From 621f1c567db394a4614903261f44c421b1a097de Mon Sep 17 00:00:00 2001
From: Fernando Diaz
Date: Mon, 20 Apr 2026 11:48:42 +0200
Subject: [PATCH 1/5] Add insegure connection parameters
---
 plugins/module_utils/nbdkit/nbdkit.go | 5 +++--
 plugins/module_utils/openstack/openstack.go | 12 +++++++++++-
 plugins/module_utils/vmware/vmware.go | 18 ++++++++++++------
 plugins/modules/src/migrate/migrate.go | 12 +++++++-----
 roles/import_workloads/defaults/main.yml | 2 ++
 roles/import_workloads/tasks/nbdkit.yml | 5 +++--
 6 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/plugins/module_utils/nbdkit/nbdkit.go b/plugins/module_utils/nbdkit/nbdkit.go
index 24d9cbb8..4e90ae31 100644
--- a/plugins/module_utils/nbdkit/nbdkit.go
+++ b/plugins/module_utils/nbdkit/nbdkit.go
@@ -42,6 +42,7 @@ type NbdkitConfig struct {
 Compression string
 UUID string
 UseSocks bool
+ Insecure bool
 VddkConfig *vmware.VddkConfig
 }
@@ -102,7 +103,7 @@ func (c *NbdkitConfig) RunNbdKit(diskName string) (*NbdkitServer, error) {
 }
 func (c *NbdkitConfig) RunNbdKitURI(diskName string) (*NbdkitServer, error) {
- thumbprint, err := vmware.GetThumbprint(c.Server, "443")
+ thumbprint, err := vmware.GetThumbprint(c.Server, "443", c.Insecure)
 if err != nil {
 return nil, err
 }
@@ -152,7 +153,7 @@ func (c *NbdkitConfig) RunNbdKitURI(diskName string) (*NbdkitServer, error) {
 }
 func (c *NbdkitConfig) RunNbdKitSocks(diskName string) (*NbdkitServer, error) {
- thumbprint, err := vmware.GetThumbprint(c.Server, "443")
+ thumbprint, err := vmware.GetThumbprint(c.Server, "443", c.Insecure)
 if err != nil {
 return nil, err
 }
diff --git a/plugins/module_utils/openstack/openstack.go b/plugins/module_utils/openstack/openstack.go
index ca3aa9cb..477bc072 100644
--- a/plugins/module_utils/openstack/openstack.go
+++ b/plugins/module_utils/openstack/openstack.go
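Review bot: The new `Insecure` field of `NbdkitConfig` (plugins/module_utils/nbdkit/nbdkit.go, first hunk) has no comment, and its name does not say which connection it relaxes, while the module argument is called `vmware_insecure`. In the hunks shown, `RunNbdKitURI` and `RunNbdKitSocks` use it only to control how `vmware.GetThumbprint` fetches the certificate, so when it is set the returned thumbprint comes from an unverified handshake. I would state that on the field, e.g. `// Insecure skips TLS certificate verification when fetching the vCenter thumbprint; the thumbprint is then taken as presented.` Both function bodies continue outside their hunks.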
@@ -44,6 +44,7 @@ type DstCloud struct {
 RegionName string `json:"region_name"`
 Interface string `json:"interface"`
 IdentityAPIVersion int `json:"identity_api_version"`
+ OpenStackInsecure bool `json:"openstack_insecure"`
 }
 type Auth struct {
@@ -81,7 +82,12 @@ type CinderManageConfig struct {
 }
 func OpenstackAuth(ctx context.Context, moduleOpts DstCloud) (*gophercloud.ProviderClient, error) {
+ insecureSkipVerify := moduleOpts.OpenStackInsecure
 var opts gophercloud.AuthOptions
+ if insecureSkipVerify {
+ logger.Log.Warnf("TLS certificate verification is disabled for OpenStack client")
+ }
+
 authURL := os.Getenv("OS_AUTH_URL")
 if authURL != "" {
 var err error
@@ -100,7 +106,11 @@ func OpenstackAuth(ctx context.Context, moduleOpts DstCloud) (*gophercloud.Provi
 AllowReauth: true,
 }
 }
- provider, err := config.NewProviderClient(ctx, opts, config.WithTLSConfig(&tls.Config{InsecureSkipVerify: true}))
+ tlsConfig := &tls.Config{
+ InsecureSkipVerify: insecureSkipVerify,
+ MinVersion: tls.VersionTLS12,
+ }
+ provider, err := config.NewProviderClient(ctx, opts, config.WithTLSConfig(tlsConfig))
 if err != nil {
 return nil, err
 }
diff --git a/plugins/module_utils/vmware/vmware.go b/plugins/module_utils/vmware/vmware.go
index e8cdfaca..0776e28e 100644
--- a/plugins/module_utils/vmware/vmware.go
+++ b/plugins/module_utils/vmware/vmware.go
@@ -24,9 +24,7 @@ import (
 "errors"
 "fmt"
 "net/url"
- "os"
 "regexp"
- "strconv"
 "strings"
 "syscall"
 "time"
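Review bot: In `OpenstackAuth` (third openstack.go hunk) the new `tlsConfig` has only two states, the system trust store or no verification at all, because `RootCAs` is never set. A cloud whose endpoints are signed by a private CA will start failing now that the default is `false`, and the only remedy offered is `openstack_insecure: true`. Consider accepting a CA bundle path in `DstCloud` and loading it into `tlsConfig.RootCAs`, so operators can keep verification on. Because the old code always skipped verification, every caller of `OpenstackAuth` that does not pass `openstack_insecure` also changes behaviour, which is worth stating in the commit message. The function body continues outside the hunk.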
@@ -48,10 +46,13 @@ type VddkConfig struct {
 const maxChunkSize = 64 * 1024 * 1024
-func VMWareAuth(ctx context.Context, server string, user string, password string) (*govmomi.Client, error) {
+func VMWareAuth(ctx context.Context, server string, user string, password string, insecureSkipVerify bool) (*govmomi.Client, error) {
 u, _ := url.Parse("https://" + server + "/sdk")
 ProcessUrl(u, user, password)
- c, err := govmomi.NewClient(ctx, u, true)
+ if insecureSkipVerify {
+ logger.Log.Warnf("TLS certificate verification is disabled for VMware client")
+ }
+ c, err := govmomi.NewClient(ctx, u, insecureSkipVerify)
 if err != nil {
 logger.Log.Infof("Failed to authenticate to VMware client %v", err)
 return nil, err
@@ -88,9 +89,14 @@ func ProcessUrl(u *url.URL, user string, password string) {
 }
 }
-func GetThumbprint(host string, port string) (string, error) {
+func GetThumbprint(host string, port string, insecureSkipVerify bool) (string, error) {
+ if insecureSkipVerify {
+ logger.Log.Warnf("TLS certificate verification is disabled while retrieving VMware thumbprint")
+ }
+
 config := tls.Config{
- InsecureSkipVerify: true,
+ InsecureSkipVerify: insecureSkipVerify,
+ MinVersion: tls.VersionTLS12,
 }
 if port == "" {
 port = "443"
diff --git a/plugins/modules/src/migrate/migrate.go b/plugins/modules/src/migrate/migrate.go
index 282ac08d..8e156c50 100644
--- a/plugins/modules/src/migrate/migrate.go
+++ b/plugins/modules/src/migrate/migrate.go
@@ -123,8 +123,10 @@ type ModuleArgs struct {
 ExternalVolume bool
 VolumeName string
 HostPool string
- BootScript string
- ExtraOpts string
+ BootScript string
+ ExtraOpts string
+ VmwareInsecure bool `json:"vmware_insecure"`
+
 }
 func (c *MigrationConfig) VMMigration(parentCtx context.Context, runV2V bool) (string, error) {
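Review bot: With verification now on unless `vmware_insecure` is set, the most likely first failure in `VMWareAuth` is a certificate error, and the unchanged line `logger.Log.Infof("Failed to authenticate to VMware client %v", err)` will report it at info level as an authentication problem. I would log it as a connection failure at warning level, e.g. `logger.Log.Warnf("Failed to connect to VMware server %s: %v", server, err)`, so that operators are not steered towards re-checking credentials or setting the insecure flag without looking at the certificate. The error from `url.Parse` on the line above is still discarded. The function body continues outside the hunk.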
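Review bot: `GetThumbprint` now has two trust modes but no doc comment saying what the returned value is worth in each. When `insecureSkipVerify` is true the thumbprint is computed from whatever certificate the peer presented, and the callers in nbdkit.go then pass it on as the expected thumbprint, so it gives no assurance about who answered. Suggested comment: `// GetThumbprint returns the thumbprint of the certificate served at host:port. When insecureSkipVerify is true the certificate is not verified and the result must not be treated as a trusted pin.` The dial and hashing code is outside the hunk.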
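Review bot: The `ModuleArgs` hunk in migrate.go does not look gofmt-clean: an empty line is added before the closing `}`, and `BootScript` and `ExtraOpts` are removed and re-added with only their whitespace changed. `VmwareInsecure` is also the only field visible here that carries a `json` tag, so a short comment such as `// tag needed: the task passes vmware_insecure with an underscore` would help the next reader. Running gofmt over the file should settle the alignment and drop the blank line.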
@@ -435,8 +437,8 @@ func main() {
 socks := moduleArgs.UseSocks
 instanceUUid := moduleArgs.InstanceUUID
 debug := moduleArgs.Debug
+ vmwareInsecure := moduleArgs.VmwareInsecure
 localDisk := moduleArgs.LocalDiskPath
- // Cinder manage options
 externalVolume := moduleArgs.ExternalVolume
 volumeName := moduleArgs.VolumeName
 hostPool := moduleArgs.HostPool
@@ -452,7 +454,7 @@ func main() {
 logger.InitLogger(LogFile)
 ctx, cancel := context.WithCancel(context.Background())
 defer cancel()
- c, err := vmware.VMWareAuth(ctx, server, user, password)
+ c, err := vmware.VMWareAuth(ctx, server, user, password, vmwareInsecure)
 if err != nil {
 logger.Log.Infof("Failed to initiate Vmware client: %v", err)
 response.Msg = "Failed to initiate Vmware client: " + err.Error()
@@ -525,6 +527,7 @@ func main() {
 Compression: compression,
 UUID: r,
 UseSocks: socks,
+ Insecure: vmwareInsecure,
 VddkConfig: &vmware.VddkConfig{
 VirtualMachine: vm,
 SnapshotReference: types.ManagedObjectReference{},
@@ -551,7 +554,6 @@ func main() {
 CloudOpts: moduleArgs.DstCloud,
 VolumeType: volType,
 VolumeAz: volAz,
- AssumeZero: assumeZero,
 }
 volUUID, err := VMMigration.VMMigration(ctx, runV2V)
 if err != nil {
diff --git a/roles/import_workloads/defaults/main.yml b/roles/import_workloads/defaults/main.yml
index 8c449091..46425986 100644
--- a/roles/import_workloads/defaults/main.yml
+++ b/roles/import_workloads/defaults/main.yml
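Review bot: Two removals in `main()` are unrelated to the insecure flags: the `// Cinder manage options` comment in the hunk at -435 and, more importantly, `AssumeZero: assumeZero,` in the hunk at -551. After this the config literal used for `VMMigration` no longer receives the module's `AssumeZero` value, and patch 3/5 then deletes the now-unused `assumeZero` local, so the option appears to be silently dropped. If that is not intended, restore `AssumeZero: assumeZero,`; if it is, it belongs in its own commit with the reason stated. `main()` starts and ends outside these hunks.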
@@ -12,6 +12,8 @@ import_workloads_skip_conversion: "{{ skip_conversion | default(false) | bool }}
 import_workloads_os_migrate_virt_v2v: "{{ os_migrate_virt_v2v | default(false) | bool }}"
 import_workloads_os_migrate_nbdkit: "{{ os_migrate_nbdkit | default(true) | bool }}"
 import_workloads_debug: "{{ debug | default(false) | bool }}"
+import_workloads_vmware_insecure: "{{ vmware_insecure | default(false) | bool }}"
+import_workloads_openstack_insecure: "{{ openstack_insecure | default(false) | bool }}"
 import_workloads_local_disk_path: "{{ local_disk_path | default(omit) }}"
 import_workloads_libdir: "{{ libdir | default('/usr/lib/vmware-vix-disklib') }}"
 import_workloads_extra_opts: "{{ extra_opts | default(omit) }}"
diff --git a/roles/import_workloads/tasks/nbdkit.yml b/roles/import_workloads/tasks/nbdkit.yml
index 0853e03a..05ed19c2 100644
--- a/roles/import_workloads/tasks/nbdkit.yml
+++ b/roles/import_workloads/tasks/nbdkit.yml
@@ -60,7 +60,7 @@
 - name: Migrate Guest from Vmware using nbdkit {{ vm_name }}
 os_migrate.vmware_migration_kit.migrate:
- dst_cloud: "{{ dst_cloud }}"
+ dst_cloud: "{{ dst_cloud | combine({'openstack_insecure': import_workloads_openstack_insecure | bool}, recursive=True) }}"
 user: "{{ vcenter_username }}"
 password: "{{ vcenter_password }}"
 server: "{{ vcenter_hostname }}"
@@ -79,6 +79,7 @@
 skipconversion: "{{ import_workloads_skip_conversion | bool }}"
 instanceuuid: "{{ import_workloads_instance_uuid }}"
 debug: "{{ import_workloads_debug | bool }}"
+ vmware_insecure: "{{ import_workloads_vmware_insecure | bool }}"
 localdiskpath: "{{ import_workloads_local_disk_path | default(omit) }}"
 libdir: "{{ import_workloads_libdir | default(omit) }}"
 volume_type_mapping: "{{ import_workloads_volume_type_mapping | default([]) }}"
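Review bot: The `dst_cloud | combine({'openstack_insecure': ...}, recursive=True)` expression is written out at every call site: the nbdkit.yml hunk at -60, the later nbdkit.yml hunk at -115, and both YAML files in patch 4/5, where it reads `openstack_insecure` directly instead of the role default. Any task that still passes plain `dst_cloud` gets verification on with no way to opt out, so a missed call site will behave differently from its neighbours. Building the merged mapping once, for example with a `set_fact`, and passing that everywhere would keep them in step. `recursive=True` is not needed for a single top-level key, and the filter assumes `dst_cloud` is always a mapping.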
@@ -115,7 +116,7 @@
 - name: Get volume metadata info
 register: volume_info_metadata
 os_migrate.vmware_migration_kit.volume_metadata_info:
- dst_cloud: "{{ dst_cloud }}"
+ dst_cloud: "{{ dst_cloud | combine({'openstack_insecure': import_workloads_openstack_insecure | bool}, recursive=True) }}"
 volume_id: "{{ uuid }}"
 loop: "{{ volume_uuid }}"
 loop_control:
From 87b7c5089155386d7c08c6f6c94431bb93aae987 Mon Sep 17 00:00:00 2001
From: Fernando Diaz
Date: Mon, 20 Apr 2026 13:06:28 +0200
Subject: [PATCH 2/5] missing imports
---
 plugins/module_utils/vmware/vmware.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/plugins/module_utils/vmware/vmware.go b/plugins/module_utils/vmware/vmware.go
index 0776e28e..17b271a7 100644
--- a/plugins/module_utils/vmware/vmware.go
+++ b/plugins/module_utils/vmware/vmware.go
@@ -24,7 +24,9 @@ import (
 "errors"
 "fmt"
 "net/url"
+ "os"
 "regexp"
+ "strconv"
 "strings"
 "syscall"
 "time"
From 1212aab41782bf48c8f7fd9cc034b99e83dec38e Mon Sep 17 00:00:00 2001
From: Fernando Diaz
Date: Mon, 20 Apr 2026 13:26:41 +0200
Subject: [PATCH 3/5] Remove unused variable
---
 plugins/modules/src/migrate/migrate.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/plugins/modules/src/migrate/migrate.go b/plugins/modules/src/migrate/migrate.go
index 8e156c50..ff88990e 100644
--- a/plugins/modules/src/migrate/migrate.go
+++ b/plugins/modules/src/migrate/migrate.go
@@ -430,7 +430,6 @@ func main() {
 extraOpts := ansible.DefaultIfEmpty(moduleArgs.ExtraOpts, "")
 volAz := ansible.DefaultIfEmpty(moduleArgs.VolumeAz, "")
 volType := ansible.DefaultIfEmpty(moduleArgs.VolumeType, "")
- assumeZero := moduleArgs.AssumeZero
 cbtsync := moduleArgs.CBTSync
 cutover := moduleArgs.CutOver
 skipV2V := moduleArgs.SkipConversion
From 7791f35a368803beb6b124151077e9dfdce6b0fd Mon Sep 17 00:00:00 2001
From: Fernando Diaz
Date: Mon, 20 Apr 2026 13:54:42 +0200
Subject: [PATCH 4/5] propagate openstack_insecure parameter
---
 playbooks/convert_metadata.yml | 2 +-
 plugins/module_utils/openstack/openstack.go | 2 +-
 roles/convert_metadata/tasks/main.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/playbooks/convert_metadata.yml b/playbooks/convert_metadata.yml
index a102bf87..bc2c5fee 100644
--- a/playbooks/convert_metadata.yml
+++ b/playbooks/convert_metadata.yml
@@ -19,7 +19,7 @@
 - name: Import flavors from YAML
 os_migrate.vmware_migration_kit.import_flavor:
- cloud: "{{ dst_cloud }}"
+ cloud: "{{ dst_cloud | combine({'openstack_insecure': openstack_insecure | default(false) | bool}, recursive=True) }}"
 flavors_file: "{{ os_migrate_vmw_data_dir }}/{{ vm_name }}/flavors.yml"
 register: imported_flavors
 loop: "{{ vms }}"
diff --git a/plugins/module_utils/openstack/openstack.go b/plugins/module_utils/openstack/openstack.go
index 477bc072..253ec8d9 100644
--- a/plugins/module_utils/openstack/openstack.go
+++ b/plugins/module_utils/openstack/openstack.go
@@ -89,7 +89,7 @@ func OpenstackAuth(ctx context.Context, moduleOpts DstCloud) (*gophercloud.Provi
 }
 authURL := os.Getenv("OS_AUTH_URL")
- if authURL != "" {
+ if authURL != "" && moduleOpts.AuthURL == "" {
 var err error
 opts, err = openstack.AuthOptionsFromEnv()
 if err != nil {
diff --git a/roles/convert_metadata/tasks/main.yml b/roles/convert_metadata/tasks/main.yml
index c2b1dc16..0d38e01e 100644
--- a/roles/convert_metadata/tasks/main.yml
+++ b/roles/convert_metadata/tasks/main.yml
@@ -6,7 +6,7 @@
 - name: Get best matches for flavors
 os_migrate.vmware_migration_kit.best_match_flavor:
- cloud: "{{ dst_cloud }}"
+ cloud: "{{ dst_cloud | combine({'openstack_insecure': openstack_insecure | default(false) | bool}, recursive=True) }}"
 guest_info_path: "{{ convert_metadata_guest_info_path }}"
 disk_info_path: "{{ convert_metadata_disk_info_path }}"
 register: flavor_name
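Review bot: The new condition `authURL != "" && moduleOpts.AuthURL == ""` in `OpenstackAuth` changes which credentials win when both `OS_AUTH_URL` and module options are present, which the subject "propagate openstack_insecure parameter" does not mention. Before, a set `OS_AUTH_URL` always selected `openstack.AuthOptionsFromEnv()`; now module-supplied auth takes precedence. The `DstCloud` fields visible in patch 1/5 do not include `AuthURL` (there is a separate `Auth` struct), so please confirm the selector compiles and points at the intended field. A comment above the `if`, such as `// Environment credentials are used only when the module supplies no auth URL.`, would record the precedence. The function body continues outside the hunk.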
From f23b335a5fa99a59e553c303287195bf7c451deb Mon Sep 17 00:00:00 2001
From: Fernando Diaz
Date: Wed, 29 Apr 2026 13:33:34 +0200
Subject: [PATCH 5/5] Change the param name to vmware
---
 plugins/modules/migrate.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/plugins/modules/migrate.py b/plugins/modules/migrate.py
index 4d1b54fc..fcb45b7e 100644
--- a/plugins/modules/migrate.py
+++ b/plugins/modules/migrate.py
@@ -130,8 +130,8 @@
 type: bool
 default: false
 required: false
- vsphere_insecure: # Common optional parameter for vSphere connections
- description: If C(true), SSL certificate verification for the vSphere C(server) will be skipped.
+ vmware_insecure: # SSL verification for VMware connections
+ description: If C(true), SSL certificate verification for the VMware C(server) will be skipped.
 type: bool
 default: false
 required: false
@@ -169,7 +169,7 @@
 # convhostname: "{{ specific_conversion_host | default(omit) }}"
 compression: "zstd"
 debug_mode: true
- vsphere_insecure: true
+ vmware_insecure: true
 wait: true
 timeout: 7200
 register: migrate_vm_output
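Review bot: The sample task in the second migrate.py hunk still sets `vmware_insecure: true`, so playbooks copied from it will skip certificate verification even though the documented default is `false`. I would drop the line from the example, or show `vmware_insecure: false` with a comment that `true` is only for lab vCenters with self-signed certificates. As far as these hunks show, the `openstack_insecure` key that patch 1/5 adds to `dst_cloud` is not documented here.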