Certificate and CA management is broken #1200
Comments
```go
// Build the SOAP client first and install the private CA bundle on it; only then
// construct the vim25 client, whose constructor already talks to the server.
soapClient := soap.NewClient(u, false)
err = soapClient.SetRootCAs("/path/to/file")
if err != nil {
	log.Fatal(err)
}
vim25Client, err := vim25.NewClient(ctx, soapClient)
if err != nil {
	log.Fatal(err)
}
```
So I can't use govmomi.NewClient() if I want to specify a custom CA chain? I'd like to avoid having to use the lower level functions if possible. govmomi.NewClient() creates both the vim25 client and the soap client without any chance of intervening. What do you think of the idea of letting callers pass a TLSConfiguration? It would work as a catch-all for any TLS customization a caller would like to make. I can issue a PR if there's interest.
From govmomi.NewClient (lines 80 to 85 in 5bb443a): after line 80, it's too late to set up any CA chain, since the connection would already have failed.
I'd prefer to deprecate
Not that you asked for my opinion, but I'll give it anyway.... :) I think removing Could we still consider adding a
This behavior seems to be by design and a functioning workaround to my issue has been provided. I'm closing this.
Meant to follow up on this.. we could improve the doc at least. I hesitate to add more methods to govmomi.Client as there are a number of other config options, auth methods, RoundTrip wrappers (retry, keepalive), etc., that need to happen in between
…ent call (#36482)

#### Description
The `govmomi` client used in the receiver attempts to validate the connection to vcenter before the existing code sets the TLS options (other than insecure) in the client. This is a limitation of the `govmomi` wrapper, as discussed on this issue: vmware/govmomi#1200.

#### Link to tracking issue
Related issue in Grafana Alloy: grafana/alloy#193

#### Testing
~~This has not been tested, I would appreciate the assistance of any codeowner that could test.~~ See comments on the PR for test.

---------
Co-authored-by: Daniel Jaglowski <[email protected]>
It doesn't seem to be possible to set certificates and custom CAs on a Client, since they require an existing client, and vim25.NewClient as well as govmomi.NewClient send traffic through the client.
Here's the smoking gun (govmomi/vim25/client.go, line 79 in 5bb443a):
GetServiceContent is called on the connection, which causes traffic to be sent across the transport. If the CA chain is not set up and the server presents a certificate from a private CA, the call will fail and the client never gets connected.
Suggested solution: Remove SetRootCAs et al and allow callers to NewClient to pass a TLSConfig instead. To preserve backward compatibility, we may want to introduce a NewClientWithTLSConfig instead.
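As an added example (not code from govmomi or from anyone in this thread), the following stand-alone Go program reproduces the failure described above using only the standard library. It constructs a throwaway private CA and a server certificate issued from it, starts a local TLS server presenting that certificate, and then performs the client's first request twice: once over a transport whose RootCAs were populated from the CA's PEM before the request (the ordering the SetRootCAs-then-vim25.NewClient workaround follows), and once with the trust store left at its defaults, which fails with x509.UnknownAuthorityError in the same way GetServiceContent does when the chain was never configured. The CA, the certificate subjects and the server are constructed for the example; the only govmomi-specific assumption is that `cfg.RootCAs` is the field SetRootCAs populates on the soap client's transport.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// mint generates a P-256 key for tmpl and signs tmpl with parentKey; a nil parentKey yields a self-signed root.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return der, key, err
}

// setup builds a constructed private CA (standing in for the one a vCenter is enrolled under), issues a server
// certificate for 127.0.0.1 from it, and starts a TLS server presenting it. The PEM is what SetRootCAs reads from a file.
func setup() ([]byte, *httptest.Server, error) {
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Private Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, caKey, err := mint(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "vcenter.example.invalid"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	leafDER, leafKey, err := mint(leafTmpl, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}}}
	srv.StartTLS()
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), srv, nil
}

// probe sends the client's first request (the role GetServiceContent plays inside vim25.NewClient) over a transport
// that trusts exactly the CA in caPEM; nil caPEM means the process defaults, i.e. the private CA was never configured.
func probe(addr string, caPEM []byte) error {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return errors.New("CA PEM contained no certificates")
		}
		cfg.RootCAs = pool // the field SetRootCAs populates on govmomi's transport
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(addr)
	if err != nil {
		return err // handshake failures surface here, before any SOAP payload is exchanged
	}
	return resp.Body.Close()
}

// isUnknownAuthority reports whether err is the failure seen when the issuing CA is missing from the trust store.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	caPEM, srv, err := setup()
	if err != nil {
		panic(err)
	}
	defer srv.Close()
	fmt.Println("CA configured before first request:", probe(srv.URL, caPEM))
	err = probe(srv.URL, nil)
	fmt.Printf("CA never configured: %v (unknown authority: %t)\n", err, isUnknownAuthority(err))
}
```

Run it with `go run .`; the second output line carries the verification error. The point for callers, and for wrappers like the receiver in the linked commit, is that trust anchors are part of constructing the transport, not something to patch in after the first round trip, and `insecure=true` is not a substitute because it removes the check instead of supplying the missing root.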