From 3f7f1471eb909eb052197ab0485f02b58cd0b0af Mon Sep 17 00:00:00 2001
From: Kobi Samoray
Date: Sun, 2 May 2021 14:47:03 +0300
Subject: [PATCH] NSXV: handle certificate bundles

Octavia may supply the driver with a bundle that contains multiple CA and signed certificate. The driver should avoid using CA certificates for the listener. So when the certificates are uploaded to NSX, the driver should look for the id of the signed certificate object within the bundle.

Change-Id: I3b183a34f429573f35e343f15a5492d53e541660
---
 .../lbaas/nsx_v/implementation/listener_mgr.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/vmware_nsx/services/lbaas/nsx_v/implementation/listener_mgr.py b/vmware_nsx/services/lbaas/nsx_v/implementation/listener_mgr.py
index cbc1c5d171..761d170e5d 100644
--- a/vmware_nsx/services/lbaas/nsx_v/implementation/listener_mgr.py
+++ b/vmware_nsx/services/lbaas/nsx_v/implementation/listener_mgr.py
@@ -145,7 +145,18 @@ class EdgeListenerManagerFromDict(base_mgr.EdgeLoadbalancerBaseManager):
             cert_obj = self.vcns.upload_edge_certificate(edge_id, request)[1]
             cert_list = cert_obj.get('certificates', {})
             if cert_list:
-                edge_cert_id = cert_list[0]['objectId']
+                if len(cert_list) > 1:
+                    LOG.warning(
+                        'Certificate object contains multiple certificates. '
+                        'Using first signed certificate of the bundle')
+                edge_cert_id = None
+                for cert in cert_list:
+                    if cert['certificateType'] == 'certificate_signed':
+                        edge_cert_id = cert['objectId']
+                        break
+                if not edge_cert_id:
+                    error = _("No signed certificate found in certificate bundle")
+                    raise nsxv_exc.NsxPluginException(err_msg=error)
             else:
                 error = _("Failed to upload a certificate to edge %s") % edge_id
                 raise nsxv_exc.NsxPluginException(err_msg=error)
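Review bot: The new loop stops at the first entry whose certificateType is 'certificate_signed' and never checks whether the bundle holds more than one signed certificate, so a bundle carrying two leaf certificates would silently bind an arbitrary one to the listener, and the LOG.warning above only reports that several certificates exist, not which objectId was actually selected. It also indexes `cert['certificateType']` directly, so an NSX response entry without that key raises a KeyError instead of the driver's NsxPluginException. I would collect the signed objectIds first, raise on an empty result, warn with the chosen id when more than one signed certificate is present, and read the type with `.get()`; the warning can then be moved after the selection so it states what was done rather than what will be tried. The enclosing method starts and ends outside the hunk.
```python
            if cert_list:
                # Only end-entity ('certificate_signed') objects may be bound
                # to the listener; CA entries in the bundle are skipped.
                signed_ids = [cert['objectId'] for cert in cert_list
                              if cert.get('certificateType') ==
                              'certificate_signed']
                if not signed_ids:
                    error = _("No signed certificate found in certificate bundle")
                    raise nsxv_exc.NsxPluginException(err_msg=error)
                if len(signed_ids) > 1:
                    LOG.warning('Certificate bundle contains %d signed '
                                'certificates; using %s',
                                len(signed_ids), signed_ids[0])
                edge_cert_id = signed_ids[0]
            # … unchanged: else branch raising on upload failure …
```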