METAL-1105: support specifying CA to verify BMC connections

[dtantsur]

Implements the most important parts of https://github.com/openshift/enhancements/blob/master/enhancements/security/bmc-ca-certificate-support.md
by creating a new asset that conditionally generates a ConfigMap in the openshift-machine-api namespace.

Co-Authored-By: Zou Yu [email protected]
Assisted-By: Claude Code (commercial license)

[openshift-ci-robot]

@dtantsur: This pull request references METAL-1105 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.21.0" version, but no target version was set.

In response to this:

Implements the most important parts of https://github.com/openshift/enhancements/blob/master/enhancements/security/bmc-ca-certificate-support.md
by creating a new asset that conditionally generates a ConfigMap in the openshift-machine-api namespace.

Co-Authored-By: Zou Yu [email protected]
Assisted-By: Claude Code (commercial license)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[dtantsur]

/cc @zaneb

[dtantsur]

/retest

[dtantsur]

/retest

OFCIR migration

[dtantsur]

/verified by @dtantsur

I have tested #10072 + openshift/cluster-baremetal-operator#527 + openshift/ironic-image#691 with the help of openshift-metal3/dev-scripts#1812 on a local environment. Neither install-config nor BMH definitions contain disableCertificateVerification any more. Initial deployment passed, and so did provisioning workers.

[openshift-ci-robot]

@dtantsur: This PR has been marked as verified by @dtantsur.

In response to this:

/verified by @dtantsur

I have tested #10072 + openshift/cluster-baremetal-operator#527 + openshift/ironic-image#691 with the help of openshift-metal3/dev-scripts#1812 on a local environment. Neither install-config nor BMH definitions contain disableCertificateVerification any more. Initial deployment passed, and so did provisioning workers.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[patrickdillon]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [patrickdillon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[zaneb]

This looks correct, but can be simplified so that you only have to deal with the data in 2 places instead of 3.

[zaneb]

nit: unintentional whitespace change?

[zaneb]

Since you already have BMCVerifyCA in the PlatformData, instead of doing this you could just create a file at data/data/bootstrap/baremetal/files/opt/openshift/bmc-ca/verify_ca.crt.template with the content:

{{ .PlatformData.BareMetal.BMCVerifyCA }}

Then you wouldn't need the BMCVerifyCA asset at all, and its one line of code could be rolled straight into the BMCVerifyCAConfigMap asset.

[dtantsur]

Hmm, I need to digest this. I guess one issue is that we'll get an empty file by default, which may confuse Ironic. Can I make a file creation conditional?

[zaneb]

You already made mounting the volume conditional.

[dtantsur]

@zaneb if the general logic is okay, can we continue this discussion in a follow-up work? Testing each change is a bit cumbersome, and we're so close to FF.

[zaneb]

/lgtm

[dtantsur]

/test e2e-aws-ovn

[dtantsur]

/test e2e-aws-ovn

Repo problems

[dtantsur]

/verified later @dtantsur

I don't have reasons to believe that a rebase caused the feature to get broken, but I cannot verify it now because building images in dev-scripts is currently broken

[openshift-ci-robot]

@dtantsur: This PR has been marked to be verified later by @dtantsur.

In response to this:

/verified later @dtantsur

I don't have reasons to believe that a rebase caused the feature to get broken, but I cannot verify it now because building images in dev-scripts is currently broken

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[dtantsur]

/test e2e-aws-ovn

I see improvements locally, so hopefully the repos will work this time.

[dtantsur]

/test e2e-aws-ovn

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 0e43b96 and 2 for PR HEAD 2cb7563 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 386dca3 and 1 for PR HEAD 2cb7563 in total

[openshift-ci]

@dtantsur: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-metal-assisted	2cb7563	link	false	/test e2e-metal-assisted
ci/prow/e2e-metal-ovn-two-node-arbiter	2cb7563	link	false	/test e2e-metal-ovn-two-node-arbiter
ci/prow/e2e-metal-ovn-two-node-fencing	2cb7563	link	false	/test e2e-metal-ovn-two-node-fencing
ci/prow/e2e-metal-single-node-live-iso	2cb7563	link	false	/test e2e-metal-single-node-live-iso

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD b3eccf7 and 0 for PR HEAD 2cb7563 in total