Skip to content

Commit

Permalink
Inject TLS ca cert into IPA ramdisk
Browse files Browse the repository at this point in the history
Jira: OSPRH-4541
  • Loading branch information
steveb committed Nov 14, 2024
1 parent bb9ef17 commit 613bc5e
Show file tree
Hide file tree
Showing 7 changed files with 83 additions and 49 deletions.
41 changes: 21 additions & 20 deletions pkg/ironic/initcontainer.go
Original file line number Diff line number Diff line change
Expand Up @@ -116,26 +116,6 @@ func InitContainer(init APIDetails) []corev1.Container {

var containers []corev1.Container

if init.PxeInit {
pxeInit := corev1.Container{
Name: "pxe-init",
Image: init.PxeContainerImage,
SecurityContext: &corev1.SecurityContext{
RunAsUser: &runAsUser,
},
Command: []string{
"/bin/bash",
},
Args: []string{
"-c",
PxeInitContainerCommand,
},
Env: envs,
VolumeMounts: init.VolumeMounts,
}
containers = append(containers, pxeInit)
}

initContainer := corev1.Container{
Name: "init",
Image: init.ContainerImage,
Expand Down Expand Up @@ -167,5 +147,26 @@ func InitContainer(init APIDetails) []corev1.Container {
containers = append(containers, ipaInit)
}

if init.PxeInit {
pxeInit := corev1.Container{
Name: "pxe-init",
Image: init.PxeContainerImage,
SecurityContext: &corev1.SecurityContext{
RunAsUser: &runAsUser,
Privileged: &init.Privileged,
},
Command: []string{
"/bin/bash",
},
Args: []string{
"-c",
PxeInitContainerCommand,
},
Env: envs,
VolumeMounts: init.VolumeMounts,
}
containers = append(containers, pxeInit)
}

return containers
}
1 change: 1 addition & 0 deletions pkg/ironicconductor/statefulset.go
Original file line number Diff line number Diff line change
Expand Up @@ -340,6 +340,7 @@ func StatefulSet(
VolumeMounts: initVolumeMounts,
PxeInit: true,
ConductorInit: true,
Privileged: true,
DeployHTTPURL: deployHTTPURL,
IngressDomain: ingressDomain,
ProvisionNetwork: instance.Spec.ProvisionNetwork,
Expand Down
33 changes: 19 additions & 14 deletions pkg/ironicinspector/initcontainer.go
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,6 @@ const (

// PxeInitContainerCommand -
PxeInitContainerCommand = "/usr/local/bin/container-scripts/inspector-pxe-init.sh"

)

// InitContainer - init container for Ironic Inspector pods
Expand Down Expand Up @@ -129,12 +128,31 @@ func InitContainer(init APIDetails) []corev1.Container {
}
containers = append(containers, inspectorInit)

if init.IpaInit {
ipaInit := corev1.Container{
Name: "ironic-python-agent-init",
Image: init.IronicPythonAgentImage,
SecurityContext: &corev1.SecurityContext{
Privileged: &init.Privileged,
},
Env: imageCopyEnvs,
VolumeMounts: init.VolumeMounts,
}
containers = append(containers, ipaInit)
}

if init.PxeInit {
pxeInit := corev1.Container{
Name: "inspector-pxe-init",
Image: init.PxeContainerImage,
SecurityContext: &corev1.SecurityContext{
RunAsUser: &runAsUser,
Capabilities: &corev1.Capabilities{
Add: []corev1.Capability{
"SYS_CHROOT",
"SETFCAP",
},
},
},
Command: []string{
"/bin/bash",
Expand All @@ -146,18 +164,5 @@ func InitContainer(init APIDetails) []corev1.Container {
containers = append(containers, pxeInit)
}

if init.IpaInit {
ipaInit := corev1.Container{
Name: "ironic-python-agent-init",
Image: init.IronicPythonAgentImage,
SecurityContext: &corev1.SecurityContext{
Privileged: &init.Privileged,
},
Env: imageCopyEnvs,
VolumeMounts: init.VolumeMounts,
}
containers = append(containers, ipaInit)
}

return containers
}
1 change: 1 addition & 0 deletions pkg/ironicinspector/statefulset.go
Original file line number Diff line number Diff line change
Expand Up @@ -351,6 +351,7 @@ func StatefulSet(
VolumeMounts: initVolumeMounts,
PxeInit: true,
IpaInit: true,
Privileged: true,
InspectorHTTPURL: inspectorHTTPURL,
IngressDomain: ingressDomain,
InspectionNetwork: instance.Spec.InspectionNetwork,
Expand Down
40 changes: 38 additions & 2 deletions templates/common/bin/pxe-init.sh
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,12 @@ set -ex


# Create TFTP, HTTP serving directories
mkdir -p /var/lib/ironic/tftpboot/pxelinux.cfg
mkdir -p /var/lib/ironic/httpboot
if [ ! -d "/var/lib/ironic/tftpboot/pxelinux.cfg" ]; then
mkdir -p /var/lib/ironic/tftpboot/pxelinux.cfg
fi
if [ ! -d "/var/lib/ironic/httpboot" ]; then
mkdir -p /var/lib/ironic/httpboot
fi
# Check for expected EFI directories
if [ -d "/boot/efi/EFI/centos" ]; then
efi_dir=centos
Expand All @@ -39,3 +43,35 @@ for dir in httpboot tftpboot; do
# Ensure all files are readable
chmod -R +r /var/lib/ironic/$dir
done

# Patch ironic-python-agent with custom CA certificates
if [ -f "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" ] && [ -f "/var/lib/ironic/httpboot/ironic-python-agent.initramfs" ]; then
# Extract the initramfs
cd /
mkdir initramfs
pushd initramfs
zcat /var/lib/ironic/httpboot/ironic-python-agent.initramfs | cpio -idmV
popd

# Copy the CA certificates
cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /initramfs/etc/pki/ca-trust/extracted/pem/
echo update-ca-trust | unshare -r chroot ./initramfs

# Repack the initramfs
pushd initramfs
find . | cpio -o -c --quiet -R root:root | gzip -1 > /var/lib/ironic/httpboot/ironic-python-agent.initramfs
fi

# Build an ESP image
pushd /var/lib/ironic/httpboot
if [ ! -a "esp.img" ]; then
dd if=/dev/zero of=esp.img bs=4096 count=1024
mkfs.msdos -F 12 -n 'ESP_IMAGE' esp.img

mmd -i esp.img EFI
mmd -i esp.img EFI/BOOT
mcopy -i esp.img -v bootx64.efi ::EFI/BOOT
mcopy -i esp.img -v grubx64.efi ::EFI/BOOT
mdir -i esp.img ::EFI/BOOT;
fi
popd
13 changes: 0 additions & 13 deletions templates/ironicconductor/bin/init.sh
Original file line number Diff line number Diff line change
Expand Up @@ -54,16 +54,3 @@ fi
if [ ! -d "/var/lib/ironic/ramdisk-logs" ]; then
mkdir /var/lib/ironic/ramdisk-logs
fi
# Build an ESP image
pushd /var/lib/ironic/httpboot
if [ ! -a "esp.img" ]; then
dd if=/dev/zero of=esp.img bs=4096 count=1024
mkfs.msdos -F 12 -n 'ESP_IMAGE' esp.img

mmd -i esp.img EFI
mmd -i esp.img EFI/BOOT
mcopy -i esp.img -v bootx64.efi ::EFI/BOOT
mcopy -i esp.img -v grubx64.efi ::EFI/BOOT
mdir -i esp.img ::EFI/BOOT;
fi
popd
3 changes: 3 additions & 0 deletions templates/ironicinspector/bin/init.sh
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@ export TRANSPORTURL=${TransportURL:-""}

export CUSTOMCONF=${CustomConf:-""}

if [ ! -d "/var/lib/ironic/httpboot" ]; then
mkdir /var/lib/ironic/httpboot
fi
if [ ! -d "/var/lib/ironic/ramdisk-logs" ]; then
mkdir /var/lib/ironic/ramdisk-logs
fi
Expand Down

0 comments on commit 613bc5e

Please sign in to comment.