author | khramshinr <khramshinr@gmail.com> | 2024-04-01 17:31:47 +0800 |
committer | khramshinr <khramshinr@gmail.com> | 2024-04-01 17:31:47 +0800 |
commit | 320fe827b4842b0c0da1ec5fee3d41a5730334d5 (patch) | |
tree | d8eb0e762ae65a230513e0985653e2884c60c13d /src | |
parent | f30a22ebde92302916282be4fe40489efaaf3b3e (diff) | |
T6178: Check that certificate exists during reverse-proxy commit
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/load-balancing_reverse-proxy.py | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/src/conf_mode/load-balancing_reverse-proxy.py b/src/conf_mode/load-balancing_reverse-proxy.py
index 7338fe573..2a0acd84a 100755
--- a/src/conf_mode/load-balancing_reverse-proxy.py
+++ b/src/conf_mode/load-balancing_reverse-proxy.py
@@ -55,6 +55,29 @@ def get_config(config=None):
     return lb
 
 
+def _verify_cert(lb: dict, config: dict) -> None:
+    if 'ca_certificate' in config['ssl']:
+        ca_name = config['ssl']['ca_certificate']
+        pki_ca = lb['pki'].get('ca')
+        if pki_ca is None:
+            raise ConfigError(f'CA certificates does not exist in PKI')
+        else:
+            ca = pki_ca.get(ca_name)
+            if ca is None:
+                raise ConfigError(f'CA certificate "{ca_name}" does not exist')
+
+    elif 'certificate' in config['ssl']:
+        cert_names = config['ssl']['certificate']
+        pki_certs = lb['pki'].get('certificate')
+        if pki_certs is None:
+            raise ConfigError(f'Certificates does not exist in PKI')
+
+        for cert_name in cert_names:
+            pki_cert = pki_certs.get(cert_name)
+            if pki_cert is None:
+                raise ConfigError(f'Certificate "{cert_name}" does not exist')
+
+
 def verify(lb):
     if not lb:
         return None
@@ -83,6 +106,15 @@ def verify(lb):
         if {'send_proxy', 'send_proxy_v2'} <= set(bk_server_conf):
             raise ConfigError(f'Cannot use both "send-proxy" and "send-proxy-v2" for server "{bk_server}"')
 
+    for front, front_config in lb['service'].items():
+        if 'ssl' in front_config:
+            _verify_cert(lb, front_config)
+
+    for back, back_config in lb['backend'].items():
+        if 'ssl' in back_config:
+            _verify_cert(lb, back_config)
+
+
 def generate(lb):
     if not lb:
         # Delete /run/haproxy/haproxy.cfg
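Review bot: In `_verify_cert` the `elif 'certificate' in config['ssl']:` branch is skipped whenever `ca_certificate` is also set on the same `ssl` node, so a frontend or backend that names both a CA and a server certificate has its server certificate left unchecked and the commit fails later (or worse, haproxy starts with a dangling reference) instead of at verify time; the two lookups are independent, so make it `if 'certificate' in config['ssl']:`. The `for cert_name in cert_names:` loop assumes `config['ssl']['certificate']` is a list — if `get_config` (outside this hunk) can return a bare string for a single-valued node, the loop would iterate characters and raise a misleading `Certificate "x" does not exist`; wrap with `if isinstance(cert_names, str): cert_names = [cert_names]` or confirm the dict always holds a list. `lb['pki'].get(...)` also presumes `get_config` always populates `lb['pki']`, even when no PKI is configured; otherwise this is a `KeyError` rather than a `ConfigError`. Minor: the `f'...'` messages with no placeholders do not need the `f` prefix, and "CA certificates does not exist" / "Certificates does not exist" should read "No CA certificates exist in PKI" / "No certificates exist in PKI".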