feat: support specifying bmc verify ca

zouy414 · dtantsur · commit a502e901dea7 · 2025-11-11T16:17:18.000+01:00
Signed-off-by: Zou Yu &lt;zouy.fnst@fujitsu.com&gt;
diff --git a/data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template b/data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template
@@ -22,6 +22,9 @@ Volume=ironic.volume:/shared:z
 Volume=/opt/openshift/tls/ironic/:/certs/vmedia/:z
 {{ end }}
 Volume=/opt/openshift/tls/ironic/:/certs/ironic/:z
+{{ if ne len(.PlatformData.BareMetal.BMCVerifyCA) 0 }}
+Volume=/tmp/cert/ca/bmc:/certs/ca/bmc:z
+{{ end }}
 Environment="IRONIC_RAMDISK_SSH_KEY=${IRONIC_RAMDISK_SSH_KEY}"
 Environment="PROVISIONING_INTERFACE=${PROVISIONING_INTERFACE}"
 Environment="OS_CONDUCTOR__HEARTBEAT_TIMEOUT=120"
diff --git a/data/data/bootstrap/baremetal/files/usr/local/bin/build-ironic-env.sh b/data/data/bootstrap/baremetal/files/usr/local/bin/build-ironic-env.sh
@@ -23,6 +23,11 @@ build_ironic_env() {
     printf 'CUSTOMIZATION_IMAGE="%s"\n' "$(image_for machine-image-customization-controller)"
     printf 'MACHINE_OS_IMAGES_IMAGE="%s"\n' "$(image_for machine-os-images)"
 
+    if [[ "$BMC_VERIFY_CA" ]]; then
+        mkdir -p /tmp/cert/ca/bmc
+        echo "$BMC_VERIFY_CA" > /tmp/cert/ca/bmc/verify_ca.crt
+    fi
+
     # set password for ironic basic auth
     # The ironic container contains httpd (and thus httpd-tools), so rely on it
     # to supply the htpasswd command
diff --git a/data/data/bootstrap/baremetal/systemd/units/build-ironic-env.service.template b/data/data/bootstrap/baremetal/systemd/units/build-ironic-env.service.template
@@ -10,6 +10,7 @@ Environment="PROVISIONING_MAC={{.PlatformData.BareMetal.ProvisioningInterfaceMAC
 Environment="PROVISIONING_NETWORK_TYPE={{.PlatformData.BareMetal.ProvisioningNetwork}}"
 Environment="IRONIC_IP={{index .PlatformData.BareMetal.APIVIPs 0}}"
 Environment="IRONIC_USERNAME={{.PlatformData.BareMetal.IronicUsername}}"
+Environment="BMC_VERIFY_CA={{.PlatformData.BareMetal.BMCVerifyCA}}"
 ExecStart=/usr/local/bin/build-ironic-env.sh
 Type=oneshot
 RemainAfterExit=true
diff --git a/data/data/bootstrap/bootstrap-in-place/files/opt/openshift/bootstrap-in-place/bootstrap-in-place-post-reboot.sh b/data/data/bootstrap/bootstrap-in-place/files/opt/openshift/bootstrap-in-place/bootstrap-in-place-post-reboot.sh
@@ -13,7 +13,7 @@ function wait_for_api {
 }
 
 # This is required since the progress service (https://github.com/openshift/installer/blob/dd9047c4c119e942331f702a4b7da85c60042da5/data/data/bootstrap/files/usr/local/bin/report-progress.sh#L22-L33),
-# usually dedicated to creating the bootstrap ConfigMap, will fail to create this configmap in case of bootstrap-in-place single node deployment, 
+# usually dedicated to creating the bootstrap ConfigMap, will fail to create this configmap in case of bootstrap-in-place single node deployment,
 # due to the lack of a control plane when bootkube is complete
 function signal_bootstrap_complete {
   until oc get cm bootstrap -n kube-system &> /dev/null
@@ -24,6 +24,21 @@ function signal_bootstrap_complete {
   done
 }
 
+function create_bmc_verify_ca_cm {
+  local ca_storage_dir="/tmp/cert/ca/bmc"
+  local name="bmc-verify-ca"
+  local ns="openshift-machine-api"
+
+  [[ -d "$ca_storage_dir" ]] || return
+
+  until [ "$(oc get cm "${name}" -n "${ns}")" -eq 0 ];
+  do
+    echo "Creating bmc verify ca configmap ..."
+    oc create cm "${name}" -n "${ns}" --from-file="${ca_storage_dir}" || true
+    sleep 5
+  done
+}
+
 function release_lease {
   local ns="$1"
   local lease="$2"
@@ -130,6 +145,7 @@ function clean {
 
 wait_for_api
 signal_bootstrap_complete
+create_bmc_verify_ca_cm
 release_cvo_lease
 release_cpc_lease
 restore_cvo_overrides
diff --git a/pkg/asset/ignition/bootstrap/baremetal/template.go b/pkg/asset/ignition/bootstrap/baremetal/template.go
@@ -89,6 +89,8 @@ type TemplateData struct {
 
 	// AdditionalNTPServers holds a list of additional NTP servers to be used for provisioning
 	AdditionalNTPServers []string
+
+	BMCVerifyCA string
 }
 
 func externalURLs(apiVIPs []string, protocol string) (externalURLv4 string, externalURLv6 string) {
@@ -126,6 +128,7 @@ func GetTemplateData(config *baremetal.Platform, networks []types.MachineNetwork
 	templateData.ExternalStaticGateway = config.BootstrapExternalStaticGateway
 	templateData.ExternalStaticDNS = config.BootstrapExternalStaticDNS
 	templateData.ExternalMACAddress = config.ExternalMACAddress
+	templateData.BMCVerifyCA = config.BMCVerifyCA
 
 	if len(config.AdditionalNTPServers) > 0 {
 		templateData.AdditionalNTPServers = config.AdditionalNTPServers
diff --git a/pkg/types/baremetal/platform.go b/pkg/types/baremetal/platform.go
@@ -250,4 +250,6 @@ type Platform struct {
 	// +kubebuilder:validation:UniqueItems=true
 	//  +optional
 	AdditionalNTPServers []string `json:"additionalNTPServers,omitempty"`
+
+	BMCVerifyCA string `json:"bmcVerifyCA,omitempty"`
 }

Original file line number	Diff line number	Diff line change
`@@ -250,4 +250,6 @@ type Platform struct {`
`250`	`250`	`// +kubebuilder:validation:UniqueItems=true`
`251`	`251`	`// +optional`
`252`	`252`	AdditionalNTPServers []string `json:"additionalNTPServers,omitempty"`
	`253`	`+`
	`254`	+ BMCVerifyCA string `json:"bmcVerifyCA,omitempty"`
`253`	`255`	`}`