Merge "OpenLDAP certificate support in sysinv apis"

Zuul
2022-03-08 15:39:05 +00:00
committed by Gerrit Code Review
5 changed files with 46 additions and 7 deletions
@@ -81,6 +81,9 @@ def do_certificate_install(cc, args):
data = {'passphrase': args.passphrase,
'mode': args.mode}
if data['mode'] == 'openldap':
raise exc.CommandError('Warning: Invalid mode: openldap')
has_private_key = False
try:
with open(certificate_file, 'r') as reader:
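Review bot: The new mode check refuses openldap only on the client, and the message it raises, `'Warning: Invalid mode: openldap'`, labels a hard failure as a warning without telling the operator why the mode is refused. The constants hunk at the end of this page adds CERT_MODE_OPENLDAP to CERT_MODES_SUPPORTED, so as far as this page shows a direct API call with mode=openldap would still be accepted; if that mode is meant to be set only through the cert-manager path, the server side should enforce that as well rather than relying on the CLI. I would also state the reason in the message, e.g. `raise exc.CommandError('Invalid mode: openldap (not supported by this command)')`. do_certificate_install continues outside the hunk.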
@@ -348,11 +348,12 @@ class CertificateController(rest.RestController):
continue
# validation checking for ssl, docker_registry
# and openstack certficcates
# validation checking for ssl, docker_registry, openldap
# and openstack certificates
if mode in [constants.CERT_MODE_SSL,
constants.CERT_MODE_DOCKER_REGISTRY,
constants.CERT_MODE_OPENSTACK,
constants.CERT_MODE_OPENLDAP,
]:
try:
hash_issuers.append(cutils.get_cert_issuer_hash(cert))
@@ -413,11 +414,12 @@ class CertificateController(rest.RestController):
# information returned from conductor manager.
certificate_dicts = []
for inv_cert in inv_certs:
# for ssl, tmp_mode, docker_registry and openstack certs, if the
# cert is ICA signed cert (ie, the pem_contents contains
# for ssl, tmp_mode, docker_registry, openldap and openstack certs,
# if the cert is ICA signed cert (ie, the pem_contents contains
# intermediate CA certs), skip these intermediate CA certs.
if mode in [constants.CERT_MODE_SSL,
constants.CERT_MODE_DOCKER_REGISTRY,
constants.CERT_MODE_OPENLDAP,
constants.CERT_MODE_OPENSTACK] \
and inv_cert.get('is_ca', None):
continue
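Review bot: The mode list in the second hunk, `[constants.CERT_MODE_SSL, constants.CERT_MODE_DOCKER_REGISTRY, constants.CERT_MODE_OPENLDAP, constants.CERT_MODE_OPENSTACK]`, duplicates the list the first hunk extends, in a different order and with a backslash continuation; this commit had to touch both, and the next mode will too. A module-level tuple such as `LEAF_CERT_MODES = (constants.CERT_MODE_SSL, constants.CERT_MODE_DOCKER_REGISTRY, constants.CERT_MODE_OPENSTACK, constants.CERT_MODE_OPENLDAP)` used as `if mode in LEAF_CERT_MODES and inv_cert.get('is_ca', None):` would keep the two checks in step. Both enclosing methods of CertificateController begin and end outside the hunks.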
@@ -85,6 +85,7 @@ class CertificateMonManager(periodic_task.PeriodicTasks):
self.dc_monitor = None
self.restapicert_monitor = None
self.registrycert_monitor = None
self.openldapcert_monitor = None
self.reattempt_monitor_tasks = []
self.sc_audit_queue = subcloud_audit_queue.SubcloudAuditPriorityQueue()
if CONF.certmon.audit_greenpool_size > 0:
@@ -344,6 +345,10 @@ class CertificateMonManager(periodic_task.PeriodicTasks):
self.registrycert_monitor = watcher.RegistryCert_CertWatcher()
self.registrycert_monitor.initialize()
def init_openldapcert_monitor(self):
self.openldapcert_monitor = watcher.OpenldapCert_CertWatcher()
self.openldapcert_monitor.initialize()
def start_monitor(self):
utils.init_keystone_auth_opts()
dc_role = utils.get_dc_role()
@@ -352,6 +357,7 @@ class CertificateMonManager(periodic_task.PeriodicTasks):
# init platform cert monitors
self.init_restapicert_monitor()
self.init_registrycert_monitor()
self.init_openldapcert_monitor()
# init dc monitor only if running in DC role
if dc_role in (constants.DISTRIBUTED_CLOUD_ROLE_SYSTEMCONTROLLER,
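Review bot: init_openldapcert_monitor is called unconditionally from start_monitor, but nothing in these hunks shows the new monitor being stopped or re-attempted alongside restapicert_monitor and registrycert_monitor; if the manager's stop/cleanup or reattempt path (outside the hunks) enumerates those monitors, openldapcert_monitor presumably needs adding there too. The new method also has no docstring; `"""Create and initialize the watcher for the platform OpenLDAP certificate."""` would say what it owns, since the secret it watches is only named in the watcher class. start_monitor continues outside the hunk.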
@@ -373,6 +373,20 @@ class RegistryCert_CertWatcher(CertWatcher):
self.register_listener(RegistryCertRenew(self.context))
class OpenldapCert_CertWatcher(CertWatcher):
def __init__(self):
super(OpenldapCert_CertWatcher, self).__init__()
def initialize(self):
self.context.initialize()
platcert_ns = constants.CERT_NAMESPACE_PLATFORM_CERTS
LOG.info('setting ns for Openldap cert : %s & registering listener' % platcert_ns)
self.namespace = platcert_ns
self.context.kubernete_namespace = platcert_ns
self.register_listener(OpenldapCertRenew(self.context))
class CertificateRenew(CertWatcherListener):
def __init__(self, context):
super(CertificateRenew, self).__init__(context)
@@ -680,3 +694,13 @@ class RegistryCertRenew(PlatformCertRenew):
LOG.info('RegistryCertRenew: Secret changes detected. Initiating certificate update')
self.update_platform_certificate(event_data, constants.CERT_MODE_DOCKER_REGISTRY, force=True)
class OpenldapCertRenew(PlatformCertRenew):
def __init__(self, context):
super(OpenldapCertRenew, self).__init__(context, constants.OPENLDAP_CERT_SECRET_NAME)
def update_certificate(self, event_data):
LOG.info('OpenldapCertRenew: Secret changes detected. Initiating certificate update')
self.update_platform_certificate(event_data, constants.CERT_MODE_OPENLDAP, force=True)
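Review bot: In the first hunk, OpenldapCert_CertWatcher.initialize formats its log message eagerly with `%` instead of handing the argument to the logger, `LOG.info('setting ns for Openldap cert : %s & registering listener', platcert_ns)`, which defers formatting to the handler and matches the usual logging idiom. The `__init__` that only forwards to super() can be dropped unless it is kept for symmetry with the other watchers. The class body is otherwise a copy of the registry watcher visible just above it, so a shared helper on CertWatcher that takes the listener class would remove the duplication in both hunks. CertificateRenew, which starts at the end of the first hunk, continues outside it.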
@@ -1457,14 +1457,17 @@ CERT_MODE_SSL_CA = 'ssl_ca'
CERT_MODE_DOCKER_REGISTRY = 'docker_registry'
CERT_MODE_OPENSTACK = 'openstack'
CERT_MODE_OPENSTACK_CA = 'openstack_ca'
CERT_MODE_OPENLDAP = 'openldap'
CERT_MODES_SUPPORTED = [CERT_MODE_SSL,
CERT_MODE_SSL_CA,
CERT_MODE_DOCKER_REGISTRY,
CERT_MODE_OPENSTACK,
CERT_MODE_OPENSTACK_CA,
CERT_MODE_OPENLDAP,
]
CERT_MODES_SUPPORTED_CERT_MANAGER = [CERT_MODE_SSL,
CERT_MODE_DOCKER_REGISTRY]
CERT_MODE_DOCKER_REGISTRY,
CERT_MODE_OPENLDAP]
KUBERNETES_ROOTCA_FILE = '/etc/kubernetes/pki/ca.crt'
ETCD_ROOTCA_FILE = '/etc/etcd/ca.crt'
@@ -1969,12 +1972,13 @@ ADMIN_EP_CERT_FORMAT = '{tls_key}'
# Platform certificates
RESTAPI_CERT_SECRET_NAME = "system-restapi-gui-certificate"
REGISTRY_CERT_SECRET_NAME = "system-registry-local-certificate"
OPENLDAP_CERT_SECRET_NAME = "system-openldap-local-certificate"
CERT_NAMESPACE_PLATFORM_CERTS = 'deployment'
CERT_MODE_TO_SECRET_NAME = {
CERT_MODE_SSL: RESTAPI_CERT_SECRET_NAME,
CERT_MODE_DOCKER_REGISTRY: REGISTRY_CERT_SECRET_NAME
CERT_MODE_DOCKER_REGISTRY: REGISTRY_CERT_SECRET_NAME,
CERT_MODE_OPENLDAP: OPENLDAP_CERT_SECRET_NAME
}
# Storage associated networks
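Review bot: The entry `CERT_MODE_DOCKER_REGISTRY: REGISTRY_CERT_SECRET_NAME` in CERT_MODE_TO_SECRET_NAME had to be rewritten only to gain a trailing comma, and the new last entries repeat the pattern, both `CERT_MODE_OPENLDAP: OPENLDAP_CERT_SECRET_NAME` here and `CERT_MODE_OPENLDAP]` closing CERT_MODES_SUPPORTED_CERT_MANAGER in the first hunk. Writing them with trailing commas and the bracket on its own line, as CERT_MODES_SUPPORTED already does, makes the next mode a one-line addition and keeps diffs of this file confined to the lines that actually change.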