Fix ironic-python-agent - CA bundle inject #506

Merged

@hjensas hjensas commented Dec 19, 2024

Currently the pxe-init script copies the certificate bundle directly to /etc/pki/ca-trust/extracted in the initramfs. When update-ca-trust runs under chroot the contents under pki/ca-trust/extracted are overwritten. See manual page: update-ca-trust(8) "EXTRACTED CONFIGURATION" section.

With this change the bundle is copied to /etc/pki/ca-trust/source/anchors directory in the initramfs instead, so that update-ca-trust will find the source and update CA certs and trusts correctly.

Jira: OSPRH-12526
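
A check for the failure mode described above, as an added example that is not part of this PR or the operator's code: given an unpacked initramfs or chroot tree, it reports where the injected bundle was placed and how many of its certificates are missing from the trust file that update-ca-trust regenerates. The function names and the ROOT argument are assumptions made for illustration; certificates are compared by their base64 bodies, so re-wrapped PEM still matches.

```shell
#!/bin/sh
# Added example, not code from the PR. ROOT is an unpacked initramfs/chroot tree.

# pem_bodies FILE: print one line per certificate, holding its base64 body
# with line wrapping removed so that re-encoded copies compare equal.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; in_cert = 1; next }
        /-----END CERTIFICATE-----/   { if (in_cert) print body; in_cert = 0; next }
        in_cert { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# inject_location ROOT BUNDLE: print "source/anchors" if a byte-identical copy
# of BUNDLE sits where update-ca-trust reads its input, "extracted" if it only
# sits in the output tree (which update-ca-trust overwrites), else "absent".
inject_location() {
    for dir in source/anchors extracted; do
        for f in "$1/etc/pki/ca-trust/$dir"/* "$1/etc/pki/ca-trust/$dir"/*/*; do
            [ -f "$f" ] && cmp -s "$f" "$2" && { echo "$dir"; return 0; }
        done
    done
    echo "absent"
}

# missing_from_trust ROOT BUNDLE: print how many certificates in BUNDLE are not
# present in the regenerated extracted/pem/tls-ca-bundle.pem under ROOT.
# Returns 2 if that file does not exist (update-ca-trust has not run).
missing_from_trust() {
    extracted="$1/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
    [ -r "$extracted" ] || { echo "no extracted bundle under $1" >&2; return 2; }
    have=$(pem_bodies "$extracted")
    missing=0
    # base64 bodies contain no whitespace or glob characters, so splitting is safe
    for body in $(pem_bodies "$2"); do
        printf '%s\n' "$have" | grep -qxF -- "$body" || missing=$((missing + 1))
    done
    echo "$missing"
}
```

Run `missing_from_trust` after update-ca-trust has executed in the chroot; a non-zero count together with `inject_location` printing "extracted" or "absent" matches the behaviour this PR describes.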

@hjensas hjensas added bug Something isn't working do-not-merge/hold labels Dec 19, 2024
@hjensas hjensas requested a review from stuggi December 19, 2024 18:03
@hjensas hjensas force-pushed the OSPRH-12526 branch 2 times, most recently from 60436cd to aba8781 Compare December 19, 2024 18:11
stuggi commented Dec 20, 2024

do we need this? our big ca bundle already has the internal-ca-bundle included.

hjensas commented Dec 20, 2024

> do we need this? our big ca bundle already has the internal-ca-bundle included.

Thanks Martin!
It is possible my root cause analysis is wrong.

We are injecting that (or at least we intend to) since: #491

Also, after looking more at the lib-common, I think this patch would actually just mount the big ca bundle again under a different name. Anyhow ... I'll go back to figuring out the root cause.

@hjensas hjensas removed the approved label Dec 20, 2024
@hjensas hjensas changed the title Fix ironic-python-agent - CA bundle inject [DNM] Fix ironic-python-agent - CA bundle inject Dec 20, 2024

hjensas commented Jan 2, 2025

/recheck

@hjensas hjensas changed the title [DNM] Fix ironic-python-agent - CA bundle inject Fix ironic-python-agent - CA bundle inject Jan 3, 2025
Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/69dabee1829c403a9edce379789c5bad

✔️ noop SUCCESS in 0s
✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 06m 52s
podified-multinode-ironic-deployment POST_FAILURE in 47m 40s


hjensas commented Jan 3, 2025

recheck

Task Collect logs, artifacts and docs failed running on host controller

kex_exchange_identification: read: Connection reset by peer

rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(226) [Receiver=3.1.3]


@steveb steveb left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Jan 5, 2025

openshift-ci bot commented Jan 5, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hjensas, steveb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


hjensas commented Jan 7, 2025

/test ironic-operator-build-deploy-kuttl

@openshift-merge-bot openshift-merge-bot bot merged commit faf8bd6 into openstack-k8s-operators:main Jan 7, 2025
7 checks passed