Merge pull request #8276 from jcpowermac/capv-no-auth

openshift-merge-bot[bot] · web-flow · commit 906d5d131391 · 2024-04-22T11:44:01.000Z
SPLAT-1585: capv - allow no auth to vcenter
diff --git a/pkg/asset/installconfig/vsphere/metadata.go b/pkg/asset/installconfig/vsphere/metadata.go
@@ -2,11 +2,14 @@ package vsphere
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"path"
+	"strings"
 	"sync"
 
 	"github.com/vmware/govmomi/object"
+	"github.com/vmware/govmomi/vim25/soap"
 	"sigs.k8s.io/cluster-api-provider-vsphere/pkg/session"
 
 	"github.com/openshift/installer/pkg/types/vsphere"
@@ -122,10 +125,33 @@ func (m *Metadata) unlockedSession(ctx context.Context, server string) (*session
 	return m.sessions[server], err
 }
 
+// unwrapToSoapFault is required because soapErrorFaul is not exported
+// and are unable to use errors.As()
+// https://github.com/vmware/govmomi/blob/main/vim25/soap/error.go#L38
+func unwrapToSoapFault(err error) error {
+	if err != nil {
+		if soapFault := soap.IsSoapFault(err); !soapFault {
+			return unwrapToSoapFault(errors.Unwrap(err))
+		}
+		return err
+	}
+	return err
+}
+
 // Networks populates VCenterContext and the ClusterNetworkMap based on the vCenter server url and the FailureDomains.
 func (m *Metadata) Networks(ctx context.Context, vcenter vsphere.VCenter, failureDomains []vsphere.FailureDomain) error {
 	_, err := m.Session(ctx, vcenter.Server)
 	if err != nil {
+		// Defense against potential issues with assisted installer
+		if soapErr := unwrapToSoapFault(err); soapErr != nil {
+			soapFault := soap.ToSoapFault(soapErr)
+			// The assisted installer provides bogus username and password
+			// values. Only return the soap error (fault) if it matches incorrect username or password.
+			if strings.Contains(soapFault.String, "Cannot complete login due to an incorrect user name or password") {
+				return soapErr
+			}
+		}
+		// if soapErr is nil then this is not a SOAP fault, return err
 		return err
 	}
 
diff --git a/pkg/asset/machines/clusterapi.go b/pkg/asset/machines/clusterapi.go
@@ -3,11 +3,14 @@ package machines
 import (
 	"context"
 	"fmt"
+	"net"
 	"path/filepath"
 	"strings"
+	"time"
 
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	"github.com/vmware/govmomi/vim25/soap"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -303,10 +306,41 @@ func (c *ClusterAPI) Generate(dependencies asset.Parents) error {
 		mpool.Set(pool.Platform.VSphere)
 
 		platform := ic.VSphere
+		resolver := &net.Resolver{
+			PreferGo: true,
+		}
 
 		for _, v := range platform.VCenters {
-			err := installConfig.VSphere.Networks(ctx, v, platform.FailureDomains)
+			// Defense against potential issues with assisted installer
+			// If the installer is unable to resolve vCenter there is a good possibility
+			// that the installer's install-config has been provided with bogus values.
+
+			// Timeout context for Lookup
+			ctx, cancel := context.WithTimeout(context.TODO(), 30*time.Second)
+			defer cancel()
+
+			_, err := resolver.LookupHost(ctx, v.Server)
+			if err != nil {
+				logrus.Warnf("unable to resolve vSphere server %s", v.Server)
+				return nil
+			}
+
+			// Timeout context for Networks
+			// vCenter APIs can be unreliable in performance, extended this context
+			// timeout to 60 seconds.
+			ctx, cancel = context.WithTimeout(context.TODO(), 60*time.Second)
+			defer cancel()
+
+			err = installConfig.VSphere.Networks(ctx, v, platform.FailureDomains)
 			if err != nil {
+				// If we are receiving an error as a Soap Fault this is caused by
+				// incorrect credentials and in the scenario of assisted installer
+				// the credentials are never valid. Since vCenter hostname is
+				// incorrect as well we shouldn't get this far.
+				if soap.IsSoapFault(err) {
+					logrus.Warn("authentication failure to vCenter, Cluster API machine manifests not created, cluster may not install")
+					return nil
+				}
 				return err
 			}
 		}
