Skip to content

Commit 72eeb51

Browse files
committed
Add BMCSettingsApplyResultEntry type to BMCSettings status for ETag-based drift detection
Add the BMCSettingsApplyResultEntry struct to api/v1alpha1/bmcsettings_types.go and the AppliedETags field to BMCSettingsStatus: type BMCSettingsApplyResultEntry struct { URI string `json:"uri,omitempty"` ETag string `json:"etag,omitempty"` ValueHash string `json:"valueHash,omitempty"` } AppliedETags map[string]BMCSettingsApplyResultEntry `json:"appliedETags,omitempty"` - URI: the Redfish resource URI from the apply response (Location header for POST-created resources; request URI for PATCH) - ETag: drift-detection token after the last successful apply — either a real ETag returned by the BMC (e.g. W/"20B77DA6") or a SHA-256 hash of the GET response prefixed with "hash:sha256:" for BMCs that do not return ETag headers - ValueHash: SHA-256 of the effective (resolved) value at apply time, used to detect desired-state changes from ConfigMap/Secret rotation without relying on metadata.generation The type is named BMCSettingsApplyResultEntry (rather than ApplyResultEntry) to follow the existing sub-type naming convention (BMCSettingsSpec, BMCSettingsStatus, BMCSettingsSetStatus, etc.) and to scope it clearly to the BMCSettings resource. Regenerate CRD manifests and deepcopy/applyconfiguration code via `make manifests generate`. No controller logic changes in this commit. Fixes #915 Part of #858 Signed-off-by: Andrew Dodds <andrew.dodds@sap.com>
1 parent e0b34f0 commit 72eeb51

60 files changed

Lines changed: 171536 additions & 0 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

BMC-AD-Config.md

Lines changed: 312 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,312 @@
1+
# BMC Directory Service Configuration - Requirements Definition - Extracted from sap.baremetal - deve-_role - bmc_directory
2+
3+
## Overview
4+
This document defines the functional requirements for BMC (Baseboard Management Controller) Active Directory/LDAP integration, based on existing automation for Dell iDRAC, HPE iLO, Lenovo XCC, and Lenovo IMM systems.
5+
6+
## Functional Requirements
7+
8+
### 1. Multi-Vendor BMC Support
9+
The solution must configure Active Directory integration for:
10+
- Dell iDRAC (versions < 10 and iDRAC 10)
11+
- HPE iLO
12+
- Lenovo XCC (XCC, XCC2, XCC3 variants)
13+
- Lenovo IMM (legacy systems)
14+
15+
### 2. Active Directory/LDAP Integration
16+
17+
#### 2.1 LDAP Server Configuration
18+
The solution must configure:
19+
- Domain controller hostname/IP address
20+
- LDAPS port (636)
21+
- Base Distinguished Name derived from domain (e.g., `DC=ad,DC=region,DC=cloud,DC=sap`)
22+
- Search username attribute: `sAMAccountName`
23+
- Authentication type: Username/Password
24+
25+
**Current Implementation:**
26+
- **Dell iDRAC**: PATCH to `/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DellAttributes/iDRAC.Embedded.1` with attributes:
27+
- `ActiveDirectory.1.DomainController1`: `<dc-hostname>`
28+
- `UserDomain.1.Name`: `<domain-name>`
29+
- `ActiveDirectory.1.AuthTimeout`: `120`
30+
- **HPE iLO**: PATCH to `/redfish/v1/AccountService/` with body:
31+
```json
32+
{
33+
"LDAP": {
34+
"ServiceAddresses": ["<dc-hostname>"],
35+
"Authentication": {
36+
"Username": "DC=<DN>"
37+
}
38+
}
39+
}
40+
```
41+
- **Lenovo XCC**: PATCH to `/redfish/v1/AccountService` with:
42+
```json
43+
{
44+
"LDAP": {
45+
"ServiceAddresses": ["<dc-hostname>:636"],
46+
"LDAPService": {
47+
"SearchSettings": {
48+
"BaseDistinguishedNames": ["DC=<DN>"],
49+
"UsernameAttribute": "sAMAccountName"
50+
}
51+
}
52+
}
53+
}
54+
```
55+
- **Lenovo IMM**: Raw CLI command: `ldap -s1ip <dc-hostname> -s1pn 636 -r <DN> -u sAMAccountName`
56+
57+
#### 2.2 Authentication Mode Configuration
58+
The solution must:
59+
- Enable local account authentication as fallback
60+
- Enable LDAP/Active Directory authentication
61+
- Configure hybrid authentication mode (LDAP + local)
62+
63+
**Current Implementation:**
64+
- **Dell iDRAC**: Sets `ActiveDirectory.1.Enable: "Enabled"` via manager attributes
65+
- **HPE iLO**: Sets `LocalAccountAuth: "Enabled"` in AccountService
66+
- **Lenovo XCC**: Sets `LocalAccountAuth: Fallback` in AccountService
67+
- **Lenovo IMM**: Raw CLI: `accseccfg -am ldaplocal`
68+
69+
#### 2.3 AD Group to Role Mapping
70+
The solution must:
71+
- Map multiple Active Directory groups to BMC administrator roles
72+
- Support region-specific group mappings (production vs QA/lab)
73+
- Clear existing group mappings before applying new configuration
74+
- Support vendor-specific slot/privilege models
75+
76+
**Current Implementation:**
77+
78+
**Dell iDRAC** (15 slots):
79+
- PATCH manager attributes with combined group data:
80+
```json
81+
{
82+
"ADGroup.1.Name": "<group-name>",
83+
"ADGroup.1.Privilege": 511, // full admin
84+
"ADGroup.1.Domain": "<domain>",
85+
"ADGroup.2.Name": "",
86+
"ADGroup.2.Privilege": 000, // empty slot
87+
...
88+
}
89+
```
90+
- iDRAC 10 uses `ADGroup.X.Role: "Administrator"` instead of Privilege
91+
92+
**HPE iLO** (dynamic):
93+
- PATCH to `/redfish/v1/AccountService/`:
94+
```json
95+
{
96+
"ActiveDirectory": {
97+
"RemoteRoleMapping": [
98+
{"LocalRole": "Administrator", "RemoteGroup": "<group1>"},
99+
{"LocalRole": "Administrator", "RemoteGroup": "<group2>"}
100+
]
101+
}
102+
}
103+
```
104+
105+
**Lenovo XCC2/XCC3** (dynamic):
106+
- PATCH to `/redfish/v1/AccountService`:
107+
```json
108+
{
109+
"LDAP": {
110+
"RemoteRoleMapping": [
111+
{"LocalRole": "Administrator", "RemoteGroup": "CP_CONV_BMAAS"}
112+
]
113+
}
114+
}
115+
```
116+
117+
**Lenovo XCC** (16 slots - legacy):
118+
- First, create empty mapping array, then update group profiles:
119+
- PATCH to `/redfish/v1/AccountService/Oem/Lenovo/GroupProfiles/Group<N>`:
120+
```json
121+
{
122+
"Privilege": ["Supervisor"],
123+
"GroupName": "<ad-group>"
124+
}
125+
```
126+
127+
**Lenovo IMM** (16 slots):
128+
- Get existing: `gprofile`
129+
- Delete all: `gprofile -<N> -clear`
130+
- Create new: `gprofile -<N> -n <group-name> -a super`
131+
132+
#### 2.4 DNS Configuration (Dell only)
133+
The solution must configure DNS servers for name resolution.
134+
135+
**Current Implementation:**
136+
- **Dell iDRAC < 10**: Manager attributes `IPv4Static.1.DNS1`, `IPv4Static.1.DNS2`
137+
- **Dell iDRAC 10**: Manager attributes `IPv4.1.StaticDNS1`, `IPv4.1.StaticDNS2`
138+
139+
### 3. SSL/TLS Certificate Management
140+
141+
#### 3.1 CA Certificate Installation
142+
The solution must:
143+
- Download CA certificate from specified URL
144+
- Install CA certificate on BMC for LDAPS validation
145+
- Enable certificate validation after installation
146+
147+
**Current Implementation:**
148+
149+
**Dell iDRAC**:
150+
- Download certificate via HTTP GET
151+
- POST to certificate endpoint with certificate content:
152+
- iDRAC < 10: `/redfish/v1/Dell/Managers/iDRAC.Embedded.1/DelliDRACCardService/Actions/DelliDRACCardService.ImportSSLCertificate`
153+
- iDRAC 10: Different path (version-specific)
154+
- Body: `{"CertificateType": "CA", "SSLCertificateFile": "<pem-content>"}`
155+
- Sets `ActiveDirectory.1.CertValidationEnable: "Enabled"`
156+
157+
**HPE iLO**:
158+
- Download certificate via HTTP GET
159+
- POST to `/redfish/v1/AccountService/ExternalAccountProviders/LDAP/Certificates/`:
160+
```json
161+
{
162+
"CertificateType": "PEM",
163+
"CertificateString": "<pem-content>"
164+
}
165+
```
166+
167+
**Lenovo XCC**:
168+
1. GET existing certificates: `/redfish/v1/AccountService/LDAP/Certificates`
169+
2. Disable LDAPS: PATCH `/redfish/v1/Managers/1/Oem/Lenovo/Security` with `{"SSLSettings": {"EnableLDAPS": false}}`
170+
3. Wait 5 seconds
171+
4. DELETE each existing certificate via returned `@odata.id`
172+
5. POST new certificate to `/redfish/v1/AccountService/LDAP/Certificates`:
173+
```json
174+
{
175+
"CertificateType": "PEM",
176+
"CertificateString": "<pem-content>"
177+
}
178+
```
179+
6. Wait 5 seconds
180+
7. Enable LDAPS: PATCH Security endpoint with `{"SSLSettings": {"EnableLDAPS": true}}`
181+
182+
**Lenovo IMM**:
183+
1. Disable SSL: `sslcfg -client disabled`
184+
2. Delete existing: `sslcfg -tc1 remove`, `sslcfg -tc2 remove`, etc. (4 slots)
185+
3. Import new: `sslcfg -tc1 import -i <tftp-server> -l <cert-path>`
186+
4. Check for self-signed cert: `sslcfg`
187+
5. Create if missing: `sslcfg -cert client -c DE -sp "BW" -cl "St. Leon Rot" -on "SAP SE" -hn <hostname>`
188+
6. Enable SSL: `sslcfg -client enabled`
189+
190+
#### 3.2 Certificate Validation
191+
The solution must enable LDAPS certificate validation after certificate installation.
192+
193+
**Current Implementation:**
194+
- **Dell**: Sets manager attribute `ActiveDirectory.1.CertValidationEnable: "Enabled"`
195+
- **HPE**: Automatic when certificate is installed
196+
- **Lenovo XCC**: Enables via `EnableLDAPS: true` in Security settings
197+
- **Lenovo IMM**: Enables via `sslcfg -client enabled`
198+
199+
### 4. Session Management
200+
201+
#### 4.1 Authentication Session Lifecycle
202+
The solution must:
203+
- Create authenticated session before configuration operations
204+
- Use session token for subsequent API calls
205+
- Delete session after operations complete
206+
207+
**Current Implementation (Redfish BMCs):**
208+
- **Session Creation**: POST to `/redfish/v1/SessionService/Sessions` with credentials, returns token
209+
- **Token Usage**: Include `X-Auth-Token: <token>` in all request headers
210+
- **Session Deletion**: DELETE to session URI after completion
211+
212+
**Lenovo IMM**: Uses SSH connection with username/password for raw CLI commands
213+
214+
### 5. Region-Specific Configuration
215+
216+
#### 5.1 Environment-Based Group Selection
217+
The solution must:
218+
- Identify deployment region (production, QA, lab)
219+
- Select appropriate AD groups based on region
220+
- Override production groups with QA-specific groups in test environments
221+
222+
**Current Implementation:**
223+
- Checks if `region in qa_regions` or `region in lab_regions`
224+
- Overrides `ad_group` variable with `ad_group_qa` when condition is true
225+
- Applies overridden groups to role mapping configuration
226+
227+
### 6. Vendor-Specific Requirements
228+
229+
#### 6.1 Dell iDRAC Version Detection
230+
The solution must detect iDRAC version and adjust configuration accordingly.
231+
232+
**Current Implementation:**
233+
- Checks if `model in idrac10_models`
234+
- Uses different manager attributes and API endpoints for iDRAC 10:
235+
- GC Root Domain setting: `ActiveDirectory.1.GCRootDomain: "<domain>"`
236+
- GC Lookup: `ActiveDirectory.1.GCLookupEnable: "Enabled"`
237+
- Different DNS attributes: `IPv4.1.StaticDNS1` vs `IPv4Static.1.DNS1`
238+
- Role-based privileges: `ADGroup.X.Role` vs `ADGroup.X.Privilege`
239+
240+
#### 6.2 Lenovo XCC Variant Detection
241+
The solution must detect XCC variant (XCC, XCC2, XCC3) and use appropriate API structure.
242+
243+
**Current Implementation:**
244+
- Checks `lenovo_xcc_type` variable
245+
- XCC2/XCC3: Use LDAP configuration in AccountService directly
246+
- XCC (legacy): Use separate GroupProfiles endpoint for privilege mapping
247+
- PATCH to `/redfish/v1/Managers/1/NetworkProtocol/Oem/Lenovo/LDAPClient` for initial LDAP client setup (all versions)
248+
249+
#### 6.3 HPE-Specific Settings
250+
The solution must configure HPE OEM-specific directory settings.
251+
252+
**Current Implementation:**
253+
- PATCH to `/redfish/v1/AccountService/` includes:
254+
```json
255+
{
256+
"Oem": {
257+
"Hpe": {
258+
"DirectorySettings": {
259+
"LdapAuthenticationMode": "DefaultSchema"
260+
}
261+
}
262+
}
263+
}
264+
```
265+
266+
### 7. Error Handling and Validation
267+
268+
#### 7.1 Operation Verification
269+
The solution must:
270+
- Verify successful HTTP status codes (200, 201, 202, 204)
271+
- Validate command output for CLI-based operations (check for "ok" in stdout)
272+
- Detect and report errors (import failures, authentication errors)
273+
274+
**Current Implementation:**
275+
- Ansible URI module: `status_code: [200, 201, 202, 204]`
276+
- Ansible raw CLI: `changed_when: '"ok" in stdout'` and `failed_when: '"Error" in stdout'`
277+
278+
#### 7.2 Timeout Configuration
279+
The solution must handle long-running operations with appropriate timeouts.
280+
281+
**Current Implementation:**
282+
- API timeouts range from 15 to 360 seconds depending on operation
283+
- Certificate operations: 120-300 seconds
284+
- Standard configuration: 120-360 seconds
285+
286+
### 8. Operational Requirements
287+
288+
#### 8.1 Wait Periods
289+
The solution must respect vendor timing requirements between operations.
290+
291+
**Current Implementation:**
292+
- Lenovo XCC: 5-second pause after disabling LDAPS and after certificate import
293+
- Implemented via: `ansible.builtin.pause: seconds: 5`
294+
295+
#### 8.2 Idempotency
296+
The solution must:
297+
- Clear existing configurations before applying new settings
298+
- Support re-running without creating duplicate entries
299+
- Only modify configurations that differ from desired state
300+
301+
**Current Implementation:**
302+
- Dell: Overwrites all 15 slots (populated and empty)
303+
- Lenovo IMM: Deletes all existing gprofiles before creating new ones
304+
- Lenovo XCC: Deletes all existing LDAP certificates before importing new one
305+
- HPE: Replaces entire RemoteRoleMapping array
306+
307+
#### 8.3 Certificate Validation Bypass
308+
The solution must disable SSL certificate validation when communicating with BMCs (self-signed certificates).
309+
310+
**Current Implementation:**
311+
- All Redfish API calls: `validate_certs: false`
312+
- Allows connection to BMCs with self-signed certificates

api/v1alpha1/applyconfiguration/api/v1alpha1/bmcsettingsapplyresultentry.go

Lines changed: 53 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

api/v1alpha1/applyconfiguration/api/v1alpha1/bmcsettingsstatus.go

Lines changed: 17 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)