def test_create_client_files_set_file_permissions(self):
mock_cluster = mock.MagicMock()
mock_cluster.uuid = "mock_cluster_uuid"
mock_dir = tempfile.mkdtemp()
cert_dir = os.path.join(mock_dir,
mock_cluster.uuid)
cfg.CONF.set_override("temp_cache_dir", mock_dir, group='cluster')
mock_ca_return = '%s/ca.crt' % cert_dir
mock_key_return = '%s/client.key' % cert_dir
mock_magnum_return = '%s/client.crt' % cert_dir
mock_cert = mock.MagicMock()
mock_cert.get_certificate.return_value = "some_content"
mock_cert.get_decrypted_private_key.return_value = "some_key"
self.CertManager.get_cert.return_value = \
mock_cert
cert_manager.create_client_files(mock_cluster)
ca_permission = stat.S_IMODE(os.lstat(mock_ca_return).st_mode)
self.assertEqual(ca_permission, 0o600)
key_permission = stat.S_IMODE(os.lstat(mock_key_return).st_mode)
self.assertEqual(key_permission, 0o600)
magnum_permission = stat.S_IMODE(os.lstat(mock_magnum_return).st_mode)
self.assertEqual(magnum_permission, 0o600)
def test_create_client_files_set_file_permissions(self):
mock_cluster = mock.MagicMock()
mock_cluster.uuid = "mock_cluster_uuid"
mock_dir = tempfile.mkdtemp()
cert_dir = os.path.join(mock_dir, mock_cluster.uuid)
cfg.CONF.set_override("temp_cache_dir", mock_dir, group='cluster')
mock_ca_return = '%s/ca.crt' % cert_dir
mock_key_return = '%s/client.key' % cert_dir
mock_magnum_return = '%s/client.crt' % cert_dir
mock_cert = mock.MagicMock()
mock_cert.get_certificate.return_value = "some_content"
mock_cert.get_decrypted_private_key.return_value = "some_key"
self.CertManager.get_cert.return_value = \
mock_cert
cert_manager.create_client_files(mock_cluster)
ca_permission = stat.S_IMODE(os.lstat(mock_ca_return).st_mode)
self.assertEqual(ca_permission, 0o600)
key_permission = stat.S_IMODE(os.lstat(mock_key_return).st_mode)
self.assertEqual(key_permission, 0o600)
magnum_permission = stat.S_IMODE(os.lstat(mock_magnum_return).st_mode)
self.assertEqual(magnum_permission, 0o600)
def test_create_client_files_temp_no_dir(self, mock_logging):
mock_cluster = mock.MagicMock()
mock_cluster.uuid = "mock_cluster_uuid"
cfg.CONF.set_override("temp_cache_dir", "", group='cluster')
mock_cert = mock.MagicMock()
mock_cert.get_certificate.return_value = "some_content"
mock_cert.get_decrypted_private_key.return_value = "some_key"
self.CertManager.get_cert.return_value = \
mock_cert
(cluster_ca_cert, cluster_key, cluster_magnum_cert) = \
cert_manager.create_client_files(mock_cluster)
mock_logging.debug.assert_called_once_with(
"Certificates will not be cached in the filesystem: "
"they will be created as tempfiles.")
self.assertEqual(self.CertManager.get_cert.call_count, 2)
self.assertEqual(mock_cert.get_certificate.call_count, 2)
self.assertEqual(mock_cert.get_decrypted_private_key.call_count, 1)
# Test that contents were written to files & returned properly
cluster_ca_cert.seek(0)
cluster_key.seek(0)
cluster_magnum_cert.seek(0)
self.assertEqual(mock_cert.get_certificate.return_value,
cluster_ca_cert.read())
self.assertEqual(mock_cert.get_decrypted_private_key.return_value,
cluster_key.read())
self.assertEqual(mock_cert.get_certificate.return_value,
cluster_magnum_cert.read())
# Test for certs and keys that might be returned in binary
mock_cert.get_certificate.return_value = b"byte_content"
mock_cert.get_decrypted_private_key.return_value = b"byte_key"
ca_cert_text = magnum_cert_text = \
mock_cert.get_certificate.return_value.decode('UTF-8')
magnum_key_text = \
mock_cert.get_decrypted_private_key.return_value.decode('UTF-8')
(cluster_ca_cert, cluster_key, cluster_magnum_cert) = \
cert_manager.create_client_files(mock_cluster)
cluster_ca_cert.seek(0)
cluster_key.seek(0)
cluster_magnum_cert.seek(0)
self.assertEqual(ca_cert_text, cluster_ca_cert.read())
self.assertEqual(magnum_key_text, cluster_key.read())
self.assertEqual(magnum_cert_text, cluster_magnum_cert.read())
def test_create_client_files_temp_no_dir(self, mock_logging):
mock_cluster = mock.MagicMock()
mock_cluster.uuid = "mock_cluster_uuid"
cfg.CONF.set_override("temp_cache_dir", "", group='cluster')
mock_cert = mock.MagicMock()
mock_cert.get_certificate.return_value = "some_content"
mock_cert.get_decrypted_private_key.return_value = "some_key"
self.CertManager.get_cert.return_value = \
mock_cert
(cluster_ca_cert, cluster_key, cluster_magnum_cert) = \
cert_manager.create_client_files(mock_cluster)
mock_logging.debug.assert_called_once_with(
"Certificates will not be cached in the filesystem: "
"they will be created as tempfiles.")
self.assertEqual(self.CertManager.get_cert.call_count, 2)
self.assertEqual(mock_cert.get_certificate.call_count, 2)
self.assertEqual(mock_cert.get_decrypted_private_key.call_count, 1)
# Test that contents were written to files & returned properly
cluster_ca_cert.seek(0)
cluster_key.seek(0)
cluster_magnum_cert.seek(0)
self.assertEqual(mock_cert.get_certificate.return_value,
cluster_ca_cert.read())
self.assertEqual(mock_cert.get_decrypted_private_key.return_value,
cluster_key.read())
self.assertEqual(mock_cert.get_certificate.return_value,
cluster_magnum_cert.read())
# Test for certs and keys that might be returned in binary
mock_cert.get_certificate.return_value = b"byte_content"
mock_cert.get_decrypted_private_key.return_value = b"byte_key"
ca_cert_text = magnum_cert_text = \
mock_cert.get_certificate.return_value.decode('UTF-8')
magnum_key_text = \
mock_cert.get_decrypted_private_key.return_value.decode('UTF-8')
(cluster_ca_cert, cluster_key, cluster_magnum_cert) = \
cert_manager.create_client_files(mock_cluster)
cluster_ca_cert.seek(0)
cluster_key.seek(0)
cluster_magnum_cert.seek(0)
self.assertEqual(ca_cert_text, cluster_ca_cert.read())
self.assertEqual(magnum_key_text, cluster_key.read())
self.assertEqual(magnum_cert_text, cluster_magnum_cert.read())
def docker_for_bay(context, bay):
baymodel = conductor_utils.retrieve_baymodel(context, bay)
ca_cert, magnum_key, magnum_cert = None, None, None
client_kwargs = dict()
if not baymodel.tls_disabled:
(ca_cert, magnum_key,
magnum_cert) = cert_manager.create_client_files(bay)
client_kwargs['ca_cert'] = ca_cert.name
client_kwargs['client_key'] = magnum_key.name
client_kwargs['client_cert'] = magnum_cert.name
yield DockerHTTPClient(
bay.api_address,
CONF.docker.docker_remote_api_version,
CONF.docker.default_timeout,
**client_kwargs
)
if ca_cert:
ca_cert.close()
if magnum_key:
magnum_key.close()
if magnum_cert:
magnum_cert.close()
def test_delete_client_files(self):
mock_cluster = mock.MagicMock()
mock_cluster.uuid = "mock_cluster_uuid"
mock_dir = tempfile.mkdtemp()
cert_dir = os.path.join(mock_dir, mock_cluster.uuid)
cfg.CONF.set_override("temp_cache_dir", mock_dir, group='cluster')
mock_ca_return = '%s/ca.crt' % cert_dir
mock_key_return = '%s/client.key' % cert_dir
mock_magnum_return = '%s/client.crt' % cert_dir
mock_cert = mock.MagicMock()
mock_cert.get_certificate.return_value = "some_content"
mock_cert.get_decrypted_private_key.return_value = "some_key"
self.CertManager.get_cert.return_value = \
mock_cert
(cluster_ca_cert, cluster_key, cluster_magnum_cert) = \
cert_manager.create_client_files(mock_cluster)
# Test the directory and files were created
self.assertEqual(True, os.path.isdir(cert_dir))
self.assertEqual(True, os.path.isfile(mock_ca_return))
self.assertEqual(True, os.path.isfile(mock_key_return))
self.assertEqual(True, os.path.isfile(mock_magnum_return))
cert_manager.delete_client_files(mock_cluster)
# Test that directory and files DNE
self.assertEqual(False, os.path.isdir(cert_dir))
self.assertEqual(False, os.path.isfile(mock_ca_return))
self.assertEqual(False, os.path.isfile(mock_key_return))
self.assertEqual(False, os.path.isfile(mock_magnum_return))
def docker_for_cluster(context, cluster):
cluster_template = conductor_utils.retrieve_cluster_template(
context, cluster)
ca_cert, magnum_key, magnum_cert = None, None, None
client_kwargs = dict()
if not cluster_template.tls_disabled:
(ca_cert, magnum_key,
magnum_cert) = cert_manager.create_client_files(cluster, context)
client_kwargs['ca_cert'] = ca_cert.name
client_kwargs['client_key'] = magnum_key.name
client_kwargs['client_cert'] = magnum_cert.name
yield DockerHTTPClient(
cluster.api_address,
CONF.docker.docker_remote_api_version,
CONF.docker.default_timeout,
**client_kwargs
)
if ca_cert:
ca_cert.close()
if magnum_key:
magnum_key.close()
if magnum_cert:
magnum_cert.close()
def docker_for_bay(context, bay):
baymodel = conductor_utils.retrieve_baymodel(context, bay)
tcp_url = 'tcp://%s:2376' % bay.api_address
ca_cert, magnum_key, magnum_cert = None, None, None
client_kwargs = dict()
if not baymodel.tls_disabled:
tcp_url = 'https://%s:2376' % bay.api_address
(ca_cert, magnum_key,
magnum_cert) = cert_manager.create_client_files(bay)
client_kwargs['ca_cert'] = ca_cert.name
client_kwargs['client_key'] = magnum_key.name
client_kwargs['client_cert'] = magnum_cert.name
yield docker_client.DockerHTTPClient(tcp_url,
CONF.docker.docker_remote_api_version,
CONF.docker.default_timeout,
**client_kwargs)
if ca_cert:
ca_cert.close()
if magnum_key:
magnum_key.close()
if magnum_cert:
magnum_cert.close()
def __init__(self, context, cluster):
self.context = context
self.cluster = cluster
# Load certificates for cluster
(self.ca_file, self.key_file,
self.cert_file) = create_client_files(self.cluster, self.context)
def docker_for_cluster(context, cluster):
cluster_template = conductor_utils.retrieve_cluster_template(
context, cluster)
ca_cert, magnum_key, magnum_cert = None, None, None
client_kwargs = dict()
if not cluster_template.tls_disabled:
(ca_cert, magnum_key,
magnum_cert) = cert_manager.create_client_files(cluster)
client_kwargs['ca_cert'] = ca_cert.name
client_kwargs['client_key'] = magnum_key.name
client_kwargs['client_cert'] = magnum_cert.name
yield DockerHTTPClient(
cluster.api_address,
CONF.docker.docker_remote_api_version,
CONF.docker.default_timeout,
**client_kwargs
)
if ca_cert:
ca_cert.close()
if magnum_key:
magnum_key.close()
if magnum_cert:
magnum_cert.close()
def test_delete_client_files(self):
mock_cluster = mock.MagicMock()
mock_cluster.uuid = "mock_cluster_uuid"
mock_dir = tempfile.mkdtemp()
cert_dir = os.path.join(mock_dir,
mock_cluster.uuid)
cfg.CONF.set_override("temp_cache_dir", mock_dir, group='cluster')
mock_ca_return = '%s/ca.crt' % cert_dir
mock_key_return = '%s/client.key' % cert_dir
mock_magnum_return = '%s/client.crt' % cert_dir
mock_cert = mock.MagicMock()
mock_cert.get_certificate.return_value = "some_content"
mock_cert.get_decrypted_private_key.return_value = "some_key"
self.CertManager.get_cert.return_value = \
mock_cert
(cluster_ca_cert, cluster_key, cluster_magnum_cert) = \
cert_manager.create_client_files(mock_cluster)
# Test the directory and files were created
self.assertEqual(True, os.path.isdir(cert_dir))
self.assertEqual(True, os.path.isfile(mock_ca_return))
self.assertEqual(True, os.path.isfile(mock_key_return))
self.assertEqual(True, os.path.isfile(mock_magnum_return))
cert_manager.delete_client_files(mock_cluster)
# Test that directory and files DNE
self.assertEqual(False, os.path.isdir(cert_dir))
self.assertEqual(False, os.path.isfile(mock_ca_return))
self.assertEqual(False, os.path.isfile(mock_key_return))
self.assertEqual(False, os.path.isfile(mock_magnum_return))
def test_create_client_files_in_cache(self):
mock_cluster = mock.MagicMock()
mock_cluster.uuid = "mock_cluster_uuid"
mock_dir = tempfile.mkdtemp()
cfg.CONF.set_override("temp_cache_dir", mock_dir, group='cluster')
mock_cert = mock.MagicMock()
mock_cert.get_certificate.return_value = "some_content"
mock_cert.get_decrypted_private_key.return_value = "some_key"
self.CertManager.get_cert.return_value = \
mock_cert
# First call creates directory and writes files
(cluster_ca_cert, cluster_key, cluster_magnum_cert) = \
cert_manager.create_client_files(mock_cluster)
# Establish call count baseline
self.assertEqual(self.CertManager.get_cert.call_count, 2)
self.assertEqual(mock_cert.get_certificate.call_count, 2)
self.assertEqual(mock_cert.get_decrypted_private_key.call_count, 1)
# Second call to create_client_files for same cluster should enter else
# conditional, open cached file and return file contents unchanged.
(cluster_ca_cert, cluster_key, cluster_magnum_cert) = \
cert_manager.create_client_files(mock_cluster)
# Test that function call count did not increase.
self.assertEqual(self.CertManager.get_cert.call_count, 2)
self.assertEqual(mock_cert.get_certificate.call_count, 2)
self.assertEqual(mock_cert.get_decrypted_private_key.call_count, 1)
# Check that original file contents/return values have not changed
self.assertEqual(mock_cert.get_certificate.return_value,
cluster_ca_cert.read())
self.assertEqual(mock_cert.get_decrypted_private_key.return_value,
cluster_key.read())
self.assertEqual(mock_cert.get_certificate.return_value,
cluster_magnum_cert.read())
def test_create_client_files_in_cache(self):
mock_cluster = mock.MagicMock()
mock_cluster.uuid = "mock_cluster_uuid"
mock_dir = tempfile.mkdtemp()
cfg.CONF.set_override("temp_cache_dir", mock_dir, group='cluster')
mock_cert = mock.MagicMock()
mock_cert.get_certificate.return_value = "some_content"
mock_cert.get_decrypted_private_key.return_value = "some_key"
self.CertManager.get_cert.return_value = \
mock_cert
# First call creates directory and writes files
(cluster_ca_cert, cluster_key, cluster_magnum_cert) = \
cert_manager.create_client_files(mock_cluster)
# Establish call count baseline
self.assertEqual(self.CertManager.get_cert.call_count, 2)
self.assertEqual(mock_cert.get_certificate.call_count, 2)
self.assertEqual(mock_cert.get_decrypted_private_key.call_count, 1)
# Second call to create_client_files for same cluster should enter else
# conditional, open cached file and return file contents unchanged.
(cluster_ca_cert, cluster_key, cluster_magnum_cert) = \
cert_manager.create_client_files(mock_cluster)
# Test that function call count did not increase.
self.assertEqual(self.CertManager.get_cert.call_count, 2)
self.assertEqual(mock_cert.get_certificate.call_count, 2)
self.assertEqual(mock_cert.get_decrypted_private_key.call_count, 1)
# Check that original file contents/return values have not changed
self.assertEqual(mock_cert.get_certificate.return_value,
cluster_ca_cert.read())
self.assertEqual(mock_cert.get_decrypted_private_key.return_value,
cluster_key.read())
self.assertEqual(mock_cert.get_certificate.return_value,
cluster_magnum_cert.read())
def test_create_client_files_notin_cache(self):
mock_cluster = mock.MagicMock()
mock_cluster.uuid = "mock_cluster_uuid"
mock_dir = tempfile.mkdtemp()
cert_dir = os.path.join(mock_dir,
mock_cluster.uuid)
cfg.CONF.set_override("temp_cache_dir", mock_dir, group='cluster')
mock_ca_return = '%s/ca.crt' % cert_dir
mock_key_return = '%s/client.key' % cert_dir
mock_magnum_return = '%s/client.crt' % cert_dir
mock_cert = mock.MagicMock()
mock_cert.get_certificate.return_value = "some_content"
mock_cert.get_decrypted_private_key.return_value = "some_key"
self.CertManager.get_cert.return_value = \
mock_cert
# Test that directory and files DNE
self.assertEqual(False, os.path.isdir(cert_dir))
self.assertEqual(False, os.path.isfile(mock_ca_return))
self.assertEqual(False, os.path.isfile(mock_key_return))
self.assertEqual(False, os.path.isfile(mock_magnum_return))
(cluster_ca_cert, cluster_key, cluster_magnum_cert) = \
cert_manager.create_client_files(mock_cluster)
# Test the directory and files were created
self.assertEqual(True, os.path.isdir(cert_dir))
self.assertEqual(True, os.path.isfile(mock_ca_return))
self.assertEqual(True, os.path.isfile(mock_key_return))
self.assertEqual(True, os.path.isfile(mock_magnum_return))
# Test that all functions were called in the if not conditional
self.assertEqual(self.CertManager.get_cert.call_count, 2)
self.assertEqual(mock_cert.get_certificate.call_count, 2)
self.assertEqual(mock_cert.get_decrypted_private_key.call_count, 1)
# Test that contents were written to files & returned properly
cluster_ca_cert.seek(0)
cluster_key.seek(0)
cluster_magnum_cert.seek(0)
self.assertEqual(mock_cert.get_certificate.return_value,
cluster_ca_cert.read())
self.assertEqual(mock_cert.get_decrypted_private_key.return_value,
cluster_key.read())
self.assertEqual(mock_cert.get_certificate.return_value,
cluster_magnum_cert.read())
def test_create_client_files_notin_cache(self):
mock_cluster = mock.MagicMock()
mock_cluster.uuid = "mock_cluster_uuid"
mock_dir = tempfile.mkdtemp()
cert_dir = os.path.join(mock_dir,
mock_cluster.uuid)
cfg.CONF.set_override("temp_cache_dir", mock_dir, group='cluster')
mock_ca_return = '%s/ca.crt' % cert_dir
mock_key_return = '%s/client.key' % cert_dir
mock_magnum_return = '%s/client.crt' % cert_dir
mock_cert = mock.MagicMock()
mock_cert.get_certificate.return_value = "some_content"
mock_cert.get_decrypted_private_key.return_value = "some_key"
self.CertManager.get_cert.return_value = \
mock_cert
# Test that directory and files DNE
self.assertEqual(False, os.path.isdir(cert_dir))
self.assertEqual(False, os.path.isfile(mock_ca_return))
self.assertEqual(False, os.path.isfile(mock_key_return))
self.assertEqual(False, os.path.isfile(mock_magnum_return))
(cluster_ca_cert, cluster_key, cluster_magnum_cert) = \
cert_manager.create_client_files(mock_cluster)
# Test the directory and files were created
self.assertEqual(True, os.path.isdir(cert_dir))
self.assertEqual(True, os.path.isfile(mock_ca_return))
self.assertEqual(True, os.path.isfile(mock_key_return))
self.assertEqual(True, os.path.isfile(mock_magnum_return))
# Test that all functions were called in the if not conditional
self.assertEqual(self.CertManager.get_cert.call_count, 2)
self.assertEqual(mock_cert.get_certificate.call_count, 2)
self.assertEqual(mock_cert.get_decrypted_private_key.call_count, 1)
# Test that contents were written to files & returned properly
cluster_ca_cert.seek(0)
cluster_key.seek(0)
cluster_magnum_cert.seek(0)
self.assertEqual(mock_cert.get_certificate.return_value,
cluster_ca_cert.read())
self.assertEqual(mock_cert.get_decrypted_private_key.return_value,
cluster_key.read())
self.assertEqual(mock_cert.get_certificate.return_value,
cluster_magnum_cert.read())
def __init__(self, context, bay):
self.ca_file = None
self.cert_file = None
self.key_file = None
if bay.magnum_cert_ref:
(self.ca_file, self.key_file,
self.cert_file) = create_client_files(bay)
# build a connection with Kubernetes master
client = api_client.ApiClient(bay.api_address,
key_file=self.key_file.name,
cert_file=self.cert_file.name,
ca_certs=self.ca_file.name)
super(K8sAPI, self).__init__(client)
def __init__(self, context, bay):
self.ca_file = None
self.cert_file = None
self.key_file = None
if bay.magnum_cert_ref:
(self.ca_file, self.key_file,
self.cert_file) = create_client_files(bay, context)
# build a connection with Kubernetes master
client = api_client.ApiClient(bay.api_address,
key_file=self.key_file.name,
cert_file=self.cert_file.name,
ca_certs=self.ca_file.name)
super(K8sAPI, self).__init__(client)
def __init__(self, context, cluster):
self.ca_file = None
self.cert_file = None
self.key_file = None
if cluster.magnum_cert_ref:
(self.ca_file, self.key_file,
self.cert_file) = create_client_files(cluster, context)
config = k8s_config.ConfigurationObject()
config.host = cluster.api_address
config.ssl_ca_cert = self.ca_file.name
config.cert_file = self.cert_file.name
config.key_file = self.key_file.name
# build a connection with Kubernetes master
client = api_client.ApiClient(config=config)
super(K8sAPI, self).__init__(client)
def __init__(self, context, cluster):
self.ca_file = None
self.cert_file = None
self.key_file = None
if cluster.magnum_cert_ref:
(self.ca_file, self.key_file,
self.cert_file) = create_client_files(cluster, context)
config = k8s_config.ConfigurationObject()
config.host = cluster.api_address
config.ssl_ca_cert = self.ca_file.name
config.cert_file = self.cert_file.name
config.key_file = self.key_file.name
# build a connection with Kubernetes master
client = api_client.ApiClient(config=config)
super(K8sAPI, self).__init__(client)
