  1. Migration Toolkit for Virtualization
  2. MTV-2811

Warm migration with RHV provider fails if Skipping certificate validation


    • Bug
    • Resolution: Unresolved
    • Major
    • None
    • 2.8.5
    • Controller
    • Incidents & Support
    • False
    • True
    • Moderate
    • Customer Reported

      Description of problem:

      Attempting to do a warm migration using a RHV provider where we have checked "Skip certificate validation" fails, while a cold migration succeeds.

      Version-Release number of selected component (if applicable):

      MTV 2.8.5

      How reproducible:

      Steps to Reproduce:

      For my RHV provider I have Skip certificate validation set to true:
      
      ~~~
      status:
        conditions:
        - category: Warn
          lastTransitionTime: "2025-06-27T20:51:06Z"
          message: TLS is susceptible to machine-in-the-middle attacks when certificate
            verification is skipped.
          reason: SkipTLSVerification
          status: "True"
      ~~~
      
      I attempt a warm migration, which fails with:
      
      ~~~
           - 'Unable to connect to imageio data source: Error creating connection: tls_error:
                TLS error, check your CA certificate settings (failed to validate the connection
                (Post "https://rhev10-m.gsslab.rdu2.redhat.com/ovirt-engine/sso/oauth/token":
                tls: failed to verify certificate: x509: certificate signed by unknown authority))'
      ~~~
      
      The importer prime pod logs show this: 
      ~~~
      $ oc logs importer-prime-9514e767-0a32-4a6c-bb00-810b9343e074-checkpoint-f92ae88c-0795-405e-86df-24fdcb4b1332
      I0627 20:56:06.713931       1 importer.go:107] Starting importer
      I0627 20:56:06.714950       1 importer.go:182] begin import process
      I0627 20:56:06.725498       1 http-datasource.go:262] Attempting to get certs from /certs/ca.pem
      W0627 20:56:06.725525       1 http-datasource.go:270] No certs in /certs/ca.pem
      I0627 20:56:06.725585       1 klog.go:22] Testing oVirt engine connection...
      I0627 20:56:06.736948       1 klog.go:22] Giving up testing oVirt engine connection (tls_error: TLS error, check your CA certificate settings (failed to validate the connection (Post "https://rhev10-m.gsslab.rdu2.redhat.com/ovirt-engine/sso/oauth/token": tls: failed to verify certificate: x509: certificate signed by unknown authority)))
      I0627 20:56:06.736976       1 imageio-datasource.go:652] No transfer to clean up.
      E0627 20:56:06.736982       1 importer.go:347] tls_error: TLS error, check your CA certificate settings (failed to validate the connection (Post "https://rhev10-m.gsslab.rdu2.redhat.com/ovirt-engine/sso/oauth/token": tls: failed to verify certificate: x509: certificate signed by unknown authority))
      Error creating connection
      ~~~
      
      
      The pod has INSECURE_TLS set to false:
      ~~~
      oc get pods importer-prime-9514e767-0a32-4a6c-bb00-810b9343e074-checkpoint-f92ae88c-0795-405e-86df-24fdcb4b1332 -o yaml | yq '.spec'
      containers:
            - name: INSECURE_TLS
              value: "false"
      ~~~
      
      
      When we do a cold migration (which succeeds), it looks like we pass --insecure directly on the command line and it doesn't get put in a pod env variable:
      
      
      ~~~
      I0627 21:01:05.144385       1 ovirt-populator.go:95] Running command: /usr/bin/ovirt-img download-disk --output json --engine-url=https://rhev10-m.gsslab.rdu2.redhat.com --username=admin@internal --password-file=/tmp/ovirt.pass --insecure -f raw 9042c564-a987-4a73-b553-f4a9cfac59e8 /dev/block
      ~~~ 

      Actual results:

       

      Expected results:

      Warm migration with TLS insecure (skip cert validation) should work.

      Additional info:

       

        1. importer.logs
          2 kB
          Ameen Barakat
        2. plan.logs
          0.1 kB
          Ameen Barakat
        3. forklift-controller-inventory.logs
          3.15 MB
          Ameen Barakat
        4. forklift-controller-main.logs
          1.62 MB
          Ameen Barakat

              gcheresh@redhat.com Genadi Chereshnya
              shaselde@redhat.com Sean Haselden
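The failure mode in this report, reproduced offline as an added Go example (not code from the report, MTV, or the importer): a client configured from an INSECURE_TLS-style flag and an optional CA bundle cannot connect to a server whose certificate it has no trusted root for, unless verification is skipped or the CA is supplied. `tlsConfigFor`, `probe` and `newSelfSignedServer` are hypothetical names, the local `httptest` server stands in for the oVirt engine, and letting a supplied CA take precedence over the insecure flag is an assumption of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// tlsConfigFor (hypothetical helper) takes the two inputs visible in the report:
// an INSECURE_TLS-style flag and the PEM contents of a CA file such as /certs/ca.pem.
func tlsConfigFor(insecure bool, caPEM []byte) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if pool := x509.NewCertPool(); pool.AppendCertsFromPEM(caPEM) {
		cfg.RootCAs = pool // peer is verified against the supplied CA (assumed precedence)
	} else if insecure {
		cfg.InsecureSkipVerify = true // no verification: exposed to machine-in-the-middle
	}
	return cfg // neither set: default roots, so a private CA is "unknown authority"
}

// probe makes one HTTPS request with the given settings and returns the error, if any.
func probe(url string, insecure bool, caPEM []byte) error {
	c := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: tlsConfigFor(insecure, caPEM)}}
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// newSelfSignedServer starts a local TLS server (constructed test fixture standing in
// for the engine) and returns it together with its certificate in PEM form.
func newSelfSignedServer() (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return srv, caPEM
}

func main() {
	srv, caPEM := newSelfSignedServer()
	defer srv.Close()
	fmt.Println("insecure=false, no CA:", probe(srv.URL, false, nil))
	fmt.Println("insecure=true,  no CA:", probe(srv.URL, true, nil))
	fmt.Println("insecure=false, CA   :", probe(srv.URL, false, caPEM))
}
```

The first case corresponds to the importer pod in the report (INSECURE_TLS "false", no certs in /certs/ca.pem); the third shows that supplying the CA makes the connection succeed with verification left on.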