From f60348562e324689b3c7e60b091b9f2bc5d5a804f528553e055d7bf7ac9177ba Mon Sep 17 00:00:00 2001 From: Nicolas Belouin Date: Fri, 3 Oct 2025 09:31:53 +0200 Subject: [PATCH] metal3: Introduce TLS variables for ironic vmedia server port of https://github.com/metal3-io/ironic-image/pull/759 Expose it in chart with a new `ironic.ironicExtraEnv` value that allows passing arbitrary extra environment variables to allow for advanced configuration we may not want to keep as not for the faint of heart. Signed-off-by: Nicolas Belouin --- ironic-image/Dockerfile | 8 ++++---- ironic-image/ironic-config/apache2-vmedia.conf.j2 | 13 +++++++++++++ metal3-chart/Chart.yaml | 12 ++++++------ metal3-chart/charts/ironic/Chart.yaml | 2 +- metal3-chart/charts/ironic/templates/configmap.yaml | 3 +++ metal3-chart/charts/ironic/values.yaml | 4 +++- metal3-chart/charts/media/Chart.yaml | 2 +- metal3-chart/charts/media/values.yaml | 9 +++++++-- release-manifest-image/release_manifest.yaml | 4 ++-- 9 files changed, 40 insertions(+), 17 deletions(-) diff --git a/ironic-image/Dockerfile b/ironic-image/Dockerfile index b137d4f..671f1f5 100644 --- a/ironic-image/Dockerfile +++ b/ironic-image/Dockerfile @@ -1,6 +1,6 @@ # SPDX-License-Identifier: Apache-2.0 -#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.3 -#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.3-%RELEASE% +#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.4 +#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.4-%RELEASE% ARG SLE_VERSION FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro 
@@ -41,8 +41,8 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba LABEL org.opencontainers.image.url="https://www.suse.com/products/server/" LABEL org.opencontainers.image.created="%BUILDTIME%" LABEL org.opencontainers.image.vendor="SUSE LLC" -LABEL org.opencontainers.image.version="29.0.4.3" -LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:29.0.4.3-%RELEASE%" +LABEL org.opencontainers.image.version="29.0.4.4" +LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:29.0.4.4-%RELEASE%" LABEL org.openbuildservice.disturl="%DISTURL%" LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%" LABEL com.suse.eula="SUSE Combined EULA February 2024" diff --git a/ironic-image/ironic-config/apache2-vmedia.conf.j2 b/ironic-image/ironic-config/apache2-vmedia.conf.j2 index 2301717..3abb7c4 100644 --- a/ironic-image/ironic-config/apache2-vmedia.conf.j2 +++ b/ironic-image/ironic-config/apache2-vmedia.conf.j2 @@ -11,6 +11,19 @@ Listen [::]:{{ env.VMEDIA_TLS_PORT }} SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }} SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }} + {% if "IRONIC_VMEDIA_TLS_12_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_12_CIPHERS %} + SSLCipherSuite {{ env.IRONIC_VMEDIA_TLS_12_CIPHERS }} + {% endif %} + {% if "IRONIC_VMEDIA_TLS_13_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_13_CIPHERS %} + SSLCipherSuite TLSv1.3 {{ env.IRONIC_VMEDIA_TLS_13_CIPHERS }} + {% endif %} + {% if "IRONIC_VMEDIA_CURVES" in env and env.IRONIC_VMEDIA_CURVES %} + SSLOpenSSLConfCmd Curves {{ env.IRONIC_VMEDIA_CURVES }} + {% endif %} + {% if env.IRONIC_VMEDIA_TLS_ENFORCE_SERVER_CIPHER_ORDER | lower == "true" %} + SSLHonorCipherOrder on + {% endif %} + Options Indexes FollowSymLinks AllowOverride None diff --git a/metal3-chart/Chart.yaml b/metal3-chart/Chart.yaml index 8b38eba..70e0d15 100644 --- a/metal3-chart/Chart.yaml +++ b/metal3-chart/Chart.yaml 
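Review bot: In the apache2-vmedia.conf.j2 hunk the last added conditional reads `env.IRONIC_VMEDIA_TLS_ENFORCE_SERVER_CIPHER_ORDER` directly, while the three conditionals above it first test `"..." in env`. Whether an unset variable renders as empty or raises depends on how the Jinja environment treats undefined values, which is not visible here. Writing it as `{% if env.IRONIC_VMEDIA_TLS_ENFORCE_SERVER_CIPHER_ORDER | default("") | lower == "true" %}` keeps the template safe under strict undefined handling. The cipher and curve values go into `SSLCipherSuite` and `SSLOpenSSLConfCmd` verbatim, so I would add a template comment along the lines of `{# values are emitted unvalidated: a malformed list is likely to stop httpd from starting, and a weak list is accepted as-is #}`. The enclosing block starts and ends outside the hunk and no `SSLProtocol` line is visible, so it is worth confirming there that the minimum TLS version is pinned alongside the cipher list.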
@@ -1,7 +1,7 @@ -#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.17_up0.12.7 -#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.17_up0.12.7-%RELEASE% +#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.18_up0.12.8 +#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.18_up0.12.8-%RELEASE% apiVersion: v2 -appVersion: 0.12.6 +appVersion: 0.12.8 dependencies: - alias: metal3-baremetal-operator name: baremetal-operator @@ -10,7 +10,7 @@ dependencies: - alias: metal3-ironic name: ironic repository: file://./charts/ironic - version: 0.11.4 + version: 0.11.5 - alias: metal3-mariadb condition: global.enable_mariadb name: mariadb @@ -20,9 +20,9 @@ dependencies: condition: global.enable_metal3_media_server name: media repository: file://./charts/media - version: 0.7.0 + version: 0.7.1 description: A Helm chart that installs all of the dependencies needed for Metal3 icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg name: metal3 type: application -version: "%%CHART_MAJOR%%.0.17+up0.12.7" +version: "%%CHART_MAJOR%%.0.18+up0.12.8" diff --git a/metal3-chart/charts/ironic/Chart.yaml b/metal3-chart/charts/ironic/Chart.yaml index cf64357..c5b378c 100644 --- a/metal3-chart/charts/ironic/Chart.yaml +++ b/metal3-chart/charts/ironic/Chart.yaml @@ -3,4 +3,4 @@ appVersion: 29.0.4 description: A Helm chart for Ironic, used by Metal3 name: ironic type: application -version: 0.11.4 +version: 0.11.5 diff --git a/metal3-chart/charts/ironic/templates/configmap.yaml b/metal3-chart/charts/ironic/templates/configmap.yaml index f46830b..58912b4 100644 --- a/metal3-chart/charts/ironic/templates/configmap.yaml +++ b/metal3-chart/charts/ironic/templates/configmap.yaml @@ -52,3 +52,6 @@ data: {{- else }} IRONIC_USE_MARIADB: "false" {{- end }} + {{- with .Values.ironicExtraEnv -}} + {{ toYaml . | nindent 2 }} + {{- end -}} \ No newline at end of file 
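Review bot: In charts/ironic/templates/configmap.yaml the added `toYaml . | nindent 2` renders `ironicExtraEnv` values with their YAML types, so an unquoted `true` or a number in the values file lands in the ConfigMap `data` as a non-string and the object would be rejected on apply. Rendering each entry as a string avoids that, indented under `data`: `{{- range $k, $v := .Values.ironicExtraEnv }}` / `{{ $k }}: {{ $v | quote }}` / `{{- end }}`. Because the entries are appended to the same `data` map, a key the chart already sets (for example `IRONIC_USE_MARIADB`, visible in the context) would appear twice, and which value wins depends on the YAML parser; a documented list of reserved names would make that explicit. The `ironicExtraEnv: {}` default added in charts/ironic/values.yaml has no comment, and I would put `# Extra env vars added to the ironic ConfigMap; values must be quoted strings, and secrets do not belong here` above it.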
diff --git a/metal3-chart/charts/ironic/values.yaml b/metal3-chart/charts/ironic/values.yaml index 4f0aa74..2c83461 100644 --- a/metal3-chart/charts/ironic/values.yaml +++ b/metal3-chart/charts/ironic/values.yaml @@ -64,7 +64,7 @@ images: ironic: repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic pullPolicy: IfNotPresent - tag: 29.0.4.3 + tag: 29.0.4.4 ironicIPADownloader: repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic-ipa-downloader pullPolicy: IfNotPresent @@ -138,6 +138,8 @@ baremetaloperator: debug: ironicRamdiskSshKey: "" +ironicExtraEnv: {} + tlscerts: cacert: "" key: "" diff --git a/metal3-chart/charts/media/Chart.yaml b/metal3-chart/charts/media/Chart.yaml index 4899bbb..5f74cd3 100644 --- a/metal3-chart/charts/media/Chart.yaml +++ b/metal3-chart/charts/media/Chart.yaml @@ -3,4 +3,4 @@ appVersion: 1.21.0 description: A Helm chart for Media, used by Metal3 name: media type: application -version: 0.7.0 +version: 0.7.1 diff --git a/metal3-chart/charts/media/values.yaml b/metal3-chart/charts/media/values.yaml index b573861..2cbe873 100644 --- a/metal3-chart/charts/media/values.yaml +++ b/metal3-chart/charts/media/values.yaml @@ -42,8 +42,8 @@ serviceAccount: podAnnotations: {} podSecurityContext: - runAsUser: 10475 - fsGroup: 10475 + runAsUser: 486 + fsGroup: 499 securityContext: allowPrivilegeEscalation: false @@ -102,11 +102,16 @@ volumes: - name: assets persistentVolumeClaim: claimName: media + - name: run + emptyDir: + sizeLimit: 10Mi # volume mounts volumeMounts: - mountPath: /srv/www/htdocs name: assets + - mountPath: /run + name: run # media volume settings mediaVolume: diff --git a/release-manifest-image/release_manifest.yaml b/release-manifest-image/release_manifest.yaml index f5afdd1..7f471f8 100644 --- a/release-manifest-image/release_manifest.yaml +++ b/release-manifest-image/release_manifest.yaml 
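Review bot: The `podSecurityContext` change in charts/media/values.yaml replaces `10475` with `runAsUser: 486` and `fsGroup: 499` without a comment or a mention in the commit message, so a reader cannot tell which account in the media image these IDs are meant to match. If they mirror a system user created at image build time, they can shift when the image's package set changes; a comment such as `# must match the web server user/group in the media image` next to them would record the coupling. Neither hunk shows `runAsNonRoot: true`; if it is not set elsewhere in this file, adding it under `podSecurityContext` would keep a later edit from silently running the pod as UID 0. The new `run` emptyDir mounted at `/run` presumably gives the server a writable runtime directory, which is worth stating in a comment as well.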
@@ -171,7 +171,7 @@ spec: - prettyName: Metal3 releaseName: metal3 chart: '%%CHART_REPO%%/%%CHART_PREFIX%%metal3' - version: '%%CHART_MAJOR%%.0.17+up0.12.7' + version: '%%CHART_MAJOR%%.0.18+up0.12.8' - prettyName: RancherTurtles releaseName: rancher-turtles chart: '%%CHART_REPO%%/%%CHART_PREFIX%%rancher-turtles' @@ -184,4 +184,4 @@ spec: releaseName: cert-manager chart: cert-manager version: 1.18.2 - repository: https://charts.jetstack.io \ No newline at end of file + repository: https://charts.jetstack.io -- 2.51.1