Add HTTPS support for Ironic vmedia server with CI trust chain

[rporres]

Introduce end-to-end HTTPS serving for Ironic virtual media ISOs,
including a CA-based trust chain for CI.

HTTPS vmedia support (Ansible)

• Rename http_server_* variables to protocol-neutral iso_server_* names.
• Derive ironic_https_configured from ironicHttpsCertificate.
• Mount vmedia TLS cert/key as podman secrets into both the httpd and
  ironic containers; set IRONIC_EXTERNAL_IP and VMEDIA_TLS_PORT so
  configure-ironic.sh generates https:// virtual media URLs.
• Expose VMEDIA_TLS_PORT in the httpd container env (default 6183);
  replace all hardcoded port references with ironic_vmedia_https_port.
• Replace the temporary Python HTTP server with an /iso bind-mount into
  the Ironic container, using a file:// URL for boot_iso.
• Health-check the HTTPS vmedia port with wait_for wrapped in a
  block/rescue: on timeout, capture podman logs httpd and re-fail with a
  descriptive message.

CA trust chain for CI

• generate_ironic_ca.sh: generate a CA before infrastructure starts;
  write key+cert to ironic-ca/ (never relabeled by container SELinux
  mounts) and copy into the sushy-tools working directory.
• generate_ironic_cert.sh: after the Landing Zone is up, read lzBmcIP
  via SSH, sign a server CSR with the CA, export cert+key to GITHUB_ENV.
• start_sushy_tools.sh: install the CA into the container trust store via
  podman exec update-ca-trust; log when CA is absent.
• deploy_phase.sh: inject ENCLAVE_IRONIC_HTTPS, ENCLAVE_IRONIC_CERT, and
  ENCLAVE_IRONIC_KEY into phase_vars.yaml as YAML block scalars; use
  printf "%s\n" when feeding PEM values to while-read to prevent the
  closing PEM marker from being silently dropped.

Test HTTPS in connected, HTTP in disconnected

• e2e-deployment.yml: enable HTTPS in e2e-connected. e2e-disconnected job
  only exercises the HTTP-only code path (port 6180, no certs injected).
• Add if: env.ENCLAVE_IRONIC_HTTPS == 'true' guard to the
  Generate Ironic ISO server TLS certificate step in both jobs so the
  step is skipped when HTTPS is not configured.
• Makefile.ci: wrap generate_ironic_ca.sh in an ENCLAVE_IRONIC_HTTPS
  check so the disconnected run skips CA generation and logs an
  informative message instead.

Signed-off-by: Rafa Porres Molina rporresm@redhat.com

Assisted-by: Claude noreply@anthropic.com

https://redhat.atlassian.net/browse/MGMT-22877

Summary by CodeRabbit

• New Features

  • Optional HTTPS support for serving boot ISOs/vmedia with configurable certificate, key, and CA.

• Chores

  • Automatic CA and short-lived server certificate generation and provisioning for vmedia HTTPS.
  • Hosting now supports HTTP or HTTPS and will restart when protocol, certificate, or key changes.
  • Deployment validates that certificate and key are provided together and installs the CA into local trust stores when present.
  • CI deployment flows add CA/cert generation steps and propagate HTTPS flags into deployments.

• Tests/Validation

  • Optional validation step now checks provided Ironic HTTPS certificates (skips if not provided).

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds optional HTTPS support for the Ironic ISO/vmedia server: new CA/cert generation scripts, an HTTPS static server, playbook/task updates to conditionally start/use TLS and manage secrets, CI workflow steps/env to generate and export certs, deployment script updates to inject certs, and validation for the optional cert.

Changes

Cohort / File(s)	Summary
Workflow & CI .github/workflows/e2e-deployment.yml	Sets ENCLAVE_IRONIC_HTTPS: 'true', inserts generate_ironic_ca and generate_ironic_cert steps into e2e jobs, and updates failure-detection mapping to include the new steps.
Config Example config/certificates.example.yaml	Adds ironicHttpsCertificate: "" and ironicHttpsKey: "" example keys with comment noting SAN must cover lzBmcIP.
Playbooks — ISO server setup/teardown/bootstrap playbooks/tasks/configure_hardware_ironic_setup.yaml, playbooks/tasks/configure_hardware_ironic_cleanup.yaml, playbooks/tasks/configure_hardware_ironic_boot.yaml	Replaces http_server_* with iso_server_*, implements protocol-aware HTTP/HTTPS start/stop (mode/pid tracking), writes/reads cert/key temp files, switches ISO URL scheme/port based on TLS config, expands cleanup to remove TLS artifacts and vmedia secrets.
Ironic Deployment Tasks playbooks/tasks/deploy_ironic.yaml	Adds ironic_https_configured detection and assertion, conditionally creates Podman secrets ironic-vmedia-cert/-key, mounts secrets into httpd when TLS enabled, restarts httpd on secret change, sets VMEDIA_TLS_PORT, and adds HTTPS vmedia readiness check using CA when present.
Deployment Orchestration scripts/deployment/deploy_phase.sh	Injects multiline ironicHttpsCertificate/ironicHttpsKey/ironicHttpsCaCertificate into generated phase vars when corresponding env vars are set and logs HTTPS enablement.
Certificate Generation Scripts scripts/deployment/generate_ironic_ca.sh, scripts/deployment/generate_ironic_cert.sh	Adds CA generator (self-signed CA) and cert generator (CSR signed by CA, SAN = LZ BMC IP). generate_ironic_cert.sh exports ENCLAVE_IRONIC_CERT/ENCLAVE_IRONIC_KEY/ENCLAVE_IRONIC_CA to GITHUB_ENV or prints to stdout.
HTTPS Static Server scripts/deployment/https_server.py	Adds a TLS-capable static file server (args: port, directory, certfile, keyfile) using Python ssl + http.server.
Infrastructure scripts/infrastructure/start_sushy_tools.sh	Installs generated CA into sushy-tools container trust store when ${SUSHY_DIR}/ca.crt exists.
Validation validations.sh	Adds conditional certificate validation ironic_https: validates provided ironicHttpsCertificate/ironicHttpsKey against the LZ BMC IP when present; otherwise records a skip.

Sequence Diagram(s)

sequenceDiagram
    participant CI as CI Workflow
    participant GenCA as generate_ironic_ca.sh
    participant GenCert as generate_ironic_cert.sh
    participant Deploy as deploy_phase.sh
    participant Ansible as Ansible Playbooks
    participant VMedia as https_server.py / http server
    participant Ironic as Ironic/node

    CI->>GenCA: run to create CA (ca.crt, ca.key)
    GenCA-->>CI: CA artifacts
    CI->>GenCert: run to create server cert/key (SAN = lzBmcIP)
    GenCert-->>CI: ENCLAVE_IRONIC_CERT/KEY/CA
    CI->>Deploy: inject cert/key/ca into phase_vars
    Deploy->>Ansible: start playbooks with HTTPS vars
    Ansible->>VMedia: start vmedia server (https_server.py) or http server
    VMedia-->>Ansible: server ready on (https|http)://lzBmcIP:iso_port
    Ansible->>Ironic: configure boot ISO URL (choose http/https)
    Ironic->>VMedia: request agent.x86_64.iso
    VMedia-->>Ironic: serve ISO

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add HTTPS support for Ironic vmedia server with CI trust chain' accurately reflects the main objective of the PR: adding HTTPS support to the Ironic ISO server and establishing a CI-based certificate trust chain, which is the central focus of the substantial changes across multiple files.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ironic-https-server-MGMT-22877

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🧹 Nitpick comments (1)

scripts/deployment/https_server.py (1)

6-9: Consider adding argument validation for clearer error messages.

If arguments are missing, IndexError will be raised with an unclear message. Since the Ansible task controls invocation, this is low risk, but explicit validation would aid debugging.

♻️ Proposed argument validation

+if len(sys.argv) != 5:
+    sys.exit(f"Usage: {sys.argv[0]} <port> <directory> <certfile> <keyfile>")
+
 port = int(sys.argv[1])
 directory = sys.argv[2]
 certfile = sys.argv[3]
 keyfile = sys.argv[4]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/deployment/https_server.py` around lines 6 - 9, Add explicit argument
validation in https_server.py before using sys.argv to avoid IndexError: check
that len(sys.argv) >= 5 (or use argparse) and if not, raise a clear error or
print a usage message indicating required arguments (port, directory, certfile,
keyfile). Place the check above the assignments to port, directory, certfile,
keyfile so the script fails with a descriptive message instead of an IndexError.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@playbooks/tasks/configure_hardware_ironic_setup.yaml`:
- Around line 19-29: The current PID-only liveness checks (tasks using
iso_server_pidfile and iso_server_check) must be made config-aware: when a PID
exists and the process is running, inspect the process command/args or bound
socket to determine if it was started with the current ironic_https_configured
value and current certs; if there is a mismatch (protocol or cert fingerprint
differs) treat the server as stale and restart it (terminate PID and start
fresh). Also update the PEM rewrite tasks (the tasks that rewrite PEM files) to
trigger the same restart flow after cert rotation so an existing HTTPS process
is restarted and begins serving the new certificate.

In `@playbooks/tasks/deploy_ironic.yaml`:
- Around line 38-40: The current check sets ironic_https_configured true if only
ironicHttpsCertificate exists, which later causes undefined-variable errors when
ironicHttpsKey is missing; update the ansible.builtin.set_fact that sets
ironic_https_configured to require both ironicHttpsCertificate and
ironicHttpsKey to be defined and non-empty (e.g., test both | defined and |
length > 0) so HTTPS is only enabled when both PEM values are present, and
ensure downstream tasks that dereference ironicHttpsKey (in
playbooks/tasks/configure_hardware_ironic_setup.yaml and this task) will only
run when ironic_https_configured is true.

In `@scripts/deployment/generate_ironic_ca.sh`:
- Around line 27-46: The script writes the CA private key into SUSHY_DIR and
makes it world-readable; move ca.key out of the mounted SUSHY_DIR into a
non-mounted, restricted location (e.g. a local secure dir under WORKING_DIR like
WORKING_DIR/ironic-ca or a secure temp dir), write ca.crt into SUSHY_DIR only,
set strict permissions on the private key (chmod 600) and avoid sudoing it to
644, and update the other script generate_ironic_cert.sh to reference the new
private-key path (keep ca.crt path unchanged for start_sushy_tools.sh). Ensure
you modify references to ca.key and ca.crt in generate_ironic_ca.sh and
generate_ironic_cert.sh accordingly.

In `@scripts/deployment/generate_ironic_cert.sh`:
- Around line 42-49: The script loads dev-scripts config using
ENCLAVE_CLUSTER_NAME but then computes LZ_VM_NAME from CLUSTER_NAME, causing
mismatched cluster selection; update the code so ENCLAVE_CLUSTER_NAME is the
single source of truth: ensure ENCLAVE_CLUSTER_NAME is initialized
(ENCLAVE_CLUSTER_NAME="${ENCLAVE_CLUSTER_NAME:-enclave-test}"), call
load_devscripts_config, and then derive LZ_VM_NAME from ENCLAVE_CLUSTER_NAME
(e.g., LZ_VM_NAME="${ENCLAVE_CLUSTER_NAME}_landingzone_0") instead of using
CLUSTER_NAME, and remove or sync CLUSTER_NAME to avoid divergence.

In `@scripts/deployment/https_server.py`:
- Around line 14-16: The SSLContext initialization using ssl.PROTOCOL_TLS_SERVER
allows older TLS versions; update the context created in the code that sets ctx
= ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) to explicitly enforce TLS 1.2+ by
setting the context's minimum_version (e.g., ctx.minimum_version =
ssl.TLSVersion.TLSv1_2) or equivalent API before calling ctx.load_cert_chain and
ctx.wrap_socket; adjust the code around ctx, load_cert_chain, and server.socket
= ctx.wrap_socket(server.socket, server_side=True) to ensure only TLSv1.2 and
higher are permitted.

---

Nitpick comments:
In `@scripts/deployment/https_server.py`:
- Around line 6-9: Add explicit argument validation in https_server.py before
using sys.argv to avoid IndexError: check that len(sys.argv) >= 5 (or use
argparse) and if not, raise a clear error or print a usage message indicating
required arguments (port, directory, certfile, keyfile). Place the check above
the assignments to port, directory, certfile, keyfile so the script fails with a
descriptive message instead of an IndexError.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 26c4be6b-b693-4f2d-bc12-00e3ede704bf

📥 Commits

Reviewing files that changed from the base of the PR and between c34c4d9 and 53b389a.

📒 Files selected for processing (12)

• .github/workflows/e2e-deployment.yml
• config/certificates.example.yaml
• playbooks/tasks/configure_hardware_ironic_boot.yaml
• playbooks/tasks/configure_hardware_ironic_cleanup.yaml
• playbooks/tasks/configure_hardware_ironic_setup.yaml
• playbooks/tasks/deploy_ironic.yaml
• scripts/deployment/deploy_phase.sh
• scripts/deployment/generate_ironic_ca.sh
• scripts/deployment/generate_ironic_cert.sh
• scripts/deployment/https_server.py
• scripts/infrastructure/start_sushy_tools.sh
• validations.sh

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@playbooks/tasks/configure_hardware_ironic_setup.yaml`:
- Around line 25-29: The current check only tests PID existence; update the
"Check if ISO server process is running" task (the task that reads
iso_server_pidfile and registers iso_server_check) to validate the process
command before trusting the pidfile: read /proc/{{ iso_server_pidfile }}
contents to get pid, then inspect /proc/<pid>/cmdline or use ps -o args= for
that pid and confirm it matches expected identifiers (e.g., "http.server" or
"https_server.py") and only then set iso_server_check as authoritative; apply
the same validated-check logic to the later tasks that decide to kill or skip
starting the ISO server (the tasks that act on iso_server_check and the pidfile)
so you never kill or reuse a recycled/unrelated PID.

In `@playbooks/tasks/deploy_ironic.yaml`:
- Around line 66-82: Update the two containers.podman.podman_secret tasks for
"ironic-vmedia-cert" and "ironic-vmedia-key" to use force: true so Podman
actually updates secrets on reruns, and ensure the httpd container task that
currently uses state: started will be restarted when those secrets change—either
change that task to state: restarted (or set recreate: true if supported) or add
a notify/handler (e.g., "Restart httpd container") and have the secret tasks
notify it so the httpd container is recreated/restarted after secret rotation.

In `@scripts/deployment/generate_ironic_cert.sh`:
- Around line 109-128: The script generate_ironic_cert.sh currently exports only
ENCLAVE_IRONIC_CERT and ENCLAVE_IRONIC_KEY to GITHUB_ENV; also export the CA
certificate referenced by CA_CRT (the CA PEM at variable CA_CRT) as
ENCLAVE_IRONIC_CA in the same GITHUB_ENV/stdout blocks and ensure
phase_vars.yaml is populated with that CA value so downstream playbooks can
consume it; then update playbooks playbooks/tasks/deploy_ironic.yaml and
playbooks/tasks/configure_hardware_ironic_setup.yaml to stop using
validate_certs: false and instead point ansible.builtin.uri’s ca_path parameter
to the deployed CA file (from phase_vars ENCLAVE_IRONIC_CA) so HTTPS readiness
probes validate against the correct trust chain.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 44b3ce9d-f89b-48b6-96e8-bfbcd2e52011

📥 Commits

Reviewing files that changed from the base of the PR and between 53b389a and 21db3c8.

📒 Files selected for processing (6)

• playbooks/tasks/configure_hardware_ironic_cleanup.yaml
• playbooks/tasks/configure_hardware_ironic_setup.yaml
• playbooks/tasks/deploy_ironic.yaml
• scripts/deployment/generate_ironic_ca.sh
• scripts/deployment/generate_ironic_cert.sh
• scripts/deployment/https_server.py

🚧 Files skipped from review as they are similar to previous changes (3)

• playbooks/tasks/configure_hardware_ironic_cleanup.yaml
• scripts/deployment/https_server.py
• scripts/deployment/generate_ironic_ca.sh

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@playbooks/tasks/configure_hardware_ironic_setup.yaml`:
- Around line 150-159: The HTTPS verification task "Verify ISO is accessible via
temporary HTTPS server" currently unconditionally sets ca_path to "{{
ironic_ca_certfile | default(omit) }}", which can still pass an empty value;
change the task to only provide ca_path when a custom CA is actually set by
replacing the ca_path assignment with a conditional that uses omit when
ironic_ca_certfile is undefined or empty (e.g. use a Jinja expression testing
ironic_ca_certfile is defined and not empty, otherwise omit). Ensure the
variable name referenced is ironic_ca_certfile and mirror the same conditional
fix applied in deploy_ironic.yaml.

In `@playbooks/tasks/deploy_ironic.yaml`:
- Around line 66-79: The task sets ironic_ca_certfile whenever
ironic_https_configured is true but only writes the file when
ironicHttpsCaCertificate is provided, so ca_path may point to a non-existent
file; update the playbook to only define/set the ironic_ca_certfile variable
when ironicHttpsCaCertificate is defined and non-empty (i.e., add the same
conditional used for the copy task), and ensure any downstream use of ca_path
(the verification task that consumes ironic_ca_certfile) checks that
ironic_ca_certfile is defined before passing it to ca_path to avoid referencing
a missing file.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 949748e8-b7db-4a41-b15f-aec0d7900689

📥 Commits

Reviewing files that changed from the base of the PR and between 21db3c8 and 88d14c5.

📒 Files selected for processing (5)

• playbooks/tasks/configure_hardware_ironic_cleanup.yaml
• playbooks/tasks/configure_hardware_ironic_setup.yaml
• playbooks/tasks/deploy_ironic.yaml
• scripts/deployment/deploy_phase.sh
• scripts/deployment/generate_ironic_cert.sh

🚧 Files skipped from review as they are similar to previous changes (3)

• playbooks/tasks/configure_hardware_ironic_cleanup.yaml
• scripts/deployment/deploy_phase.sh
• scripts/deployment/generate_ironic_cert.sh

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

scripts/infrastructure/start_sushy_tools.sh (1)

243-251: LGTM - Consider adding a debug log for the skip case.

The CA installation logic is correct: path mapping aligns with the container mount, the trust anchor location is appropriate for RHEL/Fedora-based images, and the && chain ensures atomicity. With set -euo pipefail, a failure to install an expected CA will correctly abort the script rather than silently continuing with broken TLS.

For observability, you might want to add an else branch with a debug/info message when the CA file isn't found, which can help during troubleshooting:

💡 Optional improvement for observability

 if [ -f "${SUSHY_DIR}/ca.crt" ]; then
     info "Installing Ironic ISO server CA into sushy-tools container trust store..."
     sudo podman exec "$CONTAINER_NAME" bash -c \
         "cp /root/sushy/ca.crt /etc/pki/ca-trust/source/anchors/ironic-iso-ca.crt && update-ca-trust"
     success "Ironic ISO server CA installed in sushy-tools trust store"
+else
+    info "No Ironic ISO server CA found, skipping trust store update (HTTPS not configured)"
 fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/infrastructure/start_sushy_tools.sh` around lines 243 - 251, Add an
else branch to the existing CA-installation if-block so we log when the CA file
is missing; specifically, in the block that checks [ -f "${SUSHY_DIR}/ca.crt" ]
(which currently calls info, podman exec cp/update-ca-trust, and success), add
an else that emits a concise info/debug message (using the same info function)
like "CA not found at ${SUSHY_DIR}/ca.crt; skipping Ironic ISO CA installation
for ${CONTAINER_NAME}" to improve observability when the install is skipped.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@playbooks/tasks/deploy_ironic.yaml`:
- Around line 295-305: The HTTPS vmedia verification task "Verify HTTPS vmedia
server accessibility" uses a hardcoded port 8083 which doesn't exist; replace
the literal ":8083" on the URL with a configurable port variable (e.g.,
vmedia_https_port) and default it to the actual service port (use the
metal3-ironic HTTP_PORT value 6180 or the existing iso_server_port) so the URL
becomes "https://{{ lzBmcIP }}:{{ vmedia_https_port }} /" (ensure
vmedia_https_port is set or defaults to iso_server_port or 6180) and keep the
existing conditional use of ironic_ca_certfile and ironic_https_configured
unchanged.

---

Nitpick comments:
In `@scripts/infrastructure/start_sushy_tools.sh`:
- Around line 243-251: Add an else branch to the existing CA-installation
if-block so we log when the CA file is missing; specifically, in the block that
checks [ -f "${SUSHY_DIR}/ca.crt" ] (which currently calls info, podman exec
cp/update-ca-trust, and success), add an else that emits a concise info/debug
message (using the same info function) like "CA not found at
${SUSHY_DIR}/ca.crt; skipping Ironic ISO CA installation for ${CONTAINER_NAME}"
to improve observability when the install is skipped.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 251c3d46-1675-480d-8ffc-e7fd92aca715

📥 Commits

Reviewing files that changed from the base of the PR and between 88d14c5 and 2be96de.

📒 Files selected for processing (12)

• .github/workflows/e2e-deployment.yml
• config/certificates.example.yaml
• playbooks/tasks/configure_hardware_ironic_boot.yaml
• playbooks/tasks/configure_hardware_ironic_cleanup.yaml
• playbooks/tasks/configure_hardware_ironic_setup.yaml
• playbooks/tasks/deploy_ironic.yaml
• scripts/deployment/deploy_phase.sh
• scripts/deployment/generate_ironic_ca.sh
• scripts/deployment/generate_ironic_cert.sh
• scripts/deployment/https_server.py
• scripts/infrastructure/start_sushy_tools.sh
• validations.sh

✅ Files skipped from review due to trivial changes (2)

• config/certificates.example.yaml
• playbooks/tasks/configure_hardware_ironic_cleanup.yaml

🚧 Files skipped from review as they are similar to previous changes (5)

• playbooks/tasks/configure_hardware_ironic_boot.yaml
• scripts/deployment/https_server.py
• .github/workflows/e2e-deployment.yml
• scripts/deployment/generate_ironic_ca.sh
• scripts/deployment/generate_ironic_cert.sh

[github-actions]

Tarball created: quay.io/edge-infrastructure/enclave:236c9a1ad938944141fa44c1aa76c712338b9bcf (236c9a1)