As part of rebuilding my VMware Cloud Foundation (VCF) 9.0.1 environment, a refresh of my VCF (Offline) Software Depot was needed to include the latest 9.0.1 binaries including various OVF/OVAs like Data Services Manager (DSM).
My VCF Software Depot has been configured with basic authentication, which is a requirement for the VCF Installer. This meant before I can import the DSM OVA into vCenter Server, I typically would need to download a local copy of the OVA, which got me thinking about this workflow ...
Can an OVF/OVA be deployed directly from a web server that requires basic authentication? 🤔
While I have imported numerous OVF/OVAs that were hosted on a web server, none that I could recall that contains authentication and more importantly, does vCenter Server even support this scenario?
I started my experimentation by using OVFTool and augmenting my deploy_data_services_manager.sh script to reference the URL where my DSM OVA was hosted. With the help from ChatGPT, I found that I could encode the basic auth (username and password) into the URL and while not the most secure, it would at least give me a chance to test whether this would even work. At first, it failed since I provided the URL encoding and then I thought maybe I just need to provide the username/password as-is and OVFTool will magically perform the encoding and that worked! ✅
DSM_OVA='http://vcf:[email protected]/PROD/COMP/DSM/dsm-va-9.0.1.0.24930659.ova'
The next experiment was to use this same URL within the vSphere UI and that also worked! ✅
Note: I did try to omitting the password from the URL and that eventually lead to an HTTP 401 error, so both username and password must be included in the URL.
Lastly, I wanted to also try HTTPS with basic auth and that nicely prompted to verify the self-signed TLS certificate and after doing so, that also worked! ✅
I never really had a need to deploy an OVF/OVA from a basic auth endpoint, but it is really good to know there is still a viable workaround if this is needed!
For the VCF 9 offline depot, is authentication mandatory? I've tried anonymous HTTP/HTTPS server and I put any fake username/password in VCF installer and VCF operations depot configuration. It worked.
Basic Auth is required manly due to input form (UI/API) but if you allow anonymous, then I guess any u/p would suffice 😅
Will this be restricted/checked in later release?
The goal is to reduce the requirements, so that if you would like to have authenticated endpoints, we'll support but we don't want to force