

Allow to customize the TLS config for the govmomi client
Signed-off-by: Martin Necas <[email protected]>
mnecas committed Nov 6, 2024
1 parent 9de3139 commit b13d21e
Showing 4 changed files with 87 additions and 3 deletions.
Expand Up @@ -111,6 +111,14 @@ spec:
- name: VSPHERE_OS_MAP
value: {{ vsphere_osmap_configmap_name }}
{% endif %}
{% if vsphere_tls_ciphers is defined %}
- name: VSPHERE_TLS_CIPHERS
value: {{ vsphere_tls_ciphers }}
{% endif %}
{% if vsphere_tls_max_version is defined %}
- name: VSPHERE_TLS_MAX_VERSION
value: {{ vsphere_tls_max_version }}
{% endif %}
{% if virt_customize_configmap_name is defined %}
- name: VIRT_CUSTOMIZE_MAP
value: {{ virt_customize_configmap_name }}
Expand Down Expand Up @@ -190,6 +198,14 @@ spec:
- name: LOG_LEVEL
value: "{{ controller_log_level }}"
{% endif %}
{% if vsphere_tls_ciphers is defined %}
- name: VSPHERE_TLS_CIPHERS
value: {{ vsphere_tls_ciphers }}
{% endif %}
{% if vsphere_tls_max_version is defined %}
- name: VSPHERE_TLS_MAX_VERSION
value: {{ vsphere_tls_max_version }}
{% endif %}
{% if controller_profile_kind is defined and controller_profile_path is defined and controller_profile_duration is defined %}
- name: PROFILE_KIND
value: "{{ controller_profile_kind }}"
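Review bot: `value: {{ vsphere_tls_max_version }}` (L26, and again at L41) is rendered unquoted, so a value such as `1.2` becomes a YAML float rather than the string the container env schema expects, unlike the quoted `value: "{{ controller_log_level }}"` a few lines below; quote both new values: `value: "{{ vsphere_tls_ciphers }}"` and `value: "{{ vsphere_tls_max_version }}"`. The file header for this section is outside the visible page, so the two hunks cannot be placed by file name here; the same fix applies to both hunks.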
11 changes: 8 additions & 3 deletions pkg/controller/plan/adapter/vsphere/client.go
Expand Up @@ -3,6 +3,7 @@ package vsphere
import (
"context"
"fmt"
"net/http"
liburl "net/url"
"strconv"

Expand All @@ -11,6 +12,7 @@ import (
"github.com/konveyor/forklift-controller/pkg/apis/forklift/v1beta1/ref"
plancontext "github.com/konveyor/forklift-controller/pkg/controller/plan/context"
"github.com/konveyor/forklift-controller/pkg/controller/plan/util"
vsphereclient "github.com/konveyor/forklift-controller/pkg/controller/provider/container/vsphere"
model "github.com/konveyor/forklift-controller/pkg/controller/provider/web/vsphere"
liberr "github.com/konveyor/forklift-controller/pkg/lib/error"
"github.com/konveyor/forklift-controller/pkg/settings"
Expand All @@ -28,8 +30,10 @@ import (
)

const (
snapshotName = "forklift-migration-precopy"
snapshotDesc = "Forklift Operator warm migration precopy"
snapshotName = "forklift-migration-precopy"
snapshotDesc = "Forklift Operator warm migration precopy"
VsphereTlsCiphers = "VSPHERE_TLS_CIPHERS"
VsphereTlsMaxVersion = "VSPHERE_TLS_MAX_VERSION"
)

// vSphere VM Client
Expand Down Expand Up @@ -338,9 +342,9 @@ func (r *Client) getHostClient(hostDef *v1beta1.Host, host *model.Host) (client
err = liberr.Wrap(err)
return
}

url.User = liburl.UserPassword(string(secret.Data["user"]), string(secret.Data["password"]))
soapClient := soap.NewClient(url, r.getInsecureSkipVerifyFlag())
vsphereclient.SetTLSClientConfig(soapClient.Client.Transport.(*http.Transport).TLSClientConfig)
soapClient.SetThumbprint(url.Host, host.Thumbprint)
vimClient, err := vim25.NewClient(context.TODO(), soapClient)
if err != nil {
Expand Down Expand Up @@ -427,6 +431,7 @@ func (r *Client) connect() error {
}
url.User = liburl.UserPassword(r.user(), r.password())
soapClient := soap.NewClient(url, r.getInsecureSkipVerifyFlag())
vsphereclient.SetTLSClientConfig(soapClient.Client.Transport.(*http.Transport).TLSClientConfig)
soapClient.SetThumbprint(url.Host, r.thumbprint())
vimClient, err := vim25.NewClient(context.TODO(), soapClient)
if err != nil {
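Review bot: The new constants VsphereTlsCiphers and VsphereTlsMaxVersion (L73-74) duplicate the identical pair declared in collector.go and are not referenced by anything in this section, since SetTLSClientConfig reads the environment itself; drop them, or refer to `vsphereclient.VsphereTlsCiphers` from the package this commit already imports. The unchecked assertion `soapClient.Client.Transport.(*http.Transport)` at L85 and L93 (and likewise in host.go and collector.go) panics if the transport is ever wrapped or replaced; the two-value form keeps the controller running: `if t, ok := soapClient.Client.Transport.(*http.Transport); ok { vsphereclient.SetTLSClientConfig(t.TLSClientConfig) }`. getHostClient and connect both begin before and continue after their hunks.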
3 changes: 3 additions & 0 deletions pkg/controller/plan/adapter/vsphere/host.go
Expand Up @@ -2,10 +2,12 @@ package vsphere

import (
"context"
"net/http"
liburl "net/url"
"strconv"
"time"

vsphereclient "github.com/konveyor/forklift-controller/pkg/controller/provider/container/vsphere"
model "github.com/konveyor/forklift-controller/pkg/controller/provider/web/vsphere"
liberr "github.com/konveyor/forklift-controller/pkg/lib/error"
"github.com/vmware/govmomi"
Expand Down Expand Up @@ -74,6 +76,7 @@ func (r *EsxHost) connect(ctx context.Context) (err error) {
r.user(),
r.password())
soapClient := soap.NewClient(url, r.getInsecureSkipVerifyFlag())
vsphereclient.SetTLSClientConfig(soapClient.Client.Transport.(*http.Transport).TLSClientConfig)
soapClient.SetThumbprint(url.Host, r.thumbprint())
vimClient, err := vim25.NewClient(ctx, soapClient)
if err != nil {
60 changes: 60 additions & 0 deletions pkg/controller/provider/container/vsphere/collector.go
Expand Up @@ -2,8 +2,10 @@ package vsphere

import (
"context"
"crypto/tls"
"net/http"
liburl "net/url"
"os"
"path"
"strconv"
"strings"
Expand All @@ -25,6 +27,11 @@ import (
meta "k8s.io/apimachinery/pkg/apis/meta/v1"
)

const (
VsphereTlsCiphers = "VSPHERE_TLS_CIPHERS"
VsphereTlsMaxVersion = "VSPHERE_TLS_MAX_VERSION"
)

// Settings
const (
// Connect retry delay.
Expand Down Expand Up @@ -488,6 +495,58 @@ func (r *Collector) watch() (list []*libmodel.Watch) {
return
}

// CipherSuiteId copied and edited the CipherSuiteName from tls lib
func CipherSuiteId(name string) uint16 {
for _, c := range tls.CipherSuites() {
if c.Name == name {
return c.ID
}
}
for _, c := range tls.InsecureCipherSuites() {
if c.Name == name {
return c.ID
}
}
return 0
}

func GetCipherSuitesIds(names []string) []uint16 {
var resp []uint16
for _, name := range names {
if id := CipherSuiteId(name); id != 0 {
resp = append(resp, id)
}
}
return resp
}

func VersionNumber(versionName string) uint16 {
switch versionName {
case "1.0":
return tls.VersionTLS10
case "1.1":
return tls.VersionTLS11
case "1.2":
return tls.VersionTLS12
case "1.3":
return tls.VersionTLS13
default:
return 0
}
}

func SetTLSClientConfig(c *tls.Config) {
if tlsCiphers := os.Getenv(VsphereTlsCiphers); tlsCiphers != "" {
tlsCiphersList := strings.Split(tlsCiphers, ",")
c.CipherSuites = GetCipherSuitesIds(tlsCiphersList)
}
if tlsMaxVersion := os.Getenv(VsphereTlsMaxVersion); tlsMaxVersion != "" {
if version := VersionNumber(tlsMaxVersion); version != 0 {
c.MaxVersion = version
}
}
}

// Build the client.
func (r *Collector) connect(ctx context.Context) (status int, err error) {
r.close()
Expand All @@ -500,6 +559,7 @@ func (r *Collector) connect(ctx context.Context) (status int, err error) {
r.user(),
r.password())
soapClient := soap.NewClient(url, r.getInsecureSkipVerifyFlag())
SetTLSClientConfig(soapClient.Client.Transport.(*http.Transport).TLSClientConfig)
soapClient.SetThumbprint(url.Host, r.thumbprint())
vimClient, err := vim25.NewClient(ctx, soapClient)
if err != nil {
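Review bot: SetTLSClientConfig (L191-201) silently degrades on bad input: a cipher name that is misspelled or carries a space after the comma (`strings.Split` does not trim) is dropped by GetCipherSuitesIds, and if every name is dropped `c.CipherSuites` is assigned nil, which re-enables Go's default suite list instead of the restriction the operator asked for. Trim each name, skip the assignment when the resulting list is empty, and report unknown names through whatever logger collector.go has in scope (not visible in this hunk) so a misconfiguration shows up in the controller log. Two caveats belong in doc comments on these functions: `tls.Config.CipherSuites` does not govern TLS 1.3 suites, so TLS_AES_* names are accepted by CipherSuiteId but have no effect unless MaxVersion is also capped at 1.2; and because CipherSuiteId also consults `tls.InsecureCipherSuites()` the variable can enable suites Go marks insecure, while `VSPHERE_TLS_MAX_VERSION=1.0` or `1.1` cannot complete a handshake without also lowering MinVersion (Go's client default is 1.2). The exported names also need doc comments and Go initialism casing (`CipherSuiteID`, `CipherSuiteIDs` without the Get prefix, `VsphereTLSCiphers`).

```go
// SetTLSClientConfig applies VSPHERE_TLS_CIPHERS and VSPHERE_TLS_MAX_VERSION to c.
// Unknown cipher names are skipped; an all-unknown list leaves c.CipherSuites untouched
// so the Go defaults are not silently re-enabled. TLS 1.3 suites are not configurable
// through CipherSuites and are effectively ignored unless MaxVersion is capped at 1.2.
func SetTLSClientConfig(c *tls.Config) {
	if c == nil {
		return
	}
	if tlsCiphers := os.Getenv(VsphereTlsCiphers); tlsCiphers != "" {
		var ids []uint16
		for _, name := range strings.Split(tlsCiphers, ",") {
			name = strings.TrimSpace(name)
			if name == "" {
				continue
			}
			id := CipherSuiteId(name)
			if id == 0 {
				// report the unknown name through the package logger here
				continue
			}
			ids = append(ids, id)
		}
		if len(ids) > 0 {
			c.CipherSuites = ids
		}
	}
	// … unchanged: VSPHERE_TLS_MAX_VERSION handling …
}
```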

