The OpenStack Anchor project is now officially retired[1].
This patch removes the references to Anchor from Octavia.
These old references were confusing new users.
[1] https://review.opendev.org/#/c/611187/
Change-Id: Idfe90aa69b497e8270118174dde00567d7fab4ab
In order to support Python 3.7, pylint has to be updated to 2.0.0
minimum. Newer versions of Pylint enforce additional checkers which can
be addressed with some code refactoring rather than silently ignoring
them in pylintrc; except useless-object-inheritance which is required to
be silenced so that we stay compatible with Python 2.x.
Story: 2004073
Task: 27434
Change-Id: I52301d763797d619f195bd8a1c32bc47f1e68420
At this moment, if ca_private_key_passphrase is None, a loadbalancer
cannot be created due to an AttributeError.
The current change adds a check for None before encoding.
Story: 2003588
Task: 24896
Change-Id: I40063aa2f96534c12b284f72d16c9f5a72ad1486
This also fixes build-openstack-sphinx-docs, there was a change introduced
in sphinx 1.6.6:
https://github.com/sphinx-doc/sphinx/pull/4335/files
If the size of __init__.py is less than 2, then the module would be
skipped, which will cause the sphinx consistency check to fail later.
Change-Id: I9d8764b6e907aceed8bb8a9b04711145d0eb32ad
WIP - This patch attempts to fix the py3x gates.
Please add to it as you find issues.
Closes-Bug: #1659064
Co-Authored-By: Adam Harwell <flux.adam@gmail.com>
Depends-On: If6b6f19130c965436a637a03a4cf72203e0786b0
Change-Id: If642f7ddcb886b4e9fd04a12397f26c72b3485a4
Remove unneeded import_group lines which are not doing anything and just make
the code harder to understand.
Change-Id: I673dd04dd31ae9771e6af982d184eee0e9cbf2d4
LocalCertManager is unusable because there's no way to get cert data
into the system (the API doesn't accept it) so there's no way we could
store it, which makes it unusable for its original purpose which was to
be a dev tool (it is not suitable for production use in any case).
Barbican does not support certificate generation in a way that makes
sense for us (they do async only) and Anchor will be the way forward.
This driver will never be completed and therefore should be removed.
Change-Id: I78019bc7ad7dffc745055216ed2aace725c58de2
Replace the hardcoded signing digest with the one as retrieved from
the corresponding configuration attribute.
Change-Id: Id51f44074ce0495609d6c8d99bae8cad7f32057f
There is now a new configuration option "barbican_auth" in the
certificates section, to specify which auth plugin to use when
communicating with Barbican. This is because the default option (using
ACLs inside Barbican to control access) should be ok as a default
workflow, but it might be required to use other methods depending on
your deployment. For example, another possible auth method would be
BarbicanTrustAuth, utilizing Keystone Trusts.
Some deployers may need custom auth methods that do not exist in
upstream Keystone, and will need their own Auth plugin. This should be in line
with the way Octavia's network and compute drivers work already.
While we're in this file, prune the unused (and really bad) method that
would *actually* delete certs from Barbican (not in our scope).
Also do the tenant_id -> project_id rename.
Change-Id: Ic9aef68924bb5c216734afd25403e59476c576e7
Use Anchor for certificate signing to make the octavia communication
more secure. Anchor Ref url: https://github.com/openstack/anchor
Co-Authored-By: bharath <bharath.stacker@gmail.com>
Co-Authored-By: German Eichberger <german.eichberger@hp.com>
Change-Id: Id77b2b1540377db661f15d4eeafc4922f446d987
The new local certificate generator code uses local time
for validity periods causing failures on hosts that do not
use UTC time.
This patch changes this to always use UTC time for certificate
generation.
Change-Id: Ice15ab53f322ac148c85e1f6e781f63f661d6179
Closes-Bug: #1514601
In certain cases (non-deterministic? maybe OS related?) the pyOpenSSL
bindings were not working properly, and since I was meaning to do
this eventually anyway, I just went ahead and did it now.
Change-Id: Ifb71f507875eef5f540eb602c3328b0f563b9796
Adds rest driver methods
Adds rest driver tests
Add cert task for generating server certs
Modified compute task/flow
Fixed local certificate stuff
Refactored to use requests-mock instead of responses
Added a "conditional flow" for REST
Cleaned up and changed the code to work with
https://review.openstack.org/#/c/160034/
Replaces:
https://review.openstack.org/#/c/144348/
https://review.openstack.org/#/c/145637/14
Change-Id: Ibcbf0717b785aab4c604deef1061e8b2fa41006c
Co-Authored-By: Phillip Toohill <phillip.toohill@rackspace.com>
Co-Authored-By: German Eichberger <german.eichberger@hp.com>
Co-Authored-By: Stephen Balukoff <sbalukoff@bluebox.net>
Implements: bp/haproxy-amphora-driver
This is for fixing the octavia issue.
We ran the Octavia code base through a static code analyser and several issues got flagged.
As an exercise we looked at each issue and are now proposing fixes to the complexity/code style issues.
Change-Id: I2fc0cf213a9f7488e7cf1dff789d98ca2deeb81f
The generated certs should be recognized as client authenticating
certs as well. The x509 should also be version 3.
Change-Id: Iadceba964761548625550d4aa2c5a4ad90e76684
A Barbican implementation of CertManager and a placeholder
implementation of CertGenerator (not supported yet).
Change-Id: Icdbf883a733101c84b9a7bb933782ef166b929f7
Partially-implements: blueprint tls-data-security
A basic local filesystem implementation of CertManager and
a local pyOpenSSL implementation of CertGenerator.
Change-Id: I0eb0476afaad8a1bbb2eaaf90564eb63f7872546
Partially-implements: blueprint tls-data-security
Create an interface CertManager for handling certificate data.
Create an interface CertGenerator for signing certificates from CSRs.
Change-Id: I7a18496b9665b74c6ca89c503e68ef33a8581d0f
Partially-implements: blueprint tls-data-security