Support custom CA bundle
- Update driver - Add support in templates and manifests. Agent will get CA from vcenter computes hash. Change-Id: Ic41d93b95aa9f163284492da60c64e27e1de5c92 Implements: blueprint custom-ca-bundle-verify-vcenter-cert
parent
db91c613b4
commit
5b7daa02e7
|
@ -20,6 +20,8 @@
|
|||
agent["vsphere_hostname"] = vc["vc_host"]
|
||||
agent["vsphere_login"] = vc["vc_user"]
|
||||
agent["vsphere_password"] = vc["vc_password"]
|
||||
agent["vsphere_insecure"] = vc["vc_insecure"]
|
||||
agent["vsphere_ca_file"] = vc["vc_ca_file"]
|
||||
cluster = vc["vc_cluster"]
|
||||
if netmaps.include? ':'
|
||||
vds = netmaps.split(";").collect{|k| k.split(":")}.select{|x| x[0] == cluster}.collect{|x| x[1]}[0]
|
||||
|
|
|
@ -26,6 +26,17 @@
|
|||
# [*vsphere_password*]
|
||||
# (required) String. This is a password of VMware vSphere user.
|
||||
#
|
||||
# [*vsphere_insecure*]
|
||||
# (optional) If true, the ESX/vCenter server certificate is not verified.
|
||||
# If false, then the default CA truststore is used for verification.
|
||||
# Defaults to 'True'.
|
||||
#
|
||||
# [*vsphere_ca_file*]
|
||||
# (optional) The hash name of the CA bundle file and data in format of:
|
||||
# Example:
|
||||
# "{"vc_ca_file"=>{"content"=>"RSA", "name"=>"vcenter-ca.pem"}}"
|
||||
# Defaults to undef.
|
||||
#
|
||||
# [*network_maps*]
|
||||
# (required) String. This is a name of DVS.
|
||||
#
|
||||
|
@ -50,6 +61,8 @@ define vmware_dvs::agent(
|
|||
$vsphere_hostname = '192.168.0.1',
|
||||
$vsphere_login = 'administrator@vsphere.local',
|
||||
$vsphere_password = 'StrongPassword!',
|
||||
$vsphere_insecure = true,
|
||||
$vsphere_ca_file = undef,
|
||||
$network_maps = 'physnet1:dvSwitch1',
|
||||
$use_fw_driver = true,
|
||||
$neutron_url_timeout = '3600',
|
||||
|
@ -70,6 +83,11 @@ define vmware_dvs::agent(
|
|||
$ocf_pid_dir = '/var/run/resource-agents/ocf-neutron-dvs-agent'
|
||||
$ocf_pid = "${ocf_pid_dir}/${agent_name}.pid"
|
||||
|
||||
$vcenter_ca_file = pick($vsphere_ca_file, {})
|
||||
$vcenter_ca_content = pick($vcenter_ca_file['content'], {})
|
||||
$vcenter_ca_filepath = "/etc/neutron/vmware-${host}-ca.pem"
|
||||
|
||||
|
||||
if $use_fw_driver {
|
||||
$fw_driver = 'networking_vsphere.agent.firewalls.vcenter_firewall.DVSFirewallDriver'
|
||||
}
|
||||
|
@ -96,6 +114,22 @@ define vmware_dvs::agent(
|
|||
}
|
||||
}
|
||||
|
||||
if ! empty($vcenter_ca_content) and ! $vsphere_insecure {
|
||||
$agent_vcenter_ca_filepath = $vcenter_ca_filepath
|
||||
$agent_vcenter_insecure_real = false
|
||||
|
||||
file { $vcenter_ca_filepath:
|
||||
ensure => file,
|
||||
content => $vcenter_ca_content,
|
||||
mode => '0644',
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
}
|
||||
} else {
|
||||
$agent_vcenter_ca_filepath = $::os_service_default
|
||||
$agent_vcenter_insecure_real = $vsphere_insecure
|
||||
}
|
||||
|
||||
file {$agent_config:
|
||||
ensure => present,
|
||||
content => template('vmware_dvs/agent_config.erb'),
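Review bot: In the `if ! empty($vcenter_ca_content) and ! $vsphere_insecure` block, a CA bundle passed through `vsphere_ca_file` is silently ignored whenever `vsphere_insecure` is true, and the new parameter defaults to `true`, so an operator who only supplies the CA still gets `insecure=true` and an unverified vCenter certificate. Warn or fail on that combination, for example `if ! empty($vcenter_ca_content) and $vsphere_insecure { warning('vsphere_ca_file is ignored while vsphere_insecure is true') }`, and consider defaulting `$vsphere_insecure` to `false`. The `vsphere_ca_file` parameter comment should state that the value is a hash with `content` and `name` keys and that it only takes effect when `vsphere_insecure` is false. The define continues beyond this hunk, so how `$host` in the CA file path is set is not visible here.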
|
||||
|
|
|
@ -10,3 +10,8 @@ vsphere_login=<%= @vsphere_login %>
|
|||
network_maps=<%= @network_maps %>
|
||||
vsphere_hostname=<%= @vsphere_hostname %>
|
||||
vsphere_password=<%= @vsphere_password %>
|
||||
insecure=<%= @agent_vcenter_insecure_real %>
|
||||
<% if @agent_vcenter_ca_filepath and @agent_vcenter_ca_filepath \
|
||||
!= "<SERVICE DEFAULT>" and !@agent_vcenter_ca_filepath.empty? -%>
|
||||
ca_file=<%= @agent_vcenter_ca_filepath %>
|
||||
<% end -%>
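Review bot: The guard around `ca_file=` hard-codes the string `"<SERVICE DEFAULT>"`, which must stay identical to whatever `$::os_service_default` evaluates to in the manifest; if the two ever differ, the placeholder is written into the agent config as a CA path. Presumably the manifest could leave the variable unset when no bundle is installed, which would reduce the test to one line, `<% if @agent_vcenter_ca_filepath && !@agent_vcenter_ca_filepath.to_s.empty? -%>`, and remove the backslash continuation inside the tag. `&&` is also preferable to `and` here, because the low precedence of `and` makes chained conditions easy to misread.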
|
||||
|
|
Binary file not shown.
Binary file not shown.