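def get_params(self, context, cluster_template, cluster, **kwargs):
    """Build the extra template parameters for a minikube cluster.

    Copies the supported cluster labels into ``extra_params``, adds the
    decrypted cluster CA private key as ``ca_key`` and delegates to the
    parent class.

    :param context: request context, passed to the certificate manager
        and to the parent implementation
    :param cluster_template: forwarded to the parent implementation
    :param cluster: cluster whose labels and CA certificate are read
    :param kwargs: may carry an ``extra_params`` dict to extend; the
        rest is forwarded to the parent implementation
    :returns: whatever the parent ``get_params`` returns
    """
    # NOTE(review): looks like a leftover debug banner at INFO level;
    # consider dropping it or moving it to LOG.debug.
    LOG.info("########## get_params")
    extra_params = kwargs.pop('extra_params', {})

    # Label values are copied as-is; no validation happens here.
    label_list = [
        'minikube_version', 'kubectl_version',
        'occm_container_infra_prefix', 'etcd_version',
    ]
    for label in label_list:
        label_value = cluster.labels.get(label)
        if label_value:
            extra_params[label] = label_value

    # Hand over the CA key.
    # NOTE(review): ca_key is the cluster CA private key in decrypted
    # form. Whatever consumes these parameters should treat it as a
    # secret (hidden parameter, never logged) -- confirm downstream.
    ca_cert = cert_manager.get_cluster_ca_certificate(cluster, context)

    # Read the passphrase once; on Python 3 a text passphrase is encoded
    # to bytes before it is handed to decrypt_key.
    passphrase = ca_cert.get_private_key_passphrase()
    if six.PY3 and isinstance(passphrase, six.text_type):
        passphrase = passphrase.encode()

    ca_key = x509.decrypt_key(ca_cert.get_private_key(), passphrase)
    # Decode whenever the result is not a native str. Previously only the
    # text-passphrase path decoded, so a bytes or None passphrase on
    # Python 3 reached bytes.replace(str, str) and raised TypeError.
    if not isinstance(ca_key, str):
        ca_key = ca_key.decode()
    # Each newline becomes the two-character sequence backslash + "n".
    extra_params['ca_key'] = ca_key.replace("\n", "\\n")

    return super(AtomicMinikubeTemplateDefinition,
                 self).get_params(context, cluster_template, cluster,
                                  extra_params=extra_params,
                                  **kwargs)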
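def _set_cert_manager_params(self, cluster, extra_params):
    """Add the cert-manager parameters when the label enables them.

    When the ``cert_manager_api`` cluster label parses as true, the label
    value and the decrypted cluster CA private key (``ca_key``) are
    written into ``extra_params``. Otherwise nothing is changed.

    :param cluster: cluster whose labels and CA certificate are read
    :param extra_params: dict of template parameters, updated in place
    """
    cert_manager_api = cluster.labels.get('cert_manager_api')
    if not strutils.bool_from_string(cert_manager_api):
        return

    extra_params['cert_manager_api'] = cert_manager_api

    # NOTE(review): ca_key is the cluster CA private key in decrypted
    # form. Whatever consumes extra_params should treat it as a secret
    # (hidden parameter, never logged) -- confirm downstream.
    ca_cert = cert_manager.get_cluster_ca_certificate(cluster)

    # Read the passphrase once; on Python 3 a text passphrase is encoded
    # to bytes before it is handed to decrypt_key.
    passphrase = ca_cert.get_private_key_passphrase()
    if six.PY3 and isinstance(passphrase, six.text_type):
        passphrase = passphrase.encode()

    ca_key = x509.decrypt_key(ca_cert.get_private_key(), passphrase)
    # Decode whenever the result is not a native str. Previously only the
    # text-passphrase path decoded, so a bytes or None passphrase on
    # Python 3 reached bytes.replace(str, str) and raised TypeError.
    if not isinstance(ca_key, str):
        ca_key = ca_key.decode()
    # Each newline becomes the two-character sequence backslash + "n".
    extra_params['ca_key'] = ca_key.replace("\n", "\\n")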
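def _set_cert_manager_params(self, cluster, extra_params):
    """Add the cert-manager parameters when the label enables them.

    When the ``cert_manager_api`` cluster label parses as true, the label
    value and the decrypted cluster CA private key (``ca_key``) are
    written into ``extra_params``. Otherwise nothing is changed.

    :param cluster: cluster whose labels and CA certificate are read
    :param extra_params: dict of template parameters, updated in place
    """
    cert_manager_api = cluster.labels.get('cert_manager_api')
    if not strutils.bool_from_string(cert_manager_api):
        return

    extra_params['cert_manager_api'] = cert_manager_api

    # NOTE(review): ca_key is the cluster CA private key in decrypted
    # form. Whatever consumes extra_params should treat it as a secret
    # (hidden parameter, never logged) -- confirm downstream.
    ca_cert = cert_manager.get_cluster_ca_certificate(cluster)

    # Fetch the passphrase a single time and make it bytes on Python 3,
    # which is what the text-passphrase branch did before.
    passphrase = ca_cert.get_private_key_passphrase()
    if six.PY3 and isinstance(passphrase, six.text_type):
        passphrase = passphrase.encode()

    ca_key = x509.decrypt_key(ca_cert.get_private_key(), passphrase)
    # The old else-branch called .replace("\n", ...) directly on the
    # decrypt_key result; on Python 3 with a non-text passphrase that is
    # bytes.replace(str, str) and raises TypeError. Decode first.
    if not isinstance(ca_key, str):
        ca_key = ca_key.decode()
    # Each newline becomes the two-character sequence backslash + "n".
    extra_params['ca_key'] = ca_key.replace("\n", "\\n")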
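def get_params(self, context, cluster_template, cluster, **kwargs):
    """Build the extra template parameters for a CoreOS k8s cluster.

    Fills ``extra_params`` from the request context, configuration and
    cluster labels, optionally adds the decrypted cluster CA private key
    (``ca_key``), adds the base64-encoded OpenStack CA and delegates to
    the parent class.

    :param context: request context; supplies ``user_name`` and the
        OpenStack client
    :param cluster_template: template whose ``network_driver`` is read
    :param cluster: cluster whose labels and CA certificate are read
    :param kwargs: may carry an ``extra_params`` dict to extend; the
        rest is forwarded to the parent implementation
    :returns: whatever the parent ``get_params`` returns
    """
    extra_params = kwargs.pop('extra_params', {})

    extra_params['username'] = context.user_name
    osc = self.get_osc(context)
    extra_params['region_name'] = osc.cinder_region_name()

    # set docker_volume_type
    # fall back to the configured default when the label is absent
    docker_volume_type = cluster.labels.get(
        'docker_volume_type', CONF.cinder.default_docker_volume_type)
    extra_params['docker_volume_type'] = docker_volume_type

    extra_params['nodes_affinity_policy'] = \
        CONF.cluster.nodes_affinity_policy

    if cluster_template.network_driver == 'flannel':
        extra_params["pods_network_cidr"] = \
            cluster.labels.get('flannel_network_cidr', '10.100.0.0/16')
    if cluster_template.network_driver == 'calico':
        extra_params["pods_network_cidr"] = \
            cluster.labels.get('calico_ipv4pool', '10.100.0.0/16')

    label_list = [
        'coredns_tag', 'kube_tag', 'container_infra_prefix',
        'availability_zone', 'calico_tag',
        'calico_kube_controllers_tag', 'calico_ipv4pool',
        'calico_ipv4pool_ipip', 'etcd_tag', 'flannel_tag',
    ]

    # Label values are copied as-is; no validation happens here.
    labels = self._get_relevant_labels(cluster, kwargs)
    for label in label_list:
        label_value = labels.get(label)
        if label_value:
            extra_params[label] = label_value

    cert_manager_api = cluster.labels.get('cert_manager_api')
    if strutils.bool_from_string(cert_manager_api):
        extra_params['cert_manager_api'] = cert_manager_api
        # NOTE(review): ca_key is the cluster CA private key in decrypted
        # form. Whatever consumes extra_params should treat it as a
        # secret (hidden parameter, never logged) -- confirm downstream.
        ca_cert = cert_manager.get_cluster_ca_certificate(cluster)
        private_key = ca_cert.get_private_key()
        passphrase = ca_cert.get_private_key_passphrase()
        # On Python 3 a text passphrase is encoded to bytes first. On
        # Python 2 ``str`` is ``bytes``, so this test is never true and
        # the passphrase is passed through unchanged.
        if isinstance(passphrase, str) and not isinstance(passphrase,
                                                          bytes):
            passphrase = passphrase.encode()
        ca_key = x509.decrypt_key(private_key, passphrase)
        # decrypt_key can return PEM bytes (the case on Python 3); decode
        # so the str-based replace below does not raise TypeError.
        if not isinstance(ca_key, str):
            ca_key = ca_key.decode()
        # Each newline becomes the two-character sequence backslash + "n".
        extra_params['ca_key'] = ca_key.replace("\n", "\\n")

    plain_openstack_ca = utils.get_openstack_ca()
    encoded_openstack_ca = base64.b64encode(plain_openstack_ca.encode())
    extra_params['openstack_ca_coreos'] = encoded_openstack_ca.decode()

    return super(CoreOSK8sTemplateDefinition,
                 self).get_params(context, cluster_template, cluster,
                                  extra_params=extra_params,
                                  **kwargs)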
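def get_params(self, context, cluster_template, cluster, **kwargs):
    """Build the extra template parameters for a CoreOS k8s cluster.

    Fills ``extra_params`` from the request context, configuration and
    cluster labels, optionally adds the decrypted cluster CA private key
    (``ca_key``), adds the base64-encoded OpenStack CA and delegates to
    the parent class.

    :param context: request context; supplies ``user_name`` and the
        OpenStack client
    :param cluster_template: template whose ``network_driver`` is read
    :param cluster: cluster whose labels and CA certificate are read
    :param kwargs: may carry an ``extra_params`` dict to extend; the
        rest is forwarded to the parent implementation
    :returns: whatever the parent ``get_params`` returns
    """
    extra_params = kwargs.pop('extra_params', {})

    extra_params['username'] = context.user_name
    osc = self.get_osc(context)
    extra_params['region_name'] = osc.cinder_region_name()

    # set docker_volume_type
    # fall back to the configured default when the label is absent
    docker_volume_type = cluster.labels.get(
        'docker_volume_type', CONF.cinder.default_docker_volume_type)
    extra_params['docker_volume_type'] = docker_volume_type

    extra_params['nodes_affinity_policy'] = \
        CONF.cluster.nodes_affinity_policy

    if cluster_template.network_driver == 'flannel':
        extra_params["pods_network_cidr"] = \
            cluster.labels.get('flannel_network_cidr', '10.100.0.0/16')
    if cluster_template.network_driver == 'calico':
        extra_params["pods_network_cidr"] = \
            cluster.labels.get('calico_ipv4pool', '192.168.0.0/16')

    label_list = ['coredns_tag', 'kube_tag', 'container_infra_prefix',
                  'availability_zone', 'calico_tag', 'calico_cni_tag',
                  'calico_kube_controllers_tag', 'calico_ipv4pool',
                  'etcd_tag', 'flannel_tag']

    # Label values are copied as-is; no validation happens here.
    for label in label_list:
        label_value = cluster.labels.get(label)
        if label_value:
            extra_params[label] = label_value

    cert_manager_api = cluster.labels.get('cert_manager_api')
    if strutils.bool_from_string(cert_manager_api):
        extra_params['cert_manager_api'] = cert_manager_api
        # NOTE(review): ca_key is the cluster CA private key in decrypted
        # form. Whatever consumes extra_params should treat it as a
        # secret (hidden parameter, never logged) -- confirm downstream.
        ca_cert = cert_manager.get_cluster_ca_certificate(cluster)
        private_key = ca_cert.get_private_key()
        passphrase = ca_cert.get_private_key_passphrase()
        # On Python 3 a text passphrase is encoded to bytes first. On
        # Python 2 ``str`` is ``bytes``, so this test is never true and
        # the passphrase is passed through unchanged.
        if isinstance(passphrase, str) and not isinstance(passphrase,
                                                          bytes):
            passphrase = passphrase.encode()
        ca_key = x509.decrypt_key(private_key, passphrase)
        # decrypt_key can return PEM bytes (the case on Python 3); decode
        # so the str-based replace below does not raise TypeError.
        if not isinstance(ca_key, str):
            ca_key = ca_key.decode()
        # Each newline becomes the two-character sequence backslash + "n".
        extra_params['ca_key'] = ca_key.replace("\n", "\\n")

    plain_openstack_ca = utils.get_openstack_ca()
    encoded_openstack_ca = base64.b64encode(plain_openstack_ca.encode())
    extra_params['openstack_ca_coreos'] = encoded_openstack_ca.decode()

    return super(CoreOSK8sTemplateDefinition,
                 self).get_params(context, cluster_template, cluster,
                                  extra_params=extra_params,
                                  **kwargs)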
def test_decrypt_key(self, mock_load_pem_private_key,
                     mock_default_backend, mock_no_encryption_class):
    """Check that decrypt_key loads the key and re-serialises it.

    The loader must receive the encrypted key and passphrase, and the
    loaded key must be serialised as PEM / PKCS8 with the patched
    encryption class instance.

    NOTE(review): ``mock_no_encryption_class`` presumably patches the
    "no encryption" serialisation class, in which case this pins that
    decrypt_key returns the private key unprotected -- confirm against
    the decorators on this test.
    """
    loaded_key = mock.MagicMock()
    loaded_key.private_bytes.return_value = mock.sentinel.decrypted
    mock_load_pem_private_key.return_value = loaded_key

    result = operations.decrypt_key(mock.sentinel.key,
                                    mock.sentinel.passphrase)

    mock_load_pem_private_key.assert_called_once_with(
        mock.sentinel.key, mock.sentinel.passphrase)
    expected_serialisation = {
        'encoding': serialization.Encoding.PEM,
        'format': serialization.PrivateFormat.PKCS8,
        'encryption_algorithm': mock_no_encryption_class.return_value,
    }
    loaded_key.private_bytes.assert_called_once_with(
        **expected_serialisation)
    self.assertEqual(mock.sentinel.decrypted, result)
def test_decrypt_key(self, mock_load_pem_private_key,
                     mock_default_backend, mock_no_encryption_class):
    """Check that decrypt_key loads the key and re-serialises it.

    The loader must receive the encrypted key and passphrase, and the
    loaded key must be serialised as PEM / PKCS8 with the patched
    encryption class instance.

    NOTE(review): ``mock_no_encryption_class`` presumably patches the
    "no encryption" serialisation class, in which case this pins that
    decrypt_key returns the private key unprotected -- confirm against
    the decorators on this test.
    """
    key_stub = mock.MagicMock()
    key_stub.private_bytes.return_value = mock.sentinel.decrypted
    mock_load_pem_private_key.return_value = key_stub

    key_arg = mock.sentinel.key
    passphrase_arg = mock.sentinel.passphrase
    decrypted = operations.decrypt_key(key_arg, passphrase_arg)

    mock_load_pem_private_key.assert_called_once_with(
        key_arg, passphrase_arg)
    key_stub.private_bytes.assert_called_once_with(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=mock_no_encryption_class.return_value,
    )
    self.assertEqual(mock.sentinel.decrypted, decrypted)
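def get_params(self, context, cluster_template, cluster, **kwargs):
    """Build the extra template parameters for a Fedora k8s cluster.

    Fills ``extra_params`` from the request context, configuration and
    cluster labels, optionally adds the decrypted cluster CA private key
    (``ca_key``) and delegates to the parent class.

    :param context: request context; supplies ``user_name`` and the
        OpenStack client
    :param cluster_template: forwarded to the parent implementation
    :param cluster: cluster whose labels and CA certificate are read
    :param kwargs: may carry an ``extra_params`` dict to extend; the
        rest is forwarded to the parent implementation
    :returns: whatever the parent ``get_params`` returns
    """
    extra_params = kwargs.pop('extra_params', {})

    extra_params['username'] = context.user_name
    osc = self.get_osc(context)
    extra_params['region_name'] = osc.cinder_region_name()

    # set docker_volume_type
    # fall back to the configured default when the label is absent
    docker_volume_type = cluster.labels.get(
        'docker_volume_type', CONF.cinder.default_docker_volume_type)
    extra_params['docker_volume_type'] = docker_volume_type

    extra_params['nodes_affinity_policy'] = \
        CONF.cluster.nodes_affinity_policy

    label_list = ['kube_tag', 'container_infra_prefix',
                  'availability_zone']

    # Label values are copied as-is; no validation happens here.
    for label in label_list:
        label_value = cluster.labels.get(label)
        if label_value:
            extra_params[label] = label_value

    cert_manager_api = cluster.labels.get('cert_manager_api')
    if strutils.bool_from_string(cert_manager_api):
        extra_params['cert_manager_api'] = cert_manager_api
        # NOTE(review): ca_key is the cluster CA private key in decrypted
        # form. Whatever consumes extra_params should treat it as a
        # secret (hidden parameter, never logged) -- confirm downstream.
        ca_cert = cert_manager.get_cluster_ca_certificate(cluster)
        private_key = ca_cert.get_private_key()
        passphrase = ca_cert.get_private_key_passphrase()
        # On Python 3 a text passphrase is encoded to bytes first. On
        # Python 2 ``str`` is ``bytes``, so this test is never true and
        # the passphrase is passed through unchanged.
        if isinstance(passphrase, str) and not isinstance(passphrase,
                                                          bytes):
            passphrase = passphrase.encode()
        ca_key = x509.decrypt_key(private_key, passphrase)
        # decrypt_key can return PEM bytes (the case on Python 3); decode
        # so the str-based replace below does not raise TypeError.
        if not isinstance(ca_key, str):
            ca_key = ca_key.decode()
        # Each newline becomes the two-character sequence backslash + "n".
        extra_params['ca_key'] = ca_key.replace("\n", "\\n")

    return super(K8sFedoraTemplateDefinition,
                 self).get_params(context, cluster_template, cluster,
                                  extra_params=extra_params,
                                  **kwargs)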
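def get_params(self, context, cluster_template, cluster, **kwargs):
    """Build the extra template parameters for a Fedora k8s cluster.

    Fills ``extra_params`` from the request context, configuration and
    cluster labels, generates a service-account key pair, optionally adds
    the decrypted cluster CA private key (``ca_key``) and delegates to
    the parent class.

    :param context: request context; supplies ``user_name`` and the
        OpenStack client
    :param cluster_template: template whose ``network_driver`` and
        ``volume_driver`` are read
    :param cluster: cluster whose labels, project id and CA certificate
        are read
    :param kwargs: may carry an ``extra_params`` dict to extend; the
        rest is forwarded to the parent implementation
    :returns: whatever the parent ``get_params`` returns
    :raises exception.InvalidParameterValue: when the volume driver is
        ``cinder`` and the ``cloud_provider_enabled`` label is ``false``
    """
    extra_params = kwargs.pop('extra_params', {})

    extra_params['username'] = context.user_name
    osc = self.get_osc(context)
    extra_params['region_name'] = osc.cinder_region_name()

    # set docker_volume_type
    # fall back to the configured default when the label is absent
    docker_volume_type = cluster.labels.get(
        'docker_volume_type', CONF.cinder.default_docker_volume_type)
    extra_params['docker_volume_type'] = docker_volume_type

    extra_params['nodes_affinity_policy'] = \
        CONF.cluster.nodes_affinity_policy

    if cluster_template.network_driver == 'flannel':
        extra_params["pods_network_cidr"] = \
            cluster.labels.get('flannel_network_cidr', '10.100.0.0/16')
    if cluster_template.network_driver == 'calico':
        extra_params["pods_network_cidr"] = \
            cluster.labels.get('calico_ipv4pool', '192.168.0.0/16')

    # check cloud provider and cinder options. If cinder is selected,
    # the cloud provider needs to be enabled.
    cloud_provider_enabled = cluster.labels.get(
        'cloud_provider_enabled', 'true').lower()
    if (cluster_template.volume_driver == 'cinder' and
            cloud_provider_enabled == 'false'):
        raise exception.InvalidParameterValue(
            _('"cinder" volume driver needs "cloud_provider_enabled" label '
              'to be true or unset.'))

    label_list = ['kube_tag', 'container_infra_prefix',
                  'availability_zone', 'cgroup_driver',
                  'calico_tag', 'calico_cni_tag',
                  'calico_kube_controllers_tag', 'calico_ipv4pool',
                  'etcd_tag', 'flannel_tag',
                  'cloud_provider_enabled', 'cloud_provider_tag',
                  'prometheus_tag', 'grafana_tag',
                  'heat_container_agent_tag',
                  'keystone_auth_enabled', 'k8s_keystone_auth_tag',
                  'tiller_enabled', 'tiller_tag', 'tiller_namespace']

    # Label values are copied as-is; no validation happens here.
    for label in label_list:
        label_value = cluster.labels.get(label)
        if label_value:
            extra_params[label] = label_value

    # NOTE(review): kube_service_account_private_key is a freshly
    # generated private key handed over as a parameter value; it should
    # get the same secret handling as ca_key below -- confirm downstream.
    csr_keys = x509.generate_csr_and_key(u"Kubernetes Service Account")

    extra_params['kube_service_account_key'] = \
        csr_keys["public_key"].replace("\n", "\\n")
    extra_params['kube_service_account_private_key'] = \
        csr_keys["private_key"].replace("\n", "\\n")

    cert_manager_api = cluster.labels.get('cert_manager_api')
    if strutils.bool_from_string(cert_manager_api):
        extra_params['cert_manager_api'] = cert_manager_api
        # NOTE(review): ca_key is the cluster CA private key in decrypted
        # form. Whatever consumes extra_params should treat it as a
        # secret (hidden parameter, never logged) -- confirm downstream.
        ca_cert = cert_manager.get_cluster_ca_certificate(cluster)

        # Read the passphrase once; on Python 3 a text passphrase is
        # encoded to bytes before it is handed to decrypt_key.
        passphrase = ca_cert.get_private_key_passphrase()
        if six.PY3 and isinstance(passphrase, six.text_type):
            passphrase = passphrase.encode()

        ca_key = x509.decrypt_key(ca_cert.get_private_key(), passphrase)
        # Decode whenever the result is not a native str. Previously only
        # the text-passphrase path decoded, so a bytes or None passphrase
        # on Python 3 reached bytes.replace(str, str) and raised
        # TypeError.
        if not isinstance(ca_key, str):
            ca_key = ca_key.decode()
        # Each newline becomes the two-character sequence backslash + "n".
        extra_params['ca_key'] = ca_key.replace("\n", "\\n")

    extra_params['project_id'] = cluster.project_id

    return super(K8sFedoraTemplateDefinition,
                 self).get_params(context, cluster_template, cluster,
                                  extra_params=extra_params,
                                  **kwargs)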
def get_decrypted_private_key(self):
    """Return the certificate's private key after decryption.

    The stored key and its passphrase are read from this object and
    handed to ``operations.decrypt_key``; its result is returned as-is.

    NOTE(review): the result is presumably unprotected key material;
    callers should keep it out of logs and persistent storage -- confirm
    at the call sites.
    """
    encrypted_key = self.get_private_key()
    passphrase = self.get_private_key_passphrase()
    return operations.decrypt_key(encrypted_key, passphrase)