Merge "Fixing TLS configuration issues"
commit
0e0a40b2f5
|
@ -14,6 +14,7 @@
|
||||||
|
|
||||||
from barbicanclient import client as barbican_client
|
from barbicanclient import client as barbican_client
|
||||||
from neutron.i18n import _LI, _LW, _LE
|
from neutron.i18n import _LI, _LW, _LE
|
||||||
|
from neutron.plugins.common import constants
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
from oslo_utils import excutils
|
from oslo_utils import excutils
|
||||||
|
@ -169,13 +170,13 @@ class CertManager(cert_manager.CertManager):
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def get_cert(cert_ref, service_name='lbaas',
|
def get_cert(cert_ref, service_name='lbaas',
|
||||||
resource_ref=None,
|
lb_id=None,
|
||||||
check_only=False, **kwargs):
|
check_only=False, **kwargs):
|
||||||
"""Retrieves the specified cert and registers as a consumer.
|
"""Retrieves the specified cert and registers as a consumer.
|
||||||
|
|
||||||
:param cert_ref: the UUID of the cert to retrieve
|
:param cert_ref: the UUID of the cert to retrieve
|
||||||
:param service_name: Friendly name for the consuming service
|
:param service_name: Friendly name for the consuming service
|
||||||
:param resource_ref: Full HATEOAS reference to the consuming resource
|
:param lb_id: Loadbalancer id for building resource consumer URL
|
||||||
:param check_only: Read Certificate data without registering
|
:param check_only: Read Certificate data without registering
|
||||||
|
|
||||||
:return: octavia.certificates.common.Cert representation of the
|
:return: octavia.certificates.common.Cert representation of the
|
||||||
|
@ -196,7 +197,7 @@ class CertManager(cert_manager.CertManager):
|
||||||
cert_container = connection.containers.register_consumer(
|
cert_container = connection.containers.register_consumer(
|
||||||
container_ref=cert_ref,
|
container_ref=cert_ref,
|
||||||
name=service_name,
|
name=service_name,
|
||||||
url=resource_ref
|
url=CertManager._get_service_url(lb_id)
|
||||||
)
|
)
|
||||||
return Cert(cert_container)
|
return Cert(cert_container)
|
||||||
except Exception:
|
except Exception:
|
||||||
|
@ -204,12 +205,12 @@ class CertManager(cert_manager.CertManager):
|
||||||
LOG.exception(_LE("Error getting {0}").format(cert_ref))
|
LOG.exception(_LE("Error getting {0}").format(cert_ref))
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def delete_cert(cert_ref, resource_ref, service_name='lbaas', **kwargs):
|
def delete_cert(cert_ref, lb_id, service_name='lbaas', **kwargs):
|
||||||
"""Deregister as a consumer for the specified cert.
|
"""Deregister as a consumer for the specified cert.
|
||||||
|
|
||||||
:param cert_ref: the UUID of the cert to retrieve
|
:param cert_ref: the UUID of the cert to retrieve
|
||||||
:param service_name: Friendly name for the consuming service
|
:param service_name: Friendly name for the consuming service
|
||||||
:param resource_ref: Full HATEOAS reference to the consuming resource
|
:param lb_id: Loadbalancer id for building resource consumer URL
|
||||||
|
|
||||||
:raises Exception: if deregistration fails
|
:raises Exception: if deregistration fails
|
||||||
"""
|
"""
|
||||||
|
@ -222,7 +223,7 @@ class CertManager(cert_manager.CertManager):
|
||||||
connection.containers.remove_consumer(
|
connection.containers.remove_consumer(
|
||||||
container_ref=cert_ref,
|
container_ref=cert_ref,
|
||||||
name=service_name,
|
name=service_name,
|
||||||
url=resource_ref
|
url=CertManager._get_service_url(lb_id)
|
||||||
)
|
)
|
||||||
except Exception:
|
except Exception:
|
||||||
with excutils.save_and_reraise_exception():
|
with excutils.save_and_reraise_exception():
|
||||||
|
@ -256,3 +257,12 @@ class CertManager(cert_manager.CertManager):
|
||||||
LOG.exception(_LE(
|
LOG.exception(_LE(
|
||||||
"Error recursively deleting certificate container {0}"
|
"Error recursively deleting certificate container {0}"
|
||||||
).format(cert_ref))
|
).format(cert_ref))
|
||||||
|
|
||||||
|
@staticmethod
|
||||||
|
def _get_service_url(lb_id):
|
||||||
|
# Format: <servicename>://<region>/<resource>/<object_id>
|
||||||
|
return "{0}://{1}/{2}/{3}".format(
|
||||||
|
cfg.CONF.service_auth.service_name,
|
||||||
|
cfg.CONF.service_auth.region,
|
||||||
|
constants.LOADBALANCER,
|
||||||
|
lb_id)
|
||||||
|
|
|
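Review bot: `get_cert` now defaults `lb_id=None` while still accepting `**kwargs`, so a caller that keeps passing `resource_ref=...` is silently absorbed and `register_consumer` receives a URL from `_get_service_url(None)` that ends in `/None`. The plugin's `listener.get('loadbalancer_id')` fallback can feed the same `None`, and `delete_cert`'s second positional argument changed meaning from a full URL to an id without any check. A consumer registered under the wrong URL would presumably never be matched by a later `remove_consumer`, leaving a stale consumer entry on the secret container. Consider failing fast in `_get_service_url`, for example `if not lb_id: raise ValueError("lb_id is required to build the consumer URL")`, and give it a one-line docstring saying the result is the consumer identity Barbican matches on. The bodies of `get_cert` and `delete_cert` extend outside the visible hunks, so the `check_only` path could not be checked.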
@ -566,14 +566,17 @@ class LoadBalancerPluginv2(loadbalancerv2.LoadBalancerPluginBaseV2):
|
||||||
def _validate_tls(self, listener, curr_listener=None):
|
def _validate_tls(self, listener, curr_listener=None):
|
||||||
def validate_tls_container(container_ref):
|
def validate_tls_container(container_ref):
|
||||||
cert_container = None
|
cert_container = None
|
||||||
|
lb_id = None
|
||||||
|
|
||||||
if curr_listener:
|
if curr_listener:
|
||||||
service_url = self._get_service_url(curr_listener)
|
lb_id = curr_listener['loadbalancer_id']
|
||||||
else:
|
else:
|
||||||
service_url = self._get_service_url(listener)
|
lb_id = listener.get('loadbalancer_id')
|
||||||
|
|
||||||
try:
|
try:
|
||||||
cert_container = CERT_MANAGER_PLUGIN.CertManager.get_cert(
|
cert_container = CERT_MANAGER_PLUGIN.CertManager.get_cert(
|
||||||
container_ref,
|
container_ref,
|
||||||
resource_ref=service_url)
|
lb_id=lb_id)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
if hasattr(e, 'status_code') and e.status_code == 404:
|
if hasattr(e, 'status_code') and e.status_code == 404:
|
||||||
raise loadbalancerv2.TLSContainerNotFound(
|
raise loadbalancerv2.TLSContainerNotFound(
|
||||||
|
@ -593,7 +596,7 @@ class LoadBalancerPluginv2(loadbalancerv2.LoadBalancerPluginBaseV2):
|
||||||
intermediates=cert_container.get_intermediates())
|
intermediates=cert_container.get_intermediates())
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
CERT_MANAGER_PLUGIN.CertManager.delete_cert(
|
CERT_MANAGER_PLUGIN.CertManager.delete_cert(
|
||||||
container_ref, self._get_service_url(listener))
|
container_ref, lb_id)
|
||||||
raise loadbalancerv2.TLSContainerInvalid(
|
raise loadbalancerv2.TLSContainerInvalid(
|
||||||
container_id=container_ref, reason=str(e))
|
container_id=container_ref, reason=str(e))
|
||||||
|
|
||||||
|
@ -629,14 +632,6 @@ class LoadBalancerPluginv2(loadbalancerv2.LoadBalancerPluginBaseV2):
|
||||||
|
|
||||||
return len(to_validate) > 0
|
return len(to_validate) > 0
|
||||||
|
|
||||||
def _get_service_url(self, listener):
|
|
||||||
# Format: <servicename>://<region>/<resource>/<object_id>
|
|
||||||
return "{0}://{1}/{2}/{3}".format(
|
|
||||||
cfg.CONF.service_auth.service_name,
|
|
||||||
cfg.CONF.service_auth.region,
|
|
||||||
constants.LOADBALANCER,
|
|
||||||
listener['loadbalancer_id'])
|
|
||||||
|
|
||||||
def create_listener(self, context, listener):
|
def create_listener(self, context, listener):
|
||||||
listener = listener.get('listener')
|
listener = listener.get('listener')
|
||||||
lb_id = listener.get('loadbalancer_id')
|
lb_id = listener.get('loadbalancer_id')
|
||||||
|
|
|
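Review bot: The cleanup call `CERT_MANAGER_PLUGIN.CertManager.delete_cert(container_ref, lb_id)` in the second `except` block of `validate_tls_container` is unguarded, and `delete_cert` re-raises on failure via `save_and_reraise_exception()`. A Barbican error during deregistration would therefore replace the intended `TLSContainerInvalid` and leave the consumer registered on the container. Wrapping that one call in its own `try`/`except Exception` that logs the failure and continues would keep the validation error as the one the API caller sees. `_validate_tls` starts and ends outside the visible hunks, so any handling further down could not be checked.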
@ -18,6 +18,7 @@ import mock
|
||||||
import neutron_lbaas.common.cert_manager.barbican_cert_manager as bbq_common
|
import neutron_lbaas.common.cert_manager.barbican_cert_manager as bbq_common
|
||||||
from neutron_lbaas.common import keystone
|
from neutron_lbaas.common import keystone
|
||||||
import neutron_lbaas.tests.base as base
|
import neutron_lbaas.tests.base as base
|
||||||
|
from oslo_config import cfg
|
||||||
|
|
||||||
|
|
||||||
class TestBarbicanAuth(base.BaseTestCase):
|
class TestBarbicanAuth(base.BaseTestCase):
|
||||||
|
@ -51,6 +52,18 @@ class TestBarbicanAuth(base.BaseTestCase):
|
||||||
bc2 = bbq_common.BarbicanKeystoneAuth.get_barbican_client()
|
bc2 = bbq_common.BarbicanKeystoneAuth.get_barbican_client()
|
||||||
self.assertIs(bc1, bc2)
|
self.assertIs(bc1, bc2)
|
||||||
|
|
||||||
|
def test_get_service_url(self):
|
||||||
|
# Format: <servicename>://<region>/<resource>/<object_id>
|
||||||
|
cfg.CONF.set_override('service_name',
|
||||||
|
'lbaas',
|
||||||
|
'service_auth')
|
||||||
|
cfg.CONF.set_override('region',
|
||||||
|
'RegionOne',
|
||||||
|
'service_auth')
|
||||||
|
self.assertEqual(
|
||||||
|
'lbaas://RegionOne/LOADBALANCER/LB-ID',
|
||||||
|
bbq_common.CertManager._get_service_url('LB-ID'))
|
||||||
|
|
||||||
|
|
||||||
class TestBarbicanCert(base.BaseTestCase):
|
class TestBarbicanCert(base.BaseTestCase):
|
||||||
|
|
||||||
|
|
|
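Review bot: `test_get_service_url` covers only a well-formed id, although `get_cert` in the manager defaults `lb_id` to `None`; a second assertion pinning what `CertManager._get_service_url(None)` is expected to do would document that contract and catch a consumer URL ending in `/None`. The test also sits in `TestBarbicanAuth` while exercising `CertManager`, so it may read better next to the other manager tests, if such a class exists further down the file.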
@ -925,21 +925,6 @@ class LbaasListenerTests(ListenerTestBase):
|
||||||
context.get_admin_context(),
|
context.get_admin_context(),
|
||||||
{'listener': listener_data})
|
{'listener': listener_data})
|
||||||
|
|
||||||
def test_get_service_url(self):
|
|
||||||
# Format: <servicename>://<region>/<resource>/<object_id>
|
|
||||||
cfg.CONF.set_override('service_name',
|
|
||||||
'lbaas',
|
|
||||||
'service_auth')
|
|
||||||
cfg.CONF.set_override('region',
|
|
||||||
'RegionOne',
|
|
||||||
'service_auth')
|
|
||||||
listner = {
|
|
||||||
'loadbalancer_id': self.lb_id
|
|
||||||
}
|
|
||||||
self.assertEqual(
|
|
||||||
'lbaas://RegionOne/LOADBALANCER/{0}'.format(self.lb_id),
|
|
||||||
self.plugin._get_service_url(listner))
|
|
||||||
|
|
||||||
def test_create_listener_with_tls_invalid_container(self, **extras):
|
def test_create_listener_with_tls_invalid_container(self, **extras):
|
||||||
default_tls_container_ref = uuidutils.generate_uuid()
|
default_tls_container_ref = uuidutils.generate_uuid()
|
||||||
cfg.CONF.set_override('service_name',
|
cfg.CONF.set_override('service_name',
|
||||||
|
@ -977,7 +962,7 @@ class LbaasListenerTests(ListenerTestBase):
|
||||||
{'listener': listener_data})
|
{'listener': listener_data})
|
||||||
rm_consumer_mock.assert_called_once_with(
|
rm_consumer_mock.assert_called_once_with(
|
||||||
listener_data['default_tls_container_ref'],
|
listener_data['default_tls_container_ref'],
|
||||||
'lbaas://RegionOne/LOADBALANCER/{0}'.format(self.lb_id))
|
self.lb_id)
|
||||||
|
|
||||||
def test_create_listener_with_tls(self, **extras):
|
def test_create_listener_with_tls(self, **extras):
|
||||||
default_tls_container_ref = uuidutils.generate_uuid()
|
default_tls_container_ref = uuidutils.generate_uuid()
|
||||||
|
|