    def test_load_certificates(self, mock_oslo):
        """Load certs for a TLS+SNI+client-CA listener, then for a bare one.

        In the first case the manager client must see one ``get_cert`` call
        per container, with the context and ``check_only=True``; in the
        second no container is mapped and the empty result dict comes back.
        """
        listener = sample_configs.sample_listener_tuple(tls=True, sni=True,
                                                        client_ca_cert=True)
        client = mock.MagicMock()
        context = mock.Mock()
        context.project_id = '12345'
        with mock.patch.object(cert_parser, 'get_host_names') as host_names, \
                mock.patch.object(cert_parser, '_map_cert_tls_container'):
            host_names.return_value = {'cn': 'fakeCN'}
            cert_parser.load_certificates_data(client, listener, context)

            # One check-only get_cert call per container, in order.
            expected = [
                mock.call.get_cert(context, container, check_only=True)
                for container in ('cont_id_1', 'cont_id_2', 'cont_id_3')
            ]
            client.assert_has_calls(expected)

        # Test asking for nothing
        listener = sample_configs.sample_listener_tuple(tls=False, sni=False,
                                                        client_ca_cert=False)
        client = mock.MagicMock()
        with mock.patch.object(
                cert_parser, '_map_cert_tls_container') as map_container:
            result = cert_parser.load_certificates_data(client, listener)

            map_container.assert_not_called()
            self.assertEqual({'tls_cert': None, 'sni_certs': []}, result)
            mock_oslo.assert_called()
    def test_load_certificates(self, mock_oslo):
        """Load certs for a TLS+SNI+client-CA listener, then for a bare one.

        In the first case the manager client must see one ``get_cert`` call
        per container, with the context and ``check_only=True``; in the
        second no container is mapped and the empty result dict comes back.
        """
        listener = sample_configs_combined.sample_listener_tuple(
            tls=True, sni=True, client_ca_cert=True)
        client = mock.MagicMock()
        context = mock.Mock()
        context.project_id = '12345'
        with mock.patch.object(cert_parser, 'get_host_names') as host_names, \
                mock.patch.object(cert_parser, '_map_cert_tls_container'):
            host_names.return_value = {'cn': 'fakeCN'}
            cert_parser.load_certificates_data(client, listener, context)

            # One check-only get_cert call per container, in order.
            expected = [
                mock.call.get_cert(context, container, check_only=True)
                for container in ('cont_id_1', 'cont_id_2', 'cont_id_3')
            ]
            client.assert_has_calls(expected)

        # Test asking for nothing
        listener = sample_configs_combined.sample_listener_tuple(
            tls=False, sni=False, client_ca_cert=False)
        client = mock.MagicMock()
        with mock.patch.object(
                cert_parser, '_map_cert_tls_container') as map_container:
            result = cert_parser.load_certificates_data(client, listener)

            map_container.assert_not_called()
            self.assertEqual({'tls_cert': None, 'sni_certs': []}, result)
            mock_oslo.assert_called()
    def test_load_certificates(self):
        """Loading a TLS+SNI listener checks each container with the manager.

        ``get_cert`` must be called once per container id, with the expected
        project id ``'12345'`` and ``check_only=True``.
        """
        listener = sample_configs.sample_listener_tuple(tls=True, sni=True)
        client = mock.MagicMock()
        with mock.patch.object(cert_parser, 'get_host_names') as host_names, \
                mock.patch.object(cert_parser, '_map_cert_tls_container'):
            host_names.return_value = {'cn': 'fakeCN'}
            cert_parser.load_certificates_data(client, listener)

            # One check-only get_cert call per container, in order.
            expected = [
                mock.call.get_cert('12345', container, check_only=True)
                for container in ('cont_id_1', 'cont_id_2', 'cont_id_3')
            ]
            client.assert_has_calls(expected)
    def _process_tls_certificates(self, listener):
        """Processes TLS data from the listener.

        Loads the default and SNI certificates through the certificate
        manager, renders each to PEM and passes the PEMs to
        ``_exec_on_amphorae`` for the load balancer's amphorae, together with
        a ``chmod 600`` on the listener's certificate directory.

        :param listener: listener whose certificates are processed
        :return: the dict returned by ``cert_parser.load_certificates_data``
                 (keys ``tls_cert`` and ``sni_certs``)
        """
        loaded = cert_parser.load_certificates_data(
            self.cert_manager, listener)
        default_cert = loaded['tls_cert']
        sni_certs = loaded['sni_certs']

        # Default cert first, then the SNI certs, each rendered as PEM.
        pem_blobs = []
        if default_cert is not None:
            pem_blobs.append(cert_parser.build_pem(default_cert))
        if sni_certs:
            pem_blobs.extend(cert_parser.build_pem(c) for c in sni_certs)

        if pem_blobs:
            cert_dir = os.path.join(self.amp_config.base_cert_dir, listener.id)
            # NOTE(review): primary_cn is read from the default cert even when
            # only SNI certs were loaded (it would be None then) — confirm
            # callers guarantee a default cert whenever SNI certs exist.
            # NOTE(review): the file name is derived from the certificate's
            # CN, i.e. from uploaded certificate data; later variants of this
            # method name the file by cert.id instead, which avoids
            # CN-derived path components.
            listener_cert = '{0}/{1}.pem'.format(cert_dir,
                                                 default_cert.primary_cn)
            # cert_dir is interpolated into a shell command run on the
            # amphorae, so it must only be built from trusted identifiers.
            chmod_cmd = 'chmod 600 {0}/*.pem'.format(cert_dir)
            self._exec_on_amphorae(
                listener.load_balancer.amphorae, [chmod_cmd],
                make_dir=cert_dir,
                data=pem_blobs, upload_dir=listener_cert)

        return loaded
    def get_certificates(self, obj, context=None):
        """Fetches certificates and creates dict out of octavia objects

        Loads the TLS material of a listener or pool through the certificate
        manager and renders one entry per certificate, the default TLS cert
        first and the SNI certs after it.

        :param obj: octavia listener or pool object
        :param context: optional oslo_context
        :return: list of ``{'id': ..., 'as3': ...}`` dicts, one per cert
        """
        cert_dict = cert_parser.load_certificates_data(self.cert_manager, obj,
                                                       context)

        # Bare container ids: the last path segment of every container ref.
        container_ids = []
        if obj.tls_certificate_id:
            container_ids.append(obj.tls_certificate_id.split('/')[-1])
        if hasattr(obj, 'sni_containers') and obj.sni_containers:
            container_ids.extend(sni.tls_container_id.split('/')[-1]
                                 for sni in obj.sni_containers)
        cert_dict['container_id'] = container_ids
        # Every entry carries the same label naming all containers.
        label = 'Container {}'.format(', '.join(container_ids))

        def as_entry(cert):
            # Render one certificate into the provider's entry format.
            return {
                'id': '{}{}'.format(constants.PREFIX_CERTIFICATE, cert.id),
                'as3': m_cert.get_certificate(label, cert),
            }

        # Note, the first cert is the TLS default cert
        ordered = []
        if cert_dict['tls_cert'] is not None:
            ordered.append(cert_dict['tls_cert'])
        ordered.extend(cert_dict['sni_certs'])
        return [as_entry(cert) for cert in ordered]
    def _process_tls_certificates(self, listener):
        """Processes TLS data from the listener.

        Loads the default and SNI certificates via the certificate manager,
        renders each as PEM and schedules ``_upload_cert`` through ``_apply``
        with the PEM, its MD5 hex digest and a ``<primary_cn>.pem`` name.

        :param listener: listener whose certificates are processed
        :return: dict with ``tls_cert`` (or None) and ``sni_certs`` (list)
        """
        loaded = cert_parser.load_certificates_data(self.cert_manager, listener)
        tls_cert = loaded['tls_cert']
        sni_certs = loaded['sni_certs'] or []

        # Default cert first, then the SNI certs.
        ordered = ([] if tls_cert is None else [tls_cert]) + list(sni_certs)

        for cert in ordered:
            pem = cert_parser.build_pem(cert)
            # The digest accompanies the upload; presumably a transfer
            # checksum rather than a security control.
            digest = hashlib.md5(six.b(pem)).hexdigest()
            # NOTE(review): the file name is taken from the certificate's CN,
            # i.e. from uploaded certificate data; later variants of this
            # method use cert.id, which avoids CN-derived path components.
            file_name = '{cn}.pem'.format(cn=cert.primary_cn)
            self._apply(self._upload_cert, listener, pem, digest, file_name)

        return {'tls_cert': tls_cert, 'sni_certs': sni_certs}
    def _process_tls_certificates(self, listener):
        """Processes TLS data from the listener.

        Loads the default and SNI certificates through the certificate
        manager, renders them to PEM and hands the PEMs to
        ``_exec_on_amphorae`` for the load balancer's amphorae, together with
        a ``chmod 600`` on the listener's certificate directory.

        :param listener: listener whose certificates are processed
        :return: the dict from ``cert_parser.load_certificates_data``
                 (keys ``tls_cert`` and ``sni_certs``)
        """
        certs = cert_parser.load_certificates_data(self.cert_manager, listener)
        tls_cert = certs['tls_cert']
        sni_certs = certs['sni_certs']

        # Default cert first, then the SNI certs.
        ordered = [] if tls_cert is None else [tls_cert]
        if sni_certs:
            ordered += list(sni_certs)
        pems = [cert_parser.build_pem(cert) for cert in ordered]

        if not pems:
            return certs

        cert_dir = os.path.join(self.amp_config.base_cert_dir, listener.id)
        # NOTE(review): primary_cn is taken from the default cert even when
        # only SNI certs were loaded (it would be None then); confirm a
        # default cert is always present in that case.
        # NOTE(review): the file name derives from the certificate's CN, i.e.
        # from uploaded certificate data; later variants of this method use
        # cert.id, which avoids CN-derived path components.
        upload_path = '{0}/{1}.pem'.format(cert_dir, tls_cert.primary_cn)
        # cert_dir ends up inside a shell command executed on the amphorae,
        # so it must only be composed from trusted identifiers.
        self._exec_on_amphorae(listener.load_balancer.amphorae,
                               ['chmod 600 {0}/*.pem'.format(cert_dir)],
                               make_dir=cert_dir,
                               data=pems,
                               upload_dir=upload_path)
        return certs
    def _process_tls_certificates(self, listener):
        """Processes TLS data from the listener.

        Loads the default and SNI certificates via the certificate manager,
        renders each as PEM and schedules ``_upload_cert`` through ``_apply``
        with the PEM, its MD5 hex digest and a ``<primary_cn>.pem`` name.

        :param listener: listener whose certificates are processed
        :return: dict with ``tls_cert`` (or None) and ``sni_certs`` (list)
        """
        loaded = cert_parser.load_certificates_data(
            self.cert_manager, listener)
        tls_cert = loaded['tls_cert']
        sni_certs = loaded['sni_certs'] or []

        # Default cert first, then the SNI certs.
        to_upload = []
        if tls_cert is not None:
            to_upload.append(tls_cert)
        to_upload.extend(sni_certs)

        for cert in to_upload:
            pem = cert_parser.build_pem(cert)
            # The digest accompanies the upload; presumably a transfer
            # checksum rather than a security control.
            digest = hashlib.md5(six.b(pem)).hexdigest()
            # NOTE(review): the file name is taken from the certificate's CN,
            # i.e. from uploaded certificate data; later variants of this
            # method use cert.id, which avoids CN-derived path components.
            file_name = '{cn}.pem'.format(cn=cert.primary_cn)
            self._apply(self._upload_cert, listener, pem, digest, file_name)

        return {'tls_cert': tls_cert, 'sni_certs': sni_certs}
    def _process_tls_certificates(self, listener, amphora=None, obj_id=None):
        """Processes TLS data from the listener.

        Loads the default and SNI certificates via the certificate manager
        and, when both ``amphora`` and ``obj_id`` are given, uploads each
        certificate's PEM to that amphora as ``<cert id>.pem`` together with
        its MD5 hex digest.

        :param listener: listener whose certificates are processed
        :param amphora: target amphora; uploads are skipped when falsy
        :param obj_id: id passed through to ``_upload_cert``; uploads are
                       skipped when falsy
        :return: dict with ``tls_cert`` (or None) and ``sni_certs`` (list)
        """
        loaded = cert_parser.load_certificates_data(self.cert_manager, listener)
        tls_cert = loaded['tls_cert']
        sni_certs = loaded['sni_certs'] or []

        if amphora and obj_id:
            # Default cert first, then the SNI certs.
            ordered = [] if tls_cert is None else [tls_cert]
            ordered.extend(sni_certs)
            for cert in ordered:
                pem = cert_parser.build_pem(cert)
                # Checksum accompanying the upload; md5 is not used as a
                # security control here (hence the nosec).
                digest = hashlib.md5(pem).hexdigest()  # nosec
                self._upload_cert(amphora, obj_id, pem, digest,
                                  '{id}.pem'.format(id=cert.id))
        return {'tls_cert': tls_cert, 'sni_certs': sni_certs}
    def _process_pool_certs(self, listener, pool, amphora=None, obj_id=None):
        """Resolve a pool's client cert, CA cert and CRL into amphora paths.

        The client certificate is loaded through the certificate manager,
        rendered to PEM and, when ``amphora`` and ``obj_id`` are given,
        uploaded to the amphora as ``<cert id>.pem``; the CA cert and CRL are
        delegated to ``_process_secret``.  Every resolved item is mapped to
        its path under the listener's certificate directory.

        :param listener: listener owning the pool (its id names the cert dir)
        :param pool: pool whose TLS references are processed
        :param amphora: target amphora; the client cert upload is skipped
                        when falsy
        :param obj_id: id passed through to ``_upload_cert``
        :return: dict with any of ``client_cert``, ``ca_cert``, ``crl``
                 mapped to their amphora file paths
        """
        def amphora_path(file_name):
            # Path of a file inside the listener's cert dir on the amphora.
            return os.path.join(CONF.haproxy_amphora.base_cert_dir,
                                listener.id, file_name)

        result = {}

        # Handle the client cert(s) and key
        if pool.tls_certificate_id:
            cert_data = cert_parser.load_certificates_data(self.cert_manager,
                                                           pool)
            pem = cert_parser.build_pem(cert_data)
            try:
                # Normalise str output to bytes; bytes has no encode().
                pem = pem.encode('utf-8')
            except AttributeError:
                pass
            # Checksum accompanying the upload; md5 is not used as a
            # security control here (hence the nosec).
            digest = hashlib.md5(pem).hexdigest()  # nosec
            file_name = '{id}.pem'.format(id=cert_data.id)
            if amphora and obj_id:
                self._upload_cert(amphora, obj_id, pem=pem, md5=digest,
                                  name=file_name)
            result['client_cert'] = amphora_path(file_name)

        # CA cert and CRL go through _process_secret.
        if pool.ca_tls_certificate_id:
            result['ca_cert'] = amphora_path(self._process_secret(
                listener, pool.ca_tls_certificate_id, amphora, obj_id))
        if pool.crl_container_id:
            result['crl'] = amphora_path(self._process_secret(
                listener, pool.crl_container_id, amphora, obj_id))

        return result
    def _process_pool_certs(self, listener, pool):
        """Resolve a pool's client cert, CA cert and CRL into amphora paths.

        The client certificate is loaded through the certificate manager,
        rendered to PEM and scheduled for upload through ``_apply`` as
        ``<cert id>.pem``; the CA cert and CRL are delegated to
        ``_process_secret``.  Every resolved item is mapped to its path
        under the listener's certificate directory.

        :param listener: listener owning the pool (its id names the cert dir)
        :param pool: pool whose TLS references are processed
        :return: dict with any of ``client_cert``, ``ca_cert``, ``crl``
                 mapped to their amphora file paths
        """
        def amphora_path(file_name):
            # Path of a file inside the listener's cert dir on the amphora.
            return os.path.join(CONF.haproxy_amphora.base_cert_dir,
                                listener.id, file_name)

        result = {}

        # Handle the client cert(s) and key
        if pool.tls_certificate_id:
            cert_data = cert_parser.load_certificates_data(self.cert_manager,
                                                           pool)
            pem = cert_parser.build_pem(cert_data)
            try:
                # Normalise str output to bytes; bytes has no encode().
                pem = pem.encode('utf-8')
            except AttributeError:
                pass
            # Checksum accompanying the upload; md5 is not used as a
            # security control here (hence the nosec).
            digest = hashlib.md5(pem).hexdigest()  # nosec
            file_name = '{id}.pem'.format(id=cert_data.id)
            self._apply(self._upload_cert, listener, None, pem, digest,
                        file_name)
            result['client_cert'] = amphora_path(file_name)

        # CA cert and CRL go through _process_secret.
        if pool.ca_tls_certificate_id:
            result['ca_cert'] = amphora_path(
                self._process_secret(listener, pool.ca_tls_certificate_id))
        if pool.crl_container_id:
            result['crl'] = amphora_path(
                self._process_secret(listener, pool.crl_container_id))

        return result
    def test_load_certificates(self):
        """Loading a TLS+SNI listener checks each container with the manager.

        ``get_cert`` must be called once per container id with
        ``check_only=True``.
        """
        listener = sample_configs.sample_listener_tuple(tls=True, sni=True)
        client = mock.MagicMock()
        with mock.patch.object(cert_parser, 'get_host_names') as host_names, \
                mock.patch.object(cert_parser, '_map_cert_tls_container'):
            host_names.return_value = {'cn': 'fakeCN'}
            cert_parser.load_certificates_data(client, listener)

            # One check-only get_cert call per container, in order.
            expected = [
                mock.call.get_cert(container, check_only=True)
                for container in ('cont_id_1', 'cont_id_2', 'cont_id_3')
            ]
            client.assert_has_calls(expected)
    def _process_tls_certificates(self, listener, amphora=None, obj_id=None):
        """Processes TLS data from the listener.

        Loads the default and SNI certificates via the certificate manager.
        When ``amphora`` and ``obj_id`` are given, each certificate's PEM is
        uploaded as ``<cert id>.pem`` and a haproxy crt-list file named
        ``<listener id>.pem``, listing those paths, is uploaded afterwards.

        :param listener: listener whose certificates are processed
        :param amphora: target amphora; uploads are skipped when falsy
        :param obj_id: id passed to ``_upload_cert`` and used as the
                       certificate directory name on the amphora
        :return: dict with ``tls_cert`` (or None) and ``sni_certs`` (list)
        """
        loaded = cert_parser.load_certificates_data(self.cert_manager, listener)
        tls_cert = loaded['tls_cert']
        sni_certs = loaded['sni_certs'] or []

        # Note, the first cert is the TLS default cert
        ordered = [] if tls_cert is None else [tls_cert]
        ordered.extend(sni_certs)

        if amphora and obj_id:
            uploaded_paths = []
            for cert in ordered:
                pem = cert_parser.build_pem(cert)
                # Checksum accompanying the upload; md5 is not used as a
                # security control here (hence the nosec).
                digest = hashlib.md5(pem).hexdigest()  # nosec
                file_name = '{id}.pem'.format(id=cert.id)
                uploaded_paths.append(os.path.join(
                    CONF.haproxy_amphora.base_cert_dir, obj_id, file_name))
                self._upload_cert(amphora, obj_id, pem, digest, file_name)

            if ordered:
                # Build and upload the crt-list file for haproxy
                crt_list = ('\n'.join(uploaded_paths) + '\n').encode('utf-8')
                digest = hashlib.md5(crt_list).hexdigest()  # nosec
                self._upload_cert(amphora, obj_id, crt_list, digest,
                                  '{id}.pem'.format(id=listener.id))
        return {'tls_cert': tls_cert, 'sni_certs': sni_certs}
def pool_dict_to_provider_dict(pool_dict):
    """Convert a pool dict (DB shape) into the provider-driver shape.

    Renames ``id``/``load_balancer_id`` and the certificate id keys to their
    ``*_ref`` provider names, resolves certificate, CA and CRL material
    through the configured certificate manager when the pool references any
    of them, strips DB back references and converts the nested health
    monitor and members.

    :param pool_dict: pool as a dict; also used to build a
                      ``data_models.Pool`` for the certificate lookup
    :return: new dict in provider format
    """
    provider = _base_to_provider_dict(pool_dict, include_project_id=True)
    provider['pool_id'] = provider.pop('id')

    def rename(old, new):
        # Move provider[old] to provider[new] when the key is present.
        if old in provider:
            provider[new] = provider.pop(old)

    # Pull the certs out of the certificate manager to pass to the provider
    rename('tls_certificate_id', 'tls_container_ref')
    rename('ca_tls_certificate_id', 'ca_tls_container_ref')
    rename('crl_container_id', 'crl_container_ref')

    pool_obj = data_models.Pool(**pool_dict)
    needs_certs = (pool_obj.tls_certificate_id
                   or pool_obj.ca_tls_certificate_id
                   or pool_obj.crl_container_id)
    if needs_certs:
        # The cert manager driver is resolved from config on every call.
        cert_manager = stevedore_driver.DriverManager(
            namespace='octavia.cert_manager',
            name=CONF.certificates.cert_manager,
            invoke_on_load=True,
        ).driver
        cert_dict = cert_parser.load_certificates_data(cert_manager, pool_obj)
        # The resolved material is attached to the provider dict as plain
        # data; NOTE(review): presumably this includes private key material,
        # so treat the returned dict as sensitive and keep it out of logs —
        # confirm against the cert object's to_dict().
        if cert_dict.get('tls_cert'):
            provider['tls_container_data'] = cert_dict['tls_cert'].to_dict()

        # CA cert and CRL are fetched via _get_secret_data with the pool's
        # project id.
        if pool_obj.ca_tls_certificate_id:
            provider['ca_tls_container_data'] = _get_secret_data(
                cert_manager, pool_obj.project_id,
                pool_obj.ca_tls_certificate_id)
        if pool_obj.crl_container_id:
            provider['crl_container_data'] = _get_secret_data(
                cert_manager, pool_obj.project_id, pool_obj.crl_container_id)

    # Remove the DB back references
    persistence = provider.get('session_persistence')
    if persistence:
        persistence.pop('pool_id', None)
        persistence.pop('pool', None)
    for back_ref in ('l7policies', 'listeners', 'load_balancer'):
        provider.pop(back_ref, None)
    rename('load_balancer_id', 'loadbalancer_id')

    # Nested objects are converted with their own provider converters.
    if 'health_monitor' in provider:
        hm = provider.pop('health_monitor')
        provider['healthmonitor'] = hm_dict_to_provider_dict(hm) if hm else None
    if provider.get('members'):
        provider['members'] = [member_dict_to_provider_dict(member)
                               for member in provider.pop('members')]
    return provider
def listener_dict_to_provider_dict(listener_dict):
    """Convert a listener dict (DB shape) into the provider-driver shape.

    Renames ``id``/``load_balancer_id`` and the certificate id keys to their
    ``*_ref`` provider names, resolves the default/SNI certificates and the
    client CA / CRL secrets through the configured certificate manager when
    the listener references any of them, strips DB back references and
    converts the nested default pool and L7 policies.

    :param listener_dict: listener as a dict; a ``sni_container_refs`` key is
        renamed in place to ``sni_containers`` before the dict is used to
        build a ``data_models.Listener``
    :return: new dict in provider format
    :raises exceptions.ValidationException: if an SNI container has no
        ``tls_container_id`` or is neither a dict nor a string
    """
    new_listener_dict = _base_to_provider_dict(listener_dict,
                                               include_project_id=True)
    new_listener_dict['listener_id'] = new_listener_dict.pop('id')
    if 'load_balancer_id' in new_listener_dict:
        new_listener_dict['loadbalancer_id'] = new_listener_dict.pop(
            'load_balancer_id')

    # Pull the certs out of the certificate manager to pass to the provider
    if 'tls_certificate_id' in new_listener_dict:
        new_listener_dict['default_tls_container_ref'] = new_listener_dict.pop(
            'tls_certificate_id')
    if 'sni_containers' in new_listener_dict:
        # Reduce SNI entries to their container refs; an entry without a
        # tls_container_id is rejected rather than silently skipped.
        sni_refs = []
        sni_containers = new_listener_dict.pop('sni_containers')
        for sni in sni_containers:
            if 'tls_container_id' in sni:
                sni_refs.append(sni['tls_container_id'])
            else:
                raise exceptions.ValidationException(
                    detail=_('Invalid SNI container on listener'))
        new_listener_dict['sni_container_refs'] = sni_refs
    # Mutates the caller's dict: presumably data_models.Listener expects
    # 'sni_containers' rather than 'sni_container_refs'.
    if 'sni_container_refs' in listener_dict:
        listener_dict['sni_containers'] = listener_dict.pop(
            'sni_container_refs')
    if 'client_ca_tls_certificate_id' in new_listener_dict:
        new_listener_dict['client_ca_tls_container_ref'] = (
            new_listener_dict.pop('client_ca_tls_certificate_id'))
    if 'client_crl_container_id' in new_listener_dict:
        new_listener_dict['client_crl_container_ref'] = (
            new_listener_dict.pop('client_crl_container_id'))
    listener_obj = data_models.Listener(**listener_dict)
    if (listener_obj.tls_certificate_id or listener_obj.sni_containers or
            listener_obj.client_ca_tls_certificate_id):
        # SNI entries may be DB dicts (possibly carrying a 'listener' back
        # reference) or bare container-ref strings; normalise to SNI objects.
        SNI_objs = []
        for sni in listener_obj.sni_containers:
            if isinstance(sni, dict):
                if 'listener' in sni:
                    del sni['listener']
                sni_obj = data_models.SNI(**sni)
                SNI_objs.append(sni_obj)
            elif isinstance(sni, six.string_types):
                sni_obj = data_models.SNI(tls_container_id=sni)
                SNI_objs.append(sni_obj)
            else:
                raise exceptions.ValidationException(
                    detail=_('Invalid SNI container on listener'))
        listener_obj.sni_containers = SNI_objs
        # The cert manager driver is resolved from config on every call.
        cert_manager = stevedore_driver.DriverManager(
            namespace='octavia.cert_manager',
            name=CONF.certificates.cert_manager,
            invoke_on_load=True,
        ).driver
        cert_dict = cert_parser.load_certificates_data(cert_manager,
                                                       listener_obj)
        # The loaded certificates are serialised into the provider dict as
        # plain data.  NOTE(review): presumably that includes private key
        # material, so the returned dict should be treated as sensitive and
        # kept out of logs — confirm against the cert object's to_dict().
        if 'tls_cert' in cert_dict and cert_dict['tls_cert']:
            new_listener_dict['default_tls_container_data'] = (
                cert_dict['tls_cert'].to_dict())
        if 'sni_certs' in cert_dict and cert_dict['sni_certs']:
            sni_data_list = []
            for sni in cert_dict['sni_certs']:
                sni_data_list.append(sni.to_dict())
            new_listener_dict['sni_container_data'] = sni_data_list

        # Client CA and CRL are fetched via _get_secret_data with the
        # listener's project id rather than parsed as certificates.
        if listener_obj.client_ca_tls_certificate_id:
            cert = _get_secret_data(cert_manager, listener_obj.project_id,
                                    listener_obj.client_ca_tls_certificate_id)
            new_listener_dict['client_ca_tls_container_data'] = cert
        if listener_obj.client_crl_container_id:
            crl_file = _get_secret_data(cert_manager, listener_obj.project_id,
                                        listener_obj.client_crl_container_id)
            new_listener_dict['client_crl_container_data'] = crl_file

    # Remove the DB back references
    if 'load_balancer' in new_listener_dict:
        del new_listener_dict['load_balancer']
    if 'peer_port' in new_listener_dict:
        del new_listener_dict['peer_port']
    if 'pools' in new_listener_dict:
        del new_listener_dict['pools']
    if 'stats' in new_listener_dict:
        del new_listener_dict['stats']

    # Nested objects are converted with their own provider converters.
    if ('default_pool' in new_listener_dict and
            new_listener_dict['default_pool']):
        pool = new_listener_dict.pop('default_pool')
        new_listener_dict['default_pool'] = pool_dict_to_provider_dict(pool)
    provider_l7policies = []
    if 'l7policies' in new_listener_dict:
        # 'or []' tolerates a None value (no policies).
        l7policies = new_listener_dict.pop('l7policies') or []
        for l7policy in l7policies:
            provider_l7policy = l7policy_dict_to_provider_dict(l7policy)
            provider_l7policies.append(provider_l7policy)
        new_listener_dict['l7policies'] = provider_l7policies
    return new_listener_dict
def listener_dict_to_provider_dict(listener_dict, for_delete=False):
    """Convert a listener dict (DB shape) into the provider-driver shape.

    Renames ``id``/``load_balancer_id`` and the certificate id keys to their
    ``*_ref`` provider names, resolves the default/SNI certificates and the
    client CA / CRL secrets through the configured certificate manager when
    the listener references any of them, flattens ``allowed_cidrs``, strips
    DB back references and converts the nested default pool and L7 policies.

    :param listener_dict: listener as a dict; a ``sni_container_refs`` key is
        renamed in place to ``sni_containers`` before the dict is used to
        build a ``data_models.Listener``
    :param for_delete: when True a failed certificate lookup is logged and
        tolerated (no certificate data is attached) instead of re-raised;
        also forwarded to ``pool_dict_to_provider_dict`` for the default pool
    :return: new dict in provider format
    :raises exceptions.ValidationException: if an SNI container has no
        ``tls_container_id`` or is neither a dict nor a string
    """
    new_listener_dict = _base_to_provider_dict(listener_dict,
                                               include_project_id=True)
    new_listener_dict['listener_id'] = new_listener_dict.pop('id')
    if 'load_balancer_id' in new_listener_dict:
        new_listener_dict['loadbalancer_id'] = new_listener_dict.pop(
            'load_balancer_id')

    # Pull the certs out of the certificate manager to pass to the provider
    if 'tls_certificate_id' in new_listener_dict:
        new_listener_dict['default_tls_container_ref'] = new_listener_dict.pop(
            'tls_certificate_id')
    if 'sni_containers' in new_listener_dict:
        # Reduce SNI entries to their container refs; an entry without a
        # tls_container_id is rejected rather than silently skipped.
        sni_refs = []
        sni_containers = new_listener_dict.pop('sni_containers')
        for sni in sni_containers:
            if 'tls_container_id' in sni:
                sni_refs.append(sni['tls_container_id'])
            else:
                raise exceptions.ValidationException(
                    detail=_('Invalid SNI container on listener'))
        new_listener_dict['sni_container_refs'] = sni_refs
    # Mutates the caller's dict: presumably data_models.Listener expects
    # 'sni_containers' rather than 'sni_container_refs'.
    if 'sni_container_refs' in listener_dict:
        listener_dict['sni_containers'] = listener_dict.pop(
            'sni_container_refs')
    if 'client_ca_tls_certificate_id' in new_listener_dict:
        new_listener_dict['client_ca_tls_container_ref'] = (
            new_listener_dict.pop('client_ca_tls_certificate_id'))
    if 'client_crl_container_id' in new_listener_dict:
        new_listener_dict['client_crl_container_ref'] = (
            new_listener_dict.pop('client_crl_container_id'))
    listener_obj = data_models.Listener(**listener_dict)
    if (listener_obj.tls_certificate_id or listener_obj.sni_containers
            or listener_obj.client_ca_tls_certificate_id):
        # SNI entries may be DB dicts (possibly carrying a 'listener' back
        # reference) or bare container-ref strings; normalise to SNI objects.
        SNI_objs = []
        for sni in listener_obj.sni_containers:
            if isinstance(sni, dict):
                if 'listener' in sni:
                    del sni['listener']
                sni_obj = data_models.SNI(**sni)
                SNI_objs.append(sni_obj)
            elif isinstance(sni, str):
                sni_obj = data_models.SNI(tls_container_id=sni)
                SNI_objs.append(sni_obj)
            else:
                raise exceptions.ValidationException(
                    detail=_('Invalid SNI container on listener'))
        listener_obj.sni_containers = SNI_objs
        # The cert manager driver is resolved from config on every call.
        cert_manager = stevedore_driver.DriverManager(
            namespace='octavia.cert_manager',
            name=CONF.certificates.cert_manager,
            invoke_on_load=True,
        ).driver
        try:
            cert_dict = cert_parser.load_certificates_data(
                cert_manager, listener_obj)
        except Exception as e:
            # Log the failure; on delete it is swallowed (reraise=False) and
            # the conversion continues without certificate data, presumably
            # because the secrets may already be gone. Only the exception's
            # message is logged, not the certificate material.
            with excutils.save_and_reraise_exception() as ctxt:
                LOG.warning('Unable to retrieve certificate(s) due to %s.',
                            str(e))
                if for_delete:
                    ctxt.reraise = False
                    cert_dict = {}
        # The loaded certificates are serialised into the provider dict as
        # plain data.  NOTE(review): presumably that includes private key
        # material, so the returned dict should be treated as sensitive and
        # kept out of logs — confirm against the cert object's to_dict().
        if 'tls_cert' in cert_dict and cert_dict['tls_cert']:
            new_listener_dict['default_tls_container_data'] = (
                cert_dict['tls_cert'].to_dict(recurse=True))
        if 'sni_certs' in cert_dict and cert_dict['sni_certs']:
            sni_data_list = []
            for sni in cert_dict['sni_certs']:
                sni_data_list.append(sni.to_dict(recurse=True))
            new_listener_dict['sni_container_data'] = sni_data_list

        # Client CA and CRL are fetched via _get_secret_data with the
        # listener's project id rather than parsed as certificates. Note
        # these lookups are outside the try above, so they raise even when
        # for_delete is set.
        if listener_obj.client_ca_tls_certificate_id:
            cert = _get_secret_data(cert_manager, listener_obj.project_id,
                                    listener_obj.client_ca_tls_certificate_id)
            new_listener_dict['client_ca_tls_container_data'] = cert
        if listener_obj.client_crl_container_id:
            crl_file = _get_secret_data(cert_manager, listener_obj.project_id,
                                        listener_obj.client_crl_container_id)
            new_listener_dict['client_crl_container_data'] = crl_file

    # Format the allowed_cidrs
    # DB rows arrive as [{'cidr': ...}, ...]; the provider gets a flat list
    # of CIDR strings. Only the first element is inspected for the shape.
    if ('allowed_cidrs' in new_listener_dict
            and new_listener_dict['allowed_cidrs']
            and 'cidr' in new_listener_dict['allowed_cidrs'][0]):
        cidrs_dict_list = new_listener_dict.pop('allowed_cidrs')
        new_listener_dict['allowed_cidrs'] = [
            cidr_dict['cidr'] for cidr_dict in cidrs_dict_list
        ]

    # Remove the DB back references
    if 'load_balancer' in new_listener_dict:
        del new_listener_dict['load_balancer']
    if 'peer_port' in new_listener_dict:
        del new_listener_dict['peer_port']
    if 'pools' in new_listener_dict:
        del new_listener_dict['pools']
    if 'stats' in new_listener_dict:
        del new_listener_dict['stats']

    # Nested objects are converted with their own provider converters.
    if ('default_pool' in new_listener_dict
            and new_listener_dict['default_pool']):
        pool = new_listener_dict.pop('default_pool')
        new_listener_dict['default_pool'] = pool_dict_to_provider_dict(
            pool, for_delete=for_delete)
    provider_l7policies = []
    if 'l7policies' in new_listener_dict:
        # 'or []' tolerates a None value (no policies).
        l7policies = new_listener_dict.pop('l7policies') or []
        for l7policy in l7policies:
            provider_l7policy = l7policy_dict_to_provider_dict(l7policy)
            provider_l7policies.append(provider_l7policy)
        new_listener_dict['l7policies'] = provider_l7policies
    return new_listener_dict
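def listener_dict_to_provider_dict(listener_dict):
    """Convert a listener dict (DB shape) into the provider-driver shape.

    Renames ``id``/``load_balancer_id`` and the certificate id keys to their
    ``*_ref`` provider names, resolves the default/SNI certificates and the
    client CA / CRL secrets through the configured certificate manager when
    the listener references any of them, strips DB back references and
    converts the nested default pool and L7 policies.

    :param listener_dict: listener as a dict; a ``sni_container_refs`` key is
        renamed in place to ``sni_containers`` before the dict is used to
        build a ``data_models.Listener``
    :return: new dict in provider format
    :raises exceptions.ValidationException: if an SNI container is neither
        a dict nor a string
    """
    new_listener_dict = _base_to_provider_dict(listener_dict)
    new_listener_dict['listener_id'] = new_listener_dict.pop('id')
    if 'load_balancer_id' in new_listener_dict:
        new_listener_dict['loadbalancer_id'] = new_listener_dict.pop(
            'load_balancer_id')

    # Pull the certs out of the certificate manager to pass to the provider
    if 'tls_certificate_id' in new_listener_dict:
        new_listener_dict['default_tls_container_ref'] = new_listener_dict.pop(
            'tls_certificate_id')
    if 'sni_containers' in new_listener_dict:
        new_listener_dict['sni_container_refs'] = new_listener_dict.pop(
            'sni_containers')
    # Mutates the caller's dict: presumably data_models.Listener expects
    # 'sni_containers' rather than 'sni_container_refs'.
    if 'sni_container_refs' in listener_dict:
        listener_dict['sni_containers'] = listener_dict.pop(
            'sni_container_refs')
    if 'client_ca_tls_certificate_id' in new_listener_dict:
        new_listener_dict['client_ca_tls_container_ref'] = (
            new_listener_dict.pop('client_ca_tls_certificate_id'))
    if 'client_crl_container_id' in new_listener_dict:
        new_listener_dict['client_crl_container_ref'] = (
            new_listener_dict.pop('client_crl_container_id'))
    listener_obj = data_models.Listener(**listener_dict)
    if (listener_obj.tls_certificate_id or listener_obj.sni_containers or
            listener_obj.client_ca_tls_certificate_id):
        # SNI entries may be DB dicts or bare container-ref strings;
        # normalise to SNI objects. NOTE(review): a 'listener' back
        # reference inside a dict entry is passed straight to SNI(**sni)
        # here — confirm the model accepts it (other variants drop it).
        SNI_objs = []
        for sni in listener_obj.sni_containers:
            if isinstance(sni, dict):
                sni_obj = data_models.SNI(**sni)
                SNI_objs.append(sni_obj)
            elif isinstance(sni, six.string_types):
                sni_obj = data_models.SNI(tls_container_id=sni)
                SNI_objs.append(sni_obj)
            else:
                raise exceptions.ValidationException(
                    detail=_('Invalid SNI container on listener'))
        listener_obj.sni_containers = SNI_objs
        # The cert manager driver is resolved from config on every call.
        cert_manager = stevedore_driver.DriverManager(
            namespace='octavia.cert_manager',
            name=CONF.certificates.cert_manager,
            invoke_on_load=True,
        ).driver
        cert_dict = cert_parser.load_certificates_data(cert_manager,
                                                       listener_obj)
        # The loaded certificates are serialised into the provider dict as
        # plain data.  NOTE(review): presumably that includes private key
        # material, so the returned dict should be treated as sensitive and
        # kept out of logs — confirm against the cert object's to_dict().
        if 'tls_cert' in cert_dict and cert_dict['tls_cert']:
            new_listener_dict['default_tls_container_data'] = (
                cert_dict['tls_cert'].to_dict())
        if 'sni_certs' in cert_dict and cert_dict['sni_certs']:
            new_listener_dict['sni_container_data'] = [
                sni.to_dict() for sni in cert_dict['sni_certs']]

        # Client CA and CRL are fetched via _get_secret_data with the
        # listener's project id rather than parsed as certificates.
        if listener_obj.client_ca_tls_certificate_id:
            cert = _get_secret_data(cert_manager, listener_obj.project_id,
                                    listener_obj.client_ca_tls_certificate_id)
            new_listener_dict['client_ca_tls_container_data'] = cert
        if listener_obj.client_crl_container_id:
            crl_file = _get_secret_data(cert_manager, listener_obj.project_id,
                                        listener_obj.client_crl_container_id)
            new_listener_dict['client_crl_container_data'] = crl_file

    # Remove the DB back references
    for back_ref in ('load_balancer', 'peer_port', 'pools', 'stats'):
        new_listener_dict.pop(back_ref, None)

    # Nested objects are converted with their own provider converters.
    if ('default_pool' in new_listener_dict and
            new_listener_dict['default_pool']):
        pool = new_listener_dict.pop('default_pool')
        new_listener_dict['default_pool'] = pool_dict_to_provider_dict(pool)
    if 'l7policies' in new_listener_dict:
        # 'or []' guards against a None value (no policies), which would
        # otherwise make the iteration fail.
        l7policies = new_listener_dict.pop('l7policies') or []
        new_listener_dict['l7policies'] = [
            l7policy_dict_to_provider_dict(l7policy) for l7policy in l7policies]
    return new_listener_dict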
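def _load_pool_cert_data(new_pool_dict, pool_obj):
    """Resolve the pool's certificate references into *new_pool_dict*.

    Loads the certificate manager driver named by
    ``CONF.certificates.cert_manager`` and, for each reference set on
    *pool_obj*, stores the resolved data (not the reference) under
    ``tls_container_data``, ``ca_tls_container_data`` and
    ``crl_container_data``. After this call the dict carries secret material
    pulled from the certificate manager; do not log or persist it verbatim.

    :param new_pool_dict: provider dict being built; mutated in place.
    :param pool_obj: ``data_models.Pool`` whose ``*_certificate_id`` /
                     ``crl_container_id`` attributes select what to fetch.
    """
    cert_manager = stevedore_driver.DriverManager(
        namespace='octavia.cert_manager',
        name=CONF.certificates.cert_manager,
        invoke_on_load=True,
    ).driver
    cert_dict = cert_parser.load_certificates_data(cert_manager, pool_obj)

    # load_certificates_data returns a dict with a 'tls_cert' entry that is
    # None when the pool has no TLS certificate.
    tls_cert = cert_dict.get('tls_cert')
    if tls_cert:
        new_pool_dict['tls_container_data'] = tls_cert.to_dict()

    # The CA certificate and CRL are fetched as raw secrets (whatever
    # _get_secret_data returns for the container id) rather than parsed.
    if pool_obj.ca_tls_certificate_id:
        new_pool_dict['ca_tls_container_data'] = _get_secret_data(
            cert_manager, pool_obj.project_id, pool_obj.ca_tls_certificate_id)
    if pool_obj.crl_container_id:
        new_pool_dict['crl_container_data'] = _get_secret_data(
            cert_manager, pool_obj.project_id, pool_obj.crl_container_id)


def _strip_pool_back_references(new_pool_dict):
    """Drop the DB back references that must not be handed to a provider.

    Removes ``pool_id``/``pool`` from a nested ``session_persistence`` dict
    and the top-level ``l7policies``, ``listeners`` and ``load_balancer``
    entries, each only when present. *new_pool_dict* is mutated in place.
    """
    session_persistence = new_pool_dict.get('session_persistence')
    if session_persistence:
        session_persistence.pop('pool_id', None)
        session_persistence.pop('pool', None)
    for back_ref in ('l7policies', 'listeners', 'load_balancer'):
        new_pool_dict.pop(back_ref, None)


def pool_dict_to_provider_dict(pool_dict):
    """Convert a pool dict into the dict format used by provider drivers.

    Renames the DB keys to their provider names (``id`` -> ``pool_id``,
    ``tls_certificate_id`` -> ``tls_container_ref``,
    ``ca_tls_certificate_id`` -> ``ca_tls_container_ref``,
    ``crl_container_id`` -> ``crl_container_ref``,
    ``load_balancer_id`` -> ``loadbalancer_id``), resolves any certificate
    references through the configured certificate manager into
    ``*_container_data`` entries, strips the DB back references, and
    converts the nested health monitor and members with their own
    ``*_dict_to_provider_dict`` helpers.

    :param pool_dict: pool attributes; must be accepted by
                      ``data_models.Pool(**pool_dict)``.
    :returns: a new dict in provider format. When the pool references a
              TLS certificate, CA certificate or CRL the result contains the
              fetched secret data, so treat it as sensitive.
    """
    new_pool_dict = _base_to_provider_dict(pool_dict)
    new_pool_dict['pool_id'] = new_pool_dict.pop('id')

    # Rename the certificate references to the provider-facing keys; the
    # referenced secrets themselves are fetched below.
    for db_key, provider_key in (
            ('tls_certificate_id', 'tls_container_ref'),
            ('ca_tls_certificate_id', 'ca_tls_container_ref'),
            ('crl_container_id', 'crl_container_ref')):
        if db_key in new_pool_dict:
            new_pool_dict[provider_key] = new_pool_dict.pop(db_key)

    # Pull the certs out of the certificate manager to pass to the provider.
    # The driver is only loaded when at least one reference is set.
    pool_obj = data_models.Pool(**pool_dict)
    if (pool_obj.tls_certificate_id or pool_obj.ca_tls_certificate_id or
            pool_obj.crl_container_id):
        _load_pool_cert_data(new_pool_dict, pool_obj)

    _strip_pool_back_references(new_pool_dict)

    if 'load_balancer_id' in new_pool_dict:
        new_pool_dict['loadbalancer_id'] = new_pool_dict.pop(
            'load_balancer_id')

    # Nested objects are converted only when present and non-empty; a falsy
    # value is left untouched under its original key.
    health_monitor = new_pool_dict.get('health_monitor')
    if health_monitor:
        new_pool_dict.pop('health_monitor')
        new_pool_dict['healthmonitor'] = hm_dict_to_provider_dict(
            health_monitor)
    members = new_pool_dict.get('members')
    if members:
        new_pool_dict.pop('members')
        new_pool_dict['members'] = [
            member_dict_to_provider_dict(member) for member in members]
    return new_pool_dict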