Support custom CA bundle

- Update driver
- Add support in templates and manifests. Agent will get CA from vcenter
  computes hash.

Change-Id: Ic41d93b95aa9f163284492da60c64e27e1de5c92
Implements: blueprint custom-ca-bundle-verify-vcenter-cert

deployment_scripts/puppet/modules/vmware_dvs/lib/puppet/parser/functions/get_agents_data.rb

@@ -20,6 +20,8 @@
         agent["vsphere_hostname"] = vc["vc_host"]
         agent["vsphere_login"] = vc["vc_user"]
         agent["vsphere_password"] = vc["vc_password"]
+        agent["vsphere_insecure"] = vc["vc_insecure"]
+        agent["vsphere_ca_file"] = vc["vc_ca_file"]
         cluster = vc["vc_cluster"]
         if netmaps.include? ':'
           vds = netmaps.split(";").collect{|k| k.split(":")}.select{|x| x[0] == cluster}.collect{|x| x[1]}[0]

deployment_scripts/puppet/modules/vmware_dvs/manifests/agent.pp

@@ -26,6 +26,17 @@
 # [*vsphere_password*]
 #   (required) String. This is a password of VMware vSphere user.
 #
+# [*vsphere_insecure*]
+#   (optional) If true, the ESX/vCenter server certificate is not verified.
+#   If false, then the default CA truststore is used for verification.
+#   Defaults to 'True'.
+#
+# [*vsphere_ca_file*]
+#   (optional) The hash name of the CA bundle file and data in format of:
+#   Example:
+#   "{"vc_ca_file"=>{"content"=>"RSA", "name"=>"vcenter-ca.pem"}}"
+#   Defaults to undef.
+#
 # [*network_maps*]
 #   (required) String. This is a name of DVS.
 #
@@ -50,6 +61,8 @@ define vmware_dvs::agent(
   $vsphere_hostname    = '192.168.0.1',
   $vsphere_login       = 'administrator@vsphere.local',
   $vsphere_password    = 'StrongPassword!',
+  $vsphere_insecure    = true,
+  $vsphere_ca_file     = undef,
   $network_maps        = 'physnet1:dvSwitch1',
   $use_fw_driver       = true,
   $neutron_url_timeout = '3600',
@@ -70,6 +83,11 @@ define vmware_dvs::agent(
   $ocf_pid_dir  = '/var/run/resource-agents/ocf-neutron-dvs-agent'
   $ocf_pid      = "${ocf_pid_dir}/${agent_name}.pid"
 
+  $vcenter_ca_file     = pick($vsphere_ca_file, {})
+  $vcenter_ca_content  = pick($vcenter_ca_file['content'], {})
+  $vcenter_ca_filepath = "/etc/neutron/vmware-${host}-ca.pem"
+
+
   if $use_fw_driver {
     $fw_driver = 'networking_vsphere.agent.firewalls.vcenter_firewall.DVSFirewallDriver'
   }
@@ -96,6 +114,22 @@ define vmware_dvs::agent(
     }
   }
 
+  if ! empty($vcenter_ca_content) and ! $vsphere_insecure {
+    $agent_vcenter_ca_filepath   = $vcenter_ca_filepath
+    $agent_vcenter_insecure_real = false
+
+    file { $vcenter_ca_filepath:
+      ensure  => file,
+      content => $vcenter_ca_content,
+      mode    => '0644',
+      owner   => 'root',
+      group   => 'root',
+    }
+  } else {
+    $agent_vcenter_ca_filepath   = $::os_service_default
+    $agent_vcenter_insecure_real = $vsphere_insecure
+  }
+
   file {$agent_config:
     ensure  => present,
     content => template('vmware_dvs/agent_config.erb'),

deployment_scripts/puppet/modules/vmware_dvs/templates/agent_config.erb

@@ -10,3 +10,8 @@ vsphere_login=<%= @vsphere_login %>
 network_maps=<%= @network_maps %>
 vsphere_hostname=<%= @vsphere_hostname %>
 vsphere_password=<%= @vsphere_password %>
+insecure=<%= @agent_vcenter_insecure_real %>
+<% if @agent_vcenter_ca_filepath and @agent_vcenter_ca_filepath \
+  != "<SERVICE DEFAULT>" and !@agent_vcenter_ca_filepath.empty? -%>
+ca_file=<%= @agent_vcenter_ca_filepath %>
+<% end -%>