feat: add verify ca conf support for drivers

Closes-Bug: #2040236
Change-Id: Iaedb68e9e3c22b7194c9e09425757a081c601bf1
Zou Yu
2025-03-25 11:53:53 +08:00
committed by Yu Zou
parent c33f12329c
commit 65909e25ab
7 changed files with 114 additions and 2 deletions


@@ -138,6 +138,9 @@ opts = [
'/proc/cmdline. Mind severe cmdline size limit! Can be '
'overridden by `instance_info/kernel_append_params` '
'property.')),
cfg.StrOpt('verify_ca',
help=_('The default verify_ca path when irmc_verify_ca '
'in driver_info is missing or set to True.')),
]
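Review bot: The help text for the new `verify_ca` option does not say what kind of value is expected or how it ranks against the other settings, and the same applies to the `[redfish]` copy of the option in the next file. Judging from the rest of this commit, the value replaces a missing or `True` driver_info setting, while an explicit `False` in driver_info is returned unchanged, so certificate verification stays off for that node whatever this option says. For iRMC the existing `webserver_verify_ca` fallback is then only reached when this option is unset. I would extend the help along the lines of `'Path to a CA certificate file or directory used when irmc_verify_ca in driver_info is missing or True. An explicit False in driver_info is not overridden.'`.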


@@ -121,6 +121,9 @@ opts = [
help=_('Number of seconds to wait for boot mode or secure '
'boot status change to take effect after a reboot. '
'Set to 0 to disable waiting.')),
cfg.StrOpt('verify_ca',
help=_('The default verify_ca path when redfish_verify_ca '
'in driver_info is missing or set to True.')),
]


@@ -29,6 +29,7 @@ from ironic.common.i18n import _
from ironic.common import utils
from ironic.conf import CONF
from ironic.drivers.modules import snmp
from ironic.drivers import utils as driver_utils
scci = importutils.try_import('scciclient.irmc.scci')
elcm = importutils.try_import('scciclient.irmc.elcm')
@@ -182,7 +183,7 @@ def parse_driver_info(node):
_("Value '%s' is not supported for 'irmc_sensor_method'.") %
d_info['irmc_sensor_method'])
verify_ca = d_info.get('irmc_verify_ca')
verify_ca = driver_utils.get_verify_ca(node, d_info.get('irmc_verify_ca'))
if verify_ca is None:
d_info['irmc_verify_ca'] = verify_ca = CONF.webserver_verify_ca
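Review bot: The value returned by `get_verify_ca` is kept only in the local `verify_ca`; `d_info['irmc_verify_ca']` is written solely in the `is None` branch. When driver_info holds `True` (or nothing) and `[irmc]verify_ca` is set, the local becomes the configured path while `d_info` still carries the original value. The rest of `parse_driver_info` lies outside this hunk, so I cannot tell which of the two the later code and its callers use; if they read `d_info['irmc_verify_ca']`, the configured CA would be silently dropped. Assigning both at once avoids the question: `d_info['irmc_verify_ca'] = verify_ca = driver_utils.get_verify_ca(node, d_info.get('irmc_verify_ca'))`.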


@@ -30,6 +30,7 @@ from ironic.common import exception
from ironic.common.i18n import _
from ironic.common import utils
from ironic.conf import CONF
from ironic.drivers import utils as driver_utils
LOG = log.getLogger(__name__)
@@ -151,7 +152,8 @@ def parse_driver_info(node):
{'value': driver_info['redfish_system_id'], 'node': node.uuid})
# Check if verify_ca is a Boolean or a file/directory in the file-system
verify_ca = driver_info.get('redfish_verify_ca', True)
verify_ca = driver_utils.get_verify_ca(
node, driver_info.get('redfish_verify_ca', True))
if isinstance(verify_ca, str):
if os.path.isdir(verify_ca) or os.path.isfile(verify_ca):
pass
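Review bot: A string value such as `'True'` in `redfish_verify_ca` will not pick up the new configured default, because `get_verify_ca` substitutes only for `None` and the boolean `True` (its check is `verify_ca is not True`) and returns every other value unchanged. The `isinstance(verify_ca, str)` branch directly below shows that string values are expected at this point, and driver_info set from a command line presumably arrives as strings. Such a node would be verified against whatever the later boolean handling selects rather than the operator's CA path, with nothing logged to explain why. Treating boolean-like strings the same as `True` inside the helper would close the gap, for example `if isinstance(verify_ca, str) and verify_ca.strip().lower() == 'true': verify_ca = True` before the identity check. The same applies to the iRMC call site, and `parse_driver_info` continues outside this hunk.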


@@ -550,3 +550,27 @@ def power_off_and_on(task):
next_state = (states.REBOOT if task.node.disable_power_off
else states.POWER_ON)
utils.node_power_action(task, next_state)
def get_verify_ca(node, verify_ca):
"""Add verify_ca setting to driver_info if needed.
This function checks if verify_ca needs to be set based on
configuration values and existing driver_info settings.
:param node: The node object
:param verify_ca: The verify_ca settings in driver_info
:return: Updated verify_ca setting if needed
"""
config_group = node.driver
if node.driver == 'idrac':
config_group = 'redfish'
if verify_ca is not None and verify_ca is not True:
return verify_ca
if CONF.get(config_group, {}).get('verify_ca'):
verify_ca = CONF[config_group]['verify_ca']
return verify_ca
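Review bot: The config group in `get_verify_ca` is taken from `node.driver`, which names the node's hardware type rather than the driver module making the call, so the lookup is only known to be right for the three names the tests cover. If any other hardware type reaches the Redfish or iRMC `parse_driver_info` (this page does not show which can), `[redfish]verify_ca` would not be consulted, and whether `CONF.get(config_group, {})` returns the default or raises for an unregistered group should be confirmed with a test. Passing the group from the caller removes the guess, e.g. `def get_verify_ca(node, verify_ca, config_group=None):` with the Redfish caller passing `config_group='redfish'`. The docstring also says the function adds the setting to driver_info, but the body only returns a value; `"""Return the effective verify_ca value for a node."""` would match what it does.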


@@ -430,3 +430,74 @@ class MixinVendorInterfaceTestCase(db_base.DbTestCase):
self.assertRaises(exception.InvalidParameterValue,
self.vendor.validate,
task, method='fake_method')
class GetVerifyCATestCase(tests_base.TestCase):
def setUp(self):
super(GetVerifyCATestCase, self).setUp()
def test_default_verify_is_unspecified(self):
node = obj_utils.get_test_node(self.context)
for case in [
{
'driver': 'idrac',
'config_group': 'drac',
'driver_info_key': 'redfish_verify_ca',
},
{
'driver': 'irmc',
'config_group': 'irmc',
'driver_info_key': 'irmc_verify_ca',
},
{
'driver': 'redfish',
'config_group': 'redfish',
'driver_info_key': 'redfish_verify_ca',
},
]:
node.driver = case['driver']
verify_ca = driver_utils.get_verify_ca(node, True)
self.assertEqual(verify_ca, True)
verify_ca = driver_utils.get_verify_ca(node, False)
self.assertEqual(verify_ca, False)
verify_ca = driver_utils.get_verify_ca(node, None)
self.assertIsNone(verify_ca)
verify_ca = driver_utils.get_verify_ca(node, 'rootca.crt')
self.assertEqual(verify_ca, 'rootca.crt')
def test_default_verify_is_specified(self):
node = obj_utils.get_test_node(self.context)
for case in [
{
'driver': 'idrac',
'config_group': 'redfish',
},
{
'driver': 'irmc',
'config_group': 'irmc',
},
{
'driver': 'redfish',
'config_group': 'redfish',
},
]:
node.driver = case['driver']
cfg.CONF.set_override(
'verify_ca', 'default.crt', case['config_group'])
verify_ca = driver_utils.get_verify_ca(node, True)
self.assertEqual(verify_ca, 'default.crt')
verify_ca = driver_utils.get_verify_ca(node, False)
self.assertEqual(verify_ca, False)
verify_ca = driver_utils.get_verify_ca(node, None)
self.assertEqual(verify_ca, 'default.crt')
verify_ca = driver_utils.get_verify_ca(node, 'rootca.crt')
self.assertEqual(verify_ca, 'rootca.crt')
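Review bot: The case dictionaries in `test_default_verify_is_unspecified` carry `config_group` and `driver_info_key` entries that the loop never reads, and `'config_group': 'drac'` for `idrac` contradicts the `redfish` mapping used by the second test and by `get_verify_ca`. I would iterate over plain names in the first test, `for driver in ('idrac', 'irmc', 'redfish'):`, and drop the `setUp` that only calls `super()`. Two inputs are not exercised at all: a string such as `'True'` passed as `verify_ca`, and a `node.driver` value with no config group of the same name. Adding a case for each would pin what the helper is meant to do there, which matters because the result decides which CA, if any, the BMC connection is verified against.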


@@ -0,0 +1,8 @@
---
features:
- |
Allows users to specify the verify_ca path for the corresponding driver
through the ``verify_ca`` option under the ``[<driver>]`` section in the configuration.
When ``[driver_info]/<driver>_verify_ca`` is specified as None or True,
it will be replaced by the value of the ``verify_ca`` option.
NOTE: For the ``idrac`` driver, it uses the same options as the ``redfish`` driver.