Add 2 new options to Pool for support backend certificates validation

This patch adds 2 new options, '--ca-tls-container-ref' and
'--crl-container-ref', to the Pool CLI.

'--ca-tls-container-ref' will store the ca certificate used by backend
servers.
'--crl-container-ref' will store the revocation list file.

Change-Id: I8da1c081549433fcc3d99a7675886d5167720125
Story: 2003858
Task: 26679
Depends-On: https://review.openstack.org/#/c/614447/
ZhaoBo 2018-11-27 11:41:32 +08:00 committed by Michael Johnson
parent 594a0939a0
commit be64125af7
5 changed files with 53 additions and 8 deletions


@ -101,7 +101,9 @@ POOL_ROWS = (
'provisioning_status',
'session_persistence',
'updated_at',
'tls_container_ref')
'tls_container_ref',
'ca_tls_container_ref',
'crl_container_ref')
POOL_COLUMNS = (
'id',


@ -94,6 +94,20 @@ class CreatePool(command.ShowOne):
"containing the certificate and key for ``tls_enabled``"
"pools to re-encrpt the traffic to backend member servers."
)
parser.add_argument(
'--ca-tls-container-ref',
metavar='<ca_tls_container_ref>',
help="The reference to the key manager service secrets container "
"containing the CA certificate for ``tls_enabled`` pools "
"to check the backend member servers certificates"
)
parser.add_argument(
'--crl-container-ref',
metavar='<crl_container_ref>',
help="The reference to the key manager service secrets container "
"containting the CA revocation list file for ``tls_enabled`` "
"pools to validate the backend member servers certificates."
)
return parser
@ -247,6 +261,21 @@ class SetPool(command.Command):
"pools to re-encrpt the traffic from TERMINATED_TLS "
"listener to backend servers."
)
parser.add_argument(
'--ca-tls-container-ref',
metavar='<ca_tls_container_ref>',
help="The URI to the key manager service secrets container "
"containing the CA certificate for TERMINATED_TLS listeners "
"to check the backend servers certificates in ssl traffic."
)
parser.add_argument(
'--crl-container-ref',
metavar='<crl_container_ref>',
help="The URI to the key manager service secrets container "
"containting the CA revocation list file for TERMINATED_TLS "
"listeners to valid the backend servers certificates in ssl "
"traffic."
)
return parser
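Review bot: The SetPool help strings for the two new options describe them in terms of TERMINATED_TLS listeners, while the same options in CreatePool (the earlier hunk in this file) are described for ``tls_enabled`` pools; these are pool attributes, so the SetPool text should agree with CreatePool, and it also carries the misspelling `containting` (present in the CreatePool `--crl-container-ref` help as well) and `to valid` where `to validate` is meant. I would change the SetPool `--crl-container-ref` help to `"containing the CA revocation list file for ``tls_enabled`` "` / `"pools to validate the backend member servers' certificates."` and fix `containing` in the CreatePool text too. The CreatePool `--ca-tls-container-ref` help also lacks the terminating period its neighbouring strings have; since these strings end up in the rendered CLI documentation, the wording is worth getting right before merge.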


@ -255,6 +255,10 @@ def get_pool_attrs(client_manager, parsed_args):
'disable': ('admin_state_up', lambda x: False),
'tls_container_ref': ('tls_container_ref',
_format_str_if_need_treat_unset),
'ca_tls_container_ref': ('ca_tls_container_ref',
_format_str_if_need_treat_unset),
'crl_container_ref': ('crl_container_ref',
_format_str_if_need_treat_unset),
}
_attrs = vars(parsed_args)


@ -147,7 +147,9 @@ POOL_ATTRS = {
"project_id": uuidutils.generate_uuid(dashed=True),
"protocol": "HTTP",
"provisioning_status": "ACTIVE",
"tls_container_ref": uuidutils.generate_uuid()
"tls_container_ref": uuidutils.generate_uuid(),
"ca_tls_container_ref": uuidutils.generate_uuid(),
"crl_container_ref": uuidutils.generate_uuid()
}
QUOTA_ATTRS = {


@ -105,14 +105,18 @@ class TestPoolCreate(TestPool):
'--name', self._po.name,
'--protocol', 'HTTP',
'--lb-algorithm', 'ROUND_ROBIN',
'--tls-container-ref', self._po.tls_container_ref]
'--tls-container-ref', self._po.tls_container_ref,
'--ca-tls-container-ref', self._po.ca_tls_container_ref,
'--crl-container-ref', self._po.crl_container_ref]
verifylist = [
('loadbalancer', 'mock_lb_id'),
('name', self._po.name),
('protocol', 'HTTP'),
('lb_algorithm', 'ROUND_ROBIN'),
('tls_container_ref', self._po.tls_container_ref)
('tls_container_ref', self._po.tls_container_ref),
('ca_tls_container_ref', self._po.ca_tls_container_ref),
('crl_container_ref', self._po.crl_container_ref)
]
parsed_args = self.check_parser(self.cmd, arglist, verifylist)
@ -149,16 +153,20 @@ class TestPoolSet(TestPool):
self.cmd = pool.SetPool(self.app, None)
def test_pool_set(self):
new_tls_id = 'test-tls-container-id'
new_tls_id, new_ca_id, new_crl_id = (
'test-tls-container-id', 'test-ca-tls-container-id',
'test-crl-container-id')
arglist = [self._po.id, '--name', 'new_name', '--tls-container-ref',
new_tls_id]
new_tls_id, '--ca-tls-container-ref', new_ca_id,
'--crl-container-ref', new_crl_id]
verifylist = [
('pool', self._po.id),
('name', 'new_name')
]
parsed_args = self.check_parser(self.cmd, arglist, verifylist)
self.cmd.take_action(parsed_args)
self.api_mock.pool_set.assert_called_with(
self._po.id, json={'pool': {'name': 'new_name',
'tls_container_ref': new_tls_id}})
'tls_container_ref': new_tls_id,
'ca_tls_container_ref': new_ca_id,
'crl_container_ref': new_crl_id}})
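Review bot: The verifylist in test_pool_set still checks only `pool` and `name`, so the parser's handling of the three container-ref options is not asserted the way test_pool_create does it in the earlier hunk; add `('tls_container_ref', new_tls_id),`, `('ca_tls_container_ref', new_ca_id),` and `('crl_container_ref', new_crl_id)` to that list. Neither test exercises the unset path that the attr map routes through `_format_str_if_need_treat_unset` for the new attributes, so a case that clears `ca_tls_container_ref` on a pool would be worth adding if the helper supports clearing. The body of test_pool_set may continue past the end of this hunk.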