Refactor TLS cert fetching for config

* No longer generate a key and CSR and sign a cert if use_keystone is set.
* Break complex section into smaller functions.

Change-Id: I500d9421d188c98daa685aaff79968a935ce8371
Dale Smith 2024-05-10 09:52:00 +12:00
parent 260925ec64
commit 3833c46ba4
2 changed files with 51 additions and 17 deletions


@ -438,30 +438,63 @@ class ConfigCluster(command.Command):
cluster_template = mag_client.cluster_templates.get( cluster_template = mag_client.cluster_templates.get(
cluster.cluster_template_id) cluster.cluster_template_id)
opts = {
'cluster_uuid': cluster.uuid,
}
tls = None tls = self._fetch_tls(
if not cluster_template.tls_disabled: mag_client=mag_client,
tls = magnum_utils.generate_csr_and_key() cluster_uuid=cluster.uuid,
tls['ca'] = mag_client.certificates.get(**opts).pem tls_required=(not cluster_template.tls_disabled),
opts['csr'] = tls['csr'] certkey_required=(not parsed_args.use_keystone)
tls['cert'] = mag_client.certificates.create(**opts).pem )
if parsed_args.output_certs:
for k in ('key', 'cert', 'ca'): if parsed_args.output_certs:
fname = "%s/%s.pem" % (parsed_args.dir, k) self._write_certs(
if os.path.exists(fname) and not parsed_args.force: certs=tls,
raise Exception("File %s exists, aborting." % fname) path=parsed_args.dir,
else: force=parsed_args.force
with open(fname, "w") as f: )
f.write(tls[k])
print(magnum_utils.config_cluster( print(magnum_utils.config_cluster(
cluster, cluster_template, parsed_args.dir, cluster, cluster_template, parsed_args.dir,
force=parsed_args.force, certs=tls, force=parsed_args.force, certs=tls,
use_keystone=parsed_args.use_keystone)) use_keystone=parsed_args.use_keystone))
def _fetch_tls(
self,
mag_client,
cluster_uuid,
tls_required,
certkey_required=True,
):
if not tls_required:
return {}
opts = {
'cluster_uuid': cluster_uuid,
}
tls = {
'ca': mag_client.certificates.get(**opts).pem
}
if certkey_required:
csr = magnum_utils.generate_csr_and_key()
opts['csr'] = csr['csr']
tls['cert'] = mag_client.certificates.create(**opts).pem
tls['key'] = csr['key']
return tls
def _write_certs(self, certs, path, force):
for k in ('key', 'cert', 'ca'):
fname = "%s/%s.pem" % (path, k)
if os.path.exists(fname):
if not force:
raise Exception("File %s exists, aborting." % fname)
os.remove(fname)
if k not in certs:
# key and cert aren't always generated
continue
with open(fname, "w") as f:
f.write(certs[k])
class ResizeCluster(command.Command): class ResizeCluster(command.Command):
_description = _("Resize a Cluster") _description = _("Resize a Cluster")
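Review bot: `_write_certs` creates `key.pem` with `open(fname, "w")`, so the private key's file mode is whatever the process umask allows and can end up readable by other local users. The separate `os.path.exists` / `os.remove` / `open` steps also leave a window in which the path can be replaced before it is written. Creating the file exclusively with an explicit mode closes both: `fd = os.open(fname, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)` followed by `with os.fdopen(fd, "w") as f:`. Separately, `_fetch_tls` now returns `{}` where the old code left `tls` as `None` when TLS is disabled; `config_cluster` is not visible here, so it is worth confirming it treats an empty dict the same way.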


@ -269,6 +269,7 @@ def do_cluster_config(cs, args):
'cluster_uuid': cluster.uuid, 'cluster_uuid': cluster.uuid,
} }
# Create a new Certificate and Key, sign it
if not cluster_template.tls_disabled: if not cluster_template.tls_disabled:
tls = magnum_utils.generate_csr_and_key() tls = magnum_utils.generate_csr_and_key()
tls['ca'] = cs.certificates.get(**opts).pem tls['ca'] = cs.certificates.get(**opts).pem