Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: 4.21
Component/s: Bare Metal Hardware Provisioning / cluster-baremetal-operator
Labels:
- triaged

Activity Type:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
2
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:

4.21.0
Release Blocker:
None
Sprint:
Metal Platform 281, Metal Platform 282
sprint_count:
2

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
In Progress
Release Note Type:
Bug Fix
Release Note Text:

Hide
After enabling readOnlyRootFileSystem for ironic containers, we had to use an extra ironic-ca-cert mount due to ironic trying to write at the readOnly IRONIC_CACERT_FILE=/certs/ca/ironic/tls.crt path. And fixing the issue of unset IRONIC_CACERT_FILE in ironic-image repo ( pr - https://github.com/openshift/ironic-image/pull/753 ) by using the already writable /conf directory, we no longer need the extra ironic-ca-cert mount, thus reducing the attack surface for the containers.

Show
After enabling readOnlyRootFileSystem for ironic containers, we had to use an extra ironic-ca-cert mount due to ironic trying to write at the readOnly IRONIC_CACERT_FILE=/certs/ca/ironic/tls.crt path. And fixing the issue of unset IRONIC_CACERT_FILE in ironic-image repo ( pr - https://github.com/openshift/ironic-image/pull/753 ) by using the already writable /conf directory, we no longer need the extra ironic-ca-cert mount, thus reducing the attack surface for the containers.

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

This is a clone of issue OCPBUGS-67216. The following is the description of the original issue:
—
Description of problem:


After fixing the issue of ironic writing to the readOnly "/certs/ca/ironic" path when the ironic-ca-cert path is not set, remove the writable ironic-ca-cert mount at "/certs/ca/ironic" path.

clones

OCPBUGS-67216 CBO: remove the writable ironic-ca-cert mount

MODIFIED

is blocked by

OCPBUGS-67216 CBO: remove the writable ironic-ca-cert mount

MODIFIED

links to

openshift/cluster-baremetal-operator#541: [release-4.21] OCPBUGS-70163: Remove the writable ironic CA cert volume mount at /certs/ca/ironic path, ironic will use the writable /conf mount if needed

Assignee:: Himanshu Roy

Reporter:: Himanshu Roy

Need Info From:: None

Contributors:: None

QA Contact:: Jad Haj Yahya

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/12/23 11:19 AM

Updated:: 2026/01/07 6:06 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates