Bug 2126800

Summary: Octavia API does not check listener and pool's protocol when creating h2 objects
Product: Red Hat OpenStack
Component: openstack-octavia
Version: 17.1 (Wallaby)
Status: ON_DEV
Severity: medium
Priority: medium
Reporter: Omer Schwartz <oschwart>
Assignee: Omer Schwartz <oschwart>
QA Contact: Omer Schwartz <oschwart>
CC: ihrachys, lpeer, majopela, scohen
Target Milestone: ga
Target Release: 17.1
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Type: Bug

Description Omer Schwartz 2022-09-14 12:48:56 UTC
Description of problem:
Octavia API does not check the listener's (and pool's) protocol when an ALPN protocol is one of the parameters for the listener/pool creation.

Example:

We can create UDP listeners with --alpn-protocol h2 --alpn-protocol http/1.1:

(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer listener create --wait --protocol-port 12345 --protocol UDP --name UDP_listener --alpn-protocol h2 --alpn-protocol http/1.1 lb1
+-----------------------------+--------------------------------------+
| Field                       | Value                                |
+-----------------------------+--------------------------------------+
| admin_state_up              | True                                 |
| connection_limit            | -1                                   |
| created_at                  | 2022-09-14T12:37:01                  |
| default_pool_id             | None                                 |
| default_tls_container_ref   | None                                 |
| description                 |                                      |
| id                          | 4a2b73f5-5676-4f35-b083-0c5a9a4de105 |
| insert_headers              | None                                 |
| l7policies                  |                                      |
| loadbalancers               | d6de4751-afd0-4a43-9d20-d176d07ad55c |
| name                        | UDP_listener                         |
| operating_status            | OFFLINE                              |
| project_id                  | ab5d0044dfe848fbbc3063ec8942826e     |
| protocol                    | UDP                                  |
| protocol_port               | 12345                                |
| provisioning_status         | ACTIVE                               |
| sni_container_refs          | []                                   |
| timeout_client_data         | 50000                                |
| timeout_member_connect      | 5000                                 |
| timeout_member_data         | 50000                                |
| timeout_tcp_inspect         | 0                                    |
| updated_at                  | 2022-09-14T12:37:07                  |
| client_ca_tls_container_ref | None                                 |
| client_authentication       | NONE                                 |
| client_crl_container_ref    | None                                 |
| allowed_cidrs               | None                                 |
| tls_ciphers                 | None                                 |
| tls_versions                | None                                 |
| alpn_protocols              | ['h2', 'http/1.1']                   |
| tags                        |                                      |
+-----------------------------+--------------------------------------+




We can create UDP pools which will be attached to those listeners, also with --alpn-protocol h2 --alpn-protocol http/1.1 parameters:

(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer pool create --name pool1 --lb-algorithm ROUND_ROBIN --listener UDP_listener --protocol UDP --alpn-protocol h2 --alpn-protocol http/1.1
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| admin_state_up       | True                                 |
| created_at           | 2022-09-14T12:37:43                  |
| description          |                                      |
| healthmonitor_id     |                                      |
| id                   | 268e6daa-183f-422d-be7d-28714da66ece |
| lb_algorithm         | ROUND_ROBIN                          |
| listeners            | 4a2b73f5-5676-4f35-b083-0c5a9a4de105 |
| loadbalancers        | d6de4751-afd0-4a43-9d20-d176d07ad55c |
| members              |                                      |
| name                 | pool1                                |
| operating_status     | OFFLINE                              |
| project_id           | ab5d0044dfe848fbbc3063ec8942826e     |
| protocol             | UDP                                  |
| provisioning_status  | PENDING_CREATE                       |
| session_persistence  | None                                 |
| updated_at           | None                                 |
| tls_container_ref    | None                                 |
| ca_tls_container_ref | None                                 |
| crl_container_ref    | None                                 |
| tls_enabled          | False                                |
| tls_ciphers          | None                                 |
| tls_versions         | None                                 |
| tags                 |                                      |
| alpn_protocols       | ['h2', 'http/1.1']                   |
+----------------------+--------------------------------------+




We can also create that pool without a listener (providing directly the lb as a parameter):

(overcloud) [stack@undercloud-0 ~]$ openstack loadbalancer pool create --name pool2 --lb-algorithm ROUND_ROBIN --loadbalancer lb1 --protocol UDP --alpn-protocol h2 --alpn-protocol http/1.1
+----------------------+--------------------------------------+
| Field                | Value                                |
+----------------------+--------------------------------------+
| admin_state_up       | True                                 |
| created_at           | 2022-09-14T12:38:33                  |
| description          |                                      |
| healthmonitor_id     |                                      |
| id                   | eb87cb61-b03e-424d-92c7-389e75989aad |
| lb_algorithm         | ROUND_ROBIN                          |
| listeners            |                                      |
| loadbalancers        | d6de4751-afd0-4a43-9d20-d176d07ad55c |
| members              |                                      |
| name                 | pool2                                |
| operating_status     | OFFLINE                              |
| project_id           | ab5d0044dfe848fbbc3063ec8942826e     |
| protocol             | UDP                                  |
| provisioning_status  | PENDING_CREATE                       |
| session_persistence  | None                                 |
| updated_at           | None                                 |
| tls_container_ref    | None                                 |
| ca_tls_container_ref | None                                 |
| crl_container_ref    | None                                 |
| tls_enabled          | False                                |
| tls_ciphers          | None                                 |
| tls_versions         | None                                 |
| tags                 |                                      |
| alpn_protocols       | ['h2', 'http/1.1']                   |
+----------------------+--------------------------------------+


Version-Release number of selected component (if applicable):
(overcloud) [stack@undercloud-0 ~]$ cat core_puddle_version                                                                                                    
RHOS-17.1-RHEL-9-20220830.n.1

How reproducible:
100%

Steps to Reproduce:
1. Deploy Octavia
2. Create a LB
3. Create either a listener with any protocol or a pool with any protocol and provide the --alpn-protocol h2 --alpn-protocol http/1.1 parameters.

Actual results:
The listener and the pool are being created.

Expected results:
The Octavia API should deny the creation of both the listener and the pool.
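
The check this report asks for, written out as an added example (not Octavia's code and not part of the original report). It assumes that ALPN, being a TLS extension, is only valid on a TERMINATED_HTTPS listener or on a pool with tls_enabled set; the function names and the two valid sample records are hypothetical. The same rule is used to reject a create request and to audit objects that already exist.

```python
"""Added example (not Octavia's code): reject alpn_protocols where no TLS is negotiated."""

# Assumption: ALPN is a TLS extension, so it is only meaningful on a listener
# that terminates TLS and on a pool that re-encrypts traffic to its members.
TLS_LISTENER_PROTOCOLS = {"TERMINATED_HTTPS"}
DATAGRAM_PROTOCOLS = {"UDP"}  # the protocol used in the report


def alpn_violation(kind, obj):
    """Return a reason string if obj carries ALPN it cannot use, else None."""
    alpn = obj.get("alpn_protocols") or []
    if not alpn:
        return None
    proto = obj["protocol"]
    if kind == "listener" and proto not in TLS_LISTENER_PROTOCOLS:
        return f"listener protocol {proto} does not terminate TLS"
    if kind == "pool":
        if proto in DATAGRAM_PROTOCOLS:
            return f"pool protocol {proto} cannot carry TLS"
        if not obj.get("tls_enabled"):
            return "pool has tls_enabled=False"
    return None


def validate_create(kind, request):
    """API-side check: raise before the object is stored."""
    reason = alpn_violation(kind, request)
    if reason:
        raise ValueError(f"alpn_protocols not allowed: {reason}")
    return request


def audit(objects):
    """Operator-side check: list already-created objects that break the rule."""
    return [(k, o["name"], r) for k, o in objects if (r := alpn_violation(k, o))]


# Constructed records: the first three mirror the objects shown in the report,
# the last two are constructed valid cases.
ALPN = ["h2", "http/1.1"]
SAMPLE = [
    ("listener", {"name": "UDP_listener", "protocol": "UDP", "alpn_protocols": ALPN}),
    ("pool", {"name": "pool1", "protocol": "UDP", "tls_enabled": False, "alpn_protocols": ALPN}),
    ("pool", {"name": "pool2", "protocol": "UDP", "tls_enabled": False, "alpn_protocols": ALPN}),
    ("listener", {"name": "tls_listener", "protocol": "TERMINATED_HTTPS", "alpn_protocols": ALPN}),
    ("pool", {"name": "tls_pool", "protocol": "HTTP", "tls_enabled": True, "alpn_protocols": ALPN}),
]

if __name__ == "__main__":
    for kind, name, reason in audit(SAMPLE):
        print(f"{kind} {name}: {reason}")
```
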

Comment 3 Lukas Svaty 2023-06-16 08:13:29 UTC
Bulk moving target milestone to GA after the release of Beta on 14th June '23.