feat(nutanix): support API key auth and custom HTTP headers #358
Open
andrew-sumner wants to merge 6 commits into nutanix-cloud-native:main from
Adds two new builder fields:
- nutanix_api_key — uses the X-ntnx-api-key header in place of Basic auth. Falls back to the NUTANIX_API_KEY environment variable.
- nutanix_custom_headers — extra HTTP headers attached to every Prism Central request (e.g. for Cloudflare Access service tokens). Headers can also be supplied via NUTANIX_HEADER_* env vars; config values take precedence.

Authentication accepts either nutanix_api_key or the existing nutanix_username/nutanix_password pair; if both are set, the API key wins and a warning is emitted. The legacy service-account form (nutanix_username = "X-ntnx-api-key", nutanix_password = key) keeps working for backwards compatibility.

Brings the plugin to parity with the equivalent changes in the terraform-provider-nutanix and nutanix.ansible projects.
…Lite S3
Extends nutanix_api_key and nutanix_custom_headers support to the two
remaining paths that were not covered by the initial PR:
VNC console websocket (boot_command):
step_vnc_connect.go now copies CustomHeaders into the WSS upgrade
request and prefers the explicit APIKey field over the legacy
Username == "X-ntnx-api-key" form. Without this, any service-token
gateway in front of Prism Central (e.g. Cloudflare Access) rejects
the websocket handshake and boot_command keystrokes never land.
Objects Lite S3 upload (source_image_path / cd_content):
CreateImageFile is reimplemented to build the AWS HTTP client through
a headerInjectingTransport that carries nutanix_custom_headers, then
calls v4Client.Images.Create separately. The upstream
prism-go-client ImagesService.Upload uses an unconfigured HTTP client
that silently drops any service-token headers. Note: Objects Lite
still validates AWS V4 signatures against Prism Central's user table,
so nutanix_username/nutanix_password are required for upload even when
nutanix_api_key handles all other API calls.
Documentation:
- nutanix_custom_headers description updated to list all three paths
(REST API, VNC websocket, Objects Lite S3)
- user_data documented for both Linux (cloud-init) and Windows
(Sysprep unattend.xml) — the code already handled both but the docs
only mentioned Linux
- Added caveat about Objects Lite requiring username/password
When the shutdown command triggers a VM power-off (e.g. sysprep /generalize /oobe /shutdown), the communicator drops before it can read the exit status. Previously this was treated as a fatal error, halting the build. Now log a warning and fall through to the power-state polling loop, which detects the VM is off and proceeds to image capture.
Without this, the Sysprep guest customization defaults to PREPARED, which tells Nutanix to auto-restart the VM after shutdown to apply the customization on first boot. For Packer ISO builds, the unattend is for a fresh install — the VM should stay off after sysprep so Packer can capture the disk.
When sysprep runs as a provisioner with /shutdown, the VM may be off before StepShutdown calls PowerOff(). Log a warning and fall through to the polling loop instead of halting.
Exposes the Nutanix V4 API InstallType field as a Packer config option (windows_install_type). Defaults to PREPARED (existing behaviour for template/clone deployments). Set to FRESH for ISO-based builds where the unattend is for a fresh install — prevents Nutanix from auto-restarting the VM after sysprep shutdown.
What this PR does / why we need it:

Adds two new builder configuration fields to authenticate with Prism Central:

- `nutanix_api_key` — when set, requests use the `X-ntnx-api-key` header in place of HTTP Basic auth. Falls back to the `NUTANIX_API_KEY` environment variable.
- `nutanix_custom_headers` — extra HTTP headers attached to every Prism Central request (REST API, VNC console websocket, and Objects Lite S3 uploads), intended for environments fronted by a reverse proxy that requires additional auth headers (e.g. Cloudflare Access service tokens). Headers can also be supplied via `NUTANIX_HEADER_*` environment variables; the prefix is stripped, underscores become dashes, and each segment is title-cased (`NUTANIX_HEADER_CF_ACCESS_CLIENT_ID` -> `Cf-Access-Client-Id`). Config values take precedence over env vars.

Authentication validation now accepts either `nutanix_api_key` or the existing `nutanix_username` + `nutanix_password` pair. If both are provided, `nutanix_api_key` wins and a warning is emitted. The legacy service-account form documented today (`nutanix_username = "X-ntnx-api-key"`, `nutanix_password = <key>`) keeps working for backwards compatibility; the docs now steer users to the new field.

Brings the plugin to parity with the equivalent changes in the sibling Nutanix projects:

Header propagation across all paths

The plugin communicates with Prism Central over three distinct transports. All three now honour `nutanix_api_key` and `nutanix_custom_headers`:

- REST API: `applyCustomHeaders` on each SDK ApiClient via `AddDefaultHeader`
- `boot_command` keystroke injection: `step_vnc_connect.go` copies `CustomHeaders` + `APIKey` onto the WSS upgrade `http.Header`
- `source_image_path` / `cd_content` image upload: `CreateImageFile` builds the AWS HTTP client with a `headerInjectingTransport` that carries `CustomHeaders`

Objects Lite caveat: Objects Lite always validates the AWS V4 signature against Prism Central's user table. `nutanix_username` / `nutanix_password` are required for uploads even when `nutanix_api_key` handles all other API calls. Users can avoid the Objects Lite path entirely by using `source_image_name` or `source_image_uri` instead of `source_image_path`.

Windows guest customization: `windows_install_type`

New config option `windows_install_type` controls the Nutanix V4 API `InstallType` field for Windows Sysprep guest customization (`user_data` with `os_type = "Windows"`):

- `PREPARED` (default) — for sysprepped template/clone deployments. AHV delivers the unattend as `Unattend.xml` and may auto-restart the VM to apply customization.
- `FRESH` — for ISO-based fresh installs. AHV delivers the unattend as `Autounattend.xml` (discoverable by Windows PE) and does not auto-restart the VM after shutdown.

Without this option, `PREPARED` was always used, which caused Nutanix to auto-restart VMs after sysprep /shutdown — preventing Packer from capturing the disk.

Shutdown command resilience (defensive)

`step_shutdown_vm.go` now tolerates communicator disconnects during `shutdown_command` execution and `PowerOff()` errors when the VM is already off. Previously, if the shutdown command triggered a VM power-off (e.g. sysprep /shutdown), the communicator drop was treated as a fatal error, halting the build before reaching the power-state polling loop. Now the error is logged as a warning and the polling loop proceeds normally.

This is a defensive improvement — with the recommended scheduled-task approach for sysprep, the shutdown command returns cleanly before sysprep starts and this code path is not triggered. But it prevents build failures if the timing is different or a different shutdown command is used.

Documentation updates

- `nutanix_custom_headers` description lists all three propagation paths
- `user_data` documented for both Linux (cloud-init) and Windows (Sysprep unattend.xml)
- `windows_install_type` documented with FRESH/PREPARED options
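The rules the description lays out (NUTANIX_HEADER_* name mapping, config-over-env precedence, and the API key taking the place of Basic auth with the legacy service-account form still accepted) as an added Go example; this is not the plugin's code, the function names are mine, and the environment entries and credential values are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// ResolveHeaders: NUTANIX_HEADER_* entries of environ (os.Environ() form) become headers
// (prefix stripped, "_" -> "-", segments title-cased, which is exactly what
// http.CanonicalHeaderKey does); config is overlaid afterwards and therefore wins.
func ResolveHeaders(environ []string, config map[string]string) map[string]string {
	out := map[string]string{}
	for _, kv := range environ {
		name, value, ok := strings.Cut(strings.TrimPrefix(kv, "NUTANIX_HEADER_"), "=")
		if !strings.HasPrefix(kv, "NUTANIX_HEADER_") || !ok || name == "" {
			continue // not one of ours, or malformed (no "=" / empty name)
		}
		out[http.CanonicalHeaderKey(strings.ReplaceAll(name, "_", "-"))] = value
	}
	for k, v := range config { // keys canonicalised so differing spellings collide
		out[http.CanonicalHeaderKey(k)] = v
	}
	return out
}

type AuthConfig struct{ APIKey, Username, Password string } // nutanix_api_key / nutanix_username / nutanix_password

// ResolveAPIKey: explicit key wins (warn reports basic creds were also set and are ignored);
// the legacy form username "X-ntnx-api-key" + password = key is still honoured.
func ResolveAPIKey(c AuthConfig) (key string, warn bool) {
	if c.APIKey != "" {
		return c.APIKey, c.Username != "" || c.Password != ""
	}
	if c.Username == "X-ntnx-api-key" {
		return c.Password, false
	}
	return "", false
}

// ApplyAuth sets X-ntnx-api-key when a key resolves, otherwise HTTP Basic auth.
func ApplyAuth(req *http.Request, c AuthConfig) {
	if key, _ := ResolveAPIKey(c); key != "" {
		req.Header.Set("X-ntnx-api-key", key)
	} else {
		req.SetBasicAuth(c.Username, c.Password)
	}
}

// Constructed inputs: the config spelling overrides the env-derived value.
func main() { fmt.Println(ResolveHeaders([]string{"NUTANIX_HEADER_CF_ACCESS_CLIENT_ID=from-env"}, map[string]string{"cf-access-client-id": "from-config"})) }
```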