug('Driver %s no-op, delete_cert with cert_ref %s',
+                  self.__class__.__name__, cert_ref)
+
+    def set_acls(self, context, cert_ref):
+        LOG.debug('Driver %s no-op, set_acls with cert_ref %s',
+                  self.__class__.__name__, cert_ref)
+
+    def unset_acls(self, context, cert_ref):
+        LOG.debug('Driver %s no-op, unset_acls with cert_ref %s',
+                  self.__class__.__name__, cert_ref)
+
+    def get_secret(self, context, secret_ref) -> cert.Cert:
+        LOG.debug('Driver %s no-op, get_secret with secret_ref %s',
+                  self.__class__.__name__, secret_ref)
+        return self.local_cert

octavia/common/clients.py

@@ -79,11 +79,22 @@ class NeutronAuth(object):
         ksession = keystone.KeystoneSession('neutron')
         if not cls.neutron_client:
             sess = ksession.get_session()
-
-            kwargs = {}
+            kwargs = {'region_name': CONF.neutron.region_name}
+            # TODO(ricolin) `interface` option don't take list as option yet.
+            # We can move away from this when openstacksdk no longer depends
+            # on `interface`.
+            try:
+                interface = CONF.neutron.valid_interfaces[0]
+            except (TypeError, LookupError):
+                interface = CONF.neutron.valid_interfaces
+            if interface:
+                kwargs['interface'] = interface
             if CONF.neutron.endpoint_override:
                 kwargs['network_endpoint_override'] = (
                     CONF.neutron.endpoint_override)
+                if CONF.neutron.endpoint_override.startswith("https"):
+                    kwargs['insecure'] = CONF.neutron.insecure
+                    kwargs['cacert'] = CONF.neutron.cafile
 
             conn = openstack.connection.Connection(
                 session=sess, **kwargs)
@@ -100,15 +111,22 @@ class NeutronAuth(object):
         client.
         """
         sess = keystone.KeystoneSession('neutron').get_session()
+        kwargs = {}
         neutron_endpoint = CONF.neutron.endpoint_override
         if neutron_endpoint is None:
             endpoint_data = sess.get_endpoint_data(
-                service_type='network', interface=CONF.neutron.endpoint_type,
+                service_type='network',
+                interface=CONF.neutron.valid_interfaces,
                 region_name=CONF.neutron.region_name)
             neutron_endpoint = endpoint_data.catalog_url
 
+        neutron_cafile = getattr(CONF.neutron, "cafile", None)
+        insecure = getattr(CONF.neutron, "insecure", False)
+        kwargs['verify'] = not insecure
+        if neutron_cafile is not None and not insecure:
+            kwargs['verify'] = neutron_cafile
         user_auth = token_endpoint.Token(neutron_endpoint, context.auth_token)
-        user_sess = session.Session(auth=user_auth)
+        user_sess = session.Session(auth=user_auth, **kwargs)
 
         conn = openstack.connection.Connection(
             session=user_sess, oslo_conf=CONF)

octavia/common/config.py

@@ -534,7 +534,18 @@ controller_worker_opts = [
     cfg.BoolOpt('event_notifications', default=True,
                 help=_('Enable octavia event notifications. See '
                        'oslo_messaging_notifications section for additional '
-                       'requirements.'))
+                       'requirements.')),
+    # 2000 attempts is around 2h45 with the default settings
+    cfg.IntOpt('db_commit_retry_attempts', default=2000,
+               help=_('The number of times the database action will be '
+                      'attempted.')),
+    cfg.IntOpt('db_commit_retry_initial_delay', default=1,
+               help=_('The initial delay before a retry attempt.')),
+    cfg.IntOpt('db_commit_retry_backoff', default=1,
+               help=_('The time to backoff retry attempts.')),
+    cfg.IntOpt('db_commit_retry_max', default=5,
+               help=_('The maximum amount of time to wait between retry '
+                      'attempts.')),
 ]
 
 task_flow_opts = [
@@ -924,24 +935,29 @@ def register_cli_opts():
 def handle_neutron_deprecations():
     # Apply neutron deprecated options to their new setting if needed
 
-    # Basicaly: if the value of the deprecated option is not the default:
+    # Basically: if the new option is not set and the value of the deprecated
+    # option is not the default, it means that the deprecated setting is still
+    # used in the config file:
     # * convert it to a valid "new" value if needed
     # * set it as the default for the new option
     # Thus [neutron].<new_option> has an higher precedence than
     # [neutron].<deprecated_option>
     loc = cfg.CONF.get_location('endpoint', 'neutron')
-    if loc and loc.location != cfg.Locations.opt_default:
+    new_loc = cfg.CONF.get_location('endpoint_override', 'neutron')
+    if not new_loc and loc and loc.location != cfg.Locations.opt_default:
         cfg.CONF.set_default('endpoint_override', cfg.CONF.neutron.endpoint,
                              'neutron')
 
     loc = cfg.CONF.get_location('endpoint_type', 'neutron')
-    if loc and loc.location != cfg.Locations.opt_default:
+    new_loc = cfg.CONF.get_location('valid_interfaces', 'neutron')
+    if not new_loc and loc and loc.location != cfg.Locations.opt_default:
         endpoint_type = cfg.CONF.neutron.endpoint_type.replace('URL', '')
         cfg.CONF.set_default('valid_interfaces', [endpoint_type],
                              'neutron')
 
     loc = cfg.CONF.get_location('ca_certificates_file', 'neutron')
-    if loc and loc.location != cfg.Locations.opt_default:
+    new_loc = cfg.CONF.get_location('cafile', 'neutron')
+    if not new_loc and loc and loc.location != cfg.Locations.opt_default:
         cfg.CONF.set_default('cafile', cfg.CONF.neutron.ca_certificates_file,
                              'neutron')
 

octavia/common/constants.py

@@ -313,6 +313,7 @@ AMPHORA_INDEX = 'amphora_index'
 AMPHORA_NETWORK_CONFIG = 'amphora_network_config'
 AMPHORAE = 'amphorae'
 AMPHORAE_NETWORK_CONFIG = 'amphorae_network_config'
+AMPHORAE_STATUS = 'amphorae_status'
 AMPS_DATA = 'amps_data'
 ANTI_AFFINITY = 'anti-affinity'
 ATTEMPT_NUMBER = 'attempt_number'
@@ -387,6 +388,7 @@ MESSAGE = 'message'
 NAME = 'name'
 NETWORK = 'network'
 NETWORK_ID = 'network_id'
+NEW_AMPHORA_ID = 'new_amphora_id'
 NEXTHOP = 'nexthop'
 NICS = 'nics'
 OBJECT = 'object'
@@ -435,6 +437,7 @@ TLS_CERTIFICATE_ID = 'tls_certificate_id'
 TLS_CONTAINER_ID = 'tls_container_id'
 TOPOLOGY = 'topology'
 TOTAL_CONNECTIONS = 'total_connections'
+UNREACHABLE = 'unreachable'
 UPDATED_AT = 'updated_at'
 UPDATE_DICT = 'update_dict'
 UPDATED_PORTS = 'updated_ports'
@@ -562,6 +565,7 @@ ADMIN_DOWN_PORT = 'admin-down-port'
 AMPHORA_POST_VIP_PLUG = 'amphora-post-vip-plug'
 AMPHORA_RELOAD_LISTENER = 'amphora-reload-listener'
 AMPHORA_TO_ERROR_ON_REVERT = 'amphora-to-error-on-revert'
+AMPHORAE_GET_CONNECTIVITY_STATUS = 'amphorae-get-connectivity-status'
 AMPHORAE_POST_NETWORK_PLUG = 'amphorae-post-network-plug'
 ATTACH_PORT = 'attach-port'
 CALCULATE_AMPHORA_DELTA = 'calculate-amphora-delta'

octavia/common/exceptions.py

@@ -133,6 +133,12 @@ class UnreadablePKCS12(APIException):
     code = 400
 
 
+class MissingCertSubject(APIException):
+    msg = _('No CN or DNSName(s) found in certificate. The certificate is '
+            'invalid.')
+    code = 400
+
+
 class MisMatchedKey(OctaviaException):
     message = _("Key and x509 certificate do not match")
 

octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2

@@ -208,13 +208,18 @@ frontend {{ listener.id }}
         {% else %}
             {% set monitor_port_opt = "" %}
         {% endif %}
+        {% if pool.alpn_protocols is defined %}
+            {% set alpn_opt = " check-alpn %s"|format(pool.alpn_protocols) %}
+        {% else %}
+            {% set alpn_opt = "" %}
+        {% endif %}
         {% if pool.health_monitor.type == constants.HEALTH_MONITOR_HTTPS %}
             {% set monitor_ssl_opt = " check-ssl verify none" %}
         {% else %}
             {% set monitor_ssl_opt = "" %}
         {% endif %}
-        {% set hm_opt = " check%s inter %ds fall %d rise %d%s%s"|format(
-            monitor_ssl_opt, pool.health_monitor.delay,
+        {% set hm_opt = " check%s%s inter %ds fall %d rise %d%s%s"|format(
+            monitor_ssl_opt, alpn_opt, pool.health_monitor.delay,
             pool.health_monitor.fall_threshold,
             pool.health_monitor.rise_threshold, monitor_addr_opt,
             monitor_port_opt) %}
@@ -370,9 +375,6 @@ backend {{ pool.id }}:{{ listener.id }}
     option httpchk {{ pool.health_monitor.http_method }} {{ pool.health_monitor.url_path }}
             {% endif %}
     http-check expect rstatus {{ pool.health_monitor.expected_codes }}
-        {% endif %}
-        {% if pool.health_monitor.type == constants.HEALTH_MONITOR_TLS_HELLO %}
-    option ssl-hello-chk
         {% endif %}
         {% if pool.health_monitor.type == constants.HEALTH_MONITOR_PING %}
     option external-check

octavia/common/keystone.py

@@ -80,14 +80,14 @@ class KeystoneSession(object):
 
                 config = getattr(cfg.CONF, self.section)
                 for opt in config:
-                    # For each option in the [neutron] section, get its setting
-                    # location, if the location is 'opt_default' or
-                    # 'set_default', it means that the option is not configured
-                    # in the config file, it should be replaced with the one
-                    # from [service_auth]
+                    # For each option in the [section] section, get its setting
+                    # location, if the location is 'opt_default', it means that
+                    # the option is not configured in the config file.
+                    # if the option is also defined in [service_auth], the
+                    # option of the [section] can be replaced by the one from
+                    # [service_auth]
                     loc = cfg.CONF.get_location(opt, self.section)
-                    if not loc or loc.location in (cfg.Locations.opt_default,
-                                                   cfg.Locations.set_default):
+                    if not loc or loc.location == cfg.Locations.opt_default:
                         if hasattr(cfg.CONF.service_auth, opt):
                             cur_value = getattr(config, opt)
                             value = getattr(cfg.CONF.service_auth, opt)

octavia/common/tls_utils/cert_parser.py

@@ -164,16 +164,14 @@ def _parse_pkcs7_bundle(pkcs7):
     if PKCS7_BEG in pkcs7:
         try:
             for substrate in _read_pem_blocks(pkcs7):
-                for cert in _get_certs_from_pkcs7_substrate(substrate):
-                    yield cert
+                yield from _get_certs_from_pkcs7_substrate(substrate)
         except Exception as e:
             LOG.exception('Unreadable Certificate.')
             raise exceptions.UnreadableCert from e
 
     # If no PEM encoding, assume this is DER encoded and try to decode
     else:
-        for cert in _get_certs_from_pkcs7_substrate(pkcs7):
-            yield cert
+        yield from _get_certs_from_pkcs7_substrate(pkcs7)
 
 
 def _read_pem_blocks(data):
@@ -256,14 +254,16 @@ def get_host_names(certificate):
     """
     if isinstance(certificate, str):
         certificate = certificate.encode('utf-8')
+    host_names = {'cn': None, 'dns_names': []}
     try:
         cert = x509.load_pem_x509_certificate(certificate,
                                               backends.default_backend())
-        cn = cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)[0]
-        host_names = {
-            'cn': cn.value.lower(),
-            'dns_names': []
-        }
+        try:
+            cn = cert.subject.get_attributes_for_oid(x509.OID_COMMON_NAME)[0]
+            host_names['cn'] = cn.value.lower()
+        except Exception as e:
+            LOG.debug(f'Unable to get CN from certificate due to: {e}. '
+                      f'Assuming subject alternative names are present.')
         try:
             ext = cert.extensions.get_extension_for_oid(
                 x509.OID_SUBJECT_ALTERNATIVE_NAME
@@ -274,7 +274,17 @@ def get_host_names(certificate):
             LOG.debug("%s extension not found",
                       x509.OID_SUBJECT_ALTERNATIVE_NAME)
 
+        # Certs with no subject are valid as long as a subject alternative
+        # name is present. If both are missing, it is an invalid cert per
+        # the x.509 standard.
+        if not host_names['cn'] and not host_names['dns_names']:
+            LOG.warning('No CN or DNSName(s) found in certificate. The '
+                        'certificate is invalid.')
+            raise exceptions.MissingCertSubject()
+
         return host_names
+    except exceptions.MissingCertSubject:
+        raise
     except Exception as e:
         LOG.exception('Unreadable Certificate.')
         raise exceptions.UnreadableCert from e
@@ -359,6 +369,10 @@ def load_certificates_data(cert_mngr, obj, context=None):
                 cert_mngr.get_cert(context,
                                    obj.tls_certificate_id,
                                    check_only=True))
+        except exceptions.MissingCertSubject:
+            # This was logged below, so raise as is to provide a clear
+            # user error
+            raise
         except Exception as e:
             LOG.warning('Unable to retrieve certificate: %s due to %s.',
                         obj.tls_certificate_id, str(e))

octavia/controller/worker/task_utils.py

@@ -14,18 +14,32 @@
 
 """ Methods common to the controller work tasks."""
 
+from oslo_config import cfg
 from oslo_log import log as logging
+from oslo_utils import excutils
+import tenacity
 
 from octavia.common import constants
 from octavia.db import api as db_apis
 from octavia.db import repositories as repo
 
+CONF = cfg.CONF
 LOG = logging.getLogger(__name__)
 
 
 class TaskUtils(object):
     """Class of helper/utility methods used by tasks."""
 
+    status_update_retry = tenacity.retry(
+        retry=tenacity.retry_if_exception_type(Exception),
+        wait=tenacity.wait_incrementing(
+            CONF.controller_worker.db_commit_retry_initial_delay,
+            CONF.controller_worker.db_commit_retry_backoff,
+            CONF.controller_worker.db_commit_retry_max),
+        stop=tenacity.stop_after_attempt(
+            CONF.controller_worker.db_commit_retry_attempts),
+        after=tenacity.after_log(LOG, logging.DEBUG))
+
     def __init__(self, **kwargs):
         self.amphora_repo = repo.AmphoraRepository()
         self.health_mon_repo = repo.HealthMonitorRepository()
@@ -160,6 +174,7 @@ class TaskUtils(object):
                       "provisioning status to ERROR due to: "
                       "%(except)s", {'list': listener_id, 'except': str(e)})
 
+    @status_update_retry
     def mark_loadbalancer_prov_status_error(self, loadbalancer_id):
         """Sets a load balancer provisioning status to ERROR.
 
@@ -175,9 +190,12 @@ class TaskUtils(object):
                     id=loadbalancer_id,
                     provisioning_status=constants.ERROR)
         except Exception as e:
-            LOG.error("Failed to update load balancer %(lb)s "
-                      "provisioning status to ERROR due to: "
-                      "%(except)s", {'lb': loadbalancer_id, 'except': str(e)})
+            # Reraise for tenacity
+            with excutils.save_and_reraise_exception():
+                LOG.error("Failed to update load balancer %(lb)s "
+                          "provisioning status to ERROR due to: "
+                          "%(except)s", {'lb': loadbalancer_id,
+                                         'except': str(e)})
 
     def mark_listener_prov_status_active(self, listener_id):
         """Sets a listener provisioning status to ACTIVE.
@@ -214,6 +232,7 @@ class TaskUtils(object):
                       "to ACTIVE due to: %(except)s", {'pool': pool_id,
                                                        'except': str(e)})
 
+    @status_update_retry
     def mark_loadbalancer_prov_status_active(self, loadbalancer_id):
         """Sets a load balancer provisioning status to ACTIVE.
 
@@ -229,9 +248,12 @@ class TaskUtils(object):
                     id=loadbalancer_id,
                     provisioning_status=constants.ACTIVE)
         except Exception as e:
-            LOG.error("Failed to update load balancer %(lb)s "
-                      "provisioning status to ACTIVE due to: "
-                      "%(except)s", {'lb': loadbalancer_id, 'except': str(e)})
+            # Reraise for tenacity
+            with excutils.save_and_reraise_exception():
+                LOG.error("Failed to update load balancer %(lb)s "
+                          "provisioning status to ACTIVE due to: "
+                          "%(except)s", {'lb': loadbalancer_id,
+                                         'except': str(e)})
 
     def mark_member_prov_status_error(self, member_id):
         """Sets a member provisioning status to ERROR.

octavia/controller/worker/v2/controller_worker.py

@@ -394,8 +394,8 @@ class ControllerWorker(object):
                  constants.SERVER_GROUP_ID: db_lb.server_group_id,
                  constants.PROJECT_ID: db_lb.project_id}
         if cascade:
-            listeners = flow_utils.get_listeners_on_lb(db_lb)
-            pools = flow_utils.get_pools_on_lb(db_lb)
+            listeners = flow_utils.get_listeners_on_lb(db_lb, True)
+            pools = flow_utils.get_pools_on_lb(db_lb, True)
 
             self.run_flow(
                 flow_utils.get_cascade_delete_load_balancer_flow,

octavia/controller/worker/v2/flows/amphora_flows.py

@@ -226,7 +226,8 @@ class AmphoraFlows(object):
         return delete_amphora_flow
 
     def get_vrrp_subflow(self, prefix, timeout_dict=None,
-                         create_vrrp_group=True):
+                         create_vrrp_group=True,
+                         get_amphorae_status=True):
         sf_name = prefix + '-' + constants.GET_VRRP_SUBFLOW
         vrrp_subflow = linear_flow.Flow(sf_name)
 
@@ -242,6 +243,17 @@ class AmphoraFlows(object):
             requires=constants.LOADBALANCER_ID,
             provides=constants.AMPHORAE_NETWORK_CONFIG))
 
+        if get_amphorae_status:
+            # Get the amphorae_status dict in case the caller hasn't fetched
+            # it yet.
+            vrrp_subflow.add(
+                amphora_driver_tasks.AmphoraeGetConnectivityStatus(
+                    name=constants.AMPHORAE_GET_CONNECTIVITY_STATUS,
+                    requires=constants.AMPHORAE,
+                    rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
+                    inject={constants.TIMEOUT_DICT: timeout_dict},
+                    provides=constants.AMPHORAE_STATUS))
+
         # VRRP update needs to be run on all amphora to update
         # their peer configurations. So parallelize this with an
         # unordered subflow.
@@ -252,7 +264,8 @@ class AmphoraFlows(object):
 
         amp_0_subflow.add(amphora_driver_tasks.AmphoraIndexUpdateVRRPInterface(
             name=sf_name + '-0-' + constants.AMP_UPDATE_VRRP_INTF,
-            requires=constants.AMPHORAE,
+            requires=(constants.AMPHORAE, constants.AMPHORAE_STATUS),
+            rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
             inject={constants.AMPHORA_INDEX: 0,
                     constants.TIMEOUT_DICT: timeout_dict},
             provides=constants.AMP_VRRP_INT))
@@ -261,13 +274,15 @@ class AmphoraFlows(object):
             name=sf_name + '-0-' + constants.AMP_VRRP_UPDATE,
             requires=(constants.LOADBALANCER_ID,
                       constants.AMPHORAE_NETWORK_CONFIG, constants.AMPHORAE,
-                      constants.AMP_VRRP_INT),
+                      constants.AMPHORAE_STATUS, constants.AMP_VRRP_INT),
+            rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
             inject={constants.AMPHORA_INDEX: 0,
                     constants.TIMEOUT_DICT: timeout_dict}))
 
         amp_0_subflow.add(amphora_driver_tasks.AmphoraIndexVRRPStart(
             name=sf_name + '-0-' + constants.AMP_VRRP_START,
-            requires=constants.AMPHORAE,
+            requires=(constants.AMPHORAE, constants.AMPHORAE_STATUS),
+            rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
             inject={constants.AMPHORA_INDEX: 0,
                     constants.TIMEOUT_DICT: timeout_dict}))
 
@@ -275,7 +290,8 @@ class AmphoraFlows(object):
 
         amp_1_subflow.add(amphora_driver_tasks.AmphoraIndexUpdateVRRPInterface(
             name=sf_name + '-1-' + constants.AMP_UPDATE_VRRP_INTF,
-            requires=constants.AMPHORAE,
+            requires=(constants.AMPHORAE, constants.AMPHORAE_STATUS),
+            rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
             inject={constants.AMPHORA_INDEX: 1,
                     constants.TIMEOUT_DICT: timeout_dict},
             provides=constants.AMP_VRRP_INT))
@@ -284,12 +300,14 @@ class AmphoraFlows(object):
             name=sf_name + '-1-' + constants.AMP_VRRP_UPDATE,
             requires=(constants.LOADBALANCER_ID,
                       constants.AMPHORAE_NETWORK_CONFIG, constants.AMPHORAE,
-                      constants.AMP_VRRP_INT),
+                      constants.AMPHORAE_STATUS, constants.AMP_VRRP_INT),
+            rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
             inject={constants.AMPHORA_INDEX: 1,
                     constants.TIMEOUT_DICT: timeout_dict}))
         amp_1_subflow.add(amphora_driver_tasks.AmphoraIndexVRRPStart(
             name=sf_name + '-1-' + constants.AMP_VRRP_START,
-            requires=constants.AMPHORAE,
+            requires=(constants.AMPHORAE, constants.AMPHORAE_STATUS),
+            rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
             inject={constants.AMPHORA_INDEX: 1,
                     constants.TIMEOUT_DICT: timeout_dict}))
 
@@ -538,6 +556,14 @@ class AmphoraFlows(object):
             constants.CONN_RETRY_INTERVAL:
                 CONF.haproxy_amphora.active_connection_retry_interval}
 
+        failover_amp_flow.add(
+            amphora_driver_tasks.AmphoraeGetConnectivityStatus(
+                name=constants.AMPHORAE_GET_CONNECTIVITY_STATUS,
+                requires=constants.AMPHORAE,
+                rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
+                inject={constants.TIMEOUT_DICT: timeout_dict},
+                provides=constants.AMPHORAE_STATUS))
+
         # Listeners update needs to be run on all amphora to update
         # their peer configurations. So parallelize this with an
         # unordered subflow.
@@ -548,7 +574,9 @@ class AmphoraFlows(object):
             update_amps_subflow.add(
                 amphora_driver_tasks.AmphoraIndexListenerUpdate(
                     name=str(amp_index) + '-' + constants.AMP_LISTENER_UPDATE,
-                    requires=(constants.LOADBALANCER, constants.AMPHORAE),
+                    requires=(constants.LOADBALANCER, constants.AMPHORAE,
+                              constants.AMPHORAE_STATUS),
+                    rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
                     inject={constants.AMPHORA_INDEX: amp_index,
                             constants.TIMEOUT_DICT: timeout_dict}))
 
@@ -558,7 +586,8 @@ class AmphoraFlows(object):
         if lb_amp_count == 2:
             failover_amp_flow.add(
                 self.get_vrrp_subflow(constants.GET_VRRP_SUBFLOW,
-                                      timeout_dict, create_vrrp_group=False))
+                                      timeout_dict, create_vrrp_group=False,
+                                      get_amphorae_status=False))
 
         # Reload the listener. This needs to be done here because
         # it will create the required haproxy check scripts for
@@ -574,7 +603,9 @@ class AmphoraFlows(object):
                 amphora_driver_tasks.AmphoraIndexListenersReload(
                     name=(str(amp_index) + '-' +
                           constants.AMPHORA_RELOAD_LISTENER),
-                    requires=(constants.LOADBALANCER, constants.AMPHORAE),
+                    requires=(constants.LOADBALANCER, constants.AMPHORAE,
+                              constants.AMPHORAE_STATUS),
+                    rebind={constants.NEW_AMPHORA_ID: constants.AMPHORA_ID},
                     inject={constants.AMPHORA_INDEX: amp_index,
                             constants.TIMEOUT_DICT: timeout_dict}))
 

octavia/controller/worker/v2/flows/flow_utils.py

@@ -41,29 +41,31 @@ def get_delete_load_balancer_flow(lb):
     return LB_FLOWS.get_delete_load_balancer_flow(lb)
 
 
-def get_listeners_on_lb(db_lb):
+def get_listeners_on_lb(db_lb, for_delete=False):
     """Get a list of the listeners on a load balancer.
 
     :param db_lb: A load balancer database model object.
+    :param for_delete: Skip errors on tls certs loading.
     :returns: A list of provider dict format listeners.
     """
     listener_dicts = []
     for listener in db_lb.listeners:
         prov_listener = provider_utils.db_listener_to_provider_listener(
-            listener)
+            listener, for_delete)
         listener_dicts.append(prov_listener.to_dict())
     return listener_dicts
 
 
-def get_pools_on_lb(db_lb):
+def get_pools_on_lb(db_lb, for_delete=False):
     """Get a list of the pools on a load balancer.
 
     :param db_lb: A load balancer database model object.
+    :param for_delete: Skip errors on tls certs loading.
     :returns: A list of provider dict format pools.
     """
     pool_dicts = []
     for pool in db_lb.pools:
-        prov_pool = provider_utils.db_pool_to_provider_pool(pool)
+        prov_pool = provider_utils.db_pool_to_provider_pool(pool, for_delete)
         pool_dicts.append(prov_pool.to_dict())
     return pool_dicts