def _build_vim_auth(self, vim_info):
LOG.debug('VIM id is %s', vim_info['id'])
vim_auth = vim_info['auth_cred']
# decode password
if ('password' in vim_auth) and (vim_auth['password'] is not None):
vim_auth['password'] = self._decode_vim_auth(vim_info['id'],
vim_auth,
vim_auth['password'])
# decode bearer_token
if 'bearer_token' in vim_auth:
vim_auth['bearer_token'] = self.\
_decode_vim_auth(vim_info['id'],
vim_auth,
vim_auth['bearer_token'])
# decode ssl_ca_cert
if utils.none_from_string(vim_auth.get('ssl_ca_cert')) is not None:
vim_auth['ssl_ca_cert'] = self.\
_decode_vim_auth(vim_info['id'],
vim_auth,
vim_auth['ssl_ca_cert'])
vim_auth['auth_url'] = vim_info['auth_url']
# These attributes are needless for authentication
# from keystone, so we remove them.
needless_attrs = ['key_type', 'secret_uuid']
for attr in needless_attrs:
if attr in vim_auth:
vim_auth.pop(attr, None)
return vim_auth
def encode_vim_auth(self, vim_id, auth):
"""Encode VIM credentials
Store VIM auth using fernet key encryption
"""
fernet_key, fernet_obj = self.kubernetes.create_fernet_key()
if ('password' in auth) and (auth['password'] is not None):
encoded_auth = fernet_obj.encrypt(auth['password'].encode('utf-8'))
auth['password'] = encoded_auth
if 'bearer_token' in auth:
encoded_auth = fernet_obj.encrypt(
auth['bearer_token'].encode('utf-8'))
auth['bearer_token'] = encoded_auth
if utils.none_from_string(auth.get('ssl_ca_cert')):
encoded_auth = fernet_obj.encrypt(
auth['ssl_ca_cert'].encode('utf-8'))
auth['ssl_ca_cert'] = encoded_auth
if CONF.k8s_vim.use_barbican:
try:
k_context = t_context.generate_tacker_service_context()
keystone_conf = CONF.keystone_authtoken
keymgr_api = KEYMGR_API(keystone_conf.auth_url)
secret_uuid = keymgr_api.store(k_context, fernet_key)
auth['key_type'] = 'barbican_key'
auth['secret_uuid'] = secret_uuid
LOG.debug('VIM auth successfully stored for vim %s', vim_id)
except Exception as exception:
LOG.warning('VIM key creation failed for vim %s due to %s',
vim_id, exception)
raise
else:
raise nfvo.VimEncryptKeyError(vim_id=vim_id)
def _create_ssl_ca_file(self, auth_attr):
ca_cert = utils.none_from_string(auth_attr.get('ssl_ca_cert'))
if ca_cert is not None:
file_descriptor, file_path = \
self.kubernetes.create_ca_cert_tmp_file(ca_cert)
auth_attr['ca_cert_file'] = file_path
return file_descriptor
else:
return None