From 00171546c10b65d735cacf624c342a689d868d65 Mon Sep 17 00:00:00 2001 From: Matt Crees Date: Mon, 24 Mar 2025 15:01:57 +0000 Subject: [PATCH 1/2] Support IPA download with authenticated requests This commit adds variables to configure authentication parameters in the bifrost-ironic-install role, where IPA images are downloaded. The new variables are ipa_download_url_username, ipa_download_url_password, ipa_download_force_basic_auth and ipa_download_unredirected_headers. Ramdisk and kernel images can be separately configured using ipa_ramdisk/ipa_kernel prefixes, e.g. ipa_ramdisk_download_url_username. See Ansible documentation for more details about these variables [1,2]. [1] https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html [2] https://docs.ansible.com/ansible/latest/collections/ansible/builtin/uri_module.html Change-Id: I08e098b1d8aaed0f2793bf757bc12d3ca87e03ef Signed-off-by: Matt Crees --- .../bifrost-ironic-install/defaults/main.yml | 27 +++++++++++++++++++ .../tasks/download_ipa_image.yml | 16 +++++++++++ .../ipa-download-auth-c7ae9373b08dc514.yaml | 14 ++++++++++ 3 files changed, 57 insertions(+) create mode 100644 releasenotes/notes/ipa-download-auth-c7ae9373b08dc514.yaml diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml index 7a207171..d27b9a9c 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml 
@@ -108,6 +108,33 @@ update_ipa: "{{ update_repos }}" # Use the DIB dynamic-login element to insert the SSH key ipa_add_ssh_key: false +# Username for Digest, Basic or WSSE authentication. Default is unset, in which +# case the parameter is omitted. +ipa_download_url_username: +# Password for Digest, Basic or WSSE authentication. Default is unset, in which +# case the parameter is omitted. +ipa_download_url_password: +# Force sending the Basic authentication header upon initial request. Useful if +# the remote endpoint does not respond with HTTP 401 to the initial +# unauthenticated request. Must be a boolean. Default is unset, in which case +# the parameter is omitted. +ipa_download_force_basic_auth: +# List of header names that will not be sent on subsequent redirected requests. +# Set to ['Authorization'] if being redirected from an authenticated endpoint +# to an unauthenticated endpoint. Default is unset, in which case the parameter +# is omitted. +ipa_download_unredirected_headers: + +# Can be overridden if ramdisk and kernel require different authentication. +ipa_kernel_download_url_username: "{{ ipa_download_url_username }}" +ipa_kernel_download_url_password: "{{ ipa_download_url_password }}" +ipa_kernel_download_force_basic_auth: "{{ ipa_download_force_basic_auth }}" +ipa_kernel_download_unredirected_headers: "{{ ipa_download_unredirected_headers }}" +ipa_ramdisk_download_url_username: "{{ ipa_download_url_username }}" +ipa_ramdisk_download_url_password: "{{ ipa_download_url_password }}" +ipa_ramdisk_download_force_basic_auth: "{{ ipa_download_force_basic_auth }}" +ipa_ramdisk_download_unredirected_headers: "{{ ipa_download_unredirected_headers }}" + # Deployment image distribution, for selecting a default upstream image. Valid # options are "cirros", "centos", "rocky", "ubuntu". Default is "cirros". upstream_deploy_image_distribution: "cirros" 
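Review bot: The comment on `ipa_download_url_password` does not say how the secret should be supplied, and a role defaults file is where operators tend to copy values from. I would add a line such as `# Supply via Ansible Vault or another secret store; never commit a plaintext value.` above the variable. The four base variables are written as bare `key:` values, which parse as null but can be flagged by yamllint's `empty-values` rule; `ipa_download_url_password: null` states the intent explicitly. The `ipa_download_unredirected_headers` comment could also say that `['Authorization']` is the safer setting whenever `ipa_download_force_basic_auth` is true and the download URL may redirect to a different host.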
diff --git a/playbooks/roles/bifrost-ironic-install/tasks/download_ipa_image.yml b/playbooks/roles/bifrost-ironic-install/tasks/download_ipa_image.yml index 194c6791..dfebb806 100644 --- a/playbooks/roles/bifrost-ironic-install/tasks/download_ipa_image.yml +++ b/playbooks/roles/bifrost-ironic-install/tasks/download_ipa_image.yml @@ -30,6 +30,10 @@ owner: ironic group: ironic mode: "0644" + url_username: "{{ ipa_kernel_download_url_username or omit }}" + url_password: "{{ ipa_kernel_download_url_password or omit }}" + force_basic_auth: "{{ ipa_kernel_download_force_basic_auth or omit }}" + unredirected_headers: "{{ ipa_kernel_download_unredirected_headers or omit }}" - name: "Extract IPA kernel checksum" command: awk '/{{ ipa_kernel_upstream_url | basename }}|^[a-z0-9]+$/{print $1}' "{{ ipa_kernel }}.{{ ipa_kernel_upstream_checksum_algo }}" @@ -52,6 +56,10 @@ headers: "{{ ipa_download_headers | default(omit, true) }}" # Keep downloading it until we get a good copy force: yes + url_username: "{{ ipa_kernel_download_url_username or omit }}" + url_password: "{{ ipa_kernel_download_url_password or omit }}" + force_basic_auth: "{{ ipa_kernel_download_force_basic_auth or omit }}" + unredirected_headers: "{{ ipa_kernel_download_unredirected_headers or omit }}" register: ipa_kernel_download_done until: ipa_kernel_download_done is succeeded or (ipa_kernel_download_done is failed) @@ -76,6 +84,10 @@ owner: ironic group: ironic mode: "0644" + url_username: "{{ ipa_ramdisk_download_url_username or omit }}" + url_password: "{{ ipa_ramdisk_download_url_password or omit }}" + force_basic_auth: "{{ ipa_ramdisk_download_force_basic_auth or omit }}" + unredirected_headers: "{{ ipa_ramdisk_download_unredirected_headers or omit }}" - name: "Extract IPA ramdisk checksum" command: awk '/{{ ipa_ramdisk_upstream_url | basename }}|^[a-z0-9]+$/{print $1}' "{{ ipa_ramdisk }}.{{ ipa_ramdisk_upstream_checksum_algo }}" 
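Review bot: Nothing in the visible tasks checks that the download URL is HTTPS before credentials are attached, so with `ipa_kernel_download_force_basic_auth` set and an `http://` upstream URL the Basic header would be sent in cleartext. The same applies to the three later hunks in this file (kernel image, ramdisk checksum, ramdisk image). The task's `url:` line lies outside the hunk, so which variable feeds it is inferred from the `ipa_kernel_upstream_url` reference in the context. An `assert` task ahead of the first download, with `that: ipa_kernel_upstream_url is match('^https://') or not ipa_kernel_download_url_password`, would fail fast instead.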
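Review bot: The four added parameters in the `-52,6 +56,10` hunk use `or omit`, while the `headers:` line directly above them in the same task uses `default(omit, true)`. Using one idiom throughout keeps the task easier to scan, e.g. `url_username: "{{ ipa_kernel_download_url_username | default(omit, true) }}"`. The filter form also tolerates an undefined variable, which `or omit` does not. The same applies to the added lines in the other three hunks of this file.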
@@ -98,6 +110,10 @@ timeout: 300 # Keep downloading it until we get a good copy force: yes + url_username: "{{ ipa_ramdisk_download_url_username or omit }}" + url_password: "{{ ipa_ramdisk_download_url_password or omit }}" + force_basic_auth: "{{ ipa_ramdisk_download_force_basic_auth or omit }}" + unredirected_headers: "{{ ipa_ramdisk_download_unredirected_headers or omit }}" register: ipa_ramdisk_download_done until: ipa_ramdisk_download_done is succeeded or (ipa_ramdisk_download_done is failed and ipa_ramdisk_download_done.status_code is defined and ipa_ramdisk_download_done.status_code == 404) diff --git a/releasenotes/notes/ipa-download-auth-c7ae9373b08dc514.yaml b/releasenotes/notes/ipa-download-auth-c7ae9373b08dc514.yaml new file mode 100644 index 00000000..ffa7fda5 --- /dev/null +++ b/releasenotes/notes/ipa-download-auth-c7ae9373b08dc514.yaml @@ -0,0 +1,14 @@ +--- +features: + - | + Adds variables to configure authentication parameters in the + ``bifrost-ironic-install`` role, where IPA images are downloaded. The new + variables are ``ipa_download_url_username``, ``ipa_download_url_password``, + ``ipa_download_force_basic_auth`` and + ``ipa_download_unredirected_headers``. Ramdisk and kernel images can be + separately configured using ``ipa_ramdisk``/``ipa_kernel`` prefixes, e.g. + ``ipa_ramdisk_download_url_username``. See documentation of the `get_url + `__ + and `uri + `__ + Ansible modules for more details on how to use these variables. From 2cefef38992d03655ae30316f58ec25a648e7177 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 30 Sep 2025 11:16:12 +0200 Subject: [PATCH 2/2] Add support for Rocky Linux 10 image download Change-Id: If3f3e2c48996c309e7c6fcb68757067075fb390e Signed-off-by: Pierre Riteau --- playbooks/roles/bifrost-ironic-install/defaults/main.yml | 4 ++++ 1 file changed, 4 insertions(+) 
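Review bot: With credentials now in play, the `until` condition at the end of the `-98,6 +110,10` hunk still treats only a 404 as terminal. A 401 or 403 from a wrong username or password is therefore retried until the retry budget (set outside the hunk) runs out, which can mean repeated failed logins against the image server and possibly an account lockout. Extending the check to `ipa_ramdisk_download_done.status_code in [401, 403, 404]` would stop on the first rejection. The kernel task's `until` in the `-52,6 +56,10` hunk is cut off in the context, so it probably needs the same change.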
diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml index 7a207171..1c1f0c80 100644 --- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml +++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml @@ -142,6 +142,10 @@ deploy_image_sources: image: "https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-GenericCloud.latest.x86_64.qcow2" checksum: "https://dl.rockylinux.org/pub/rocky/9/images/x86_64/CHECKSUM" checksum_algorithm: "sha256" + "10": + image: "https://dl.rockylinux.org/pub/rocky/10/images/x86_64/Rocky-10-GenericCloud-Base.latest.x86_64.qcow2" + checksum: "https://dl.rockylinux.org/pub/rocky/10/images/x86_64/CHECKSUM" + checksum_algorithm: "sha256" centos: 9-stream: image: "https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-latest.x86_64.qcow2"
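Review bot: The new `"10"` entry takes both the image and its `CHECKSUM` file from `dl.rockylinux.org`, so the sha256 comparison catches a corrupted transfer but not content altered at the source. The `.latest` file name also means the downloaded image changes over time. This matches the existing Rocky 9 entry; a short comment on the block would make the limitation explicit, e.g. `# checksum is fetched from the same host as the image: integrity only, not authenticity`. How the checksum is consumed is outside this hunk.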