Sync only ‘ssl_ca’ and ‘openstack_ca’ certificates to subclouds
The 'docker_registry', 'tpm_mode', and 'openstack' certificates on the SystemController have a CN and SAN containing the OAM IP address, any related DNS names for the OAM IP address, and the MGMT IP address. If these certificates are synced to the subclouds, then even if they are signed by a trusted CA, when any client connects to the subcloud OAM or MGMT IP the certificate that comes back will fail certificate validation, because it does not apply to the subcloud's IP address. For this reason a fix is put in place to sync only the "ssl_ca" and "openstack_ca" certificates to subclouds. Change-Id: I17ac94d79beb04f559c46062dbe7826590fcdb06 Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com> Closes-Bug: 1865643
parent
d18ff5e65f
commit
4f1c5db809
|
@ -51,7 +51,7 @@ class SysinvSyncThread(SyncThread):
|
|||
CERTIFICATE_SIG_NULL = 'NoCertificate'
|
||||
RESOURCE_UUID_NULL = 'NoResourceUUID'
|
||||
|
||||
AVOID_SYNC_CERTIFICATES = ["ssl"]
|
||||
SYNC_CERTIFICATES = ["ssl_ca", "openstack_ca"]
|
||||
|
||||
def __init__(self, subcloud_engine):
|
||||
super(SysinvSyncThread, self).__init__(subcloud_engine)
|
||||
|
@ -355,19 +355,20 @@ class SysinvSyncThread(SyncThread):
|
|||
extra=self.log_extra)
|
||||
return
|
||||
|
||||
if payload.get('certtype') in self.AVOID_SYNC_CERTIFICATES:
|
||||
return
|
||||
certificate, metadata = self._decode_certificate_payload(
|
||||
certificate_dict)
|
||||
|
||||
if isinstance(payload, dict):
|
||||
if payload.get('certtype') not in self.SYNC_CERTIFICATES:
|
||||
return
|
||||
signature = payload.get('signature')
|
||||
LOG.info("signature from dict={}".format(signature))
|
||||
else:
|
||||
if metadata.get('mode') not in self.SYNC_CERTIFICATES:
|
||||
return
|
||||
signature = rsrc.master_id
|
||||
LOG.info("signature from master_id={}".format(signature))
|
||||
|
||||
certificate, metadata = self._decode_certificate_payload(
|
||||
certificate_dict)
|
||||
|
||||
icertificate = None
|
||||
signature = rsrc.master_id
|
||||
if signature and signature != self.CERTIFICATE_SIG_NULL:
|
||||
|
@ -657,11 +658,11 @@ class SysinvSyncThread(SyncThread):
|
|||
|
||||
def get_certificates_resources(self, os_client):
|
||||
certificate_list = os_client.sysinv_client.get_certificates()
|
||||
# Filter SSL certificates to avoid sync
|
||||
# Only sync the specified certificates to subclouds
|
||||
filtered_list = [certificate
|
||||
for certificate in certificate_list
|
||||
if certificate.certtype not in
|
||||
self.AVOID_SYNC_CERTIFICATES]
|
||||
if certificate.certtype in
|
||||
self.SYNC_CERTIFICATES]
|
||||
return filtered_list
|
||||
|
||||
def get_user_resource(self, os_client):
|
||||
|
|
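Review bot: In the new else branch of the second hunk, `if metadata.get('mode') not in self.SYNC_CERTIFICATES:` reads `metadata` before any visible binding of it: the only assignment shown is `certificate, metadata = self._decode_certificate_payload(certificate_dict)`, which is printed both ahead of the `isinstance` check and again after the branch, so if the decode was moved below the branch this line raises NameError for every non-dict payload and no such certificate is ever synced. If that reading is right, keep the decode ahead of the `isinstance` check (or bind the mode from the decoded metadata before the else branch uses it); if the earlier decode is retained context, the later one is a redundant second decode of the same payload. Separately, `SYNC_CERTIFICATES = ["ssl_ca", "openstack_ca"]` in the first hunk deserves a comment carrying the rationale from the commit message so the allowlist is not widened later, e.g. `# Only CA certificates are synced: server certs carry the SystemController's OAM/MGMT identity in CN/SAN and would fail validation on a subcloud`. The method enclosing the second hunk starts and ends outside the hunk.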