This fix adds tenant SSL support to the existing custom attributes. The user can provide a Barbican container ref in the custom attributes; the haproxy parser then downloads the container's secrets and populates the certificate (PEM) file. The keystone auth credentials must be specified in a separate auth file whose path is given in contrail-vrouter-agent.conf. The file is renamed to keystone_auth_cfg_file. Change-Id: I2b85733820031033a05dfc27cbfa4fa3a3485611 Partial-Bug: #1499903
Varun Lodaya
authored and
Varun Lodaya
committed
Oct 6, 2015
1 parent
109c570
commit 766e881
Showing
10 changed files
with
392 additions
and
42 deletions.
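--- a/src/vnsw/opencontrail-vrouter-netns/opencontrail_vrouter_netns/haproxy_cert.py
+++ b/src/vnsw/opencontrail-vrouter-netns/opencontrail_vrouter_netns/haproxy_cert.py
@@ -0,0 +1,104 @@
+import json
+import keystone_auth
+import sys
+import logging
+
+class Barbican_Cert_Manager(object):
+    """Class to download certs from barbican and
+    populate the pem file as required by HAProxy
+    """
+    def __init__(self, keystone_auth_conf_file):
+        self.identity = keystone_auth.Identity(keystone_auth_conf_file)
+        if not self.identity:
+            raise Exception()
+
+    def _get_barbican_entity(self, barbican_ep, auth_token,
+                             entity_ref, metadata=True):
+        if metadata:
+            accept_data = 'application/json'
+        else:
+            accept_data = 'text/plain'
+
+        try:
+            headers = {
+                "Accept": "%s" % accept_data,
+                "X-Auth-Token": "%s" % auth_token
+            }
+            url = entity_ref
+            resp = keystone_auth._request(url, headers, 'GET')
+            if resp.status_code in range(200, 299):
+                if metadata:
+                    return json.loads(resp.text)
+                else:
+                    return resp.text
+            else:
+                logging.error("%s getting barbican entity %s" % \
+                              (resp.text, url))
+        except Exception as e:
+            logging.error("%s getting barbican entity %s" % \
+                          (str(e), url))
+        return None
+
+    def _validate_tls_secret(self, tls_container_ref):
+        try:
+            if self.identity:
+                #self.identity = keystone_auth.Identity()
+                container_detail = self._get_barbican_entity(\
+                                       self.identity.barbican_ep,
+                                       self.identity.auth_token,
+                                       entity_ref=tls_container_ref,
+                                       metadata=True)
+
+                if not container_detail:
+                    return False
+
+                # Validate that secrets are stored plain text
+                for secret in container_detail['secret_refs']:
+                    secret_meta_data = self._get_barbican_entity(\
+                                           self.identity.barbican_ep,
+                                           self.identity.auth_token,
+                                           entity_ref=secret['secret_ref'],
+                                           metadata=True)
+                    if not secret_meta_data or secret_meta_data\
+                       ['content_types']['default'] != 'text/plain':
+                        logging.error("Invalid secret format: %s" % \
+                                      secret_meta_data['content_types']['default'])
+                        return False
+                return True
+            else:
+                return False
+        except Exception as e:
+            logging.error("%s while validating TLS Container" % str(e))
+            return False
+
+    def _populate_tls_pem(self, tls_container_ref):
+        try:
+            if self.identity:
+                #self.identity = keystone_auth.Identity()
+                container_detail = self._get_barbican_entity(\
+                                       self.identity.barbican_ep,
+                                       self.identity.auth_token,
+                                       entity_ref=tls_container_ref,
+                                       metadata=True)
+
+                if not container_detail:
+                    return False
+
+                # Fetch the secrets stored in plain text
+                secret_text = ''
+                for secret in container_detail['secret_refs']:
+                    secret_detail = self._get_barbican_entity(\
+                                        self.identity.barbican_ep,
+                                        self.identity.auth_token,
+                                        entity_ref=secret['secret_ref'],
+                                        metadata=False)
+                    if secret_detail:
+                        secret_text += secret_detail
+                        secret_text += "\n"
+
+                return secret_text
+            else:
+                return None
+        except Exception as e:
+            logging.error("%s while populating SSL Pem file" % str(e))
+            return None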
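Review bot: `_get_barbican_entity` sends the agent's keystone token to whatever URL `entity_ref` holds (`url = entity_ref`) and never consults the `barbican_ep` parameter it is given; since the container ref comes from tenant-supplied custom attributes per the commit message, a tenant can point it at a host they control and capture `X-Auth-Token`, or use the agent to reach internal endpoints. Add a guard before the request, e.g. `if not entity_ref.startswith(barbican_ep):` / `logging.error("refusing non-barbican entity ref %s" % entity_ref)` / `return None` (comparing scheme, host and port via `urlparse` is stronger than a prefix match), and apply the same check to each `secret_ref` taken from the container body. Secondary: in `_validate_tls_secret` the error log dereferences `secret_meta_data['content_types']['default']` even when `secret_meta_data` is None, so the intended message is replaced by a TypeError caught by the outer handler; and `_populate_tls_pem` returns `False` for a missing container but `None` on other failures and a string on success, so callers should be given a single failure value. The PEM is assembled by concatenating secrets in whatever order Barbican returns them; if HAProxy needs certificate before key, that ordering presumably has to be enforced here rather than assumed.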