Disable cert validation if needed (#1757)

slintes · web-flow · commit 657f2f551100 · 2025-05-20T20:57:51.000Z
With the updated version of metal3-dev-env, the redfish endpoint will be TLS secured,
with a self signed certificate. This will be indicated by the https protocol in the
redfish address, and a redfish_verify_ca field set to False. We need to configure BMHs
with disableCertificateVerification = true in this case.

Signed-off-by: Marc Sluiter &lt;msluiter@redhat.com&gt;
diff --git a/01_install_requirements.sh b/01_install_requirements.sh
@@ -19,7 +19,7 @@ if [ -z "${METAL3_DEV_ENV}" ]; then
   # TODO -- come up with a plan for continuously updating this
   # Note we only do this in the case where METAL3_DEV_ENV is
   # unset, to enable developer testing of local checkouts
-  git reset 0cd943dfe68db8f20341588120f4434bc52ebb31 --hard
+  git reset fab747ef4805bea2f12f70a7a5fbcedfc12a0222 --hard
 
   popd
 fi
diff --git a/agent/05_agent_configure.sh b/agent/05_agent_configure.sh
@@ -318,6 +318,8 @@ function generate_cluster_manifests() {
   export AGENT_NODES_BMC_PASSWORDS_STR=${nodes_bmc_passwords::-1}
   nodes_bmc_addresses=$(printf '%s,' "${AGENT_NODES_BMC_ADDRESSES[@]}")
   export AGENT_NODES_BMC_ADDRESSES_STR=${nodes_bmc_addresses::-1}
+  nodes_bmc_verify_cas=$(printf '%s,' "${AGENT_NODES_BMC_VERIFY_CAS[@]}")
+  export AGENT_NODES_BMC_VERIFY_CAS_STR=${nodes_bmc_verify_cas::-1}
   set -x
 
   if [[ ! -z "$INSTALLER_PROXY" ]]; then
@@ -530,6 +532,7 @@ function get_nodes_bmc_info() {
     AGENT_NODES_BMC_USERNAMES=()
     AGENT_NODES_BMC_PASSWORDS=()
     AGENT_NODES_BMC_ADDRESSES=()
+    AGENT_NODES_BMC_VERIFY_CAS=()
 
     number_nodes=$NUM_MASTERS+$NUM_WORKERS
 
@@ -538,6 +541,7 @@ function get_nodes_bmc_info() {
       AGENT_NODES_BMC_USERNAMES+=($(node_val ${i} "driver_info.username"))
       AGENT_NODES_BMC_PASSWORDS+=($(node_val ${i} "driver_info.password"))
       AGENT_NODES_BMC_ADDRESSES+=($(node_val ${i} "driver_info.address"))
+      AGENT_NODES_BMC_VERIFY_CAS+=($(node_val ${i} "driver_info.redfish_verify_ca"))
     done
 
     if [ "$NODES_PLATFORM" = "libvirt" ]; then
diff --git a/agent/roles/manifests/templates/install-config_baremetal_yaml.j2 b/agent/roles/manifests/templates/install-config_baremetal_yaml.j2
@@ -68,6 +68,7 @@ platform:
 {% set bmc_addresses = agent_nodes_bmc_addresses.split(',') %}
 {% set bmc_passwords = agent_nodes_bmc_passwords.split(',') %}
 {% set bmc_usernames = agent_nodes_bmc_usernames.split(',') %}
+{% set bmc_verify_cas = agent_nodes_bmc_verify_cas.split(',') %}
     provisioningHostIP: {{ cluster_provisioning_ip }}
     provisioningNetworkInterface: {{ cluster_provisioning_interface }}
     provisioningNetworkCIDR: {{ provisioning_network }}
@@ -80,7 +81,7 @@ platform:
         address: {{ bmc_addresses[loop.index0] }}
         username: {{ bmc_usernames[loop.index0] }}
         password: {{ bmc_passwords[loop.index0] }}
-        disableCertificateVerification: false
+        disableCertificateVerification: {% if bmc_verify_cas[loop.index0] == "False" %}true{% else %}false{% endif %}
       networkConfig:
         interfaces:
       {{ net.interfaces("eth0", macs[loop.index0])|indent(4, True) }}
diff --git a/agent/roles/manifests/vars/main.yml b/agent/roles/manifests/vars/main.yml
@@ -10,6 +10,7 @@ agent_nmstate_dhcp: "{{ lookup('env', 'AGENT_NMSTATE_DHCP') }}"
 agent_nodes_bmc_addresses: "{{ lookup('env', 'AGENT_NODES_BMC_ADDRESSES_STR') }}"
 agent_nodes_bmc_passwords: "{{ lookup('env', 'AGENT_NODES_BMC_PASSWORDS_STR') }}"
 agent_nodes_bmc_usernames: "{{ lookup('env', 'AGENT_NODES_BMC_USERNAMES_STR') }}"
+agent_nodes_bmc_verify_cas: "{{ lookup('env', 'AGENT_NODES_BMC_VERIFY_CAS_STR') }}"
 agent_nodes_macs: "{{ lookup('env', 'AGENT_NODES_MACS_STR') }}"
 agent_nodes_ips: "{{ lookup('env', 'AGENT_NODES_IPS_STR') }}"
 agent_nodes_ipsv6: "{{ lookup('env', 'AGENT_NODES_IPSV6_STR') }}"
diff --git a/ocp_install_env.sh b/ocp_install_env.sh
@@ -404,11 +404,13 @@ function generate_ocp_host_manifest() {
     rm -f "${outdir}/extras/*"
 
     worker_index=0
-    jq --raw-output '.[] | .name + " " + .ports[0].address + " " + .driver_info.username + " " + .driver_info.password + " " + .driver_info.address' $host_input \
-       | while read name mac username password address ; do
+    jq --raw-output '.[] | .name + " " + .ports[0].address + " " + .driver_info.username + " " + .driver_info.password + " " + .driver_info.address + " " + .driver_info.redfish_verify_ca' $host_input \
+       | while read name mac username password address verify_ca; do
 
         encoded_username=$(echo -n "$username" | base64)
         encoded_password=$(echo -n "$password" | base64)
+        # Heads up, "verify_ca" in ironic driver config, and "disableCertificateVerification" in BMH have opposite meaning
+        disableCertificateVerification=$([ "$verify_ca" = "False" ] && echo "true" || echo "false")
 
         secret="---
 apiVersion: v1
@@ -432,7 +434,8 @@ spec:
   bootMACAddress: $mac
   bmc:
     address: $address
-    credentialsName: ${name}-bmc-secret"
+    credentialsName: ${name}-bmc-secret
+    disableCertificateVerification: ${disableCertificateVerification}"
 
         echo "${secret}${bmh}" >> "${outdir}/${host_output}"
 
diff --git a/utils.sh b/utils.sh
@@ -246,13 +246,15 @@ function node_map_to_install_config_hosts() {
           driver_prefix=ipmi
       elif [ $driver == "idrac" ] ; then
           driver_prefix=drac
+      else
+          driver_prefix=redfish
       fi
 
       port=$(node_val ${idx} "driver_info.port // \"\"")
       username=$(node_val ${idx} "driver_info.username")
       password=$(node_val ${idx} "driver_info.password")
       address=$(node_val ${idx} "driver_info.address")
-      disable_certificate_verification=$(node_val ${idx} "driver_info.disable_certificate_verification")
+
       boot_mode=$(node_val ${idx} "properties.boot_mode")
       if [[ "$boot_mode" == "null" ]]; then
              boot_mode="UEFI"
@@ -261,14 +263,25 @@ function node_map_to_install_config_hosts() {
       cat << EOF
       - name: ${name}
         role: ${node_role}
+        bootMACAddress: ${mac}
+        bootMode: ${boot_mode}
         bmc:
           address: ${address}
           username: ${username}
           password: ${password}
+EOF
+
+      if [[ "$driver_prefix" == "redfish" ]]; then
+          # Set disableCertificateVerification
+          # Heads up, "verify ca" in ironic driver config, and "disableCertificateVerification" in BMH have opposite meaning
+          verify_ca=$(node_val ${idx} "driver_info.redfish_verify_ca")
+          disable_certificate_verification=$([ "$verify_ca" = "False" ] && echo "true" || echo "false")
+          cat << EOF
           disableCertificateVerification: ${disable_certificate_verification}
-        bootMACAddress: ${mac}
-        bootMode: ${boot_mode}
 EOF
+      fi
+
+
         if [ -n "${NETWORK_CONFIG_FOLDER:-}" ]; then
             node_network_config="${NETWORK_CONFIG_FOLDER}/${name}.yaml"
             if [ -e "$node_network_config" ]; then
