Merge pull request 'metal3: Introduce TLS variables for ironic vmedia server' (#281) from nbelouin/Factory:ironic-tls-cipher into main

Reviewed-on: suse-edge/Factory#281
Reviewed-by: Marco Chiappero <mchiappero@noreply.src.opensuse.org>
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>

ironic-image/Dockerfile

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.3
-#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.3-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.4
+#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.4-%RELEASE%
 
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -41,8 +41,8 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opencontainers.image.version="29.0.4.3"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:29.0.4.3-%RELEASE%"
+LABEL org.opencontainers.image.version="29.0.4.4"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:29.0.4.4-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"

ironic-image/ironic-config/apache2-vmedia.conf.j2

@@ -11,6 +11,19 @@ Listen [::]:{{ env.VMEDIA_TLS_PORT }}
     SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
     SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}
 
+    {% if "IRONIC_VMEDIA_TLS_12_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_12_CIPHERS %}
+    SSLCipherSuite {{ env.IRONIC_VMEDIA_TLS_12_CIPHERS }}
+    {% endif %}
+    {% if "IRONIC_VMEDIA_TLS_13_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_13_CIPHERS %}
+    SSLCipherSuite TLSv1.3 {{ env.IRONIC_VMEDIA_TLS_13_CIPHERS }}
+    {% endif %}
+    {% if "IRONIC_VMEDIA_CURVES" in env and env.IRONIC_VMEDIA_CURVES %}
+    SSLOpenSSLConfCmd Curves {{ env.IRONIC_VMEDIA_CURVES }}
+    {% endif %}
+    {% if env.IRONIC_VMEDIA_TLS_ENFORCE_SERVER_CIPHER_ORDER | lower == "true" %}
+    SSLHonorCipherOrder on
+    {% endif %}
+
     <Directory "/shared/html/">
         Options Indexes FollowSymLinks
         AllowOverride None

metal3-chart/Chart.yaml

@@ -1,7 +1,7 @@
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.17_up0.12.7
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.17_up0.12.7-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.18_up0.12.8
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.18_up0.12.8-%RELEASE%
 apiVersion: v2
-appVersion: 0.12.6
+appVersion: 0.12.8
 dependencies:
 - alias: metal3-baremetal-operator
   name: baremetal-operator
@@ -10,7 +10,7 @@ dependencies:
 - alias: metal3-ironic
   name: ironic
   repository: file://./charts/ironic
-  version: 0.11.4
+  version: 0.11.5
 - alias: metal3-mariadb
   condition: global.enable_mariadb
   name: mariadb
@@ -20,9 +20,9 @@ dependencies:
   condition: global.enable_metal3_media_server
   name: media
   repository: file://./charts/media
-  version: 0.7.0
+  version: 0.7.1
 description: A Helm chart that installs all of the dependencies needed for Metal3
 icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
 name: metal3
 type: application
-version: "%%CHART_MAJOR%%.0.17+up0.12.7"
+version: "%%CHART_MAJOR%%.0.18+up0.12.8"

metal3-chart/charts/ironic/Chart.yaml

@@ -3,4 +3,4 @@ appVersion: 29.0.4
 description: A Helm chart for Ironic, used by Metal3
 name: ironic
 type: application
-version: 0.11.4
+version: 0.11.5

metal3-chart/charts/ironic/templates/configmap.yaml

@@ -52,3 +52,6 @@ data:
   {{- else }}
   IRONIC_USE_MARIADB: "false"
   {{- end }}
+  {{- with .Values.ironicExtraEnv -}}
+  {{ toYaml . | nindent 2 }}  
+  {{- end -}}

metal3-chart/charts/ironic/values.yaml

@@ -64,7 +64,7 @@ images:
   ironic:
     repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
     pullPolicy: IfNotPresent
-    tag: 29.0.4.3
+    tag: 29.0.4.4
   ironicIPADownloader:
     repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic-ipa-downloader
     pullPolicy: IfNotPresent
@@ -138,6 +138,8 @@ baremetaloperator:
 debug:
   ironicRamdiskSshKey: ""
 
+ironicExtraEnv: {}
+
 tlscerts:
   cacert: ""
   key: ""

metal3-chart/charts/media/Chart.yaml

@@ -3,4 +3,4 @@ appVersion: 1.21.0
 description: A Helm chart for Media, used by Metal3
 name: media
 type: application
-version: 0.7.0
+version: 0.7.1

metal3-chart/charts/media/values.yaml

@@ -42,8 +42,8 @@ serviceAccount:
 podAnnotations: {}
 
 podSecurityContext:
-  runAsUser: 10475
-  fsGroup: 10475
+  runAsUser: 486
+  fsGroup: 499
 
 securityContext:
   allowPrivilegeEscalation: false
@@ -102,11 +102,16 @@ volumes:
   - name: assets
     persistentVolumeClaim:
       claimName: media
+  - name: run
+    emptyDir:
+      sizeLimit: 10Mi
 
 # volume mounts
 volumeMounts:
   - mountPath: /srv/www/htdocs
     name: assets
+  - mountPath: /run
+    name: run
 
 # media volume settings
 mediaVolume:

release-manifest-image/release_manifest.yaml

@@ -171,7 +171,7 @@ spec:
         - prettyName: Metal3
           releaseName: metal3
           chart: '%%CHART_REPO%%/%%CHART_PREFIX%%metal3'
-          version: '%%CHART_MAJOR%%.0.17+up0.12.7'
+          version: '%%CHART_MAJOR%%.0.18+up0.12.8'
         - prettyName: RancherTurtles
           releaseName: rancher-turtles
           chart: '%%CHART_REPO%%/%%CHART_PREFIX%%rancher-turtles'