How to import third party certificates into VIO manager for uploading images from an HTTPS location

Article ID: 321740

Updated On:

Products

VMware Integrated OpenStack

Issue/Introduction

Copy a third-party orchestration product's certificate into the VIO manager.


Symptoms:

  • Customers who integrate third-party orchestration solutions (such as Ericsson Orchestration Configuration Manager) into VMware Integrated OpenStack need the third-party certificate copied to the OpenStack manager. Otherwise, uploading images to Glance fails with errors similar to the following:

2023-09-11 06:50:35.610 8 WARNING glance.common.scripts.image_import.main [-] Task ########-####-####-####-############ failed with exception HTTPSConnectionPool(host='xyx.vio.local', port=443): Max retries exceeded with url: /test/images/download/########-####-####-####-############(Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])"))): requests.exceptions.SSLError: HTTPSConnectionPool(host='xyz.vio.local', port=443): Max retries exceeded with url: /test/images/download/########-####-####-####-############ (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

  • Uploading images to the Glance repository fails with an SSL error.

Environment

7.1, 7.2

Cause

 

 

Resolution

Addressed in 7.3

Workaround:

  1. Copy the certificate into the manager node:

vim /tmp/glance_cert.pem

  2. Create a Kubernetes Secret:

osctl create secret generic glance-cert-secret --from-file=/tmp/glance_cert.pem

  3. Edit the glance-api deployment to mount the secret, then save it:

osctl edit deployment glance-api
==================================================================================
apiVersion: apps/v1
kind: Deployment
metadata:
  name: glance
spec:
  replicas: 2
  template:
    ...
    spec:
      containers:
      - name: glance-api
        ....
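        volumeMounts:
        - name: glance-cert-volume
          mountPath: /etc/ssl/certs/glance-cert.pem
          readOnly: true
          # subPath must match the key in the Secret (the file name passed to --from-file)
          subPath: glance_cert.pem

      # volumes belongs to the pod spec, at the same level as containers
      volumes:
      - name: glance-cert-volume
        secret:
          secretName: glance-cert-secret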
==================================================================================

  4. Verify that the glance-cert.pem file is present in the /etc/ssl/certs directory of the glance-api pod:

osctl exec -it glance-api-xxx bash

  5. Execute the rehash.sh script so that the certificates are loaded into the system:

osctl edit configmap glance-bin

if [ -f /etc/ssl/certs/vcenter.pem ] || [ -f /etc/ssl/certs/<your_pem_file_name_in_glance_api_pod>.pem ]; then
   sudo /bin/rehash_ca_certificates.sh
fi

  6. Validate if the glance-api pods are restarted:
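
A check for steps 4 and 5, added here as an example and not part of the original article: run inside the glance-api pod, it confirms that the mounted PEM is a regular file holding a certificate (and no private key) and that a hash link in the same directory resolves to it. The function name `check_ca_mount`, the sample hash `0a1b2c3d` and the placeholder PEM text are constructed, and the check assumes that rehash_ca_certificates.sh creates OpenSSL-style hash links in /etc/ssl/certs.

```bash
# Added example (not from the article). check_ca_mount is a hypothetical helper.
# Assumption: the rehash script leaves OpenSSL-style hash links
# (8 hex digits, ".N") in the trust directory that resolve to the PEM file.
# Usage inside the pod: check_ca_mount /etc/ssl/certs glance-cert.pem
check_ca_mount() {
    dir=$1; name=$2; pem="$dir/$name"
    if [ -d "$pem" ]; then
        echo "FAIL: $pem is a directory (typical when subPath does not match a key in the Secret)"
        return 2
    fi
    if [ ! -f "$pem" ]; then
        echo "FAIL: $pem is missing (secret not mounted)"
        return 1
    fi
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        echo "FAIL: $pem contains a private key; mount only the CA certificate"
        return 3
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$pem"; then
        echo "FAIL: $pem has no PEM certificate block"
        return 4
    fi
    for link in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        [ -L "$link" ] || continue
        if [ "$link" -ef "$pem" ]; then
            echo "OK: $pem is reachable through hash link $(basename "$link")"
            return 0
        fi
    done
    echo "FAIL: no hash link points at $pem (rehash has not run)"
    return 5
}

# Constructed demo in a temporary directory; the PEM body is a placeholder,
# not a real certificate, and 0a1b2c3d is a made-up hash value.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$demo/glance-cert.pem"
check_ca_mount "$demo" glance-cert.pem || true   # before rehash: exit status 5
ln -s glance-cert.pem "$demo/0a1b2c3d.0"         # what a rehash would add
check_ca_mount "$demo" glance-cert.pem           # after rehash: exit status 0
rm -rf "$demo"
```

A non-zero exit status identifies which step to revisit: 1 or 2 point at the secret and volume mount, 3 or 4 at the file copied in step 1, and 5 at the rehash step.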