NSXV: handle certificate bundles

Octavia may supply the driver with a bundle that contains multiple CA
certificates and a signed certificate.
The driver should avoid using CA certificates for the listener.
So when the certificates are uploaded to NSX, the driver should look for
the id of the signed certificate object within the bundle.

Change-Id: I3b183a34f429573f35e343f15a5492d53e541660
Kobi Samoray 2021-05-02 14:47:03 +03:00
parent 61bcb1e4ba
commit 5ec01809d2
1 changed files with 12 additions and 1 deletions


@ -145,7 +145,18 @@ class EdgeListenerManagerFromDict(base_mgr.EdgeLoadbalancerBaseManager):
cert_obj = self.vcns.upload_edge_certificate(edge_id, request)[1]
cert_list = cert_obj.get('certificates', {})
if cert_list:
edge_cert_id = cert_list[0]['objectId']
if len(cert_list) > 1:
LOG.warning(
'Certificate object contains multiple certificates. '
'Using first signed certificate of the bundle')
edge_cert_id = None
for cert in cert_list:
if cert['certificateType'] == 'certificate_signed':
edge_cert_id = cert['objectId']
break
if not edge_cert_id:
error = _("No signed certificate found in certificate bundle")
raise nsxv_exc.NsxPluginException(err_msg=error)
else:
error = _("Failed to upload a certificate to edge %s") % edge_id
raise nsxv_exc.NsxPluginException(err_msg=error)
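Review bot: The certificateType filter only runs when the bundle holds more than one entry; a bundle consisting of a single CA certificate still takes the `edge_cert_id = cert_list[0]['objectId']` path and is bound to the listener unchecked, which is the case the commit message says the driver should avoid. The rendered page has lost the hunk's indentation, so the nesting of the search loop under `if len(cert_list) > 1:` is inferred from the hunk header and line order rather than seen directly. I would drop the `cert_list[0]['objectId']` assignment, keep the warning under the length check, and move the `edge_cert_id = None` / `for cert in cert_list:` search and the `if not edge_cert_id:` raise out to the `if cert_list:` level so every upload is filtered by `certificateType == 'certificate_signed'`. Consider `cert.get('certificateType')` in the loop as well, since a missing key would surface as a KeyError rather than the intended "No signed certificate found" exception. The enclosing method of EdgeListenerManagerFromDict starts before this hunk.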