NSXV: handle certificate bundles

Octavia may supply the driver with a bundle that contains multiple CA and signed certificate. The driver should avoid using CA certificates for the listener. So when the certificates are uploaded to NSX, the driver should look for the id of the signed certificate object within the bundle. Change-Id: I3b183a34f429573f35e343f15a5492d53e541660
2021-05-02 14:47:03 +03:00 · 2021-05-02 14:47:03 +03:00 · 3f7f1471eb
commit 3f7f1471eb
parent 348b3a3133
1 changed files with 12 additions and 1 deletions
--- a/vmware_nsx/services/lbaas/nsx_v/implementation/listener_mgr.py
+++ b/vmware_nsx/services/lbaas/nsx_v/implementation/listener_mgr.py
@ -145,7 +145,18 @@ class EdgeListenerManagerFromDict(base_mgr.EdgeLoadbalancerBaseManager):
        cert_obj = self.vcns.upload_edge_certificate(edge_id, request)[1]
        cert_list = cert_obj.get('certificates', {})
        if cert_list:
-            edge_cert_id = cert_list[0]['objectId']
+            if len(cert_list) > 1:
+                LOG.warning(
+                    'Certificate object contains multiple certificates. '
+                    'Using first signed certificate of the bundle')
+            edge_cert_id = None
+            for cert in cert_list:
+                if cert['certificateType'] == 'certificate_signed':
+                    edge_cert_id = cert['objectId']
+                    break
+            if not edge_cert_id:
+                error = _("No signed certificate found in certificate bundle")
+                raise nsxv_exc.NsxPluginException(err_msg=error)
        else:
            error = _("Failed to upload a certificate to edge %s") % edge_id
            raise nsxv_exc.NsxPluginException(err_msg=error)