From d18aef225ea417a04a4027f6a50f1545746085555ad914bd4fea525dfaa379a7 Mon Sep 17 00:00:00 2001
From: Marco Chiappero
Date: Tue, 12 Aug 2025 15:21:45 +0000
Subject: [PATCH 1/3] Clear IRONIC_IP when PROVISIONING_IP is IPv6

Make sure that only IRONIC_IPV6 is set with a valid value when PROVISIONING_IP is an IPv6 address by also clearing IRONIC_IP
Signed-off-by: Marco Chiappero
---
 ironic-image/scripts/ironic-common.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ironic-image/scripts/ironic-common.sh b/ironic-image/scripts/ironic-common.sh
index 4b9e653..d2c3215 100644
--- a/ironic-image/scripts/ironic-common.sh
+++ b/ironic-image/scripts/ironic-common.sh
@@ -5,7 +5,7 @@ set -euxo pipefail
 # Export IRONIC_IP to avoid needing to lean on IRONIC_URL_HOST for consumption in
 # e.g. dnsmasq configuration
 export IRONIC_IP="${IRONIC_IP:-}"
-export IRONIC_IPV6="${IRONIC_IPV6:-}"
+IRONIC_IPV6="${IRONIC_IPV6:-}"
 PROVISIONING_INTERFACE="${PROVISIONING_INTERFACE:-}"
 PROVISIONING_IP="${PROVISIONING_IP:-}"
 PROVISIONING_MACS="${PROVISIONING_MACS:-}"
@@ -160,6 +160,7 @@ wait_for_interface_or_ip()
 # If the IP contains a colon, then it's an IPv6 address
 if [[ "$PROVISIONING_IP" =~ .*:.* ]]; then
 export IRONIC_IPV6="$PROVISIONING_IP"
+ export IRONIC_IP=""
 else
 export IRONIC_IP="$PROVISIONING_IP"
 fi
-- 
2.51.1

From a11bb47c197fc8c207020d4466a4e7342e068a4bb814786322a024a0fc24832d Mon Sep 17 00:00:00 2001
From: Marco Chiappero
Date: Wed, 13 Aug 2025 10:00:06 +0000
Subject: [PATCH 2/3] Always generate IRONIC_EXTERNAL_HTTP_URL

Commit 03d7a39 introduced the possibility to externally configure IRONIC_EXTERNAL_HTTP_URL, while removing also the value when the host was not user provided. Revert this last behaviour, by always adding the variable in the ironic ConfigMap even if the host is not set in values, leveraging either ironicIP or provisioningIP. This is required to fix the use of VMedia TLS.
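Review bot: Dropping `export` on the `IRONIC_IPV6` default means the variable reaches child processes only once `wait_for_interface_or_ip` takes the IPv6 branch, while `IRONIC_IP` on the line above is still exported with an empty default, and the comment above (`# Export IRONIC_IP to avoid ...`) no longer explains why the two are treated differently. A consumer that expected `IRONIC_IPV6` to be present-but-empty in the IPv4 case now sees it unset, which under `set -u` is a hard failure instead of an empty string; I cannot see those consumers from the diff, so this is a question rather than a defect. A one-line comment such as `# IRONIC_IPV6 is deliberately not exported here; only an IPv6 PROVISIONING_IP exports it (see wait_for_interface_or_ip)` would record the intent. Note also that if the caller already exported `IRONIC_IPV6`, this plain assignment keeps it exported, so the change only affects the not-in-environment case.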
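Review bot: The IPv6 branch now clears `IRONIC_IP`, but the `else` branch does not clear `IRONIC_IPV6`, so a caller-provided `IRONIC_IPV6` survives next to an IPv4 `PROVISIONING_IP` and both variables end up populated, which is the situation the commit message says it wants to rule out. Adding `export IRONIC_IPV6=""` after `export IRONIC_IP="$PROVISIONING_IP"` in the else branch makes the two branches symmetric. `wait_for_interface_or_ip` starts before this hunk, so I cannot see whether an earlier line already resets it.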
Signed-off-by: Marco Chiappero
---
 .../charts/ironic/templates/_helpers.tpl | 18 +++++++++++-------
 .../charts/ironic/templates/configmap.yaml | 13 +------------
 2 files changed, 12 insertions(+), 19 deletions(-)

diff --git a/metal3-chart/charts/ironic/templates/_helpers.tpl b/metal3-chart/charts/ironic/templates/_helpers.tpl
index e5d022f..4ddd909 100644
--- a/metal3-chart/charts/ironic/templates/_helpers.tpl
+++ b/metal3-chart/charts/ironic/templates/_helpers.tpl
@@ -85,16 +85,20 @@ Get ironic CA volumeMounts
 {{- end }}
 {{/*
-Get the formatted "External" hostname or IP address
+Get the formatted "External" hostname or IP based URL
 */}}
-{{- define "ironic.externalHttpHost" }}
-{{- with .Values.global }}
-{{- if regexMatch ".*:.*" .externalHttpHost }}
-{{- print "[" .externalHttpHost "]" }}
-{{- else }}
-{{- .externalHttpHost }}
+{{- define "ironic.externalHttpUrl" }}
+{{- $host := ternary (include "metal3.provisioningIP" .) .Values.global.externalHttpHost (empty .Values.global.externalHttpHost) }}
+{{- if regexMatch ".*:.*" $host }}
+{{- $host = print "[" $host "]" }}
 {{- end }}
+{{- $protocol := "http" }}
+{{- $port := "6180" }}
+{{- if .Values.global.enable_vmedia_tls }}
+{{- $protocol = "https" }}
+{{- $port = .Values.global.vmediaTLSPort | default "6185" }}
 {{- end }}
+{{- print $protocol "://" $host ":" $port }}
 {{- end }}
 {{/*
diff --git a/metal3-chart/charts/ironic/templates/configmap.yaml b/metal3-chart/charts/ironic/templates/configmap.yaml
index 260e4c0..05f690a 100644
--- a/metal3-chart/charts/ironic/templates/configmap.yaml
+++ b/metal3-chart/charts/ironic/templates/configmap.yaml
@@ -5,9 +5,6 @@ metadata:
 labels:
 {{- include "ironic.labels" . | nindent 4 }}
 data:
- {{- $enableTLS := .Values.global.enable_tls }}
- {{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }}
- {{- $protocol := ternary "https" "http" $enableTLS }}
 {{- $deployArch := .Values.global.deployArchitecture }}
 {{- if ( .Values.global.enable_dnsmasq ) }}
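Review bot: The new `ironic.externalHttpUrl` silently changes two things the commit message does not mention: the port drops from the old hard-coded `:6385` to `6180`/`6185`, and the HTTPS decision now keys on `enable_vmedia_tls` alone where the removed configmap code required `and $enableTLS $enableVMediaTLS`. If both are intended fixes they should be stated in the message; if not, `{{- if and .Values.global.enable_tls .Values.global.enable_vmedia_tls }}` restores the old gate. Sprig's `ternary` evaluates both arms, so `include "metal3.provisioningIP" .` runs even when `externalHttpHost` is set; that is harmless unless the helper fails on an unset IP, which I cannot see from here. The rename from `ironic.externalHttpHost` also breaks any other template that still includes the old name; none is visible in this series.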
@@ -20,15 +17,7 @@ data:
 {{- end }}
 HTTP_PORT: "6180"
 PREDICTABLE_NIC_NAMES: "{{ .Values.global.predictableNicNames }}"
- # Switch VMedia to HTTP if enable_vmedia_tls is false
- {{- if and $enableTLS $enableVMediaTLS }}
- {{- $protocol = "https" }}
- {{- else }}
- {{- $protocol = "http" }}
- {{- end }}
- {{- if .Values.global.externalHttpHost }}
- IRONIC_EXTERNAL_HTTP_URL: {{ $protocol }}://{{ include "ironic.externalHttpHost" . }}:6385
- {{- end }}
+ IRONIC_EXTERNAL_HTTP_URL: {{ include "ironic.externalHttpUrl" . }}
 DEPLOY_ARCHITECTURE: {{ $deployArch }}
 ENABLE_PXE_BOOT: "{{ .Values.global.enable_pxe_boot }}"
 {{- if .Values.global.provisioningInterface }}
-- 
2.51.1

From 5bf3812659d32cf6ae84c4e3760c62c8b3b965f60686f78259900f2ab964e58b Mon Sep 17 00:00:00 2001
From: Marco Chiappero
Date: Wed, 13 Aug 2025 18:15:15 +0000
Subject: [PATCH 3/3] Let every media download go through HTTPS if set up

Update some URLs to leverage HTTPs whenever VMEDIA_TLS_PORT is set.
Signed-off-by: Marco Chiappero
---
 ironic-image/ironic-config/ironic.conf.j2 | 10 +++++++---
 ironic-image/scripts/configure-ironic.sh | 5 +++++
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/ironic-image/ironic-config/ironic.conf.j2 b/ironic-image/ironic-config/ironic.conf.j2
index 7333c37..3c7ea0e 100644
--- a/ironic-image/ironic-config/ironic.conf.j2
+++ b/ironic-image/ironic-config/ironic.conf.j2
@@ -91,7 +91,11 @@ send_sensor_data = {{ env.SEND_SENSOR_DATA }}
 # Power state is checked every 60 seconds and BMC activity should
 # be avoided more often than once every sixty seconds.
 send_sensor_data_interval = 160
+{% if env.VMEDIA_TLS_PORT %}
+bootloader = {{ env.IRONIC_HTTPS_VMEDIA_URL }}/uefi_esp-{{ env.DEPLOY_ARCHITECTURE }}.img
+{% else %}
 bootloader = {{ env.IRONIC_HTTP_URL }}/uefi_esp-{{ env.DEPLOY_ARCHITECTURE }}.img
+{% endif %}
 verify_step_priority_override = management.clear_job_queue:90
 # We don't use this feature, and it creates an additional load on the database
 node_history = False
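Review bot: `IRONIC_EXTERNAL_HTTP_URL` is now emitted unconditionally, so when `externalHttpHost` is empty and `metal3.provisioningIP` renders empty too, the ConfigMap carries `http://:6180`, which `ironic.conf.j2` then accepts as `external_http_url` because it only tests for a non-empty string; the removed `{{- if .Values.global.externalHttpHost }}` guard used to prevent that. Wrapping the line in a check on the resolved host, or having the helper render nothing when `$host` is empty, keeps the old behaviour for unconfigured deployments. Stylistically the sibling keys in this block are quoted (`HTTP_PORT: "6180"`), so `IRONIC_EXTERNAL_HTTP_URL: {{ include "ironic.externalHttpUrl" . | quote }}` would match them and protect against a host value YAML would otherwise re-interpret.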
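Review bot: The `{% if env.VMEDIA_TLS_PORT %}` / `{% else %}` pair duplicates the whole `bootloader` line, and the same choice is repeated inline for `http_url` and `external_http_url` in the next hunk; a single `{% set media_url = env.IRONIC_HTTPS_VMEDIA_URL if env.VMEDIA_TLS_PORT else env.IRONIC_HTTP_URL %}` near the top of the file would let the lines read `bootloader = {{ media_url }}/uefi_esp-{{ env.DEPLOY_ARCHITECTURE }}.img` and `http_url = {{ media_url }}`. The branch relies on `IRONIC_HTTPS_VMEDIA_URL` having been exported by `configure-ironic.sh` under the same condition, and nothing in this file enforces that coupling, so a comment pointing at it would help the next reader. Moving the bootloader download to HTTPS also means the ramdisk and BMC fetching it must trust the vmedia certificate, which is worth a sentence in the commit message if it is a new deployment requirement.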
@@ -123,15 +127,15 @@ default_boot_option = local
 erase_devices_metadata_priority = 10
 erase_devices_priority = 0
 http_root = /shared/html/
-http_url = {{ env.IRONIC_HTTP_URL }}
+http_url = {% if env.VMEDIA_TLS_PORT %}{{ env.IRONIC_HTTPS_VMEDIA_URL }}{% else %}{{ env.IRONIC_HTTP_URL }}{% endif %}
 fast_track = {{ env.IRONIC_FAST_TRACK }}
 {% if env.IRONIC_BOOT_ISO_SOURCE %}
 ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }}
 {% endif %}
 {% if env.IRONIC_EXTERNAL_HTTP_URL %}
 external_http_url = {{ env.IRONIC_EXTERNAL_HTTP_URL }}
-{% elif env.IRONIC_VMEDIA_TLS_SETUP == "true" %}
-external_http_url = https://{{ env.IRONIC_URL_HOST }}:{{ env.VMEDIA_TLS_PORT }}
+{% elif env.VMEDIA_TLS_PORT %}
+external_http_url = {{ env.IRONIC_HTTPS_VMEDIA_URL }}
 {% endif %}
 {% if env.IRONIC_EXTERNAL_CALLBACK_URL %}
 external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
diff --git a/ironic-image/scripts/configure-ironic.sh b/ironic-image/scripts/configure-ironic.sh
index 7b0d00b..149812f 100755
--- a/ironic-image/scripts/configure-ironic.sh
+++ b/ironic-image/scripts/configure-ironic.sh
@@ -3,6 +3,7 @@ set -euxo pipefail
 IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}"
+export VMEDIA_TLS_PORT="${VMEDIA_TLS_PORT:-}"
 # Define the VLAN interfaces to be included in introspection report, e.g.
 # all - all VLANs on all interfaces using LLDP information
@@ -59,6 +60,10 @@ else
 export IRONIC_HOST_IP="$IRONIC_IP"
 fi
+if [[ "${VMEDIA_TLS_PORT}" ]]; then
+ export IRONIC_HTTPS_VMEDIA_URL="https://${IRONIC_URL_HOST}:${VMEDIA_TLS_PORT}"
+fi
+
 # Hostname to use for the current conductor instance.
 export IRONIC_CONDUCTOR_HOST=${IRONIC_CONDUCTOR_HOST:-${IRONIC_URL_HOST}}
-- 
2.51.1
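Review bot: `http_url` now points at `IRONIC_HTTPS_VMEDIA_URL` whenever `VMEDIA_TLS_PORT` is set, which only works if the HTTPS listener on that port serves the same `http_root = /shared/html/` tree as the plain HTTP one; that assumption is not visible in this series and deserves a comment on the line, e.g. `# the vmedia TLS listener must serve http_root as well`. The `elif` also changes the opt-in from an explicit `IRONIC_VMEDIA_TLS_SETUP == "true"` to mere presence of a port value, so an environment that sets a default `VMEDIA_TLS_PORT` without actually configuring TLS will advertise an `https://` `external_http_url` that nothing serves. Keeping both conditions, `{% elif env.VMEDIA_TLS_PORT and env.IRONIC_VMEDIA_TLS_SETUP == "true" %}`, would avoid that if `IRONIC_VMEDIA_TLS_SETUP` is still set elsewhere. The duplication with the `bootloader` branch is noted on the previous hunk.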
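Review bot: `VMEDIA_TLS_PORT` is interpolated into `IRONIC_HTTPS_VMEDIA_URL` without any check, so a non-numeric or malformed value yields a broken URL that `ironic.conf.j2` then uses for `http_url`, `bootloader` and `external_http_url` alike, with the failure surfacing only at the first deploy. Validating it up front, `[[ "${VMEDIA_TLS_PORT}" =~ ^[0-9]+$ ]] || { echo "VMEDIA_TLS_PORT must be a port number" >&2; exit 1; }`, keeps the error at container start. `[[ -n "${VMEDIA_TLS_PORT}" ]]` is the conventional spelling of the emptiness test. The block also assumes `IRONIC_URL_HOST` is already set and bracketed for IPv6 at this point; the `IRONIC_CONDUCTOR_HOST` line below suggests it is, but a comment saying so would make the ordering dependency explicit.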