octavia.certificates.manager package

Submodules

octavia.certificates.manager.barbican module

Cert manager implementation for Barbican using a single PKCS12 secret

class BarbicanCertManager

Bases: CertManager

Certificate Manager that wraps the Barbican client API.

delete_cert(context, cert_ref, resource_ref, service_name=None)

Deregister as a consumer for the specified cert.

Parameters:
  • context – Oslo context of the request

  • cert_ref – the UUID of the cert to deregister from

  • resource_ref – Full HATEOAS reference to the consuming resource

  • service_name – Friendly name for the consuming service

Raises:

Exception – if deregistration fails

get_cert(context, cert_ref, resource_ref=None, check_only=False, service_name=None)

Retrieves the specified cert and registers as a consumer.

Parameters:
  • context – Oslo context of the request

  • cert_ref – the UUID of the cert to retrieve

  • resource_ref – Full HATEOAS reference to the consuming resource

  • check_only – Read Certificate data without registering

  • service_name – Friendly name for the consuming service

Returns:

octavia.certificates.common.Cert representation of the certificate data

Raises:

Exception – if certificate retrieval fails

get_secret(context, secret_ref)

Retrieves a secret payload by reference.

Parameters:
  • context – Oslo context of the request

  • secret_ref – The secret reference ID

Returns:

The secret payload

Raises:

CertificateStorageException – if retrieval fails

set_acls(context, cert_ref)

Adds ACLs so Octavia can access the cert objects.

If the specified cert does not exist or the addition of ACLs fails for any reason, a CertificateStorageException should be raised.

store_cert(context, certificate, private_key, intermediates=None, private_key_passphrase=None, expiration=None, name='PKCS12 Certificate Bundle')

Stores a certificate in the certificate manager.

Parameters:
  • context – Oslo context of the request

  • certificate – PEM encoded TLS certificate

  • private_key – private key for the supplied certificate

  • intermediates – ordered and concatenated intermediate certs

  • private_key_passphrase – optional passphrase for the supplied key

  • expiration – the expiration time of the cert in ISO 8601 format

  • name – a friendly name for the cert

Returns:

the container_ref of the stored cert

Raises:

Exception – if certificate storage fails

unset_acls(context, cert_ref)

Removes the ACLs that let Octavia access the cert objects.

If the specified cert does not exist or the removal of ACLs fails for any reason, a CertificateStorageException should be raised.

octavia.certificates.manager.barbican_legacy module

Legacy cert manager implementation for Barbican (container+secrets)

class BarbicanCertManager(auth=None)

Bases: CertManager

Certificate Manager that wraps the Barbican client API.

delete_cert(context, cert_ref, resource_ref, service_name=None)

Deregister as a consumer for the specified cert.

Parameters:
  • context – Oslo context of the request

  • cert_ref – the UUID of the cert to deregister from

  • resource_ref – Full HATEOAS reference to the consuming resource

  • service_name – Friendly name for the consuming service

Raises:

Exception – if deregistration fails

get_cert(context, cert_ref, resource_ref=None, check_only=False, service_name=None)

Retrieves the specified cert and registers as a consumer.

Parameters:
  • context – Oslo context of the request

  • cert_ref – the UUID of the cert to retrieve

  • resource_ref – Full HATEOAS reference to the consuming resource

  • check_only – Read Certificate data without registering

  • service_name – Friendly name for the consuming service

Returns:

octavia.certificates.common.Cert representation of the certificate data

Raises:

Exception – if certificate retrieval fails

get_secret(context, secret_ref)

Retrieves a secret payload by reference.

If the specified secret does not exist, a CertificateStorageException should be raised.

set_acls(context, cert_ref)

Adds ACLs so Octavia can access the cert objects.

If the specified cert does not exist or the addition of ACLs fails for any reason, a CertificateStorageException should be raised.

store_cert(context, certificate, private_key, intermediates=None, private_key_passphrase=None, expiration=None, name=None)

Stores a certificate in the certificate manager.

Parameters:
  • context – Oslo context of the request

  • certificate – PEM encoded TLS certificate

  • private_key – private key for the supplied certificate

  • intermediates – ordered and concatenated intermediate certs

  • private_key_passphrase – optional passphrase for the supplied key

  • expiration – the expiration time of the cert in ISO 8601 format

  • name – a friendly name for the cert

Returns:

the container_ref of the stored cert

Raises:

Exception – if certificate storage fails

unset_acls(context, cert_ref)

Removes the ACLs that let Octavia access the cert objects.

If the specified cert does not exist or the removal of ACLs fails for any reason, a CertificateStorageException should be raised.

octavia.certificates.manager.castellan_mgr module

Cert manager implementation for Castellan

class CastellanCertManager

Bases: CertManager

Certificate Manager for the Castellan library.

delete_cert(context, cert_ref, resource_ref, service_name=None)

Deletes the specified cert.

If the specified cert does not exist, a CertificateStorageException should be raised.

get_cert(context, cert_ref, resource_ref=None, check_only=False, service_name=None)

Retrieves the specified cert.

If check_only is True, don’t perform any sort of registration. If the specified cert does not exist, a CertificateStorageException should be raised.

get_secret(context, secret_ref)

Retrieves a secret payload by reference.

If the specified secret does not exist, a CertificateStorageException should be raised.

set_acls(context, cert_ref)

Adds ACLs so Octavia can access the cert objects.

If the specified cert does not exist or the addition of ACLs fails for any reason, a CertificateStorageException should be raised.

store_cert(context, certificate, private_key, intermediates=None, private_key_passphrase=None, expiration=None, name='PKCS12 Certificate Bundle')

Stores (i.e., registers) a cert with the cert manager.

This method stores the specified cert and returns its UUID that identifies it within the cert manager. If storage of the certificate data fails, a CertificateStorageException should be raised.

unset_acls(context, cert_ref)

Removes the ACLs that let Octavia access the cert objects.

If the specified cert does not exist or the removal of ACLs fails for any reason, a CertificateStorageException should be raised.

octavia.certificates.manager.cert_mgr module

Certificate manager API

class CertManager

Bases: object

Base Cert Manager Interface

A Cert Manager is responsible for managing certificates for TLS.

abstract delete_cert(context, cert_ref, resource_ref, service_name=None)

Deletes the specified cert.

If the specified cert does not exist, a CertificateStorageException should be raised.

abstract get_cert(context, cert_ref, resource_ref=None, check_only=False, service_name=None)

Retrieves the specified cert.

If check_only is True, don’t perform any sort of registration. If the specified cert does not exist, a CertificateStorageException should be raised.

abstract get_secret(context, secret_ref)

Retrieves a secret payload by reference.

If the specified secret does not exist, a CertificateStorageException should be raised.

abstract set_acls(context, cert_ref)

Adds ACLs so Octavia can access the cert objects.

If the specified cert does not exist or the addition of ACLs fails for any reason, a CertificateStorageException should be raised.

abstract store_cert(context, certificate, private_key, intermediates=None, private_key_passphrase=None, expiration=None, name=None)

Stores (i.e., registers) a cert with the cert manager.

This method stores the specified cert and returns its UUID that identifies it within the cert manager. If storage of the certificate data fails, a CertificateStorageException should be raised.

abstract unset_acls(context, cert_ref)

Removes the ACLs that let Octavia access the cert objects.

If the specified cert does not exist or the removal of ACLs fails for any reason, a CertificateStorageException should be raised.
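The contract this interface describes (a UUID returned by store_cert, a CertificateStorageException for an unknown cert, check_only skipping registration) can be exercised with an in-memory test double. This is an added example, not Octavia code: InMemoryCertManager, its consumers() helper and the local CertificateStorageException stand-in are hypothetical, and it neither imports Octavia nor implements the ACL methods.

```python
import uuid


class CertificateStorageException(Exception):
    """Local stand-in for Octavia's exception of the same name (assumption)."""


class InMemoryCertManager:
    """Hypothetical test double that follows the documented method contract."""

    def __init__(self):
        self._certs = {}      # cert_ref -> stored certificate data
        self._consumers = {}  # cert_ref -> {(service_name, resource_ref), ...}

    def _lookup(self, cert_ref):
        # Unknown references fail closed with the documented exception type
        # instead of leaking a KeyError or returning None to the caller.
        try:
            return self._certs[cert_ref]
        except KeyError:
            raise CertificateStorageException(
                f"certificate {cert_ref} not found") from None

    def store_cert(self, context, certificate, private_key, intermediates=None,
                   private_key_passphrase=None, expiration=None, name=None):
        cert_ref = str(uuid.uuid4())  # the identifier handed back to the caller
        self._certs[cert_ref] = {
            "certificate": certificate,
            "private_key": private_key,
            "intermediates": intermediates,
            "private_key_passphrase": private_key_passphrase,
        }
        self._consumers[cert_ref] = set()
        return cert_ref

    def get_cert(self, context, cert_ref, resource_ref=None, check_only=False,
                 service_name=None):
        cert = self._lookup(cert_ref)
        if not check_only:  # check_only=True reads without registering
            self._consumers[cert_ref].add((service_name, resource_ref))
        return cert

    def delete_cert(self, context, cert_ref, resource_ref, service_name=None):
        self._lookup(cert_ref)  # deleting an unknown cert is an error
        del self._certs[cert_ref], self._consumers[cert_ref]

    def consumers(self, cert_ref):
        """Hypothetical helper: who registered for this cert via get_cert."""
        self._lookup(cert_ref)
        return set(self._consumers[cert_ref])
```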

octavia.certificates.manager.local module

class LocalCertManager

Bases: CertManager

Cert Manager Interface that stores data locally.

static delete_cert(context, cert_ref, **kwargs)

Deletes the specified cert.

Parameters:
  • context – Ignored in this implementation

  • cert_ref – the UUID of the cert to delete

Raises:

CertificateStorageException – if certificate deletion fails

static get_cert(context, cert_ref, **kwargs)

Retrieves the specified cert.

Parameters:
  • context – Ignored in this implementation

  • cert_ref – the UUID of the cert to retrieve

Returns:

octavia.certificates.common.Cert representation of the certificate data

Raises:

CertificateStorageException – if certificate retrieval fails

static get_secret(context, secret_ref)

Retrieves a secret payload by reference.

Parameters:
  • context – Ignored in this implementation

  • secret_ref – The secret reference ID

Returns:

The secret payload

Raises:

CertificateStorageException – if secret retrieval fails

set_acls(context, cert_ref)

Adds ACLs so Octavia can access the cert objects.

If the specified cert does not exist or the addition of ACLs fails for any reason, a CertificateStorageException should be raised.

static store_cert(context, certificate, private_key, intermediates=None, private_key_passphrase=None, **kwargs)

Stores (i.e., registers) a cert with the cert manager.

This method stores the specified cert to the filesystem and returns a UUID that can be used to retrieve it.

Parameters:
  • context – Ignored in this implementation

  • certificate – PEM encoded TLS certificate

  • private_key – private key for the supplied certificate

  • intermediates – ordered and concatenated intermediate certs

  • private_key_passphrase – optional passphrase for the supplied key

Returns:

the UUID of the stored cert

Raises:

CertificateStorageException – if certificate storage fails

unset_acls(context, cert_ref)

Removes the ACLs that let Octavia access the cert objects.

If the specified cert does not exist or the removal of ACLs fails for any reason, a CertificateStorageException should be raised.

octavia.certificates.manager.noop module

class NoopCertManager

Bases: CertManager

Cert manager implementation for no-op operations

delete_cert(context, cert_ref, resource_ref, service_name=None)

Deletes the specified cert.

If the specified cert does not exist, a CertificateStorageException should be raised.

get_cert(context, cert_ref, check_only=True, **kwargs) → Cert

Retrieves the specified cert.

If check_only is True, don’t perform any sort of registration. If the specified cert does not exist, a CertificateStorageException should be raised.

get_secret(context, secret_ref) → Cert

Retrieves a secret payload by reference.

If the specified secret does not exist, a CertificateStorageException should be raised.

property local_cert

set_acls(context, cert_ref)

Adds ACLs so Octavia can access the cert objects.

If the specified cert does not exist or the addition of ACLs fails for any reason, a CertificateStorageException should be raised.

store_cert(context, certificate, private_key, intermediates=None, private_key_passphrase=None, **kwargs) → Cert

Stores (i.e., registers) a cert with the cert manager.

This method stores the specified cert to the filesystem and returns a UUID that can be used to retrieve it.

Parameters:
  • context – Ignored in this implementation

  • certificate – PEM encoded TLS certificate

  • private_key – private key for the supplied certificate

  • intermediates – ordered and concatenated intermediate certs

  • private_key_passphrase – optional passphrase for the supplied key

Returns:

the UUID of the stored cert

Raises:

CertificateStorageException – if certificate storage fails

unset_acls(context, cert_ref)

Removes the ACLs that let Octavia access the cert objects.

If the specified cert does not exist or the removal of ACLs fails for any reason, a CertificateStorageException should be raised.
