def audit_sc_cert_task(self, context):
        """Audit the intermediate CA certificate of the subcloud at the head of the queue.

        Reads ``self.subclouds_to_audit[0]``. A ``TASK_NAME_PAUSE_AUDIT`` entry
        is consumed and the call returns without auditing. Otherwise the
        certificate served by the subcloud's sysinv endpoint is compared
        (``cutils.verify_intermediate_ca_cert``) against the chain built from
        the ``tls.crt`` and ``ca.crt`` entries of the subcloud's intermediate CA
        secret. In-sync: the status is set to ``SYNC_STATUS_IN_SYNC`` and the
        subcloud leaves the queue. Out-of-sync: the subcloud is requeued, the
        status is set to ``SYNC_STATUS_OUT_OF_SYNC`` and the secret's material
        is handed to ``utils.update_subcloud_ca_cert``. If the endpoint
        certificate or the secret cannot be read, the subcloud is dropped from
        the queue without a reaudit.

        Args:
            context: not used by this method; part of the task signature.
        """
        if not self.subclouds_to_audit:
            return

        subcloud_name = self.subclouds_to_audit[0]
        if subcloud_name == TASK_NAME_PAUSE_AUDIT:
            LOG.info('Pause audit for ongoing update to complete')
            self.subclouds_to_audit.pop(0)
            return

        LOG.info('Auditing %s' % subcloud_name)

        try:
            subcloud_sysinv_url = utils.dc_get_subcloud_sysinv_url(subcloud_name)
            sc_ssl_cert = utils.get_endpoint_certificate(subcloud_sysinv_url)

            secret = utils.get_sc_intermediate_ca_secret(subcloud_name)
            # Every entry must exist before any of them is decoded; the first
            # missing one (in this order) is reported.
            missing_key = next(
                (key for key in ('ca.crt', 'tls.crt', 'tls.key')
                 if key not in secret.data),
                None)
            if missing_key is not None:
                raise Exception('%s certificate data missing %s' %
                                (subcloud_name, missing_key))

            txt_ssl_cert = base64.b64decode(secret.data['tls.crt'])
            # tls.key is key material: it is passed on below but never logged.
            txt_ssl_key = base64.b64decode(secret.data['tls.key'])
            txt_ca_cert = base64.b64decode(secret.data['ca.crt'])
        except Exception as err:
            LOG.error('Cannot audit ssl certificate on %s' % subcloud_name)
            LOG.exception(err)
            # Certificate not ready: drop the entry rather than reaudit it.
            # A later certificate MODIFIED event is expected to bring it back.
            self.subclouds_to_audit.pop(0)
            return

        cert_chain = txt_ssl_cert + txt_ca_cert
        dc_token = utils.get_dc_token(subcloud_name)
        chain_in_sync = cutils.verify_intermediate_ca_cert(cert_chain, sc_ssl_cert)

        if chain_in_sync:
            LOG.info('%s intermediate CA cert is in-sync' % subcloud_name)
            utils.update_subcloud_status(dc_token, subcloud_name,
                                         utils.SYNC_STATUS_IN_SYNC)
            self.subclouds_to_audit.remove(subcloud_name)
            return

        LOG.info(
            'Updating {} intermediate CA as it is out-of-sync'.format(
                subcloud_name))
        # Requeue before updating so the subcloud is reaudited afterwards.
        self.requeue_audit(subcloud_name)

        utils.update_subcloud_status(dc_token, subcloud_name,
                                     utils.SYNC_STATUS_OUT_OF_SYNC)
        try:
            utils.update_subcloud_ca_cert(dc_token, subcloud_name,
                                          subcloud_sysinv_url,
                                          txt_ca_cert, txt_ssl_cert,
                                          txt_ssl_key)
        except Exception:
            # The subcloud stays requeued; the next audit retries the update.
            LOG.exception('Failed to update intermediate CA on %s' %
                          subcloud_name)
    def update_certificate(self, event_data):
        """Push the certificate carried by *event_data* to its subcloud, then audit it.

        Resolves the subcloud name from the event, obtains a DC token for that
        subcloud from ``self.context`` and calls
        ``utils.update_subcloud_ca_cert`` with the event's ``ca_crt``,
        ``tls_crt`` and ``tls_key``. Finally ``self.audit_subcloud`` is
        invoked for the same subcloud.

        Args:
            event_data: event payload exposing ``ca_crt``, ``tls_crt`` and
                ``tls_key`` attributes; ``_get_subcloud_name`` derives the
                subcloud name from it.
        """
        subcloud_name = self._get_subcloud_name(event_data)
        # NOTE(review): the whole event object is logged here; if its repr
        # includes tls_key, private key material ends up in the log — confirm.
        LOG.info('subcloud %s %s' % (subcloud_name, event_data))

        dc_token = self.context.get_dc_token(subcloud_name)
        sysinv_url = utils.dc_get_subcloud_sysinv_url(subcloud_name)
        utils.update_subcloud_ca_cert(
            dc_token,
            subcloud_name,
            sysinv_url,
            event_data.ca_crt,
            event_data.tls_crt,
            event_data.tls_key,
        )

        self.audit_subcloud(subcloud_name)