Support custom CA bundle file to use in verifying the vCenter server certificate.

Registered by Alexander Arzhanov on 2016-05-17

The VMware driver for cinder-volume and nova-compute establishes connections to
vCenter over HTTPS, and VMware driver support the vCenter server certificate
verification as part of the connection process.
Currently, for cinder-volume we use ``vmware_insecure = True`` and for
nova-compute we set ``insecure = True`` options therefore the vCenter
server certificate is not verified.
In Fuel Web UI is not possible to select a certificate for cinder-volume
and nova-compute.
For Glance vSphere backend we can specify custom CA bundle file and it covers
the case where the vCenter is using a Self-Signed certificate. But if vCenter
server certificate was emitted by know CA (e.g. GeoTrust) and we don't specify
custom CA bundle file, certificate verification turn off, because by default we
set ``vmware_insecure = True``.
Use cases which cover this blueprint for cinder-volume , nova-compute
and Glance vSphere backend:

1. ``Case 1.`` Bypass vCenter certificate verification (default). Certificate
verification turn off. This case is useful for faster deployment and for testing
environment.

2. ``Case 2.`` vCenter is using a Self-Signed certificate. In this case the user
must upload custom CA bundle file certificate.

3. ``Case 3.`` vCenter server certificate was emitted by know CA
(e.g. GeoTrust). In this case user have to leave CA certificate bundle upload
field empty.

Blueprint information

Status:
Complete
Approver:
Andrian Noga
Priority:
High
Drafter:
Alexander Arzhanov
Direction:
Approved
Assignee:
Alexander Arzhanov
Definition:
Approved
Series goal:
Accepted for mitaka
Implementation:
Implemented
Milestone target:
milestone icon 9.1
Started by
Alexander Arzhanov on 2016-07-14
Completed by
Alexey Shtokolov on 2016-09-27

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/custom-ca-bundle-verify-vcenter-cert,n,z

Addressed by: https://review.openstack.org/317327
    Support custom CA bundle file to use in verifying the vCenter server certificate.

Addressed by: https://review.openstack.org/353605
    Allow user upload CA bundle file for VMware

Addressed by: https://review.openstack.org/354015
    UI for user upload CA bundle file for VMware

Addressed by: https://review.openstack.org/354106
    Configure Glance vSphere backend, compute-vmware, cinder-vmware SSL verification settings

Addressed by: https://review.openstack.org/359682
    Configure Glance vSphere backend, compute-vmware, cinder-vmware SSL verification settings

Addressed by: https://review.openstack.org/359770
    Allow user upload CA bundle file for VMware

Addressed by: https://review.openstack.org/369263
    Implementation of TC with uploading CA bundle file for vCenter

Gerrit topic: https://review.openstack.org/#q,topic:bug/1623864,n,z

Addressed by: https://review.openstack.org/374624
    Implementation of TC with uploading CA bundle file for vCenter

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.