Commit Graph

30 Commits (65e132a734f005f090a384bfa129482d195c6d6e)

Author SHA1 Message Date
Michael Johnson 6d2e2be86a Remove references to OpenStack Anchor
The OpenStack Anchor project is now officially retired[1].

This patch removes the references to Anchor from Octavia.
These old references were confusing new users.


Change-Id: Idfe90aa69b497e8270118174dde00567d7fab4ab
2019-06-03 14:58:44 -07:00
Carlos Goncalves c4faac25de Add Python 3.7 support
In order to support Python 3.7, pylint has to be updated to 2.0.0
minimum. Newer versions of Pylint enforce additional checkers which can
be addressed with some code refactoring rather than silently ignoring
them in pylintrc; except useless-object-inheritance which is required to
be silenced so that we stay compatible with Python 2.x.

Story: 2004073
Task: 27434

Change-Id: I52301d763797d619f195bd8a1c32bc47f1e68420
2019-05-14 17:11:22 +00:00
Ann Taraday 2a2b308a39 Fix passphrase None errors
At this moment if ca_private_key_passphrase is None loadbalancer
cannot be created due to AttributeError.
Current change adds check for None before encoding.

Story: 2003588

Task: 24896

Change-Id: I40063aa2f96534c12b284f72d16c9f5a72ad1486
2018-08-30 09:47:54 +00:00
Jacky Hu 649b33d247 Add license for empty
This also fixes build-openstack-sphinx-docs, there was a change introduced
in sphinx 1.6.6:

If the size of is less than 2, then the module would be
skipped which will cause the sphinx consistency checking failing later.

Change-Id: I9d8764b6e907aceed8bb8a9b04711145d0eb32ad
2018-03-14 07:02:56 +09:00
Dong Jun ff20b3faf4 import _ from octavia.i18n
builtin _ is deprecated and pylint will throw an error for it.

Change-Id: Ia5599dd2c65455eae13fadfac277f590dcaa2df5
2017-10-13 21:35:21 +08:00
e dc882e9d27 Remove log translations from octavia
Log messages are no longer being translated. This removes all use of
the _LE, _LI, and _LW translation markers to simplify logging and to
avoid confusion with new contributions.

This patch also adds hacking rules for the translation tags.


Co-Authored-By: Michael Johnson <>
Change-Id: Ic95111d09e38b3f44fd6c85d0bcf0355c21ef545
2017-05-03 20:30:47 -07:00
Michael Johnson 7fdc8a1e06 Update for new pep8 rules E402 and W503
Change-Id: I181f396b002d0c3b89579c4fc33c34b1c099953e
2017-03-10 22:21:39 +00:00
Michael Johnson 119e223750 Fix py3x gates and functional
WIP - This patch attempts to fix the py3x gates.
Please add to it as you find issues.

Closes-Bug: #1659064

Co-Authored-By: Adam Harwell <>
Depends-On: If6b6f19130c965436a637a03a4cf72203e0786b0

Change-Id: If642f7ddcb886b4e9fd04a12397f26c72b3485a4
2017-02-07 11:06:08 -08:00
Adam Harwell 654e88686e Correcting error message for CA Key validation failure
Change-Id: I8f16b56d09f69b07423faf23615a3bdd15c3b10a
2017-01-04 23:09:43 -08:00
Lubosz "diltram" Kosnik 867b350988 Remove CONF.import_group
Remove unneeded import_group lines which are not doing anything and just make
code harder to understand.

Change-Id: I673dd04dd31ae9771e6af982d184eee0e9cbf2d4
2016-11-21 15:54:15 -06:00
Adam Harwell 0e78993002 Remove dead code around certificate handling
LocalCertManager is unusable because there's no way to get cert data
into the system (the API doesn't accept it) so there's no way we could
store it, which makes it unusable for its original purpose which was to
be a dev tool (it is not suitable for production use in any case).

Barbican does not support certificate generation in a way that makes
sense for us (they do async only) and Anchor will be the way forward.
This driver will never be completed and therefore should be removed.

Change-Id: I78019bc7ad7dffc745055216ed2aace725c58de2
2016-02-08 12:43:57 -06:00
Adam Harwell a2f02d3ec7 Add SubjectAltName and KeyUsage for localcertgen
Change-Id: I3919d392722a625dffe25c7dfe2ec3359f96e8a4
Co-Authored-By: Carlos D. Garza <>
Closes-Bug: 1494420
2016-02-04 11:45:54 -06:00
Bharath M 65ab10aa14 Use signing digest defined in config to sign CSR
Replace the hardcoded signing digest with the one as retrieved from
the corresponding configuration attribute.

Change-Id: Id51f44074ce0495609d6c8d99bae8cad7f32057f
2016-01-28 16:06:39 -08:00
caoyue 1f5031fedc Remove unused logging import
It's obvious the code was copied from another place,
let's make it perfect.

Change-Id: I4f24622c497dd65d1d8a3e829a5ef8c4978f6a46
2016-01-15 16:29:01 +08:00
Adam Harwell 52351a5698 Refactor BarbicanAuth to allow for configurable auth method
There is now a new configuration option "barbican_auth" in the
certificates section, to specify which auth plugin to use when
communicating with Barbican. This is because the default option (using
ACLs inside Barbican to control access) should be ok as a default
workflow, but it might be required to use other methods depending on
your deployment. For example, another possible auth method would be
BarbicanTrustAuth, utilizing Keystone Trusts.

Some deployers may need custom auth methods that do not exist in
upstream Keystone, and will need their own Auth plugin. This should be in line
with the way Octavia's network and compute drivers work already.

While we're in this file, prune the unused (and really bad) method that
would *actually* delete certs from Barbican (not in our scope).
Also do the tenant_id -> project_id rename.

Change-Id: Ic9aef68924bb5c216734afd25403e59476c576e7
2015-12-08 14:56:32 -06:00
bharath d2072ae0ae Anchor support to Octavia
Use Anchor for certificate signing to make the octavia communication
more secure. Anchor Ref url:

Co-Authored-By: bharath <>
Co-Authored-By: German Eichberger <>

Change-Id: Id77b2b1540377db661f15d4eeafc4922f446d987
2015-12-03 10:06:04 -08:00
Michael Johnson f9cfd2cb0f New local certificate generator uses local time
The new local certificate generator code uses local time
for validity periods causing failures on hosts that do not
use UTC time.
This patch changes this to always use UTC time for certificate

Change-Id: Ice15ab53f322ac148c85e1f6e781f63f661d6179
Closes-Bug: #1514601
2015-11-09 22:26:38 +00:00
Adam Harwell 604ea75069 Swap out pyOpenSSL for cryptography in LocalCertGenerator
In certain cases (non-deterministic? maybe OS related?) the pyOpenSSL
bindings were not working properly, and since I was meaning to do
this eventually anyway, I just went ahead and did it now.

Change-Id: Ifb71f507875eef5f540eb602c3328b0f563b9796
2015-11-05 16:25:51 +00:00
Adam Harwell 77125839d5 Correct usage and configuration of CertManager/Generator with Stevedore
Change-Id: Id6371adf104a860e8926b676c8f6842c5c076abf
2015-08-13 19:13:22 -05:00
German Eichberger 0abcbc4f7d haproxy reference amphora REST API client
Adds rest driver methods
Adds rest driver tests
Add cert task for generating server certs
Modified compute task/flow
Fixed local certificate stuff
Refactored to use requests-mock instead of responses
Added a "conditional flow" for REST

Cleaned up and changed the code to work with


Change-Id: Ibcbf0717b785aab4c604deef1061e8b2fa41006c
Co-Authored-By: Phillip Toohill <>
Co-Authored-By: German Eichberger <>
Co-Authored-By: Stephen Balukoff <>
Implements: bp/haproxy-amphora-driver
2015-06-29 09:08:37 -07:00
minwang 321bc765ae Fix Octavia complexity issues
This is for fixing the octavia issue.
We ran the Octavia code base through a static code analyser and several issues got flagged.
As an exercise we looked at each issue and are now proposing fixes to the complexity/code style issues.

Change-Id: I2fc0cf213a9f7488e7cf1dff789d98ca2deeb81f
2015-04-28 13:17:10 -07:00
Brandon Logan 98792dd462 DRY'ed keystone session creation and retrieval
Also corrected importing of keystone config options

Change-Id: Icf4ea584bb199d36f848104254a529e19a6cf8ef
2015-03-31 02:34:04 -05:00
Doug Wiegley ccecb6ea26 Sync with oslo-incubator, tweak as needed
Change-Id: Ice3cfd55ebdfc0b1355ecbb48d42c123cdb743bb
2015-03-30 18:06:47 -06:00
Adam Harwell eef90e4962 Update certificate generator implementations
Add PK+Cert generation implementations.

Change-Id: I66d8e202d7d3db55538e8fa8fd16b9e95acb8816
2015-01-14 12:35:29 -06:00
Carlos D. Garza 19856c014e Add nsCertType and ExtendedKey usage extensions to CertGenerator
The generated certs should be recognized as client authenticating
certs as well. The x509 should also be version 3.

Change-Id: Iadceba964761548625550d4aa2c5a4ad90e76684
2015-01-09 00:37:26 -06:00
Adam Harwell 293f44e211 Add Cert+PK generation to Certificate Interface
Change-Id: I82aa573c7db13c7a491b18540379b234c1023eb9
2014-12-18 12:11:11 -08:00
Doug Wiegley 941c302757 Oslo incubator updates
Change-Id: I9559d8a6d59477f6b5ba3f82ab9ecf9b71b75f70
2014-12-02 12:00:34 -07:00
Adam Harwell 0f7e269821 Barbican implementation for Certificates
A Barbican implementation of CertManager and a placeholder
implementation of CertGenerator (not supported yet).

Change-Id: Icdbf883a733101c84b9a7bb933782ef166b929f7
Partially-implements: blueprint tls-data-security
2014-11-19 14:26:26 -06:00
Adam Harwell 1e866f3ba2 Local development implementation for Certificates
A basic local filesystem implementation of CertManager and
a local pyOpenSSL implementation of CertGenerator.

Change-Id: I0eb0476afaad8a1bbb2eaaf90564eb63f7872546
Partially-implements: blueprint tls-data-security
2014-11-12 15:40:10 -06:00
Adam Harwell 1c873900b2 Support for Certificate data handling
Create an interface CertManager for handling certificate data.
Create an interface CertGenerator for signing certificates from CSRs.

Change-Id: I7a18496b9665b74c6ca89c503e68ef33a8581d0f
Partially-implements: blueprint tls-data-security
2014-11-11 14:29:01 -06:00