From a502e901dea7f3b4c795975f06d7bafb3d8cf4b0 Mon Sep 17 00:00:00 2001 From: Zou Yu Date: Tue, 25 Mar 2025 13:37:13 +0800 Subject: [PATCH 1/4] feat: support specifying bmc verify ca Signed-off-by: Zou Yu --- .../systemd/ironic.container.template | 3 +++ .../files/usr/local/bin/build-ironic-env.sh | 5 +++++ .../units/build-ironic-env.service.template | 1 + .../bootstrap-in-place-post-reboot.sh | 18 +++++++++++++++++- .../ignition/bootstrap/baremetal/template.go | 3 +++ pkg/types/baremetal/platform.go | 2 ++ 6 files changed, 31 insertions(+), 1 deletion(-) diff --git a/data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template b/data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template index 43e456f2eff..525c2266844 100644 --- a/data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template +++ b/data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template @@ -22,6 +22,9 @@ Volume=ironic.volume:/shared:z Volume=/opt/openshift/tls/ironic/:/certs/vmedia/:z {{ end }} Volume=/opt/openshift/tls/ironic/:/certs/ironic/:z +{{ if ne len(.PlatformData.BareMetal.BMCVerifyCA) 0 }} +Volume=/tmp/cert/ca/bmc:/certs/ca/bmc:z +{{ end }} Environment="IRONIC_RAMDISK_SSH_KEY=${IRONIC_RAMDISK_SSH_KEY}" Environment="PROVISIONING_INTERFACE=${PROVISIONING_INTERFACE}" Environment="OS_CONDUCTOR__HEARTBEAT_TIMEOUT=120" diff --git a/data/data/bootstrap/baremetal/files/usr/local/bin/build-ironic-env.sh b/data/data/bootstrap/baremetal/files/usr/local/bin/build-ironic-env.sh index b330cd53ac6..c1178b35c03 100644 --- a/data/data/bootstrap/baremetal/files/usr/local/bin/build-ironic-env.sh +++ b/data/data/bootstrap/baremetal/files/usr/local/bin/build-ironic-env.sh 
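Review bot: The new `Volume=` line in ironic.container.template bind-mounts the BMC CA directory with `:z` only, so the Ironic container gets write access to the directory holding the CA used for BMC TLS verification. The container presumably only needs to read it, so I would mount it read-only: `Volume=/opt/openshift/bmc-ca:/certs/ca/bmc:z,ro` (using the final path from patch 3/4). The same line is touched again in patches 3/4 and 4/4 and stays read-write there. This assumes nothing in the Ironic image rewrites files under /certs/ca/bmc at start-up, which is not visible here.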
@@ -23,6 +23,11 @@ build_ironic_env() { printf 'CUSTOMIZATION_IMAGE="%s"\n' "$(image_for machine-image-customization-controller)" printf 'MACHINE_OS_IMAGES_IMAGE="%s"\n' "$(image_for machine-os-images)" + if [[ "$BMC_VERIFY_CA" ]]; then + mkdir -p /tmp/cert/ca/bmc + echo "$BMC_VERIFY_CA" > /tmp/cert/ca/bmc/verify_ca.crt + fi + # set password for ironic basic auth # The ironic container contains httpd (and thus httpd-tools), so rely on it # to supply the htpasswd command diff --git a/data/data/bootstrap/baremetal/systemd/units/build-ironic-env.service.template b/data/data/bootstrap/baremetal/systemd/units/build-ironic-env.service.template index 94a8ece3b18..0f5ed5d0fc1 100644 --- a/data/data/bootstrap/baremetal/systemd/units/build-ironic-env.service.template +++ b/data/data/bootstrap/baremetal/systemd/units/build-ironic-env.service.template @@ -10,6 +10,7 @@ Environment="PROVISIONING_MAC={{.PlatformData.BareMetal.ProvisioningInterfaceMAC Environment="PROVISIONING_NETWORK_TYPE={{.PlatformData.BareMetal.ProvisioningNetwork}}" Environment="IRONIC_IP={{index .PlatformData.BareMetal.APIVIPs 0}}" Environment="IRONIC_USERNAME={{.PlatformData.BareMetal.IronicUsername}}" +Environment="BMC_VERIFY_CA={{.PlatformData.BareMetal.BMCVerifyCA}}" ExecStart=/usr/local/bin/build-ironic-env.sh Type=oneshot RemainAfterExit=true diff --git a/data/data/bootstrap/bootstrap-in-place/files/opt/openshift/bootstrap-in-place/bootstrap-in-place-post-reboot.sh b/data/data/bootstrap/bootstrap-in-place/files/opt/openshift/bootstrap-in-place/bootstrap-in-place-post-reboot.sh index ea5f5e1fb84..2f867813444 100755 --- a/data/data/bootstrap/bootstrap-in-place/files/opt/openshift/bootstrap-in-place/bootstrap-in-place-post-reboot.sh +++ b/data/data/bootstrap/bootstrap-in-place/files/opt/openshift/bootstrap-in-place/bootstrap-in-place-post-reboot.sh 
@@ -13,7 +13,7 @@ function wait_for_api { } # This is required since the progress service (https://github.com/openshift/installer/blob/dd9047c4c119e942331f702a4b7da85c60042da5/data/data/bootstrap/files/usr/local/bin/report-progress.sh#L22-L33), -# usually dedicated to creating the bootstrap ConfigMap, will fail to create this configmap in case of bootstrap-in-place single node deployment, +# usually dedicated to creating the bootstrap ConfigMap, will fail to create this configmap in case of bootstrap-in-place single node deployment, # due to the lack of a control plane when bootkube is complete function signal_bootstrap_complete { until oc get cm bootstrap -n kube-system &> /dev/null @@ -24,6 +24,21 @@ function signal_bootstrap_complete { done } +function create_bmc_verify_ca_cm { + local ca_storage_dir="/tmp/cert/ca/bmc" + local name="bmc-verify-ca" + local ns="openshift-machine-api" + + [[ -d "$ca_storage_dir" ]] || return + + until [ "$(oc get cm "${name}" -n "${ns}")" -eq 0 ]; + do + echo "Creating bmc verify ca configmap ..." + oc create cm "${name}" -n "${ns}" --from-file="${ca_storage_dir}" || true + sleep 5 + done +} + function release_lease { local ns="$1" local lease="$2" @@ -130,6 +145,7 @@ function clean { wait_for_api signal_bootstrap_complete +create_bmc_verify_ca_cm release_cvo_lease release_cpc_lease restore_cvo_overrides diff --git a/pkg/asset/ignition/bootstrap/baremetal/template.go b/pkg/asset/ignition/bootstrap/baremetal/template.go index a873ec91af8..01bf61e282d 100644 --- a/pkg/asset/ignition/bootstrap/baremetal/template.go +++ b/pkg/asset/ignition/bootstrap/baremetal/template.go @@ -89,6 +89,8 @@ type TemplateData struct { // AdditionalNTPServers holds a list of additional NTP servers to be used for provisioning AdditionalNTPServers []string + + BMCVerifyCA string } func externalURLs(apiVIPs []string, protocol string) (externalURLv4 string, externalURLv6 string) { 
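Review bot: `BMCVerifyCA` is added to `TemplateData` in template.go without a doc comment, although `AdditionalNTPServers` directly above it has one. The same is true of `Platform.BMCVerifyCA` in platform.go, where the comment would also become the description of the `bmcVerifyCA` property in the generated install-config CRD (patch 2/4 adds it with `type: string` only). I would add something like `// BMCVerifyCA is the CA certificate bundle used to verify BMC TLS certificates; empty means none was supplied.` to both, plus `// +optional` on the API field to match its `omitempty` tag and the field above it. If the expected encoding is PEM, as the `verify_ca.crt` file name suggests, the API comment should say so. Both struct definitions start outside their hunks.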
@@ -126,6 +128,7 @@ func GetTemplateData(config *baremetal.Platform, networks []types.MachineNetwork templateData.ExternalStaticGateway = config.BootstrapExternalStaticGateway templateData.ExternalStaticDNS = config.BootstrapExternalStaticDNS templateData.ExternalMACAddress = config.ExternalMACAddress + templateData.BMCVerifyCA = config.BMCVerifyCA if len(config.AdditionalNTPServers) > 0 { templateData.AdditionalNTPServers = config.AdditionalNTPServers diff --git a/pkg/types/baremetal/platform.go b/pkg/types/baremetal/platform.go index 311faebfa61..ab9b46f2d53 100644 --- a/pkg/types/baremetal/platform.go +++ b/pkg/types/baremetal/platform.go @@ -250,4 +250,6 @@ type Platform struct { // +kubebuilder:validation:UniqueItems=true // +optional AdditionalNTPServers []string `json:"additionalNTPServers,omitempty"` + + BMCVerifyCA string `json:"bmcVerifyCA,omitempty"` } From 6d3497d0678dfa04db1793956190d2a04fc3b6fb Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Tue, 11 Nov 2025 16:47:35 +0100 Subject: [PATCH 2/4] Change BMC CA logic to use assets Signed-off-by: Dmitry Tantsur --- .../bootstrap-in-place-post-reboot.sh | 16 --- .../install.openshift.io_installconfigs.yaml | 2 + pkg/asset/manifests/bmcverifycaconfigmap.go | 99 +++++++++++++++++++ pkg/asset/manifests/operators.go | 5 +- 4 files changed, 105 insertions(+), 17 deletions(-) create mode 100644 pkg/asset/manifests/bmcverifycaconfigmap.go diff --git a/data/data/bootstrap/bootstrap-in-place/files/opt/openshift/bootstrap-in-place/bootstrap-in-place-post-reboot.sh b/data/data/bootstrap/bootstrap-in-place/files/opt/openshift/bootstrap-in-place/bootstrap-in-place-post-reboot.sh index 2f867813444..c45ac4c061c 100755 --- a/data/data/bootstrap/bootstrap-in-place/files/opt/openshift/bootstrap-in-place/bootstrap-in-place-post-reboot.sh +++ b/data/data/bootstrap/bootstrap-in-place/files/opt/openshift/bootstrap-in-place/bootstrap-in-place-post-reboot.sh 
@@ -24,21 +24,6 @@ function signal_bootstrap_complete { done } -function create_bmc_verify_ca_cm { - local ca_storage_dir="/tmp/cert/ca/bmc" - local name="bmc-verify-ca" - local ns="openshift-machine-api" - - [[ -d "$ca_storage_dir" ]] || return - - until [ "$(oc get cm "${name}" -n "${ns}")" -eq 0 ]; - do - echo "Creating bmc verify ca configmap ..." - oc create cm "${name}" -n "${ns}" --from-file="${ca_storage_dir}" || true - sleep 5 - done -} - function release_lease { local ns="$1" local lease="$2" @@ -145,7 +130,6 @@ function clean { wait_for_api signal_bootstrap_complete -create_bmc_verify_ca_cm release_cvo_lease release_cpc_lease restore_cvo_overrides diff --git a/data/data/install.openshift.io_installconfigs.yaml b/data/data/install.openshift.io_installconfigs.yaml index 3ae593b1da5..0cc0e74b875 100644 --- a/data/data/install.openshift.io_installconfigs.yaml +++ b/data/data/install.openshift.io_installconfigs.yaml @@ -5366,6 +5366,8 @@ spec: maxItems: 2 type: array uniqueItems: true + bmcVerifyCA: + type: string bootstrapExternalStaticDNS: description: |- BootstrapExternalStaticDNS is the static network DNS of the bootstrap node. diff --git a/pkg/asset/manifests/bmcverifycaconfigmap.go b/pkg/asset/manifests/bmcverifycaconfigmap.go new file mode 100644 index 00000000000..e17b8b0d66c --- /dev/null +++ b/pkg/asset/manifests/bmcverifycaconfigmap.go 
@@ -0,0 +1,99 @@ +package manifests + +import ( + "context" + "path" + + "github.com/pkg/errors" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/yaml" + + "github.com/openshift/installer/pkg/asset" + "github.com/openshift/installer/pkg/asset/installconfig" + "github.com/openshift/installer/pkg/types/baremetal" +) + +var ( + bmcVerifyCAConfigMapFileName = path.Join("manifests", "bmc-verify-ca-configmap.yaml") +) + +const ( + bmcVerifyCAConfigMapName = "bmc-verify-ca" + bmcVerifyCAConfigMapNamespace = "openshift-machine-api" + bmcVerifyCAConfigMapDataKey = "verify_ca.crt" +) + +// BMCVerifyCAConfigMap generates the bmc-verify-ca ConfigMap. +type BMCVerifyCAConfigMap struct { + ConfigMap *corev1.ConfigMap + File *asset.File +} + +var _ asset.WritableAsset = (*BMCVerifyCAConfigMap)(nil) + +// Name returns a human friendly name for the asset. +func (*BMCVerifyCAConfigMap) Name() string { + return "BMC Verify CA ConfigMap" +} + +// Dependencies returns all of the dependencies directly needed to generate +// the asset. +func (*BMCVerifyCAConfigMap) Dependencies() []asset.Asset { + return []asset.Asset{ + &installconfig.InstallConfig{}, + } +} + +// Generate generates the BMC Verify CA ConfigMap. 
+func (bvc *BMCVerifyCAConfigMap) Generate(_ context.Context, dependencies asset.Parents) error { + installConfig := &installconfig.InstallConfig{} + dependencies.Get(installConfig) + + // Only generate the ConfigMap for baremetal platform with BMCVerifyCA configured + if installConfig.Config.Platform.Name() != baremetal.Name { + return nil + } + + if installConfig.Config.Platform.BareMetal == nil || installConfig.Config.Platform.BareMetal.BMCVerifyCA == "" { + return nil + } + + cm := &corev1.ConfigMap{ + TypeMeta: metav1.TypeMeta{ + APIVersion: corev1.SchemeGroupVersion.String(), + Kind: "ConfigMap", + }, + ObjectMeta: metav1.ObjectMeta{ + Namespace: bmcVerifyCAConfigMapNamespace, + Name: bmcVerifyCAConfigMapName, + }, + Data: map[string]string{ + bmcVerifyCAConfigMapDataKey: installConfig.Config.Platform.BareMetal.BMCVerifyCA, + }, + } + + cmData, err := yaml.Marshal(cm) + if err != nil { + return errors.Wrapf(err, "failed to create %s manifest", bvc.Name()) + } + bvc.ConfigMap = cm + bvc.File = &asset.File{ + Filename: bmcVerifyCAConfigMapFileName, + Data: cmData, + } + return nil +} + +// Files returns the files generated by the asset. +func (bvc *BMCVerifyCAConfigMap) Files() []*asset.File { + if bvc.File != nil { + return []*asset.File{bvc.File} + } + return []*asset.File{} +} + +// Load loads the already-rendered files back from disk. +func (bvc *BMCVerifyCAConfigMap) Load(f asset.FileFetcher) (bool, error) { + return false, nil +} diff --git a/pkg/asset/manifests/operators.go b/pkg/asset/manifests/operators.go index 74a36deb62c..da7abccc196 100644 --- a/pkg/asset/manifests/operators.go +++ b/pkg/asset/manifests/operators.go @@ -85,6 +85,7 @@ func (m *Manifests) Dependencies() []asset.Asset { &bootkube.MachineConfigServerCAConfigMap{}, &bootkube.MachineConfigServerTLSSecret{}, &bootkube.OpenshiftConfigSecretPullSecret{}, + &BMCVerifyCAConfigMap{}, } } 
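Review bot: The doc comment on `BMCVerifyCAConfigMap.Load` in bmcverifycaconfigmap.go says it loads the rendered files back from disk, but the body is an unconditional `return false, nil` and the `f` parameter is never used. If that is intentional, I would say so and blank the parameter: `// Load returns false: the ConfigMap is always regenerated from its parent asset and never read back from disk.` with `func (bvc *BMCVerifyCAConfigMap) Load(_ asset.FileFetcher) (bool, error)`. The same applies to `BMCVerifyCA.Load` in pkg/asset/tls/bmcverifyca.go, added in patch 3/4.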
@@ -101,8 +102,9 @@ func (m *Manifests) Generate(_ context.Context, dependencies asset.Parents) erro clusterCSIDriverConfig := &ClusterCSIDriverConfig{} imageDigestMirrorSet := &ImageDigestMirrorSet{} mcoCfgTemplate := &manifests.MCO{} + bmcVerifyCAConfigMap := &BMCVerifyCAConfigMap{} - dependencies.Get(installConfig, ingress, dns, network, infra, proxy, scheduler, imageContentSourcePolicy, imageDigestMirrorSet, clusterCSIDriverConfig, mcoCfgTemplate) + dependencies.Get(installConfig, ingress, dns, network, infra, proxy, scheduler, imageContentSourcePolicy, imageDigestMirrorSet, clusterCSIDriverConfig, mcoCfgTemplate, bmcVerifyCAConfigMap) redactedConfig, err := redactedInstallConfig(*installConfig.Config) if err != nil { @@ -140,6 +142,7 @@ func (m *Manifests) Generate(_ context.Context, dependencies asset.Parents) erro m.FileList = append(m.FileList, imageContentSourcePolicy.Files()...) m.FileList = append(m.FileList, clusterCSIDriverConfig.Files()...) m.FileList = append(m.FileList, imageDigestMirrorSet.Files()...) + m.FileList = append(m.FileList, bmcVerifyCAConfigMap.Files()...) asset.SortFiles(m.FileList) From d0bcd09d52fbd2716a247fd099b2339eec651ab3 Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Mon, 17 Nov 2025 13:29:24 +0100 Subject: [PATCH 3/4] Refactor BMC CA injection to make it a bootstrap asset Signed-off-by: Dmitry Tantsur --- .../systemd/ironic.container.template | 2 +- .../files/usr/local/bin/build-ironic-env.sh | 5 -- .../units/build-ironic-env.service.template | 1 - pkg/asset/ignition/bootstrap/common.go | 2 + pkg/asset/manifests/bmcverifycaconfigmap.go | 20 +++--- pkg/asset/tls/bmcverifyca.go | 65 +++++++++++++++++++ 6 files changed, 76 insertions(+), 19 deletions(-) create mode 100644 pkg/asset/tls/bmcverifyca.go diff --git a/data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template b/data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template index 525c2266844..0212862765a 100644 
--- a/data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template +++ b/data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template @@ -23,7 +23,7 @@ Volume=/opt/openshift/tls/ironic/:/certs/vmedia/:z {{ end }} Volume=/opt/openshift/tls/ironic/:/certs/ironic/:z {{ if ne len(.PlatformData.BareMetal.BMCVerifyCA) 0 }} -Volume=/tmp/cert/ca/bmc:/certs/ca/bmc:z +Volume=/opt/openshift/bmc-ca:/certs/ca/bmc:z {{ end }} Environment="IRONIC_RAMDISK_SSH_KEY=${IRONIC_RAMDISK_SSH_KEY}" Environment="PROVISIONING_INTERFACE=${PROVISIONING_INTERFACE}" diff --git a/data/data/bootstrap/baremetal/files/usr/local/bin/build-ironic-env.sh b/data/data/bootstrap/baremetal/files/usr/local/bin/build-ironic-env.sh index c1178b35c03..b330cd53ac6 100644 --- a/data/data/bootstrap/baremetal/files/usr/local/bin/build-ironic-env.sh +++ b/data/data/bootstrap/baremetal/files/usr/local/bin/build-ironic-env.sh @@ -23,11 +23,6 @@ build_ironic_env() { printf 'CUSTOMIZATION_IMAGE="%s"\n' "$(image_for machine-image-customization-controller)" printf 'MACHINE_OS_IMAGES_IMAGE="%s"\n' "$(image_for machine-os-images)" - if [[ "$BMC_VERIFY_CA" ]]; then - mkdir -p /tmp/cert/ca/bmc - echo "$BMC_VERIFY_CA" > /tmp/cert/ca/bmc/verify_ca.crt - fi - # set password for ironic basic auth # The ironic container contains httpd (and thus httpd-tools), so rely on it # to supply the htpasswd command diff --git a/data/data/bootstrap/baremetal/systemd/units/build-ironic-env.service.template b/data/data/bootstrap/baremetal/systemd/units/build-ironic-env.service.template index 0f5ed5d0fc1..94a8ece3b18 100644 --- a/data/data/bootstrap/baremetal/systemd/units/build-ironic-env.service.template +++ b/data/data/bootstrap/baremetal/systemd/units/build-ironic-env.service.template 
@@ -10,7 +10,6 @@ Environment="PROVISIONING_MAC={{.PlatformData.BareMetal.ProvisioningInterfaceMAC Environment="PROVISIONING_NETWORK_TYPE={{.PlatformData.BareMetal.ProvisioningNetwork}}" Environment="IRONIC_IP={{index .PlatformData.BareMetal.APIVIPs 0}}" Environment="IRONIC_USERNAME={{.PlatformData.BareMetal.IronicUsername}}" -Environment="BMC_VERIFY_CA={{.PlatformData.BareMetal.BMCVerifyCA}}" ExecStart=/usr/local/bin/build-ironic-env.sh Type=oneshot RemainAfterExit=true diff --git a/pkg/asset/ignition/bootstrap/common.go b/pkg/asset/ignition/bootstrap/common.go index 074b61ec2b6..094b8161630 100644 --- a/pkg/asset/ignition/bootstrap/common.go +++ b/pkg/asset/ignition/bootstrap/common.go @@ -171,6 +171,7 @@ func (a *Common) Dependencies() []asset.Asset { &tls.RootCA{}, &tls.ServiceAccountKeyPair{}, &tls.IronicTLSCert{}, + &tls.BMCVerifyCA{}, &releaseimage.Image{}, new(rhcos.Image), } @@ -671,6 +672,7 @@ func (a *Common) addParentFiles(dependencies asset.Parents) { &tls.ServiceAccountKeyPair{}, &tls.JournalCertKey{}, &tls.IronicTLSCert{}, + &tls.BMCVerifyCA{}, } { dependencies.Get(asset) diff --git a/pkg/asset/manifests/bmcverifycaconfigmap.go b/pkg/asset/manifests/bmcverifycaconfigmap.go index e17b8b0d66c..1e3b38f93b5 100644 --- a/pkg/asset/manifests/bmcverifycaconfigmap.go +++ b/pkg/asset/manifests/bmcverifycaconfigmap.go @@ -10,8 +10,7 @@ import ( "sigs.k8s.io/yaml" "github.com/openshift/installer/pkg/asset" - "github.com/openshift/installer/pkg/asset/installconfig" - "github.com/openshift/installer/pkg/types/baremetal" + "github.com/openshift/installer/pkg/asset/tls" ) var ( 
@@ -41,21 +40,18 @@ func (*BMCVerifyCAConfigMap) Name() string { // the asset. func (*BMCVerifyCAConfigMap) Dependencies() []asset.Asset { return []asset.Asset{ - &installconfig.InstallConfig{}, + &tls.BMCVerifyCA{}, } } // Generate generates the BMC Verify CA ConfigMap. func (bvc *BMCVerifyCAConfigMap) Generate(_ context.Context, dependencies asset.Parents) error { - installConfig := &installconfig.InstallConfig{} - dependencies.Get(installConfig) + bmcVerifyCA := &tls.BMCVerifyCA{} + dependencies.Get(bmcVerifyCA) - // Only generate the ConfigMap for baremetal platform with BMCVerifyCA configured - if installConfig.Config.Platform.Name() != baremetal.Name { - return nil - } - - if installConfig.Config.Platform.BareMetal == nil || installConfig.Config.Platform.BareMetal.BMCVerifyCA == "" { + // Only generate the ConfigMap if BMCVerifyCA has content + files := bmcVerifyCA.Files() + if len(files) == 0 { return nil } @@ -69,7 +65,7 @@ func (bvc *BMCVerifyCAConfigMap) Generate(_ context.Context, dependencies asset. Name: bmcVerifyCAConfigMapName, }, Data: map[string]string{ - bmcVerifyCAConfigMapDataKey: installConfig.Config.Platform.BareMetal.BMCVerifyCA, + bmcVerifyCAConfigMapDataKey: string(files[0].Data), }, } diff --git a/pkg/asset/tls/bmcverifyca.go b/pkg/asset/tls/bmcverifyca.go new file mode 100644 index 00000000000..0e336f07127 --- /dev/null +++ b/pkg/asset/tls/bmcverifyca.go 
@@ -0,0 +1,65 @@ +package tls + +import ( + "context" + + "github.com/openshift/installer/pkg/asset" + "github.com/openshift/installer/pkg/asset/installconfig" + "github.com/openshift/installer/pkg/types/baremetal" +) + +// BMCVerifyCA is the asset for the user-provided BMC verify CA certificate file. +// This CA certificate is used to verify BMC TLS certificates. +type BMCVerifyCA struct { + File *asset.File +} + +var _ asset.WritableAsset = (*BMCVerifyCA)(nil) + +// Name returns the human-friendly name of the asset. +func (*BMCVerifyCA) Name() string { + return "BMC Verify CA Certificate" +} + +// Dependencies returns the dependency of the asset. +func (*BMCVerifyCA) Dependencies() []asset.Asset { + return []asset.Asset{ + &installconfig.InstallConfig{}, + } +} + +// Generate generates the BMC verify CA file from the install config. +func (a *BMCVerifyCA) Generate(_ context.Context, dependencies asset.Parents) error { + installConfig := &installconfig.InstallConfig{} + dependencies.Get(installConfig) + + // Only generate the file for baremetal platform with BMCVerifyCA configured + if installConfig.Config.Platform.Name() != baremetal.Name { + return nil + } + + if installConfig.Config.Platform.BareMetal == nil || installConfig.Config.Platform.BareMetal.BMCVerifyCA == "" { + return nil + } + + // Create the file at rootDir/bmc-ca/verify_ca.crt (rootDir = /opt/openshift) + a.File = &asset.File{ + Filename: "bmc-ca/verify_ca.crt", + Data: []byte(installConfig.Config.Platform.BareMetal.BMCVerifyCA), + } + + return nil +} + +// Files returns the files generated by the asset. +func (a *BMCVerifyCA) Files() []*asset.File { + if a.File != nil { + return []*asset.File{a.File} + } + return []*asset.File{} +} + +// Load loads the already-generated files back from disk. +func (a *BMCVerifyCA) Load(f asset.FileFetcher) (bool, error) { + return false, nil +} From 6f362cf458ea124e0fd1b95e760c5603af4aa080 Mon Sep 17 00:00:00 2001 
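Review bot: `Generate` copies `BMCVerifyCA` from the install config into `bmc-ca/verify_ca.crt` byte for byte, and nothing visible in this series checks that the value is a parseable certificate bundle. This file becomes the trust anchor for BMC TLS verification and also feeds the `bmc-verify-ca` ConfigMap, so a truncated paste or a non-certificate PEM block would presumably only surface later as TLS failures during provisioning. I would reject the value at generation time, or better in the baremetal install-config validation if that is where other certificate fields are checked (not visible here), reusing any existing CA-bundle validator instead of the helper sketched below. The sketch only confirms that every block parses as an X.509 certificate; whether to also require the CA basic constraint is a policy call for the maintainers.

```go
func (a *BMCVerifyCA) Generate(_ context.Context, dependencies asset.Parents) error {
	// … unchanged: install config lookup, platform check and empty-value check …

	bundle := []byte(installConfig.Config.Platform.BareMetal.BMCVerifyCA)
	if err := validateBMCVerifyCA(bundle); err != nil {
		return fmt.Errorf("invalid bmcVerifyCA: %w", err)
	}

	// … unchanged: a.File assignment, now with Data: bundle …

// validateBMCVerifyCA reports an error unless data consists solely of one or
// more PEM "CERTIFICATE" blocks that parse as X.509 certificates.
func validateBMCVerifyCA(data []byte) error {
	rest := data
	count := 0
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return fmt.Errorf("parsing certificate %d: %w", count+1, err)
		}
		count++
	}
	if count == 0 {
		return errors.New("no PEM certificates found")
	}
	if len(bytes.TrimSpace(rest)) != 0 {
		return errors.New("trailing data after the last PEM block")
	}
	return nil
}
```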
From: Dmitry Tantsur Date: Mon, 17 Nov 2025 13:32:08 +0100 Subject: [PATCH 4/4] Simplify check on BMCVerifyCA in template Signed-off-by: Dmitry Tantsur --- .../files/etc/containers/systemd/ironic.container.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template b/data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template index 0212862765a..2546c50016f 100644 --- a/data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template +++ b/data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template @@ -22,7 +22,7 @@ Volume=ironic.volume:/shared:z Volume=/opt/openshift/tls/ironic/:/certs/vmedia/:z {{ end }} Volume=/opt/openshift/tls/ironic/:/certs/ironic/:z -{{ if ne len(.PlatformData.BareMetal.BMCVerifyCA) 0 }} +{{ if .PlatformData.BareMetal.BMCVerifyCA }} Volume=/opt/openshift/bmc-ca:/certs/ca/bmc:z {{ end }} Environment="IRONIC_RAMDISK_SSH_KEY=${IRONIC_RAMDISK_SSH_KEY}"