Fuel for OpenStack

Support custom CA bundle file to use in verifying the vCenter server certificate.

Registered by Alexander Arzhanov on 2016-05-17

The VMware driver for cinder-volume and nova-compute establishes connections to
vCenter over HTTPS, and VMware driver support the vCenter server certificate
verification as part of the connection process.
Currently, for cinder-volume we use ``vmware_insecure = True`` and for
nova-compute we set ``insecure = True`` options therefore the vCenter
server certificate is not verified.
In Fuel Web UI is not possible to select a certificate for cinder-volume
and nova-compute.
For Glance vSphere backend we can specify custom CA bundle file and it covers
the case where the vCenter is using a Self-Signed certificate. But if vCenter
server certificate was emitted by know CA (e.g. GeoTrust) and we don't specify
custom CA bundle file, certificate verification turn off, because by default we
set ``vmware_insecure = True``.
Use cases which cover this blueprint for cinder-volume , nova-compute
and Glance vSphere backend:

1. ``Case 1.`` Bypass vCenter certificate verification (default). Certificate
verification turn off. This case is useful for faster deployment and for testing
environment.

2. ``Case 2.`` vCenter is using a Self-Signed certificate. In this case the user
must upload custom CA bundle file certificate.

3. ``Case 3.`` vCenter server certificate was emitted by know CA
(e.g. GeoTrust). In this case user have to leave CA certificate bundle upload
field empty.

Blueprint information

Status:: Complete

Approver:: Andrian Noga

Priority:: High

Drafter:: Alexander Arzhanov

Direction:: Approved

Assignee:: Alexander Arzhanov

Definition:: Approved

Series goal:: Accepted for mitaka

Implementation:: Implemented

Milestone target:: 9.1

Started by: Alexander Arzhanov on 2016-07-14

Completed by: Alexey Shtokolov on 2016-09-27

Related branches

Related bugs

Bug #1616438: Need to add restriction for using CA certificate verification mode only if Bypass verification is disabled	Fix Released
Bug #1623478: [vCenter] CA file is not uploaded	Fix Released

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/custom-ca-bundle-verify-vcenter-cert,n,z

Addressed by: https://review.openstack.org/317327
Support custom CA bundle file to use in verifying the vCenter server certificate.

Addressed by: https://review.openstack.org/353605
Allow user upload CA bundle file for VMware

Addressed by: https://review.openstack.org/354015
UI for user upload CA bundle file for VMware

Addressed by: https://review.openstack.org/354106
Configure Glance vSphere backend, compute-vmware, cinder-vmware SSL verification settings

Addressed by: https://review.openstack.org/359682
Configure Glance vSphere backend, compute-vmware, cinder-vmware SSL verification settings

Addressed by: https://review.openstack.org/359770
Allow user upload CA bundle file for VMware

Addressed by: https://review.openstack.org/369263
Implementation of TC with uploading CA bundle file for vCenter

Gerrit topic: https://review.openstack.org/#q,topic:bug/1623864,n,z

Addressed by: https://review.openstack.org/374624
Implementation of TC with uploading CA bundle file for vCenter

(?)

Work Items

This blueprint contains Public information

Everyone can see this information.

Subscribers

Alexander Arzhanov