Ironic

  1. Bug #2040236
  2. Activity log

Activity log for bug #2040236

Date Who What changed Old value New value Message
2023-10-24 06:03:20 ZhouHao bug added bug
2023-10-24 06:07:32 ZhouHao ironic: assignee ZhouHao (zhouhao3)
2023-10-26 01:37:13 ZhouHao description This is a detailed implementation plan for proposal #1395(https://github.com/openshift/enhancements/pull/1395) in the OpenShift Ironic. The goal of this post is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. We can break down the implementation into two main steps: 1. Adding a new field for the certificate path Introduce a new option in Ironic to accept the path where the verification certificates are located. For instance, the following addition can be made in ironic/conf/conductor.py: --- a/ironic/conf/conductor.py +++ b/ironic/conf/conductor.py @@ -423,6 +423,9 @@ opts = [ 'seconds, or 30 minutes. If you need to wait longer ' 'than the maximum value, we recommend exploring ' 'hold steps.')), + cfg.StrOpt('default_verify_ca_path', + default='', + help=_('The default verify_ca path.')), ] 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. Below is an example of how it can be implemented in the iRMC driver: --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py @@ -131,7 +131,15 @@ COMMON_PROPERTIES.update(SNMP_V3_REQUIRED_PROPERTIES) COMMON_PROPERTIES.update(SNMP_V3_OPTIONAL_PROPERTIES) COMMON_PROPERTIES.update(SNMP_V3_DEPRECATED_PROPERTIES) - +def get_default_verify_ca_path(func): + def wrapper(node): + verify_ca = node.driver_info.get(f'{node.driver}_verify_ca') + if CONF.conductor.default_verify_ca_path != '' and (verify_ca == None or verify_ca == True): + node.driver_info[f'{node.driver}_verify_ca'] = CONF.conductor.default_verify_ca_path + return func(node) + return wrapper + +@get_default_verify_ca_path def parse_driver_info(node): """Gets the specific Node driver info. Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option. We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new field for the certificate path Introduce a new option in Ironic to accept the path where the verification certificates are located. For instance, the following addition can be made in ironic/conf/conductor.py: --- a/ironic/conf/conductor.py +++ b/ironic/conf/conductor.py @@ -423,6 +423,9 @@ opts = [                        'seconds, or 30 minutes. If you need to wait longer '                        'than the maximum value, we recommend exploring '                        'hold steps.')), + cfg.StrOpt('default_verify_ca_path', + default='', + help=_('The default verify_ca path.')),  ] 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. Below is an example of how it can be implemented in the iRMC driver: --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py @@ -131,7 +131,15 @@ COMMON_PROPERTIES.update(SNMP_V3_REQUIRED_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_OPTIONAL_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_DEPRECATED_PROPERTIES) - +def get_default_verify_ca_path(func): + def wrapper(node): + verify_ca = node.driver_info.get(f'{node.driver}_verify_ca') + if CONF.conductor.default_verify_ca_path != '' and (verify_ca == None or verify_ca == True): + node.driver_info[f'{node.driver}_verify_ca'] = CONF.conductor.default_verify_ca_path + return func(node) + return wrapper + +@get_default_verify_ca_path  def parse_driver_info(node):      """Gets the specific Node driver info. Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option.
2023-10-30 15:28:30 Jay Faulkner tags rfe needs-spec rfe
2023-11-19 14:50:32 Dmitry Tantsur ironic: status New Triaged
2023-11-19 14:50:35 Dmitry Tantsur ironic: importance Undecided Wishlist
2023-11-27 15:54:44 Dmitry Tantsur description We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new field for the certificate path Introduce a new option in Ironic to accept the path where the verification certificates are located. For instance, the following addition can be made in ironic/conf/conductor.py: --- a/ironic/conf/conductor.py +++ b/ironic/conf/conductor.py @@ -423,6 +423,9 @@ opts = [                        'seconds, or 30 minutes. If you need to wait longer '                        'than the maximum value, we recommend exploring '                        'hold steps.')), + cfg.StrOpt('default_verify_ca_path', + default='', + help=_('The default verify_ca path.')),  ] 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. Below is an example of how it can be implemented in the iRMC driver: --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py @@ -131,7 +131,15 @@ COMMON_PROPERTIES.update(SNMP_V3_REQUIRED_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_OPTIONAL_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_DEPRECATED_PROPERTIES) - +def get_default_verify_ca_path(func): + def wrapper(node): + verify_ca = node.driver_info.get(f'{node.driver}_verify_ca') + if CONF.conductor.default_verify_ca_path != '' and (verify_ca == None or verify_ca == True): + node.driver_info[f'{node.driver}_verify_ca'] = CONF.conductor.default_verify_ca_path + return func(node) + return wrapper + +@get_default_verify_ca_path  def parse_driver_info(node):      """Gets the specific Node driver info. Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option. We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option [conductor]default_verify_ca_path for the certificate path Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option.
2023-11-29 01:47:22 ZhouHao description We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option [conductor]default_verify_ca_path for the certificate path Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option. We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. The following is a code example of iRMC implementation: 0. It is planned to increase the value of default_verify_ca_path for iRMC in ironic-image. For example: [irmc] kernel_append_params = nofb ...... +{% if env.BMC_TLS_ENABLED == "true" %} +default_verify_ca_path = /tmp/bmc-tls.pem +{% endif %} 1. Adding a new option default_verify_ca_path for iRMC --- a/ironic/conf/irmc.py +++ b/ironic/conf/irmc.py @@ -139,6 +139,9 @@ opts = [ '/proc/cmdline. Mind severe cmdline size limit! Can be ' 'overridden by `instance_info/kernel_append_params` ' 'property.')), + cfg.StrOpt('default_verify_ca_path', + default=None, + help=_('The default verify_ca path.')), 2. Retrieving the path before node verification --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py @@ -131,6 +131,15 @@ COMMON_PROPERTIES.update(SNMP_V3_REQUIRED_PROPERTIES) COMMON_PROPERTIES.update(SNMP_V3_OPTIONAL_PROPERTIES) COMMON_PROPERTIES.update(SNMP_V3_DEPRECATED_PROPERTIES) +def get_default_verify_ca_path(func): + def wrapper(node): + verify_ca = CONF.irmc.default_verify_ca_path + if CONF.conductor.default_verify_ca_path != '' and (verify_ca == None or verify_ca == True): + node.driver_info[f'{node.driver}_verify_ca'] = CONF.conductor.default_verify_ca_path + return func(node) + return wrapper + +@get_default_verify_ca_path def parse_driver_info(node): Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option.
2023-11-29 05:27:16 ZhouHao description We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. The following is a code example of iRMC implementation: 0. It is planned to increase the value of default_verify_ca_path for iRMC in ironic-image. For example: [irmc] kernel_append_params = nofb ...... +{% if env.BMC_TLS_ENABLED == "true" %} +default_verify_ca_path = /tmp/bmc-tls.pem +{% endif %} 1. Adding a new option default_verify_ca_path for iRMC --- a/ironic/conf/irmc.py +++ b/ironic/conf/irmc.py @@ -139,6 +139,9 @@ opts = [ '/proc/cmdline. Mind severe cmdline size limit! Can be ' 'overridden by `instance_info/kernel_append_params` ' 'property.')), + cfg.StrOpt('default_verify_ca_path', + default=None, + help=_('The default verify_ca path.')), 2. Retrieving the path before node verification --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py @@ -131,6 +131,15 @@ COMMON_PROPERTIES.update(SNMP_V3_REQUIRED_PROPERTIES) COMMON_PROPERTIES.update(SNMP_V3_OPTIONAL_PROPERTIES) COMMON_PROPERTIES.update(SNMP_V3_DEPRECATED_PROPERTIES) +def get_default_verify_ca_path(func): + def wrapper(node): + verify_ca = CONF.irmc.default_verify_ca_path + if CONF.conductor.default_verify_ca_path != '' and (verify_ca == None or verify_ca == True): + node.driver_info[f'{node.driver}_verify_ca'] = CONF.conductor.default_verify_ca_path + return func(node) + return wrapper + +@get_default_verify_ca_path def parse_driver_info(node): Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option. We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. The following is a code example of iRMC implementation: 0. It is planned to increase the value of default_verify_ca_path for iRMC in ironic-image. For example:  [irmc]  kernel_append_params = nofb ...... +{% if env.BMC_TLS_ENABLED == "true" %} +default_verify_ca_path = /tmp/bmc-tls.pem +{% endif %} 1. Adding a new option default_verify_ca_path for iRMC --- a/ironic/conf/irmc.py +++ b/ironic/conf/irmc.py @@ -139,6 +139,9 @@ opts = [                        '/proc/cmdline. Mind severe cmdline size limit! Can be '                        'overridden by `instance_info/kernel_append_params` '                        'property.')), + cfg.StrOpt('default_verify_ca_path', + default='', + help=_('The default verify_ca path.')), 2. Retrieving the path before node verification --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py @@ -131,6 +131,15 @@ COMMON_PROPERTIES.update(SNMP_V3_REQUIRED_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_OPTIONAL_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_DEPRECATED_PROPERTIES) +def get_default_verify_ca_path(func): + def wrapper(node): + verify_ca = node.driver_info.get(f'{node.driver}_verify_ca') + if CONF.irmc.default_verify_ca_path != '' and (verify_ca == None or verify_ca == True): + node.driver_info[f'{node.driver}_verify_ca'] = CONF.irmc.default_verify_ca_path + return func(node) + return wrapper + +@get_default_verify_ca_path def parse_driver_info(node): Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option.
2023-11-29 05:29:17 ZhouHao description We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. The following is a code example of iRMC implementation: 0. It is planned to increase the value of default_verify_ca_path for iRMC in ironic-image. For example:  [irmc]  kernel_append_params = nofb ...... +{% if env.BMC_TLS_ENABLED == "true" %} +default_verify_ca_path = /tmp/bmc-tls.pem +{% endif %} 1. Adding a new option default_verify_ca_path for iRMC --- a/ironic/conf/irmc.py +++ b/ironic/conf/irmc.py @@ -139,6 +139,9 @@ opts = [                        '/proc/cmdline. Mind severe cmdline size limit! Can be '                        'overridden by `instance_info/kernel_append_params` '                        'property.')), + cfg.StrOpt('default_verify_ca_path', + default='', + help=_('The default verify_ca path.')), 2. Retrieving the path before node verification --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py @@ -131,6 +131,15 @@ COMMON_PROPERTIES.update(SNMP_V3_REQUIRED_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_OPTIONAL_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_DEPRECATED_PROPERTIES) +def get_default_verify_ca_path(func): + def wrapper(node): + verify_ca = node.driver_info.get(f'{node.driver}_verify_ca') + if CONF.irmc.default_verify_ca_path != '' and (verify_ca == None or verify_ca == True): + node.driver_info[f'{node.driver}_verify_ca'] = CONF.irmc.default_verify_ca_path + return func(node) + return wrapper + +@get_default_verify_ca_path def parse_driver_info(node): Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option. We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. The following is a code example of iRMC implementation: 0. It is planned to increase the value of default_verify_ca_path for iRMC in ironic-image. For example:  [irmc]  kernel_append_params = nofb ...... +{% if env.BMC_TLS_ENABLED == "true" %} +default_verify_ca_path = /tmp/bmc-tls.pem +{% endif %} 1. Adding a new option default_verify_ca_path for iRMC --- a/ironic/conf/irmc.py +++ b/ironic/conf/irmc.py @@ -139,6 +139,9 @@ opts = [                        '/proc/cmdline. Mind severe cmdline size limit! Can be '                        'overridden by `instance_info/kernel_append_params` '                        'property.')), + cfg.StrOpt('default_verify_ca_path', + default=None, + help=_('The default verify_ca path.')), 2. Retrieving the path before node verification --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py @@ -131,6 +131,15 @@ COMMON_PROPERTIES.update(SNMP_V3_REQUIRED_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_OPTIONAL_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_DEPRECATED_PROPERTIES) +def get_default_verify_ca_path(func): + def wrapper(node): + verify_ca = node.driver_info.get(f'{node.driver}_verify_ca') + if CONF.irmc.default_verify_ca_path != None and (verify_ca == None or verify_ca == True): + node.driver_info[f'{node.driver}_verify_ca'] = CONF.irmc.default_verify_ca_path + return func(node) + return wrapper + +@get_default_verify_ca_path def parse_driver_info(node): Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option.
2023-11-29 05:38:30 ZhouHao description We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. The following is a code example of iRMC implementation: 0. It is planned to increase the value of default_verify_ca_path for iRMC in ironic-image. For example:  [irmc]  kernel_append_params = nofb ...... +{% if env.BMC_TLS_ENABLED == "true" %} +default_verify_ca_path = /tmp/bmc-tls.pem +{% endif %} 1. Adding a new option default_verify_ca_path for iRMC --- a/ironic/conf/irmc.py +++ b/ironic/conf/irmc.py @@ -139,6 +139,9 @@ opts = [                        '/proc/cmdline. Mind severe cmdline size limit! Can be '                        'overridden by `instance_info/kernel_append_params` '                        'property.')), + cfg.StrOpt('default_verify_ca_path', + default=None, + help=_('The default verify_ca path.')), 2. Retrieving the path before node verification --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py @@ -131,6 +131,15 @@ COMMON_PROPERTIES.update(SNMP_V3_REQUIRED_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_OPTIONAL_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_DEPRECATED_PROPERTIES) +def get_default_verify_ca_path(func): + def wrapper(node): + verify_ca = node.driver_info.get(f'{node.driver}_verify_ca') + if CONF.irmc.default_verify_ca_path != None and (verify_ca == None or verify_ca == True): + node.driver_info[f'{node.driver}_verify_ca'] = CONF.irmc.default_verify_ca_path + return func(node) + return wrapper + +@get_default_verify_ca_path def parse_driver_info(node): Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option. We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. The following is a code example of iRMC implementation: 0. It is planned to increase the value of default_verify_ca_path for iRMC in ironic-image. For example:  [irmc]  kernel_append_params = nofb ...... +{% if env.BMC_TLS_ENABLED == "true" %} +default_verify_ca_path = /tmp/bmc-tls.pem +{% endif %} 1. Adding a new option default_verify_ca_path for iRMC --- a/ironic/conf/irmc.py +++ b/ironic/conf/irmc.py @@ -139,6 +139,9 @@ opts = [                        '/proc/cmdline. Mind severe cmdline size limit! Can be '                        'overridden by `instance_info/kernel_append_params` '                        'property.')), + cfg.StrOpt('default_verify_ca_path', + default=None, + help=_('The default verify_ca path.')), 2. Retrieving the path before node verification --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py @@ -131,6 +131,15 @@ COMMON_PROPERTIES.update(SNMP_V3_REQUIRED_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_OPTIONAL_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_DEPRECATED_PROPERTIES) +def get_default_verify_ca_path(func): + def wrapper(node): + verify_ca = node.driver_info.get('irmc_verify_ca') + if CONF.irmc.default_verify_ca_path != None and (verify_ca == None or verify_ca == True): + node.driver_info[f'{node.driver}_verify_ca'] = CONF.irmc.default_verify_ca_path + return func(node) + return wrapper + +@get_default_verify_ca_path def parse_driver_info(node): Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option.
2023-11-29 05:39:18 ZhouHao description We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. The following is a code example of iRMC implementation: 0. It is planned to increase the value of default_verify_ca_path for iRMC in ironic-image. For example:  [irmc]  kernel_append_params = nofb ...... +{% if env.BMC_TLS_ENABLED == "true" %} +default_verify_ca_path = /tmp/bmc-tls.pem +{% endif %} 1. Adding a new option default_verify_ca_path for iRMC --- a/ironic/conf/irmc.py +++ b/ironic/conf/irmc.py @@ -139,6 +139,9 @@ opts = [                        '/proc/cmdline. Mind severe cmdline size limit! Can be '                        'overridden by `instance_info/kernel_append_params` '                        'property.')), + cfg.StrOpt('default_verify_ca_path', + default=None, + help=_('The default verify_ca path.')), 2. Retrieving the path before node verification --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py @@ -131,6 +131,15 @@ COMMON_PROPERTIES.update(SNMP_V3_REQUIRED_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_OPTIONAL_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_DEPRECATED_PROPERTIES) +def get_default_verify_ca_path(func): + def wrapper(node): + verify_ca = node.driver_info.get('irmc_verify_ca') + if CONF.irmc.default_verify_ca_path != None and (verify_ca == None or verify_ca == True): + node.driver_info[f'{node.driver}_verify_ca'] = CONF.irmc.default_verify_ca_path + return func(node) + return wrapper + +@get_default_verify_ca_path def parse_driver_info(node): Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option. We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. The following is a code example of iRMC implementation: 0. It is planned to increase the value of default_verify_ca_path for iRMC in ironic-image. For example:  [irmc]  kernel_append_params = nofb ...... +{% if env.BMC_TLS_ENABLED == "true" %} +default_verify_ca_path = /tmp/bmc-tls.pem +{% endif %} 1. Adding a new option default_verify_ca_path for iRMC --- a/ironic/conf/irmc.py +++ b/ironic/conf/irmc.py @@ -139,6 +139,9 @@ opts = [                        '/proc/cmdline. Mind severe cmdline size limit! Can be '                        'overridden by `instance_info/kernel_append_params` '                        'property.')), + cfg.StrOpt('default_verify_ca_path', + default=None, + help=_('The default verify_ca path.')), 2. Retrieving the path before node verification --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py @@ -131,6 +131,15 @@ COMMON_PROPERTIES.update(SNMP_V3_REQUIRED_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_OPTIONAL_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_DEPRECATED_PROPERTIES) +def get_default_verify_ca_path(func): + def wrapper(node): + verify_ca = node.driver_info.get('irmc_verify_ca') + if CONF.irmc.default_verify_ca_path != None and (verify_ca == None or verify_ca == True): + node.driver_info['irmc_verify_ca'] = CONF.irmc.default_verify_ca_path + return func(node) + return wrapper + +@get_default_verify_ca_path def parse_driver_info(node): Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option.
2023-12-07 08:32:00 ZhouHao description We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. The following is a code example of iRMC implementation: 0. It is planned to increase the value of default_verify_ca_path for iRMC in ironic-image. For example:  [irmc]  kernel_append_params = nofb ...... +{% if env.BMC_TLS_ENABLED == "true" %} +default_verify_ca_path = /tmp/bmc-tls.pem +{% endif %} 1. Adding a new option default_verify_ca_path for iRMC --- a/ironic/conf/irmc.py +++ b/ironic/conf/irmc.py @@ -139,6 +139,9 @@ opts = [                        '/proc/cmdline. Mind severe cmdline size limit! Can be '                        'overridden by `instance_info/kernel_append_params` '                        'property.')), + cfg.StrOpt('default_verify_ca_path', + default=None, + help=_('The default verify_ca path.')), 2. Retrieving the path before node verification --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py @@ -131,6 +131,15 @@ COMMON_PROPERTIES.update(SNMP_V3_REQUIRED_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_OPTIONAL_PROPERTIES)  COMMON_PROPERTIES.update(SNMP_V3_DEPRECATED_PROPERTIES) +def get_default_verify_ca_path(func): + def wrapper(node): + verify_ca = node.driver_info.get('irmc_verify_ca') + if CONF.irmc.default_verify_ca_path != None and (verify_ca == None or verify_ca == True): + node.driver_info['irmc_verify_ca'] = CONF.irmc.default_verify_ca_path + return func(node) + return wrapper + +@get_default_verify_ca_path def parse_driver_info(node): Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option. We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. The following is a code example of iRMC implementation: 0. It is planned to increase the value of default_verify_ca_path in ironic-image. For example: +{% if env.BMC_TLS_ENABLED == "true" %} +default_verify_ca_path = /tmp/bmc-tls.pem +{% endif %} 1. Adding a new option default_verify_ca_path for iRMC --- a/ironic/conf/irmc.py +++ b/ironic/conf/irmc.py @@ -139,6 +139,9 @@ opts = [                        '/proc/cmdline. Mind severe cmdline size limit! Can be '                        'overridden by `instance_info/kernel_append_params` '                        'property.')), + cfg.StrOpt('default_verify_ca_path', + default=None, + help=_('The default verify_ca path.')), 2. Retrieving the path before node verification --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py def parse_driver_info(node): ...... if verify_ca is None: - d_info['irmc_verify_ca'] = verify_ca = CONF.webserver_verify_ca + verify_ca = CONF.webserver_verify_ca + if verify_ca is None: + verify_ca = CONF.irmc.default_verify_ca_path + d_info['irmc_verify_ca'] = verify_ca + Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option.
2023-12-07 08:40:11 ZhouHao description We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. The following is a code example of iRMC implementation: 0. It is planned to increase the value of default_verify_ca_path in ironic-image. For example: +{% if env.BMC_TLS_ENABLED == "true" %} +default_verify_ca_path = /tmp/bmc-tls.pem +{% endif %} 1. Adding a new option default_verify_ca_path for iRMC --- a/ironic/conf/irmc.py +++ b/ironic/conf/irmc.py @@ -139,6 +139,9 @@ opts = [                        '/proc/cmdline. Mind severe cmdline size limit! Can be '                        'overridden by `instance_info/kernel_append_params` '                        'property.')), + cfg.StrOpt('default_verify_ca_path', + default=None, + help=_('The default verify_ca path.')), 2. Retrieving the path before node verification --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py def parse_driver_info(node): ...... if verify_ca is None: - d_info['irmc_verify_ca'] = verify_ca = CONF.webserver_verify_ca + verify_ca = CONF.webserver_verify_ca + if verify_ca is None: + verify_ca = CONF.irmc.default_verify_ca_path + d_info['irmc_verify_ca'] = verify_ca + Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option. We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. The following is a code example of iRMC implementation: 0. It is planned to increase the value of default_verify_ca_path in ironic-image. For example: [irmc] +{% if env.BMC_TLS_ENABLED == "true" %} +default_verify_ca_path = /tmp/bmc-tls.pem +{% endif %} 1. Adding a new option default_verify_ca_path for iRMC --- a/ironic/conf/irmc.py +++ b/ironic/conf/irmc.py @@ -139,6 +139,9 @@ opts = [                        '/proc/cmdline. Mind severe cmdline size limit! Can be '                        'overridden by `instance_info/kernel_append_params` '                        'property.')), + cfg.StrOpt('default_verify_ca_path', + default=None, + help=_('The default verify_ca path.')), 2. Retrieving the path before node verification --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py def parse_driver_info(node): ......     if verify_ca is None: - d_info['irmc_verify_ca'] = verify_ca = CONF.webserver_verify_ca + verify_ca = CONF.webserver_verify_ca + if verify_ca is None: + verify_ca = CONF.irmc.default_verify_ca_path + d_info['irmc_verify_ca'] = verify_ca + Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option.
2023-12-13 08:32:17 ZhouHao description We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Introduce a new option in Ironic to accept the path where the verification certificates are located. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation might vary based on different vendors. The iRMC implementation will be added with this RFE. The following is a code example of iRMC implementation: 0. It is planned to increase the value of default_verify_ca_path in ironic-image. For example: [irmc] +{% if env.BMC_TLS_ENABLED == "true" %} +default_verify_ca_path = /tmp/bmc-tls.pem +{% endif %} 1. Adding a new option default_verify_ca_path for iRMC --- a/ironic/conf/irmc.py +++ b/ironic/conf/irmc.py @@ -139,6 +139,9 @@ opts = [                        '/proc/cmdline. Mind severe cmdline size limit! Can be '                        'overridden by `instance_info/kernel_append_params` '                        'property.')), + cfg.StrOpt('default_verify_ca_path', + default=None, + help=_('The default verify_ca path.')), 2. Retrieving the path before node verification --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py def parse_driver_info(node): ......     if verify_ca is None: - d_info['irmc_verify_ca'] = verify_ca = CONF.webserver_verify_ca + verify_ca = CONF.webserver_verify_ca + if verify_ca is None: + verify_ca = CONF.irmc.default_verify_ca_path + d_info['irmc_verify_ca'] = verify_ca + Further details need to be worked out based on the actual implementation scenario and the requirements of various vendors. Each vendor might require specific code adjustments to make efficient use of the new default_verify_ca_path option. We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Adding a default_verify_ca_path option (same like kernel_append_params) to each driver's conf to accept the specified path. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation vary based on different vendors.
2023-12-13 08:40:07 ZhouHao description We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details along with the demo code. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Adding a default_verify_ca_path option (same like kernel_append_params) to each driver's conf to accept the specified path. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation vary based on different vendors. We have created an enhancement(https://github.com/openshift/enhancements/pull/1395) in openshift-enhancements that allows users to provide a local CA certificate for IPI installation or subsequent node management, ensuring secure communication with the bare metal BMC using a local CA issued certificate or using a self-signed certificate. This is a proposal for the specific implementation of the enhancement in Ironic. The goal of this proposal is to add an option for accepting a default verify_ca path. This path will then be used to access the certificate for verification during the communication between Ironic and the nodes. Below are our implementation details. We can break down the implementation into two main steps: 1. Adding a new option default_verify_ca_path for each driver Adding a default_verify_ca_path option (same like kernel_append_params) to each driver's conf to accept the specified path. 2. Retrieving the path before node verification Before performing the node verification, retrieve the certificate path, and pass it to verify_ca for validation. This implementation vary based on different vendors.