def test_create_client_files_set_file_permissions(self): mock_cluster = mock.MagicMock() mock_cluster.uuid = "mock_cluster_uuid" mock_dir = tempfile.mkdtemp() cert_dir = os.path.join(mock_dir, mock_cluster.uuid) cfg.CONF.set_override("temp_cache_dir", mock_dir, group='cluster') mock_ca_return = '%s/ca.crt' % cert_dir mock_key_return = '%s/client.key' % cert_dir mock_magnum_return = '%s/client.crt' % cert_dir mock_cert = mock.MagicMock() mock_cert.get_certificate.return_value = "some_content" mock_cert.get_decrypted_private_key.return_value = "some_key" self.CertManager.get_cert.return_value = \ mock_cert cert_manager.create_client_files(mock_cluster) ca_permission = stat.S_IMODE(os.lstat(mock_ca_return).st_mode) self.assertEqual(ca_permission, 0o600) key_permission = stat.S_IMODE(os.lstat(mock_key_return).st_mode) self.assertEqual(key_permission, 0o600) magnum_permission = stat.S_IMODE(os.lstat(mock_magnum_return).st_mode) self.assertEqual(magnum_permission, 0o600)
def test_create_client_files_temp_no_dir(self, mock_logging): mock_cluster = mock.MagicMock() mock_cluster.uuid = "mock_cluster_uuid" cfg.CONF.set_override("temp_cache_dir", "", group='cluster') mock_cert = mock.MagicMock() mock_cert.get_certificate.return_value = "some_content" mock_cert.get_decrypted_private_key.return_value = "some_key" self.CertManager.get_cert.return_value = \ mock_cert (cluster_ca_cert, cluster_key, cluster_magnum_cert) = \ cert_manager.create_client_files(mock_cluster) mock_logging.debug.assert_called_once_with( "Certificates will not be cached in the filesystem: " "they will be created as tempfiles.") self.assertEqual(self.CertManager.get_cert.call_count, 2) self.assertEqual(mock_cert.get_certificate.call_count, 2) self.assertEqual(mock_cert.get_decrypted_private_key.call_count, 1) # Test that contents were written to files & returned properly cluster_ca_cert.seek(0) cluster_key.seek(0) cluster_magnum_cert.seek(0) self.assertEqual(mock_cert.get_certificate.return_value, cluster_ca_cert.read()) self.assertEqual(mock_cert.get_decrypted_private_key.return_value, cluster_key.read()) self.assertEqual(mock_cert.get_certificate.return_value, cluster_magnum_cert.read()) # Test for certs and keys that might be returned in binary mock_cert.get_certificate.return_value = b"byte_content" mock_cert.get_decrypted_private_key.return_value = b"byte_key" ca_cert_text = magnum_cert_text = \ mock_cert.get_certificate.return_value.decode('UTF-8') magnum_key_text = \ mock_cert.get_decrypted_private_key.return_value.decode('UTF-8') (cluster_ca_cert, cluster_key, cluster_magnum_cert) = \ cert_manager.create_client_files(mock_cluster) cluster_ca_cert.seek(0) cluster_key.seek(0) cluster_magnum_cert.seek(0) self.assertEqual(ca_cert_text, cluster_ca_cert.read()) self.assertEqual(magnum_key_text, cluster_key.read()) self.assertEqual(magnum_cert_text, cluster_magnum_cert.read())
def docker_for_bay(context, bay): baymodel = conductor_utils.retrieve_baymodel(context, bay) ca_cert, magnum_key, magnum_cert = None, None, None client_kwargs = dict() if not baymodel.tls_disabled: (ca_cert, magnum_key, magnum_cert) = cert_manager.create_client_files(bay) client_kwargs['ca_cert'] = ca_cert.name client_kwargs['client_key'] = magnum_key.name client_kwargs['client_cert'] = magnum_cert.name yield DockerHTTPClient( bay.api_address, CONF.docker.docker_remote_api_version, CONF.docker.default_timeout, **client_kwargs ) if ca_cert: ca_cert.close() if magnum_key: magnum_key.close() if magnum_cert: magnum_cert.close()
def test_delete_client_files(self): mock_cluster = mock.MagicMock() mock_cluster.uuid = "mock_cluster_uuid" mock_dir = tempfile.mkdtemp() cert_dir = os.path.join(mock_dir, mock_cluster.uuid) cfg.CONF.set_override("temp_cache_dir", mock_dir, group='cluster') mock_ca_return = '%s/ca.crt' % cert_dir mock_key_return = '%s/client.key' % cert_dir mock_magnum_return = '%s/client.crt' % cert_dir mock_cert = mock.MagicMock() mock_cert.get_certificate.return_value = "some_content" mock_cert.get_decrypted_private_key.return_value = "some_key" self.CertManager.get_cert.return_value = \ mock_cert (cluster_ca_cert, cluster_key, cluster_magnum_cert) = \ cert_manager.create_client_files(mock_cluster) # Test the directory and files were created self.assertEqual(True, os.path.isdir(cert_dir)) self.assertEqual(True, os.path.isfile(mock_ca_return)) self.assertEqual(True, os.path.isfile(mock_key_return)) self.assertEqual(True, os.path.isfile(mock_magnum_return)) cert_manager.delete_client_files(mock_cluster) # Test that directory and files DNE self.assertEqual(False, os.path.isdir(cert_dir)) self.assertEqual(False, os.path.isfile(mock_ca_return)) self.assertEqual(False, os.path.isfile(mock_key_return)) self.assertEqual(False, os.path.isfile(mock_magnum_return))
def docker_for_cluster(context, cluster): cluster_template = conductor_utils.retrieve_cluster_template( context, cluster) ca_cert, magnum_key, magnum_cert = None, None, None client_kwargs = dict() if not cluster_template.tls_disabled: (ca_cert, magnum_key, magnum_cert) = cert_manager.create_client_files(cluster, context) client_kwargs['ca_cert'] = ca_cert.name client_kwargs['client_key'] = magnum_key.name client_kwargs['client_cert'] = magnum_cert.name yield DockerHTTPClient( cluster.api_address, CONF.docker.docker_remote_api_version, CONF.docker.default_timeout, **client_kwargs ) if ca_cert: ca_cert.close() if magnum_key: magnum_key.close() if magnum_cert: magnum_cert.close()
def docker_for_bay(context, bay): baymodel = conductor_utils.retrieve_baymodel(context, bay) tcp_url = 'tcp://%s:2376' % bay.api_address ca_cert, magnum_key, magnum_cert = None, None, None client_kwargs = dict() if not baymodel.tls_disabled: tcp_url = 'https://%s:2376' % bay.api_address (ca_cert, magnum_key, magnum_cert) = cert_manager.create_client_files(bay) client_kwargs['ca_cert'] = ca_cert.name client_kwargs['client_key'] = magnum_key.name client_kwargs['client_cert'] = magnum_cert.name yield docker_client.DockerHTTPClient(tcp_url, CONF.docker.docker_remote_api_version, CONF.docker.default_timeout, **client_kwargs) if ca_cert: ca_cert.close() if magnum_key: magnum_key.close() if magnum_cert: magnum_cert.close()
def __init__(self, context, cluster): self.context = context self.cluster = cluster # Load certificates for cluster (self.ca_file, self.key_file, self.cert_file) = create_client_files(self.cluster, self.context)
def docker_for_cluster(context, cluster): cluster_template = conductor_utils.retrieve_cluster_template( context, cluster) ca_cert, magnum_key, magnum_cert = None, None, None client_kwargs = dict() if not cluster_template.tls_disabled: (ca_cert, magnum_key, magnum_cert) = cert_manager.create_client_files(cluster) client_kwargs['ca_cert'] = ca_cert.name client_kwargs['client_key'] = magnum_key.name client_kwargs['client_cert'] = magnum_cert.name yield DockerHTTPClient( cluster.api_address, CONF.docker.docker_remote_api_version, CONF.docker.default_timeout, **client_kwargs ) if ca_cert: ca_cert.close() if magnum_key: magnum_key.close() if magnum_cert: magnum_cert.close()
def test_create_client_files_in_cache(self): mock_cluster = mock.MagicMock() mock_cluster.uuid = "mock_cluster_uuid" mock_dir = tempfile.mkdtemp() cfg.CONF.set_override("temp_cache_dir", mock_dir, group='cluster') mock_cert = mock.MagicMock() mock_cert.get_certificate.return_value = "some_content" mock_cert.get_decrypted_private_key.return_value = "some_key" self.CertManager.get_cert.return_value = \ mock_cert # First call creates directory and writes files (cluster_ca_cert, cluster_key, cluster_magnum_cert) = \ cert_manager.create_client_files(mock_cluster) # Establish call count baseline self.assertEqual(self.CertManager.get_cert.call_count, 2) self.assertEqual(mock_cert.get_certificate.call_count, 2) self.assertEqual(mock_cert.get_decrypted_private_key.call_count, 1) # Second call to create_client_files for same cluster should enter else # conditional, open cached file and return file contents unchanged. (cluster_ca_cert, cluster_key, cluster_magnum_cert) = \ cert_manager.create_client_files(mock_cluster) # Test that function call count did not increase. self.assertEqual(self.CertManager.get_cert.call_count, 2) self.assertEqual(mock_cert.get_certificate.call_count, 2) self.assertEqual(mock_cert.get_decrypted_private_key.call_count, 1) # Check that original file contents/return values have not changed self.assertEqual(mock_cert.get_certificate.return_value, cluster_ca_cert.read()) self.assertEqual(mock_cert.get_decrypted_private_key.return_value, cluster_key.read()) self.assertEqual(mock_cert.get_certificate.return_value, cluster_magnum_cert.read())
def test_create_client_files_notin_cache(self): mock_cluster = mock.MagicMock() mock_cluster.uuid = "mock_cluster_uuid" mock_dir = tempfile.mkdtemp() cert_dir = os.path.join(mock_dir, mock_cluster.uuid) cfg.CONF.set_override("temp_cache_dir", mock_dir, group='cluster') mock_ca_return = '%s/ca.crt' % cert_dir mock_key_return = '%s/client.key' % cert_dir mock_magnum_return = '%s/client.crt' % cert_dir mock_cert = mock.MagicMock() mock_cert.get_certificate.return_value = "some_content" mock_cert.get_decrypted_private_key.return_value = "some_key" self.CertManager.get_cert.return_value = \ mock_cert # Test that directory and files DNE self.assertEqual(False, os.path.isdir(cert_dir)) self.assertEqual(False, os.path.isfile(mock_ca_return)) self.assertEqual(False, os.path.isfile(mock_key_return)) self.assertEqual(False, os.path.isfile(mock_magnum_return)) (cluster_ca_cert, cluster_key, cluster_magnum_cert) = \ cert_manager.create_client_files(mock_cluster) # Test the directory and files were created self.assertEqual(True, os.path.isdir(cert_dir)) self.assertEqual(True, os.path.isfile(mock_ca_return)) self.assertEqual(True, os.path.isfile(mock_key_return)) self.assertEqual(True, os.path.isfile(mock_magnum_return)) # Test that all functions were called in the if not conditional self.assertEqual(self.CertManager.get_cert.call_count, 2) self.assertEqual(mock_cert.get_certificate.call_count, 2) self.assertEqual(mock_cert.get_decrypted_private_key.call_count, 1) # Test that contents were written to files & returned properly cluster_ca_cert.seek(0) cluster_key.seek(0) cluster_magnum_cert.seek(0) self.assertEqual(mock_cert.get_certificate.return_value, cluster_ca_cert.read()) self.assertEqual(mock_cert.get_decrypted_private_key.return_value, cluster_key.read()) self.assertEqual(mock_cert.get_certificate.return_value, cluster_magnum_cert.read())
def __init__(self, context, bay): self.ca_file = None self.cert_file = None self.key_file = None if bay.magnum_cert_ref: (self.ca_file, self.key_file, self.cert_file) = create_client_files(bay) # build a connection with Kubernetes master client = api_client.ApiClient(bay.api_address, key_file=self.key_file.name, cert_file=self.cert_file.name, ca_certs=self.ca_file.name) super(K8sAPI, self).__init__(client)
def __init__(self, context, bay): self.ca_file = None self.cert_file = None self.key_file = None if bay.magnum_cert_ref: (self.ca_file, self.key_file, self.cert_file) = create_client_files(bay, context) # build a connection with Kubernetes master client = api_client.ApiClient(bay.api_address, key_file=self.key_file.name, cert_file=self.cert_file.name, ca_certs=self.ca_file.name) super(K8sAPI, self).__init__(client)
def __init__(self, context, cluster): self.ca_file = None self.cert_file = None self.key_file = None if cluster.magnum_cert_ref: (self.ca_file, self.key_file, self.cert_file) = create_client_files(cluster, context) config = k8s_config.ConfigurationObject() config.host = cluster.api_address config.ssl_ca_cert = self.ca_file.name config.cert_file = self.cert_file.name config.key_file = self.key_file.name # build a connection with Kubernetes master client = api_client.ApiClient(config=config) super(K8sAPI, self).__init__(client)