CAPV should support SHA-256 thumbprints when connecting to the vSphere API

[rgcostea]

/kind feature

Describe the solution you'd like
Currently, CAPV only supports SHA-1 thumbprints when creating VSphereClusters. We would like to see support for SHA-256 thumbprints as well.

Anything else you would like to add:

Environment:

• Cluster-api-provider-vsphere version: v1.9.2
• Kubernetes version: (use kubectl version): 1.26.8
• OS (e.g. from /etc/os-release): ubuntu

[neolit123]

cc @yastij @dougm @chrischdi

@rgcostea pinged the VMware slack about this. my findings are:

• the CAPV session client to a VC seems to have two modes, insecure (without a SHA1 thumbprint) and secure using a SHA1 thumbprint
• the code is here

  cluster-api-provider-vsphere/pkg/session/session.go

  Lines 241 to 259 in 26932c8

  	func newClient(ctx context.Context, sessionKey string, url *url.URL, thumbprint string, feature Feature) (*govmomi.Client, error) {
  	log := ctrl.LoggerFrom(ctx)
  	insecure := thumbprint == ""
  	soapClient := soap.NewClient(url, insecure)
  	if !insecure {
  	soapClient.SetThumbprint(url.Host, thumbprint)
  	}
  	vimClient, err := vim25.NewClient(ctx, soapClient)
  	if err != nil {
  	return nil, errors.Wrapf(err, "failed to create client")
  	}
  	vimClient.UserAgent = "k8s-capv-useragent"
  	c := &govmomi.Client{
  	Client: vimClient,
  	SessionManager: session.NewManager(vimClient),
  	}

• cannot find a way to feed standard cert, key, CA cert - i.e. for mTLS.
• without a thumbprint what happens is that the new client is created here with InsecureSkipVerify as Doug said https://github.com/vmware/govmomi/blob/main/vim25/soap/client.go#L136-L163
• CAPV seems transparent to what type the SHA is, but govmomi expects SHA1.
  https://github.com/vmware/govmomi/blob/main/vim25/soap/client.go#L421

[chrischdi]

xref: govmomi support for sha256 thumbprints:

• Add support for SHA256 thumbprint based vCenter authentication vmware/govmomi#3384

Should be part of the next govmomi release.

---

Thanks @neolit123 for sumarizing.

Regarding support of sha256 thumbprints:

• We now have to wait for the next govmomi release and bump the dependency (which then is v0.37.0?!)

Regarding support of using a ca certificate instead of the thumbprint:

• I think here is room to improve CAPV
• In CAPV we currently pass through the thumprint in the session package to the newClient function

cluster-api-provider-vsphere/pkg/session/session.go

Line 194 in b4d0893

client, err := newClient(ctx, sessionKey, soapURL, params.thumbprint, params.feature)

• If the thumprint is set to empty string, capv passes through insecure as true to govmomi's soap.NewClient function.

cluster-api-provider-vsphere/pkg/session/session.go

Lines 244 to 245 in b4d0893

	insecure := thumbprint == ""
	soapClient := soap.NewClient(url, insecure)

• So there is no way of using CA based verification, if we don't want to set a thumbprint currently.

  • (Note: there is the workaround of setting a garbage thumbprint, but I don't know if that would lead to other issues)

• It would propably be good to be able to mount a CA certificate as file and properly pass it through to tls configuration if set, without running as insecure and without having to add it to the containers root CAs.

[chrischdi]

Govmomi v0.36.1 got released. So bumping to that version should bring in support for sha256 thumbprints.