From dd7ac6ecb00d967131875f80fade1fe5225f3192 Mon Sep 17 00:00:00 2001
From: Igor Zinovik
Date: Fri, 1 Apr 2016 16:41:20 +0300
Subject: [PATCH] Implement ability to pass CA bundle certificate for vCenter server
Glance with vsphere backend by default verifies vCenter server TLS/SSL certificate using system truststore (e.g. /etc/ssl/certs/ca-certificates.crt). Here is a problem with connection to vCenter: if we consider case with default installation, then vCenter starts with self-signed certificate which cannot be verified using linux shipped CA bundle. Glance starts, but fails to do any useful work, because it generates SSL errors due to inability to verify vCenter TLS/SSL certificate. User can provide its own CA bundle file for Glance to verify connection, but currently puppet-glance does not support this.
This patch aims to fix this problem, it:
- introduces new optional parameter $vcenter_ca_file which undef by default, which means that value will not be written to glance-api.conf
- it switches default value of vmware_api_insecure to True
- provides rspec tests for changed behaviour
Change-Id: Icef5c35ad1128df465da548dd880a0dfeeadb5e1
Related-bug: #1559067
(cherry picked from commit a1fbd1a42cbd02a7dcf892fb7904dc012f7134b5)
---
 manifests/backend/vsphere.pp | 14 ++++++++++++--
 spec/classes/glance_backend_vsphere_spec.rb | 10 +++++-----
 2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/manifests/backend/vsphere.pp b/manifests/backend/vsphere.pp
index 5e1f0b2a..3dda70ce 100644
--- a/manifests/backend/vsphere.pp
+++ b/manifests/backend/vsphere.pp
@@ -24,7 +24,14 @@
 # [*vcenter_api_insecure*]
 # (optional) Allow to perform insecure SSL requests to vCenter/ESXi.
 # Should be a valid string boolean value
-# Defaults to 'False'
+# Defaults to 'True'
+#
+# [*vcenter_ca_file*]
+# (optional) The name of the CA bundle file which will be used in
+# verifying vCenter server certificate. If parameter is not set
+# then system truststore is used. If parameter is set, vcenter_api_insecure
+# value is ignored.
+# Defaults to undef
 #
 # [*vcenter_host*]
 # (required) vCenter/ESXi Server target system.
@@ -72,7 +79,8 @@ class glance::backend::vsphere(
 $vcenter_datacenter,
 $vcenter_datastore,
 $vcenter_image_dir,
- $vcenter_api_insecure = 'False',
+ $vcenter_ca_file = undef,
+ $vcenter_api_insecure = 'True',
 $vcenter_task_poll_interval = '5',
 $vcenter_api_retry_count = '10',
 $multi_store = false,
@@ -81,6 +89,7 @@ class glance::backend::vsphere(
 glance_api_config {
 'glance_store/vmware_api_insecure': value => $vcenter_api_insecure;
+ 'glance_store/vmware_ca_file': value => $vcenter_ca_file;
 'glance_store/vmware_server_host': value => $vcenter_host;
 'glance_store/vmware_server_username': value => $vcenter_user;
 'glance_store/vmware_server_password': value => $vcenter_password;
@@ -94,6 +103,7 @@ class glance::backend::vsphere(
 if $glare_enabled {
 glance_glare_config {
 'glance_store/vmware_api_insecure': value => $vcenter_api_insecure;
+ 'glance_store/vmware_ca_file': value => $vcenter_ca_file;
 'glance_store/vmware_server_host': value => $vcenter_host;
 'glance_store/vmware_server_username': value => $vcenter_user;
 'glance_store/vmware_server_password': value => $vcenter_password;
diff --git a/spec/classes/glance_backend_vsphere_spec.rb b/spec/classes/glance_backend_vsphere_spec.rb
index 2b8f9b48..2b103b22 100644
--- a/spec/classes/glance_backend_vsphere_spec.rb
+++ b/spec/classes/glance_backend_vsphere_spec.rb
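Review bot: Flipping the default of `$vcenter_api_insecure` from 'False' to 'True' in the parameter list (second hunk, mirrored by the `Defaults to 'True'` line in the first hunk) turns off vCenter certificate verification for every existing deployment that does not also set the new `$vcenter_ca_file`, including deployments whose vCenter certificate was verified fine against the system truststore before this patch. The self-signed default installation described in the commit message is already served by the new parameter, or by operators opting into insecure mode explicitly. Consider keeping `$vcenter_api_insecure = 'False',` together with the original `Defaults to 'False'` comment, or at minimum calling out the weakened default in a release note so that upgrades are not silently downgraded. The class parameter list starts before the second hunk and continues past it.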
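Review bot: In the third and fourth hunks `$vcenter_ca_file` is handed to `glance_api_config` and `glance_glare_config` while its default is undef; whether that yields no setting, an absent setting or an empty `vmware_ca_file =` line depends on the config provider, which is not visible here, and the commit message's statement that the value "will not be written" is not pinned by any spec in this patch. A test in the default-parameter context of the spec file asserting that no `glance_store/vmware_ca_file` value is written would keep an empty path from ever being handed to glance_store. Both resource declarations extend beyond their hunk boundaries.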
@@ -41,7 +41,7 @@ describe 'glance::backend::vsphere' do
 end
 it 'configures glance-api.conf' do
 is_expected.to contain_glance_api_config('glance_store/default_store').with_value('vsphere')
- is_expected.to contain_glance_api_config('glance_store/vmware_api_insecure').with_value('False')
+ is_expected.to contain_glance_api_config('glance_store/vmware_api_insecure').with_value('True')
 is_expected.to contain_glance_api_config('glance_store/vmware_server_host').with_value('10.0.0.1')
 is_expected.to contain_glance_api_config('glance_store/vmware_server_username').with_value('root')
 is_expected.to contain_glance_api_config('glance_store/vmware_server_password').with_value('123456')
@@ -53,7 +53,7 @@ describe 'glance::backend::vsphere' do
 end
 it 'not configures glance-glare.conf' do
 is_expected.to_not contain_glance_glare_config('glance_store/default_store').with_value('vsphere')
- is_expected.to_not contain_glance_glare_config('glance_store/vmware_api_insecure').with_value('False')
+ is_expected.to_not contain_glance_glare_config('glance_store/vmware_api_insecure').with_value('True')
 is_expected.to_not contain_glance_glare_config('glance_store/vmware_server_host').with_value('10.0.0.1')
 is_expected.to_not contain_glance_glare_config('glance_store/vmware_server_username').with_value('root')
 is_expected.to_not contain_glance_glare_config('glance_store/vmware_server_password').with_value('123456')
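Review bot: In the second hunk the negated expectation `is_expected.to_not contain_glance_glare_config('glance_store/vmware_api_insecure').with_value('True')` still passes when the resource exists with any other value, so it does not show that glare is left unconfigured; the updated literal merely tracks the new default. Dropping the value chain, `is_expected.to_not contain_glance_glare_config('glance_store/vmware_api_insecure')`, asserts absence directly. The neighbouring `to_not ... with_value` lines have the same weakness, which this commit leaves as it found it.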
@@ -74,20 +74,20 @@ describe 'glance::backend::vsphere' do
 :vcenter_datacenter => 'Datacenter',
 :vcenter_datastore => 'Datastore',
 :vcenter_image_dir => '/openstack_glance',
- :vcenter_api_insecure => 'True',
+ :vcenter_ca_file => '/etc/glance/vcenter-ca.pem',
 :vcenter_task_poll_interval => '6',
 :vcenter_api_retry_count => '11',
 :glare_enabled => true,
 }
 end
 it 'configures glance-api.conf' do
- is_expected.to contain_glance_api_config('glance_store/vmware_api_insecure').with_value('True')
+ is_expected.to contain_glance_api_config('glance_store/vmware_ca_file').with_value('/etc/glance/vcenter-ca.pem')
 is_expected.to contain_glance_api_config('glance_store/vmware_task_poll_interval').with_value('6')
 is_expected.to contain_glance_api_config('glance_store/vmware_api_retry_count').with_value('11')
 end
 it 'configures glance-glare.conf' do
- is_expected.to contain_glance_glare_config('glance_store/vmware_api_insecure').with_value('True')
+ is_expected.to contain_glance_glare_config('glance_store/vmware_ca_file').with_value('/etc/glance/vcenter-ca.pem')
 is_expected.to contain_glance_glare_config('glance_store/vmware_task_poll_interval').with_value('6')
 is_expected.to contain_glance_glare_config('glance_store/vmware_api_retry_count').with_value('11')
 end