Spike
Resolution: Unresolved
HardProv
When a custom certificate is used for TLS, the certificate needs to be added to the ironic-python-agent image.
Investigate the possibility to use an init container to automate this process.
Capturing how we can add the certs manually to the IPA initramfs:

```bash
mkdir /home/zuul/ipa
cd /home/zuul/ipa

# Extract the CA bundles from the combined-ca-bundle secret
oc get secrets -n openstack combined-ca-bundle -o json \
  | jq -r '.data["internal-ca-bundle.pem"] | @base64d' \
  > internal-ca-bundle.pem
oc get secrets -n openstack combined-ca-bundle -o json \
  | jq -r '.data["tls-ca-bundle.pem"] | @base64d' \
  > tls-ca-bundle.pem

# Run the IPA image (pinned by digest) with the working directory mounted at
# /target; the kernel and initramfs used below are expected to land there
podman run \
  --volume /home/zuul/ipa/:/target:Z \
  quay.io/podified-antelope-centos9/ironic-python-agent@sha256:23a2112f70ce189b815976ef426c6c32fa22c5aff0c090be9816b3db047226c2

# Unpack the initramfs
mkdir initramfs
pushd ./initramfs
zcat ../ironic-python-agent.initramfs | cpio -idmv
popd

# Add the internal CA bundle as a trust anchor and regenerate the trust store
cp internal-ca-bundle.pem initramfs/etc/pki/ca-trust/source/anchors/
unshare -r chroot ./initramfs << EOF_CHROOT_SCRIPT
update-ca-trust
EOF_CHROOT_SCRIPT

# Repack the initramfs with root ownership
pushd ./initramfs
find . \
  | sudo cpio -o -c -R root:root \
  | gzip -9 \
  > ../tls-ironic-python-agent.initramfs
popd

# Copy the rebuilt ramdisk and the kernel into the openstackclient pod
oc cp \
  ./tls-ironic-python-agent.initramfs \
  openstack/openstackclient:/tmp/tls-ironic-python-agent.initramfs
oc cp \
  ./ironic-python-agent.kernel \
  openstack/openstackclient:/tmp/ironic-python-agent.kernel

# The --file paths below are the /tmp paths inside the openstackclient pod
openstack image create deploy-kernel \
  --public \
  --container-format aki \
  --disk-format aki \
  --file /tmp/ironic-python-agent.kernel
openstack image create deploy-ramdisk \
  --public --container-format ari \
  --disk-format ari \
  --file /tmp/tls-ironic-python-agent.initramfs

# Point the node at the deploy images (UUIDs as recorded in this environment)
openstack baremetal node set ironic-0 \
  --driver-info deploy_ramdisk=06373275-f7e6-4b53-8eb9-1f6351375106 \
  --driver-info deploy_kernel=400b3c92-e3c1-4642-81ca-6d84d7469ab6
```
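A check that could run after the `update-ca-trust` step and before repacking, given here as an added example that is not part of the original ticket: it confirms that every certificate in the CA bundle actually appears in the initramfs trust store. The function names are hypothetical, and the store path `etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` is an assumption based on the usual `update-ca-trust` output location on CentOS.

```shell
# Added example (not from the ticket). Function names are hypothetical.

# Print one line per certificate: its base64 body with whitespace removed.
# Text outside the BEGIN/END markers (such as "# subject" comment lines in
# the extracted bundle) is ignored, so differences in line wrapping between
# the source bundle and the regenerated store do not matter.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { in_cert = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (in_cert) print body; in_cert = 0; next }
        in_cert { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# missing_cas <ca-bundle.pem> <trust-store.pem>
# Exit status: 0 = every CA in the bundle is in the store,
#              1 = at least one CA is missing (reported on stderr),
#              2 = unreadable input or a bundle with no certificates.
missing_cas() {
    mc_bundle=$1
    mc_store=$2
    [ -r "$mc_bundle" ] && [ -r "$mc_store" ] || return 2
    mc_want=$(pem_bodies "$mc_bundle")
    # An empty bundle must not pass silently: nothing would have been checked.
    [ -n "$mc_want" ] || return 2
    mc_have=$(pem_bodies "$mc_store")
    mc_rc=0
    while IFS= read -r mc_body; do
        # -F fixed string, -x whole-line match: compares complete cert bodies.
        if ! printf '%s\n' "$mc_have" | grep -Fxq -e "$mc_body"; then
            printf 'CA not in trust store, body starts: %.24s\n' "$mc_body" >&2
            mc_rc=1
        fi
    done <<EOF
$mc_want
EOF
    return "$mc_rc"
}

# Usage with the paths from the procedure above (store path is an assumption):
#   missing_cas internal-ca-bundle.pem \
#       initramfs/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
#     || echo "do not repack: CA bundle not fully trusted in initramfs"
```

The same check applies to `tls-ca-bundle.pem`, which the procedure extracts from the secret but does not copy into the anchors directory.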