Rocky Series Release Notes

13.3.1-20

New Features

  • Added build_active_retries and port_detach_timeout parameters.

  • Added the “connection_logging” parameter.

  • Adds connection_max_retries and connection_retry_interval to control retry behavior when the contacting the amphora.

  • Added octavia::controller::controller_ip_port_list which can be used to configure the [health_manager]/controller_ip_port_list configuration option.

  • Add new parameter, “workers” to health_manager which defaults to $::os_workers

  • Added Keepalived VRRP parameters.

  • The passphrase for config option ‘server_certs_key_passphrase’, that was recently added to Octavia, will now be auto-generated.

  • When certificate data or file paths change in octavia::certificates it will not cause a restart of the Octavia services so that for example the octavia-worker service can use the new certificates.

Upgrade Notes

  • Octavia option [haproxy_amphora]/key_path will no longer be set. None of the maintained Octavia releases support it (removed in Mitaka).

  • If you want to use the new octavia::controller class you must define it before the octavia::worker class.

Deprecation Notes

  • octavia::housekeeping::spare_amphorae_pool_size is deprecated and will be removed in the future release. Please use octavia::housekeeping::spare_amphora_pool_size instead.

  • The following octavia::worker parameters are deprecated and have been moved to octavia::controller class. When you start using octavia::controller make sure it’s defined before octavia::worker.

    • amp_flavor_id

    • amp_image_tag

    • amp_secgroup_list

    • amp_boot_network_list

    • loadbalancer_topology

    • amphora_driver

    • compute_driver

    • network_driver

    • amp_ssh_key_name

    • enable_ssh_access

    • timeout_member_connect

    • timeout_member_data

    • timeout_tcp_inspect

Security Issues

  • Certificate changes no longer shows diffs in output.

Bug Fixes

  • Fixed a bug where certificate folders that depended on paths provided by packages failed.

  • Fixed a bug where certificate changes would show the diffs. Certificate are now considered secrets and not displayed.

  • The passphrase for config option ‘server_certs_key_passphrase’, is used as a Fernet key in Octavia and thus must be 32 chars long.

  • There are a couple of configuration options that need to be set not only for the worker but also for other Octavia services. For example, on a composable node deployment where the API runs on a separate node than the rest of the Octavia services, the network driver was not being set (hence defaulting to noop driver) while for the worker the driver was allowed_address_pairs_driver. Another example is the database that was only being set for the API service. Such configuration misalignment and omissions lead to operate Octavia services and its resources.

13.3.1

New Features

  • Added new parameter octavia::api::allow_tls_terminated_listeners which can be used to set the allow_tls_terminated_listeners config option.

  • Added new parameters octavia::api::api_v1_enabled and api_v2_enabled that can be used for enable/disable the API versions.

  • Added new parameter cert_generator, cert_manager, region_name and endpoint_type to the octavia::certificates class that configures the certificates section in the octavia.conf file.

  • Added new parameter client_ca and client_data_data to octavia::certificates. These can be used to separate the ca_certificate/server_ca and client_ca used which is something you want to do in production environment to avoid a compromised Amphora being able to connect to the other running amphoras.

  • Added new parameter octavia::worker::workers that can be used to set the number of worker processes.

  • Added new class octavia::wsgi::apache, you can now run the API under Apache with mod_wsgi.

  • Added new octavia::glance class that can be used to configure the glance section in octavia.conf

  • Added new octavia::neutron class that can be used to configure the neutron section in octavia.conf

  • Added new octavia::nova class that can be used to configure the nova section in octavia.conf

13.1.0

New Features

  • Add a new class octavia::quota to manage the quota settings in Octavia.

Upgrade Notes

  • The deprecated octavia::rpc_backend is now removed. Please use octavia::default_transport_url instead.

13.0.0

New Features

  • Adds the pool_timeout option for configuring oslo.db. This will configure this value for pool_timeout with SQLAlchemy.

  • Added octavia::roles::role_names parameter to enable creation of the keystone roles supported by the Octavia API.

  • Add openstack-db tag to Exec that run db-sync.

Upgrade Notes

  • Deprecated ensure_package option has been removed.

  • Deprecated keystone::authtoken::revocation_cache_time option has been removed.

Deprecation Notes

  • auth_uri is deprecated and will be removed in a future release. Please use www_authenticate_uri instead.