From 3908eaf24f290ebf538fb668e3545a437c0b0b41 Mon Sep 17 00:00:00 2001
From: khramshinr <khramshinr@gmail.com>
Date: Mon, 1 Apr 2024 17:31:47 +0800
Subject: T6178: Check that certificate exists during reverse-proxy commit

(cherry picked from commit 320fe827b4842b0c0da1ec5fee3d41a5730334d5)
---
 src/conf_mode/load-balancing_reverse-proxy.py | 32 +++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)


diff --git a/src/conf_mode/load-balancing_reverse-proxy.py b/src/conf_mode/load-balancing_reverse-proxy.py
index 7338fe573..2a0acd84a 100755
--- a/src/conf_mode/load-balancing_reverse-proxy.py
+++ b/src/conf_mode/load-balancing_reverse-proxy.py
@@ -55,6 +55,29 @@ def get_config(config=None):
     return lb
 
 
+def _verify_cert(lb: dict, config: dict) -> None:
+    if 'ca_certificate' in config['ssl']:
+        ca_name = config['ssl']['ca_certificate']
+        pki_ca = lb['pki'].get('ca')
+        if pki_ca is None:
+            raise ConfigError(f'CA certificates does not exist in PKI')
+        else:
+            ca = pki_ca.get(ca_name)
+            if ca is None:
+                raise ConfigError(f'CA certificate "{ca_name}" does not exist')
+
+    elif 'certificate' in config['ssl']:
+        cert_names = config['ssl']['certificate']
+        pki_certs = lb['pki'].get('certificate')
+        if pki_certs is None:
+            raise ConfigError(f'Certificates does not exist in PKI')
+
+        for cert_name in cert_names:
+            pki_cert = pki_certs.get(cert_name)
+            if pki_cert is None:
+                raise ConfigError(f'Certificate "{cert_name}" does not exist')
+
+
 def verify(lb):
     if not lb:
         return None
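Review bot: The `elif 'certificate' in config['ssl']:` branch at the middle of `_verify_cert` is skipped whenever `ca_certificate` is also configured on the same frontend or backend, so a service that sets both a CA and a server certificate never has its certificate names checked against the PKI, and a missing certificate surfaces only when haproxy fails to start instead of at commit time. The two settings are independent, so the second branch should be its own `if`: `if 'certificate' in config['ssl']:`. Two of the error messages are f-strings without placeholders (`f'CA certificates does not exist in PKI'`, `f'Certificates does not exist in PKI'`); plain strings with corrected grammar read better, e.g. `raise ConfigError('No CA certificates exist in PKI')` and `raise ConfigError('No certificates exist in PKI')`. A short docstring would also help here, e.g. "Raise ConfigError if a CA or server certificate referenced under ``ssl`` is missing from the PKI subtree in *lb*", since the function is shared by the frontend and backend checks.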
@@ -83,6 +106,15 @@ def verify(lb):
             if {'send_proxy', 'send_proxy_v2'} <= set(bk_server_conf):
                 raise ConfigError(f'Cannot use both "send-proxy" and "send-proxy-v2" for server "{bk_server}"')
 
+    for front, front_config in lb['service'].items():
+        if 'ssl' in front_config:
+            _verify_cert(lb, front_config)
+
+    for back, back_config in lb['backend'].items():
+        if 'ssl' in back_config:
+            _verify_cert(lb, back_config)
+
+
 def generate(lb):
     if not lb:
         # Delete /run/haproxy/haproxy.cfg
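Review bot: The two new loops in `verify` bind `front` and `back` but never use them, so iterating the values is cleaner: `for front_config in lb['service'].values():` and `for back_config in lb['backend'].values():`. The enclosing `verify` function starts before this hunk, so I cannot see whether `service` and `backend` are guaranteed to be present in the dictionary returned by get_config; if either can be absent, `lb['service']` raises a bare KeyError rather than a ConfigError, and `lb.get('service', {})` would be the safer spelling, though the existing backend loop just above may already rely on the same assumption.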
-- 