From 3a7c9115ebb29e92f0582d851dafc21141d5f7e1 Mon Sep 17 00:00:00 2001
From: Vasyl Saienko
Date: Mon, 19 Feb 2024 18:05:25 +0200
Subject: [PATCH 1/2] When we failed to load pkcs12 cert print warning

Print actual error when we failed to load pkcs12 cert and falling back to the default implemntation, as exception may not be related to certificate or its format like an issue with wrong methods during cryptography version mismatch

*** AttributeError: module 'OpenSSL.crypto' has no attribute 'load_pkcs12'

Related-Prod: PRODX-39931
Change-Id: I85c8a615c4f2e08e28939805ae0e9b2028dadaed
---
 octavia/certificates/manager/barbican.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/octavia/certificates/manager/barbican.py b/octavia/certificates/manager/barbican.py
index 748759c394..049b23b067 100644
--- a/octavia/certificates/manager/barbican.py
+++ b/octavia/certificates/manager/barbican.py
@@ -115,7 +115,10 @@ def get_cert(self, context, cert_ref, resource_ref=None, check_only=False,
             return pkcs12.PKCS12Cert(cert_secret.payload)
         except exceptions.UnreadablePKCS12:
             raise
-        except Exception:
+        except Exception as e:
+            LOG.warning('Failed to load PKCS12Cert for secret %s with %s',
+                        cert_ref, str(e))
+            LOG.warning('Falling back to the barbican_legacy implementation.')
             # If our get fails, try with the legacy driver.
             # TODO(rm_work): Remove this code when the deprecation cycle for
             # the legacy driver is complete.

From f546b849ce30842cc040918cb05bcce39f76e08e Mon Sep 17 00:00:00 2001
From: Andrew Karpow
Date: Thu, 6 Jun 2024 18:36:03 +0200
Subject: [PATCH 2/2] barbican: only fallback to legacy secret container when missing pkcs12

---
 octavia/certificates/manager/barbican.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/octavia/certificates/manager/barbican.py b/octavia/certificates/manager/barbican.py
index 049b23b067..533f7daba6 100644
--- a/octavia/certificates/manager/barbican.py
+++ b/octavia/certificates/manager/barbican.py
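Review bot: The handler at `except Exception as e:` logs only `str(e)`, so the traceback that would show where the failure originated (the `AttributeError` quoted in the commit message comes from the library, not from the secret) is discarded before the fallback runs. Passing `exc_info=True` keeps it and lets the two warnings collapse into one, e.g. `LOG.warning('Failed to load PKCS12Cert for secret %s: %s; falling back to the barbican_legacy implementation.', cert_ref, e, exc_info=True)`. Two separate warning calls can also interleave with other log output, which makes the pair harder to correlate when reading logs. get_cert's body continues below the hunk; the legacy fallback itself is outside it.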
@@ -19,6 +19,7 @@
 """
 
 from OpenSSL import crypto
+from barbicanclient import exceptions as barbican_exceptions
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import encodeutils
@@ -115,7 +116,12 @@ def get_cert(self, context, cert_ref, resource_ref=None, check_only=False,
             return pkcs12.PKCS12Cert(cert_secret.payload)
         except exceptions.UnreadablePKCS12:
             raise
-        except Exception as e:
+        except barbican_exceptions.HTTPClientError as e:
+            # we only want to try the legacy (container) based retrieval if the pkcs12 cert is not found,
+            # else, just raise the error so we retry the pkcs12 retrieval again
+            if e.status_code != 404:
+                raise
+
             LOG.warning('Failed to load PKCS12Cert for secret %s with %s',
                         cert_ref, str(e))
             LOG.warning('Falling back to the barbican_legacy implementation.')
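Review bot: With the handler now entered only for an HTTP 404, the retained warning `Failed to load PKCS12Cert for secret %s with %s` reads as a parse failure when the one case that still reaches it is a missing secret; a single message such as `LOG.warning('PKCS12 secret %s not found (%s); falling back to the barbican_legacy implementation.', cert_ref, e)` would say what actually happened. The two comment lines above `if e.status_code != 404:` run to roughly 100 columns, which the project's pep8 job is likely to reject, and "so we retry the pkcs12 retrieval again" does not describe what `raise` does; rewrap them as `# Only fall back to the legacy (container) retrieval when the PKCS12 secret does not exist; any other client error propagates to the caller.` Every non-HTTPClientError failure (server errors, connection errors, the AttributeError case from the previous patch) now propagates instead of falling back, which matches the subject line but is worth stating in that comment so the next reader does not widen the except again. get_cert continues outside the hunk.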