Configure Glance SSL verification settings (VMware backend)

Fetch CA certificate bundle and pass it into puppet-glance module (glance::backend::vsphere class). Default behaviour of class is to turn off verification (we pass `undef' value to ::glance::backend::vsphere class), if `vcenter_ca_file' is provided certificate is verified. Support of CA certificate setting was introduced in change request of puppet-glance module Icef5c35ad1128df465da548dd880a0dfeeadb5e1 CA bundle file gets uploaded to `/etc/glance/'. Provide noop test case. Closes-bug: #1559067 Change-Id: Id0976706221dbac60c424ba9eb865d84411fc6d0
2016-04-04 10:39:15 +03:00 · 2016-04-04 10:39:15 +03:00 · ac2801b8ba
parent 77d84efa2f
commit ac2801b8ba
2 changed files with 25 additions and 1 deletions
--- a/deployment/puppet/openstack_tasks/manifests/glance/glance.pp
+++ b/deployment/puppet/openstack_tasks/manifests/glance/glance.pp
@ -72,6 +72,7 @@ class openstack_tasks::glance::glance {
  $glance_vcenter_datastore       = $glance_hash['vc_datastore']
  $glance_vcenter_image_dir       = $glance_hash['vc_image_dir']
  $glance_vcenter_api_retry_count = '20'
+  $glance_vcenter_ca_file         = $glance_hash['vc_ca_file']
  $glance_image_cache_max_size    = $glance_hash['image_cache_max_size']
  $pipeline                       = pick($glance_hash['pipeline'], 'keystone')
  $glance_large_object_size       = pick($glance_hash['large_object_size'], '5120')
@ -295,6 +296,22 @@ class openstack_tasks::glance::glance {
      }
    }
    'vmware': {
+      if ! empty($glance_vcenter_ca_file['content']) {
+        $vcenter_ca_filename = $glance_vcenter_ca_file['name']
+        $vcenter_ca_filepath = "/etc/glance/${glance_vcenter_ca_filename}"
+
+        file { $vcenter_ca_filepath:
+          ensure  => file,
+          content => $glance_vcenter_ca_file['content'],
+          mode    => '0644',
+          owner   => 'root',
+          group   => 'root',
+        }
+        Class['::glance::backend::vsphere']->File[$vcenter_ca_filepath]
+      } else {
+        $vcenter_ca_filepath = undef
+      }
+
      class { '::glance::backend::vsphere':
          vcenter_host            => $glance_vcenter_host,
          vcenter_user            => $glance_vcenter_user,
@ -303,6 +320,7 @@ class openstack_tasks::glance::glance {
          vcenter_datastore       => $glance_vcenter_datastore,
          vcenter_image_dir       => $glance_vcenter_image_dir,
          vcenter_api_retry_count => $glance_vcenter_api_retry_count,
+          vcenter_ca_file         => $vcenter_ca_filepath,
          glare_enabled           => true,
      }
    }
--- a/tests/noop/spec/hosts/glance/glance_spec.rb
+++ b/tests/noop/spec/hosts/glance/glance_spec.rb
@ -192,13 +192,19 @@ describe manifest do
      else
        show_image_direct_url = true
      end
-      let :params do { :glance_backend => 'vmware', } end
+      let :params do { :glance_backend => 'vmware', :glance_vcenter_ca_file => { 'name' => 'vcenter-ca.pem', 'content' => 'RSA'} } end
      it 'should declare vmware backend' do
        should contain_class('glance::backend::vsphere').with(:glare_enabled => true)
      end
      it 'should configure show_image_direct_url' do
        should contain_glance_api_config('DEFAULT/show_image_direct_url').with_value(show_image_direct_url)
      end
+      it 'should configure vmware_ca_file setting' do
+        should contain_glance_api_config('glance_store/vmware_ca_file').with_value('vcenter-ca.pem')
+      end
+      it 'should contain CA certificate for vCenter server' do
+        should contain_file('/etc/glance/vcenter-ca.pem').with_content('RSA')
+      end
    else
      if glance_config && glance_config.has_key?('show_image_direct_url')
        show_image_direct_url = glance_config['show_image_direct_url']