Fix ironic-python-agent - CA bundle inject
The ironic-python-agent needs the internal-ca-bundle.pem.

Add a volume mount for the internal-ca-bundle.pem as well and update the
pxe-init script to copy both certificates to the ramdisk image.

Jira: OSPRH-12526
hjensas committed Dec 19, 2024
1 parent 6e7951e commit 60436cd
Showing 3 changed files with 13 additions and 2 deletions.
3 changes: 3 additions & 0 deletions pkg/ironicconductor/statefulset.go
Expand Up @@ -24,6 +24,7 @@ import (
common "github.com/openstack-k8s-operators/lib-common/modules/common"
affinity "github.com/openstack-k8s-operators/lib-common/modules/common/affinity"
env "github.com/openstack-k8s-operators/lib-common/modules/common/env"
tls "github.com/openstack-k8s-operators/lib-common/modules/common/tls"

appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
Expand Down Expand Up @@ -170,6 +171,8 @@ func StatefulSet(
dnsmasqVolumeMounts = append(dnsmasqVolumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
ramdiskLogsVolumeMounts = append(ramdiskLogsVolumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
initVolumeMounts = append(initVolumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
InternalTLSCABundlePath := fmt.Sprintf("%s-%s", "/etc/pki/ca-trust/extracted/pem/", tls.InternalCABundleKey)
initVolumeMounts = append(initVolumeMounts, instance.Spec.TLS.CreateVolumeMounts(&InternalTLSCABundlePath)...)
}

resourceName := fmt.Sprintf("%s-%s", ironic.ServiceName, ironic.ConductorComponent)
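Review bot: The mount path built on the `InternalTLSCABundlePath` line joins the directory and the key with `-`, so the result is `/etc/pki/ca-trust/extracted/pem/-<InternalCABundleKey>` rather than a file inside that directory; the inspector statefulset in this same commit uses `"%s/%s"` with no trailing slash, and pxe-init.sh looks for `/etc/pki/ca-trust/extracted/pem/internal-ca-bundle.pem`, which this mount would not satisfy if `tls.InternalCABundleKey` is that filename. Change it to `InternalTLSCABundlePath := fmt.Sprintf("%s/%s", "/etc/pki/ca-trust/extracted/pem", tls.InternalCABundleKey)` (or use `path.Join`). A function-scoped variable with a leading capital reads as exported in Go; `internalTLSCABundlePath` would follow the file's convention for locals. `StatefulSet` starts and ends outside the hunk.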
3 changes: 3 additions & 0 deletions pkg/ironicinspector/statefulset.go
Expand Up @@ -16,6 +16,7 @@ limitations under the License.
package ironicinspector

import (
"fmt"
"net"

ironicv1 "github.com/openstack-k8s-operators/ironic-operator/api/v1beta1"
Expand Down Expand Up @@ -157,6 +158,8 @@ func StatefulSet(
dnsmasqVolumeMounts = append(dnsmasqVolumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
ramdiskLogsVolumeMounts = append(ramdiskLogsVolumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
initVolumeMounts = append(initVolumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
InternalTLSCABundlePath := fmt.Sprintf("%s/%s", "/etc/pki/ca-trust/extracted/pem", tls.InternalCABundleKey)
initVolumeMounts = append(initVolumeMounts, instance.Spec.TLS.CreateVolumeMounts(&InternalTLSCABundlePath)...)
}

for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {
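Review bot: The local `InternalTLSCABundlePath` uses an exported-style name for a function-scoped variable; Go convention is `internalTLSCABundlePath`. The same directory literal and `fmt.Sprintf` join now appear in both pkg/ironicinspector/statefulset.go and pkg/ironicconductor/statefulset.go, and the two already differ in form (`"%s/%s"` here versus `"%s-%s"` with a trailing slash in the conductor), so a single shared constant for the CA-trust pem directory would keep the two mount paths from drifting apart. Since both operands are fixed strings, `path.Join` or plain concatenation would also avoid the format call. `StatefulSet` starts and ends outside the hunk.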
9 changes: 7 additions & 2 deletions templates/common/bin/pxe-init.sh
Expand Up @@ -45,7 +45,7 @@ for dir in httpboot tftpboot; do
done

# Patch ironic-python-agent with custom CA certificates
if [ -f "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" ] && [ -f "/var/lib/ironic/httpboot/ironic-python-agent.initramfs" ]; then
if [[ -f "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" || -f "/etc/pki/ca-trust/extracted/pem/internal-ca-bundle.pem" ]] && [ -f "/var/lib/ironic/httpboot/ironic-python-agent.initramfs" ]; then
# Extract the initramfs
cd /
mkdir initramfs
Expand All @@ -54,7 +54,12 @@ if [ -f "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" ] && [ -f "/var/lib/
popd

# Copy the CA certificates
cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /initramfs/etc/pki/ca-trust/extracted/pem/
if [ -f "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" ]; then
cp /etc/pki/ca-trust/extracted/pem/internal-ca-bundle.pem /initramfs/etc/pki/ca-trust/extracted/pem/
fi
if [ -f "/etc/pki/ca-trust/extracted/pem/internal-ca-bundle.pem" ]; then
cp /etc/pki/ca-trust/extracted/pem/internal-ca-bundle.pem /initramfs/etc/pki/ca-trust/extracted/pem/
fi
echo update-ca-trust | unshare -r chroot ./initramfs

# Repack the initramfs
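Review bot: The first new guard in the copy step tests for `tls-ca-bundle.pem` but its body copies `internal-ca-bundle.pem`, so the tls bundle that the removed `cp` line used to copy is no longer placed into the ramdisk, and the internal bundle is copied twice when both files exist. The body of that `if` should be `cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /initramfs/etc/pki/ca-trust/extracted/pem/`. An agent booting from this image would then lack the CA bundle it previously received, and the omission is silent because the copy is skipped rather than failing. The enclosing `if` block starts in the previous hunk and continues past this one.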
