How to establish TLS trust between a `VSphereSource` and a vCenter Server?
rguske opened this issue · 2 comments
rguske commented
What needs to be configured for a `VSphereSource` to establish full TLS trust when a vCenter Server uses a TLS certificate generated by an internal CA?
Basically, which requirements must be in place to use `skipTLSVerify: false`?
rguske commented
Could it be done similar to how it is done for an `ApacheKafkaSource`? Like Connecting to a TLS-enabled Kafka Broker.
gabo1208 commented
For this you'd want to divide this in two steps (assuming you already have the certs and all of that configured on the vSphere side):
- Make the VSphere resources, in this case the adapter deployment, recognize the certs. It could be done by mounting them in the `/etc/ssl/certs` dir for the pods created by the source. It would be modifying this: https://github.com/vmware-tanzu/sources-for-knative/blob/main/pkg/reconciler/vspheresource/resources/deployment.go#L33
  An example of how to do it can be found here: https://github.com/knative-extensions/eventing-rabbitmq/blob/c9c248ab5ae23dcc86d1766654e5f076381a7392/pkg/reconciler/source/resources/receive_adapter.go#L202
- Make the VSphere resources use the TLS config in the communication channel with the vCenter. Use this TLS config with the SOAP client used to poll events from the vCenter server: https://github.com/vmware-tanzu/sources-for-knative/blob/main/pkg/vsphere/adapter.go#L71
This Connecting to a TLS-enabled Kafka Broker is how to do it the Knative way, but it implies changes on the VSphere Adapter code.
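The second step above, as an added example that is not code from the sources-for-knative project: the adapter builds a `tls.Config` whose root pool is the internal CA bundle mounted into the pod and leaves `InsecureSkipVerify` false, which is what `skipTLSVerify: false` requires. The CA and vCenter certificate are constructed in-process as stand-ins; the host name `vcenter.example.internal` is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// tlsConfigFromPEM is the config the adapter's SOAP client needs for skipTLSVerify: false.
// caPEM is the internal CA bundle mounted into the pod (e.g. under /etc/ssl/certs).
func tlsConfigFromPEM(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no CA certificate found in PEM bundle")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// verifyServerCert does what the handshake does: chain the vCenter leaf to a trusted root and match the host.
func verifyServerCert(cfg *tls.Config, leaf *x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}

// demoChain constructs a throwaway internal CA and a vCenter server cert signed by it (stand-ins, not real certs).
func demoChain(host string) ([]byte, *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Internal Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf
}
```

With a wrong host name or a bundle from a different CA, `verifyServerCert` returns an error, which is the failure the adapter should surface instead of silencing it with `skipTLSVerify: true`.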