
Support custom CA bundle

- Update driver
- Add support in templates and manifests. The agent gets the CA from the vcenter
  computes hash.

Change-Id: Ic41d93b95aa9f163284492da60c64e27e1de5c92
Implements: blueprint custom-ca-bundle-verify-vcenter-cert
Alexander Arzhanov 2 years ago
parent
commit
5b7daa02e7

+ 2
- 0
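--- a/deployment_scripts/puppet/modules/vmware_dvs/lib/puppet/parser/functions/get_agents_data.rb
+++ b/deployment_scripts/puppet/modules/vmware_dvs/lib/puppet/parser/functions/get_agents_data.rb
@@ -20,6 +20,8 @@
         agent["vsphere_hostname"] = vc["vc_host"]
         agent["vsphere_login"] = vc["vc_user"]
         agent["vsphere_password"] = vc["vc_password"]
+        agent["vsphere_insecure"] = vc["vc_insecure"]
+        agent["vsphere_ca_file"] = vc["vc_ca_file"]
         cluster = vc["vc_cluster"]
         if netmaps.include? ':'
           vds = netmaps.split(";").collect{|k| k.split(":")}.select{|x| x[0] == cluster}.collect{|x| x[1]}[0]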
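Review bot: The two new assignments pass `vc_insecure` and `vc_ca_file` through unchanged, so a vcenter entry that lacks either key yields `nil` in the agent hash; for `vsphere_insecure` that presumably falls back to the define's default of `true` (certificate verification off), an outcome worth stating rather than leaving implicit. The manifest in this commit indexes `vsphere_ca_file` as a hash with a `content` key, which is not visible from these lines, so I would add above them `# vc_ca_file is a hash {"content" => <pem>, "name" => <file>}; agent.pp reads "content"` and `# a missing vc_insecure key leaves the define's default (true) in effect`. The enclosing function starts and ends outside the hunk.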

+ 34
- 0
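--- a/deployment_scripts/puppet/modules/vmware_dvs/manifests/agent.pp
+++ b/deployment_scripts/puppet/modules/vmware_dvs/manifests/agent.pp
@@ -26,6 +26,17 @@
 # [*vsphere_password*]
 #   (required) String. This is a password of VMware vSphere user.
 #
+# [*vsphere_insecure*]
+#   (optional) If true, the ESX/vCenter server certificate is not verified.
+#   If false, then the default CA truststore is used for verification.
+#   Defaults to 'True'.
+#
+# [*vsphere_ca_file*]
+#   (optional) The hash name of the CA bundle file and data in format of:
+#   Example:
+#   "{"vc_ca_file"=>{"content"=>"RSA", "name"=>"vcenter-ca.pem"}}"
+#   Defaults to undef.
+#
 # [*network_maps*]
 #   (required) String. This is a name of DVS.
 #
@@ -50,6 +61,8 @@ define vmware_dvs::agent(
   $vsphere_hostname    = '192.168.0.1',
   $vsphere_login       = 'administrator@vsphere.local',
   $vsphere_password    = 'StrongPassword!',
+  $vsphere_insecure    = true,
+  $vsphere_ca_file     = undef,
   $network_maps        = 'physnet1:dvSwitch1',
   $use_fw_driver       = true,
   $neutron_url_timeout = '3600',
@@ -70,6 +83,11 @@ define vmware_dvs::agent(
   $ocf_pid_dir  = '/var/run/resource-agents/ocf-neutron-dvs-agent'
   $ocf_pid      = "${ocf_pid_dir}/${agent_name}.pid"
 
+  $vcenter_ca_file     = pick($vsphere_ca_file, {})
+  $vcenter_ca_content  = pick($vcenter_ca_file['content'], {})
+  $vcenter_ca_filepath = "/etc/neutron/vmware-${host}-ca.pem"
+
+
   if $use_fw_driver {
     $fw_driver = 'networking_vsphere.agent.firewalls.vcenter_firewall.DVSFirewallDriver'
   }
@@ -96,6 +114,22 @@ define vmware_dvs::agent(
     }
   }
 
+  if ! empty($vcenter_ca_content) and ! $vsphere_insecure {
+    $agent_vcenter_ca_filepath   = $vcenter_ca_filepath
+    $agent_vcenter_insecure_real = false
+
+    file { $vcenter_ca_filepath:
+      ensure  => file,
+      content => $vcenter_ca_content,
+      mode    => '0644',
+      owner   => 'root',
+      group   => 'root',
+    }
+  } else {
+    $agent_vcenter_ca_filepath   = $::os_service_default
+    $agent_vcenter_insecure_real = $vsphere_insecure
+  }
+
   file {$agent_config:
     ensure  => present,
     content => template('vmware_dvs/agent_config.erb'),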
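Review bot: In the last hunk the CA bundle is written and used only when `vcenter_ca_content` is non-empty and `vsphere_insecure` is false, yet `vsphere_insecure` defaults to `true` in the second hunk, so an operator who supplies `vsphere_ca_file` and leaves that default gets the bundle silently dropped and `insecure=true` rendered into the agent config. That case should at least be surfaced, e.g. inserting before the `else` the branch `} elsif ! empty($vcenter_ca_content) {` with `warning("vsphere_ca_file is set but vsphere_insecure is true; CA bundle for ${host} is ignored")`; deriving the effective insecure value from whether a bundle was supplied would be the stronger fix. Separately, `pick($vcenter_ca_file['content'], {})` falls back to `{}` for a value that is otherwise a string (it becomes the file's `content`), so `''` would make the following `empty()` check read as intended. `$host`, used in `$vcenter_ca_filepath`, is not among the parameters visible in this section; if it is not a parameter of the define it would be resolved from an outer scope, which is worth confirming.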

+ 5
- 0
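--- a/deployment_scripts/puppet/modules/vmware_dvs/templates/agent_config.erb
+++ b/deployment_scripts/puppet/modules/vmware_dvs/templates/agent_config.erb
@@ -10,3 +10,8 @@ vsphere_login=<%= @vsphere_login %>
 network_maps=<%= @network_maps %>
 vsphere_hostname=<%= @vsphere_hostname %>
 vsphere_password=<%= @vsphere_password %>
+insecure=<%= @agent_vcenter_insecure_real %>
+<% if @agent_vcenter_ca_filepath and @agent_vcenter_ca_filepath \
+  != "<SERVICE DEFAULT>" and !@agent_vcenter_ca_filepath.empty? -%>
+ca_file=<%= @agent_vcenter_ca_filepath %>
+<% end -%>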
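Review bot: The guard around `ca_file=` re-derives "a CA file is configured" by comparing against the literal `"<SERVICE DEFAULT>"`, which couples the template to whatever `$::os_service_default` expands to in agent.pp; if that value ever differs, `ca_file=<SERVICE DEFAULT>` is emitted verbatim. The manifest already makes this decision in its `if`/`else`, so if its else branch left `$agent_vcenter_ca_filepath` undef the guard could shrink to `<% if @agent_vcenter_ca_filepath -%>`, keeping one place that owns the decision. Failing that, a comment such as `<%# "<SERVICE DEFAULT>" is the $::os_service_default sentinel set in agent.pp -%>` above the condition would make the coupling explicit.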

BIN
repositories/ubuntu/python-networking-vsphere_0.0.1.dev378_all.deb View File


BIN
repositories/ubuntu/python-networking-vsphere_0.0.1.dev379_all.deb View File

