Update VCH inspect API to output TLS friendly addresses for VCH docker and admin portal endpoint #7321
Labels
area/api
The Virtual Container Host management API
kind/defect
Behavior that is inconsistent with what's intended
priority/p1
team/lifecycle
Problem Statement
The VCH inspect API outputs an IP address for the docker endpoint and admin portal, and this IP address is the client network IP that the user specifies.
However, this client IP might fail docker TLS verification (if tls verify is on for this VCH) for some certificate configurations. For example, a client could use an FQDN resolved from /etc/hosts, and it's possible that it doesn't match what's in the host certificate if there's no alt name matched for it.
Possible Solution
The CLI gets around it by grabbing all candidate IPs from the allowed common host names and alternative names according to the configured certificate, and checking them one by one to find an IP/FQDN that passes the TLS verification. Once we find such an IP, we turn it into an FQDN and output this as the docker endpoint.
(The PR that added this process: https://github.com/vmware/vic/pull/2744/files#diff-ab6c58c594b80369f767fa321a81c06e)
The API code should be updated to determine the appropriate IP address for the VCH according to the configured certificate, instead of just using the client network IP address.
Acceptance Criteria
Cc: @hickeng @zjs
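An added illustration of the selection described under Possible Solution, written for this page and not taken from the issue or the VIC code base: prefer the client IP if the certificate verifies for it, otherwise return a certificate name that both verifies and resolves to that IP. The helper names, the injected `resolve` lookup, and the sample host name and address are assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// tlsFriendlyAddress (hypothetical helper): resolve is an injected lookup, e.g. wrapping net.LookupHost.
func tlsFriendlyAddress(cert *x509.Certificate, clientIP string, resolve func(string) []string) string {
	if cert.VerifyHostname(clientIP) == nil {
		return clientIP // certificate carries the client IP as an IP SAN
	}
	// Candidates: CN plus DNS SANs (Go's verifier honours SANs only, so a CN-only name fails).
	for _, name := range append([]string{cert.Subject.CommonName}, cert.DNSNames...) {
		for _, ip := range resolve(name) {
			if ip == clientIP && cert.VerifyHostname(name) == nil {
				return name // verifies AND actually points at this VCH
			}
		}
	}
	return "" // nothing verifiable: caller should report it, not print the bare IP
}

// sampleCert builds a constructed self-signed certificate for the demo.
func sampleCert(cn string, dns []string, ips ...string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), DNSNames: dns}
	for _, ip := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	lookup := func(n string) []string { return map[string][]string{"vch.example.test": {"192.0.2.10"}}[n] }
	fmt.Println(tlsFriendlyAddress(sampleCert("", []string{"vch.example.test"}), "192.0.2.10", lookup))
}
```

An empty return value is the case the issue is about: the bare client IP would be rejected by a verifying docker client, so the caller has to surface that rather than print it.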