capv: allow no auth to vcenter

The assisted installer has no connection to vCenter
until day 2. Make sure that assets generation functions
for vSphere if there is no connection to vCenter.

Author: jcpowermac

pkg/asset/installconfig/vsphere/metadata.go

@@ -2,11 +2,14 @@ package vsphere
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"path"
+	"strings"
 	"sync"
 
 	"github.com/vmware/govmomi/object"
+	"github.com/vmware/govmomi/vim25/soap"
 	"sigs.k8s.io/cluster-api-provider-vsphere/pkg/session"
 
 	"github.com/openshift/installer/pkg/types/vsphere"
@@ -122,10 +125,33 @@ func (m *Metadata) unlockedSession(ctx context.Context, server string) (*session
 	return m.sessions[server], err
 }
 
+// unwrapToSoapFault is required because soapErrorFaul is not exported
+// and are unable to use errors.As()
+// https://github.com/vmware/govmomi/blob/main/vim25/soap/error.go#L38
+func unwrapToSoapFault(err error) error {
+	if err != nil {
+		if soapFault := soap.IsSoapFault(err); !soapFault {
+			return unwrapToSoapFault(errors.Unwrap(err))
+		}
+		return err
+	}
+	return err
+}
+
 // Networks populates VCenterContext and the ClusterNetworkMap based on the vCenter server url and the FailureDomains.
 func (m *Metadata) Networks(ctx context.Context, vcenter vsphere.VCenter, failureDomains []vsphere.FailureDomain) error {
 	_, err := m.Session(ctx, vcenter.Server)
 	if err != nil {
+		// Defense against potential issues with assisted installer
+		if soapErr := unwrapToSoapFault(err); soapErr != nil {
+			soapFault := soap.ToSoapFault(soapErr)
+			// The assisted installer provides bogus username and password
+			// values. Only return the soap error (fault) if it matches incorrect username or password.
+			if strings.Contains(soapFault.String, "Cannot complete login due to an incorrect user name or password") {
+				return soapErr
+			}
+		}
+		// if soapErr is nil then this is not a SOAP fault, return err
 		return err
 	}
 

pkg/asset/machines/clusterapi.go

@@ -3,11 +3,14 @@ package machines
 import (
 	"context"
 	"fmt"
+	"net"
 	"path/filepath"
 	"strings"
+	"time"
 
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	"github.com/vmware/govmomi/vim25/soap"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -301,10 +304,41 @@ func (c *ClusterAPI) Generate(dependencies asset.Parents) error {
 		mpool.Set(pool.Platform.VSphere)
 
 		platform := ic.VSphere
+		resolver := &net.Resolver{
+			PreferGo: true,
+		}
 
 		for _, v := range platform.VCenters {
-			err := installConfig.VSphere.Networks(ctx, v, platform.FailureDomains)
+			// Defense against potential issues with assisted installer
+			// If the installer is unable to resolve vCenter there is a good possibility
+			// that the installer's install-config has been provided with bogus values.
+
+			// Timeout context for Lookup
+			ctx, cancel := context.WithTimeout(context.TODO(), 30*time.Second)
+			defer cancel()
+
+			_, err := resolver.LookupHost(ctx, v.Server)
+			if err != nil {
+				logrus.Warnf("unable to resolve vSphere server %s", v.Server)
+				return nil
+			}
+
+			// Timeout context for Networks
+			// vCenter APIs can be unreliable in performance, extended this context
+			// timeout to 60 seconds.
+			ctx, cancel = context.WithTimeout(context.TODO(), 60*time.Second)
+			defer cancel()
+
+			err = installConfig.VSphere.Networks(ctx, v, platform.FailureDomains)
 			if err != nil {
+				// If we are receiving an error as a Soap Fault this is caused by
+				// incorrect credentials and in the scenario of assisted installer
+				// the credentials are never valid. Since vCenter hostname is
+				// incorrect as well we shouldn't get this far.
+				if soap.IsSoapFault(err) {
+					logrus.Warn("authentication failure to vCenter, Cluster API machine manifests not created, cluster may not install")
+					return nil
+				}
 				return err
 			}
 		}