Merge pull request #491 from steveb/injectca

Inject TLS ca cert into IPA ramdisk

controllers/ironicconductor_controller.go

@@ -837,6 +837,7 @@ func (r *IronicConductorReconciler) generateServiceConfigMaps(
 				"common.sh":      "/common/bin/common.sh",
 				"get_net_ip":     "/common/bin/get_net_ip",
 				"runlogwatch.sh": "/common/bin/runlogwatch.sh",
+				"pxe-init.sh":    "/common/bin/pxe-init.sh",
 			},
 			Labels: cmLabels,
 		},

controllers/ironicinspector_controller.go

@@ -1462,6 +1462,7 @@ func (r *IronicInspectorReconciler) generateServiceConfigMaps(
 				"common.sh":      "/common/bin/common.sh",
 				"get_net_ip":     "/common/bin/get_net_ip",
 				"runlogwatch.sh": "/common/bin/runlogwatch.sh",
+				"pxe-init.sh":    "/common/bin/pxe-init.sh",
 			},
 			Labels: cmLabels,
 		},

pkg/ironic/initcontainer.go

@@ -116,26 +116,6 @@ func InitContainer(init APIDetails) []corev1.Container {
 
 	var containers []corev1.Container
 
-	if init.PxeInit {
-		pxeInit := corev1.Container{
-			Name:  "pxe-init",
-			Image: init.PxeContainerImage,
-			SecurityContext: &corev1.SecurityContext{
-				RunAsUser: &runAsUser,
-			},
-			Command: []string{
-				"/bin/bash",
-			},
-			Args: []string{
-				"-c",
-				PxeInitContainerCommand,
-			},
-			Env:          envs,
-			VolumeMounts: init.VolumeMounts,
-		}
-		containers = append(containers, pxeInit)
-	}
-
 	initContainer := corev1.Container{
 		Name:  "init",
 		Image: init.ContainerImage,
@@ -167,5 +147,26 @@ func InitContainer(init APIDetails) []corev1.Container {
 		containers = append(containers, ipaInit)
 	}
 
+	if init.PxeInit {
+		pxeInit := corev1.Container{
+			Name:  "pxe-init",
+			Image: init.PxeContainerImage,
+			SecurityContext: &corev1.SecurityContext{
+				RunAsUser:  &runAsUser,
+				Privileged: &init.Privileged,
+			},
+			Command: []string{
+				"/bin/bash",
+			},
+			Args: []string{
+				"-c",
+				PxeInitContainerCommand,
+			},
+			Env:          envs,
+			VolumeMounts: init.VolumeMounts,
+		}
+		containers = append(containers, pxeInit)
+	}
+
 	return containers
 }

pkg/ironicconductor/statefulset.go

@@ -340,6 +340,7 @@ func StatefulSet(
 		VolumeMounts:           initVolumeMounts,
 		PxeInit:                true,
 		ConductorInit:          true,
+		Privileged:             true,
 		DeployHTTPURL:          deployHTTPURL,
 		IngressDomain:          ingressDomain,
 		ProvisionNetwork:       instance.Spec.ProvisionNetwork,

pkg/ironicinspector/initcontainer.go

@@ -46,7 +46,7 @@ const (
 	InitContainerCommand = "/usr/local/bin/container-scripts/init.sh"
 
 	// PxeInitContainerCommand -
-	PxeInitContainerCommand = "/usr/local/bin/container-scripts/pxe-init.sh"
+	PxeInitContainerCommand = "/usr/local/bin/container-scripts/inspector-pxe-init.sh"
 )
 
 // InitContainer - init container for Ironic Inspector pods
@@ -128,12 +128,31 @@ func InitContainer(init APIDetails) []corev1.Container {
 	}
 	containers = append(containers, inspectorInit)
 
+	if init.IpaInit {
+		ipaInit := corev1.Container{
+			Name:  "ironic-python-agent-init",
+			Image: init.IronicPythonAgentImage,
+			SecurityContext: &corev1.SecurityContext{
+				Privileged: &init.Privileged,
+			},
+			Env:          imageCopyEnvs,
+			VolumeMounts: init.VolumeMounts,
+		}
+		containers = append(containers, ipaInit)
+	}
+
 	if init.PxeInit {
 		pxeInit := corev1.Container{
 			Name:  "inspector-pxe-init",
 			Image: init.PxeContainerImage,
 			SecurityContext: &corev1.SecurityContext{
 				RunAsUser: &runAsUser,
+				Capabilities: &corev1.Capabilities{
+					Add: []corev1.Capability{
+						"SYS_CHROOT",
+						"SETFCAP",
+					},
+				},
 			},
 			Command: []string{
 				"/bin/bash",
@@ -145,18 +164,5 @@ func InitContainer(init APIDetails) []corev1.Container {
 		containers = append(containers, pxeInit)
 	}
 
-	if init.IpaInit {
-		ipaInit := corev1.Container{
-			Name:  "ironic-python-agent-init",
-			Image: init.IronicPythonAgentImage,
-			SecurityContext: &corev1.SecurityContext{
-				Privileged: &init.Privileged,
-			},
-			Env:          imageCopyEnvs,
-			VolumeMounts: init.VolumeMounts,
-		}
-		containers = append(containers, ipaInit)
-	}
-
 	return containers
 }

pkg/ironicinspector/statefulset.go

@@ -351,6 +351,7 @@ func StatefulSet(
 		VolumeMounts:           initVolumeMounts,
 		PxeInit:                true,
 		IpaInit:                true,
+		Privileged:             true,
 		InspectorHTTPURL:       inspectorHTTPURL,
 		IngressDomain:          ingressDomain,
 		InspectionNetwork:      instance.Spec.InspectionNetwork,

templates/common/bin/common.sh

@@ -1,4 +1,4 @@
-#!/bin//bash
+#!/bin/bash
 #
 # Copyright 2022 Red Hat Inc.
 #

templates/common/bin/ironic-init.sh

@@ -1,4 +1,4 @@
-#!/bin//bash
+#!/bin/bash
 #
 # Copyright 2023 Red Hat Inc.
 #

templates/ironicconductor/bin/pxe-init.sh → templates/common/bin/pxe-init.sh

@@ -1,4 +1,4 @@
-#!/bin//bash
+#!/bin/bash
 #
 # Copyright 2020 Red Hat Inc.
 #
@@ -15,12 +15,14 @@
 # under the License.
 set -ex
 
+
 # Create TFTP, HTTP serving directories
-mkdir -p /var/lib/ironic/tftpboot/pxelinux.cfg
+if [ ! -d "/var/lib/ironic/tftpboot/pxelinux.cfg" ]; then
+    mkdir -p /var/lib/ironic/tftpboot/pxelinux.cfg
+fi
 if [ ! -d "/var/lib/ironic/httpboot" ]; then
-    mkdir /var/lib/ironic/httpboot
+    mkdir -p /var/lib/ironic/httpboot
 fi
-
 # Check for expected EFI directories
 if [ -d "/boot/efi/EFI/centos" ]; then
     efi_dir=centos
@@ -41,3 +43,35 @@ for dir in httpboot tftpboot; do
     # Ensure all files are readable
     chmod -R +r /var/lib/ironic/$dir
 done
+
+# Patch ironic-python-agent with custom CA certificates
+if [ -f "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" ] && [ -f "/var/lib/ironic/httpboot/ironic-python-agent.initramfs" ]; then
+    # Extract the initramfs
+    cd /
+    mkdir initramfs
+    pushd initramfs
+    zcat /var/lib/ironic/httpboot/ironic-python-agent.initramfs | cpio -idmV
+    popd
+
+    # Copy the CA certificates
+    cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /initramfs/etc/pki/ca-trust/extracted/pem/
+    echo update-ca-trust | unshare -r chroot ./initramfs
+
+    # Repack the initramfs
+    pushd initramfs
+    find . | cpio -o -c --quiet -R root:root | gzip -1 > /var/lib/ironic/httpboot/ironic-python-agent.initramfs
+fi
+
+# Build an ESP image
+pushd /var/lib/ironic/httpboot
+if [ ! -a "esp.img" ]; then
+    dd if=/dev/zero of=esp.img bs=4096 count=1024
+    mkfs.msdos -F 12 -n 'ESP_IMAGE' esp.img
+
+    mmd -i esp.img EFI
+    mmd -i esp.img EFI/BOOT
+    mcopy -i esp.img -v bootx64.efi ::EFI/BOOT
+    mcopy -i esp.img -v grubx64.efi ::EFI/BOOT
+    mdir -i esp.img ::EFI/BOOT;
+fi
+popd

templates/common/bin/runlogwatch.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/bash
+#!/bin/bash
 
 # Ramdisk logs path
 LOG_DIR=${LOG_DIR:-/var/lib/ironic/ramdisk-logs}

templates/ironicconductor/bin/init.sh

@@ -1,4 +1,4 @@
-#!/bin//bash
+#!/bin/bash
 #
 # Copyright 2020 Red Hat Inc.
 #
@@ -54,16 +54,3 @@ fi
 if [ ! -d "/var/lib/ironic/ramdisk-logs" ]; then
     mkdir /var/lib/ironic/ramdisk-logs
 fi
-# Build an ESP image
-pushd /var/lib/ironic/httpboot
-if [ ! -a "esp.img" ]; then
-    dd if=/dev/zero of=esp.img bs=4096 count=1024
-    mkfs.msdos -F 12 -n 'ESP_IMAGE' esp.img
-
-    mmd -i esp.img EFI
-    mmd -i esp.img EFI/BOOT
-    mcopy -i esp.img -v bootx64.efi ::EFI/BOOT
-    mcopy -i esp.img -v grubx64.efi ::EFI/BOOT
-    mdir -i esp.img ::EFI/BOOT;
-fi
-popd

templates/ironicinspector/bin/init.sh

@@ -1,4 +1,4 @@
-#!/bin//bash
+#!/bin/bash
 #
 # Copyright 2023 Red Hat Inc.
 #
@@ -20,6 +20,9 @@ export TRANSPORTURL=${TransportURL:-""}
 
 export CUSTOMCONF=${CustomConf:-""}
 
+if [ ! -d "/var/lib/ironic/httpboot" ]; then
+    mkdir /var/lib/ironic/httpboot
+fi
 if [ ! -d "/var/lib/ironic/ramdisk-logs" ]; then
     mkdir /var/lib/ironic/ramdisk-logs
 fi

templates/ironicinspector/bin/pxe-init.sh → templates/ironicinspector/bin/inspector-pxe-init.sh

@@ -18,10 +18,6 @@ set -ex
 # Get the statefulset pod index
 export PODINDEX=$(echo ${HOSTNAME##*-})
 
-# Create TFTP, HTTP serving directories
-mkdir -p /var/lib/ironic/tftpboot/pxelinux.cfg
-mkdir -p /var/lib/ironic/httpboot
-
 # DHCP server configuration
 export InspectorNetworkIP=$(/usr/local/bin/container-scripts/get_net_ip ${InspectionNetwork})
 export INSPECTOR_HTTP_URL=$(python3 -c 'import os; print(os.environ["InspectorHTTPURL"] % os.environ)')
@@ -38,23 +34,5 @@ envsubst < ${DNSMASQ_CFG} | tee ${DNSMASQ_CFG}
 export INSPECTOR_IPXE=/var/lib/config-data/merged/inspector.ipxe
 envsubst < ${INSPECTOR_IPXE} | tee ${INSPECTOR_IPXE}
 
-# Check for expected EFI directories
-if [ -d "/boot/efi/EFI/centos" ]; then
-    efi_dir=centos
-elif [ -d "/boot/efi/EFI/redhat" ]; then
-    efi_dir=redhat
-else
-    echo "No EFI directory detected"
-    exit 1
-fi
-
-# Copy iPXE and grub files to tftpboot, httpboot
-for dir in httpboot tftpboot; do
-    cp /usr/share/ipxe/ipxe-snponly-x86_64.efi /var/lib/ironic/$dir/snponly.efi
-    cp /usr/share/ipxe/undionly.kpxe           /var/lib/ironic/$dir/undionly.kpxe
-    cp /usr/share/ipxe/ipxe.lkrn               /var/lib/ironic/$dir/ipxe.lkrn
-    cp /boot/efi/EFI/$efi_dir/shimx64.efi      /var/lib/ironic/$dir/bootx64.efi
-    cp /boot/efi/EFI/$efi_dir/grubx64.efi      /var/lib/ironic/$dir/grubx64.efi
-    # Ensure all files are readable
-    chmod -R +r /var/lib/ironic/$dir
-done
+# run common pxe-init script
+/usr/local/bin/container-scripts/pxe-init.sh