How to establish TLS trust between a `VSphereSource` and a vCenter Server?

[rguske]

What needs to be configured for a VSphereSource to establish a full TLS trust when a vCenter Server uses a TLS certificate generated by an internal CA?

Basically, which requirements must be in place to use skipTLSVerify: false?

[rguske]

Could it be done similar to how it is done for a ApacheKafkaSource? Like Connecting to a TLS-enabled Kafka Broker.

[gabo1208]

For this you'd want to divide this in two steps (assuming you already have the certs and all of that in the VSphere side configured):

• Make the VSphere resources, in this case the adapter deployment, recognize the certs. It could be done by mounting them in the /etc/ssl/certs dir for the pods created by the source. It would be modifying this: https://github.com/vmware-tanzu/sources-for-knative/blob/main/pkg/reconciler/vspheresource/resources/deployment.go#L33 An example of how to do it, can be found here: https://github.com/knative-extensions/eventing-rabbitmq/blob/c9c248ab5ae23dcc86d1766654e5f076381a7392/pkg/reconciler/source/resources/receive_adapter.go#L202
• Make the VSphere resources use the tls config in the communication channel with the vCenter. Use this tls config with the soap client used to poll events from the vcenter server: https://github.com/vmware-tanzu/sources-for-knative/blob/main/pkg/vsphere/adapter.go#L71

This Connecting to a TLS-enabled Kafka Broker is how to do it the Knative way, but it implies changes on the VSphere Adapter code