Add crl-file option for certification

Add crl-file in Listener side. Story: 2002165 Co-Authored-By: Michael Johnson <johnsomor@gmail.com> Change-Id: I9e2ec06719fbbfd19482c2b8d39220e7e4ed81e3
2018-10-17 15:04:12 +08:00 · 2018-10-17 15:04:12 +08:00 · 20509e2337
commit 20509e2337
parent 7a8eb3ce22
29 changed files with 543 additions and 74 deletions
--- a/api-ref/source/parameters.yaml
+++ b/api-ref/source/parameters.yaml
@ -282,6 +282,24 @@ client_ca_tls_container_ref-optional:
  min_version: 2.8
  required: false
  type: string
 client_crl_container_ref:
  description: |
    The URI of the `key manager service
    <https://docs.openstack.org/castellan/latest/>`__ secret containing a
    PEM format CA revocation list file for ``TERMINATED_TLS`` listeners.
  in: body
  min_version: 2.8
  required: true
  type: string
 client_crl_container_ref-optional:
  description: |
    The URI of the `key manager service
    <https://docs.openstack.org/castellan/latest/>`__ secret containing a
    PEM format CA revocation list file for ``TERMINATED_TLS`` listeners.
  in: body
  min_version: 2.8
  required: false
  type: string
 compute-flavor:
  description: |
    The ID of the compute flavor used for the amphora.
--- a/api-ref/source/v2/examples/listener-create-curl
+++ b/api-ref/source/v2/examples/listener-create-curl
@ -1 +1 @@
-curl -X POST -H "Content-Type: application/json" -H "X-Auth-Token: <token>" -d '{"listener": {"protocol": "TERMINATED_HTTPS", "description": "A great TLS listener", "admin_state_up": true, "connection_limit": 200, "protocol_port": "443", "loadbalancer_id": "607226db-27ef-4d41-ae89-f2a800e9c2db", "name": "great_tls_listener", "insert_headers": {"X-Forwarded-For": "true", "X-Forwarded-Port": "true"}, "default_tls_container_ref": "http://198.51.100.10:9311/v1/containers/a570068c-d295-4780-91d4-3046a325db51", "sni_container_refs": ["http://198.51.100.10:9311/v1/containers/a570068c-d295-4780-91d4-3046a325db51", "http://198.51.100.10:9311/v1/containers/aaebb31e-7761-4826-8cb4-2b829caca3ee"], "timeout_client_data": 50000, "timeout_member_connect": 5000, "timeout_member_data": 50000, "timeout_tcp_inspect": 0, "tags": ["test_tag"], "client_ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/35649991-49f3-4625-81ce-2465fe8932e5", "client_authentication": "MANDATORY"}}' http://198.51.100.10:9876/v2/lbaas/listeners
+curl -X POST -H "Content-Type: application/json" -H "X-Auth-Token: <token>" -d '{"listener": {"protocol": "TERMINATED_HTTPS", "description": "A great TLS listener", "admin_state_up": true, "connection_limit": 200, "protocol_port": "443", "loadbalancer_id": "607226db-27ef-4d41-ae89-f2a800e9c2db", "name": "great_tls_listener", "insert_headers": {"X-Forwarded-For": "true", "X-Forwarded-Port": "true"}, "default_tls_container_ref": "http://198.51.100.10:9311/v1/containers/a570068c-d295-4780-91d4-3046a325db51", "sni_container_refs": ["http://198.51.100.10:9311/v1/containers/a570068c-d295-4780-91d4-3046a325db51", "http://198.51.100.10:9311/v1/containers/aaebb31e-7761-4826-8cb4-2b829caca3ee"], "timeout_client_data": 50000, "timeout_member_connect": 5000, "timeout_member_data": 50000, "timeout_tcp_inspect": 0, "tags": ["test_tag"], "client_ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/35649991-49f3-4625-81ce-2465fe8932e5", "client_authentication": "MANDATORY", "client_crl_container_ref": "http://198.51.100.10:9311/v1/containers/e222b065-b93b-4e2a-9a02-804b7a118c3c"}}' http://198.51.100.10:9876/v2/lbaas/listeners
--- a/api-ref/source/v2/examples/listener-create-request.json
+++ b/api-ref/source/v2/examples/listener-create-request.json
@ -22,6 +22,7 @@
        "timeout_tcp_inspect": 0,
        "tags": ["test_tag"],
        "client_ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/35649991-49f3-4625-81ce-2465fe8932e5",
-        "client_authentication": "MANDATORY"
+        "client_authentication": "MANDATORY",
        "client_crl_container_ref": "http://198.51.100.10:9311/v1/containers/e222b065-b93b-4e2a-9a02-804b7a118c3c"
    }
 }
--- a/api-ref/source/v2/examples/listener-create-response.json
+++ b/api-ref/source/v2/examples/listener-create-response.json
@ -37,6 +37,7 @@
        "timeout_tcp_inspect": 0,
        "tags": ["test_tag"],
        "client_ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/35649991-49f3-4625-81ce-2465fe8932e5",
-        "client_authentication": "MANDATORY"
+        "client_authentication": "MANDATORY",
        "client_crl_container_ref": "http://198.51.100.10:9311/v1/containers/e222b065-b93b-4e2a-9a02-804b7a118c3c"
    }
 }
--- a/api-ref/source/v2/examples/listener-show-response.json
+++ b/api-ref/source/v2/examples/listener-show-response.json
@ -37,6 +37,7 @@
        "timeout_tcp_inspect": 0,
        "tags": ["test_tag"],
        "client_ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/35649991-49f3-4625-81ce-2465fe8932e5",
-        "client_authentication": "MANDATORY"
+        "client_authentication": "MANDATORY",
        "client_crl_container_ref": "http://198.51.100.10:9311/v1/containers/e222b065-b93b-4e2a-9a02-804b7a118c3c"
    }
 }
--- a/api-ref/source/v2/examples/listener-update-response.json
+++ b/api-ref/source/v2/examples/listener-update-response.json
@ -37,6 +37,7 @@
        "timeout_tcp_inspect": 5,
        "tags": ["updated_tag"],
        "client_ca_tls_container_ref": null,
-        "client_authentication": "NONE"
+        "client_authentication": "NONE",
        "client_crl_container_ref": null
    }
 }
--- a/api-ref/source/v2/examples/listeners-list-response.json
+++ b/api-ref/source/v2/examples/listeners-list-response.json
@ -39,7 +39,8 @@
            "timeout_tcp_inspect": 0,
            "tags": ["test_tag"],
            "client_ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/35649991-49f3-4625-81ce-2465fe8932e5",
-            "client_authentication": "NONE"
+            "client_authentication": "NONE",
            "client_crl_container_ref": "http://198.51.100.10:9311/v1/containers/e222b065-b93b-4e2a-9a02-804b7a118c3c"
        }
    ]
 }
--- a/api-ref/source/v2/listener.inc
+++ b/api-ref/source/v2/listener.inc
@ -48,6 +48,7 @@ Response Parameters
   - admin_state_up: admin_state_up
   - client_authentication: client_authentication
   - client_ca_tls_container_ref: client_ca_tls_container_ref
   - client_crl_container_ref: client_crl_container_ref
   - connection_limit: connection_limit
   - created_at: created_at
   - default_pool_id: default_pool_id
@ -140,6 +141,7 @@ Request
   - admin_state_up: admin_state_up-default-optional
   - client_authentication: client_authentication-optional
   - client_ca_tls_container_ref: client_ca_tls_container_ref-optional
   - client_crl_container_ref: client_crl_container_ref-optional
   - connection_limit: connection_limit-optional
   - default_pool: pool-optional
   - default_pool_id: default_pool_id-optional
@ -210,6 +212,7 @@ Response Parameters
   - admin_state_up: admin_state_up
   - client_authentication: client_authentication
   - client_ca_tls_container_ref: client_ca_tls_container_ref
   - client_crl_container_ref: client_crl_container_ref
   - connection_limit: connection_limit
   - created_at: created_at
   - default_pool_id: default_pool_id
@ -286,6 +289,7 @@ Response Parameters
   - admin_state_up: admin_state_up
   - client_authentication: client_authentication
   - client_ca_tls_container_ref: client_ca_tls_container_ref
   - client_crl_container_ref: client_crl_container_ref
   - connection_limit: connection_limit
   - created_at: created_at
   - default_pool_id: default_pool_id
@ -352,6 +356,7 @@ Request
   - admin_state_up: admin_state_up-default-optional
   - client_authentication: client_authentication-optional
   - client_ca_tls_container_ref: client_ca_tls_container_ref-optional
   - client_crl_container_ref: client_crl_container_ref-optional
   - connection_limit: connection_limit-optional
   - default_pool_id: default_pool_id-optional
   - default_tls_container_ref: default_tls_container_ref-optional
@ -386,6 +391,7 @@ Response Parameters
   - admin_state_up: admin_state_up
   - client_authentication: client_authentication
   - client_ca_tls_container_ref: client_ca_tls_container_ref
   - client_crl_container_ref: client_crl_container_ref
   - connection_limit: connection_limit
   - created_at: created_at
   - default_pool_id: default_pool_id
--- a/doc/source/contributor/guides/providers.rst
+++ b/doc/source/contributor/guides/providers.rst
@ -373,6 +373,11 @@ contain the following:
 | client_ca_tls_container_ref  | string | The reference to the secrets        |
 |                              |        | container.                          |
 +------------------------------+--------+-------------------------------------+
 | client_crl_container_data    | string | A PEM encoded CRL file.             |
 +------------------------------+--------+-------------------------------------+
 | client_crl_container_ref     | string | The reference to the secrets        |
 |                              |        | container.                          |
 +------------------------------+--------+-------------------------------------+
 | connection_limit             | int    | The max number of connections       |
 |                              |        | permitted for this listener. Default|
 |                              |        | is -1, which is infinite            |
--- a/octavia/amphorae/drivers/haproxy/rest_api_driver.py
+++ b/octavia/amphorae/drivers/haproxy/rest_api_driver.py
@ -118,13 +118,16 @@ class HaproxyAmphoraLoadBalancerDriver(
                certs = self._process_tls_certificates(listener)
                client_ca_filename = self._process_secret(
                    listener, listener.client_ca_tls_certificate_id)
                crl_filename = self._process_secret(
                    listener, listener.client_crl_container_id)
                # Generate HaProxy configuration from listener object
                config = self.jinja.build_config(
                    host_amphora=amp, listener=listener,
                    tls_cert=certs['tls_cert'],
                    haproxy_versions=haproxy_versions,
-                    client_ca_filename=client_ca_filename)
+                    client_ca_filename=client_ca_filename,
                    client_crl=crl_filename)
                self.client.upload_config(amp, listener.id, config,
                                          timeout_dict=timeout_dict)
                self.client.reload_listener(amp, listener.id,
@ -156,6 +159,8 @@ class HaproxyAmphoraLoadBalancerDriver(
            certs = self._process_tls_certificates(listener)
            client_ca_filename = self._process_secret(
                listener, listener.client_ca_tls_certificate_id)
            crl_filename = self._process_secret(
                listener, listener.client_crl_container_id)
            for amp in listener.load_balancer.amphorae:
                if amp.status != consts.DELETED:
@ -167,7 +172,8 @@ class HaproxyAmphoraLoadBalancerDriver(
                        host_amphora=amp, listener=listener,
                        tls_cert=certs['tls_cert'],
                        haproxy_versions=haproxy_versions,
-                        client_ca_filename=client_ca_filename)
+                        client_ca_filename=client_ca_filename,
                        client_crl=crl_filename)
                    self.client.upload_config(amp, listener.id, config)
                    self.client.reload_listener(amp, listener.id)
--- a/octavia/api/drivers/data_models.py
+++ b/octavia/api/drivers/data_models.py
@ -135,7 +135,8 @@ class Listener(BaseDataModel):
                 timeout_member_connect=Unset, timeout_member_data=Unset,
                 timeout_tcp_inspect=Unset, client_ca_tls_container_ref=Unset,
                 client_ca_tls_container_data=Unset,
-                 client_authentication=Unset):
+                 client_authentication=Unset, client_crl_container_ref=Unset,
                 client_crl_container_data=Unset):
        self.admin_state_up = admin_state_up
        self.connection_limit = connection_limit
@ -160,6 +161,8 @@ class Listener(BaseDataModel):
        self.client_ca_tls_container_ref = client_ca_tls_container_ref
        self.client_ca_tls_container_data = client_ca_tls_container_data
        self.client_authentication = client_authentication
        self.client_crl_container_ref = client_crl_container_ref
        self.client_crl_container_data = client_crl_container_data
 class Pool(BaseDataModel):
--- a/octavia/api/drivers/utils.py
+++ b/octavia/api/drivers/utils.py
@ -184,7 +184,9 @@ def listener_dict_to_provider_dict(listener_dict):
    if 'client_ca_tls_certificate_id' in new_listener_dict:
        new_listener_dict['client_ca_tls_container_ref'] = (
            new_listener_dict.pop('client_ca_tls_certificate_id'))
-
+    if 'client_crl_container_id' in new_listener_dict:
        new_listener_dict['client_crl_container_ref'] = (
            new_listener_dict.pop('client_crl_container_id'))
    listener_obj = data_models.Listener(**listener_dict)
    if (listener_obj.tls_certificate_id or listener_obj.sni_containers or
            listener_obj.client_ca_tls_certificate_id):
@ -220,6 +222,10 @@ def listener_dict_to_provider_dict(listener_dict):
            cert = _get_secret_data(cert_manager, listener_obj,
                                    listener_obj.client_ca_tls_certificate_id)
            new_listener_dict['client_ca_tls_container_data'] = cert
        if listener_obj.client_crl_container_id:
            crl_file = _get_secret_data(cert_manager, listener_obj,
                                        listener_obj.client_crl_container_id)
            new_listener_dict['client_crl_container_data'] = crl_file
    # Remove the DB back references
    if 'load_balancer' in new_listener_dict:
--- a/octavia/api/v2/controllers/listener.py
+++ b/octavia/api/v2/controllers/listener.py
@ -142,7 +142,7 @@ class ListenersController(base.BaseController):
        if bad_refs:
            raise exceptions.CertificateRetrievalException(ref=bad_refs)
-    def _validate_client_ca_ref(self, client_ca_ref):
+    def _validate_client_ca_and_crl_refs(self, client_ca_ref, crl_ref):
        context = pecan.request.context.get('octavia_context')
        bad_refs = []
        try:
@ -151,23 +151,51 @@ class ListenersController(base.BaseController):
        except Exception:
            bad_refs.append(client_ca_ref)
-        # This will be used in a later patch
+        pem_crl = None
        if crl_ref:
            try:
                self.cert_manager.set_acls(context, crl_ref)
                pem_crl = self.cert_manager.get_secret(context, crl_ref)
            except Exception:
                bad_refs.append(crl_ref)
        if bad_refs:
            raise exceptions.CertificateRetrievalException(ref=bad_refs)
        ca_cert = None
        try:
            # Test if it needs to be UTF-8 encoded
            try:
                ca_pem = ca_pem.encode('utf-8')
            except AttributeError:
                pass
-            x509.load_pem_x509_certificate(ca_pem, default_backend())
+            ca_cert = x509.load_pem_x509_certificate(ca_pem, default_backend())
        except Exception as e:
            raise exceptions.ValidationException(detail=_(
                "The client authentication CA certificate is invalid. "
                "It must be a valid x509 PEM format certificate. "
                "Error: %s") % str(e))
        # Validate the CRL is for the client CA
        if pem_crl:
            ca_pub_key = ca_cert.public_key()
            crl = None
            # Test if it needs to be UTF-8 encoded
            try:
                pem_crl = pem_crl.encode('utf-8')
            except AttributeError:
                pass
            try:
                crl = x509.load_pem_x509_crl(pem_crl, default_backend())
            except Exception as e:
                raise exceptions.ValidationException(detail=_(
                    "The client authentication certificate revocation list "
                    "is invalid. It must be a valid x509 PEM format "
                    "certificate revocation list. Error: %s") % str(e))
            if not crl.is_signature_valid(ca_pub_key):
                raise exceptions.ValidationException(detail=_(
                    "The CRL specified is not valid for client certificate "
                    "authority reference supplied."))
    def _has_tls_container_refs(self, listener_dict):
        return (listener_dict.get('tls_certificate_id') or
                listener_dict.get('client_ca_tls_container_id') or
@ -239,15 +267,27 @@ class ListenersController(base.BaseController):
                "container reference.") %
                listener_dict.get('client_authentication'))
-        try:
+        # Make sure we have a client CA if they specify a CRL
        if (listener_dict.get('client_crl_container_id') and
                not listener_dict.get('client_ca_tls_certificate_id')):
            raise exceptions.ValidationException(detail=_(
                "A client authentication CA reference is required to "
                "specify a client authentication revocation list."))
        # Validate the TLS containers
        sni_containers = listener_dict.pop('sni_containers', [])
        tls_refs = [sni['tls_container_id'] for sni in sni_containers]
        if listener_dict.get('tls_certificate_id'):
            tls_refs.append(listener_dict.get('tls_certificate_id'))
        self._validate_tls_refs(tls_refs)
        # Validate the client CA cert and optional client CRL
        if listener_dict.get('client_ca_tls_certificate_id'):
-                self._validate_client_ca_ref(
+            self._validate_client_ca_and_crl_refs(
-                    listener_dict.get('client_ca_tls_certificate_id'))
+                listener_dict.get('client_ca_tls_certificate_id'),
                listener_dict.get('client_crl_container_id', None))
        try:
            db_listener = self.repositories.listener.create(
                lock_session, **listener_dict)
            if sni_containers:
@ -406,8 +446,28 @@ class ListenersController(base.BaseController):
        if listener.default_tls_container_ref:
            tls_refs.append(listener.default_tls_container_ref)
        self._validate_tls_refs(tls_refs)
-        if listener.client_ca_tls_container_ref:
+
-            self._validate_client_ca_ref(listener.client_ca_tls_container_ref)
+        ca_ref = None
        if (listener.client_ca_tls_container_ref and
                listener.client_ca_tls_container_ref != wtypes.Unset):
            ca_ref = listener.client_ca_tls_container_ref
        elif db_listener.client_ca_tls_certificate_id:
            ca_ref = db_listener.client_ca_tls_certificate_id
        crl_ref = None
        if (listener.client_crl_container_ref and
                listener.client_crl_container_ref != wtypes.Unset):
            crl_ref = listener.client_crl_container_ref
        elif db_listener.client_crl_container_id:
            crl_ref = db_listener.client_crl_container_id
        if crl_ref and not ca_ref:
            raise exceptions.ValidationException(detail=_(
                "A client authentication CA reference is required to "
                "specify a client authentication revocation list."))
        if ca_ref or crl_ref:
            self._validate_client_ca_and_crl_refs(ca_ref, crl_ref)
    @wsme_pecan.wsexpose(listener_types.ListenerRootResponse, wtypes.text,
                         body=listener_types.ListenerRootPUT, status_code=200)
--- a/octavia/api/v2/types/listener.py
+++ b/octavia/api/v2/types/listener.py
@ -28,7 +28,8 @@ class BaseListenerType(types.BaseType):
    _type_to_model_map = {
        'admin_state_up': 'enabled',
        'default_tls_container_ref': 'tls_certificate_id',
-        'client_ca_tls_container_ref': 'client_ca_tls_certificate_id'}
+        'client_ca_tls_container_ref': 'client_ca_tls_certificate_id',
        'client_crl_container_ref': 'client_crl_container_id'}
    _child_map = {}
@ -59,6 +60,7 @@ class ListenerResponse(BaseListenerType):
    tags = wtypes.wsattr(wtypes.ArrayType(wtypes.StringType()))
    client_ca_tls_container_ref = wtypes.StringType()
    client_authentication = wtypes.wsattr(wtypes.StringType())
    client_crl_container_ref = wtypes.wsattr(wtypes.StringType())
    @classmethod
    def from_data_model(cls, data_model, children=False):
@ -142,6 +144,7 @@ class ListenerPOST(BaseListenerType):
    client_authentication = wtypes.wsattr(
        wtypes.Enum(str, *constants.SUPPORTED_CLIENT_AUTH_MODES),
        default=constants.CLIENT_AUTH_NONE)
    client_crl_container_ref = wtypes.StringType(max_length=255)
 class ListenerRootPOST(types.BaseType):
@ -177,6 +180,7 @@ class ListenerPUT(BaseListenerType):
    client_ca_tls_container_ref = wtypes.StringType(max_length=255)
    client_authentication = wtypes.wsattr(
        wtypes.Enum(str, *constants.SUPPORTED_CLIENT_AUTH_MODES))
    client_crl_container_ref = wtypes.StringType(max_length=255)
 class ListenerRootPUT(types.BaseType):
@ -224,6 +228,7 @@ class ListenerSingleCreate(BaseListenerType):
    client_authentication = wtypes.wsattr(
        wtypes.Enum(str, *constants.SUPPORTED_CLIENT_AUTH_MODES),
        default=constants.CLIENT_AUTH_NONE)
    client_crl_container_ref = wtypes.StringType(max_length=255)
 class ListenerStatusResponse(BaseListenerType):
--- a/octavia/common/data_models.py
+++ b/octavia/common/data_models.py
@ -369,7 +369,7 @@ class Listener(BaseDataModel):
                 timeout_client_data=None, timeout_member_connect=None,
                 timeout_member_data=None, timeout_tcp_inspect=None,
                 tags=None, client_ca_tls_certificate_id=None,
-                 client_authentication=None):
+                 client_authentication=None, client_crl_container_id=None):
        self.id = id
        self.project_id = project_id
        self.name = name
@ -400,6 +400,7 @@ class Listener(BaseDataModel):
        self.tags = tags
        self.client_ca_tls_certificate_id = client_ca_tls_certificate_id
        self.client_authentication = client_authentication
        self.client_crl_container_id = client_crl_container_id
    def update(self, update_dict):
        for key, value in update_dict.items():
--- a/octavia/common/jinja/haproxy/jinja_cfg.py
+++ b/octavia/common/jinja/haproxy/jinja_cfg.py
@ -83,7 +83,7 @@ class JinjaTemplater(object):
    def build_config(self, host_amphora, listener, tls_cert,
                     haproxy_versions, socket_path=None,
-                     client_ca_filename=None):
+                     client_ca_filename=None, client_crl=None):
        """Convert a logical configuration to the HAProxy version
        :param host_amphora: The Amphora this configuration is hosted on
@ -105,7 +105,7 @@ class JinjaTemplater(object):
        return self.render_loadbalancer_obj(
            host_amphora, listener, tls_cert=tls_cert, socket_path=socket_path,
            feature_compatibility=feature_compatibility,
-            client_ca_filename=client_ca_filename)
+            client_ca_filename=client_ca_filename, client_crl=client_crl)
    def _get_template(self):
        """Returns the specified Jinja configuration template."""
@ -124,7 +124,7 @@ class JinjaTemplater(object):
    def render_loadbalancer_obj(self, host_amphora, listener,
                                tls_cert=None, socket_path=None,
                                feature_compatibility=None,
-                                client_ca_filename=None):
+                                client_ca_filename=None, client_crl=None):
        """Renders a templated configuration from a load balancer object
        :param host_amphora: The Amphora this configuration is hosted on
@ -141,7 +141,8 @@ class JinjaTemplater(object):
            listener,
            tls_cert,
            feature_compatibility,
-            client_ca_filename=client_ca_filename)
+            client_ca_filename=client_ca_filename,
            client_crl=client_crl)
        if not socket_path:
            socket_path = '%s/%s.sock' % (self.base_amp_path, listener.id)
        return self._get_template().render(
@ -154,14 +155,14 @@ class JinjaTemplater(object):
    def _transform_loadbalancer(self, host_amphora, loadbalancer, listener,
                                tls_cert, feature_compatibility,
-                                client_ca_filename=None):
+                                client_ca_filename=None, client_crl=None):
        """Transforms a load balancer into an object that will
           be processed by the templating system
        """
        t_listener = self._transform_listener(
            listener, tls_cert, feature_compatibility,
-            client_ca_filename=client_ca_filename)
+            client_ca_filename=client_ca_filename, client_crl=client_crl)
        ret_value = {
            'id': loadbalancer.id,
            'vip_address': loadbalancer.vip.ip_address,
@ -201,7 +202,7 @@ class JinjaTemplater(object):
        }
    def _transform_listener(self, listener, tls_cert, feature_compatibility,
-                            client_ca_filename=None):
+                            client_ca_filename=None, client_crl=None):
        """Transforms a listener into an object that will
            be processed by the templating system
@ -245,6 +246,9 @@ class JinjaTemplater(object):
                             client_ca_filename))
            ret_value['client_auth'] = CLIENT_AUTH_MAP.get(
                listener.client_authentication)
        if listener.client_crl_container_id:
            ret_value['client_crl_path'] = '%s' % (
                os.path.join(self.base_crt_dir, listener.id, client_crl))
        if listener.default_pool:
            ret_value['default_pool'] = self._transform_pool(
--- a/octavia/common/jinja/haproxy/templates/macros.j2
+++ b/octavia/common/jinja/haproxy/templates/macros.j2
@ -43,8 +43,13 @@ peers {{ "%s_peers"|format(listener.id.replace("-", ""))|trim() }}
    {% else %}
        {% set client_ca_opt = "" %}
    {% endif %}
    {% if listener.client_crl_path and listener.client_ca_tls_path %}
        {% set ca_crl_opt = "crl-file %s"|format(listener.client_crl_path)|trim() %}
    {% else %}
        {% set ca_crl_opt = "" %}
    {% endif %}
 bind {{ lb_vip_address }}:{{ listener.protocol_port }} {{
-"%s %s %s"|format(def_crt_opt, crt_dir_opt, client_ca_opt)|trim() }}
+"%s %s %s %s"|format(def_crt_opt, crt_dir_opt, client_ca_opt, ca_crl_opt)|trim() }}
 {% endmacro %}
--- a/octavia/db/migration/alembic_migrations/versions/ffad172e98c1_add_certificate_revoke_list_option.py
+++ b/octavia/db/migration/alembic_migrations/versions/ffad172e98c1_add_certificate_revoke_list_option.py
@ -0,0 +1,36 @@
 # Copyright 2018 Huawei
 #
 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
 #    not use this file except in compliance with the License. You may obtain
 #    a copy of the License at
 #
 #         http://www.apache.org/licenses/LICENSE-2.0
 #
 #    Unless required by applicable law or agreed to in writing, software
 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
 #
 """Add certificate revoke revocation list field
 Revision ID: ffad172e98c1
 Revises: f21ae3f21adc
 Create Date: 2018-10-01 20:47:52.405865
 """
 from alembic import op
 import sqlalchemy as sa
 # revision identifiers, used by Alembic.
 revision = 'ffad172e98c1'
 down_revision = 'f21ae3f21adc'
 def upgrade():
    op.add_column(u'listener',
                  sa.Column(u'client_crl_container_id', sa.String(255),
                            nullable=True))
--- a/octavia/db/models.py
+++ b/octavia/db/models.py
@ -505,6 +505,7 @@ class Listener(base_models.BASE, base_models.IdMixin,
        sa.ForeignKey("client_authentication_mode.name",
                      name="fk_listener_client_authentication_mode_name"),
        nullable=False, default=constants.CLIENT_AUTH_NONE)
    client_crl_container_id = sa.Column(sa.String(255), nullable=True)
    _tags = orm.relationship(
        'Tags',
--- a/octavia/tests/functional/api/v2/test_listener.py
+++ b/octavia/tests/functional/api/v2/test_listener.py
@ -555,7 +555,8 @@ class TestListener(base.BaseAPITest):
    # TODO(johnsom) Fix this when there is a noop certificate manager
    @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
-    def test_create(self, mock_cert_data, response_status=201, **optionals):
+    def test_create(self, mock_cert_data,
                    response_status=201, **optionals):
        cert1 = data_models.TLSContainer(certificate='cert 1')
        cert2 = data_models.TLSContainer(certificate='cert 2')
        cert3 = data_models.TLSContainer(certificate='cert 3')
@ -767,6 +768,18 @@ class TestListener(base.BaseAPITest):
        self.assertIn(
            'be provided with a client CA container reference.', fault)
    def test_create_crl_without_ca_cert(self):
        optionals = {
            'protocol': constants.PROTOCOL_TERMINATED_HTTPS,
            'client_ca_tls_container_ref': None,
            'client_crl_container_ref': uuidutils.generate_uuid()
        }
        resp = self.test_create(response_status=400, **optionals).json
        fault = resp.get('faultstring')
        self.assertIn(
            'A client authentication CA reference is required to specify a '
            'client authentication revocation list.', fault)
    def test_create_with_default_pool_id(self):
        lb_listener = {'name': 'listener1',
                       'default_pool_id': self.pool_id,
@ -973,13 +986,69 @@ class TestListener(base.BaseAPITest):
        self.assertEqual(optionals['client_authentication'],
                         listener_api.get('client_authentication'))
-    def test_create_with_ca_cert_negative_cases(self):
+    def test_create_with_ca_cert_and_crl(self):
-        # create just with option, no client_ca_tls_container_ref specified.
+        # Load up sample certs to test the validation
        self.cert_manager_mock().get_secret.side_effect = [
            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL]
        optionals = {
-            'client_authentication': constants.CLIENT_AUTH_MANDATORY
+            'client_ca_tls_container_ref': uuidutils.generate_uuid(),
            'client_crl_container_ref': uuidutils.generate_uuid()
        }
        listener_api = self.test_create(**optionals)
        self.assertEqual(optionals['client_ca_tls_container_ref'],
                         listener_api.get('client_ca_tls_container_ref'))
        self.assertEqual(constants.CLIENT_AUTH_NONE,
                         listener_api.get('client_authentication'))
        self.assertEqual(optionals['client_crl_container_ref'],
                         listener_api.get('client_crl_container_ref'))
    # TODO(johnsom) Fix this when there is a noop certificate manager
    @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
    def test_create_with_crl_mismatch_ca_cert(self, mock_cert_data):
        cert1 = data_models.TLSContainer(certificate='cert 1')
        cert2 = data_models.TLSContainer(certificate='cert 2')
        cert3 = data_models.TLSContainer(certificate='cert 3')
        mock_cert_data.return_value = {'tls_cert': cert1,
                                       'sni_certs': [cert2, cert3]}
        self.cert_manager_mock().get_secret.side_effect = [
            sample_certs.X509_CERT, sample_certs.X509_CA_CRL,
            sample_certs.X509_CERT, sample_certs.X509_CA_CRL]
        sni1 = uuidutils.generate_uuid()
        sni2 = uuidutils.generate_uuid()
        lb_listener = {
            'name': 'listener1', 'default_pool_id': None,
            'description': 'desc1',
            'admin_state_up': False,
            'protocol': constants.PROTOCOL_TERMINATED_HTTPS,
            'protocol_port': 80,
            'default_tls_container_ref': uuidutils.generate_uuid(),
            'sni_container_refs': [sni1, sni2],
            'project_id': self.project_id,
            'loadbalancer_id': self.lb_id,
            'client_ca_tls_container_ref': uuidutils.generate_uuid(),
            'client_crl_container_ref': uuidutils.generate_uuid()
        }
        body = self._build_body(lb_listener)
        response = self.post(self.LISTENERS_PATH, body, status=400).json
        self.assertEqual(
            "Validation failure: The CRL specified is not valid for client "
            "certificate authority reference supplied.",
            response['faultstring'])
    @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
    def test_create_with_ca_cert_negative_cases(self, mock_load_cert):
        # create just with option or crl,
        # no client_ca_tls_container_ref specified.
        sni1 = uuidutils.generate_uuid()
        sni2 = uuidutils.generate_uuid()
        for opt in [{'client_authentication': constants.CLIENT_AUTH_MANDATORY,
                     'client_crl_container_ref': uuidutils.generate_uuid()},
                    {'client_authentication': constants.CLIENT_AUTH_OPTIONAL,
                     'client_crl_container_ref': uuidutils.generate_uuid()}]:
            lb_listener = {
                'name': 'listener1', 'default_pool_id': None,
                'description': 'desc1',
@ -990,13 +1059,13 @@ class TestListener(base.BaseAPITest):
                'sni_container_refs': [sni1, sni2],
                'project_id': self.project_id,
                'loadbalancer_id': self.lb_id}
-        lb_listener.update(optionals)
+            lb_listener.update(opt)
            body = self._build_body(lb_listener)
            response = self.post(self.LISTENERS_PATH, body, status=400).json
            self.assertEqual(
                "Validation failure: Client authentication setting %s "
                "requires a client CA container reference." %
-            constants.CLIENT_AUTH_MANDATORY, response['faultstring'])
+                opt['client_authentication'], response['faultstring'])
    def test_create_with_bad_ca_cert_ref(self):
        sni1 = uuidutils.generate_uuid()
@ -1018,7 +1087,30 @@ class TestListener(base.BaseAPITest):
        self.cert_manager_mock().get_secret.side_effect = [
            Exception('bad ca cert')]
        response = self.post(self.LISTENERS_PATH, body, status=400).json
-        self.assertIn(lb_listener['client_ca_tls_container_ref'],
+        self.assertEqual("Could not retrieve certificate: ['%s']" %
                         lb_listener['client_ca_tls_container_ref'],
                         response['faultstring'])
    def test_create_with_unreachable_crl(self):
        sni1 = uuidutils.generate_uuid()
        sni2 = uuidutils.generate_uuid()
        lb_listener = {
            'name': 'listener1', 'default_pool_id': None,
            'description': 'desc1',
            'admin_state_up': False,
            'protocol': constants.PROTOCOL_TERMINATED_HTTPS,
            'protocol_port': 80,
            'default_tls_container_ref': uuidutils.generate_uuid(),
            'sni_container_refs': [sni1, sni2],
            'project_id': self.project_id,
            'loadbalancer_id': self.lb_id,
            'client_ca_tls_container_ref': uuidutils.generate_uuid(),
            'client_crl_container_ref': uuidutils.generate_uuid()}
        body = self._build_body(lb_listener)
        self.cert_manager_mock().get_secret.side_effect = Exception(
            'bad CRL ref')
        response = self.post(self.LISTENERS_PATH, body, status=400).json
        self.assertIn(lb_listener['client_crl_container_ref'],
                      response['faultstring'])
    def test_create_with_bad_ca_cert(self):
@ -1213,6 +1305,22 @@ class TestListener(base.BaseAPITest):
        self.assertNotEqual(ori_listener['client_authentication'],
                            optionals['client_authentication'])
    def test_update_with_crl(self):
        # Load up sample certs to test the validation
        self.cert_manager_mock().get_secret.side_effect = [
            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL]
        optionals = {
            'client_crl_container_ref': uuidutils.generate_uuid()
        }
        ori_listener, update_listener = self.test_update(**optionals)
        self.assertEqual(optionals['client_crl_container_ref'],
                         update_listener.get('client_crl_container_ref'))
        self.assertNotEqual(ori_listener['client_crl_container_ref'],
                            optionals['client_crl_container_ref'])
    @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
    def test_update_from_nonexist_ca_cert_to_new_ca_cert(self, mock_cert_data):
        cert1 = data_models.TLSContainer(certificate='cert 1')
@ -1244,7 +1352,7 @@ class TestListener(base.BaseAPITest):
                         api_listener['client_authentication'])
    @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
-    def test_update_with_ca_cert_negative_cases(self, mock_cert_data):
+    def test_update_with_ca_cert_missing(self, mock_cert_data):
        # update a listener, no ca cert exist
        cert1 = data_models.TLSContainer(certificate='cert 1')
        mock_cert_data.return_value = {'tls_cert': cert1}
@ -1256,16 +1364,42 @@ class TestListener(base.BaseAPITest):
            default_tls_container_ref=tls_uuid,
            default_pool_id=None).get(self.root_tag)
        self.set_lb_status(self.lb_id)
-        lb_listener = {
+        for opt in [{'client_authentication': constants.CLIENT_AUTH_OPTIONAL,
-            'client_authentication': constants.CLIENT_AUTH_OPTIONAL}
+                     'client_crl_container_ref': uuidutils.generate_uuid()},
-        body = self._build_body(lb_listener)
+                    {'client_authentication': constants.CLIENT_AUTH_MANDATORY,
                     'client_crl_container_ref': uuidutils.generate_uuid()}]:
            body = self._build_body(opt)
            listener_path = self.LISTENER_PATH.format(
                listener_id=listener['id'])
            response = self.put(listener_path, body, status=400).json
            self.assertEqual(
                "Validation failure: Client authentication setting %s "
                "requires a client CA container reference." %
-            constants.CLIENT_AUTH_OPTIONAL, response['faultstring'])
+                opt['client_authentication'], response['faultstring'])
    @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
    def test_update_with_crl_but_ca_cert_missing(self, mock_cert_data):
        # update a listener, no ca cert exist
        cert1 = data_models.TLSContainer(certificate='cert 1')
        mock_cert_data.return_value = {'tls_cert': cert1,
                                       'client_ca_cert': None}
        tls_uuid = uuidutils.generate_uuid()
        listener = self.create_listener(
            constants.PROTOCOL_TERMINATED_HTTPS, 80, self.lb_id,
            name='listener1', description='desc1',
            admin_state_up=False, connection_limit=10,
            default_tls_container_ref=tls_uuid,
            default_pool_id=None).get(self.root_tag)
        self.set_lb_status(self.lb_id)
        body = self._build_body(
            {'client_crl_container_ref': uuidutils.generate_uuid()})
        listener_path = self.LISTENER_PATH.format(
            listener_id=listener['id'])
        response = self.put(listener_path, body, status=400).json
        self.assertEqual(
            "Validation failure: A client authentication CA reference is "
            "required to specify a client authentication revocation list.",
            response['faultstring'])
    @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
    def test_update_unset_ca_cert(self, mock_cert_data):
@ -1290,6 +1424,41 @@ class TestListener(base.BaseAPITest):
        api_listener = self.put(listener_path, body).json.get(self.root_tag)
        self.assertIsNone(api_listener.get('client_ca_tls_container_ref'))
        self.assertIsNone(api_listener.get('client_auth_option'))
        self.assertIsNone(api_listener.get('client_crl_container_ref'))
    @mock.patch(
        'octavia.common.tls_utils.cert_parser.load_certificates_data')
    def test_update_unset_crl(self, mock_cert_data):
        # Load up sample certs to test the validation
        self.cert_manager_mock().get_secret.side_effect = [
            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL]
        cert1 = data_models.TLSContainer(certificate='cert 1')
        mock_cert_data.return_value = {'tls_cert': cert1}
        listener = self.create_listener(
            constants.PROTOCOL_TERMINATED_HTTPS, 80, self.lb_id,
            name='listener1', description='desc1',
            admin_state_up=False, connection_limit=10,
            default_tls_container_ref=uuidutils.generate_uuid(),
            default_pool_id=None,
            client_ca_tls_container_ref=uuidutils.generate_uuid(),
            client_crl_container_ref=uuidutils.generate_uuid(),
            client_authentication=constants.CLIENT_AUTH_MANDATORY).get(
            self.root_tag)
        self.set_lb_status(self.lb_id)
        lb_listener = {'client_crl_container_ref': None}
        body = self._build_body(lb_listener)
        listener_path = self.LISTENER_PATH.format(
            listener_id=listener['id'])
        api_listener = self.put(listener_path, body).json.get(self.root_tag)
        self.assertEqual(listener.get('client_ca_tls_container_ref'),
                         api_listener.get('client_ca_tls_container_ref'))
        self.assertEqual(listener.get('client_authentication'),
                         api_listener.get('client_authentication'))
        self.assertIsNone(api_listener.get('client_crl_container_ref'))
    @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
    def test_update_with_bad_ca_cert(self, mock_cert_data):
@ -1310,6 +1479,8 @@ class TestListener(base.BaseAPITest):
        self.set_lb_status(self.lb_id)
        self.cert_manager_mock().get_secret.side_effect = Exception(
            'bad ca cert')
        self.cert_manager_mock().get_secret.side_effect = Exception(
            'bad secret')
        lb_listener = {
            'client_ca_tls_container_ref': uuidutils.generate_uuid()}
        body = self._build_body(lb_listener)
@ -1319,6 +1490,72 @@ class TestListener(base.BaseAPITest):
        self.assertIn(lb_listener['client_ca_tls_container_ref'],
                      response['faultstring'])
    @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
    def test_update_with_unreachable_crl(self, mock_cert_data):
        # Load up sample certs to test the validation
        tls_cert_mock = mock.MagicMock()
        tls_cert_mock.get_certificate.return_value = sample_certs.X509_CA_CERT
        self.cert_manager_mock().get_cert.return_value = tls_cert_mock
        self.cert_manager_mock().get_secret.side_effect = [
            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
            sample_certs.X509_CA_CERT, Exception('bad CRL ref')]
        cert1 = data_models.TLSContainer(certificate='cert 1')
        mock_cert_data.return_value = {'tls_cert': cert1}
        listener = self.create_listener(
            constants.PROTOCOL_TERMINATED_HTTPS, 80, self.lb_id,
            name='listener1', description='desc1',
            admin_state_up=False, connection_limit=10,
            default_tls_container_ref=uuidutils.generate_uuid(),
            default_pool_id=None,
            client_ca_tls_container_ref=uuidutils.generate_uuid(),
            client_crl_container_ref=uuidutils.generate_uuid()).get(
            self.root_tag)
        self.set_lb_status(self.lb_id)
        lb_listener = {
            'client_crl_container_ref': uuidutils.generate_uuid()}
        body = self._build_body(lb_listener)
        listener_path = self.LISTENER_PATH.format(
            listener_id=listener['id'])
        response = self.put(listener_path, body, status=400).json
        self.assertIn(lb_listener['client_crl_container_ref'],
                      response['faultstring'])
    @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
    def test_update_with_bad_crl(self, mock_cert_data):
        # Load up sample certs to test the validation
        tls_cert_mock = mock.MagicMock()
        tls_cert_mock.get_certificate.return_value = sample_certs.X509_CA_CERT
        self.cert_manager_mock().get_cert.return_value = tls_cert_mock
        self.cert_manager_mock().get_secret.side_effect = [
            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
            sample_certs.X509_CA_CERT, sample_certs.X509_CA_CRL,
            sample_certs.X509_CA_CERT, 'bad CRL']
        cert1 = data_models.TLSContainer(certificate='cert 1')
        mock_cert_data.return_value = {'tls_cert': cert1}
        listener = self.create_listener(
            constants.PROTOCOL_TERMINATED_HTTPS, 80, self.lb_id,
            name='listener1', description='desc1',
            admin_state_up=False, connection_limit=10,
            default_tls_container_ref=uuidutils.generate_uuid(),
            default_pool_id=None,
            client_ca_tls_container_ref=uuidutils.generate_uuid(),
            client_crl_container_ref=uuidutils.generate_uuid()).get(
            self.root_tag)
        self.set_lb_status(self.lb_id)
        lb_listener = {
            'client_crl_container_ref': uuidutils.generate_uuid()}
        body = self._build_body(lb_listener)
        listener_path = self.LISTENER_PATH.format(
            listener_id=listener['id'])
        response = self.put(listener_path, body, status=400).json
        self.assertIn("The client authentication certificate revocation list "
                      "is invalid. It must be a valid x509 PEM format "
                      "certificate revocation list.",
                      response['faultstring'])
    def test_update_authorized(self):
        listener = self.create_listener(
            constants.PROTOCOL_TCP, 80, self.lb_id,
@ -1586,6 +1823,8 @@ class TestListener(base.BaseAPITest):
            listener_id=api_listener['id'])
        self.cert_manager_mock().get_cert.side_effect = [
            Exception("bad cert"), None, Exception("bad cert")]
        self.cert_manager_mock().get_secret.side_effect = [
            Exception("bad secret"), Exception("bad secret")]
        response = self.put(listener_path, body, status=400).json
        self.assertIn(tls_ref2, response['faultstring'])
        self.assertIn(sni1, response['faultstring'])
--- a/octavia/tests/functional/api/v2/test_load_balancer.py
+++ b/octavia/tests/functional/api/v2/test_load_balancer.py
@ -2358,7 +2358,9 @@ class TestLoadBalancerGraph(base.BaseAPITest):
            expected_client_ca_tls_container=None,
            create_protocol=constants.PROTOCOL_HTTP,
            create_client_authentication=None,
-            expected_client_authentication=constants.CLIENT_AUTH_NONE):
+            expected_client_authentication=constants.CLIENT_AUTH_NONE,
            create_client_crl_container=None,
            expected_client_crl_container=None):
        create_listener = {
            'name': name,
            'protocol_port': protocol_port,
@ -2380,7 +2382,8 @@ class TestLoadBalancerGraph(base.BaseAPITest):
            'timeout_tcp_inspect': constants.DEFAULT_TIMEOUT_TCP_INSPECT,
            'tags': [],
            'client_ca_tls_container_ref': None,
-            'client_authentication': constants.CLIENT_AUTH_NONE
+            'client_authentication': constants.CLIENT_AUTH_NONE,
            'client_crl_container_ref': None
        }
        if create_sni_containers:
            create_listener['sni_container_refs'] = create_sni_containers
@ -2402,6 +2405,9 @@ class TestLoadBalancerGraph(base.BaseAPITest):
        if create_client_authentication:
            create_listener['client_authentication'] = (
                create_client_authentication)
        if create_client_crl_container:
            create_listener['client_crl_container_ref'] = (
                create_client_crl_container)
        if expected_sni_containers:
            expected_listener['sni_container_refs'] = expected_sni_containers
        if expected_l7policies:
@ -2416,6 +2422,9 @@ class TestLoadBalancerGraph(base.BaseAPITest):
        if expected_client_authentication:
            expected_listener[
                'client_authentication'] = expected_client_authentication
        if expected_client_crl_container:
            expected_listener['client_crl_container_ref'] = (
                expected_client_crl_container)
        return create_listener, expected_listener
    def _get_pool_bodies(self, name='pool1', create_members=None,
@ -2664,23 +2673,27 @@ class TestLoadBalancerGraph(base.BaseAPITest):
        self._assert_graphs_equal(expected_lb, api_lb)
    @mock.patch('cryptography.hazmat.backends.default_backend')
    @mock.patch('cryptography.x509.load_pem_x509_crl')
    @mock.patch('cryptography.x509.load_pem_x509_certificate')
    @mock.patch('octavia.api.drivers.utils._get_secret_data')
    @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
    def test_with_full_listener_certs(self, mock_cert_data, mock_get_secret,
-                                      mock_x509_cert, mock_backend):
+                                      mock_x509_cert, mock_x509_crl,
                                      mock_backend):
        cert1 = data_models.TLSContainer(certificate='cert 1')
        cert2 = data_models.TLSContainer(certificate='cert 2')
        cert3 = data_models.TLSContainer(certificate='cert 3')
        mock_get_secret.side_effect = ['ca cert', 'X509 CRL FILE']
        mock_cert_data.return_value = {'tls_cert': cert1,
                                       'sni_certs': [cert2, cert3]}
        mock_get_secret.side_effect = ['ca cert']
        cert_mock = mock.MagicMock()
        mock_x509_cert.return_value = cert_mock
-        create_client_ca_tls_container = uuidutils.generate_uuid()
+        create_client_ca_tls_container, create_client_crl_container = (
            uuidutils.generate_uuid(), uuidutils.generate_uuid())
        expected_client_ca_tls_container = create_client_ca_tls_container
        create_client_authentication = constants.CLIENT_AUTH_MANDATORY
        expected_client_authentication = constants.CLIENT_AUTH_MANDATORY
        expected_client_crl_container = create_client_crl_container
        create_sni_containers, expected_sni_containers = (
            self._get_sni_container_bodies())
        create_listener, expected_listener = self._get_listener_bodies(
@ -2690,7 +2703,9 @@ class TestLoadBalancerGraph(base.BaseAPITest):
            create_client_ca_tls_container=create_client_ca_tls_container,
            expected_client_ca_tls_container=expected_client_ca_tls_container,
            create_client_authentication=create_client_authentication,
-            expected_client_authentication=expected_client_authentication)
+            expected_client_authentication=expected_client_authentication,
            create_client_crl_container=create_client_crl_container,
            expected_client_crl_container=expected_client_crl_container)
        create_lb, expected_lb = self._get_lb_bodies(
            create_listeners=[create_listener],
            expected_listeners=[expected_listener])
--- a/octavia/tests/unit/amphorae/drivers/haproxy/test_rest_api_driver.py
+++ b/octavia/tests/unit/amphorae/drivers/haproxy/test_rest_api_driver.py
@ -66,7 +66,7 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
        # Build sample Listener and VIP configs
        self.sl = sample_configs.sample_listener_tuple(
-            tls=True, sni=True, client_ca_cert=True)
+            tls=True, sni=True, client_ca_cert=True, client_crl_cert=True)
        self.sl_udp = sample_configs.sample_listener_tuple(
            proto=constants.PROTOCOL_UDP,
            persistence_type=constants.SESSION_PERSISTENCE_SOURCE_IP,
@ -148,7 +148,7 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
    @mock.patch('octavia.common.tls_utils.cert_parser.get_host_names')
    def test_update(self, mock_cert, mock_load_crt, mock_secret):
        mock_cert.return_value = {'cn': sample_certs.X509_CERT_CN}
-        mock_secret.return_value = 'filename.pem'
+        mock_secret.side_effect = ['filename.pem', 'crl-filename.pem']
        sconts = []
        for sni_container in self.sl.sni_containers:
            sconts.append(sni_container.tls_container)
@ -168,7 +168,7 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
        self.driver.update(self.sl, self.sv)
        # verify result
-        # this is called 4 times
+        # this is called 5 times
        gcm_calls = [
            mock.call(self.amp, self.sl.id,
                      self.sl.default_tls_container.id + '.pem',
@ -209,6 +209,11 @@ class TestHaproxyAmphoraLoadBalancerDriverTest(base.TestCase):
        # start should be called once
        self.driver.client.reload_listener.assert_called_once_with(
            self.amp, self.sl.id)
        secret_calls = [
            mock.call(self.sl, self.sl.client_ca_tls_certificate_id),
            mock.call(self.sl, self.sl.client_crl_container_id)
        ]
        mock_secret.assert_has_calls(secret_calls)
    def test_udp_update(self):
        self.driver.udp_jinja.build_config.side_effect = ['fake_udp_config']
--- a/octavia/tests/unit/api/drivers/sample_data_models.py
+++ b/octavia/tests/unit/api/drivers/sample_data_models.py
@ -38,6 +38,7 @@ class SampleDriverDataModels(object):
        self.sni_container_ref_1 = uuidutils.generate_uuid()
        self.sni_container_ref_2 = uuidutils.generate_uuid()
        self.client_ca_tls_certificate_ref = uuidutils.generate_uuid()
        self.client_crl_container_ref = uuidutils.generate_uuid()
        self.pool1_id = uuidutils.generate_uuid()
        self.pool2_id = uuidutils.generate_uuid()
@ -383,7 +384,8 @@ class SampleDriverDataModels(object):
            'timeout_member_data': 3000,
            'timeout_tcp_inspect': 4000,
            'client_ca_tls_certificate_id': self.client_ca_tls_certificate_ref,
-            'client_authentication': constants.CLIENT_AUTH_NONE
+            'client_authentication': constants.CLIENT_AUTH_NONE,
            'client_crl_container_id': self.client_crl_container_ref
        }
        self.test_listener1_dict.update(self._common_test_dict)
@ -397,6 +399,7 @@ class SampleDriverDataModels(object):
        del self.test_listener2_dict['l7policies']
        del self.test_listener2_dict['sni_containers']
        del self.test_listener2_dict['client_ca_tls_certificate_id']
        del self.test_listener2_dict['client_crl_container_id']
        self.test_listeners = [self.test_listener1_dict,
                               self.test_listener2_dict]
@ -416,6 +419,7 @@ class SampleDriverDataModels(object):
        cert2 = data_models.TLSContainer(certificate='cert 2')
        cert3 = data_models.TLSContainer(certificate='cert 3')
        ca_cert = 'ca cert'
        crl_file_content = 'X509 CRL FILE'
        self.provider_listener1_dict = {
            'admin_state_up': True,
@ -441,7 +445,9 @@ class SampleDriverDataModels(object):
            'timeout_tcp_inspect': 4000,
            'client_ca_tls_container_ref': self.client_ca_tls_certificate_ref,
            'client_ca_tls_container_data': ca_cert,
-            'client_authentication': constants.CLIENT_AUTH_NONE
+            'client_authentication': constants.CLIENT_AUTH_NONE,
            'client_crl_container_ref': self.client_crl_container_ref,
            'client_crl_container_data': crl_file_content
        }
        self.provider_listener2_dict = copy.deepcopy(
@ -456,6 +462,8 @@ class SampleDriverDataModels(object):
        del self.provider_listener2_dict['client_ca_tls_container_data']
        self.provider_listener2_dict['client_authentication'] = (
            constants.CLIENT_AUTH_NONE)
        self.provider_listener2_dict['client_crl_container_ref'] = None
        del self.provider_listener2_dict['client_crl_container_data']
        self.provider_listener1 = driver_dm.Listener(
            **self.provider_listener1_dict)
--- a/octavia/tests/unit/api/drivers/test_utils.py
+++ b/octavia/tests/unit/api/drivers/test_utils.py
@ -90,7 +90,7 @@ class TestUtils(base.TestCase):
        cert1 = data_models.TLSContainer(certificate='cert 1')
        cert2 = data_models.TLSContainer(certificate='cert 2')
        cert3 = data_models.TLSContainer(certificate='cert 3')
-        mock_secret.return_value = 'ca cert'
+        mock_secret.side_effect = ['ca cert', 'X509 CRL FILE']
        mock_load_cert.return_value = {'tls_cert': cert1,
                                       'sni_certs': [cert2, cert3]}
        test_lb_dict = {'name': 'lb1',
@ -162,7 +162,7 @@ class TestUtils(base.TestCase):
    @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
    def test_db_listeners_to_provider_listeners(self, mock_load_cert,
                                                mock_secret):
-        mock_secret.return_value = 'ca cert'
+        mock_secret.side_effect = ['ca cert', 'X509 CRL FILE']
        cert1 = data_models.TLSContainer(certificate='cert 1')
        cert2 = data_models.TLSContainer(certificate='cert 2')
        cert3 = data_models.TLSContainer(certificate='cert 3')
@ -176,16 +176,24 @@ class TestUtils(base.TestCase):
    @mock.patch('octavia.api.drivers.utils._get_secret_data')
    @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
    def test_listener_dict_to_provider_dict(self, mock_load_cert, mock_secret):
-        mock_secret.return_value = 'ca cert'
+        mock_secret.side_effect = ['ca cert', 'X509 CRL FILE']
        cert1 = data_models.TLSContainer(certificate='cert 1')
        cert2 = data_models.TLSContainer(certificate='cert 2')
        cert3 = data_models.TLSContainer(certificate='cert 3')
        mock_load_cert.return_value = {'tls_cert': cert1,
                                       'sni_certs': [cert2, cert3]}
        # The reason to do this, as before the logic arrives the test func,
        # there are two data sources, one is from db_dict, the other is from
        # the api layer model_dict, actually, they are different and contain
        # different fields. That's why the test_listener1_dict from sample data
        # just contain the client_ca_tls_certificate_id for client certificate,
        # not any other related fields. So we need to delete them.
        expect_prov = copy.deepcopy(self.sample_data.provider_listener1_dict)
        provider_listener = utils.listener_dict_to_provider_dict(
            self.sample_data.test_listener1_dict)
-        self.assertEqual(self.sample_data.provider_listener1_dict,
+        expect_prov.pop('client_crl_container_ref')
-                         provider_listener)
+        provider_listener.pop('client_crl_container_ref')
        self.assertEqual(expect_prov, provider_listener)
    @mock.patch('octavia.api.drivers.utils._get_secret_data')
    @mock.patch('octavia.common.tls_utils.cert_parser.load_certificates_data')
--- a/octavia/tests/unit/certificates/manager/test_barbican.py
+++ b/octavia/tests/unit/certificates/manager/test_barbican.py
@ -48,7 +48,6 @@ class TestBarbicanManager(base.TestCase):
        self.fake_secret = 'Fake secret'
        self.secret = secrets.Secret(api=mock.MagicMock(),
                                     payload=self.fake_secret)
        self.empty_secret = mock.Mock(spec=secrets.Secret)
        # Mock out the client
--- a/octavia/tests/unit/common/jinja/haproxy/test_jinja_cfg.py
+++ b/octavia/tests/unit/common/jinja/haproxy/test_jinja_cfg.py
@ -40,7 +40,8 @@ class TestHaproxyCfg(base.TestCase):
              "sample_listener_id_1/tls_container_id.pem "
              "crt /var/lib/octavia/certs/sample_listener_id_1 "
              "ca-file /var/lib/octavia/certs/sample_listener_id_1/"
-              "client_ca.pem verify required\n"
+              "client_ca.pem verify required crl-file /var/lib/octavia/"
              "certs/sample_listener_id_1/SHA_ID.pem\n"
              "    mode http\n"
              "    default_backend sample_pool_id_1\n"
              "    timeout client 50000\n\n").format(
@ -71,8 +72,10 @@ class TestHaproxyCfg(base.TestCase):
            sample_configs.sample_amphora_tuple(),
            sample_configs.sample_listener_tuple(proto='TERMINATED_HTTPS',
                                                 tls=True, sni=True,
-                                                 client_ca_cert=True),
+                                                 client_ca_cert=True,
-            tls_tupe, client_ca_filename='client_ca.pem')
+                                                 client_crl_cert=True),
            tls_tupe, client_ca_filename='client_ca.pem',
            client_crl='SHA_ID.pem')
        self.assertEqual(
            sample_configs.sample_base_expected_config(
                frontend=fe, backend=be),
--- a/octavia/tests/unit/common/sample_configs/sample_certs.py
+++ b/octavia/tests/unit/common/sample_configs/sample_certs.py
@ -856,3 +856,22 @@ pDEMmP7TJMJ3dG63RtAzQiGfRO18BIVOrRUfQpR32FkrYd9wCE02cnv0QZzY9NYt
 6hAlAa6Motve8UFewoO4pNknj3MBEN+64wDzHaP6VPysNJwrAlgaHfGDU6xJffAd
 uCWDmw==
 -----END CERTIFICATE-----"""
 X509_CA_CRL = b"""-----BEGIN X509 CRL-----
 MIIC7zCB2AIBATANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJVUzEPMA0GA1UE
 CAwGT3JlZ29uMRIwEAYDVQQKDAlPcGVuU3RhY2sxEDAOBgNVBAsMB09jdGF2aWEx
 FzAVBgNVBAMMDmNhLmV4YW1wbGUub3JnFw0xOTAyMTkwMjAxNTlaFw0xOTAzMjEw
 MjAxNTlaMBUwEwICEAAXDTE5MDIxOTAyMDAyMlqgMDAuMB8GA1UdIwQYMBaAFN/4
 bLQKWNMwoLzQ2du9NT33x7+DMAsGA1UdFAQEAgIQADANBgkqhkiG9w0BAQsFAAOC
 AgEAcPtYSLEkJwvqaAfMGXwI2uTTKWURqtwfcBMYdVF1u2xsBsrKR6ogpBjzc1sX
 A5WN9Tz5TXPVd38DTEGlCGLQ7wZ8wwYAR2sArHjw/zcsOJcFVTWtpX+2UAbpqis9
 rBq7K6TF2m1fYb0RJg0AUbja/wfpghoEjfFx8FjIa8WAqqazyWR9vslm7kSoEgr+
 MDV7agVK+h1n68hdLA9osUyPaAobus5FcVlXePPp5Ab8/vx1b2/Y+VXHaJXTZCin
 FLQaxaH0PsMCKN/T52GPMRKa2Cc6IEaDFgE1ZlA8nP5t2tA7MFORI8dix6jIzBJD
 W2CRf1Oxkrd3iqs1IljtlKHKMUTS67lfA9EwKlt8dR+KwH/WT23LSIoC9NnS3DP+
 aT3t52soCpjXbfl8fgs62bome1/88BoNIa2T1Mj6F0aPvepLsFB/UrXWhADFj+DX
 7WclP62BNBCTlUNvMF0eC9o7r5xeazo53KH1KI62qlFrz5MbRCG8g0JtTFqsMJld
 phYuPfZekoNbsOIPDTiPFniuP2saOF4TSRCW4KnpgblRkds6c8X+1ExdlSo5GjNa
 PftOKlYtE7T7Kw4CI9+O2H38IUOYjDt/c2twy954K4pKe4x9Ud8mImpS/oEzOsoz
 /Mn++bjO55LdaAUKQ3wa8LZ5WFB+Gs6b2kmBfzGarWEiX64=
 -----END X509 CRL-----"""
--- a/octavia/tests/unit/common/sample_configs/sample_configs.py
+++ b/octavia/tests/unit/common/sample_configs/sample_configs.py
@ -512,7 +512,7 @@ def sample_listener_tuple(proto=None, monitor=True, alloc_default_pool=True,
                          timeout_member_connect=5000,
                          timeout_member_data=50000,
                          timeout_tcp_inspect=0,
-                          client_ca_cert=False):
+                          client_ca_cert=False, client_crl_cert=False):
    proto = 'HTTP' if proto is None else proto
    if be_proto is None:
        be_proto = 'HTTP' if proto is 'TERMINATED_HTTPS' else proto
@ -527,8 +527,9 @@ def sample_listener_tuple(proto=None, monitor=True, alloc_default_pool=True,
                    'sni_containers, load_balancer, peer_port, pools, '
                    'l7policies, enabled, insert_headers, timeout_client_data,'
                    'timeout_member_connect, timeout_member_data, '
-                    'timeout_tcp_inspect, client_ca_tls_certificate_id,'
+                    'timeout_tcp_inspect, client_ca_tls_certificate_id, '
-                    'client_ca_tls_certificate, client_authentication')
+                    'client_ca_tls_certificate, client_authentication, '
                    'client_crl_container_id')
    if l7:
        pools = [
            sample_pool_tuple(
@ -614,7 +615,8 @@ def sample_listener_tuple(proto=None, monitor=True, alloc_default_pool=True,
        ) if client_ca_cert else '',
        client_authentication=(
            constants.CLIENT_AUTH_MANDATORY if client_ca_cert else
-            constants.CLIENT_AUTH_NONE)
+            constants.CLIENT_AUTH_NONE),
        client_crl_container_id='cont_id_crl' if client_crl_cert else '',
    )
--- a/releasenotes/notes/Add-TLS-client-auth-CRL-d0722fd175bc2f51.yaml
+++ b/releasenotes/notes/Add-TLS-client-auth-CRL-d0722fd175bc2f51.yaml
@ -0,0 +1,10 @@
 ---
 features:
  - |
    You can now provide a certificate revocation list reference for listeners
    using TLS client authentication.
 security:
  - |
    Note that the amphora provider currently only supports the crl-file
    provided to check for revocation. Remote revocation lists and/or OCSP
    will not be used by the amphora provider.
`@ -1 +1 @@`
	curl -X POST -H "Content-Type: application/json" -H "X-Auth-Token: <token>" -d '{"listener": {"protocol": "TERMINATED_HTTPS", "description": "A great TLS listener", "admin_state_up": true, "connection_limit": 200, "protocol_port": "443", "loadbalancer_id": "607226db-27ef-4d41-ae89-f2a800e9c2db", "name": "great_tls_listener", "insert_headers": {"X-Forwarded-For": "true", "X-Forwarded-Port": "true"}, "default_tls_container_ref": "http://198.51.100.10:9311/v1/containers/a570068c-d295-4780-91d4-3046a325db51", "sni_container_refs": ["http://198.51.100.10:9311/v1/containers/a570068c-d295-4780-91d4-3046a325db51", "http://198.51.100.10:9311/v1/containers/aaebb31e-7761-4826-8cb4-2b829caca3ee"], "timeout_client_data": 50000, "timeout_member_connect": 5000, "timeout_member_data": 50000, "timeout_tcp_inspect": 0, "tags": ["test_tag"], "client_ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/35649991-49f3-4625-81ce-2465fe8932e5", "client_authentication": "MANDATORY"}}' http://198.51.100.10:9876/v2/lbaas/listeners	curl -X POST -H "Content-Type: application/json" -H "X-Auth-Token: <token>" -d '{"listener": {"protocol": "TERMINATED_HTTPS", "description": "A great TLS listener", "admin_state_up": true, "connection_limit": 200, "protocol_port": "443", "loadbalancer_id": "607226db-27ef-4d41-ae89-f2a800e9c2db", "name": "great_tls_listener", "insert_headers": {"X-Forwarded-For": "true", "X-Forwarded-Port": "true"}, "default_tls_container_ref": "http://198.51.100.10:9311/v1/containers/a570068c-d295-4780-91d4-3046a325db51", "sni_container_refs": ["http://198.51.100.10:9311/v1/containers/a570068c-d295-4780-91d4-3046a325db51", "http://198.51.100.10:9311/v1/containers/aaebb31e-7761-4826-8cb4-2b829caca3ee"], "timeout_client_data": 50000, "timeout_member_connect": 5000, "timeout_member_data": 50000, "timeout_tcp_inspect": 0, "tags": ["test_tag"], "client_ca_tls_container_ref": "http://198.51.100.10:9311/v1/containers/35649991-49f3-4625-81ce-2465fe8932e5", "client_authentication": "MANDATORY", "client_crl_container_ref": "http://198.51.100.10:9311/v1/containers/e222b065-b93b-4e2a-9a02-804b7a118c3c"}}' http://198.51.100.10:9876/v2/lbaas/listeners