@weizhouapache
Member

Description

This PR improves the SSL termination feature to support CloudStack VR

Design doc: https://cwiki.apache.org/confluence/display/CLOUDSTACK/SSL+Offloading+with+Virtual+Router

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • build/CI
  • test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

@weizhouapache
Member Author

@blueorangutan package

@blueorangutan

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 14670

@weizhouapache weizhouapache added this to the 4.22.0 milestone Aug 19, 2025
@weizhouapache
Member Author

@blueorangutan package

@blueorangutan

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@codecov

codecov bot commented Aug 19, 2025

Codecov Report

❌ Patch coverage is 71.25000% with 69 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.39%. Comparing base (3d6ec29) to head (be5e66e).
⚠️ Report is 19 commits behind head on main.

Files with missing lines Patch % Lines
...in/java/com/cloud/network/HAProxyConfigurator.java 75.00% 10 Missing and 8 partials ⚠️
...user/loadbalancer/AssignCertToLoadBalancerCmd.java 0.00% 11 Missing ⚠️
...apache/cloudstack/network/ssl/CertServiceImpl.java 82.00% 5 Missing and 4 partials ⚠️
...er/loadbalancer/RemoveCertFromLoadBalancerCmd.java 0.00% 7 Missing ⚠️
...va/com/cloud/network/router/NetworkHelperImpl.java 0.00% 6 Missing ⚠️
...ain/java/com/cloud/network/dao/SslCertDaoImpl.java 0.00% 5 Missing ⚠️
...loud/network/lb/LoadBalancingRulesManagerImpl.java 80.00% 1 Missing and 4 partials ⚠️
...ork/router/VirtualNetworkApplianceManagerImpl.java 50.00% 3 Missing and 2 partials ⚠️
...in/java/com/cloud/agent/api/to/LoadBalancerTO.java 75.00% 1 Missing ⚠️
...d/user/loadbalancer/CreateLoadBalancerRuleCmd.java 0.00% 1 Missing ⚠️
... and 1 more
Additional details and impacted files
@@             Coverage Diff              @@
##               main   #11468      +/-   ##
============================================
+ Coverage     17.36%   17.39%   +0.03%     
- Complexity    15237    15273      +36     
============================================
  Files          5888     5888              
  Lines        525741   526002     +261     
  Branches      64164    64204      +40     
============================================
+ Hits          91274    91496     +222     
- Misses       424167   424178      +11     
- Partials      10300    10328      +28     
Flag Coverage Δ
uitests 3.62% <ø> (-0.01%) ⬇️
unittests 18.44% <71.25%> (+0.03%) ⬆️

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14671

@weizhouapache
Member Author

@blueorangutan test

@blueorangutan

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

@weizhouapache
Member Author

@blueorangutan package

@blueorangutan

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✖️ debian ✔️ suse15. SL-JID 14689

@blueorangutan

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 14870

@weizhouapache
Member Author

@blueorangutan package

@blueorangutan

@weizhouapache a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 14872

@weizhouapache
Member Author

@blueorangutan test ol8 vmware-80u3

@blueorangutan

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + vmware-80u3) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian Build Failed (tid-14225)

@blueorangutan

[SF] Trillian test result (tid-14216)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 54071 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11468-t14216-kvm-ol8.zip
Smoke tests completed. 147 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File

@blueorangutan

[SF] Trillian test result (tid-14217)
Environment: kvm-ubuntu22 (x2), zone: Advanced Networking with Mgmt server u22
Total time taken: 57677 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11468-t14217-kvm-ubuntu22.zip
Smoke tests completed. 147 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File

@blueorangutan

[SF] Trillian test result (tid-14219)
Environment: xcpng82 (x2), zone: Advanced Networking with Mgmt server ol9
Total time taken: 77763 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11468-t14219-xcpng82.zip
Smoke tests completed. 140 look OK, 7 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_01_events_resource Error 213.62 test_events_resource.py
test_01_non_strict_host_anti_affinity Error 211.39 test_nonstrict_affinity_group.py
test_02_non_strict_host_affinity Error 52.20 test_nonstrict_affinity_group.py
test_01_primary_storage_iscsi Error 0.77 test_primary_storage.py
test_05_disk_offering_strictness_true Failure 631.83 test_service_offerings.py
test_01_volume_usage Error 100.31 test_usage.py
test_01_vpn_usage Error 1.11 test_usage.py
test_11_destroy_vm_and_volumes Error 26.19 test_vm_life_cycle.py
test_01_migrate_vm_strict_tags_success Error 63.38 test_vm_strict_host_tags.py

@weizhouapache
Member Author

@blueorangutan test ol8 vmware-80u3

@blueorangutan

@weizhouapache a [SL] Trillian-Jenkins test job (ol8 mgmt + vmware-80u3) has been kicked to run smoke tests

@blueorangutan

[SF] Trillian test result (tid-14236)
Environment: vmware-80u3 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 80726 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11468-t14236-vmware-80u3.zip
Smoke tests completed. 145 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
ContextSuite context=TestSharedFSLifecycle>:setup Error 0.00 test_sharedfs_lifecycle.py
test_01_ssl_offloading_isolated_network Failure 1882.23 test_ssl_offloading.py
test_01_ssl_offloading_isolated_network Error 1882.26 test_ssl_offloading.py
test_02_ssl_offloading_project_vpc Error 712.65 test_ssl_offloading.py
test_02_ssl_offloading_project_vpc Error 712.66 test_ssl_offloading.py
ContextSuite context=TestSslOffloading>:teardown Error 843.72 test_ssl_offloading.py

@blueorangutan

[SF] Trillian test result (tid-14253)
Environment: vmware-80u3 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 57207 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11468-t14253-vmware-80u3.zip
Smoke tests completed. 127 look OK, 1 have errors, 19 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_01_volume_usage Error 94.40 test_usage.py
test_01_vpn_usage Error 1.12 test_usage.py
all_test_vm_autoscaling Skipped --- test_vm_autoscaling.py
all_test_vm_deployment_planner Skipped --- test_vm_deployment_planner.py
all_test_vm_life_cycle Skipped --- test_vm_life_cycle.py
all_test_vm_lifecycle_unmanage_import Skipped --- test_vm_lifecycle_unmanage_import.py
all_test_vm_lifecycle_with_snapshot_or_volume Skipped --- test_vm_lifecycle_with_snapshot_or_volume.py
all_test_vm_schedule Skipped --- test_vm_schedule.py
all_test_vm_snapshot_kvm Skipped --- test_vm_snapshot_kvm.py
all_test_vm_snapshots Skipped --- test_vm_snapshots.py
all_test_vm_strict_host_tags Skipped --- test_vm_strict_host_tags.py
all_test_vnf_templates Skipped --- test_vnf_templates.py
all_test_volumes Skipped --- test_volumes.py
all_test_vpc_ipv6 Skipped --- test_vpc_ipv6.py
all_test_vpc_redundant Skipped --- test_vpc_redundant.py
all_test_vpc_router_nics Skipped --- test_vpc_router_nics.py
all_test_vpc_vpn Skipped --- test_vpc_vpn.py
all_test_webhook_delivery Skipped --- test_webhook_delivery.py
all_test_webhook_lifecycle Skipped --- test_webhook_lifecycle.py
all_test_host_maintenance Skipped --- test_host_maintenance.py
all_test_hostha_kvm Skipped --- test_hostha_kvm.py

@borisstoyanov
Contributor

[SF] Trillian test result (tid-14236) Environment: vmware-80u3 (x2), zone: Advanced Networking with Mgmt server ol8 Total time taken: 80726 seconds Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11468-t14236-vmware-80u3.zip Smoke tests completed. 145 look OK, 2 have errors, 0 did not run Only failed and skipped tests results shown below:

Test Result Time (s) Test File
ContextSuite context=TestSharedFSLifecycle>:setup Error 0.00 test_sharedfs_lifecycle.py
test_01_ssl_offloading_isolated_network Failure 1882.23 test_ssl_offloading.py
test_01_ssl_offloading_isolated_network Error 1882.26 test_ssl_offloading.py
test_02_ssl_offloading_project_vpc Error 712.65 test_ssl_offloading.py
test_02_ssl_offloading_project_vpc Error 712.66 test_ssl_offloading.py
ContextSuite context=TestSslOffloading>:teardown Error 843.72 test_ssl_offloading.py

@weizhouapache this might be a potential issue, in the Marvin logs I see a bunch of:
"Exception: Warning: Exception during cleanup : HTTPConnectionPool(host='10.0.34.57', port=8080): Max retries exceeded with url: /client/api?jobid=f30b4774-a137-4419-8b08-92ab4fbf418c&command=queryAsyncJobResult&response=json&apiKey=LIN6rqXuaJwMPfGYFh13qDwYz5VNNz1J2J6qIOWcd3oLQOq0WtD4CwRundBL6rzXToa3lQOC_vKjI3nkHtiD8Q&signature=RzxkJU6oHq5zTGOYHIfarU%2BnNTo%3D (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f0bfa438550>: Failed to establish a new connection: [Errno 110] Connection timed out'))\n"]

@weizhouapache
Member Author

[SF] Trillian test result (tid-14236) Environment: vmware-80u3 (x2), zone: Advanced Networking with Mgmt server ol8 Total time taken: 80726 seconds Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11468-t14236-vmware-80u3.zip Smoke tests completed. 145 look OK, 2 have errors, 0 did not run Only failed and skipped tests results shown below:
Test Result Time (s) Test File
ContextSuite context=TestSharedFSLifecycle>:setup Error 0.00 test_sharedfs_lifecycle.py
test_01_ssl_offloading_isolated_network Failure 1882.23 test_ssl_offloading.py
test_01_ssl_offloading_isolated_network Error 1882.26 test_ssl_offloading.py
test_02_ssl_offloading_project_vpc Error 712.65 test_ssl_offloading.py
test_02_ssl_offloading_project_vpc Error 712.66 test_ssl_offloading.py
ContextSuite context=TestSslOffloading>:teardown Error 843.72 test_ssl_offloading.py

@weizhouapache this might be a potential issue, in Marvin logs I see bunch of: "Exception: Warning: Exception during cleanup : HTTPConnectionPool(host='10.0.34.57', port=8080): Max retries exceeded with url: /client/api?jobid=f30b4774-a137-4419-8b08-92ab4fbf418c&command=queryAsyncJobResult&response=json&apiKey=LIN6rqXuaJwMPfGYFh13qDwYz5VNNz1J2J6qIOWcd3oLQOq0WtD4CwRundBL6rzXToa3lQOC_vKjI3nkHtiD8Q&signature=RzxkJU6oHq5zTGOYHIfarU%2BnNTo%3D (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f0bfa438550>: Failed to establish a new connection: [Errno 110] Connection timed out'))\n"]

thanks @borisstoyanov looking into it
it looks like the mgmt server is not reachable, probably out-of-memory, let me re-kick the test

the failures with test_ssl_offloading.py are caused by the cloud-init template for vmware (ubuntu 22.04 cloud image does not work)

Contributor

@borisstoyanov borisstoyanov left a comment

LGTM

@rohityadavcloud
Member

LGTM, merging this based on reviews and QA.

@rohityadavcloud rohityadavcloud merged commit b46e29d into apache:main Sep 11, 2025
26 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Apache CloudStack 4.22.0 Sep 11, 2025
@blueorangutan

[SF] Trillian test result (tid-14315)
Environment: vmware-80u3 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 79654 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11468-t14315-vmware-80u3.zip
Smoke tests completed. 145 look OK, 2 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_05_ping_in_cpvm_success Failure 15.43 test_diagnostics.py
test_08_arping_in_ssvm Failure 5.22 test_diagnostics.py
test_09_arping_in_cpvm Failure 5.19 test_diagnostics.py
test_16_retrieve_ssvm_single_file Failure 9.28 test_diagnostics.py
test_17_retrieve_cpvm_default_files Failure 2.16 test_diagnostics.py
test_18_retrieve_cpvm_single_file Failure 1.13 test_diagnostics.py
test_04_extract_Iso Failure 1.13 test_iso.py

@DaanHoogland DaanHoogland deleted the 4.22-ssl-offloading branch September 15, 2025 07:13
dhslove pushed a commit to ablecloud-team/ablestack-cloud that referenced this pull request Sep 15, 2025
* SSL offloading with Virtual Router

* PR11468: fix pre-commit errors

* PR11468: api->getAPI/postAPI in UI

* SSL: add smoke tests for VPC in user project

* PR11468: address Daan's comments

* Fix test/integration/smoke/test_ssl_offloading.py

* SSL: remove ssl certificates when clean up account

* SSL offloading: add unit tests

* SSL offloading: UI fixes part 1

* SSL offloading: UI changes part 2

* SSL offloading: add more unit tests

* SSL offloading: more unit tests 3

* SSL offloading: wrong check

* SSL offloading: more and more unit tests

* SSL offloading: add testUpdateLoadBalancerRule5
@weizhouapache
Member Author

[SF] Trillian test result (tid-14315) Environment: vmware-80u3 (x2), zone: Advanced Networking with Mgmt server ol8 Total time taken: 79654 seconds Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11468-t14315-vmware-80u3.zip Smoke tests completed. 145 look OK, 2 have errors, 0 did not run Only failed and skipped tests results shown below:

Test Result Time (s) Test File
test_05_ping_in_cpvm_success Failure 15.43 test_diagnostics.py
test_08_arping_in_ssvm Failure 5.22 test_diagnostics.py
test_09_arping_in_cpvm Failure 5.19 test_diagnostics.py
test_16_retrieve_ssvm_single_file Failure 9.28 test_diagnostics.py
test_17_retrieve_cpvm_default_files Failure 2.16 test_diagnostics.py
test_18_retrieve_cpvm_single_file Failure 1.13 test_diagnostics.py
test_04_extract_Iso Failure 1.13 test_iso.py

manual check looks good

[root@pr11468-t14315-vmware-80u3-marvin ~]# cat /marvin//MarvinLogs/test_diagnostics_7VWRMC/results.txt 
test_01_1_create_iso_with_checksum_sha1_negative (smoke.test_iso.TestCreateISOWithChecksum) ... === TestName: test_01_1_create_iso_with_checksum_sha1_negative | Status : SUCCESS ===
ok
test_01_create_iso_with_checksum_sha1 (smoke.test_iso.TestCreateISOWithChecksum) ... === TestName: test_01_create_iso_with_checksum_sha1 | Status : SUCCESS ===
ok
test_02_1_create_iso_with_checksum_sha256_negative (smoke.test_iso.TestCreateISOWithChecksum) ... === TestName: test_02_1_create_iso_with_checksum_sha256_negative | Status : SUCCESS ===
ok
test_02_create_iso_with_checksum_sha256 (smoke.test_iso.TestCreateISOWithChecksum) ... === TestName: test_02_create_iso_with_checksum_sha256 | Status : SUCCESS ===
ok
test_03_1_create_iso_with_checksum_md5_negative (smoke.test_iso.TestCreateISOWithChecksum) ... === TestName: test_03_1_create_iso_with_checksum_md5_negative | Status : SUCCESS ===
ok
test_03_create_iso_with_checksum_md5 (smoke.test_iso.TestCreateISOWithChecksum) ... === TestName: test_03_create_iso_with_checksum_md5 | Status : SUCCESS ===
ok
test_04_create_iso_with_no_checksum (smoke.test_iso.TestCreateISOWithChecksum) ... === TestName: test_04_create_iso_with_no_checksum | Status : SUCCESS ===
ok
Test create public & private ISO ... === TestName: test_01_create_iso | Status : SUCCESS ===
ok
Test Edit ISO ... === TestName: test_02_edit_iso | Status : SUCCESS ===
ok
Test delete ISO ... === TestName: test_03_delete_iso | Status : SUCCESS ===
ok
Test for extract ISO ... === TestName: test_04_extract_Iso | Status : SUCCESS ===
ok
Update & Test for ISO permissions ... === TestName: test_05_iso_permissions | Status : SUCCESS ===
ok
Test for copy ISO from one zone to another ... SKIP: Not enough zones available to perform copy template
Test delete ISO ... === TestName: test_07_list_default_iso | Status : SUCCESS ===
ok
Test Ping command execution in VR ... === TestName: test_01_ping_in_vr_success | Status : SUCCESS ===
ok
Test Ping command execution in VR ... === TestName: test_02_ping_in_vr_failure | Status : SUCCESS ===
ok
Test Ping command execution in SSVM ... === TestName: test_03_ping_in_ssvm_success | Status : SUCCESS ===
ok
Test Ping command execution in SSVM ... === TestName: test_04_ping_in_ssvm_failure | Status : SUCCESS ===
ok
Test Ping command execution in CPVM ... === TestName: test_05_ping_in_cpvm_success | Status : SUCCESS ===
ok
Test Ping command execution in CPVM ... === TestName: test_06_ping_in_cpvm_failure | Status : SUCCESS ===
ok
Test Arping command execution in VR ... === TestName: test_07_arping_in_vr | Status : SUCCESS ===
ok
Test Arping command execution in SSVM ... === TestName: test_08_arping_in_ssvm | Status : SUCCESS ===
ok
Test Arping command execution in CPVM ... === TestName: test_09_arping_in_cpvm | Status : SUCCESS ===
ok
Test traceroute command execution in VR ... === TestName: test_10_traceroute_in_vr | Status : SUCCESS ===
ok
Test Traceroute command execution in SSVM ... === TestName: test_11_traceroute_in_ssvm | Status : SUCCESS ===
ok
Test Traceroute command execution in CPVMM ... === TestName: test_12_traceroute_in_cpvm | Status : SUCCESS ===
ok
test_13_retrieve_vr_default_files (smoke.test_diagnostics.TestRemoteDiagnostics) ... === TestName: test_13_retrieve_vr_default_files | Status : SUCCESS ===
ok
test_14_retrieve_vr_one_file (smoke.test_diagnostics.TestRemoteDiagnostics) ... === TestName: test_14_retrieve_vr_one_file | Status : SUCCESS ===
ok
test_15_retrieve_ssvm_default_files (smoke.test_diagnostics.TestRemoteDiagnostics) ... === TestName: test_15_retrieve_ssvm_default_files | Status : SUCCESS ===
ok
test_16_retrieve_ssvm_single_file (smoke.test_diagnostics.TestRemoteDiagnostics) ... === TestName: test_16_retrieve_ssvm_single_file | Status : SUCCESS ===
ok
test_17_retrieve_cpvm_default_files (smoke.test_diagnostics.TestRemoteDiagnostics) ... === TestName: test_17_retrieve_cpvm_default_files | Status : SUCCESS ===
ok
test_18_retrieve_cpvm_single_file (smoke.test_diagnostics.TestRemoteDiagnostics) ... === TestName: test_18_retrieve_cpvm_single_file | Status : SUCCESS ===
ok

----------------------------------------------------------------------
Ran 32 tests in 624.346s

OK (SKIP=1)

Projects

No open projects
Status: Done

Development

Successfully merging this pull request may close these issues.

Feature Request: SSL Offloading and HTTP-Based Load Balancing in CloudStack

6 participants