:sparkles: Inject Ironic CA Cert in IPA by diconico07 · Pull Request #851 · metal3-io/ironic-image

diconico07 · 2025-12-15T10:40:45Z

What this PR does / why we need it:

This PR adds a way to inject the Ironic CA as well as additional CA certificates into the IPA image, it allows removing the ipa-insecure flag and actually validate the Ironic certificate from the IPA.

This solution should work for both virtualmedia and PXE based deployments.

Checklist:

Documentation has been updated, if necessary.
Integration tests have been added, if necessary.

metal3-io-bot · 2025-12-15T10:40:52Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign iurygregory for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

metal3-io-bot · 2025-12-15T10:40:58Z

Hi @diconico07. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

diconico07 · 2025-12-15T10:44:46Z

Putting as draft for now, as I didn't get time to test it works as expected in all situations (in particular I'll try to setup a PXE environment to test it works with PXE).
This is not the solution we currently use at SUSE to get rid of the ipa-insecure flag (we do the injection in the ipa downloader), but this one should be more future-proof as we can get IPA images that are not coming from the ipa downloader.

Rozzii · 2025-12-16T15:28:11Z

/ok-to-test

Rozzii · 2025-12-16T15:28:51Z

/test metal3-centos-e2e-integration-test-main
/test metal3-ubuntu-e2e-integration-test-main

Rozzii · 2025-12-16T15:29:52Z

scripts/tls-common.sh

+    cp "${IPA_CACERT_FILE}" etc/ironic-python-agent/ironic.crt
+
+    find . | cpio -o -H newc --reproducible >> "${output_path}"
+)


Fix the unexpected EOF please.

Rozzii · 2025-12-16T15:31:00Z

scripts/tls-common.sh

+EOF
+    cp "${IPA_CACERT_FILE}" etc/ironic-python-agent/ironic.crt
+
+    find . | cpio -o -H newc --reproducible >> "${output_path}"


Just checking.
If I remember correctly you have mentioned this only works with an initrd that is compressed with "zstd" or some other specific compression method right?

Not this one, the way we currently do it at SUSE in the IPA downloader only works with "zstd" or other compression methods where you can simply append to the file.
Here it is a different initrd file that is loaded by PXE in addition to the IPA one (I do not compress it actually since I don't think it would be relevant, but we could also compress it here if needed)

Copilot

Pull request overview

This PR implements a mechanism to inject the Ironic CA certificate and additional CA certificates into the IPA (Ironic Python Agent) image, enabling proper TLS certificate verification. The key changes make the ipa-insecure flag conditional (controlled by the IRONIC_INSECURE environment variable) instead of being always enabled, improving the security posture of both PXE and virtual media deployments.

Creates an initrd bundle containing the CA certificates and IPA configuration
Modifies kernel parameters across multiple boot methods to conditionally enable TLS verification
Adds support for dynamic certificate updates via watchmedo monitoring

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
scripts/tls-common.sh	Defines IPA certificate paths, creates CA bundle combining custom and Ironic CAs, and implements generate_cacert_bundle_initrd function to create initrd with certificate configuration
scripts/runironic	Adds watchmedo monitoring to update IPA_CACERT_FILE when IPA certificates change
scripts/rundnsmasq	Generates ipa-cacert-bundle initrd files for both TFTP and HTTP paths, and sets up certificate update monitoring
ironic-config/ironic.conf.j2	Configures api_ca_cert parameter and makes ipa-insecure flag conditional across pxe, redfish, and irmc drivers
ironic-config/ipxe_config.template	Adds ipa-cacert-bundle initrd loading to deploy, anaconda, and ramdisk boot paths
ironic-config/inspector.ipxe.j2	Adds ipa-cacert-bundle initrd loading and makes ipa-insecure flag conditional for inspection boot
README.md	Documents the new IRONIC_INSECURE environment variable and /certs/ca/ipa mount point

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

scripts/tls-common.sh

Copilot · 2025-12-16T15:41:00Z

scripts/tls-common.sh

+[DEFAULT]
+cafile = /etc/ironic-python-agent/ironic.crt
+EOF
+    cp "${IPA_CACERT_FILE}" etc/ironic-python-agent/ironic.crt


The cp command for IPA_CACERT_FILE doesn't check if the source file exists or if the copy was successful. If IPA_CACERT_FILE doesn't exist or the copy fails, the function will continue to create an incomplete initrd bundle, which could cause TLS verification failures in IPA.

Consider adding validation that IPA_CACERT_FILE exists and the copy succeeds before proceeding to create the cpio archive.

Suggested change

cp "${IPA_CACERT_FILE}" etc/ironic-python-agent/ironic.crt

if [ ! -f "${IPA_CACERT_FILE}" ]; then

echo "ERROR: IPA_CACERT_FILE '${IPA_CACERT_FILE}' does not exist. Cannot create initrd bundle." >&2

exit 1

fi

if ! cp "${IPA_CACERT_FILE}" etc/ironic-python-agent/ironic.crt; then

echo "ERROR: Failed to copy '${IPA_CACERT_FILE}' to 'etc/ironic-python-agent/ironic.crt'." >&2

exit 1

fi

scripts/runironic

scripts/tls-common.sh

ironic-config/ironic.conf.j2

ironic-config/ipxe_config.template

scripts/rundnsmasq

Copilot · 2025-12-16T15:41:02Z

scripts/rundnsmasq

+generate_cacert_bundle_initrd /shared/tftpboot/ipa-cacert-bundle
+generate_cacert_bundle_initrd /shared/html/images/ipa-cacert-bundle


The generate_cacert_bundle_initrd function calls are missing error handling. If the function fails (e.g., due to disk space issues, permission problems, or missing IPA_CACERT_FILE), the script will continue without any indication of the failure. This could lead to deployments using an outdated or missing CA certificate bundle.

Consider checking the return value of these function calls or adding set -e error handling to catch failures.

Copilot · 2025-12-16T15:41:02Z

ironic-config/ironic.conf.j2


 [irmc]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal {% if env.IRONIC_INSECURE %}ipa-insecure=1{% endif %} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes


The kernel_append_params for the irmc driver is missing the initrd=ipa-cacert-bundle parameter that was added to the pxe driver. This means virtual media deployments using the irmc driver won't have the CA certificate bundle injected, breaking TLS verification for IPA in irmc-based deployments.

The initrd=ipa-cacert-bundle parameter should be added to this line, similar to line 231.

Suggested change

kernel_append_params = nofb nomodeset vga=normal {% if env.IRONIC_INSECURE %}ipa-insecure=1{% endif %} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes

kernel_append_params = nofb nomodeset vga=normal initrd=ipa-cacert-bundle {% if env.IRONIC_INSECURE %}ipa-insecure=1{% endif %} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes

diconico07 · 2025-12-17T10:45:11Z

/retest

diconico07 · 2025-12-17T10:47:58Z

/test metal3-centos-e2e-integration-test-main
/test metal3-ubuntu-e2e-integration-test-main

diconico07 · 2025-12-17T14:06:46Z

/test metal3-centos-e2e-integration-test-main
/test metal3-ubuntu-e2e-integration-test-main

Copilot

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 10 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

ironic-config/inspector.ipxe.j2

Copilot · 2025-12-17T14:32:18Z

scripts/tls-common.sh

+
+    cd "${temp_dir}" || return
+
+    mkdir -p etc/ironic-python-agent.d etc/ironic-python-agent


The mkdir -p commands for creating the directory structure do not have error checking. If the directory creation fails (e.g., due to permissions), the subsequent cp command will fail. While the function will return an error due to the subshell ( usage and bash's error propagation, it would be clearer to check the result explicitly or ensure the script has proper error handling enabled with set -e within the subshell.

Copilot · 2025-12-17T14:32:19Z

ironic-config/ironic.conf.j2

 certificates_path = {{ env.IRONIC_GEN_CERT_DIR }}
+api_ca_file = {{ env.IPA_CACERT_FILE }}


The api_ca_file configuration is unconditionally set to {{ env.IPA_CACERT_FILE }}, but this file may not exist in all scenarios (e.g., when no IPA CA certificates are provided, no default CA bundle exists, and no Ironic CA certificate is available). This could cause Ironic to fail if it expects a valid file path. Consider adding a conditional check similar to the webserver_verify_ca pattern above (lines 32-36) to only set this when the file exists.

Suggested change

certificates_path = {{ env.IRONIC_GEN_CERT_DIR }}

api_ca_file = {{ env.IPA_CACERT_FILE }}

certificates_path = {{ env.IRONIC_GEN_CERT_DIR }}

{% if env.IPA_CACERT_FILE %}

api_ca_file = {{ env.IPA_CACERT_FILE }}

{% endif %}

to me an empty file would denote a configuration issue (default bundle path not correctly set) and thus I'm not sure we want to make it conditional here, but I'm not opposed to do so if you see other benefits to it.

Copilot · 2025-12-17T14:32:19Z

scripts/tls-common.sh

+
+    cd "${temp_dir}" || return
+
+    mkdir -p etc/ironic-python-agent.d etc/ironic-python-agent


The generate_cacert_bundle_initrd function may fail silently if the IPA_CACERT_FILE does not exist. This can happen when there are no IPA CA certificates and no default CA bundle available. The function should check if the source file exists before attempting to copy it, or handle the error explicitly.

Suggested change

mkdir -p etc/ironic-python-agent.d etc/ironic-python-agent

mkdir -p etc/ironic-python-agent.d etc/ironic-python-agent

if [ ! -f "${IPA_CACERT_FILE}" ]; then

echo "ERROR: IPA CA certificate bundle '${IPA_CACERT_FILE}' not found; cannot generate initrd bundle." >&2

return 1

fi

scripts/tls-common.sh

scripts/runironic

Copilot · 2025-12-17T14:32:20Z

README.md

+- `/certs/ca/ipa` - The storage path of IPA CA certificates. If the path exists
+  and `IRONIC_INSECURE` variable is not set to `true`, the certificates in this
+  path will be used by the Ironic Python Agent. The Ironic CA bundle will be
+  added to the trusted CA automatically.


The documentation states that when IRONIC_INSECURE is not set to true, the IPA certificates will be used. However, this is misleading because the default value of IRONIC_INSECURE is set to false in scripts/tls-common.sh line 3. The documentation should clarify that the default behavior is to use TLS certificate verification (i.e., secure by default), and setting IRONIC_INSECURE=true explicitly disables it.

scripts/tls-common.sh

Copilot · 2025-12-17T14:32:21Z

ironic-config/ipxe_config.template

 kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} selinux=0 troubleshoot=0 text {{ pxe_options.pxe_append_params|default("", true) }} BOOTIF=${mac} initrd={{ pxe_options.initrd_filename|default("deploy_ramdisk", true) }} || goto retry

 initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto retry
+# Load ipa-cacert-bundle, path is relative to the ipxe script that will be located in /shared/html/{node_id}/


The initrd reference path ../ipa-cacert-bundle is relative and assumes a specific directory structure. This may break if the iPXE script location changes. Consider using an absolute path or documenting the expected directory structure more explicitly in the comment.

Suggested change

# Load ipa-cacert-bundle, path is relative to the ipxe script that will be located in /shared/html/{node_id}/

# Load ipa-cacert-bundle. The "../ipa-cacert-bundle" path is intentionally relative to the iPXE script,

# which is expected to be located in /shared/html/{node_id}/, with ipa-cacert-bundle in its parent directory.

# If the script location or directory layout changes, this relative path must be updated accordingly.

Path is intentionally relative to the script, but as we generate the ipa-cacert-bundle in another script, not sure if it's useful to say more here.

scripts/tls-common.sh

diconico07 · 2026-02-11T09:48:20Z

/test metal3-centos-e2e-integration-test-main
/test metal3-ubuntu-e2e-integration-test-main

tuminoid · 2026-02-23T09:44:33Z

/test metal3-ubuntu-e2e-integration-test-main

Rozzii · 2026-02-23T10:18:22Z

ironic-config/ipxe_config.template

-{%- set aki_path_https_elements = pxe_options.deployment_aki_path.split(':') %}
-{%- set aki_port_and_path = aki_path_https_elements[2].split('/') %}
-{%- set aki_afterport = aki_port_and_path[1:]|join('/') %}
-{%- set aki_path_https = ['https:', aki_path_https_elements[1], ':8084/', aki_afterport]|join %}
-{%- endif %}
-{%- if pxe_options.deployment_ari_path %}
-{%- set ari_path_https_elements = pxe_options.deployment_ari_path.split(':') %}
-{%- set ari_port_and_path = ari_path_https_elements[2].split('/') %}
-{%- set ari_afterport = ari_port_and_path[1:]|join('/') %}
-{%- set ari_path_https = ['https:', ari_path_https_elements[1], ':8084/', ari_afterport]|join %}
-{%- endif %}


Is there any particular reason why we don't need this section anymore? This is for TLS enabled IPXE firmware and not related to the certs within the IPA image.

To properly inject the CA when using iPXE it needs to always use the custom templated version (see the change in ironic.conf.j2).
I then remembered #898 that stated this is no longer needed, if this is not true (wasn't able to check as I don't have TLS enabled on my local PXE setup), then we'll likely need to use a different template whether we are in TLS enabled setup or not.

Looked again, more closely and found it safer to go back to having this, put a conditional to only use it when we're in HTTPS iPXE (look at the change in runironic for how it's handled)

diconico07 · 2026-02-24T13:20:38Z

Made a bunch of changes to how it works:

Use WEBSERVER_CACERT_FILE instead of a specific new directory for base CA bundle
Check if we can actually verify the Ironic cert with the generated bundle and if not set IPA_INSECURE to 1 (so reverting to old behavior if we're not able to verify Ironic cert)
Allow override of IRONIC_CACERT_FILE path to ease configuration, e.g. when using Cert Manager it may put the CA cert in the certificate secret as ca.crt key, so this will enable users that are in this case to just override the CACERT path rather than mount another secret with the CA

With these changes, as we fall back to IPA_INSECURE if we are not able to verify certificate both IrSO and regular e2e test suite should work.

diconico07 · 2026-02-24T13:21:57Z

/test metal3-centos-e2e-integration-test-main
/test metal3-ubuntu-e2e-integration-test-main

diconico07 · 2026-02-25T07:12:13Z

/retest

tuminoid · 2026-02-25T08:22:26Z

/test metal3-centos-e2e-integration-test-main
/test metal3-ubuntu-e2e-integration-test-main

diconico07 · 2026-02-25T09:37:18Z

/test metal3-centos-e2e-integration-test-main
/test metal3-ubuntu-e2e-integration-test-main

diconico07 · 2026-03-09T15:18:25Z

/test metal3-centos-e2e-integration-test-main
/test metal3-ubuntu-e2e-integration-test-main

elfosardo · 2026-03-10T09:32:46Z

scripts/tls-common.sh

+cafile = /etc/ironic-python-agent/ironic.crt
+EOF
+
+    find . | cpio -o -H newc -R +0:+0 --reproducible >> "${output_path}"


I wonder if we could find an alternative to a piped method
if we can't, let's maybe sort before using cpio

The piped method is the easiest one, as other methods would involve either manual listing of the files (error prone) or creating a filelist using the exact same find mechanism, added a sort though

scripts/tls-common.sh

tuminoid

Some nits, but some concerns as well. Hope you can follow the chain of though through the review comments (I use ... to signal the next step is next comment)

tuminoid · 2026-03-11T07:22:12Z

scripts/configure-ironic.sh

 fi

+if [[ "${IPXE_TLS_SETUP,,}" == "true" ]]; then
+    sed -i 's/set ipxe_tls_setup = false/set ipxe_tls_setup = true/' /templates/ipxe_config.template


/templates is on read-only filesystem when read-only filesystem hardening is enabled.

Moved the template to /conf then

scripts/tls-common.sh

scripts/runironic

scripts/tls-common.sh

tuminoid · 2026-03-11T07:30:55Z

scripts/tls-common.sh

+    copy_atomic "${WEBSERVER_CACERT_FILE}" "${IPA_CACERT_FILE}"
+elif [ -f "${DEFAULT_CACERT_BUNDLE}" ]; then
+    copy_atomic "${DEFAULT_CACERT_BUNDLE}" "${IPA_CACERT_FILE}"
+fi


There is no else here...

would a

else echo "Missing TLS CA Bundle" exit 1

be okay for you, or should I find another way ?

tuminoid · 2026-03-11T07:31:12Z

scripts/tls-common.sh

+    copy_atomic "${DEFAULT_CACERT_BUNDLE}" "${IPA_CACERT_FILE}"
+fi
+
+if [ -f "${IRONIC_CACERT_FILE}" ]; then


and we might not have this either....

tuminoid · 2026-03-11T07:32:19Z

scripts/tls-common.sh

+
+if ! openssl verify -CAfile "${IPA_CACERT_FILE}" "${IRONIC_CERT_FILE}" > /dev/null 2>&1; then
+    # if we are unable to verify the Ironic cert file set IPA_INSECURE to true
+    export IRONIC_IPA_INSECURE="1"


...which leads to IPA being insecure, fine...

tuminoid · 2026-03-11T07:33:17Z

scripts/tls-common.sh

+    cd "${temp_dir}" || return
+
+    mkdir -p etc/ironic-python-agent.d etc/ironic-python-agent
+    cp "${IPA_CACERT_FILE}" etc/ironic-python-agent/ironic.crt


...then we end up here copying non-existent files, and doing bad configs....

tuminoid · 2026-03-11T07:33:49Z

ironic-config/inspector.ipxe.j2

 # ironic-inspector-image and configuration in configure-ironic.sh
 {{ kernel_cmdline('${ipa_kernel}', '${ipa_ramdisk_name}') }}
 initrd --timeout 60000 ${ipa_ramdisk} || goto retry_boot
+initrd --timeout 60000 {{ env.IRONIC_HTTP_URL }}/ipa-cacert-bundle || goto retry_boot


...and eventually we end up here doing reboot loop?

- Use WEBSERVER_CACERT_FILE as base bundle if set - Use image's default otherwise - Append Ironic CA if available - Check if Ironic cert can be verified to set IPA insecure mode - Always use templated version of iPXE script Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>

diconico07 · 2026-03-13T10:59:41Z

/test metal3-centos-e2e-integration-test-main
/test metal3-ubuntu-e2e-integration-test-main

metal3-io-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 15, 2025

metal3-io-bot requested review from Rozzii and elfosardo December 15, 2025 10:40

metal3-io-bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Dec 15, 2025

metal3-io-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Dec 15, 2025

diconico07 force-pushed the inject_cacert branch from f51be45 to 09155fc Compare December 16, 2025 13:44

diconico07 marked this pull request as ready for review December 16, 2025 13:53

metal3-io-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 16, 2025

metal3-io-bot requested a review from tuminoid December 16, 2025 13:53

metal3-io-bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 16, 2025

Rozzii reviewed Dec 16, 2025

View reviewed changes

Rozzii requested a review from Copilot December 16, 2025 15:31

Copilot started reviewing on behalf of Rozzii December 16, 2025 15:32 View session

Copilot AI reviewed Dec 16, 2025

View reviewed changes

diconico07 force-pushed the inject_cacert branch from 09155fc to dfe04e5 Compare December 17, 2025 10:36

diconico07 force-pushed the inject_cacert branch from dfe04e5 to e2bc693 Compare December 17, 2025 13:20

tuminoid requested a review from Copilot December 17, 2025 14:21

Copilot started reviewing on behalf of tuminoid December 17, 2025 14:21 View session

Copilot AI reviewed Dec 17, 2025

View reviewed changes

diconico07 force-pushed the inject_cacert branch from e2bc693 to a38467e Compare February 11, 2026 09:12

diconico07 mentioned this pull request Feb 19, 2026

Pass CA certificates in addition to just key/certificate metal3-io/ironic-standalone-operator#90

Open

Rozzii reviewed Feb 23, 2026

View reviewed changes

diconico07 force-pushed the inject_cacert branch from 286d905 to 5966f7c Compare February 24, 2026 12:57

metal3-io-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 24, 2026

diconico07 force-pushed the inject_cacert branch from 5966f7c to 6ddb3ea Compare February 24, 2026 13:07

metal3-io-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 24, 2026

diconico07 force-pushed the inject_cacert branch from 6ddb3ea to a9bf65e Compare February 24, 2026 14:08

diconico07 force-pushed the inject_cacert branch from a9bf65e to da46845 Compare February 25, 2026 08:32

metal3-io-bot added the needs-rebase Indicates that a PR cannot be merged because it has merge conflicts with HEAD. label Mar 1, 2026

diconico07 force-pushed the inject_cacert branch from da46845 to 39902d5 Compare March 9, 2026 15:14

metal3-io-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed needs-rebase Indicates that a PR cannot be merged because it has merge conflicts with HEAD. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 9, 2026

elfosardo reviewed Mar 10, 2026

View reviewed changes

tuminoid reviewed Mar 11, 2026

View reviewed changes

diconico07 force-pushed the inject_cacert branch from 39902d5 to af4ca2a Compare March 13, 2026 09:14

metal3-io-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 13, 2026

diconico07 force-pushed the inject_cacert branch from af4ca2a to 41e8dab Compare March 13, 2026 09:53

-    cp "${IPA_CACERT_FILE}" etc/ironic-python-agent/ironic.crt
+    if [ ! -f "${IPA_CACERT_FILE}" ]; then
+        echo "ERROR: IPA_CACERT_FILE '${IPA_CACERT_FILE}' does not exist. Cannot create initrd bundle." >&2
+        exit 1
+    fi
+    if ! cp "${IPA_CACERT_FILE}" etc/ironic-python-agent/ironic.crt; then
+        echo "ERROR: Failed to copy '${IPA_CACERT_FILE}' to 'etc/ironic-python-agent/ironic.crt'." >&2
+        exit 1
+    fi

		generate_cacert_bundle_initrd /shared/tftpboot/ipa-cacert-bundle
		generate_cacert_bundle_initrd /shared/html/images/ipa-cacert-bundle

	kernel_append_params = nofb nomodeset vga=normal {% if env.IRONIC_INSECURE %}ipa-insecure=1{% endif %} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA\|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY\|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS\|trim }} systemd.journald.forward_to_console=yes
	kernel_append_params = nofb nomodeset vga=normal initrd=ipa-cacert-bundle {% if env.IRONIC_INSECURE %}ipa-insecure=1{% endif %} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA\|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY\|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS\|trim }} systemd.journald.forward_to_console=yes


		cd "${temp_dir}" \|\| return

		mkdir -p etc/ironic-python-agent.d etc/ironic-python-agent

		certificates_path = {{ env.IRONIC_GEN_CERT_DIR }}
		api_ca_file = {{ env.IPA_CACERT_FILE }}

-# Load ipa-cacert-bundle, path is relative to the ipxe script that will be located in /shared/html/{node_id}/
+# Load ipa-cacert-bundle. The "../ipa-cacert-bundle" path is intentionally relative to the iPXE script,
+# which is expected to be located in /shared/html/{node_id}/, with ipa-cacert-bundle in its parent directory.
+# If the script location or directory layout changes, this relative path must be updated accordingly.

Conversation

diconico07 commented Dec 15, 2025

Uh oh!

metal3-io-bot commented Dec 15, 2025

Uh oh!

metal3-io-bot commented Dec 15, 2025

Uh oh!

diconico07 commented Dec 15, 2025

Uh oh!

Rozzii commented Dec 16, 2025

Uh oh!

Rozzii commented Dec 16, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

diconico07 Dec 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Copilot AI Dec 16, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot AI Dec 16, 2025

Choose a reason for hiding this comment

Uh oh!

Copilot AI Dec 16, 2025

Choose a reason for hiding this comment

Uh oh!

diconico07 commented Dec 17, 2025

Uh oh!

diconico07 commented Dec 17, 2025

Uh oh!

diconico07 commented Dec 17, 2025

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Copilot AI Dec 17, 2025

Choose a reason for hiding this comment

Uh oh!

Copilot AI Dec 17, 2025

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Copilot AI Dec 17, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Copilot AI Dec 17, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Copilot AI Dec 17, 2025

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

diconico07 commented Feb 11, 2026

Uh oh!

tuminoid commented Feb 23, 2026

Uh oh!

Choose a reason for hiding this comment

diconico07 Dec 16, 2025 •

edited

Loading

tuminoid Mar 11, 2026 •

edited

Loading