authorRadoslav Gerganov <rgerganov@vmware.com>2015-05-04 11:18:58 +0300
committerRadoslav Gerganov <rgerganov@vmware.com>2015-06-16 10:28:29 +0300
commit823766637d2cdd45df75716553656e4650cb49ec (patch)
treefaf4206287cc9b4202afea53caa9eaa15b1456be
parent50e77aa9b8b864ba867a80d74e525aa55010a942 (diff)
downloadnova-823766637d2cdd45df75716553656e4650cb49ec.tar.gz
VMware: verify vCenter server certificate
Two configuration properties are being added:

'ca_file': Specify a CA bundle file to use in verifying the vCenter server certificate.

'insecure': If true, the vCenter server certificate is not verified. If false, then the default CA truststore is used for verification. This option is ignored if 'ca_file' is set.

Closes-Bug: #1276207
DocImpact
Change-Id: I86a04fbd70f726206ddd95caf87685f3559d2ad8
-rw-r--r--nova/virt/vmwareapi/driver.py18
1 files changed, 15 insertions, 3 deletions
diff --git a/nova/virt/vmwareapi/driver.py b/nova/virt/vmwareapi/driver.py
index 20003c86d4..d8b500a261 100644
--- a/nova/virt/vmwareapi/driver.py
+++ b/nova/virt/vmwareapi/driver.py
@@ -58,6 +58,15 @@ vmwareapi_opts = [
cfg.StrOpt('host_password',
help='Password for connection to VMware vCenter host.',
secret=True),
+ cfg.StrOpt('ca_file',
+ help='Specify a CA bundle file to use in verifying the '
+ 'vCenter server certificate.'),
+ cfg.BoolOpt('insecure',
+ default=False,
+ help='If true, the vCenter server certificate is not '
+ 'verified. If false, then the default CA truststore is '
+ 'used for verification. This option is ignored if '
+ '"ca_file" is set.'),
cfg.MultiStrOpt('cluster_name',
help='Name of a VMware Cluster ComputeResource.'),
cfg.StrOpt('datastore_regex',
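Review bot: The help text for `insecure` says what is skipped but not what that exposes: with verification off, the session that carries `host_username` and `host_password` can be intercepted by anyone able to impersonate the vCenter endpoint. I would state that in the option help, for example by extending the first sentence to `'If true, the vCenter server certificate is not verified and the connection, including credentials, is open to interception. '`, and describe `ca_file` as a path, e.g. `'Path to a CA bundle file used to verify the vCenter server certificate.'`. Because the default is `False`, deployments whose vCenter presents a certificate that is not in the default truststore will presumably stop connecting after this change until `ca_file` is set. That is the safer default, but it deserves an explicit upgrade note alongside the DocImpact tag.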
@@ -696,7 +705,9 @@ class VMwareAPISession(api.VMwareAPISession):
username=CONF.vmware.host_username,
password=CONF.vmware.host_password,
retry_count=CONF.vmware.api_retry_count,
- scheme="https"):
+ scheme="https",
+ cacert=CONF.vmware.ca_file,
+ insecure=CONF.vmware.insecure):
super(VMwareAPISession, self).__init__(
host=host_ip,
port=host_port,
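Review bot: The new `cacert=CONF.vmware.ca_file` and `insecure=CONF.vmware.insecure` defaults are evaluated once, when the `def` statement runs at import time, not when a session is created. If this module is ever imported before the configuration files are parsed, the session would use the option defaults rather than the operator's settings, and nothing would report the mismatch. The existing parameters follow the same pattern, so this is not new, but for the TLS settings I would take `cacert=None, insecure=None` and resolve them in the body, e.g. `if insecure is None: insecure = CONF.vmware.insecure`. The signature starts above this hunk and the `super().__init__` call continues in the next one.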
@@ -706,8 +717,9 @@ class VMwareAPISession(api.VMwareAPISession):
task_poll_interval=CONF.vmware.task_poll_interval,
scheme=scheme,
create_session=True,
- wsdl_loc=CONF.vmware.wsdl_location
- )
+ wsdl_loc=CONF.vmware.wsdl_location,
+ cacert=cacert,
+ insecure=insecure)
def _is_vim_object(self, module):
"""Check if the module is a VIM Object instance."""