Add support to NSXv3 driver to verify certs

NSXv3 driver was missing certification verification. This patch
add cert verification

DocImpact
Closes-Bug: #1488692

Change-Id: I8892103225b62ccc526e91e688f01f4150b42cc6

devstack/lib/vmware_nsx_v3

@@ -110,6 +110,8 @@ function neutron_plugin_configure_service {
     _nsxv3_ini_set nsx_user $NSX_USER
     _nsxv3_ini_set nsx_password $NSX_PASSWORD
     _nsxv3_ini_set retries $NSX_RETRIES
+    _nsxv3_ini_set insecure $NSX_INSECURE
+    _nsxv3_ini_set ca_file $NSX_CA_FILE
 }
 
 function neutron_plugin_setup_interface_driver {

vmware_nsx/etc/nsx.ini

@@ -315,3 +315,12 @@
 
 # Maximum number of times to retry API requests
 # retries = 10
+
+# Specify a CA bundle file to use in verifying the NSX Manager
+# server certificate.
+# ca_file =
+
+# If true, the NSX Manager server certificate is not verified. If false,
+# then the default CA truststore is used for verification. This option
+# is ignored if "ca_file" is set.
+# insecure = true

vmware_nsx/neutron/plugins/vmware/common/config.py

@@ -185,7 +185,16 @@ nsx_v3_opts = [
                help=_("Default edge cluster identifier")),
     cfg.IntOpt('retries',
                default=10,
-               help=_('Maximum number of times to retry API request'))
+               help=_('Maximum number of times to retry API request')),
+    cfg.StrOpt('ca_file',
+               help=_('Specify a CA bundle file to use in verifying the NSX '
+                      'Manager server certificate.')),
+    cfg.BoolOpt('insecure',
+                default=True,
+                help=_('If true, the NSX Manager server certificate is not '
+                       'verified. If false, then the default CA truststore is '
+                       'used for verification. This option is ignored if '
+                       '"ca_file" is set.')),
 ]
 
 DEFAULT_STATUS_CHECK_INTERVAL = 2000
@@ -207,14 +216,14 @@ nsxv_opts = [
                deprecated_group="vcns",
                help=_('uri for vsm')),
     cfg.StrOpt('ca_file',
-               help='Specify a CA bundle file to use in verifying the NSXv '
+               help=_('Specify a CA bundle file to use in verifying the NSXv '
-                    'server certificate.'),
+                      'server certificate.')),
     cfg.BoolOpt('insecure',
                 default=True,
-                help='If true, the NSXv server certificate is not verified. '
+                help=_('If true, the NSXv server certificate is not verified. '
                        'If false, then the default CA truststore is used for '
                        'verification. This option is ignored if "ca_file" is '
-                     'set.'),
+                       'set.')),
     cfg.ListOpt('cluster_moid',
                 default=[],
                 help=_('Parameter listing the IDs of the clusters '

vmware_nsx/neutron/plugins/vmware/nsxlib/v3/client.py

@@ -32,7 +32,8 @@ def _get_manager_endpoint():
     manager = _get_manager_ip()
     username = cfg.CONF.nsx_v3.nsx_user
     password = cfg.CONF.nsx_v3.nsx_password
-    return "https://%s" % manager, username, password
+    verify_cert = not cfg.CONF.nsx_v3.insecure
+    return "https://%s" % manager, username, password, verify_cert
 
 
 def _get_manager_ip():
@@ -65,46 +66,49 @@ def _validate_result(result, expected, operation):
 
 
 def get_resource(resource):
-    manager, user, password = _get_manager_endpoint()
+    manager, user, password, verify = _get_manager_endpoint()
     url = manager + "/api/v1/%s" % resource
     headers = {'Accept': 'application/json'}
     result = requests.get(url, auth=auth.HTTPBasicAuth(user, password),
-                          verify=False, headers=headers)
+                          verify=verify, headers=headers,
+                          cert=cfg.CONF.nsx_v3.ca_file)
     _validate_result(result, [requests.codes.ok],
                      _("reading resource: %s") % resource)
     return result.json()
 
 
 def create_resource(resource, data):
-    manager, user, password = _get_manager_endpoint()
+    manager, user, password, verify = _get_manager_endpoint()
     url = manager + "/api/v1/%s" % resource
     headers = {'Content-Type': 'application/json',
                'Accept': 'application/json'}
     result = requests.post(url, auth=auth.HTTPBasicAuth(user, password),
-                           verify=False, headers=headers,
+                           verify=verify, headers=headers,
-                           data=jsonutils.dumps(data))
+                           data=jsonutils.dumps(data),
+                           cert=cfg.CONF.nsx_v3.ca_file)
     _validate_result(result, [requests.codes.created],
                      _("creating resource at: %s") % resource)
     return result.json()
 
 
 def update_resource(resource, data):
-    manager, user, password = _get_manager_endpoint()
+    manager, user, password, verify = _get_manager_endpoint()
     url = manager + "/api/v1/%s" % resource
     headers = {'Content-Type': 'application/json',
                'Accept': 'application/json'}
     result = requests.put(url, auth=auth.HTTPBasicAuth(user, password),
-                          verify=False, headers=headers,
+                          verify=verify, headers=headers,
-                          data=jsonutils.dumps(data))
+                          data=jsonutils.dumps(data),
+                          cert=cfg.CONF.nsx_v3.ca_file)
     _validate_result(result, [requests.codes.ok],
                      _("updating resource: %s") % resource)
     return result.json()
 
 
 def delete_resource(resource):
-    manager, user, password = _get_manager_endpoint()
+    manager, user, password, verify = _get_manager_endpoint()
     url = manager + "/api/v1/%s" % resource
     result = requests.delete(url, auth=auth.HTTPBasicAuth(user, password),
-                             verify=False)
+                             verify=verify, cert=cfg.CONF.nsx_v3.ca_file)
     _validate_result(result, [requests.codes.ok],
                      _("deleting resource: %s") % resource)