Support custom CA bundle
- Update driver - Add support in templates and manifests. The agent gets the CA bundle from the vcenter computes hash. Change-Id: Ic41d93b95aa9f163284492da60c64e27e1de5c92 Implements: blueprint custom-ca-bundle-verify-vcenter-cert
parent
db91c613b4
commit
5b7daa02e7
@ -20,6 +20,8 @@
|
||||||
agent["vsphere_hostname"] = vc["vc_host"]
|
agent["vsphere_hostname"] = vc["vc_host"]
|
||||||
agent["vsphere_login"] = vc["vc_user"]
|
agent["vsphere_login"] = vc["vc_user"]
|
||||||
agent["vsphere_password"] = vc["vc_password"]
|
agent["vsphere_password"] = vc["vc_password"]
|
||||||
|
agent["vsphere_insecure"] = vc["vc_insecure"]
|
||||||
|
agent["vsphere_ca_file"] = vc["vc_ca_file"]
|
||||||
cluster = vc["vc_cluster"]
|
cluster = vc["vc_cluster"]
|
||||||
if netmaps.include? ':'
|
if netmaps.include? ':'
|
||||||
vds = netmaps.split(";").collect{|k| k.split(":")}.select{|x| x[0] == cluster}.collect{|x| x[1]}[0]
|
vds = netmaps.split(";").collect{|k| k.split(":")}.select{|x| x[0] == cluster}.collect{|x| x[1]}[0]
|
||||||
|
|
|
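Review bot: The first added line copies `vc["vc_insecure"]` into the agent hash without normalizing it, so a missing key becomes `nil` and a string such as "false" is passed through unchanged; the manifest later evaluates `! $vsphere_insecure`, where a non-empty string is truthy in Puppet 4+, so a stringly-typed value would leave certificate verification switched off with no error. Consider coercing at this boundary, e.g. `agent["vsphere_insecure"] = [true, "true"].include?(vc["vc_insecure"])`, and choose the missing-key result deliberately, since the manifest's own default is `true`. The second added line likewise passes `vc["vc_ca_file"]` through without checking it is the `{"content"=>..., "name"=>...}` hash the manifest documentation expects. The enclosing method starts before this hunk, so the source of `vc` is not visible here.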
@ -26,6 +26,17 @@
|
||||||
# [*vsphere_password*]
|
# [*vsphere_password*]
|
||||||
# (required) String. This is a password of VMware vSphere user.
|
# (required) String. This is a password of VMware vSphere user.
|
||||||
#
|
#
|
||||||
|
# [*vsphere_insecure*]
|
||||||
|
# (optional) If true, the ESX/vCenter server certificate is not verified.
|
||||||
|
# If false, then the default CA truststore is used for verification.
|
||||||
|
# Defaults to 'True'.
|
||||||
|
#
|
||||||
|
# [*vsphere_ca_file*]
|
||||||
|
# (optional) The hash name of the CA bundle file and data in format of:
|
||||||
|
# Example:
|
||||||
|
# "{"vc_ca_file"=>{"content"=>"RSA", "name"=>"vcenter-ca.pem"}}"
|
||||||
|
# Defaults to undef.
|
||||||
|
#
|
||||||
# [*network_maps*]
|
# [*network_maps*]
|
||||||
# (required) String. This is a name of DVS.
|
# (required) String. This is a name of DVS.
|
||||||
#
|
#
|
||||||
|
@ -50,6 +61,8 @@ define vmware_dvs::agent(
|
||||||
$vsphere_hostname = '192.168.0.1',
|
$vsphere_hostname = '192.168.0.1',
|
||||||
$vsphere_login = 'administrator@vsphere.local',
|
$vsphere_login = 'administrator@vsphere.local',
|
||||||
$vsphere_password = 'StrongPassword!',
|
$vsphere_password = 'StrongPassword!',
|
||||||
|
$vsphere_insecure = true,
|
||||||
|
$vsphere_ca_file = undef,
|
||||||
$network_maps = 'physnet1:dvSwitch1',
|
$network_maps = 'physnet1:dvSwitch1',
|
||||||
$use_fw_driver = true,
|
$use_fw_driver = true,
|
||||||
$neutron_url_timeout = '3600',
|
$neutron_url_timeout = '3600',
|
||||||
|
@ -70,6 +83,11 @@ define vmware_dvs::agent(
|
||||||
$ocf_pid_dir = '/var/run/resource-agents/ocf-neutron-dvs-agent'
|
$ocf_pid_dir = '/var/run/resource-agents/ocf-neutron-dvs-agent'
|
||||||
$ocf_pid = "${ocf_pid_dir}/${agent_name}.pid"
|
$ocf_pid = "${ocf_pid_dir}/${agent_name}.pid"
|
||||||
|
|
||||||
|
$vcenter_ca_file = pick($vsphere_ca_file, {})
|
||||||
|
$vcenter_ca_content = pick($vcenter_ca_file['content'], {})
|
||||||
|
$vcenter_ca_filepath = "/etc/neutron/vmware-${host}-ca.pem"
|
||||||
|
|
||||||
|
|
||||||
if $use_fw_driver {
|
if $use_fw_driver {
|
||||||
$fw_driver = 'networking_vsphere.agent.firewalls.vcenter_firewall.DVSFirewallDriver'
|
$fw_driver = 'networking_vsphere.agent.firewalls.vcenter_firewall.DVSFirewallDriver'
|
||||||
}
|
}
|
||||||
|
@ -96,6 +114,22 @@ define vmware_dvs::agent(
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ! empty($vcenter_ca_content) and ! $vsphere_insecure {
|
||||||
|
$agent_vcenter_ca_filepath = $vcenter_ca_filepath
|
||||||
|
$agent_vcenter_insecure_real = false
|
||||||
|
|
||||||
|
file { $vcenter_ca_filepath:
|
||||||
|
ensure => file,
|
||||||
|
content => $vcenter_ca_content,
|
||||||
|
mode => '0644',
|
||||||
|
owner => 'root',
|
||||||
|
group => 'root',
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$agent_vcenter_ca_filepath = $::os_service_default
|
||||||
|
$agent_vcenter_insecure_real = $vsphere_insecure
|
||||||
|
}
|
||||||
|
|
||||||
file {$agent_config:
|
file {$agent_config:
|
||||||
ensure => present,
|
ensure => present,
|
||||||
content => template('vmware_dvs/agent_config.erb'),
|
content => template('vmware_dvs/agent_config.erb'),
|
||||||
|
|
|
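Review bot: In the `if ! empty($vcenter_ca_content) and ! $vsphere_insecure` block, a CA bundle supplied together with `vsphere_insecure => true` is silently discarded — the `else` branch sets `$agent_vcenter_ca_filepath = $::os_service_default` and nothing tells the operator the bundle is unused, while the parameter hunk defaults `$vsphere_insecure` to `true`. Suggest surfacing this in the else branch, `if ! empty($vcenter_ca_content) { warning("vsphere_ca_file is ignored because vsphere_insecure is true") }`, and stating in the `[*vsphere_ca_file*]` docs in the first hunk of this file that it is only used when vsphere_insecure is false (the example's `"content"=>"RSA"` also reads as a key type rather than the PEM text that `content =>` writes to disk). The `$agent_vcenter_insecure_real = false` assignment in the first branch only restates the condition; a single `$agent_vcenter_insecure_real = $vsphere_insecure` outside the conditional expresses the same. `$host`, used to build `$vcenter_ca_filepath`, is not visible in these hunks and is presumably a parameter of the define.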
@ -10,3 +10,8 @@ vsphere_login=<%= @vsphere_login %>
|
||||||
network_maps=<%= @network_maps %>
|
network_maps=<%= @network_maps %>
|
||||||
vsphere_hostname=<%= @vsphere_hostname %>
|
vsphere_hostname=<%= @vsphere_hostname %>
|
||||||
vsphere_password=<%= @vsphere_password %>
|
vsphere_password=<%= @vsphere_password %>
|
||||||
|
insecure=<%= @agent_vcenter_insecure_real %>
|
||||||
|
<% if @agent_vcenter_ca_filepath and @agent_vcenter_ca_filepath \
|
||||||
|
!= "<SERVICE DEFAULT>" and !@agent_vcenter_ca_filepath.empty? -%>
|
||||||
|
ca_file=<%= @agent_vcenter_ca_filepath %>
|
||||||
|
<% end -%>
|
||||||
|
|
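Review bot: The guard around the `ca_file=` line is spread over two ERB lines with a backslash continuation and uses `and`, which relies on `and` binding more loosely than `!=` and `!` and is easy to misread; a single-line `&&` form is clearer, e.g. `<% if @agent_vcenter_ca_filepath && @agent_vcenter_ca_filepath != "<SERVICE DEFAULT>" && !@agent_vcenter_ca_filepath.empty? -%>`, or `<% unless [nil, '', '<SERVICE DEFAULT>'].include?(@agent_vcenter_ca_filepath) -%>`. The `"<SERVICE DEFAULT>"` literal presumably mirrors the string value of `$::os_service_default` set in the manifest; a one-line comment naming that coupling, `<%# "<SERVICE DEFAULT>" is the rendered value of $::os_service_default -%>`, would stop the two from drifting apart. `insecure=` is emitted unconditionally, so a value that is neither true nor false in the manifest is written verbatim into the config.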