Merge pull request #43 from stackhpc/upstream/master-2025-04-21

Synchronise master with upstream

Author: priteau

octavia/common/constants.py

@@ -768,6 +768,10 @@
 RULE_API_READ_QUOTA_GLOBAL = 'rule:load-balancer:read-quota-global'
 RULE_API_WRITE_QUOTA = 'rule:load-balancer:write-quota'
 
+# The service user for Aodh needs to be able to list all
+# members of a pool to determine which are healthy.
+RULE_MEMBER_API_READ = f'{RULE_API_READ} or rule:service'
+
 RBAC_LOADBALANCER = f'{LOADBALANCER_API}:loadbalancer:'
 RBAC_LISTENER = f'{LOADBALANCER_API}:listener:'
 RBAC_POOL = f'{LOADBALANCER_API}:pool:'

octavia/controller/worker/v2/tasks/network_tasks.py

@@ -728,7 +728,11 @@ def execute(self, loadbalancer, amphora=None):
             db_lb, amphora=db_amp)
         provider_dict = {}
         for amp_id, amp_conf in db_configs.items():
-            provider_dict[amp_id] = amp_conf.to_dict(recurse=True)
+            # Do not serialize loadbalancer class.  It's unused later and
+            # could be ignored for storing in results of task in persistence DB
+            provider_dict[amp_id] = amp_conf.to_dict(
+                recurse=True, calling_classes=[data_models.LoadBalancer]
+            )
         return provider_dict
 
 
@@ -746,7 +750,11 @@ def execute(self, loadbalancer_id, amphora_id=None):
                                                              amphora=amphora)
         provider_dict = {}
         for amp_id, amp_conf in db_configs.items():
-            provider_dict[amp_id] = amp_conf.to_dict(recurse=True)
+            # Do not serialize loadbalancer class.  It's unused later and
+            # could be ignored for storing in results of task in persistence DB
+            provider_dict[amp_id] = amp_conf.to_dict(
+                recurse=True, calling_classes=[data_models.LoadBalancer]
+            )
         return provider_dict
 
 
@@ -762,7 +770,11 @@ def execute(self, loadbalancer_id):
         db_configs = self.network_driver.get_network_configs(db_lb)
         provider_dict = {}
         for amp_id, amp_conf in db_configs.items():
-            provider_dict[amp_id] = amp_conf.to_dict(recurse=True)
+            # Do not serialize loadbalancer class.  It's unused later and
+            # could be ignored for storing in results of task in persistence DB
+            provider_dict[amp_id] = amp_conf.to_dict(
+                recurse=True, calling_classes=[data_models.LoadBalancer]
+            )
         return provider_dict
 
 

octavia/policies/keystone_default_roles.py

@@ -51,6 +51,11 @@
     # auth_strategy == noauth configuration setting.
     # It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
 
+    policy.RuleDefault(
+        name='service',
+        check_str='role:service',
+        scope_types=[constants.RBAC_SCOPE_PROJECT]),
+
     policy.RuleDefault(
         name='load-balancer:global_observer',
         check_str='role:admin',

octavia/policies/member.py

@@ -18,7 +18,7 @@
 rules = [
     policy.DocumentedRuleDefault(
         f'{constants.RBAC_MEMBER}{constants.RBAC_GET_ALL}',
-        constants.RULE_API_READ,
+        constants.RULE_MEMBER_API_READ,
         "List Members of a Pool",
         [{'method': 'GET', 'path': '/v2/lbaas/pools/{pool_id}/members'}]
     ),

octavia/tests/functional/api/v2/test_member.py

@@ -169,7 +169,7 @@ def test_get_all_hides_deleted(self):
         objects = response.json.get(self.root_tag_list)
         self.assertEqual(len(objects), 0)
 
-    def test_get_all_authorized(self):
+    def _test_get_all_authorized(self, roles, project_id):
         api_m_1 = self.create_member(
             self.pool_id, '192.0.2.1', 80).get(self.root_tag)
         self.set_lb_status(self.lb_id)
@@ -195,13 +195,13 @@ def test_get_all_authorized(self):
                 'is_admin_project': True,
                 'service_project_domain_id': None,
                 'service_project_id': None,
-                'roles': ['load-balancer_member', 'member'],
+                'roles': roles,
                 'user_id': None,
                 'is_admin': False,
                 'service_user_domain_id': None,
                 'project_domain_id': None,
                 'service_roles': [],
-                'project_id': self.project_id}
+                'project_id': project_id}
             with mock.patch(
                     "oslo_context.context.RequestContext.to_policy_values",
                     return_value=override_credentials):
@@ -216,6 +216,15 @@ def test_get_all_authorized(self):
         for m in [api_m_1, api_m_2]:
             self.assertIn(m, response)
 
+    def test_get_all_authorized(self):
+        self._test_get_all_authorized(
+            roles=['load-balancer_member', 'member'],
+            project_id=self.project_id)
+
+    def test_get_all_authorized_service(self):
+        self._test_get_all_authorized(
+            roles=['service'], project_id='services')
+
     def test_get_all_unscoped_token(self):
         api_m_1 = self.create_member(
             self.pool_id, '192.0.2.1', 80).get(self.root_tag)

octavia/tests/unit/controller/worker/v2/tasks/test_network_tasks.py

@@ -1349,6 +1349,10 @@ def test_get_amphora_network_configs_by_id(
         AMP_ID = uuidutils.generate_uuid()
         mock_driver = mock.MagicMock()
         mock_get_net_driver.return_value = mock_driver
+        amphora_config_mock = mock.MagicMock()
+        mock_driver.get_network_configs.return_value = {
+            "amphora_uuid1": amphora_config_mock
+        }
         mock_amp_get.return_value = 'mock amphora'
         mock_lb_get.return_value = 'mock load balancer'
 
@@ -1360,6 +1364,9 @@ def test_get_amphora_network_configs_by_id(
             'mock load balancer', amphora='mock amphora')
         mock_amp_get.assert_called_once_with(mock_get_session(), id=AMP_ID)
         mock_lb_get.assert_called_once_with(mock_get_session(), id=LB_ID)
+        amphora_config_mock.to_dict.assert_called_once_with(
+            recurse=True, calling_classes=[o_data_models.LoadBalancer]
+        )
 
     @mock.patch('octavia.db.repositories.LoadBalancerRepository.get')
     @mock.patch('octavia.db.api.get_session', return_value=_session_mock)
@@ -1368,10 +1375,17 @@ def test_get_amphorae_network_configs(self, mock_session, mock_lb_get,
         mock_driver = mock.MagicMock()
         mock_lb_get.return_value = LB
         mock_get_net_driver.return_value = mock_driver
+        amphora_config_mock = mock.MagicMock()
+        mock_driver.get_network_configs.return_value = {
+            "amphora_uuid1": amphora_config_mock
+        }
         lb = o_data_models.LoadBalancer()
         net_task = network_tasks.GetAmphoraeNetworkConfigs()
         net_task.execute(self.load_balancer_mock)
         mock_driver.get_network_configs.assert_called_once_with(lb)
+        amphora_config_mock.to_dict.assert_called_once_with(
+            recurse=True, calling_classes=[o_data_models.LoadBalancer]
+        )
 
     def test_retrieve_portids_on_amphora_except_lb_network(
             self, mock_get_net_driver):

releasenotes/notes/aodh-service-api-5c485a172d76fa1a.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    The ``service`` role now has access to list members in
+    a pool, this is needed by Aodh to evaluate unhealthy
+    members in a pool when doing evaluations.

releasenotes/notes/do-not-serialize-full-loadbalancer-graph-on-get-amphora-network-configs-347a0a4340ee222b.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Ignore serialization loadbalancer class in GetAmphoraNetworkConfigs tasks.
+    It allows to avoid storing full graph in jobboard details. It fixes cases
+    with enabled jobboard for huge LBs with ~2000+ resources in graph.