OCPEDGE-1825: [TNF] Reworked TNF logic to render fencing block conditionally.

jaypoulz · jaypoulz · commit fad6268ccfa4 · 2025-05-07T14:03:53.000-04:00
Two Node OpenShift with Fencing (TNF) is a deployment topology with two control-plane nodes that was introduce as a Dev Preview in OpenShift 4.19. This commit updates the logic around TNF to only render fencing credentials in releases 4.19 and up, and also the sslInsecure parameter so that it uses certificateVerification in 4.20 and up, as introduced in openshift/installer#9640.
diff --git a/02_configure_host.sh b/02_configure_host.sh
@@ -128,9 +128,17 @@ if [[ $(uname -m) == "aarch64" ]]; then
   echo "libvirt_cdrombus: scsi" >> vm_setup_vars.yml
 fi
 
+ironic_prefix_env_var="ironic_prefix=${CLUSTER_NAME}_"
+# If this is a Two Node OpenShift with Fencing (TNF) installation
+# the name of the entry in the infra_nodes.json must match the hostname
+# of the created host so that the fencing secret can be found
+if  [[ -z "${ENABLE_ARBITER:-}" ]] && [[ "${NUM_MASTERS}" -eq 2 ]]; then
+    ironic_prefix_env_var="ironic_prefix=''"
+fi
+
 ansible-playbook \
     -e @vm_setup_vars.yml \
-    -e "ironic_prefix=${CLUSTER_NAME}_" \
+    -e "${ironic_prefix_dev_env}" \
     -e "cluster_name=${CLUSTER_NAME}" \
     -e "provisioning_network_name=${PROVISIONING_NETWORK_NAME}" \
     -e "baremetal_network_name=${BAREMETAL_NETWORK_NAME}" \
diff --git a/utils.sh b/utils.sh
@@ -304,6 +304,13 @@ EOF
 }
 
 function node_map_to_install_config_fencing_credentials() {
+  TNF_ENABLED_RELEASE=4.19
+
+  # If we didn't support TNF in this release, we skip rendering the fencing block
+  if is_lower_version "$(openshift_version "${OCP_DIR}")" "$TNF_ENABLED_RELEASE"; then
+    return 0
+  fi
+
   if  [[ -z "${ENABLE_ARBITER:-}" ]] && [[ "${NUM_MASTERS}" -eq 2 ]]; then
 	cat <<EOF
   fencing:
@@ -320,7 +327,15 @@ EOF
       address: ${address}
       username: ${username}
       password: ${password}
-      sslInsecure: true
+EOF
+      # We don't support overriding certificateVerification in 4.19
+      if [ $(openshift_version "${OCP_DIR}") == "$TNF_ENABLED_RELEASE" ]; then
+        continue
+      fi
+
+      certificate_verification=$([ node_val ${idx} "driver_info.disableCertificateVerification" | tr '[:upper:]' '[:lower:]' == "true" ] && echo -n "Disabled" || echo -n "Enabled")
+      cat <<EOF
+      certificateVerification: ${certificate_verification}
 EOF
 	done
 	fi
