Enable TLS validation for Redfish emulator (#1812)

dtantsur · web-flow · commit 09fe9ba3c765 · 2025-12-02T16:22:49.000Z
Starting with 4.21, we can pass the CA certificate to the installer.

Signed-off-by: Dmitry Tantsur &lt;dtantsur@protonmail.com&gt;
diff --git a/01_install_requirements.sh b/01_install_requirements.sh
@@ -19,7 +19,7 @@ if [ -z "${METAL3_DEV_ENV}" ]; then
   # TODO -- come up with a plan for continuously updating this
   # Note we only do this in the case where METAL3_DEV_ENV is
   # unset, to enable developer testing of local checkouts
-  git reset 01530d036cce1ff0b4675768777af7a6c6de7487 --hard
+  git reset cb83ca7ae9cfabe827d7a784b28e537e098070ae --hard
 
   popd
 fi
diff --git a/ocp_install_env.sh b/ocp_install_env.sh
@@ -361,6 +361,8 @@ function generate_ocp_install_config() {
       NETWORK_TYPE=OVNKubernetes
     fi
 
+    OCP_VERSION=$(openshift_version $OCP_DIR)
+
     cat > "${outdir}/install-config.yaml" << EOF
 apiVersion: v1
 baseDomain: ${BASE_DOMAIN}
@@ -409,6 +411,13 @@ EOF
 $(node_map_to_install_config_hosts $NUM_WORKERS $(( NUM_MASTERS + NUM_ARBITERS )) worker)
 $(node_map_to_install_config_hosts $NUM_ARBITERS $NUM_MASTERS arbiter)
 $(node_map_to_install_config_hosts $NUM_MASTERS 0 master)
+EOF
+  fi
+
+  if ! is_lower_version "$(openshift_version $OCP_DIR)" "4.21"; then
+    cat >> "${outdir}/install-config.yaml" << EOF
+    bmcVerifyCA: |
+$(sudo sed 's/^/      /' "${WORKING_DIR}/virtualbmc/sushy-tools/cert.pem")
 EOF
   fi
 
@@ -455,8 +464,12 @@ function generate_ocp_host_manifest() {
 
         encoded_username=$(echo -n "$username" | base64)
         encoded_password=$(echo -n "$password" | base64)
-        # Heads up, "verify_ca" in ironic driver config, and "disableCertificateVerification" in BMH have opposite meaning
-        disableCertificateVerification=$([ "$verify_ca" = "False" ] && echo "true" || echo "false")
+        if is_lower_version "$(openshift_version $OCP_DIR)" "4.21"; then
+          # Heads up, "verify_ca" in ironic driver config, and "disableCertificateVerification" in BMH have opposite meaning
+          disableCertificateVerification=$([ "$verify_ca" = "False" ] && echo "true" || echo "false")
+        else
+          disableCertificateVerification=false
+        fi
 
         secret="---
 apiVersion: v1
diff --git a/utils.sh b/utils.sh
@@ -268,13 +268,15 @@ function node_map_to_install_config_hosts() {
 EOF
 
       if [[ "$driver_prefix" == "redfish" ]]; then
-          # Set disableCertificateVerification
-          # Heads up, "verify ca" in ironic driver config, and "disableCertificateVerification" in BMH have opposite meaning
-          verify_ca=$(node_val ${idx} "driver_info.redfish_verify_ca")
-          disable_certificate_verification=$([ "$verify_ca" = "False" ] && echo "true" || echo "false")
-          cat << EOF
+          # Set disableCertificateVerification on older versions
+          if is_lower_version "$(openshift_version $OCP_DIR)" "4.21"; then
+              # Heads up, "verify ca" in ironic driver config, and "disableCertificateVerification" in BMH have opposite meaning
+              verify_ca=$(node_val ${idx} "driver_info.redfish_verify_ca")
+              disable_certificate_verification=$([ "$verify_ca" = "False" ] && echo "true" || echo "false")
+              cat << EOF
           disableCertificateVerification: ${disable_certificate_verification}
 EOF
+          fi
       fi
 
 
