Implement ability to pass CA bundle certificate for vCenter server

Glance with vsphere backend by default verifies vCenter server TLS/SSL
certificate using system truststore (e.g.
/etc/ssl/certs/ca-certificates.crt). Here is a problem with connection
to vCenter: if we consider case with default installation, then vCenter
starts with self-signed certificate which cannot be verified using linux
shipped CA bundle. Glance starts, but fails to do any useful work,
because it generates SSL errors due to inability to verify vCenter
TLS/SSL certificate.

User can provide its own CA bundle file for Glance to verify connection,
but currently puppet-glance does not support this. This patch aims to
fix this problem, it:
- introduces a new optional parameter $vcenter_ca_file, undef by
  default, which means the value is not written to glance-api.conf
- it switches default value of vmware_api_insecure to True
- provides rspec tests for changed behaviour

Change-Id: Icef5c35ad1128df465da548dd880a0dfeeadb5e1
Related-bug: #1559067
This commit is contained in:
Igor Zinovik 2016-04-01 16:41:20 +03:00
parent 035d1e6c71
commit a1fbd1a42c
2 changed files with 17 additions and 7 deletions


@ -24,7 +24,14 @@
# [*vcenter_api_insecure*] # [*vcenter_api_insecure*]
# (optional) Allow to perform insecure SSL requests to vCenter/ESXi. # (optional) Allow to perform insecure SSL requests to vCenter/ESXi.
# Should be a valid string boolean value # Should be a valid string boolean value
# Defaults to 'False' # Defaults to 'True'
#
# [*vcenter_ca_file*]
# (optional) The name of the CA bundle file which will be used in
# verifying vCenter server certificate. If parameter is not set
# then system truststore is used. If parameter is set, vcenter_api_insecure
# value is ignored.
# Defaults to undef
# #
# [*vcenter_host*] # [*vcenter_host*]
# (required) vCenter/ESXi Server target system. # (required) vCenter/ESXi Server target system.
@ -72,7 +79,8 @@ class glance::backend::vsphere(
$vcenter_datacenter, $vcenter_datacenter,
$vcenter_datastore, $vcenter_datastore,
$vcenter_image_dir, $vcenter_image_dir,
$vcenter_api_insecure = 'False', $vcenter_ca_file = undef,
$vcenter_api_insecure = 'True',
$vcenter_task_poll_interval = '5', $vcenter_task_poll_interval = '5',
$vcenter_api_retry_count = '10', $vcenter_api_retry_count = '10',
$multi_store = false, $multi_store = false,
@ -81,6 +89,7 @@ class glance::backend::vsphere(
glance_api_config { glance_api_config {
'glance_store/vmware_api_insecure': value => $vcenter_api_insecure; 'glance_store/vmware_api_insecure': value => $vcenter_api_insecure;
'glance_store/vmware_ca_file': value => $vcenter_ca_file;
'glance_store/vmware_server_host': value => $vcenter_host; 'glance_store/vmware_server_host': value => $vcenter_host;
'glance_store/vmware_server_username': value => $vcenter_user; 'glance_store/vmware_server_username': value => $vcenter_user;
'glance_store/vmware_server_password': value => $vcenter_password; 'glance_store/vmware_server_password': value => $vcenter_password;
@ -94,6 +103,7 @@ class glance::backend::vsphere(
if $glare_enabled { if $glare_enabled {
glance_glare_config { glance_glare_config {
'glance_store/vmware_api_insecure': value => $vcenter_api_insecure; 'glance_store/vmware_api_insecure': value => $vcenter_api_insecure;
'glance_store/vmware_ca_file': value => $vcenter_ca_file;
'glance_store/vmware_server_host': value => $vcenter_host; 'glance_store/vmware_server_host': value => $vcenter_host;
'glance_store/vmware_server_username': value => $vcenter_user; 'glance_store/vmware_server_username': value => $vcenter_user;
'glance_store/vmware_server_password': value => $vcenter_password; 'glance_store/vmware_server_password': value => $vcenter_password;
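Review bot: Changing the default of `$vcenter_api_insecure` to `'True'` (the parameter list and the `[*vcenter_api_insecure*]` doc) disables vCenter certificate verification for every deployment that does not also set `$vcenter_ca_file`, and that same connection carries `vmware_server_username` and `vmware_server_password`, so an on-path attacker can harvest vCenter credentials without any error being raised. Making a self-signed default install "work" by turning verification off is an insecure-by-default trade; keeping `$vcenter_api_insecure = 'False'` and documenting that operators must either set `$vcenter_ca_file` or explicitly opt into `'True'` preserves the previous posture. If the new default is kept anyway, at least emit `warning('vcenter_ca_file is unset and vcenter_api_insecure is true: vCenter TLS certificate will not be verified')` in the class body when `$vcenter_ca_file` is undef, so the fallback is visible in the agent log rather than silent. `$vcenter_ca_file` is also accepted unvalidated and described as a "name" although it is consumed as a path; a guarded `if $vcenter_ca_file { validate_absolute_path($vcenter_ca_file) }` would catch typos at compile time, assuming stdlib is available to this module as it is in sibling puppet-openstack modules. The "ignored if set" statement matches glance_store's documented precedence of vmware_ca_file over vmware_api_insecure but should be confirmed against the glance_store release being deployed; the class declaration itself starts outside the visible hunks.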


@ -41,7 +41,7 @@ describe 'glance::backend::vsphere' do
end end
it 'configures glance-api.conf' do it 'configures glance-api.conf' do
is_expected.to contain_glance_api_config('glance_store/default_store').with_value('vsphere') is_expected.to contain_glance_api_config('glance_store/default_store').with_value('vsphere')
is_expected.to contain_glance_api_config('glance_store/vmware_api_insecure').with_value('False') is_expected.to contain_glance_api_config('glance_store/vmware_api_insecure').with_value('True')
is_expected.to contain_glance_api_config('glance_store/vmware_server_host').with_value('10.0.0.1') is_expected.to contain_glance_api_config('glance_store/vmware_server_host').with_value('10.0.0.1')
is_expected.to contain_glance_api_config('glance_store/vmware_server_username').with_value('root') is_expected.to contain_glance_api_config('glance_store/vmware_server_username').with_value('root')
is_expected.to contain_glance_api_config('glance_store/vmware_server_password').with_value('123456') is_expected.to contain_glance_api_config('glance_store/vmware_server_password').with_value('123456')
@ -53,7 +53,7 @@ describe 'glance::backend::vsphere' do
end end
it 'not configures glance-glare.conf' do it 'not configures glance-glare.conf' do
is_expected.to_not contain_glance_glare_config('glance_store/default_store').with_value('vsphere') is_expected.to_not contain_glance_glare_config('glance_store/default_store').with_value('vsphere')
is_expected.to_not contain_glance_glare_config('glance_store/vmware_api_insecure').with_value('False') is_expected.to_not contain_glance_glare_config('glance_store/vmware_api_insecure').with_value('True')
is_expected.to_not contain_glance_glare_config('glance_store/vmware_server_host').with_value('10.0.0.1') is_expected.to_not contain_glance_glare_config('glance_store/vmware_server_host').with_value('10.0.0.1')
is_expected.to_not contain_glance_glare_config('glance_store/vmware_server_username').with_value('root') is_expected.to_not contain_glance_glare_config('glance_store/vmware_server_username').with_value('root')
is_expected.to_not contain_glance_glare_config('glance_store/vmware_server_password').with_value('123456') is_expected.to_not contain_glance_glare_config('glance_store/vmware_server_password').with_value('123456')
@ -74,20 +74,20 @@ describe 'glance::backend::vsphere' do
:vcenter_datacenter => 'Datacenter', :vcenter_datacenter => 'Datacenter',
:vcenter_datastore => 'Datastore', :vcenter_datastore => 'Datastore',
:vcenter_image_dir => '/openstack_glance', :vcenter_image_dir => '/openstack_glance',
:vcenter_api_insecure => 'True', :vcenter_ca_file => '/etc/glance/vcenter-ca.pem',
:vcenter_task_poll_interval => '6', :vcenter_task_poll_interval => '6',
:vcenter_api_retry_count => '11', :vcenter_api_retry_count => '11',
:glare_enabled => true, :glare_enabled => true,
} }
end end
it 'configures glance-api.conf' do it 'configures glance-api.conf' do
is_expected.to contain_glance_api_config('glance_store/vmware_api_insecure').with_value('True') is_expected.to contain_glance_api_config('glance_store/vmware_ca_file').with_value('/etc/glance/vcenter-ca.pem')
is_expected.to contain_glance_api_config('glance_store/vmware_task_poll_interval').with_value('6') is_expected.to contain_glance_api_config('glance_store/vmware_task_poll_interval').with_value('6')
is_expected.to contain_glance_api_config('glance_store/vmware_api_retry_count').with_value('11') is_expected.to contain_glance_api_config('glance_store/vmware_api_retry_count').with_value('11')
end end
it 'configures glance-glare.conf' do it 'configures glance-glare.conf' do
is_expected.to contain_glance_glare_config('glance_store/vmware_api_insecure').with_value('True') is_expected.to contain_glance_glare_config('glance_store/vmware_ca_file').with_value('/etc/glance/vcenter-ca.pem')
is_expected.to contain_glance_glare_config('glance_store/vmware_task_poll_interval').with_value('6') is_expected.to contain_glance_glare_config('glance_store/vmware_task_poll_interval').with_value('6')
is_expected.to contain_glance_glare_config('glance_store/vmware_api_retry_count').with_value('11') is_expected.to contain_glance_glare_config('glance_store/vmware_api_retry_count').with_value('11')
end end
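Review bot: No example asserts the behaviour the commit message promises for the default case, that `glance_store/vmware_ca_file` is not written when `$vcenter_ca_file` is undef; the default-parameters `it 'configures glance-api.conf'` example only checks that `vmware_api_insecure` is `'True'`. Whether `value => undef` leaves the key absent or writes an empty string depends on the config provider, so pin it with something like `is_expected.to contain_glance_api_config('glance_store/vmware_ca_file').with_value(nil)` (or `.with_ensure('absent')`, whichever the provider actually produces) so a regression in the undef handling is caught. The override example also dropped `:vcenter_api_insecure` entirely, so the documented interaction where a set CA file takes precedence over the insecure flag is not exercised; adding `:vcenter_api_insecure => 'False'` alongside `:vcenter_ca_file` and asserting both keys are written would cover the realistic secure configuration. The `describe` block and the `let(:params)` hash begin outside the visible hunks.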