The OpenStack Anchor project is now officially retired[1].
This patch removes the references to Anchor from Octavia.
These old references were confusing new users.
[1] https://review.opendev.org/#/c/611187/
Change-Id: Idfe90aa69b497e8270118174dde00567d7fab4ab
In order to support Python 3.7, pylint has to be updated to 2.0.0
minimum. Newer versions of Pylint enforce additional checkers which can
be addressed with some code refactoring rather than silently ignoring
them in pylintrc; except useless-object-inheritance which is required to
be silenced so that we stay compatible with Python 2.x.
Story: 2004073
Task: 27434
Change-Id: I52301d763797d619f195bd8a1c32bc47f1e68420
This affects only the internal certificates that we generate and install
on Amphorae for use with the amphora-agent.
Change-Id: I8c3eb71246d339bd2d43092cce4e6122a49e9534
Region and endpoint_type parameters should be used when initializing
Barbican client.
Change-Id: Id5a0c6f061e36b93e82d2eea8a5bac9ede66b159
Story: 2005233
Task: 30015
Add tls_ca_container_id and crl_container_id into Pool API.
Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I6cd6e2ca8e48a5df707a70d22505dec9d752c7eb
Octavia creates certificates and keys to manage an encrypted
communication channel to amphorae.
When debug is enabled, the python taskflow module will log
all the information we provide to tasks (and sub-flows)
when we create amphorae or handle anything related to
certificates and keys management (rotations, etc).
There are ways to tell taskflow to exclude specific things
from being logged (e.g., I136081045787c1bbe3ee846d5845a34201c57864).
While this prevents some information in specific flows from being
logged, it is susceptible to code changes.
To avoid an everlasting whack-a-mole game, this patch will merely
encrypt sensitive information so we can safely log it and decrypt
it only when we need to use it.
Change-Id: I06d329ca53bc36bd27f7870ae7c7ca0cf18575b2
This patch adds 'client_ca_tls_container_ref' into the listener API for front
client authentication.
Story: 2002165
Task: 20018
Co-Authored-By: Michael Johnson <johnsomor@gmail.com>
Change-Id: I8a96d6fdfe53a16d1abcfd09bc6afedd6c490de2
Add calls to the barbican legacy driver for set_acl and unset_acl actions when
using certificates in a container.
Change-Id: I7984c85ec98b6b8df00db1b2c58ddc067508b1a5
Story: 2003905
At this moment if ca_private_key_passphrase is None a loadbalancer
cannot be created due to an AttributeError.
The current change adds a check for None before encoding.
Story: 2003588
Task: 24896
Change-Id: I40063aa2f96534c12b284f72d16c9f5a72ad1486
We want to default to running all tox environments under python 3, so
set the basepython value in each environment.
We do not want to specify a minor version number, because we do not
want to have to update the file every time we upgrade python.
We do not want to set the override once in testenv, because that
breaks the more specific versions used in default environments like
py35 and py36.
This patch also updates pylint to 1.5.6 which is compatible with
python3.
In updating pylint we have some issues to correct, this patch addresses
those issues so the Octavia code passes pylint 1.5.6.
Change-Id: Iec21f4c803a427059d595612336d67a35ebf9585
Signed-off-by: Doug Hellmann <doug@doughellmann.com>
This also fixes build-openstack-sphinx-docs; there was a change introduced
in sphinx 1.6.6:
https://github.com/sphinx-doc/sphinx/pull/4335/files
If the size of __init__.py is less than 2, then the module would be
skipped, which will cause the sphinx consistency check to fail later.
Change-Id: I9d8764b6e907aceed8bb8a9b04711145d0eb32ad
*NOT* deprecating the old way of storing these, as I believe that would
create a huge mess for anyone already using it.
Change-Id: I1fee174d8b8956f3d2053781a7f18c2940b21765
This addition automates the process, as opposed to relying on review inputs.
Inspired by Ib51bd97dc4394ef2b46d4dbb7fb36a9aa9f8fe3d
Change-Id: I1d6051cf6678b6d5db774fc884390fec626c1f2c
WIP - This patch attempts to fix the py3x gates.
Please add to it as you find issues.
Closes-Bug: #1659064
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Depends-On: If6b6f19130c965436a637a03a4cf72203e0786b0
Change-Id: If642f7ddcb886b4e9fd04a12397f26c72b3485a4
Remove unneeded import_group lines which are not doing anything and just make
the code harder to understand.
Change-Id: I673dd04dd31ae9771e6af982d184eee0e9cbf2d4
Change methods used in backend to authenticate with keystone.
Use the autodetection mechanism for the API version and refactor config
options specified in Octavia.
Change-Id: Id0deee2714040d271f43a537c27f410e2f4e3ef2
Closes-Bug: #1620668
Closes-Bug: #1618691
This commit adds the ability for Octavia to make use of PKCS7
intermediate certificate bundles. These PKCS7 bundles may be in PEM or
DER format. This feature is being added since barbican specifies that
this is the preferred format for intermediate bundles in secret
containers.
This commit also re-arranges and/or strengthens several of our existing
tests of TLS / SNI functionality and in the process also fixes a bug
where encrypted private keys were not uploaded to amphorae in a format
that haproxy can readily parse. I have also added several sample or
dummy certificates which can be used for an up-coming scenario test
which exercises TLS-termination capabilities of Octavia.
Change-Id: I14e394bbf48456d2e2a7bbefcc777a1b6f4b83e4
Closes-Bug: #1627356
Closes-Bug: #1627367
Basic clean up work.
In some files, oslo_config.cfg and oslo_log.log have been imported
but not used. So remove them.
I noticed that there are a lot of unused conf variables in nova and
there is a patch to clean them up:
https://review.openstack.org/#/c/280068/
So I wondered if this was a thing in octavia as well.
Turns out it is. :-)
If I have to say why not keep them, I think it should be to make the
code clean and avoid redundant compilation.
Change-Id: I59b3dcef9143db2dbaae0c9c51f4e098ddcc16e3
When requesting for a barbican client, this change lets you filter based on
region and endpoint_type.
Conflicts:
etc/octavia.conf
Change-Id: Ib4b9b75027443177c039f60f99822b9b3d021b8a
LocalCertManager is unusable because there's no way to get cert data
into the system (the API doesn't accept it) so there's no way we could
store it, which makes it unusable for its original purpose which was to
be a dev tool (it is not suitable for production use in any case).
Barbican does not support certificate generation in a way that makes
sense for us (they do async only) and Anchor will be the way forward.
This driver will never be completed and therefore should be removed.
Change-Id: I78019bc7ad7dffc745055216ed2aace725c58de2
Replace the hardcoded signing digest with the one as retrieved from
the corresponding configuration attribute.
Change-Id: Id51f44074ce0495609d6c8d99bae8cad7f32057f
There is now a new configuration option "barbican_auth" in the
certificates section, to specify which auth plugin to use when
communicating with Barbican. This is because the default option (using
ACLs inside Barbican to control access) should be ok as a default
workflow, but it might be required to use other methods depending on
your deployment. For example, another possible auth method would be
BarbicanTrustAuth, utilizing Keystone Trusts.
Some deployers may need custom auth methods that do not exist in
upstream Keystone, and will need their own Auth plugin. This should be in line
with the way Octavia's network and compute drivers work already.
While we're in this file, prune the unused (and really bad) method that
would *actually* delete certs from Barbican (not in our scope).
Also do the tenant_id -> project_id rename.
Change-Id: Ic9aef68924bb5c216734afd25403e59476c576e7
Use Anchor for certificate signing to make the octavia communication
more secure. Anchor Ref url: https://github.com/openstack/anchor
Co-Authored-By: bharath <bharath.stacker@gmail.com>
Co-Authored-By: German Eichberger <german.eichberger@hp.com>
Change-Id: Id77b2b1540377db661f15d4eeafc4922f446d987
The new local certificate generator code uses local time
for validity periods causing failures on hosts that do not
use UTC time.
This patch changes this to always use UTC time for certificate
generation.
Change-Id: Ice15ab53f322ac148c85e1f6e781f63f661d6179
Closes-Bug: #1514601
In certain cases (non-deterministic? maybe OS related?) the pyOpenSSL
bindings were not working properly, and since I was meaning to do
this eventually anyway, I just went ahead and did it now.
Change-Id: Ifb71f507875eef5f540eb602c3328b0f563b9796
We should delegate (when possible) formatting to the logger in order to
perform formatting only when needed, by using:
    LOG.<level>(message, data)
instead of:
    LOG.<level>(message % data)
and
    try:
        ...
    except ...:
        LOG.exception("lorem ipsum")
instead of:
    try:
        ...
    except ... as e:
        LOG.error("lorem ipsum: %s:", e)
Change-Id: I8052ebd026c380499c19562bcb29b05cd8a7f5f0
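An added stand-alone illustration (not code from the Octavia change) of why the two forms differ: a constructed Payload object counts how often it is rendered, showing that a disabled debug message never touches the data when formatting is left to the logger, and that LOG.exception records the traceback that LOG.error("...: %s", e) drops. The names Payload, make_logger, eager_vs_lazy and exception_logging are assumptions here.

```python
import io
import logging


class Payload:
    """Constructed stand-in for data that should be rendered only if logged."""

    def __init__(self):
        self.renders = 0

    def __str__(self):
        self.renders += 1
        return "<payload>"


def make_logger(name, debug_enabled):
    """Build an isolated logger that writes to an in-memory buffer."""
    log = logging.getLogger("demo." + name)
    log.setLevel(logging.DEBUG if debug_enabled else logging.INFO)
    log.propagate = False
    log.handlers[:] = []
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    log.addHandler(handler)
    return log, buf


def eager_vs_lazy(debug_enabled):
    """Return (eager_renders, lazy_renders) after one debug call each."""
    log, _ = make_logger("lazy", debug_enabled)
    eager, lazy = Payload(), Payload()
    log.debug("eager: %s" % eager)  # str() runs before the level check
    log.debug("lazy: %s", lazy)     # str() runs in the logger, only if emitted
    return eager.renders, lazy.renders


def exception_logging():
    """Return (traceback_logged_by_error, traceback_logged_by_exception)."""
    log1, buf1 = make_logger("err", True)
    log2, buf2 = make_logger("exc", True)
    try:
        {}["missing"]
    except KeyError as e:
        log1.error("lookup failed: %s", e)  # message only, no traceback
    try:
        {}["missing"]
    except KeyError:
        log2.exception("lookup failed")  # ERROR level plus the traceback
    return "Traceback" in buf1.getvalue(), "Traceback" in buf2.getvalue()
```

With debug disabled the eager form still renders the payload once while the lazy form never does; with debug enabled both render exactly once.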
Adds rest driver methods
Adds rest driver tests
Add cert task for generating server certs
Modified compute task/flow
Fixed local certificate stuff
Refactored to use requests-mock instead of responses
Added a "conditional flow" for REST
Cleaned up and changed the code to work with
https://review.openstack.org/#/c/160034/
Replaces:
https://review.openstack.org/#/c/144348/
https://review.openstack.org/#/c/145637/14
Change-Id: Ibcbf0717b785aab4c604deef1061e8b2fa41006c
Co-Authored-By: Phillip Toohill <phillip.toohill@rackspace.com>
Co-Authored-By: German Eichberger <german.eichberger@hp.com>
Co-Authored-By: Stephen Balukoff <sbalukoff@bluebox.net>
Implements: bp/haproxy-amphora-driver
This is for fixing the octavia issue.
We ran the Octavia code base through a static code analyser and several issues got flagged.
As an exercise we looked at each issue and are now proposing fixes to the complexity/code style issues.
Change-Id: I2fc0cf213a9f7488e7cf1dff789d98ca2deeb81f
The generated certs should be recognized as client authenticating
certs as well. The x509 should also be version 3.
Change-Id: Iadceba964761548625550d4aa2c5a4ad90e76684