Queens Series Release Notes¶
17.0.4-13¶
New Features¶
Octavia requires SSL certificates for communication with the amphora. This adds the automatic creation of self signed certificates for this purpose. It uses different certificate authorities for amphora and control plane thus insuring maximum security.
Octavia is creating vms, securitygroups, and other things in its project. In most cases the default quotas are not big enough. This will adjust them to (configurable) reasonable values.
Security Issues¶
It is recommended that the certificate generation is always reviewed by security professionals since algorithms and key-lengths considered secure change all the time.
Avoid setting the quotas too high for your cloud since this can impact the performance of other servcies and lead to a potential Denial-of-Service attack if Loadbalancer quotas are not set properly or RBAC is not properly set up.
17.0.4¶
New Features¶
This consolidates the amphora image tasks in a common file and adds a way to download an amphora image from an artefact storage over http(s). With the Octavia team providing test images the tests were modified to not build images any longer but download them.
Security Issues¶
It is commonly considered bad practice to downlaod random images from the Internet expecially the test images the Octavia team provides which could potentially include unpatched operating system packages - so for any production deploy adjust the download url to an artifact storage your organization controls. The system also does not authenticate the image (e.g. with an md5) so should only be used on networks your organization controls.
17.0.0¶
New Features¶
Adds a new flag to enable Octavia V2 API (disabled by default) to facilitate to run Octavia stand alone (without Neutron)
Adds a new flag to toggle Octavia V1 API (the API needed to run in conjunction with Neutron) and enables it by default.
A typical OSA install will put the neutron and octavia queues on different vhosts thus preventing the event streamer from working While octavia is streaming to its own queue the consumer on the neutron side listens to the neutron queue. With a recent octavia enhancement a separate queue for the event streamer can be configured. This patch will set up the event streamer to post into the neutron queue using neutron’s credentials. Thus reaching the consumer on the neutron-lbaas side and allowing for streaming.
Security Issues¶
Since we use neutron’s credentials to access the queue, security conscious people might want to set up an extra user for octavia on the neutron queue restricted to the topics octavia posts to.