vmware-tanzu / velero-plugin-for-vsphere

Plugin to support Velero on vSphere

Support for SAML token authentication #192

Open marratj opened 4 years ago

marratj commented 4 years ago

Hello,

we currently use the vSphere CSI Driver with SAML Token authentication (using a dedicated vSphere solution user per K8s cluster) in our environment, which is working fine.

However, it seems that the configured solution user cert/key from the csi-vsphere.conf in the vsphere-config-secret is not supported by the Velero vSphere plugin, as the Velero plugin throws a "ServerFaultCode: Cannot complete login due to an incorrect user name or password" upon trying to create a snapshot, whereas with a "normal" vSphere user/password combo it works.

So is there currently a way to get vSphere SAML token authentication working in Velero or does that require changes in the plugin first?

lintongj commented 4 years ago

> So is there currently a way to get vSphere SAML token authentication working in Velero or does that require changes in the plugin first?

The plugin doesn't support SAML token authentication yet. It requires a change in the plugin.

marratj commented 4 years ago

Is this planned for the near future from your side?

If not, could you give me a hint where authentication is handled (I figured this is in the astrolabe/ivd/newIVDProtectedEntityTypeManagerFromURL) so I can take a look if I can add the code to get this to work similar to how it's handled in the CSI plugin?

lintongj commented 4 years ago

> Is this planned for the near future from your side?

We don't have such a plan in the near term.

> If not, could you give me a hint where authentication is handled (I figured this is in the astrolabe/ivd/newIVDProtectedEntityTypeManagerFromURL) so I can take a look if I can add the code to get this to work similar to how it's handled in the CSI plugin?

That would be great.

You actually looked at the right place. At https://github.com/vmware-tanzu/astrolabe/blob/e69f9550d091d5b4a1c40d682a53cabce692760b/pkg/ivd/ivd_protected_entity_type_manager.go#L78.

In the SAML token authentication case, the csi-vsphere.conf in the vsphere-config-secret contains the SAML token cert & private key in place of the regular username & password. Please feel free to refer to the vSphere CSI Driver (https://github.com/kubernetes-sigs/vsphere-csi-driver/blob/master/pkg/common/cns-lib/vsphere/virtualcenter.go#L119-L125) as an example.