Skip to content

Make source/destination cloud insecure connection configurable #240

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
matbu merged 6 commits into from
May 4, 2026
Merged

Make source/destination cloud insecure connection configurable #240

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
621f1c5
Add insegure connection parameters
fdiazbra Apr 20, 2026
87b7c50
missing imports
fdiazbra Apr 20, 2026
1212aab
Remove unused variable
fdiazbra Apr 20, 2026
7791f35
propagate openstack_insecure parameter
fdiazbra Apr 20, 2026
f23b335
Change the param name to vmware
fdiazbra Apr 29, 2026
47f1ebb
Merge branch 'main' into insecure-verify
fdiazbra Apr 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion playbooks/convert_metadata.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@

- name: Import flavors from YAML
os_migrate.vmware_migration_kit.import_flavor:
cloud: "{{ dst_cloud }}"
cloud: "{{ dst_cloud | combine({'openstack_insecure': openstack_insecure | default(false) | bool}, recursive=True) }}"
flavors_file: "{{ os_migrate_vmw_data_dir }}/{{ vm_name }}/flavors.yml"
register: imported_flavors
loop: "{{ vms }}"
Expand Down
5 changes: 3 additions & 2 deletions plugins/module_utils/nbdkit/nbdkit.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@ type NbdkitConfig struct {
Compression string
UUID string
UseSocks bool
Insecure bool
VddkConfig *vmware.VddkConfig
}

Expand Down Expand Up @@ -102,7 +103,7 @@ func (c *NbdkitConfig) RunNbdKit(diskName string) (*NbdkitServer, error) {
}

func (c *NbdkitConfig) RunNbdKitURI(diskName string) (*NbdkitServer, error) {
thumbprint, err := vmware.GetThumbprint(c.Server, "443")
thumbprint, err := vmware.GetThumbprint(c.Server, "443", c.Insecure)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -152,7 +153,7 @@ func (c *NbdkitConfig) RunNbdKitURI(diskName string) (*NbdkitServer, error) {
}

func (c *NbdkitConfig) RunNbdKitSocks(diskName string) (*NbdkitServer, error) {
thumbprint, err := vmware.GetThumbprint(c.Server, "443")
thumbprint, err := vmware.GetThumbprint(c.Server, "443", c.Insecure)
if err != nil {
return nil, err
}
Expand Down
14 changes: 12 additions & 2 deletions plugins/module_utils/openstack/openstack.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ type DstCloud struct {
RegionName string `json:"region_name"`
Interface string `json:"interface"`
IdentityAPIVersion int `json:"identity_api_version"`
OpenStackInsecure bool `json:"openstack_insecure"`
}

type Auth struct {
Expand Down Expand Up @@ -81,9 +82,14 @@ type CinderManageConfig struct {
}

func OpenstackAuth(ctx context.Context, moduleOpts DstCloud) (*gophercloud.ProviderClient, error) {
insecureSkipVerify := moduleOpts.OpenStackInsecure
var opts gophercloud.AuthOptions
if insecureSkipVerify {
logger.Log.Warnf("TLS certificate verification is disabled for OpenStack client")
}

authURL := os.Getenv("OS_AUTH_URL")
if authURL != "" {
if authURL != "" && moduleOpts.AuthURL == "" {
var err error
opts, err = openstack.AuthOptionsFromEnv()
if err != nil {
Expand All @@ -100,7 +106,11 @@ func OpenstackAuth(ctx context.Context, moduleOpts DstCloud) (*gophercloud.Provi
AllowReauth: true,
}
}
provider, err := config.NewProviderClient(ctx, opts, config.WithTLSConfig(&tls.Config{InsecureSkipVerify: true}))
tlsConfig := &tls.Config{
InsecureSkipVerify: insecureSkipVerify,
MinVersion: tls.VersionTLS12,
}
provider, err := config.NewProviderClient(ctx, opts, config.WithTLSConfig(tlsConfig))
if err != nil {
return nil, err
}
Expand Down
16 changes: 12 additions & 4 deletions plugins/module_utils/vmware/vmware.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,10 +48,13 @@ type VddkConfig struct {

const maxChunkSize = 64 * 1024 * 1024

func VMWareAuth(ctx context.Context, server string, user string, password string) (*govmomi.Client, error) {
func VMWareAuth(ctx context.Context, server string, user string, password string, insecureSkipVerify bool) (*govmomi.Client, error) {
u, _ := url.Parse("https://" + server + "/sdk")
ProcessUrl(u, user, password)
c, err := govmomi.NewClient(ctx, u, true)
if insecureSkipVerify {
logger.Log.Warnf("TLS certificate verification is disabled for VMware client")
}
c, err := govmomi.NewClient(ctx, u, insecureSkipVerify)
if err != nil {
logger.Log.Infof("Failed to authenticate to VMware client %v", err)
return nil, err
Expand Down Expand Up @@ -88,9 +91,14 @@ func ProcessUrl(u *url.URL, user string, password string) {
}
}

func GetThumbprint(host string, port string) (string, error) {
func GetThumbprint(host string, port string, insecureSkipVerify bool) (string, error) {
if insecureSkipVerify {
logger.Log.Warnf("TLS certificate verification is disabled while retrieving VMware thumbprint")
}

config := tls.Config{
InsecureSkipVerify: true,
InsecureSkipVerify: insecureSkipVerify,
MinVersion: tls.VersionTLS12,
}
if port == "" {
port = "443"
Expand Down
6 changes: 3 additions & 3 deletions plugins/modules/migrate.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -130,8 +130,8 @@
type: bool
default: false
required: false
vsphere_insecure: # Common optional parameter for vSphere connections
description: If C(true), SSL certificate verification for the vSphere C(server) will be skipped.
vmware_insecure: # SSL verification for VMware connections
description: If C(true), SSL certificate verification for the VMware C(server) will be skipped.
type: bool
default: false
required: false
Expand Down Expand Up @@ -169,7 +169,7 @@
# convhostname: "{{ specific_conversion_host | default(omit) }}"
compression: "zstd"
debug_mode: true
vsphere_insecure: true
vmware_insecure: true
wait: true
timeout: 7200
register: migrate_vm_output
Expand Down
13 changes: 7 additions & 6 deletions plugins/modules/src/migrate/migrate.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,8 +123,10 @@ type ModuleArgs struct {
ExternalVolume bool
VolumeName string
HostPool string
BootScript string
ExtraOpts string
BootScript string
ExtraOpts string
VmwareInsecure bool `json:"vmware_insecure"`

}

func (c *MigrationConfig) VMMigration(parentCtx context.Context, runV2V bool) (string, error) {
Expand Down Expand Up @@ -428,15 +430,14 @@ func main() {
extraOpts := ansible.DefaultIfEmpty(moduleArgs.ExtraOpts, "")
volAz := ansible.DefaultIfEmpty(moduleArgs.VolumeAz, "")
volType := ansible.DefaultIfEmpty(moduleArgs.VolumeType, "")
assumeZero := moduleArgs.AssumeZero
cbtsync := moduleArgs.CBTSync
cutover := moduleArgs.CutOver
skipV2V := moduleArgs.SkipConversion
socks := moduleArgs.UseSocks
instanceUUid := moduleArgs.InstanceUUID
debug := moduleArgs.Debug
vmwareInsecure := moduleArgs.VmwareInsecure
localDisk := moduleArgs.LocalDiskPath
// Cinder manage options
externalVolume := moduleArgs.ExternalVolume
volumeName := moduleArgs.VolumeName
hostPool := moduleArgs.HostPool
Expand All @@ -452,7 +453,7 @@ func main() {
logger.InitLogger(LogFile)
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
c, err := vmware.VMWareAuth(ctx, server, user, password)
c, err := vmware.VMWareAuth(ctx, server, user, password, vmwareInsecure)
if err != nil {
logger.Log.Infof("Failed to initiate Vmware client: %v", err)
response.Msg = "Failed to initiate Vmware client: " + err.Error()
Expand Down Expand Up @@ -525,6 +526,7 @@ func main() {
Compression: compression,
UUID: r,
UseSocks: socks,
Insecure: vmwareInsecure,
VddkConfig: &vmware.VddkConfig{
VirtualMachine: vm,
SnapshotReference: types.ManagedObjectReference{},
Expand All @@ -551,7 +553,6 @@ func main() {
CloudOpts: moduleArgs.DstCloud,
VolumeType: volType,
VolumeAz: volAz,
AssumeZero: assumeZero,
}
volUUID, err := VMMigration.VMMigration(ctx, runV2V)
if err != nil {
Expand Down
2 changes: 1 addition & 1 deletion roles/convert_metadata/tasks/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@

- name: Get best matches for flavors
os_migrate.vmware_migration_kit.best_match_flavor:
cloud: "{{ dst_cloud }}"
cloud: "{{ dst_cloud | combine({'openstack_insecure': openstack_insecure | default(false) | bool}, recursive=True) }}"
guest_info_path: "{{ convert_metadata_guest_info_path }}"
disk_info_path: "{{ convert_metadata_disk_info_path }}"
register: flavor_name
Expand Down
2 changes: 2 additions & 0 deletions roles/import_workloads/defaults/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ import_workloads_skip_conversion: "{{ skip_conversion | default(false) | bool }}
import_workloads_os_migrate_virt_v2v: "{{ os_migrate_virt_v2v | default(false) | bool }}"
import_workloads_os_migrate_nbdkit: "{{ os_migrate_nbdkit | default(true) | bool }}"
import_workloads_debug: "{{ debug | default(false) | bool }}"
import_workloads_vmware_insecure: "{{ vmware_insecure | default(false) | bool }}"
import_workloads_openstack_insecure: "{{ openstack_insecure | default(false) | bool }}"
import_workloads_local_disk_path: "{{ local_disk_path | default(omit) }}"
import_workloads_libdir: "{{ libdir | default('/usr/lib/vmware-vix-disklib') }}"
import_workloads_extra_opts: "{{ extra_opts | default(omit) }}"
Expand Down
5 changes: 3 additions & 2 deletions roles/import_workloads/tasks/nbdkit.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@

- name: Migrate Guest from Vmware using nbdkit {{ vm_name }}
os_migrate.vmware_migration_kit.migrate:
dst_cloud: "{{ dst_cloud }}"
dst_cloud: "{{ dst_cloud | combine({'openstack_insecure': import_workloads_openstack_insecure | bool}, recursive=True) }}"
user: "{{ vcenter_username }}"
password: "{{ vcenter_password }}"
server: "{{ vcenter_hostname }}"
Expand All @@ -79,6 +79,7 @@
skipconversion: "{{ import_workloads_skip_conversion | bool }}"
instanceuuid: "{{ import_workloads_instance_uuid }}"
debug: "{{ import_workloads_debug | bool }}"
vmware_insecure: "{{ import_workloads_vmware_insecure | bool }}"
localdiskpath: "{{ import_workloads_local_disk_path | default(omit) }}"
libdir: "{{ import_workloads_libdir | default(omit) }}"
volume_type_mapping: "{{ import_workloads_volume_type_mapping | default([]) }}"
Expand Down Expand Up @@ -115,7 +116,7 @@
- name: Get volume metadata info
register: volume_info_metadata
os_migrate.vmware_migration_kit.volume_metadata_info:
dst_cloud: "{{ dst_cloud }}"
dst_cloud: "{{ dst_cloud | combine({'openstack_insecure': import_workloads_openstack_insecure | bool}, recursive=True) }}"
volume_id: "{{ uuid }}"
loop: "{{ volume_uuid }}"
loop_control:
Expand Down
Loading