Support Let's Encrypt certs for Ironic HTTPS vmedia server

Add optional lzBmcHostname variable so that publicly trusted certificates
(e.g. Let's Encrypt) can be used for the Ironic HTTPS vmedia server.
Let's Encrypt only issues DNS SANs, not IP SANs, so the previous
requirement that the cert SAN cover lzBmcIP was incompatible with LE.

When lzBmcHostname is set, IRONIC_EXTERNAL_IP is set to the hostname
instead of lzBmcIP, producing vmedia URLs of the form
https://<hostname>:6183/... that the BMC can resolve via DNS. The
PROVISIONING_IP (used by Apache for socket binding) remains lzBmcIP.
Cert SAN validation in validations.sh is updated to check against the
hostname when set, falling back to lzBmcIP for the existing IP-SAN flow.
generate_ironic_cert.sh also emits a DNS+IP SAN when a hostname is
configured, keeping CI self-signed certs working in both modes.

Signed-off-by: Rafa Porres Molina <rporresm@redhat.com>
Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: rporres

config/certificates.example.yaml

@@ -50,7 +50,9 @@ sslCACertificate: |
 
 # Ironic HTTP Server TLS Certificate (optional)
 # Required when serving boot ISOs over HTTPS to the BMC.
-# The SAN on this certificate must cover lzBmcIP.
+# The SAN on this certificate must cover lzBmcHostname (DNS SAN, for Let's Encrypt certs)
+# or lzBmcIP (IP SAN, for private CA certs). Set lzBmcHostname in global.yaml when using
+# a publicly trusted certificate such as Let's Encrypt.
 ironicHTTPSCertificate: ""
 
 ironicHTTPSKey: ""

config/global.example.yaml

@@ -29,6 +29,12 @@ rendezvousIP: YOUR_RENDEZVOUS_IP      # Example: 192.168.2.24
 # LZ IP where HTTP server serves the installation ISO to IPMI nodes
 lzBmcIP: YOUR_LZ_WEB_SERVER_IP        # Example: 100.64.1.10
 
+# DNS hostname for the LZ BMC interface (optional).
+# When set, Ironic HTTPS vmedia URLs use this hostname instead of lzBmcIP.
+# Required when using publicly trusted certificates (e.g. Let's Encrypt), which
+# only support DNS SANs. The hostname must resolve to lzBmcIP from the BMC network.
+# lzBmcHostname: mirror.example.com
+
 # ============================================================================
 # Quay Registry Configuration
 # ============================================================================

docs/CONFIGURATION_REFERENCE.md

@@ -233,6 +233,25 @@ lzBmcIP: 100.64.1.10
 - ISO will be served at `http://{{ lzBmcIP }}/assisted/agent.x86_64.iso`
 - Ensure HTTP server (Apache/Nginx) is running on this host
 
+#### `lzBmcHostname`
+
+**Description**: DNS hostname for the LZ BMC interface. Optional. When set, Ironic constructs HTTPS vmedia URLs using this hostname instead of `lzBmcIP`.
+
+**Type**: String (DNS hostname)
+
+**Required**: No. Set this when using publicly trusted TLS certificates (e.g. Let's Encrypt) for the Ironic vmedia server. Let's Encrypt only issues DNS SANs, not IP SANs, so the certificate SAN must match a hostname rather than an IP address.
+
+**Example**:
+```yaml
+lzBmcHostname: mirror.example.com
+```
+
+**Notes**:
+- The hostname must resolve to `lzBmcIP` from the BMC network
+- When set, `ironicHTTPSCertificate` must have a DNS SAN matching this hostname
+- When not set, the IP-based flow is used and `ironicHTTPSCertificate` must have an IP SAN matching `lzBmcIP`
+- `PROVISIONING_IP` (used for Apache binding) always remains `lzBmcIP`; only the vmedia URL changes
+
 #### `defaultNtpServers`
 
 **Description**: Optional list of additional NTP server addresses for cluster nodes. When not set, the cluster uses its default NTP sources.
@@ -1098,7 +1117,9 @@ instead of plain HTTP.
 **Type**: String (PEM format)
 
 **Required**: Yes, when HTTPS vmedia is desired. Must be provided together
-with `ironicHTTPSKey`. The certificate SAN must cover `lzBmcIP`.
+with `ironicHTTPSKey`. The certificate SAN must cover `lzBmcHostname`
+(DNS SAN, for publicly trusted certs such as Let's Encrypt) or `lzBmcIP`
+(IP SAN, for private CA certs) depending on which is configured.
 
 **Example**:
 ```yaml

playbooks/tasks/deploy_ironic_containers.yaml

@@ -87,7 +87,7 @@
     ironic_env: >-
       {{ ironic_env | combine({
            'VMEDIA_TLS_PORT': '6183',
-           'IRONIC_EXTERNAL_IP': lzBmcIP
+           'IRONIC_EXTERNAL_IP': lzBmcHostname | default(lzBmcIP)
          }) }}
 
 - name: Run ironic container

playbooks/templates/quadlets/metal3-ironic-api.container.j2

@@ -34,7 +34,7 @@ Environment=WEBSERVER_CACERT_FILE=/certs/ca-bundle.crt
 {% endif %}
 {% if ironic_https_configured | default(false) | bool %}
 Environment=VMEDIA_TLS_PORT=6183
-Environment=IRONIC_EXTERNAL_IP={{ lzBmcIP }}
+Environment=IRONIC_EXTERNAL_IP={{ lzBmcHostname | default(lzBmcIP) }}
 {% endif %}
 Exec=/bin/runironic
 HealthCmd=curl -sf http://localhost:6385/

schemas/definitions.yaml

@@ -16,6 +16,10 @@ definitions:
     type: string
     minLength: 1
     description: A non-empty string value
+  hostname:
+    type: string
+    pattern: "^[a-zA-Z0-9]([a-zA-Z0-9\\-]*[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]*[a-zA-Z0-9])?)*$"
+    description: A valid DNS hostname
   disconnected:
     type: boolean
     description: >-

schemas/variables.yaml

@@ -60,6 +60,8 @@ properties:
             type: array
             items:
               type: string
+  lzBmcHostname:
+    "$ref": "#/definitions/hostname"
   lzBmcIP:
     "$ref": "#/definitions/ipv4Address"
   machineNetwork:

scripts/deployment/generate_ironic_cert.sh

@@ -62,16 +62,17 @@ if ! ssh_test_connection; then
     exit 1
 fi
 
-# Read lzBmcIP from config/global.yaml on the Landing Zone
+# Read lzBmcIP and optional lzBmcHostname from config/global.yaml on the Landing Zone
 LZ_BMC_IP=$(ssh_exec "awk '/^lzBmcIP:/ {print \$2}' ${LZ_ENCLAVE_DIR}/config/global.yaml")
 
 if [ -z "$LZ_BMC_IP" ]; then
     error "Could not read lzBmcIP from config/global.yaml on Landing Zone"
     exit 1
 fi
 
+LZ_BMC_HOSTNAME=$(ssh_exec "awk '/^lzBmcHostname:/ {print \$2}' ${LZ_ENCLAVE_DIR}/config/global.yaml" 2>/dev/null || echo "")
+
 info "Generating TLS certificate for Ironic ISO server"
-info "SAN: IP:${LZ_BMC_IP}"
 
 # Work in a temp directory; cleaned up on exit
 WORK_DIR=$(mktemp -d)
@@ -85,8 +86,15 @@ openssl req -new \
     -out "${WORK_DIR}/server.csr" \
     2>/dev/null
 
-# Write SAN extension to a file (process substitution does not work with sudo)
-echo "subjectAltName=IP:${LZ_BMC_IP}" > "${WORK_DIR}/san.ext"
+# Write SAN extension - include DNS SAN when lzBmcHostname is configured so that
+# publicly trusted (e.g. Let's Encrypt) certs can also be used
+if [[ -n "$LZ_BMC_HOSTNAME" ]]; then
+    info "SAN: DNS:${LZ_BMC_HOSTNAME},IP:${LZ_BMC_IP}"
+    echo "subjectAltName=DNS:${LZ_BMC_HOSTNAME},IP:${LZ_BMC_IP}" > "${WORK_DIR}/san.ext"
+else
+    info "SAN: IP:${LZ_BMC_IP}"
+    echo "subjectAltName=IP:${LZ_BMC_IP}" > "${WORK_DIR}/san.ext"
+fi
 
 # Sign with CA; serial file goes into the temp dir to avoid writing to the
 # sudo-owned SUSHY_DIR

validations.sh

@@ -341,9 +341,11 @@ checkCerts ingress "*.apps.$cluster_fqdn" .sslIngressCertificateKey .sslIngressC
 
 # Check Ironic HTTPS certificate (optional)
 lz_bmc_ip=$(getValue .lzBmcIP)
+lz_bmc_hostname=$(getValue .lzBmcHostname 2>/dev/null || echo "")
+ironic_cert_name="${lz_bmc_hostname:-$lz_bmc_ip}"
 ironic_https_cert=$(getValue .ironicHTTPSCertificate)
 if [[ -n "$ironic_https_cert" && "$ironic_https_cert" != "null" ]]; then
-    checkCerts ironic_https "$lz_bmc_ip" .ironicHTTPSKey .ironicHTTPSCertificate
+    checkCerts ironic_https "$ironic_cert_name" .ironicHTTPSKey .ironicHTTPSCertificate
 else
     validation pass ironic_https_skipped "Ironic HTTPS certificate not configured. Skipping validation"
 fi