openshift / installer

Install an OpenShift 4.x cluster
https://try.openshift.com
Apache License 2.0

METAL-1137: Enable TLS for ironic API in the bootstrap VM #9189

Open MahnoorAsghar opened 2 weeks ago

openshift-ci-robot commented 2 weeks ago

@MahnoorAsghar: This pull request references METAL-1137 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to [this](https://github.com/openshift/installer/pull/9189):

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Finstaller). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

MahnoorAsghar commented 2 weeks ago

/jira refresh

openshift-ci-robot commented 2 weeks ago

@MahnoorAsghar: This pull request references METAL-1137 which is a valid jira issue.

dtantsur commented 2 weeks ago

Do we have any strong reasons to generate a new certificate? We even called the previous one IronicTLSCert assuming it will be used not just for virtual media.

MahnoorAsghar commented 2 weeks ago

@dtantsur That's a good question - I thought that's the way things should be: two separate certificates for 2 separate TLSs, but we could use the same one

openshift-ci[bot] commented 2 weeks ago

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:

Once this PR has been reviewed and has the lgtm label, please assign dtantsur for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

- **[data/data/bootstrap/baremetal/OWNERS](https://github.com/openshift/installer/blob/master/data/data/bootstrap/baremetal/OWNERS)**

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment

MahnoorAsghar commented 2 weeks ago

/retest

They're all failing with this error:

could not run steps: step e2e-aws-ovn failed: failed to acquire lease for "aws-quota-slice": status 502 Bad Gateway, status code 502

dtantsur commented 2 weeks ago

I think a few more changes might be required:

1) Changing the URL we're passing to BMO

2) Adding IRONIC_INSECURE to various containers that cannot verify the certificate (BMO, most likely Ironic itself - for IPA).

MahnoorAsghar commented 2 weeks ago

(I'm unsure about the last patch I pushed, will take a deeper look later, most likely :))

openshift-ci[bot] commented 2 weeks ago

@MahnoorAsghar: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-metal-ipi-ovn-virtualmedia | b76a2ae832b3e2cd7b3de61119930e8ab27e9617 | link | false | `/test e2e-metal-ipi-ovn-virtualmedia` |
| ci/prow/e2e-metal-ipi-ovn | b76a2ae832b3e2cd7b3de61119930e8ab27e9617 | link | false | `/test e2e-metal-ipi-ovn` |
| ci/prow/e2e-metal-ipi-ovn-swapped-hosts | b76a2ae832b3e2cd7b3de61119930e8ab27e9617 | link | false | `/test e2e-metal-ipi-ovn-swapped-hosts` |
| ci/prow/e2e-metal-ipi-ovn-dualstack | b76a2ae832b3e2cd7b3de61119930e8ab27e9617 | link | false | `/test e2e-metal-ipi-ovn-dualstack` |
| ci/prow/e2e-metal-ipi-ovn-ipv6 | b76a2ae832b3e2cd7b3de61119930e8ab27e9617 | link | true | `/test e2e-metal-ipi-ovn-ipv6` |


Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).