octavia 13.0.0.0rc1__py3-none-any.whl → 13.0.1__py3-none-any.whl

octavia/amphorae/backends/agent/api_server/keepalivedlvs.py

@@ -230,6 +230,15 @@ class KeepalivedLvs(lvs_listener_base.LvsListenerApiServerBase):
                             .format(action, listener_id)),
                 'details': e.output}, status=500)
 
+        is_vrrp = (CONF.controller_worker.loadbalancer_topology ==
+                   consts.TOPOLOGY_ACTIVE_STANDBY)
+        # TODO(gthiemonge) remove RESTART from the list (same as previous todo
+        # in this function)
+        if not is_vrrp and action in [consts.AMP_ACTION_START,
+                                      consts.AMP_ACTION_RESTART,
+                                      consts.AMP_ACTION_RELOAD]:
+            util.send_vip_advertisements(listener_id=listener_id)
+
         return webob.Response(
             json={'message': 'OK',
                   'details': 'keepalivedlvs listener {listener_id} '

octavia/amphorae/backends/agent/api_server/osutils.py

@@ -38,8 +38,7 @@ class BaseOS(object):
     @classmethod
     def _get_subclasses(cls):
         for subclass in cls.__subclasses__():
-            for sc in subclass._get_subclasses():
-                yield sc
+            yield from subclass._get_subclasses()
             yield subclass
 
     @classmethod

octavia/amphorae/backends/agent/api_server/util.py

@@ -392,7 +392,37 @@ def get_haproxy_vip_addresses(lb_id):
     return vips
 
 
-def send_vip_advertisements(lb_id):
+def get_lvs_vip_addresses(listener_id: str) -> tp.List[str]:
+    """Get the VIP addresses for a LVS load balancer.
+
+    :param listener_id: The listener ID to get VIP addresses from.
+    :returns: List of VIP addresses (IPv4 and IPv6)
+    """
+    vips = []
+    # Extract the VIP addresses from keepalived configuration
+    # Format is
+    # virtual_server_group ipv<n>-group {
+    #     vip_address1 port1
+    #     vip_address2 port2
+    # }
+    # it can be repeated in case of dual-stack LBs
+    with open(keepalived_lvs_cfg_path(listener_id), encoding='utf-8') as file:
+        vsg_section = False
+        for line in file:
+            current_line = line.strip()
+            if vsg_section:
+                if current_line.startswith('}'):
+                    vsg_section = False
+                else:
+                    vip_address = current_line.split(' ')[0]
+                    vips.append(vip_address)
+            elif line.startswith('virtual_server_group '):
+                vsg_section = True
+    return vips
+
+
+def send_vip_advertisements(lb_id: tp.Optional[str] = None,
+                            listener_id: tp.Optional[str] = None):
     """Sends address advertisements for each load balancer VIP.
 
     This method will send either GARP (IPv4) or neighbor advertisements (IPv6)
@@ -402,7 +432,10 @@ def send_vip_advertisements(lb_id):
     :returns: None
     """
     try:
-        vips = get_haproxy_vip_addresses(lb_id)
+        if lb_id:
+            vips = get_haproxy_vip_addresses(lb_id)
+        else:
+            vips = get_lvs_vip_addresses(listener_id)
 
         for vip in vips:
             interface = network_utils.get_interface_name(

octavia/amphorae/backends/utils/interface.py

@@ -356,11 +356,10 @@ class InterfaceController(object):
                               **rule)
 
     def _scripts_up(self, interface, current_state):
-        if current_state == consts.IFACE_DOWN:
-            for script in interface.scripts[consts.IFACE_UP]:
-                LOG.debug("%s: Running command '%s'",
-                          interface.name, script[consts.COMMAND])
-                subprocess.check_output(script[consts.COMMAND].split())
+        for script in interface.scripts[consts.IFACE_UP]:
+            LOG.debug("%s: Running command '%s'",
+                      interface.name, script[consts.COMMAND])
+            subprocess.check_output(script[consts.COMMAND].split())
 
     def down(self, interface):
         LOG.info("Setting interface %s down", interface.name)

octavia/amphorae/drivers/driver_base.py

@@ -14,6 +14,9 @@
 # under the License.
 
 import abc
+from typing import Optional
+
+from octavia.db import models as db_models
 
 
 class AmphoraLoadBalancerDriver(object, metaclass=abc.ABCMeta):
@@ -236,6 +239,19 @@ class AmphoraLoadBalancerDriver(object, metaclass=abc.ABCMeta):
         :type timeout_dict: dict
         """
 
+    @abc.abstractmethod
+    def check(self, amphora: db_models.Amphora,
+              timeout_dict: Optional[dict] = None):
+        """Check connectivity to the amphora.
+
+        :param amphora: The amphora to query.
+        :param timeout_dict: Dictionary of timeout values for calls to the
+                             amphora. May contain: req_conn_timeout,
+                             req_read_timeout, conn_max_retries,
+                             conn_retry_interval
+        :raises TimeOutException: The amphora didn't reply
+        """
+
 
 class VRRPDriverMixin(object, metaclass=abc.ABCMeta):
     """Abstract mixin class for VRRP support in loadbalancer amphorae

octavia/amphorae/drivers/haproxy/rest_api_driver.py

@@ -111,6 +111,11 @@ class HaproxyAmphoraLoadBalancerDriver(
 
         return api_version
 
+    def check(self, amphora: db_models.Amphora,
+              timeout_dict: Optional[dict] = None):
+        """Check connectivity to the amphora."""
+        self._populate_amphora_api_version(amphora, timeout_dict)
+
     def update_amphora_listeners(self, loadbalancer, amphora,
                                  timeout_dict=None):
         """Update the amphora with a new configuration.
@@ -579,15 +584,15 @@ class HaproxyAmphoraLoadBalancerDriver(
                              req_read_timeout, conn_max_retries,
                              conn_retry_interval
         :type timeout_dict: dict
-        :returns: None if not found, the interface name string if found.
+        :returns: the interface name string if found.
+        :raises octavia.amphorae.drivers.haproxy.exceptions.NotFound:
+                No interface found on the amphora
+        :raises TimeOutException: The amphora didn't reply
         """
-        try:
-            self._populate_amphora_api_version(amphora, timeout_dict)
-            response_json = self.clients[amphora.api_version].get_interface(
-                amphora, ip_address, timeout_dict, log_error=False)
-            return response_json.get('interface', None)
-        except (exc.NotFound, driver_except.TimeOutException):
-            return None
+        self._populate_amphora_api_version(amphora, timeout_dict)
+        response_json = self.clients[amphora.api_version].get_interface(
+            amphora, ip_address, timeout_dict, log_error=False)
+        return response_json.get('interface', None)
 
 
 # Check a custom hostname

octavia/amphorae/drivers/keepalived/jinja/jinja_cfg.py

@@ -123,7 +123,6 @@ class KeepalivedJinjaTemplater(object):
                 peers_ips.append(amp.vrrp_ip)
         return self.get_template(self.keepalived_template).render(
             {'vrrp_group_name': loadbalancer.vrrp_group.vrrp_group_name,
-             'amp_role': amphora.role,
              'amp_intf': amphora.vrrp_interface,
              'amp_vrrp_id': amphora.vrrp_id,
              'amp_priority': amphora.vrrp_priority,

octavia/amphorae/drivers/keepalived/jinja/templates/keepalived_base.template

@@ -21,7 +21,6 @@ vrrp_script check_script {
 }
 
 vrrp_instance {{ vrrp_group_name }} {
-    state {{ amp_role }}
     interface {{ amp_intf }}
     virtual_router_id {{ amp_vrrp_id }}
     priority {{ amp_priority }}

octavia/amphorae/drivers/keepalived/vrrp_rest_driver.py

@@ -88,7 +88,8 @@ class KeepalivedAmphoraDriverMixin(driver_base.VRRPDriverMixin):
 
         LOG.info("Start amphora %s VRRP Service.", amphora.id)
 
-        self._populate_amphora_api_version(amphora)
+        self._populate_amphora_api_version(amphora,
+                                           timeout_dict=timeout_dict)
         self.clients[amphora.api_version].start_vrrp(amphora,
                                                      timeout_dict=timeout_dict)
 

octavia/amphorae/drivers/noop_driver/driver.py

@@ -196,3 +196,6 @@ class NoopAmphoraLoadBalancerDriver(
 
     def reload_vrrp_service(self, loadbalancer):
         pass
+
+    def check(self, amphora, timeout_dict=None):
+        pass

octavia/api/common/pagination.py

@@ -169,7 +169,7 @@ class PaginationHelper(object):
             # TODO(rm_work) Do we need to know when there are more vs exact?
             # We safely know if we have a full page, but it might include the
             # last element or it might not, it is unclear
-            if len(model_list) >= self.limit:
+            if self.limit is None or len(model_list) >= self.limit:
                 next_attr.append("marker={}".format(model_list[-1].get('id')))
                 next_link = {
                     "rel": "next",

octavia/api/v2/controllers/health_monitor.py

@@ -188,7 +188,9 @@ class HealthMonitorController(base.BaseController):
             request.type == consts.HEALTH_MONITOR_UDP_CONNECT)
         conf_min_delay = (
             CONF.api_settings.udp_connect_min_interval_health_monitor)
-        if hm_is_type_udp and request.delay < conf_min_delay:
+        if (hm_is_type_udp and
+                not isinstance(request.delay, wtypes.UnsetType) and
+                request.delay < conf_min_delay):
             raise exceptions.ValidationException(detail=_(
                 "The request delay value %(delay)s should be larger than "
                 "%(conf_min_delay)s for %(type)s health monitor type.") % {
@@ -238,7 +240,6 @@ class HealthMonitorController(base.BaseController):
         context.session.begin()
         try:
             if self.repositories.check_quota_met(
-                    context.session,
                     context.session,
                     data_models.HealthMonitor,
                     health_monitor.project_id):

octavia/api/v2/controllers/l7policy.py

@@ -151,7 +151,6 @@ class L7PolicyController(base.BaseController):
         lock_session.begin()
         try:
             if self.repositories.check_quota_met(
-                    context.session,
                     lock_session,
                     data_models.L7Policy,
                     l7policy.project_id):

octavia/api/v2/controllers/l7rule.py

@@ -154,7 +154,6 @@ class L7RuleController(base.BaseController):
         context.session.begin()
         try:
             if self.repositories.check_quota_met(
-                    context.session,
                     context.session,
                     data_models.L7Rule,
                     l7rule.project_id):

octavia/api/v2/controllers/listener.py

@@ -372,7 +372,6 @@ class ListenersController(base.BaseController):
         context.session.begin()
         try:
             if self.repositories.check_quota_met(
-                    context.session,
                     context.session,
                     data_models.Listener,
                     listener.project_id):

octavia/api/v2/controllers/load_balancer.py

@@ -465,7 +465,6 @@ class LoadBalancersController(base.BaseController):
         lock_session.begin()
         try:
             if self.repositories.check_quota_met(
-                    context.session,
                     lock_session,
                     data_models.LoadBalancer,
                     load_balancer.project_id):
@@ -552,8 +551,15 @@ class LoadBalancersController(base.BaseController):
                     subnet_id=add_vip.subnet_id)
 
             if listeners or pools:
+                # expire_all is required here, it ensures that the loadbalancer
+                # will be re-fetched with its associated vip in _graph_create.
+                # without expire_all the vip attributes that have been updated
+                # just before this call may not be set correctly in the
+                # loadbalancer object.
+                lock_session.expire_all()
+
                 db_pools, db_lists = self._graph_create(
-                    context.session, lock_session, db_lb, listeners, pools)
+                    lock_session, db_lb, listeners, pools)
 
             # Prepare the data for the driver data model
             driver_lb_dict = driver_utils.lb_dict_to_provider_dict(
@@ -583,7 +589,7 @@ class LoadBalancersController(base.BaseController):
             db_lb, lb_types.LoadBalancerFullResponse)
         return lb_types.LoadBalancerFullRootResponse(loadbalancer=result)
 
-    def _graph_create(self, session, lock_session, db_lb, listeners, pools):
+    def _graph_create(self, session, db_lb, listeners, pools):
         # Track which pools must have a full specification
         pools_required = set()
         # Look through listeners and find any extra pools, and move them to the
@@ -642,7 +648,7 @@ class LoadBalancersController(base.BaseController):
 
         # Check quotas for pools.
         if pools and self.repositories.check_quota_met(
-                session, lock_session, data_models.Pool, db_lb.project_id,
+                session, data_models.Pool, db_lb.project_id,
                 count=len(pools)):
             raise exceptions.QuotaException(resource=data_models.Pool._name())
 
@@ -661,13 +667,13 @@ class LoadBalancersController(base.BaseController):
             p['load_balancer_id'] = db_lb.id
             p['project_id'] = db_lb.project_id
             new_pool = (pool.PoolsController()._graph_create(
-                session, lock_session, p))
+                session, p))
             new_pools.append(new_pool)
             pool_name_ids[new_pool.name] = new_pool.id
 
         # Now check quotas for listeners
         if listeners and self.repositories.check_quota_met(
-                session, lock_session, data_models.Listener, db_lb.project_id,
+                session, data_models.Listener, db_lb.project_id,
                 count=len(listeners)):
             raise exceptions.QuotaException(
                 resource=data_models.Listener._name())
@@ -687,7 +693,7 @@ class LoadBalancersController(base.BaseController):
             li['load_balancer_id'] = db_lb.id
             li['project_id'] = db_lb.project_id
             new_lists.append(listener.ListenersController()._graph_create(
-                lock_session, li, pool_name_ids=pool_name_ids))
+                session, li, pool_name_ids=pool_name_ids))
 
         return new_pools, new_lists
 

octavia/api/v2/controllers/member.py

@@ -31,6 +31,7 @@ from octavia.common import data_models
 from octavia.common import exceptions
 from octavia.common import validate
 from octavia.db import prepare as db_prepare
+from octavia.i18n import _
 
 
 LOG = logging.getLogger(__name__)
@@ -165,7 +166,6 @@ class MemberController(base.BaseController):
         context.session.begin()
         try:
             if self.repositories.check_quota_met(
-                    context.session,
                     context.session,
                     data_models.Member,
                     member.project_id):
@@ -336,7 +336,6 @@ class MembersController(MemberController):
 
         with context.session.begin():
             db_pool = self._get_db_pool(context.session, self.pool_id)
-            old_members = db_pool.members
 
             project_id, provider = self._get_lb_project_id_provider(
                 context.session, db_pool.load_balancer_id)
@@ -354,6 +353,11 @@ class MembersController(MemberController):
         with context.session.begin():
             self._test_lb_and_listener_and_pool_statuses(context.session)
 
+            # Reload the pool, the members may have been updated between the
+            # first query in this function and the lock of the loadbalancer
+            db_pool = self._get_db_pool(context.session, self.pool_id)
+            old_members = db_pool.members
+
             old_member_uniques = {
                 (m.ip_address, m.protocol_port): m.id for m in old_members}
             new_member_uniques = [
@@ -362,12 +366,21 @@ class MembersController(MemberController):
             # Find members that are brand new or updated
             new_members = []
             updated_members = []
+            updated_member_uniques = set()
             for m in members:
-                if (m.address, m.protocol_port) not in old_member_uniques:
+                key = (m.address, m.protocol_port)
+                if key not in old_member_uniques:
                     validate.ip_not_reserved(m.address)
                     new_members.append(m)
                 else:
-                    m.id = old_member_uniques[(m.address, m.protocol_port)]
+                    m.id = old_member_uniques[key]
+                    if key in updated_member_uniques:
+                        LOG.error("Member %s is updated multiple times in "
+                                  "the same batch request.", m.id)
+                        raise exceptions.ValidationException(
+                            detail=_("Member must be updated only once in the "
+                                     "same request."))
+                    updated_member_uniques.add(key)
                     updated_members.append(m)
 
             # Find members that are deleted
@@ -387,7 +400,7 @@ class MembersController(MemberController):
             else:
                 member_count_diff = len(new_members) - len(deleted_members)
             if member_count_diff > 0 and self.repositories.check_quota_met(
-                    context.session, context.session, data_models.Member,
+                    context.session, data_models.Member,
                     db_pool.project_id, count=member_count_diff):
                 raise exceptions.QuotaException(
                     resource=data_models.Member._name())

octavia/api/v2/controllers/pool.py

@@ -260,7 +260,6 @@ class PoolsController(base.BaseController):
         context.session.begin()
         try:
             if self.repositories.check_quota_met(
-                    context.session,
                     context.session,
                     data_models.Pool,
                     pool.project_id):
@@ -304,18 +303,18 @@ class PoolsController(base.BaseController):
         result = self._convert_db_to_type(db_pool, pool_types.PoolResponse)
         return pool_types.PoolRootResponse(pool=result)
 
-    def _graph_create(self, session, lock_session, pool_dict):
+    def _graph_create(self, session, pool_dict):
         load_balancer_id = pool_dict['load_balancer_id']
         pool_dict = db_prepare.create_pool(
             pool_dict, load_balancer_id)
         members = pool_dict.pop('members', []) or []
         hm = pool_dict.pop('health_monitor', None)
         db_pool = self._validate_create_pool(
-            lock_session, pool_dict)
+            session, pool_dict)
 
         # Check quotas for healthmonitors
         if hm and self.repositories.check_quota_met(
-                session, lock_session, data_models.HealthMonitor,
+                session, data_models.HealthMonitor,
                 db_pool.project_id):
             raise exceptions.QuotaException(
                 resource=data_models.HealthMonitor._name())
@@ -325,7 +324,7 @@ class PoolsController(base.BaseController):
             hm[constants.POOL_ID] = db_pool.id
             hm[constants.PROJECT_ID] = db_pool.project_id
             new_hm = health_monitor.HealthMonitorController()._graph_create(
-                lock_session, hm)
+                session, hm)
             if db_pool.protocol in (constants.PROTOCOL_UDP,
                                     lib_consts.PROTOCOL_SCTP):
                 health_monitor.HealthMonitorController(
@@ -344,7 +343,7 @@ class PoolsController(base.BaseController):
 
         # Now check quotas for members
         if members and self.repositories.check_quota_met(
-                session, lock_session, data_models.Member,
+                session, data_models.Member,
                 db_pool.project_id, count=len(members)):
             raise exceptions.QuotaException(
                 resource=data_models.Member._name())
@@ -357,7 +356,7 @@ class PoolsController(base.BaseController):
             m['project_id'] = db_pool.project_id
             new_members.append(
                 member.MembersController(db_pool.id)._graph_create(
-                    lock_session, m))
+                    session, m))
         db_pool.members = new_members
         return db_pool
 

octavia/api/v2/types/pool.py

@@ -106,7 +106,7 @@ class PoolResponse(BasePoolType):
         if cls._full_response():
             del pool.loadbalancers
             member_model = member.MemberFullResponse
-            if pool.healthmonitor:
+            if data_model.health_monitor:
                 pool.healthmonitor = (
                     health_monitor.HealthMonitorFullResponse
                     .from_data_model(data_model.health_monitor))

octavia/certificates/common/pkcs12.py

@@ -18,7 +18,7 @@ Common classes for pkcs12 based certificate handling
 """
 
 from cryptography.hazmat.primitives import serialization
-from OpenSSL import crypto
+from cryptography.hazmat.primitives.serialization import pkcs12
 
 from octavia.certificates.common import cert
 from octavia.common import exceptions
@@ -28,21 +28,21 @@ class PKCS12Cert(cert.Cert):
     """Representation of a Cert for local storage."""
     def __init__(self, certbag):
         try:
-            p12 = crypto.load_pkcs12(certbag)
-        except crypto.Error as e:
+            p12 = pkcs12.load_pkcs12(certbag, None)
+        except (TypeError, ValueError) as e:
             raise exceptions.UnreadablePKCS12(error=str(e))
-        self.certificate = p12.get_certificate()
-        self.intermediates = p12.get_ca_certificates()
-        self.private_key = p12.get_privatekey()
+        self.certificate = p12.cert
+        self.intermediates = p12.additional_certs
+        self.private_key = p12.key
 
     def get_certificate(self):
-        return self.certificate.to_cryptography().public_bytes(
+        return self.certificate.certificate.public_bytes(
             encoding=serialization.Encoding.PEM).strip()
 
     def get_intermediates(self):
         if self.intermediates:
             int_data = [
-                ic.to_cryptography().public_bytes(
+                ic.certificate.public_bytes(
                     encoding=serialization.Encoding.PEM).strip()
                 for ic in self.intermediates
             ]
@@ -50,7 +50,7 @@ class PKCS12Cert(cert.Cert):
         return None
 
     def get_private_key(self):
-        return self.private_key.to_cryptography_key().private_bytes(
+        return self.private_key.private_bytes(
             encoding=serialization.Encoding.PEM,
             format=serialization.PrivateFormat.TraditionalOpenSSL,
             encryption_algorithm=serialization.NoEncryption()).strip()

octavia/certificates/manager/barbican.py

@@ -17,8 +17,9 @@
 """
 Cert manager implementation for Barbican using a single PKCS12 secret
 """
-from OpenSSL import crypto
-
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.serialization import pkcs12 as c_pkcs12
+from cryptography import x509
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import encodeutils
@@ -64,25 +65,29 @@ class BarbicanCertManager(cert_mgr.CertManager):
         connection = self.auth.get_barbican_client(context.project_id)
 
         LOG.info("Storing certificate secret '%s' in Barbican.", name)
-        p12 = crypto.PKCS12()
-        p12.set_friendlyname(encodeutils.to_utf8(name))
-        x509_cert = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
-        p12.set_certificate(x509_cert)
-        x509_pk = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key)
-        p12.set_privatekey(x509_pk)
-        if intermediates:
-            cert_ints = list(cert_parser.get_intermediates_pems(intermediates))
-            x509_ints = [
-                crypto.load_certificate(crypto.FILETYPE_PEM, ci)
-                for ci in cert_ints]
-            p12.set_ca_certificates(x509_ints)
+
         if private_key_passphrase:
             raise exceptions.CertificateStorageException(
                 "Passphrase protected PKCS12 certificates are not supported.")
 
+        x509_cert = x509.load_pem_x509_certificate(certificate)
+        x509_pk = serialization.load_pem_private_key(private_key, None)
+        cas = None
+        if intermediates:
+            cert_ints = list(cert_parser.get_intermediates_pems(intermediates))
+            cas = [
+                x509.load_pem_x509_certificate(ci)
+                for ci in cert_ints]
+
         try:
             certificate_secret = connection.secrets.create(
-                payload=p12.export(),
+                payload=c_pkcs12.serialize_key_and_certificates(
+                    name=encodeutils.safe_encode(name),
+                    key=x509_pk,
+                    cert=x509_cert,
+                    cas=cas,
+                    encryption_algorithm=serialization.NoEncryption()
+                ),
                 expiration=expiration,
                 name=name
             )
@@ -115,7 +120,10 @@ class BarbicanCertManager(cert_mgr.CertManager):
             return pkcs12.PKCS12Cert(cert_secret.payload)
         except exceptions.UnreadablePKCS12:
             raise
-        except Exception:
+        except Exception as e:
+            LOG.warning('Failed to load PKCS12Cert for secret %s with %s',
+                        cert_ref, str(e))
+            LOG.warning('Falling back to the barbican_legacy implementation.')
             # If our get fails, try with the legacy driver.
             # TODO(rm_work): Remove this code when the deprecation cycle for
             # the legacy driver is complete.

octavia/certificates/manager/castellan_mgr.py

@@ -18,7 +18,8 @@ Cert manager implementation for Castellan
 """
 from castellan.common.objects import opaque_data
 from castellan import key_manager
-from OpenSSL import crypto
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.serialization import pkcs12 as c_pkcs12
 from oslo_config import cfg
 from oslo_log import log as logging
 
@@ -41,16 +42,20 @@ class CastellanCertManager(cert_mgr.CertManager):
     def store_cert(self, context, certificate, private_key, intermediates=None,
                    private_key_passphrase=None, expiration=None,
                    name="PKCS12 Certificate Bundle"):
-        p12 = crypto.PKCS12()
-        p12.set_certificate(certificate)
-        p12.set_privatekey(private_key)
-        if intermediates:
-            p12.set_ca_certificates(intermediates)
         if private_key_passphrase:
             raise exceptions.CertificateStorageException(
                 "Passphrases protected PKCS12 certificates are not supported.")
 
-        p12_data = opaque_data.OpaqueData(p12.export(), name=name)
+        p12_data = opaque_data.OpaqueData(
+            c_pkcs12.serialize_key_and_certificates(
+                name=None,
+                key=private_key,
+                cert=certificate,
+                cas=intermediates,
+                encryption_algorithm=serialization.NoEncryption()
+            ),
+            name=name
+        )
         self.manager.store(context, p12_data)
 
     def get_cert(self, context, cert_ref, resource_ref=None, check_only=False,