Inject Ironic CA Cert in IPA

diconico07 · diconico07 · commit e2bc69339eb3 · 2025-12-17T14:20:51.000+01:00
Signed-off-by: Nicolas Belouin &lt;nicolas.belouin@suse.com&gt;
diff --git a/README.md b/README.md
@@ -125,13 +125,20 @@ media HTTP server configuration:
 - `IRONIC_VMEDIA_TLS_ENFORCE_SERVER_CIPHER_ORDER` - Setting this variable to
   `true` will make the server enforce its cipher list ordering for TLS version
   up to 1.2, defaults to `false`
+- `IRONIC_INSECURE` - Setting this variable to `true` will add the `ipa-insecure=1`
+  flag to the kernel command line, disabling TLS certificate verification by the
+  IPA image.
 
 The following mountpoints can be passed in to customize run-time
 functionality:
 
 - `/certs/ca/bmc` - The storage path of BMC CA certificates. If the path exists
   and verify_ca field in driver_info is True or None, the certificates in this
   path will be used.
+- `/certs/ca/ipa` - The storage path of IPA CA certificates. If the path exists
+  and `IRONIC_INSECURE` variable is not set to `true`, the certificates in this
+  path will be used by the Ironic Python Agent. The Ironic CA bundle will be
+  added to the trusted CA automatically.
 
 MariaDB configuration:
 
diff --git a/ironic-config/inspector.ipxe.j2 b/ironic-config/inspector.ipxe.j2
@@ -5,6 +5,7 @@ echo In inspector.ipxe
 imgfree
 # NOTE(dtantsur): keep inspection kernel params in [mdns]params in
 # ironic-inspector-image and configuration in configure-ironic.sh
-kernel --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
+kernel --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent.kernel {% if env.IRONIC_INSECURE %}ipa-insecure=1{% endif %} ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs initrd=ipa-cacert-bundle {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
 initrd --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent.initramfs || goto retry_boot
+initrd --timeout 60000 {{ env.IRONIC_HTTP_URL }}/ipa-cacert-bundle || goto retry_boot
 boot
diff --git a/ironic-config/ipxe_config.template b/ironic-config/ipxe_config.template
@@ -22,6 +22,8 @@ imgfree
 kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} selinux=0 troubleshoot=0 text {{ pxe_options.pxe_append_params|default("", true) }} BOOTIF=${mac} initrd={{ pxe_options.initrd_filename|default("deploy_ramdisk", true) }} || goto retry
 
 initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto retry
+# Load ipa-cacert-bundle, path is relative to the ipxe script that will be located in /shared/html/{node_id}/
+initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %} ../ipa-cacert-bundle || goto retry
 boot
 
 :retry
@@ -41,6 +43,7 @@ poweroff
 imgfree
 kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} text {{ pxe_options.pxe_append_params|default("", true) }} inst.ks={{ pxe_options.ks_cfg_url }} {% if pxe_options.repo_url %}inst.repo={{ pxe_options.repo_url }}{% else %}inst.stage2={{ pxe_options.stage2_url }}{% endif %} initrd=ramdisk || goto boot_anaconda
 initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_anaconda
+initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %} ../ipa-cacert-bundle || goto boot_anaconda
 boot
 
 :boot_ramdisk
@@ -50,6 +53,7 @@ sanboot {{ pxe_options.boot_iso_url }}
 {%- else %}
 kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} root=/dev/ram0 text {{ pxe_options.pxe_append_params|default("", true) }} {{ pxe_options.ramdisk_opts|default('', true) }} initrd=ramdisk || goto boot_ramdisk
 initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_ramdisk
+initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %} ../ipa-cacert-bundle || goto boot_ramdisk
 boot
 {%- endif %}
 
diff --git a/ironic-config/ironic.conf.j2 b/ironic-config/ironic.conf.j2
@@ -54,6 +54,7 @@ deploy_logs_local_path = /shared/log/ironic/deploy
 # See https://bugzilla.redhat.com/show_bug.cgi?id=1822763
 max_command_attempts = 30
 certificates_path = {{ env.IRONIC_GEN_CERT_DIR }}
+api_ca_file = {{ env.IPA_CACERT_FILE }}
 
 [api]
 {% if env.IRONIC_REVERSE_PROXY_SETUP == "true" %}
@@ -227,7 +228,7 @@ images_path = /shared/html/tmp
 instance_master_path = /shared/html/master_images
 tftp_master_path = /shared/tftpboot/master_images
 tftp_root = /shared/tftpboot
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal initrd=ipa-cacert-bundle {% if env.IRONIC_INSECURE %}ipa-insecure=1{% endif %} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 # This makes networking boot templates generated even for nodes using local
 # boot (the default), ensuring that they boot correctly even if they start
 # netbooting for some reason (e.g. with the noop management interface).
@@ -240,14 +241,14 @@ ipxe_config_template = /templates/ipxe_config.template
 
 [redfish]
 use_swift = false
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal {% if env.IRONIC_INSECURE %}ipa-insecure=1{% endif %} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 {% if env.BMC_TLS_ENABLED == "true" %}
 # idrac uses the same options as the redfish driver
 verify_ca = {{ env.BMC_CACERT_FILE }}
 {% endif %}
 
 [irmc]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal {% if env.IRONIC_INSECURE %}ipa-insecure=1{% endif %} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 {% if env.BMC_TLS_ENABLED == "true" %}
 verify_ca = {{ env.BMC_CACERT_FILE }}
 {% endif %}
diff --git a/main-packages-list.txt b/main-packages-list.txt
@@ -1,3 +1,4 @@
+cpio
 dnsmasq
 dosfstools
 httpd
diff --git a/scripts/rundnsmasq b/scripts/rundnsmasq
@@ -20,6 +20,7 @@ if [[ "${DNS_IP:-}" == "provisioning" ]]; then
 fi
 
 mkdir -p /shared/tftpboot
+mkdir -p /shared/html
 
 # Copy files to shared mount
 if [[ -r "${IPXE_CUSTOM_FIRMWARE_DIR}" ]]; then
@@ -30,6 +31,12 @@ else
     cp /tftpboot/undionly.kpxe /tftpboot/snponly.efi /shared/tftpboot
 fi
 
+generate_cacert_bundle_initrd /shared/tftpboot/ipa-cacert-bundle
+generate_cacert_bundle_initrd /shared/html/ipa-cacert-bundle
+
+# this will get dnsmasq killed on certificate update triggering a pod restart
+configure_restart_on_certificate_update "true" dnsmasq "${IPA_CACERTS_PATH}/*"
+
 # Template and write dnsmasq.conf
 # we template via /tmp as sed otherwise creates temp files in /etc directory
 # where we can't write
diff --git a/scripts/runironic b/scripts/runironic
@@ -24,4 +24,14 @@ if [[ "${BMC_TLS_ENABLED}" == "true" ]]; then
         "${BMC_CACERTS_PATH}" &
 fi
 
+if ls "${IPA_CACERTS_PATH}"/* > /dev/null 2>&1; then
+    # Ignore error if IRONIC_CACERT_FILE doesn't exist as it will still work as intended
+    # shellcheck disable=SC2034
+    watchmedo shell-command \
+        --patterns="*" \
+        --ignore-directories \
+        --command='cat "${IPA_CACERTS_PATH}"/* "${IRONIC_CACERT_FILE}" 2>/dev/null > "${IPA_CACERT_FILE}"' \
+        "${IPA_CACERTS_PATH}" &
+fi
+
 exec /usr/bin/ironic --config-dir "${IRONIC_CONF_DIR}"
diff --git a/scripts/tls-common.sh b/scripts/tls-common.sh
@@ -5,6 +5,8 @@ export IRONIC_SSL_PROTOCOL=${IRONIC_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
 export IPXE_SSL_PROTOCOL=${IPXE_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
 export IRONIC_VMEDIA_SSL_PROTOCOL=${IRONIC_VMEDIA_SSL_PROTOCOL:-"ALL"}
 
+export DEFAULT_CACERT_BUNDLE=${DEFAULT_CACERT_BUNDLE:-"/etc/ssl/cert.pem"}
+
 # Node image storage is using the same cert and port as the API
 export IRONIC_CERT_FILE=/certs/ironic/tls.crt
 export IRONIC_KEY_FILE=/certs/ironic/tls.key
@@ -23,6 +25,8 @@ export MARIADB_CACERT_FILE=/certs/ca/mariadb/tls.crt
 export BMC_CACERTS_PATH=/certs/ca/bmc
 export BMC_CACERT_FILE=/conf/bmc-tls.pem
 export IRONIC_CACERT_FILE=/certs/ca/ironic/tls.crt
+export IPA_CACERT_FILE=/conf/ipa-tls.pem
+export IPA_CACERTS_PATH=/certs/ca/ipa
 
 export IPXE_TLS_PORT="${IPXE_TLS_PORT:-8084}"
 
@@ -129,3 +133,37 @@ if ls "${BMC_CACERTS_PATH}"/* > /dev/null 2>&1; then
 else
     export BMC_TLS_ENABLED="false"
 fi
+
+if ls "${IPA_CACERTS_PATH}"/* > /dev/null 2>&1; then
+    cat "${IPA_CACERTS_PATH}"/* > "${IPA_CACERT_FILE}"
+else
+    if [ -f "${DEFAULT_CACERT_BUNDLE}" ]; then
+        copy_atomic "${DEFAULT_CACERT_BUNDLE}" "${IPA_CACERT_FILE}"
+    fi
+fi
+
+if [ -f "${IRONIC_CACERT_FILE}" ]; then
+    cat "${IRONIC_CACERT_FILE}" >> "${IPA_CACERT_FILE}"
+fi
+
+generate_cacert_bundle_initrd()
+(
+    local output_path="$1"
+    local temp_dir
+
+    temp_dir="$(mktemp -d)"
+
+    cd "${temp_dir}" || return
+
+    mkdir -p etc/ironic-python-agent.d etc/ironic-python-agent
+    cp "${IPA_CACERT_FILE}" etc/ironic-python-agent/ironic.crt
+    cat > etc/ironic-python-agent.d/ironic-tls.conf <<EOF
+[DEFAULT]
+cafile = /etc/ironic-python-agent/ironic.crt
+EOF
+
+    find . | cpio -o -H newc --reproducible >> "${output_path}"
+
+    # Remove temp directory
+    cd && rm -rf "${temp_dir}"
+)

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+cpio`
`1`	`2`	`dnsmasq`
`2`	`3`	`dosfstools`
`3`	`4`	`httpd`