diff --git a/playbooks/convert_metadata.yml b/playbooks/convert_metadata.yml index a102bf87..bc2c5fee 100644 --- a/playbooks/convert_metadata.yml +++ b/playbooks/convert_metadata.yml @@ -19,7 +19,7 @@ - name: Import flavors from YAML os_migrate.vmware_migration_kit.import_flavor: - cloud: "{{ dst_cloud }}" + cloud: "{{ dst_cloud | combine({'openstack_insecure': openstack_insecure | default(false) | bool}, recursive=True) }}" flavors_file: "{{ os_migrate_vmw_data_dir }}/{{ vm_name }}/flavors.yml" register: imported_flavors loop: "{{ vms }}" diff --git a/plugins/module_utils/nbdkit/nbdkit.go b/plugins/module_utils/nbdkit/nbdkit.go index 24d9cbb8..4e90ae31 100644 --- a/plugins/module_utils/nbdkit/nbdkit.go +++ b/plugins/module_utils/nbdkit/nbdkit.go @@ -42,6 +42,7 @@ type NbdkitConfig struct { Compression string UUID string UseSocks bool + Insecure bool VddkConfig *vmware.VddkConfig } @@ -102,7 +103,7 @@ func (c *NbdkitConfig) RunNbdKit(diskName string) (*NbdkitServer, error) { } func (c *NbdkitConfig) RunNbdKitURI(diskName string) (*NbdkitServer, error) { - thumbprint, err := vmware.GetThumbprint(c.Server, "443") + thumbprint, err := vmware.GetThumbprint(c.Server, "443", c.Insecure) if err != nil { return nil, err } @@ -152,7 +153,7 @@ func (c *NbdkitConfig) RunNbdKitURI(diskName string) (*NbdkitServer, error) { } func (c *NbdkitConfig) RunNbdKitSocks(diskName string) (*NbdkitServer, error) { - thumbprint, err := vmware.GetThumbprint(c.Server, "443") + thumbprint, err := vmware.GetThumbprint(c.Server, "443", c.Insecure) if err != nil { return nil, err } diff --git a/plugins/module_utils/openstack/openstack.go b/plugins/module_utils/openstack/openstack.go index ca3aa9cb..253ec8d9 100644 --- a/plugins/module_utils/openstack/openstack.go +++ b/plugins/module_utils/openstack/openstack.go 
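Review bot: The `combine` on the `cloud:` argument of "Import flavors from YAML" always lets the right-hand dict win, so an `openstack_insecure` key already present inside `dst_cloud` is silently replaced by the top-level variable, or by its `default(false)`. That is the safer direction, but the precedence should be written down next to the task, for example `# top-level openstack_insecure overrides dst_cloud.openstack_insecure; TLS is verified unless it is true`. The filter also assumes `dst_cloud` is a mapping, which is not visible in this hunk. The same expression is repeated in roles/convert_metadata/tasks/main.yml and twice in roles/import_workloads/tasks/nbdkit.yml, so the comment applies there too.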
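Review bot: In RunNbdKitURI the thumbprint is now fetched with `c.Insecure`, and when that flag is true the value returned is the fingerprint of whatever certificate the peer presented on an unverified connection. If it is then used as the pinned value for the disk transfer (presumably further down, outside the hunk), the pin gives no assurance about which server answered. For vCenter hosts with self-signed certificates, a stronger option is to let the operator supply the expected thumbprint and compare it with the result of `vmware.GetThumbprint` before continuing. At minimum the new struct field should carry a comment such as `// Insecure skips certificate verification when fetching the vCenter thumbprint`. RunNbdKitSocks makes the same call, and both function bodies continue outside their hunks.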
@@ -44,6 +44,7 @@ type DstCloud struct { RegionName string `json:"region_name"` Interface string `json:"interface"` IdentityAPIVersion int `json:"identity_api_version"` + OpenStackInsecure bool `json:"openstack_insecure"` } type Auth struct { @@ -81,9 +82,14 @@ type CinderManageConfig struct { } func OpenstackAuth(ctx context.Context, moduleOpts DstCloud) (*gophercloud.ProviderClient, error) { + insecureSkipVerify := moduleOpts.OpenStackInsecure var opts gophercloud.AuthOptions + if insecureSkipVerify { + logger.Log.Warnf("TLS certificate verification is disabled for OpenStack client") + } + authURL := os.Getenv("OS_AUTH_URL") - if authURL != "" { + if authURL != "" && moduleOpts.AuthURL == "" { var err error opts, err = openstack.AuthOptionsFromEnv() if err != nil { @@ -100,7 +106,11 @@ func OpenstackAuth(ctx context.Context, moduleOpts DstCloud) (*gophercloud.Provi AllowReauth: true, } } - provider, err := config.NewProviderClient(ctx, opts, config.WithTLSConfig(&tls.Config{InsecureSkipVerify: true})) + tlsConfig := &tls.Config{ + InsecureSkipVerify: insecureSkipVerify, + MinVersion: tls.VersionTLS12, + } + provider, err := config.NewProviderClient(ctx, opts, config.WithTLSConfig(tlsConfig)) if err != nil { return nil, err } diff --git a/plugins/module_utils/vmware/vmware.go b/plugins/module_utils/vmware/vmware.go index e8cdfaca..17b271a7 100644 --- a/plugins/module_utils/vmware/vmware.go +++ b/plugins/module_utils/vmware/vmware.go 
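Review bot: OpenstackAuth now verifies certificates by default, but the new `tls.Config` sets no `RootCAs`, so only the system trust store of the host running the module is consulted. An OpenStack endpoint signed by a private CA can then be reached only by setting `openstack_insecure`, which pushes operators back to disabling verification. I would add a CA bundle option to `DstCloud` and load it into the config, as sketched below; GetThumbprint in vmware.go builds its `tls.Config` the same way. Separately, the added `&& moduleOpts.AuthURL == ""` changes which credentials win when `OS_AUTH_URL` is set, which is not a TLS change and deserves a comment or its own line in the commit message. The function body continues outside the hunk.

```go
// … unchanged: auth option selection and tlsConfig construction …
// CACert is a proposed new DstCloud field (e.g. `json:"cacert"`), not part of this commit.
if moduleOpts.CACert != "" {
	pem, err := os.ReadFile(moduleOpts.CACert)
	if err != nil {
		return nil, fmt.Errorf("reading CA bundle %q: %w", moduleOpts.CACert, err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pem) {
		return nil, fmt.Errorf("no certificates found in %q", moduleOpts.CACert)
	}
	tlsConfig.RootCAs = pool
}
provider, err := config.NewProviderClient(ctx, opts, config.WithTLSConfig(tlsConfig))
```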
@@ -48,10 +48,13 @@ type VddkConfig struct { const maxChunkSize = 64 * 1024 * 1024 -func VMWareAuth(ctx context.Context, server string, user string, password string) (*govmomi.Client, error) { +func VMWareAuth(ctx context.Context, server string, user string, password string, insecureSkipVerify bool) (*govmomi.Client, error) { u, _ := url.Parse("https://" + server + "/sdk") ProcessUrl(u, user, password) - c, err := govmomi.NewClient(ctx, u, true) + if insecureSkipVerify { + logger.Log.Warnf("TLS certificate verification is disabled for VMware client") + } + c, err := govmomi.NewClient(ctx, u, insecureSkipVerify) if err != nil { logger.Log.Infof("Failed to authenticate to VMware client %v", err) return nil, err @@ -88,9 +91,14 @@ func ProcessUrl(u *url.URL, user string, password string) { } } -func GetThumbprint(host string, port string) (string, error) { +func GetThumbprint(host string, port string, insecureSkipVerify bool) (string, error) { + if insecureSkipVerify { + logger.Log.Warnf("TLS certificate verification is disabled while retrieving VMware thumbprint") + } + config := tls.Config{ - InsecureSkipVerify: true, + InsecureSkipVerify: insecureSkipVerify, + MinVersion: tls.VersionTLS12, } if port == "" { port = "443" diff --git a/plugins/modules/migrate.py b/plugins/modules/migrate.py index 4d1b54fc..fcb45b7e 100644 --- a/plugins/modules/migrate.py +++ b/plugins/modules/migrate.py @@ -130,8 +130,8 @@ type: bool default: false required: false - vsphere_insecure: # Common optional parameter for vSphere connections - description: If C(true), SSL certificate verification for the vSphere C(server) will be skipped. + vmware_insecure: # SSL verification for VMware connections + description: If C(true), SSL certificate verification for the VMware C(server) will be skipped. type: bool default: false required: false 
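Review bot: With verification now on by default, the most likely error from `govmomi.NewClient` in VMWareAuth becomes a certificate failure, yet the branch below still logs it at info level as "Failed to authenticate to VMware client". That wording points operators at credentials rather than TLS. I would report it as a connection failure at a higher level, e.g. `logger.Log.Warnf("Failed to connect to VMware server %s: %v", server, err)`, so the x509 cause stands out. The exported function also has no doc comment; `// VMWareAuth logs in to the vSphere SDK endpoint on server; insecureSkipVerify disables certificate chain and host name checks.` would cover the new parameter. The function continues outside the hunk.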
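Review bot: Renaming the documented option to `vmware_insecure` drops `vsphere_insecure` without leaving an alias, so a playbook that still passes the old key gets the new default of false. Judging by the vmware.go hunks, verification was previously always skipped, so those playbooks will start failing against a vCenter with a self-signed certificate. If the old name was ever released, keep it documented as a deprecated alias, or extend the description with `Replaces C(vsphere_insecure).` so the failure is easy to trace. How the Go binary treats unknown keys is not visible in this hunk.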
@@ -169,7 +169,7 @@ # convhostname: "{{ specific_conversion_host | default(omit) }}" compression: "zstd" debug_mode: true - vsphere_insecure: true + vmware_insecure: true wait: true timeout: 7200 register: migrate_vm_output diff --git a/plugins/modules/src/migrate/migrate.go b/plugins/modules/src/migrate/migrate.go index 282ac08d..ff88990e 100644 --- a/plugins/modules/src/migrate/migrate.go +++ b/plugins/modules/src/migrate/migrate.go @@ -123,8 +123,10 @@ type ModuleArgs struct { ExternalVolume bool VolumeName string HostPool string - BootScript string - ExtraOpts string + BootScript string + ExtraOpts string + VmwareInsecure bool `json:"vmware_insecure"` + } func (c *MigrationConfig) VMMigration(parentCtx context.Context, runV2V bool) (string, error) { @@ -428,15 +430,14 @@ func main() { extraOpts := ansible.DefaultIfEmpty(moduleArgs.ExtraOpts, "") volAz := ansible.DefaultIfEmpty(moduleArgs.VolumeAz, "") volType := ansible.DefaultIfEmpty(moduleArgs.VolumeType, "") - assumeZero := moduleArgs.AssumeZero cbtsync := moduleArgs.CBTSync cutover := moduleArgs.CutOver skipV2V := moduleArgs.SkipConversion socks := moduleArgs.UseSocks instanceUUid := moduleArgs.InstanceUUID debug := moduleArgs.Debug + vmwareInsecure := moduleArgs.VmwareInsecure localDisk := moduleArgs.LocalDiskPath - // Cinder manage options externalVolume := moduleArgs.ExternalVolume volumeName := moduleArgs.VolumeName hostPool := moduleArgs.HostPool @@ -452,7 +453,7 @@ func main() { logger.InitLogger(LogFile) ctx, cancel := context.WithCancel(context.Background()) defer cancel() - c, err := vmware.VMWareAuth(ctx, server, user, password) + c, err := vmware.VMWareAuth(ctx, server, user, password, vmwareInsecure) if err != nil { logger.Log.Infof("Failed to initiate Vmware client: %v", err) response.Msg = "Failed to initiate Vmware client: " + err.Error() 
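Review bot: The example task still sets `vmware_insecure: true`, and this commit is what makes the flag actually control verification, so readers who copy the example will turn off certificate checks against vCenter. I would show the secure default instead, `vmware_insecure: false`. Alternatively, drop the line and leave a comment such as `# vmware_insecure: true  # lab use only, skips vCenter certificate verification`.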
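Review bot: This hunk of main() removes `assumeZero := moduleArgs.AssumeZero`, and the later hunk at -551 removes `AssumeZero: assumeZero` from the config literal; neither has anything to do with the TLS flag, and together they look like a rebase leftover. If the `AssumeZero` field still exists on the config struct, it will now always be false regardless of the module argument. Either restore both lines or remove the option and its documentation in a separate commit. The `// Cinder manage options` comment is dropped in the same hunk and should probably stay. main() starts and ends outside the hunk.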
@@ -525,6 +526,7 @@ func main() { Compression: compression, UUID: r, UseSocks: socks, + Insecure: vmwareInsecure, VddkConfig: &vmware.VddkConfig{ VirtualMachine: vm, SnapshotReference: types.ManagedObjectReference{}, @@ -551,7 +553,6 @@ func main() { CloudOpts: moduleArgs.DstCloud, VolumeType: volType, VolumeAz: volAz, - AssumeZero: assumeZero, } volUUID, err := VMMigration.VMMigration(ctx, runV2V) if err != nil { diff --git a/roles/convert_metadata/tasks/main.yml b/roles/convert_metadata/tasks/main.yml index c2b1dc16..0d38e01e 100644 --- a/roles/convert_metadata/tasks/main.yml +++ b/roles/convert_metadata/tasks/main.yml @@ -6,7 +6,7 @@ - name: Get best matches for flavors os_migrate.vmware_migration_kit.best_match_flavor: - cloud: "{{ dst_cloud }}" + cloud: "{{ dst_cloud | combine({'openstack_insecure': openstack_insecure | default(false) | bool}, recursive=True) }}" guest_info_path: "{{ convert_metadata_guest_info_path }}" disk_info_path: "{{ convert_metadata_disk_info_path }}" register: flavor_name diff --git a/roles/import_workloads/defaults/main.yml b/roles/import_workloads/defaults/main.yml index 8c449091..46425986 100644 --- a/roles/import_workloads/defaults/main.yml +++ b/roles/import_workloads/defaults/main.yml @@ -12,6 +12,8 @@ import_workloads_skip_conversion: "{{ skip_conversion | default(false) | bool }} import_workloads_os_migrate_virt_v2v: "{{ os_migrate_virt_v2v | default(false) | bool }}" import_workloads_os_migrate_nbdkit: "{{ os_migrate_nbdkit | default(true) | bool }}" import_workloads_debug: "{{ debug | default(false) | bool }}" +import_workloads_vmware_insecure: "{{ vmware_insecure | default(false) | bool }}" +import_workloads_openstack_insecure: "{{ openstack_insecure | default(false) | bool }}" import_workloads_local_disk_path: "{{ local_disk_path | default(omit) }}" import_workloads_libdir: "{{ libdir | default('/usr/lib/vmware-vix-disklib') }}" import_workloads_extra_opts: "{{ extra_opts | default(omit) }}" 
diff --git a/roles/import_workloads/tasks/nbdkit.yml b/roles/import_workloads/tasks/nbdkit.yml index 0853e03a..05ed19c2 100644 --- a/roles/import_workloads/tasks/nbdkit.yml +++ b/roles/import_workloads/tasks/nbdkit.yml @@ -60,7 +60,7 @@ - name: Migrate Guest from Vmware using nbdkit {{ vm_name }} os_migrate.vmware_migration_kit.migrate: - dst_cloud: "{{ dst_cloud }}" + dst_cloud: "{{ dst_cloud | combine({'openstack_insecure': import_workloads_openstack_insecure | bool}, recursive=True) }}" user: "{{ vcenter_username }}" password: "{{ vcenter_password }}" server: "{{ vcenter_hostname }}" @@ -79,6 +79,7 @@ skipconversion: "{{ import_workloads_skip_conversion | bool }}" instanceuuid: "{{ import_workloads_instance_uuid }}" debug: "{{ import_workloads_debug | bool }}" + vmware_insecure: "{{ import_workloads_vmware_insecure | bool }}" localdiskpath: "{{ import_workloads_local_disk_path | default(omit) }}" libdir: "{{ import_workloads_libdir | default(omit) }}" volume_type_mapping: "{{ import_workloads_volume_type_mapping | default([]) }}" @@ -115,7 +116,7 @@ - name: Get volume metadata info register: volume_info_metadata os_migrate.vmware_migration_kit.volume_metadata_info: - dst_cloud: "{{ dst_cloud }}" + dst_cloud: "{{ dst_cloud | combine({'openstack_insecure': import_workloads_openstack_insecure | bool}, recursive=True) }}" volume_id: "{{ uuid }}" loop: "{{ volume_uuid }}" loop_control: