Commit Graph

53 Commits (65e132a734f005f090a384bfa129482d195c6d6e)

Author SHA1 Message Date
Michael Johnson 6d2e2be86a Remove references to OpenStack Anchor
The OpenStack Anchor project is now officially retired[1].

This patch removes the references to Anchor from Octavia.
These old references were confusing new users.


Change-Id: Idfe90aa69b497e8270118174dde00567d7fab4ab
4 years ago
Carlos Goncalves c4faac25de Add Python 3.7 support
In order to support Python 3.7, pylint has to be updated to 2.0.0
minimum. Newer versions of Pylint enforce additional checkers which can
be addressed with some code refactoring rather than silently ignoring
them in pylintrc; except useless-object-inheritance which is required to
be silenced so that we stay compatible with Python 2.x.

Story: 2004073
Task: 27434

Change-Id: I52301d763797d619f195bd8a1c32bc47f1e68420
4 years ago
Adam Harwell 57d653cc63 Make amphora cert validity time configurable
This affects only the internal certificates that we generate and install
on Amphorae for use with the amphora-agent.

Change-Id: I8c3eb71246d339bd2d43092cce4e6122a49e9534
4 years ago
Pavel Abalikhin dc5a708d9a Fix initialization of Barbican client
Region and endpoint_type parameters should be used when initializing
Barbican client.

Change-Id: Id5a0c6f061e36b93e82d2eea8a5bac9ede66b159
Story: 2005233
Task: 30015
4 years ago
Zuul e74f19bc0b Merge "Encrypt certs and keys" 4 years ago
ZhaoBo 7aa115a553 Add 2 new fields into Pool API for support re-encryption
Add tls_ca_container_id and crl_container_id into Pool API.

Story: 2003858
Task: 26672
Co-Authored-By: Michael Johnson <>
Change-Id: I6cd6e2ca8e48a5df707a70d22505dec9d752c7eb
4 years ago
Nir Magnezi ae7c87f54a Encrypt certs and keys
Octavia creates certificates and keys to manage encrypted
communication channel to amphorae.
When debug is enabled, the python taskflow module will log
all the information we provide to tasks (and sub-flows)
when we create amphorae or handle with anything related to
certificates and keys management (rotations, etc).

There are ways to tell taskflow to exclude specific things
from being logged (e.g., I136081045787c1bbe3ee846d5845a34201c57864).
While this handles some information in specific flows from being
logged, it is susceptive to code changes.

To avoid an everlasting whack-a-mole game, this patch will merely
encrypt sensitive information so we can safely log it and decrypt
it only when we need to use it.

Change-Id: I06d329ca53bc36bd27f7870ae7c7ca0cf18575b2
4 years ago
ZhaoBo 0cc546a7c7 Add client_ca_tls_container_ref to listener API
This patch adds 'client_ca_tls_container_ref' into the listener API for front
client authentication.

Story: 2002165
Task: 20018
Co-Authored-By: Michael Johnson <>
Change-Id: I8a96d6fdfe53a16d1abcfd09bc6afedd6c490de2
4 years ago
Vadim Ponomarev dca620ce67 Fix auto setup Barbican's ACL in the legacy driver.
Add calls in the barbican legacy driver for set_acl and unset_acl actions when
using certificates in a container.

Change-Id: I7984c85ec98b6b8df00db1b2c58ddc067508b1a5
Story: 2003905
5 years ago
Ann Taraday 2a2b308a39 Fix passphrase None errors
At this moment if ca_private_key_passphrase is None loadbalancer
cannot be created due to AttributeError.
Current change adds check for None before encoding.

Story: 2003588

Task: 24896

Change-Id: I40063aa2f96534c12b284f72d16c9f5a72ad1486
5 years ago
Adam Harwell c3813d9313 Automatically set Barbican ACLs
Story: 2002973
Task: 22981

Co-Authored-By: Carlos Goncalves <>

Change-Id: I51121c599f19a91a6755571abf1c6bd854e7d50f
5 years ago
Doug Hellmann 0322cbc5c3 fix tox python3 overrides
We want to default to running all tox environments under python 3, so
set the basepython value in each environment.

We do not want to specify a minor version number, because we do not
want to have to update the file every time we upgrade python.

We do not want to set the override once in testenv, because that
breaks the more specific versions used in default environments like
py35 and py36.

This patch also updates pylint to 1.5.6 which is compatible with
In updating pylint we have some issues to correct, this patch addresses
those issues so the Octavia code passes pylint 1.5.6.

Change-Id: Iec21f4c803a427059d595612336d67a35ebf9585
Signed-off-by: Doug Hellmann <>
5 years ago
Adam Harwell a1e443ccea Properly test access to tls_refs in the API layer
Change-Id: I264c525c36f301d23378a6d72aded741fcb9f4f6
Story: 2001640
Task: 6658
5 years ago
Jacky Hu 649b33d247 Add license for empty
This also fixes build-openstack-sphinx-docs; there was a change introduced
in sphinx 1.6.6:

If the size of is less than 2, then the module would be
skipped which will cause the sphinx consistency checking failing later.

Change-Id: I9d8764b6e907aceed8bb8a9b04711145d0eb32ad
5 years ago
Adam Harwell 8934a629df Switch to using PKCS12 for TLS Term certs
*NOT* deprecating the old way of storing these, as I believe that would
create a huge mess for anyone already using it.

Change-Id: I1fee174d8b8956f3d2053781a7f18c2940b21765
5 years ago
Dong Jun ff20b3faf4 import _ from octavia.i18n
builtin _ is deprecated and pylint will throw an error for it.

Change-Id: Ia5599dd2c65455eae13fadfac277f590dcaa2df5
6 years ago
Nir Magnezi 4f7c541793 Use flake8-import-order plugin
This addition automates the process, as opposed to relying on review inputs.
Inspired by Ib51bd97dc4394ef2b46d4dbb7fb36a9aa9f8fe3d

Change-Id: I1d6051cf6678b6d5db774fc884390fec626c1f2c
6 years ago
Erik Olof Gunnar Andersson adfe2fec38 Handle log message interpolation by the logger
According to OpenStack Guideline[1], logged string message should be
interpolated by the logger.


Change-Id: I532fe2537fcd2ae6b4344d214a308b1a26416745
6 years ago
Adam Harwell 75c4361a11 Reintroducing local certificate manager, as it is useful for testing
Change-Id: I6616d815135ed00662c3b921796f5e988208bdf8
6 years ago
e dc882e9d27 Remove log translations from octavia
Log messages are no longer being translated. This removes all use of
the _LE, _LI, and _LW translation markers to simplify logging and to
avoid confusion with new contributions.

This patch also adds hacking rules for the translation tags.


Co-Authored-By: Michael Johnson <>
Change-Id: Ic95111d09e38b3f44fd6c85d0bcf0355c21ef545
6 years ago
German Eichberger 38a3d4f318 Fixes Octavia not working with Barbican
Adds conversion of the Barbican payload (see changes at
by using oslo's encodeutils

Change-Id: Ibc9fdc8b1bb19b07e70581c6aaa25c5e45bdb1ba
Closes-Bug: #1681595
6 years ago
Michael Johnson 7fdc8a1e06 Update for new pep8 rules E402 and W503
Change-Id: I181f396b002d0c3b89579c4fc33c34b1c099953e
6 years ago
Michael Johnson 119e223750 Fix py3x gates and functional
WIP - This patch attempts to fix the py3x gates.
Please add to it as you find issues.

Closes-Bug: #1659064

Co-Authored-By: Adam Harwell <>
Depends-On: If6b6f19130c965436a637a03a4cf72203e0786b0

Change-Id: If642f7ddcb886b4e9fd04a12397f26c72b3485a4
6 years ago
Adam Harwell 654e88686e Correcting error message for CA Key validation failure
Change-Id: I8f16b56d09f69b07423faf23615a3bdd15c3b10a
7 years ago
Lubosz "diltram" Kosnik 867b350988 Remove CONF.import_group
Remove unneeded import_group lines which are not doing anything and just makes
code harder to understand.

Change-Id: I673dd04dd31ae9771e6af982d184eee0e9cbf2d4
7 years ago
Lubosz "diltram" Kosnik 076e016bb2 Backend Keystone authentication
Change methods used in backend to authenticate with keystone.
Use autodetection mechanism for API version and refactor config
options specified in Octavia.

Change-Id: Id0deee2714040d271f43a537c27f410e2f4e3ef2
Closes-Bug: #1620668
Closes-Bug: #1618691
7 years ago
Stephen Balukoff a27b5c418a Add support for PKCS7 bundles and encrypted keys
This commit adds the ability for Octavia to make use of PKCS7
intermediate certificate bundles. These PKCS7 bundles may be in PEM or
DER format. This feature is being added since barbican specifies that
this is the preferred format for intermediate bundles in secret

This commit also re-arranges and/or strengthens several of our existing
tests of TLS / SNI functionality and in the process also fixes a bug
where encrypted private keys were not uploaded to amphorae in a format
that haproxy can readily parse. I have also added several sample or
dummy certificates which can be used for an up-coming scenario test
which exercises TLS-termination capabilities of Octavia.

Change-Id: I14e394bbf48456d2e2a7bbefcc777a1b6f4b83e4
Closes-Bug: #1627356
Closes-Bug: #1627367
7 years ago
Adam Harwell 06f50c07ef Barbican Cert Manager fails to correctly parse intermediates
This may be a candidate for stable/liberty backport.

Change-Id: Ia61bbc7099630fa33ca0f1ee4825c2b01244c7f3
Closes-Bug: 1550535
7 years ago
Chaozhe.Chen 2c50fd66f5 Trivial: cleanup unused conf and log variables
Basic clean up work.
In some files, oslo_config.cfg and oslo_log.log have been imported
but not used. So remove them.

I noticed that there are a lot of unused conf variables in nova and
there is a patch to clean them up:
So I wondered if this was a thing in octavia as well.
Turns out it is. :- )

If I have to say why not keep them, I think it should be making
code clean and avoiding redundant compilation.

Change-Id: I59b3dcef9143db2dbaae0c9c51f4e098ddcc16e3
7 years ago
Jenkins 16719f4400 Merge "Adding "region and endpoint_type" parameters to" 7 years ago
Aishwarya Thangappa c887461f61 Adding "region and endpoint_type" parameters to
When requesting for a barbican client, this change lets you filter based on
region and endpoint_type.


Change-Id: Ib4b9b75027443177c039f60f99822b9b3d021b8a
7 years ago
Adam Harwell 0e78993002 Remove dead code around certificate handling
LocalCertManager is unusable because there's no way to get cert data
into the system (the API doesn't accept it) so there's no way we could
store it, which makes it unusable for its original purpose which was to
be a dev tool (it is not suitable for production use in any case).

Barbican does not support certificate generation in a way that makes
sense for us (they do async only) and Anchor will be the way forward.
This driver will never be completed and therefore should be removed.

Change-Id: I78019bc7ad7dffc745055216ed2aace725c58de2
7 years ago
Adam Harwell a2f02d3ec7 Add SubjectAltName and KeyUsage for localcertgen
Change-Id: I3919d392722a625dffe25c7dfe2ec3359f96e8a4
Co-Authored-By: Carlos D. Garza <>
Closes-Bug: 1494420
7 years ago
Bharath M 65ab10aa14 Use signing digest defined in config to sign CSR
Replace the hardcoded signing digest with the one as retrieved from
the corresponding configuration attribute.

Change-Id: Id51f44074ce0495609d6c8d99bae8cad7f32057f
7 years ago
caoyue 1f5031fedc Remove unused logging import
it's obvious the code was copied from another place,
let's make it perfect.

Change-Id: I4f24622c497dd65d1d8a3e829a5ef8c4978f6a46
8 years ago
Adam Harwell 52351a5698 Refactor BarbicanAuth to allow for configurable auth method
There is now a new configuration option "barbican_auth" in the
certificates section, to specify which auth plugin to use when
communicating with Barbican. This is because the default option (using
ACLs inside Barbican to control access) should be ok as a default
workflow, but it might be required to use other methods depending on
your deployment. For example, another possible auth method would be
BarbicanTrustAuth, utilizing Keystone Trusts.

Some deployers may need custom auth methods that do not exist in
upstream Keystone, and will need their own Auth plugin. This should be in line
with the way Octavia's network and compute drivers work already.

While we're in this file, prune the unused (and really bad) method that
would *actually* delete certs from Barbican (not in our scope).
Also do the tenant_id -> project_id rename.

Change-Id: Ic9aef68924bb5c216734afd25403e59476c576e7
8 years ago
bharath d2072ae0ae Anchor support to Octavia
Use Anchor for certificate signing to make the octavia communication
more secure. Anchor Ref url:

Co-Authored-By: bharath <>
Co-Authored-By: German Eichberger <>

Change-Id: Id77b2b1540377db661f15d4eeafc4922f446d987
8 years ago
Michael Johnson f9cfd2cb0f New local certificate generator uses local time
The new local certificate generator code uses local time
for validity periods causing failures on hosts that do not
use UTC time.
This patch changes this to always use UTC time for certificate

Change-Id: Ice15ab53f322ac148c85e1f6e781f63f661d6179
Closes-Bug: #1514601
8 years ago
Adam Harwell 604ea75069 Swap out pyOpenSSL for cryptography in LocalCertGenerator
In certain cases (non-deterministic? maybe OS related?) the pyOpenSSL
bindings were not working properly, and since I was meaning to do
this eventually anyway, I just went ahead and did it now.

Change-Id: Ifb71f507875eef5f540eb602c3328b0f563b9796
8 years ago
Cedric Brandily e7eaba1dfb Improve logging in octavia.certificates
We should delegate (when possible) formatting to the logger in order to
perform formatting only when needed, by using:

 LOG.<level>(message, data)

instead of:

 LOG.<level>(message % data)


 except ...:
   LOG.exception("lorem ipsum")

instead of:

 except ... as e:
   LOG.error("lorem ipsum: %s:", e)

Change-Id: I8052ebd026c380499c19562bcb29b05cd8a7f5f0
8 years ago
Adam Harwell 77125839d5 Correct usage and configuration of CertManager/Generator with Stevedore
Change-Id: Id6371adf104a860e8926b676c8f6842c5c076abf
8 years ago
ptoohill1 5ad396cbb2 Hooking TLS together
Updated components to support TLS

Change-Id: Ia75e1d85709d37fc8cc6a7bba2f59684ce9b76ba
8 years ago
German Eichberger 0abcbc4f7d haproxy reference amphora REST API client
Adds rest driver methods
Adds rest driver tests
Add cert task for generating server certs
Modified compute task/flow
Fixed local certificate stuff
Refactored to use requests-mock instead of responses
Added a "conditional flow" for REST

Cleaned up and changed the code to work with


Change-Id: Ibcbf0717b785aab4c604deef1061e8b2fa41006c
Co-Authored-By: Phillip Toohill <>
Co-Authored-By: German Eichberger <>
Co-Authored-By: Stephen Balukoff <>
Implements: bp/haproxy-amphora-driver
8 years ago
minwang 321bc765ae Fix Octavia complexity issues
This is for fixing the octavia issue.
We ran the Octavia code base through a static code analyser and several issues got flagged.
As an exercise we looked at each issue and are now proposing fixes to the complexity/code style issues.

Change-Id: I2fc0cf213a9f7488e7cf1dff789d98ca2deeb81f
8 years ago
Brandon Logan 98792dd462 DRY'ed keystone session creation and retrieval
Also corrected importing of keystone config options

Change-Id: Icf4ea584bb199d36f848104254a529e19a6cf8ef
8 years ago
Doug Wiegley ccecb6ea26 Sync with oslo-incubator, tweak as needed
Change-Id: Ice3cfd55ebdfc0b1355ecbb48d42c123cdb743bb
8 years ago
Adam Harwell eef90e4962 Update certificate generator implementations
Add PK+Cert generation implementations.

Change-Id: I66d8e202d7d3db55538e8fa8fd16b9e95acb8816
9 years ago
Carlos D. Garza 19856c014e Add nsCertType and ExtendedKey usage extensions to CertGenerator
The generated certs should be recognized as client authenticating
certs as well. The x509 should also be version 3.

Change-Id: Iadceba964761548625550d4aa2c5a4ad90e76684
9 years ago
Adam Harwell 293f44e211 Add Cert+PK generation to Certificate Interface
Change-Id: I82aa573c7db13c7a491b18540379b234c1023eb9
9 years ago
Doug Wiegley 941c302757 Oslo incubator updates
Change-Id: I9559d8a6d59477f6b5ba3f82ab9ecf9b71b75f70
9 years ago