Set the tls cacert path to writable mount when the IRONIC_CACERT_FILE is unset

    • Rejected
    • Metal Platform 281
    • 1
    • Done
    • Bug Fix
      * Before this update, the default IRONIC_CACERT_FILE in the Ironic image was a read-only path, which caused a failure when you copied cert files for self-signed certificates. As a consequence, cert files were not copied because of the read-only path in `ironic-image`. With this release, the default IRONIC_CACERT_FILE path is changed from the read-only path to a path under CUSTOM_CONFIG_DIR in the accepted release 4.21.0-0.nightly-2025-12-24-191318. As a result, `ironic-image` successfully copies cert files in self-signed scenarios. (link:https://issues.redhat.com/browse/OCPBUGS-70156[OCPBUGS-70156])


      This is a clone of issue OCPBUGS-65969. The following is the description of the original issue:

      Description of problem:

      The current default IRONIC_CACERT_FILE=/certs/ca/ironic/tls.crt is a readOnly path in ironic-image, so copying the cert file to the cacert file to cover the self-signed certs scenario will fail. Link: https://github.com/openshift/ironic-image/blob/main/scripts/tls-common.sh#L69-L70.

      So, setting the default under CUSTOM_CONFIG_DIR=/conf, IRONIC_CACERT_FILE=/conf/certs/ca/ironic/tls.crt, should fix the problem.
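
The defaulting and copy step described above, as an added shell example (not the code from ironic-image's tls-common.sh). The function names `resolve_cacert_file` and `install_selfsigned_ca` are hypothetical, and leaving an already present CA file untouched is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from ironic-image's tls-common.sh.
# resolve_cacert_file and install_selfsigned_ca are hypothetical helper names.

# Path of the CA file: an explicit IRONIC_CACERT_FILE wins; otherwise default
# under CUSTOM_CONFIG_DIR (/conf), the writable location named in the report.
resolve_cacert_file() {
    printf '%s\n' "${IRONIC_CACERT_FILE:-${CUSTOM_CONFIG_DIR:-/conf}/certs/ca/ironic/tls.crt}"
}

# Self-signed case: reuse the server certificate as the CA file.
# Returns 0 on success (or if the CA file is already present), 1 if the
# certificate is unreadable, 2 if the CA path cannot be created or written.
install_selfsigned_ca() {
    cert="$1"
    cacert="$(resolve_cacert_file)"
    cadir="$(dirname "$cacert")"
    [ -r "$cert" ] || { echo "certificate not readable: $cert" >&2; return 1; }
    # Assumption of this example: a CA file that is already there is left alone.
    [ -f "$cacert" ] && return 0
    # Fail early with a clear message instead of a bare cp error on a
    # read-only mount.
    if ! mkdir -p "$cadir" 2>/dev/null || [ ! -w "$cadir" ]; then
        echo "CA path not writable: $cacert" >&2
        return 2
    fi
    # Write to a temporary name, then rename, so readers never see a partial file.
    cp "$cert" "$cacert.tmp.$$" && mv "$cacert.tmp.$$" "$cacert" || return 2
}
```

With IRONIC_CACERT_FILE unset, `install_selfsigned_ca /path/to/tls.crt` writes under `$CUSTOM_CONFIG_DIR`; pointing IRONIC_CACERT_FILE at a read-only mount yields return code 2 and a message naming the path.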

              hroy@redhat.com Himanshu Roy
              Jad Haj Yahya