Allow to customize the TLS config for the govmomi client

Signed-off-by: Martin Necas <[email protected]>
kubev2v · Nov 5, 2024 · f9ccd1b · f9ccd1b
1 parent 9de3139
commit f9ccd1b
Show file tree

Hide file tree

Showing 4 changed files with 140 additions and 3 deletions.
diff --git a/operator/roles/forkliftcontroller/templates/controller/deployment-controller.yml.j2 b/operator/roles/forkliftcontroller/templates/controller/deployment-controller.yml.j2
@@ -111,6 +111,14 @@ spec:
         - name: VSPHERE_OS_MAP
           value: {{ vsphere_osmap_configmap_name }}
 {% endif %}
+{% if vsphere_tls_ciphers is defined %}
+        - name: VSPHERE_TLS_CIPHERS
+          value: {{ vsphere_tls_ciphers }}
+{% endif %}
+{% if vsphere_tls_max_version is defined %}
+        - name: VSPHERE_TLS_MAX_VERSION
+          value: {{ vsphere_tls_max_version }}
+{% endif %}
 {% if virt_customize_configmap_name is defined %}
         - name: VIRT_CUSTOMIZE_MAP
           value: {{ virt_customize_configmap_name }}
@@ -190,6 +198,14 @@ spec:
         - name: LOG_LEVEL
           value: "{{ controller_log_level }}"
 {% endif %}
+{% if vsphere_tls_ciphers is defined %}
+        - name: VSPHERE_TLS_CIPHERS
+          value: {{ vsphere_tls_ciphers }}
+{% endif %}
+{% if vsphere_tls_max_version is defined %}
+        - name: VSPHERE_TLS_MAX_VERSION
+          value: {{ vsphere_tls_max_version }}
+{% endif %}
 {% if controller_profile_kind is defined and controller_profile_path is defined and controller_profile_duration is defined %}
         - name: PROFILE_KIND
           value: "{{ controller_profile_kind }}"

diff --git a/pkg/controller/plan/adapter/vsphere/client.go b/pkg/controller/plan/adapter/vsphere/client.go
@@ -2,9 +2,13 @@ package vsphere
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
+	"net/http"
 	liburl "net/url"
+	"os"
 	"strconv"
+	"strings"
 
 	"github.com/konveyor/forklift-controller/pkg/apis/forklift/v1beta1"
 	planapi "github.com/konveyor/forklift-controller/pkg/apis/forklift/v1beta1/plan"
@@ -28,8 +32,10 @@ import (
 )
 
 const (
-	snapshotName = "forklift-migration-precopy"
-	snapshotDesc = "Forklift Operator warm migration precopy"
+	snapshotName         = "forklift-migration-precopy"
+	snapshotDesc         = "Forklift Operator warm migration precopy"
+	VsphereTlsCiphers    = "VSPHERE_TLS_CIPHERS"
+	VsphereTlsMaxVersion = "VSPHERE_TLS_MAX_VERSION"
 )
 
 // vSphere VM Client
@@ -318,6 +324,58 @@ func (r *Client) getClient(vm *model.VM, hosts util.HostsFunc) (client *vim25.Cl
 	return
 }
 
+// CipherSuiteId copied and edited the CipherSuiteName from tls lib
+func CipherSuiteId(name string) uint16 {
+	for _, c := range tls.CipherSuites() {
+		if c.Name == name {
+			return c.ID
+		}
+	}
+	for _, c := range tls.InsecureCipherSuites() {
+		if c.Name == name {
+			return c.ID
+		}
+	}
+	return 0
+}
+
+func GetCipherSuitesIds(names []string) []uint16 {
+	var resp []uint16
+	for _, name := range names {
+		if id := CipherSuiteId(name); id != 0 {
+			resp = append(resp, id)
+		}
+	}
+	return resp
+}
+
+func VersionNumber(versionName string) uint16 {
+	switch versionName {
+	case "1.0":
+		return tls.VersionTLS10
+	case "1.1":
+		return tls.VersionTLS11
+	case "1.2":
+		return tls.VersionTLS12
+	case "1.3":
+		return tls.VersionTLS13
+	default:
+		return 0
+	}
+}
+
+func SetTLSClientConfig(c *tls.Config) {
+	if tlsCiphers := os.Getenv(VsphereTlsCiphers); tlsCiphers != "" {
+		tlsCiphersList := strings.Split(tlsCiphers, ",")
+		c.CipherSuites = GetCipherSuitesIds(tlsCiphersList)
+	}
+	if tlsMaxVersion := os.Getenv(VsphereTlsMaxVersion); tlsMaxVersion != "" {
+		if version := VersionNumber(tlsMaxVersion); version != 0 {
+			c.MaxVersion = version
+		}
+	}
+}
+
 func (r *Client) getHostClient(hostDef *v1beta1.Host, host *model.Host) (client *vim25.Client, err error) {
 	url, err := liburl.Parse("https://" + hostDef.Spec.IpAddress + "/sdk")
 	if err != nil {
@@ -338,9 +396,9 @@ func (r *Client) getHostClient(hostDef *v1beta1.Host, host *model.Host) (client
 		err = liberr.Wrap(err)
 		return
 	}
-
 	url.User = liburl.UserPassword(string(secret.Data["user"]), string(secret.Data["password"]))
 	soapClient := soap.NewClient(url, r.getInsecureSkipVerifyFlag())
+	SetTLSClientConfig(soapClient.Client.Transport.(*http.Transport).TLSClientConfig)
 	soapClient.SetThumbprint(url.Host, host.Thumbprint)
 	vimClient, err := vim25.NewClient(context.TODO(), soapClient)
 	if err != nil {
@@ -427,6 +485,7 @@ func (r *Client) connect() error {
 	}
 	url.User = liburl.UserPassword(r.user(), r.password())
 	soapClient := soap.NewClient(url, r.getInsecureSkipVerifyFlag())
+	SetTLSClientConfig(soapClient.Client.Transport.(*http.Transport).TLSClientConfig)
 	soapClient.SetThumbprint(url.Host, r.thumbprint())
 	vimClient, err := vim25.NewClient(context.TODO(), soapClient)
 	if err != nil {

diff --git a/pkg/controller/plan/adapter/vsphere/host.go b/pkg/controller/plan/adapter/vsphere/host.go
@@ -2,6 +2,7 @@ package vsphere
 
 import (
 	"context"
+	"net/http"
 	liburl "net/url"
 	"strconv"
 	"time"
@@ -74,6 +75,7 @@ func (r *EsxHost) connect(ctx context.Context) (err error) {
 		r.user(),
 		r.password())
 	soapClient := soap.NewClient(url, r.getInsecureSkipVerifyFlag())
+	SetTLSClientConfig(soapClient.Client.Transport.(*http.Transport).TLSClientConfig)
 	soapClient.SetThumbprint(url.Host, r.thumbprint())
 	vimClient, err := vim25.NewClient(ctx, soapClient)
 	if err != nil {

diff --git a/pkg/controller/provider/container/vsphere/collector.go b/pkg/controller/provider/container/vsphere/collector.go
@@ -2,8 +2,10 @@ package vsphere
 
 import (
 	"context"
+	"crypto/tls"
 	"net/http"
 	liburl "net/url"
+	"os"
 	"path"
 	"strconv"
 	"strings"
@@ -25,6 +27,11 @@ import (
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+const (
+	VsphereTlsCiphers    = "VSPHERE_TLS_CIPHERS"
+	VsphereTlsMaxVersion = "VSPHERE_TLS_MAX_VERSION"
+)
+
 // Settings
 const (
 	// Connect retry delay.
@@ -488,6 +495,58 @@ func (r *Collector) watch() (list []*libmodel.Watch) {
 	return
 }
 
+// CipherSuiteId copied and edited the CipherSuiteName from tls lib
+func CipherSuiteId(name string) uint16 {
+	for _, c := range tls.CipherSuites() {
+		if c.Name == name {
+			return c.ID
+		}
+	}
+	for _, c := range tls.InsecureCipherSuites() {
+		if c.Name == name {
+			return c.ID
+		}
+	}
+	return 0
+}
+
+func GetCipherSuitesIds(names []string) []uint16 {
+	var resp []uint16
+	for _, name := range names {
+		if id := CipherSuiteId(name); id != 0 {
+			resp = append(resp, id)
+		}
+	}
+	return resp
+}
+
+func VersionNumber(versionName string) uint16 {
+	switch versionName {
+	case "1.0":
+		return tls.VersionTLS10
+	case "1.1":
+		return tls.VersionTLS11
+	case "1.2":
+		return tls.VersionTLS12
+	case "1.3":
+		return tls.VersionTLS13
+	default:
+		return 0
+	}
+}
+
+func SetTLSClientConfig(c *tls.Config) {
+	if tlsCiphers := os.Getenv(VsphereTlsCiphers); tlsCiphers != "" {
+		tlsCiphersList := strings.Split(tlsCiphers, ",")
+		c.CipherSuites = GetCipherSuitesIds(tlsCiphersList)
+	}
+	if tlsMaxVersion := os.Getenv(VsphereTlsMaxVersion); tlsMaxVersion != "" {
+		if version := VersionNumber(tlsMaxVersion); version != 0 {
+			c.MaxVersion = version
+		}
+	}
+}
+
 // Build the client.
 func (r *Collector) connect(ctx context.Context) (status int, err error) {
 	r.close()
@@ -500,6 +559,7 @@ func (r *Collector) connect(ctx context.Context) (status int, err error) {
 		r.user(),
 		r.password())
 	soapClient := soap.NewClient(url, r.getInsecureSkipVerifyFlag())
+	SetTLSClientConfig(soapClient.Client.Transport.(*http.Transport).TLSClientConfig)
 	soapClient.SetThumbprint(url.Host, r.thumbprint())
 	vimClient, err := vim25.NewClient(ctx, soapClient)
 	if err != nil {