Sync only ‘ssl_ca’ and ‘openstack_ca’ certificates to subclouds

The 'docker_registry', 'tpm_mode', and 'openstack' certificates on the
SystemController have a CN and SAN containing the OAM IP address, any
related DNS names for the OAM IP address, and the MGMT IP address. If these
certificates are synced to the subclouds, even if they are signed by
a trusted CA, any client connecting to a subcloud's OAM or MGMT
IP will receive a certificate that fails validation because it
does not apply to the subcloud's IP address. For this reason, this fix
syncs only the "ssl_ca" and "openstack_ca" certificates to subclouds.

Change-Id: I17ac94d79beb04f559c46062dbe7826590fcdb06
Signed-off-by: Jessica Castelino <jessica.castelino@windriver.com>
Closes-Bug: 1865643
This commit is contained in:
Jessica Castelino 2020-06-30 14:08:43 -04:00
parent d18ff5e65f
commit 4f1c5db809
1 changed files with 10 additions and 9 deletions


@ -51,7 +51,7 @@ class SysinvSyncThread(SyncThread):
CERTIFICATE_SIG_NULL = 'NoCertificate'
RESOURCE_UUID_NULL = 'NoResourceUUID'
AVOID_SYNC_CERTIFICATES = ["ssl"]
SYNC_CERTIFICATES = ["ssl_ca", "openstack_ca"]
def __init__(self, subcloud_engine):
super(SysinvSyncThread, self).__init__(subcloud_engine)
@ -355,19 +355,20 @@ class SysinvSyncThread(SyncThread):
extra=self.log_extra)
return
if payload.get('certtype') in self.AVOID_SYNC_CERTIFICATES:
return
certificate, metadata = self._decode_certificate_payload(
certificate_dict)
if isinstance(payload, dict):
if payload.get('certtype') not in self.SYNC_CERTIFICATES:
return
signature = payload.get('signature')
LOG.info("signature from dict={}".format(signature))
else:
if metadata.get('mode') not in self.SYNC_CERTIFICATES:
return
signature = rsrc.master_id
LOG.info("signature from master_id={}".format(signature))
certificate, metadata = self._decode_certificate_payload(
certificate_dict)
icertificate = None
signature = rsrc.master_id
if signature and signature != self.CERTIFICATE_SIG_NULL:
@ -657,11 +658,11 @@ class SysinvSyncThread(SyncThread):
def get_certificates_resources(self, os_client):
certificate_list = os_client.sysinv_client.get_certificates()
# Filter SSL certificates to avoid sync
# Only sync the specified certificates to subclouds
filtered_list = [certificate
for certificate in certificate_list
if certificate.certtype not in
self.AVOID_SYNC_CERTIFICATES]
if certificate.certtype in
self.SYNC_CERTIFICATES]
return filtered_list
def get_user_resource(self, os_client):
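Review bot: The `signature` chosen in the new `if isinstance(payload, dict)` / `else` branches is overwritten by the unconditional `signature = rsrc.master_id` that follows `icertificate = None`, so if that line is unchanged context the dict branch's `payload.get('signature')` and its "signature from dict" log line have no effect on what is compared against `CERTIFICATE_SIG_NULL`; either drop the later reassignment or log the value actually used. The `else` branch keys the allow-list on `metadata.get('mode')` while the dict branch keys it on `certtype`; a one-line comment stating that `_decode_certificate_payload` exposes the cert type under `mode` for non-dict payloads would help, since a missing or differently named key makes the check silently skip the sync. The allow-list constant itself should carry the rationale from the commit message, e.g. `# Only CA certs are synced: the other cert types carry the SystemController's OAM/MGMT IPs in CN/SAN and would fail validation on a subcloud`. The enclosing method starts before the hunk.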