Support custom CA bundle file to use in verifying the vCenter server certificate.
The VMware driver for cinder-volume and nova-compute establishes connections to
vCenter over HTTPS, and the driver supports verification of the vCenter server
certificate as part of the connection process.
Currently, we set ``vmware_insecure = True`` for cinder-volume and
``insecure = True`` for nova-compute, so the vCenter server certificate is
not verified.
In the Fuel Web UI it is not possible to select a certificate for cinder-volume
and nova-compute.
For the Glance vSphere backend we can specify a custom CA bundle file, which
covers the case where vCenter is using a self-signed certificate. But if the
vCenter server certificate was issued by a known CA (e.g. GeoTrust) and we don't
specify a custom CA bundle file, certificate verification is turned off, because
by default we set ``vmware_insecure = True``.
Use cases covered by this blueprint for cinder-volume, nova-compute
and the Glance vSphere backend:
1. ``Case 1.`` Bypass vCenter certificate verification (default). Certificate
verification is turned off. This case is useful for faster deployment and for
testing environments.
2. ``Case 2.`` vCenter is using a self-signed certificate. In this case the user
must upload a custom CA bundle file.
3. ``Case 3.`` The vCenter server certificate was issued by a known CA
(e.g. GeoTrust). In this case the user has to leave the CA certificate bundle
upload field empty.
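The three cases above, mapped onto the driver options of each service. This is an added example, not code from Fuel or from this blueprint. The section placement, the sample CA path and the choice to reject a CA bundle while bypass is enabled (one reading of Bug #1616438) are assumptions; ``ca_file`` and ``vmware_ca_file`` are the upstream driver options that pair with the ``insecure`` options named above.

```python
# Added example: resolve the blueprint's three cases into per-service options.
# (config file, section, insecure option, CA-file option).
# Section placement is an assumption of this example.
SERVICES = [
    ("nova.conf", "vmware", "insecure", "ca_file"),
    ("cinder.conf", "DEFAULT", "vmware_insecure", "vmware_ca_file"),
    ("glance-api.conf", "glance_store", "vmware_insecure", "vmware_ca_file"),
]

def classify(bypass, ca_file):
    """Return the blueprint case number (1, 2 or 3) for the UI inputs."""
    if bypass:
        if ca_file:
            # Assumed restriction: a CA bundle only makes sense with bypass off.
            raise ValueError("CA bundle is only valid when bypass is disabled")
        return 1                      # Case 1: verification turned off
    return 2 if ca_file else 3        # Case 2: custom bundle; Case 3: known CA

def tls_options(bypass, ca_file=None):
    """Return (case, {conf: {section: {option: value}}})."""
    case = classify(bypass, ca_file)
    rendered = {}
    for conf, section, insecure_opt, ca_opt in SERVICES:
        opts = {insecure_opt: str(case == 1)}
        if case == 2:
            opts[ca_opt] = ca_file    # verify against the uploaded bundle
        # Case 3 sets no CA file, so the system trust store is used.
        rendered[conf] = {section: opts}
    return case, rendered

def render(rendered):
    """Render the nested dict as ini-style text for review."""
    lines = []
    for conf, sections in rendered.items():
        lines.append(f"# {conf}")
        for section, opts in sections.items():
            lines.append(f"[{section}]")
            lines += [f"{key} = {value}" for key, value in opts.items()]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample inputs; the CA path is a placeholder.
    for args in [(True, None), (False, "/etc/ssl/vcenter-ca.pem"), (False, None)]:
        case, rendered = tls_options(*args)
        print(f"--- Case {case} ---\n{render(rendered)}\n")
```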
Blueprint information
- Status: Complete
- Approver: Andrian Noga
- Priority: High
- Drafter: Alexander Arzhanov
- Direction: Approved
- Assignee: Alexander Arzhanov
- Definition: Approved
- Series goal: Accepted for mitaka
- Implementation: Implemented
- Milestone target: 9.1
- Started by: Alexander Arzhanov
- Completed by: Alexey Shtokolov
Related bugs
- Bug #1616438: Need to add restriction for using CA certificate verification mode only if Bypass verification is disabled (Fix Released)
- Bug #1623478: [vCenter] CA file is not uploaded (Fix Released)
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Support custom CA bundle file to use in verifying the vCenter server certificate.
Addressed by: https:/
Allow user upload CA bundle file for VMware
Addressed by: https:/
UI for user upload CA bundle file for VMware
Addressed by: https:/
Configure Glance vSphere backend, compute-vmware, cinder-vmware SSL verification settings
Addressed by: https:/
Configure Glance vSphere backend, compute-vmware, cinder-vmware SSL verification settings
Addressed by: https:/
Allow user upload CA bundle file for VMware
Addressed by: https:/
Implementation of TC with uploading CA bundle file for vCenter
Gerrit topic: https:/
Addressed by: https:/
Implementation of TC with uploading CA bundle file for vCenter