20 KiB
Support custom CA bundle file to use in verifying the vCenter server cert
https://blueprints.launchpad.net/fuel/+spec/custom-ca-bundle-verify-vcenter-cert
After implementation this blueprint, user can specify CA bundle file to use in verifying the vCenter server certificate for nova-compute1 and cinder-volume2. Also we improve use cases for Glance vSphere backend and CA bundle file.
Problem description
The VMware driver for cinder-volume and nova-compute establishes
connections to vCenter over HTTPS, and VMware driver support the vCenter
server certificate verification as part of the connection process.
Currently, for cinder-volume3 we use
vmware_insecure = True
4 and for nova-compute5 we set
insecure = True
6 options therefore the
vCenter server certificate is not verified. In Fuel Web UI is not
possible to select a certificate for cinder-volume7 and
nova-compute8. For Glance vSphere backend we can
specify custom CA bundle file and it covers the case where the vCenter
is using a Self-Signed certificate. But if vCenter server certificate
was emitted by know CA (e.g. GeoTrust) and we don't specify custom CA
bundle file, certificate verification turn off, because by default we
set vmware_insecure = True
9.
Use cases which cover this blueprint for cinder-volume10,
nova-compute11 and Glance vSphere backend:
1. Case 1.
Bypass vCenter certificate verification
(default). Certificate verification turn off. This case is useful for
faster deployment and for testing environment.
2. Case 2.
vCenter is using a Self-Signed certificate.
In this case the user must upload custom CA bundle file certificate.
3. Case 3.
vCenter server certificate was emitted by
know CA (e.g. GeoTrust). In this case user have to leave CA certificate
bundle upload field empty.
Proposed changes
The following changes need to be done to implement this feature:
- [Web UI] Add file upload support that allows certificate upload on the VMware tab12.
- [Web UI] Implement restrictions13 support on VMware tab14.
- [Nailgun] Add field that allows user to upload CA certificate that emitted vCenters TLS/SSL certificate.
- [Nailgun] Add checkbox "Bypass vCenter certificate verification".
- [Fuel Library] Fetch CA certificate bundle and deploy services with using certificate.
Web UI
On VMware tab15 in the availability zone section need to add the ability to certificate upload and restrictions16 support.
Availability zone section on VMware tab17:
For the case 1
availability zone section on VMware tab18 will look like:
For the case 2
availability zone section on VMware tab19 will look like:
For the case 3
availability zone section on VMware tab20 will look like:
Description of the above cases can be found in section
Problem description
.
It will use the same logic for the Glance vSphere backend (Glance section on VMware tab21).
Nailgun
Data model
Nailgun should be able to serialize CA certificate data and pass it
into astute.yaml file, astute.yaml for case 2
:
/etc/astute.yaml
...
vcenter:
computes:
- availability_zone_name: vcenter
datastore_regex: .*
service_name: vmcluster1
target_node: controllers
vc_cluster: Cluster1
vc_host: 172.16.0.254
vc_password: Qwer!1234
vc_user: administrator@vsphere.local
vc_insecure : false
vc_ca_file:
content: RSA
name: vcenter-ca.pem
- availability_zone_name: vcenter
datastore_regex: .*
service_name: vmcluster2
target_node: controllers
vc_cluster: Cluster2
vc_host: 172.16.0.254
vc_password: Qwer!1234
vc_user: administrator@vsphere.local
vc_insecure: false
vc_ca_file:
content: RSA
name: vcenter-ca.pem
...
cinder:
...
instances:
- availability_zone_name: vcenter
vc_host: 172.16.0.254
vc_password: Qwer!1234
vc_user: administrator@vsphere.local
vc_insecure: false
vc_ca_file:
content: RSA
name: vcenter-ca.pem
...
glance:
...
vc_insecure: false
vc_ca_file:
content: RSA
name: vcenter-ca.pem
vc_datacenter: Datacenter
vc_datastore: nfs
vc_host: 172.16.0.254
vc_password: Qwer!1234
vc_user: administrator@vsphere.local
...
REST API
GET /api/clusters/%cluster_id%/vmware_attributes/
method
should return data with the following structure:
[{
"pk": 1,
"editable": {
"metadata": [
{
"fields": [
{
"type": "text",
"description": "Availability zone name",
"name": "az_name",
"label": "AZ name"
},
{
"type": "text",
"description": "vCenter host or IP",
"name": "vcenter_host",
"label": "vCenter host"
},
{
"type": "text",
"description": "vCenter username",
"name": "vcenter_username",
"label": "vCenter username"
},
{
"type": "password",
"description": "vCenter password",
"name": "vcenter_password",
"label": "vCenter password"
},
{
"type": "checkbox",
"name": "vcenter_insecure",
"label": "Bypass vCenter certificate verification"
},
{
"type": "file",
"description": "vCenter CA file",
"name": "vcenter_ca_file",
"label": "CA file",
"restrictions": [
{
"message": "Bypass vCenter certificate verification should be disabled.",
"condition": "currentVCenter:vcenter_insecure == true"
}
]
},
{
"fields": [
{
"type": "text",
"description": "vSphere Cluster",
"name": "vsphere_cluster",
"label": "vSphere Cluster",
"regex": {
"source": "\\S",
"error": "Empty cluster"
}
},
{
"type": "text",
"description": "Service name",
"name": "service_name",
"label": "Service name"
},
{
"type": "text",
"description": "Datastore regex",
"name": "datastore_regex",
"label": "Datastore regex"
},
{
"type": "select",
"description": "Target node for nova-compute service",
"name": "target_node",
"label": "Target node"
}
],
"type": "array",
"name": "nova_computes"
}
],
"type": "array",
"name": "availability_zones"
},
{
"fields": [
{
"type": "text",
"description": "VLAN interface",
"name": "esxi_vlan_interface",
"label": "VLAN interface"
}
],
"type": "object",
"name": "network"
},
{
"fields": [
{
"type": "text",
"description": "VCenter host or IP",
"name": "vcenter_host",
"label": "VCenter Host",
"regex": {
"source": "\\S",
"error": "Empty host"
}
},
{
"type": "text",
"description": "vCenter username",
"name": "vcenter_username",
"label": "vCenter username",
"regex": {
"source": "\\S",
"error": "Empty username"
}
},
{
"type": "password",
"description": "vCenter password",
"name": "vcenter_password",
"label": "vCenter password",
"regex": {
"source": "\\S",
"error": "Empty password"
}
},
{
"type": "text",
"description": "Datacenter",
"name": "datacenter",
"label": "Datacenter",
"regex": {
"source": "\\S",
"error": "Empty datacenter"
}
},
{
"type": "text",
"description": "Datastore",
"name": "datastore",
"label": "Datastore",
"regex": {
"source": "\\S",
"error": "Empty datastore"
}
},
{
"type": "checkbox",
"name": "vcenter_insecure",
"label": "Bypass vCenter certificate verification"
},
{
"type": "file",
"description": "File containing the trusted CA bundle that emitted vCenter server certificate. If empty vCenters certificate is not verified.",
"name": "ca_file",
"label": "CA file",
"restrictions": [
{
"message": "Bypass vCenter certificate verification should be disabled.",
"condition": "Glance:vcenter_insecure == true"
}
]
}
],
"type": "object",
"name": "glance",
"restrictions": [
{
"action": "hide",
"condition": "settings:storage.images_vcenter.value == false or settings:common.use_vcenter.value == false"
}
]
}
],
"value": {
"availability_zones": [
{
"az_name": "Zone 1",
"vcenter_host": "1.2.3.4",
"vcenter_username": "admin",
"vcenter_password": "secret",
"vcenter_insecure": "true",
"vcenter_ca_file": "file_blob",
"nova_computes": [
{
"vsphere_cluster": "cluster1",
"service_name": "Compute 1",
"datastore_regex": "",
"target_node": {
"current": {
"id": "test_target_node"
}
}
},
{
"vsphere_cluster": "cluster2",
"service_name": "Compute 3",
"datastore_regex": "",
"target_node": {
"current": {
"id": "test_target_node"
}
}
}
]
},
{
"az_name": "Zone 2",
"vcenter_host": "1.2.3.6",
"vcenter_username": "user$",
"vcenter_password": "pass$word",
"vcenter_insecure": "true",
"vcenter_ca_file": "file_blob",
"nova_computes": [
{
"vsphere_cluster": "cluster1",
"service_name": "Compute 4",
"datastore_regex": "^openstack-[0-9]$"
},
{
"vsphere_cluster": "",
"service_name": "Compute 7",
"datastore_regex": ""
}
]
}
],
"glance": {
"vcenter_host": "1.2.3.4",
"vcenter_username": "admin",
"vcenter_password": "secret",
"datacenter": "test_datacenter",
"datastore": "test_datastore",
"vcenter_insecure": "true",
"ca_file": "file_blob",
},
"network": {
"esxi_vlan_interface": "eth0"
}
}
}
}]
Orchestration
None
RPC Protocol
None
Fuel Client
None
Plugins
Specification might affect plugins that connect to vCenter server:
Fuel Library
Changes to Puppet manifests:
- vmware::cinder::vmdk
- vmware::compute_vmware
- vmware::ceilometer::compute_vmware
- vmware::controller
- vmware::ceilometer
- parse_vcenter_settings function
Alternatives
None
Upgrade impact
None
Security impact
None
Notifications impact
None
End user impact
- The user can upload in VMware tab24 CA certificate that emitted vCenters TLS/SSL certificate.
- The user can check or uncheck
Bypass vCenter certificate verification
in VMware tab25.
Performance impact
None
Deployment impact
None
Developer impact
None
Infrastructure impact
None
Documentation impact
Document how to use CA file
field and
Bypass vCenter certificate verification
checkbox on VMware
tab in the availability zone section and in Glance section.
Implementation
Assignee(s)
Primary assignee | - Alexander Arzhanov <aarzhanov@mirantis.com> |
Developers |
|
QA engineers | - Ilya Bumarskov <ibumarskov@mirantis.com> |
Mandatory design review |
|
Work Items
- [Web UI] Add file upload support that allows certificate upload on the VMware tab26.
- [Web UI] Implement restrictions27 support on VMware tab28.
- [Nailgun] Add field that allows user to upload CA certificate that
emitted vCenters TLS/SSL certificate. Need to make changes:
- openstack.yaml
- vmware_attributes.json
- base_serializers.py
- [Nailgun] Add checkbox
Bypass vCenter certificate verification
. - [Fuel Library] Fetch CA certificate bundle and deploy services with
using certificate. Need to make changes:
- vmware::cinder::vmdk
- vmware::compute_vmware
- vmware::ceilometer::compute_vmware
- vmware::controller
- vmware::ceilometer
- parse_vcenter_settings function
Dependencies
None
Testing, QA
Necessary to check scenarios:
- insecure connections for nova-compute29, cinder-volume30 and Glance vSphere backend.
- secure connections for nova-compute31 and cinder-volume32. and Glance vSphere backend (with CA bundle file for vCenter).
Acceptance criteria
User can upload the CA certificate for vCenter and after deploy
nova-compute 33, cinder-volume34
and Glance vSphere backend service works. If the user does not upload
the CA certificate for vCenter and enable
Bypass vCenter certificate verification
checkbox everything
works too.
References
configured with VMwareVCDriver↩︎
configured with VMwareVcVmdkDriver↩︎
configured with VMwareVcVmdkDriver↩︎
https://github.com/openstack/fuel-library/blob/master/deployment/puppet/vmware/templates/cinder-volume.conf.erb#L81↩︎
configured with VMwareVCDriver↩︎
https://github.com/openstack/fuel-library/blob/master/deployment/puppet/vmware/templates/nova-compute.conf.erb#L17↩︎
configured with VMwareVcVmdkDriver↩︎
configured with VMwareVCDriver↩︎
https://github.com/openstack/puppet-glance/blob/master/manifests/backend/vsphere.pp#L112↩︎
configured with VMwareVcVmdkDriver↩︎
configured with VMwareVCDriver↩︎
https://blueprints.launchpad.net/fuel/+spec/vmware-ui-settings↩︎
https://wiki.openstack.org/wiki/Fuel/Plugins#What_are_restrictions.3F↩︎
https://blueprints.launchpad.net/fuel/+spec/vmware-ui-settings↩︎
https://blueprints.launchpad.net/fuel/+spec/vmware-ui-settings↩︎
https://wiki.openstack.org/wiki/Fuel/Plugins#What_are_restrictions.3F↩︎
https://blueprints.launchpad.net/fuel/+spec/vmware-ui-settings↩︎
https://blueprints.launchpad.net/fuel/+spec/vmware-ui-settings↩︎
https://blueprints.launchpad.net/fuel/+spec/vmware-ui-settings↩︎
https://blueprints.launchpad.net/fuel/+spec/vmware-ui-settings↩︎
https://blueprints.launchpad.net/fuel/+spec/vmware-ui-settings↩︎
https://blueprints.launchpad.net/fuel/+spec/vmware-ui-settings↩︎
https://blueprints.launchpad.net/fuel/+spec/vmware-ui-settings↩︎
https://blueprints.launchpad.net/fuel/+spec/vmware-ui-settings↩︎
https://wiki.openstack.org/wiki/Fuel/Plugins#What_are_restrictions.3F↩︎
https://blueprints.launchpad.net/fuel/+spec/vmware-ui-settings↩︎
configured with VMwareVCDriver↩︎
configured with VMwareVcVmdkDriver↩︎
configured with VMwareVCDriver↩︎
configured with VMwareVcVmdkDriver↩︎
configured with VMwareVCDriver↩︎
configured with VMwareVcVmdkDriver↩︎