Reverse engineering VMware Cloud Director API

As a continuation of my Cloud Director automation story, I started to dig a bit more into the API calls used for configuring Cloud Director. The process is fairly simple: turn on network monitoring in Chrome developer tools and you can see which API calls the HTML5 portal makes when actions are initiated.

I got a couple of basics done, adding vCenter and NSX-T manager, and already learned quite a lot along the way. One thing is that I now know why the API calls are not documented: they're completely inconsistent with each other. Would be quite difficult to document :)

In practice those two actions mean four API calls, three of them different.

  • Add certificate as trusted (done twice, for both vCenter and NSX-T certificate)
    • https://{vcd_url}/cloudapi/1.0.0/ssl/trustedCertificates
  • Register vCenter
    • https://{vcd_url}/api/admin/extension/action/registervimserver
  • Register NSX-T
    • https://{vcd_url}/api/admin/extension/nsxtManagers

When I first started, I thought this looked nice: a clear JSON POST with a tidy structure. But that was just one of the APIs. All three are actually different: vCenter registration takes XML, while the other two take JSON but still require different Content-Type headers.

I created Ansible playbooks which take parameters, mostly from a variable file:

  • vCD username/password (environment variables, username should have @system suffix if local)
  • vCD url
  • vCD API version
  • vCenter url (ip)
  • vCenter username
  • vCenter password
  • NSX-T manager url (ip)
  • NSX-T username
  • NSX-T password

The playbook first downloads the SSL certificate from the vCenter or NSX-T manager, pushes it into the trusted certificate store in vCD, and then adds the resource into vCD.

There's currently no logic to check whether the certificate has already been added, and the script fails if it's run against a resource whose certificate is already in the certificate store. This can be worked around by changing the certificate step's expected return value (status_code) to 400; this way it considers the failure a success and proceeds.
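
The playbook trusts whatever certificate the host presents at fetch time. The tasks below are an added example, not part of the original playbooks: they compare the fetched certificate's SHA-256 fingerprint with a value obtained out of band before uploading, and accept both 201 and 400 on upload so a re-run proceeds. `vcenter_cert_sha256` is an assumed extra variable (hypothetical name) in the variable file.

```yaml
# Added example: drop-in replacement for the "Get certificate" and
# "upload certificate" tasks of the vCenter playbook. It relies on the
# `login` result registered by the AUTH task and on vcenter_cert_sha256
# (assumed variable), e.g. "AA:BB:..." as printed by openssl.
- name: Get certificate
  shell: "echo | openssl s_client -showcerts -connect {{vcenter_url}}:443 2>/dev/null | openssl x509 -inform pem"
  register: certificate
  changed_when: false

- name: Fingerprint the fetched certificate
  command: openssl x509 -noout -fingerprint -sha256
  args:
    stdin: "{{ certificate.stdout }}"
  register: fingerprint
  changed_when: false

# openssl prints "sha256 Fingerprint=AA:BB:..."; compare the part after "=".
- name: Refuse to trust a certificate that does not match the pinned fingerprint
  assert:
    that:
      - (fingerprint.stdout.split('=') | last | lower) == (vcenter_cert_sha256 | lower)
    fail_msg: "Fingerprint mismatch for {{ vcenter_url }}, not uploading"

- name: upload certificate
  uri:
    url: https://{{vcd_url}}/cloudapi/1.0.0/ssl/trustedCertificates
    method: POST
    force: yes
    return_content: no
    # 201 = newly trusted; 400 is what the post reports for a certificate
    # that is already in the store. Accepting 400 also masks other bad requests.
    status_code: [201, 400]
    validate_certs: no   # unchanged from the original playbook
    body:
      id: null
      alias: "{{vcenter_url}}"
      certificate: "{{ certificate.stdout }}"
    body_format: json
    headers:
      Accept: application/json;version={{api_ver}}
      x-vcloud-authorization: "{{ login.x_vcloud_authorization }}"
      Content-Type: application/json
  register: upload
  changed_when: upload.status == 201
```

The same tasks apply to the NSX-T playbook with `nsx_url` and a second pinned fingerprint variable.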

Here are the playbooks for reference.

Add vCenter


---
- name: Config 
  hosts: localhost
  vars_files:
    - vars.yml
  tasks:
  - name: AUTH
    uri:
      url: https://{{vcd_url}}/api/sessions
      method: POST
      force: yes
      user: "{{ lookup('env', 'VCDUSER') }}"
      password: "{{ lookup('env', 'VCDPWD') }}"
      force_basic_auth: yes
      return_content: no
      status_code: 200
      validate_certs: no
      headers:
        Accept: application/*+xml;version={{api_ver}}
    register: login
  - name: Get certificate
    shell: "echo | openssl s_client -showcerts -connect {{vcenter_url}}:443 2>/dev/null | openssl x509 -inform pem"
    register: certificate
  - name: upload certificate
    uri:
      url: https://{{vcd_url}}/cloudapi/1.0.0/ssl/trustedCertificates
      method: POST
      force: yes
      return_content: no
      status_code: 201
      validate_certs: no
      body:
        id: null
        alias: "{{vcenter_url}}"
        certificate: "{{ certificate.stdout }}"
      body_format: json
      headers:
        Accept: application/json;version={{api_ver}}
        x-vcloud-authorization: "{{ login.x_vcloud_authorization }}"
        Content-Type: application/json
  - name: Register vCenter
    uri:
      url: https://{{vcd_url}}/api/admin/extension/action/registervimserver
      method: POST
      force: yes
      return_content: no
      status_code: 200
      validate_certs: no
      body: <root:RegisterVimServerParams xmlns:root="http://www.vmware.com/vcloud/extension/v1.5" xmlns:ns0="http://www.vmware.com/vcloud/v1.5"><root:VimServer name="vc7"><ns0:Description/><root:Username>{{vcenter_user}}</root:Username><root:Password>{{vcenter_pwd}}</root:Password><root:Url>https://{{vcenter_url}}</root:Url><root:IsEnabled>true</root:IsEnabled><root:UseVsphereService>false</root:UseVsphereService><root:VsphereWebClientServerUrl>https://{{vcenter_url}}/</root:VsphereWebClientServerUrl><root:tenantScoped>false</root:tenantScoped><root:proxyEnabled>false</root:proxyEnabled></root:VimServer></root:RegisterVimServerParams>
      body_format: raw
      headers:
        Accept: application/*+xml;version={{api_ver}}
        x-vcloud-authorization: "{{ login.x_vcloud_authorization }}"
        Content-Type: application/vnd.vmware.admin.registerVimServerParams+xml;charset=UTF-8

Add NSX-T

---
- name: Config 
  hosts: localhost
  vars_files:
    - vars.yml
  tasks:
  - name: AUTH
    uri:
      url: https://{{vcd_url}}/api/sessions
      method: POST
      force: yes
      user: "{{ lookup('env', 'VCDUSER') }}"
      password: "{{ lookup('env', 'VCDPWD') }}"
      force_basic_auth: yes
      return_content: no
      status_code: 200
      validate_certs: no
      headers:
        Accept: application/*+xml;version={{api_ver}}
    register: login
  - name: Get certificate
    shell: "echo | openssl s_client -showcerts -connect {{nsx_url}}:443 2>/dev/null | openssl x509 -inform pem"
    register: certificate
  - name: upload certificate
    uri:
      url: https://{{vcd_url}}/cloudapi/1.0.0/ssl/trustedCertificates
      method: POST
      force: yes
      return_content: no
      status_code: 201
      validate_certs: no
      body:
        id: null
        alias: "{{nsx_url}}"
        certificate: "{{ certificate.stdout }}"
      body_format: json
      headers:
        Accept: application/json;version={{api_ver}}
        x-vcloud-authorization: "{{ login.x_vcloud_authorization }}"
        Content-Type: application/json
  - name: Register NSX
    uri:
      url: https://{{vcd_url}}/api/admin/extension/nsxtManagers
      method: POST
      force: yes
      return_content: no
      status_code: 200
      validate_certs: no
      body:
        name: "{{nsx_url}}"
        description: null
        url: "https://{{nsx_url}}"
        networkProviderScope: null
        username: "{{nsx_user}}"
        password: "{{nsx_pwd}}"
      body_format: json
      headers:
        Accept: application/*+json;version={{api_ver}}
        x-vcloud-authorization: "{{ login.x_vcloud_authorization }}"
        Content-Type: application/*+json

Variables

---
vcd_url: 
api_ver: 34.0
vcenter_url: 
vcenter_user: 
vcenter_pwd: 
nsx_url: 
nsx_user: 
nsx_pwd: 
