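def delete_certificates_from_bay(bay):
    """Delete ca cert and magnum client cert from bay

    Deletion is best-effort: a failure for one reference is logged as a
    warning and the other reference is still attempted. Nothing is
    returned or raised to tell the caller that a cert was left behind.

    :param bay: The bay which has certs
    """
    for cert_ref in (bay.ca_cert_ref, bay.magnum_cert_ref):
        if not cert_ref:
            # Nothing was stored for this slot, so there is nothing to delete.
            continue
        try:
            cert_manager.get_backend().CertManager.delete_cert(cert_ref)
        except Exception:
            # LOG.warn is a deprecated alias; pass the reference as a
            # logging argument instead of formatting the message eagerly.
            # NOTE(review): the cause of the failure is not recorded, so a
            # cert/key that stays in the backend is only traceable by its
            # reference in this warning.
            LOG.warning(_LW("Deleting cert is failed: %s"), cert_ref)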
def delete_certificates_from_bay(bay, context=None):
    """Delete ca cert and magnum client cert from bay

    Deletion is best-effort: any exception raised while reading a
    reference or deleting the cert is caught and reported as a warning,
    then the next reference is processed.

    :param bay: The bay which has certs
    :param context: passed through unchanged to CertManager.delete_cert
    """
    for attr_name in ('ca_cert_ref', 'magnum_cert_ref'):
        try:
            ref = getattr(bay, attr_name, None)
            if not ref:
                continue
            backend = cert_manager.get_backend()
            backend.CertManager.delete_cert(
                ref, resource_ref=bay.uuid, context=context)
        except Exception:
            # NOTE(review): the warning names the bay only, not which
            # reference failed or why; a cert/key that stays in the
            # backend has to be identified by other means.
            LOG.warning(_LW("Deleting certs is failed for Bay %s"),
                        bay.uuid)
def delete_certificates_from_cluster(cluster, context=None):
    """Delete ca cert and magnum client cert from cluster

    Deletion is best-effort: any exception raised while reading a
    reference or deleting the cert is caught and reported as a warning,
    then the next reference is processed.

    :param cluster: The cluster which has certs
    :param context: passed through unchanged to CertManager.delete_cert
    """
    for attr_name in ('ca_cert_ref', 'magnum_cert_ref'):
        try:
            ref = getattr(cluster, attr_name, None)
            if not ref:
                continue
            manager = cert_manager.get_backend().CertManager
            manager.delete_cert(
                ref, resource_ref=cluster.uuid, context=context)
        except Exception:
            # NOTE(review): the warning names the cluster only, not which
            # reference failed or why; a cert/key that stays in the
            # backend has to be identified by other means.
            LOG.warning(_LW("Deleting certs is failed for Cluster %s"),
                        cluster.uuid)
def delete_certificates_from_cluster(cluster, context=None):
    """Delete ca cert and magnum client cert from cluster

    Deletion is best-effort: any exception raised while reading a
    reference or deleting the cert is caught and reported as a warning,
    then the next reference is processed.

    :param cluster: The cluster which has certs
    :param context: passed through unchanged to CertManager.delete_cert
    """
    for attr_name in ('ca_cert_ref', 'magnum_cert_ref'):
        try:
            ref = getattr(cluster, attr_name, None)
            if not ref:
                continue
            manager = cert_manager.get_backend().CertManager
            manager.delete_cert(
                ref, resource_ref=cluster.uuid, context=context)
        except Exception:
            # NOTE(review): the warning names the cluster only, not which
            # reference failed or why; a cert/key that stays in the
            # backend has to be identified by other means.
            LOG.warning("Deleting certs is failed for Cluster %s",
                        cluster.uuid)
def sign_node_certificate(bay, csr):
    """Sign a node CSR with the private key of the bay's CA cert.

    :param bay: bay whose ca_cert_ref and uuid locate the CA cert; bay.name
                is passed as the second argument of x509.sign
    :param csr: certificate signing request handed to x509.sign
    :returns: the value returned by x509.sign
    """
    manager = cert_manager.get_backend().CertManager
    ca = manager.get_cert(bay.ca_cert_ref, resource_ref=bay.uuid)
    # NOTE(review): the CSR is not examined in this function; whether the
    # caller or x509.sign restricts the requested subject and extensions
    # is not visible here - confirm before exposing this to tenants.
    issuer = bay.name
    signing_key = ca.get_private_key()
    key_passphrase = ca.get_private_key_passphrase()
    return x509.sign(csr, issuer, signing_key, key_passphrase)
def get_bay_magnum_cert(bay):
    """Fetch the bay's magnum client cert from the cert manager backend.

    :param bay: bay whose magnum_cert_ref and uuid identify the cert
    :returns: the object returned by CertManager.get_cert
    """
    # NOTE(review): the returned object presumably also gives access to the
    # client private key and its passphrase; callers should keep it out of
    # logs and API responses - confirm.
    manager = cert_manager.get_backend().CertManager
    return manager.get_cert(bay.magnum_cert_ref, resource_ref=bay.uuid)
def _generate_client_cert(issuer_name, ca_cert, ca_password, context=None):
    """Generate and store magnum_client_cert

    :param issuer_name: CA subject name
    :param ca_cert: CA certificate; its 'private_key' entry is passed to
                    x509.generate_client_certificate
    :param ca_password: CA private key password
    :param context: passed through unchanged to CertManager.store_cert
    :returns: Magnum client cert uuid
    """
    # NOTE(review): this id is used as the passphrase of the client private
    # key; confirm short_id.generate_id() is random and long enough for
    # that role.
    key_passphrase = short_id.generate_id()
    generated = x509.generate_client_certificate(
        issuer_name,
        CONDUCTOR_CLIENT_NAME,
        ca_cert['private_key'],
        encryption_password=key_passphrase,
        ca_key_password=ca_password,
    )

    # The passphrase is stored together with the key it protects, so the
    # key's confidentiality rests on the backend's access control.
    store = cert_manager.get_backend().CertManager
    magnum_cert_ref = store.store_cert(
        certificate=generated['certificate'],
        private_key=generated['private_key'],
        private_key_passphrase=key_passphrase,
        name=CONDUCTOR_CLIENT_NAME,
        context=context,
    )
    LOG.debug('Magnum client cert is created: %s', magnum_cert_ref)
    return magnum_cert_ref
def _generate_client_cert(issuer_name, ca_cert, ca_password, context=None):
    """Generate and store magnum_client_cert

    The cert is issued with subject 'admin' and organization
    'system:masters' regardless of driver.

    :param issuer_name: CA subject name
    :param ca_cert: CA certificate; its 'private_key' entry is passed to
                    x509.generate_client_certificate
    :param ca_password: CA private key password
    :param context: passed through unchanged to CertManager.store_cert
    :returns: Magnum client cert uuid
    """
    # NOTE(review): this id is used as the passphrase of the client private
    # key; confirm short_id.generate_id() is random and long enough for
    # that role.
    key_passphrase = short_id.generate_id()

    # TODO(strigazi): set subject name and organization per driver
    # For RBAC kubernetes cluster we need the client to have:
    # subject_name: admin
    # organization_name system:masters
    # Non kubernetes drivers are not using the certificates fields
    # for authorization
    # On Kubernetes, system:masters is the built-in cluster-admin group,
    # so anyone able to read this cert and key from the cert store holds
    # full control of the cluster.
    subject_name = 'admin'
    organization_name = 'system:masters'
    generated = x509.generate_client_certificate(
        issuer_name,
        subject_name,
        organization_name,
        ca_cert['private_key'],
        encryption_password=key_passphrase,
        ca_key_password=ca_password,
    )

    # The passphrase is stored together with the key it protects, so the
    # key's confidentiality rests on the backend's access control.
    store = cert_manager.get_backend().CertManager
    magnum_cert_ref = store.store_cert(
        certificate=generated['certificate'],
        private_key=generated['private_key'],
        private_key_passphrase=key_passphrase,
        name=CONDUCTOR_CLIENT_NAME,
        context=context,
    )
    LOG.debug('Magnum client cert is created: %s', magnum_cert_ref)
    return magnum_cert_ref
def get_bay_ca_certificate(bay):
    """Return the CA certificate of a bay.

    Only the result of get_certificate() is handed back; the cert object
    fetched from the backend is not returned to the caller.

    :param bay: bay whose ca_cert_ref and uuid identify the CA cert
    :returns: the value of get_certificate() on the fetched CA cert
    """
    manager = cert_manager.get_backend().CertManager
    fetched = manager.get_cert(bay.ca_cert_ref, resource_ref=bay.uuid)
    return fetched.get_certificate()
def _generate_client_cert(issuer_name, ca_cert, ca_password, context=None):
    """Generate and store magnum_client_cert

    The cert is issued with subject 'admin' and organization
    'system:masters' regardless of driver.

    :param issuer_name: CA subject name
    :param ca_cert: CA certificate; its 'private_key' entry is passed to
                    x509.generate_client_certificate
    :param ca_password: CA private key password
    :param context: passed through unchanged to CertManager.store_cert
    :returns: Magnum client cert uuid
    """
    # NOTE(review): this id is used as the passphrase of the client private
    # key; confirm short_id.generate_id() is random and long enough for
    # that role.
    key_passphrase = short_id.generate_id()

    # TODO(strigazi): set subject name and organization per driver
    # For RBAC kubernetes cluster we need the client to have:
    # subject_name: admin
    # organization_name system:masters
    # Non kubernetes drivers are not using the certificates fields
    # for authorization
    # On Kubernetes, system:masters is the built-in cluster-admin group,
    # so anyone able to read this cert and key from the cert store holds
    # full control of the cluster.
    subject_name = 'admin'
    organization_name = 'system:masters'
    signing_key = ca_cert['private_key']
    generated = x509.generate_client_certificate(
        issuer_name, subject_name, organization_name, signing_key,
        encryption_password=key_passphrase,
        ca_key_password=ca_password)

    # The passphrase is stored together with the key it protects, so the
    # key's confidentiality rests on the backend's access control.
    magnum_cert_ref = cert_manager.get_backend().CertManager.store_cert(
        certificate=generated['certificate'],
        private_key=generated['private_key'],
        private_key_passphrase=key_passphrase,
        name=CONDUCTOR_CLIENT_NAME,
        context=context)
    LOG.debug('Magnum client cert is created: %s', magnum_cert_ref)
    return magnum_cert_ref
def get_bay_ca_certificate(bay):
    """Fetch the bay's CA cert object from the cert manager backend.

    :param bay: bay whose ca_cert_ref and uuid identify the CA cert
    :returns: the object returned by CertManager.get_cert
    """
    # NOTE(review): the whole cert object is returned, which presumably
    # also gives access to the CA private key (get_private_key); callers
    # should hand out only get_certificate() - confirm.
    manager = cert_manager.get_backend().CertManager
    return manager.get_cert(bay.ca_cert_ref, resource_ref=bay.uuid)
def get_cluster_magnum_cert(cluster, context=None):
    """Fetch the cluster's magnum client cert from the cert manager backend.

    :param cluster: cluster whose magnum_cert_ref and uuid identify the cert
    :param context: passed through unchanged to CertManager.get_cert
    :returns: the object returned by CertManager.get_cert
    """
    # NOTE(review): the returned object presumably also gives access to the
    # client private key and its passphrase; callers should keep it out of
    # logs and API responses - confirm.
    manager = cert_manager.get_backend().CertManager
    return manager.get_cert(
        cluster.magnum_cert_ref,
        resource_ref=cluster.uuid,
        context=context,
    )
def get_cluster_ca_certificate(cluster, context=None):
    """Fetch the cluster's CA cert object from the cert manager backend.

    :param cluster: cluster whose ca_cert_ref and uuid identify the CA cert
    :param context: passed through unchanged to CertManager.get_cert
    :returns: the object returned by CertManager.get_cert
    """
    # NOTE(review): the whole cert object is returned, which presumably
    # also gives access to the CA private key (get_private_key); callers
    # should hand out only get_certificate() - confirm.
    manager = cert_manager.get_backend().CertManager
    return manager.get_cert(
        cluster.ca_cert_ref,
        resource_ref=cluster.uuid,
        context=context,
    )
def get_bay_magnum_cert(bay, context=None):
    """Fetch the bay's magnum client cert from the cert manager backend.

    :param bay: bay whose magnum_cert_ref and uuid identify the cert
    :param context: passed through unchanged to CertManager.get_cert
    :returns: the object returned by CertManager.get_cert
    """
    # NOTE(review): the returned object presumably also gives access to the
    # client private key and its passphrase; callers should keep it out of
    # logs and API responses - confirm.
    manager = cert_manager.get_backend().CertManager
    return manager.get_cert(
        bay.magnum_cert_ref,
        resource_ref=bay.uuid,
        context=context,
    )
def sign_node_certificate(cluster, csr, context=None):
    """Sign a node CSR with the private key of the cluster's CA cert.

    :param cluster: cluster whose ca_cert_ref and uuid locate the CA cert
    :param csr: certificate signing request handed to x509.sign
    :param context: passed through unchanged to CertManager.get_cert
    :returns: the value returned by x509.sign
    """
    manager = cert_manager.get_backend().CertManager
    ca = manager.get_cert(
        cluster.ca_cert_ref, resource_ref=cluster.uuid, context=context)
    # NOTE(review): the CSR is not examined in this function; whether the
    # caller or x509.sign restricts the requested subject and extensions
    # is not visible here - confirm before exposing this to tenants.
    issuer = _get_issuer_name(cluster)
    signing_key = ca.get_private_key()
    key_passphrase = ca.get_private_key_passphrase()
    return x509.sign(csr, issuer, signing_key, key_passphrase)
def get_bay_ca_certificate(bay, context=None):
    """Fetch the bay's CA cert object from the cert manager backend.

    :param bay: bay whose ca_cert_ref and uuid identify the CA cert
    :param context: passed through unchanged to CertManager.get_cert
    :returns: the object returned by CertManager.get_cert
    """
    # NOTE(review): the whole cert object is returned, which presumably
    # also gives access to the CA private key (get_private_key); callers
    # should hand out only get_certificate() - confirm.
    manager = cert_manager.get_backend().CertManager
    return manager.get_cert(
        bay.ca_cert_ref,
        resource_ref=bay.uuid,
        context=context,
    )
def sign_node_certificate(bay, csr):
    """Sign a node CSR with the private key of the bay's CA cert.

    :param bay: bay whose ca_cert_ref and uuid locate the CA cert; bay.name
                is passed as the second argument of x509.sign
    :param csr: certificate signing request handed to x509.sign
    :returns: the value returned by x509.sign
    """
    ca = cert_manager.get_backend().CertManager.get_cert(
        bay.ca_cert_ref,
        resource_ref=bay.uuid,
    )
    # NOTE(review): the CSR is not examined in this function; whether the
    # caller or x509.sign restricts the requested subject and extensions
    # is not visible here - confirm before exposing this to tenants.
    issuer = bay.name
    signing_key = ca.get_private_key()
    key_passphrase = ca.get_private_key_passphrase()
    return x509.sign(csr, issuer, signing_key, key_passphrase)
def get_cluster_ca_certificate(cluster, context=None, ca_cert_type=None):
    """Fetch one of the cluster's CA cert objects from the backend.

    "etcd" selects cluster.etcd_ca_cert_ref, "front_proxy" or
    "front-proxy" selects cluster.front_proxy_ca_cert_ref, and every other
    value (including None) selects cluster.ca_cert_ref.

    :param cluster: cluster holding the CA cert references and uuid
    :param context: passed through unchanged to CertManager.get_cert
    :param ca_cert_type: which CA to fetch, see above
    :returns: the object returned by CertManager.get_cert
    """
    # NOTE(review): an unrecognised ca_cert_type is not rejected; it falls
    # back to the default CA, so a misspelt type returns a different CA
    # than the caller asked for.
    selected_ref = cluster.ca_cert_ref
    if ca_cert_type == "etcd":
        selected_ref = cluster.etcd_ca_cert_ref
    elif ca_cert_type in ("front_proxy", "front-proxy"):
        selected_ref = cluster.front_proxy_ca_cert_ref

    # NOTE(review): the whole cert object is returned, which presumably
    # also gives access to the CA private key (get_private_key); callers
    # should hand out only get_certificate() - confirm.
    manager = cert_manager.get_backend().CertManager
    return manager.get_cert(
        selected_ref, resource_ref=cluster.uuid, context=context)
def sign_node_certificate(cluster, csr, context=None):
    """Sign a node CSR with the private key of the cluster's CA cert.

    :param cluster: cluster whose ca_cert_ref and uuid locate the CA cert
    :param csr: certificate signing request handed to x509.sign
    :param context: passed through unchanged to CertManager.get_cert
    :returns: the value returned by x509.sign
    """
    ca = cert_manager.get_backend().CertManager.get_cert(
        cluster.ca_cert_ref,
        resource_ref=cluster.uuid,
        context=context,
    )
    # NOTE(review): the CSR is not examined in this function; whether the
    # caller or x509.sign restricts the requested subject and extensions
    # is not visible here - confirm before exposing this to tenants.
    issuer = _get_issuer_name(cluster)
    signing_key = ca.get_private_key()
    key_passphrase = ca.get_private_key_passphrase()
    return x509.sign(csr, issuer, signing_key, key_passphrase)
def _create_certificate_files(self, bay):
    """Read certificate and key for a bay and stores in files.

    Sets self.cert_file, self.key_file and self.ca_file to the values
    returned by self._create_temp_file_with_content.

    :param bay: Bay object
    """
    client_cert = cert_manager.get_backend().CertManager.get_cert(
        bay.magnum_cert_ref, resource_ref=bay.uuid)
    self.cert_file = self._create_temp_file_with_content(
        client_cert.get_certificate())

    stored_key_pem = client_cert.get_private_key()
    key_passphrase = client_cert.get_private_key_passphrase()
    key_obj = serialization.load_pem_private_key(
        stored_key_pem,
        password=key_passphrase,
        backend=default_backend(),
    )
    # The key is re-serialised with NoEncryption, so the file content is
    # the plaintext private key.
    # NOTE(review): confirm _create_temp_file_with_content creates the file
    # readable by the owner only and that the file is removed after use.
    plaintext_pem = key_obj.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption())
    self.key_file = self._create_temp_file_with_content(plaintext_pem)

    ca_cert = cert_manager.get_backend().CertManager.get_cert(
        bay.ca_cert_ref, resource_ref=bay.uuid)
    self.ca_file = self._create_temp_file_with_content(
        ca_cert.get_certificate())
def sign_node_certificate(cluster, csr, ca_cert_type=None, context=None):
    """Sign a node CSR with the private key of one of the cluster's CAs.

    "etcd" selects cluster.etcd_ca_cert_ref, "front_proxy" or
    "front-proxy" selects cluster.front_proxy_ca_cert_ref, and every other
    value (including None) selects cluster.ca_cert_ref. Note that
    ca_cert_type comes before context in the parameter list.

    :param cluster: cluster holding the CA cert references and uuid
    :param csr: certificate signing request handed to x509.sign
    :param ca_cert_type: which CA signs the request, see above
    :param context: passed through unchanged to CertManager.get_cert
    :returns: the value returned by x509.sign
    """
    # NOTE(review): an unrecognised ca_cert_type is not rejected; it falls
    # back to the default CA, so a misspelt type yields a cert signed by a
    # different CA than the caller asked for.
    selected_ref = cluster.ca_cert_ref
    if ca_cert_type == "etcd":
        selected_ref = cluster.etcd_ca_cert_ref
    elif ca_cert_type in ("front_proxy", "front-proxy"):
        selected_ref = cluster.front_proxy_ca_cert_ref

    manager = cert_manager.get_backend().CertManager
    ca = manager.get_cert(
        selected_ref, resource_ref=cluster.uuid, context=context)
    # NOTE(review): the CSR is not examined in this function; whether the
    # caller or x509.sign restricts the requested subject and extensions
    # is not visible here - confirm before exposing this to tenants.
    issuer = _get_issuer_name(cluster)
    signing_key = ca.get_private_key()
    key_passphrase = ca.get_private_key_passphrase()
    return x509.sign(csr, issuer, signing_key, key_passphrase)
def _create_certificate_files(self, bay):
    """Read certificate and key for a bay and stores in files.

    Sets self.cert_file, self.key_file and self.ca_file to the values
    returned by self._create_temp_file_with_content.

    :param bay: Bay object
    """
    client_cert = cert_manager.get_backend().CertManager.get_cert(
        bay.magnum_cert_ref, resource_ref=bay.uuid)
    client_cert_pem = client_cert.get_certificate()
    self.cert_file = self._create_temp_file_with_content(client_cert_pem)

    stored_key_pem = client_cert.get_private_key()
    key_passphrase = client_cert.get_private_key_passphrase()
    key_obj = serialization.load_pem_private_key(
        stored_key_pem,
        password=key_passphrase,
        backend=default_backend(),
    )
    # The key is re-serialised with NoEncryption, so the file content is
    # the plaintext private key.
    # NOTE(review): confirm _create_temp_file_with_content creates the file
    # readable by the owner only and that the file is removed after use.
    plaintext_pem = key_obj.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption(),
    )
    self.key_file = self._create_temp_file_with_content(plaintext_pem)

    ca_cert = cert_manager.get_backend().CertManager.get_cert(
        bay.ca_cert_ref, resource_ref=bay.uuid)
    ca_cert_pem = ca_cert.get_certificate()
    self.ca_file = self._create_temp_file_with_content(ca_cert_pem)
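def _generate_ca_cert(issuer_name):
    """Generate and store ca_cert

    The CA private key password is returned to the caller alongside the
    generated cert, so both stay in memory for as long as the caller keeps
    them.

    :param issuer_name: CA subject name
    :returns: CA cert uuid and CA cert, CA private key password
    """
    # NOTE(review): this id is used as the passphrase of the CA private
    # key; confirm short_id.generate_id() is random and long enough for
    # that role.
    ca_password = short_id.generate_id()
    ca_cert = x509.generate_ca_certificate(issuer_name,
                                           encryption_password=ca_password)

    # The passphrase is stored together with the key it protects, so the
    # key's confidentiality rests on the backend's access control.
    ca_cert_ref = cert_manager.get_backend().CertManager.store_cert(
        certificate=ca_cert['certificate'],
        private_key=ca_cert['private_key'],
        private_key_passphrase=ca_password,
        name=issuer_name,
    )
    # Pass the reference as a logging argument: the message is then only
    # formatted when debug logging is enabled, and a reference that is not
    # a plain string cannot break the '%' interpolation.
    LOG.debug('CA cert is created: %s', ca_cert_ref)
    return ca_cert_ref, ca_cert, ca_password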
def _generate_client_cert(issuer_name, ca_cert, ca_password, context=None):
    """Generate and store magnum_client_cert

    :param issuer_name: CA subject name
    :param ca_cert: CA certificate; its 'private_key' entry is passed to
                    x509.generate_client_certificate
    :param ca_password: CA private key password
    :param context: passed through unchanged to CertManager.store_cert
    :returns: Magnum client cert uuid
    """
    # NOTE(review): this id is used as the passphrase of the client private
    # key; confirm short_id.generate_id() is random and long enough for
    # that role.
    key_passphrase = short_id.generate_id()
    signing_key = ca_cert['private_key']
    generated = x509.generate_client_certificate(
        issuer_name, CONDUCTOR_CLIENT_NAME, signing_key,
        encryption_password=key_passphrase,
        ca_key_password=ca_password)

    # The passphrase is stored together with the key it protects, so the
    # key's confidentiality rests on the backend's access control.
    magnum_cert_ref = cert_manager.get_backend().CertManager.store_cert(
        certificate=generated['certificate'],
        private_key=generated['private_key'],
        private_key_passphrase=key_passphrase,
        name=CONDUCTOR_CLIENT_NAME,
        context=context)
    LOG.debug('Magnum client cert is created: %s', magnum_cert_ref)
    return magnum_cert_ref
def get_bay_magnum_cert(bay, context=None):
    """Fetch the bay's magnum client cert from the cert manager backend.

    :param bay: bay whose magnum_cert_ref and uuid identify the cert
    :param context: passed through unchanged to CertManager.get_cert
    :returns: the object returned by CertManager.get_cert
    """
    # NOTE(review): the returned object presumably also gives access to the
    # client private key and its passphrase; callers should keep it out of
    # logs and API responses - confirm.
    return cert_manager.get_backend().CertManager.get_cert(
        bay.magnum_cert_ref, resource_ref=bay.uuid, context=context)
def get_bay_ca_certificate(bay):
    """Return the CA certificate of a bay.

    The cert is looked up by bay.ca_cert_ref alone; no resource_ref or
    context is passed to the backend. Only the result of get_certificate()
    is handed back, not the fetched cert object.

    :param bay: bay whose ca_cert_ref identifies the CA cert
    :returns: the value of get_certificate() on the fetched CA cert
    """
    manager = cert_manager.get_backend().CertManager
    fetched = manager.get_cert(bay.ca_cert_ref)
    return fetched.get_certificate()
def test_local_cert_manager(self):
    """cert_manager_type='local' makes get_backend() expose lcm.CertManager."""
    # NOTE(review): the Config fixture is instantiated directly rather than
    # registered on the test case, so unless the override is reset
    # elsewhere it may persist into later tests - confirm.
    conf_fixture = fixture.Config()
    conf_fixture.config(group='certificates', cert_manager_type='local')

    selected = get_backend().CertManager
    self.assertEqual(selected, lcm.CertManager)
def get_bay_ca_certificate(bay, context=None):
    """Fetch the bay's CA cert object from the cert manager backend.

    :param bay: bay whose ca_cert_ref and uuid identify the CA cert
    :param context: passed through unchanged to CertManager.get_cert
    :returns: the object returned by CertManager.get_cert
    """
    # NOTE(review): the whole cert object is returned, which presumably
    # also gives access to the CA private key (get_private_key); callers
    # should hand out only get_certificate() - confirm.
    return cert_manager.get_backend().CertManager.get_cert(
        bay.ca_cert_ref, resource_ref=bay.uuid, context=context)
def test_barbican_cert_manager(self):
    """cert_manager_type='barbican' makes get_backend() expose bcm.CertManager."""
    # NOTE(review): the Config fixture is instantiated directly rather than
    # registered on the test case, so unless the override is reset
    # elsewhere it may persist into later tests - confirm.
    conf_fixture = fixture.Config()
    conf_fixture.config(group='certificates', cert_manager_type='barbican')

    selected = get_backend().CertManager
    self.assertEqual(selected, bcm.CertManager)