-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
2.8.5
-
Incidents & Support
-
False
-
-
True
-
-
-
Moderate
-
Customer Reported
Description of problem:
Attempting to do a warm migration using a RHV provider where we have checked "Skip certificate validation" fails, while a cold migration succeeds
Version-Release number of selected component (if applicable):
MTV 2.8.5
How reproducible:
Steps to Reproduce:
For my RHV provider I have Skip certificate validation set to true :
~~~
status:
conditions:
- category: Warn
lastTransitionTime: "2025-06-27T20:51:06Z"
message: TLS is susceptible to machine-in-the-middle attacks when certificate
verification is skipped.
reason: SkipTLSVerification
status: "True"
~~~
I attempt a warm migration which fails with
~~~
- 'Unable to connect to imageio data source: Error creating connection: tls_error:
TLS error, check your CA certificate settings (failed to validate the connection
(Post "https://rhev10-m.gsslab.rdu2.redhat.com/ovirt-engine/sso/oauth/token":
tls: failed to verify certificate: x509: certificate signed by unknown authority))'
~~~
The importer prime pod logs show this:
~~~
$oc logs importer-prime-9514e767-0a32-4a6c-bb00-810b9343e074-checkpoint-f92ae88c-0795-405e-86df-24fdcb4b1332
I0627 20:56:06.713931 1 importer.go:107] Starting importer
I0627 20:56:06.714950 1 importer.go:182] begin import process
I0627 20:56:06.725498 1 http-datasource.go:262] Attempting to get certs from /certs/ca.pem
W0627 20:56:06.725525 1 http-datasource.go:270] No certs in /certs/ca.pem
I0627 20:56:06.725585 1 klog.go:22] Testing oVirt engine connection...
I0627 20:56:06.736948 1 klog.go:22] Giving up testing oVirt engine connection (tls_error: TLS error, check your CA certificate settings (failed to validate the connection (Post "https://rhev10-m.gsslab.rdu2.redhat.com/ovirt-engine/sso/oauth/token": tls: failed to verify certificate: x509: certificate signed by unknown authority)))
I0627 20:56:06.736976 1 imageio-datasource.go:652] No transfer to clean up.
E0627 20:56:06.736982 1 importer.go:347] tls_error: TLS error, check your CA certificate settings (failed to validate the connection (Post "https://rhev10-m.gsslab.rdu2.redhat.com/ovirt-engine/sso/oauth/token": tls: failed to verify certificate: x509: certificate signed by unknown authority))
Error creating connection
~~~
The pod has INSECURE_TLS set to false:
~~~
oc get pods importer-prime-9514e767-0a32-4a6c-bb00-810b9343e074-checkpoint-f92ae88c-0795-405e-86df-24fdcb4b1332 -o yaml | yq '.spec'
containers:
- name: INSECURE_TLS
value: "false"
~~~
When we do a cold migration (which succeeds) it looks like we pass the --insecure directly to the command line and it doesn't get put in a pod env variable
~~~
I0627 21:01:05.144385 1 ovirt-populator.go:95] Running command: /usr/bin/ovirt-img download-disk --output json --engine-url=https://rhev10-m.gsslab.rdu2.redhat.com --username=admin@internal --password-file=/tmp/ovirt.pass --insecure -f raw 9042c564-a987-4a73-b553-f4a9cfac59e8 /dev/block
~~~
Actual results:
Expected results:
warm migration with TLS insecure (skip cert validation) should work
Additional info:
