From 65909e25abe19a9d5b090ec54c1f53096694443e Mon Sep 17 00:00:00 2001 From: Zou Yu Date: Tue, 25 Mar 2025 11:53:53 +0800 Subject: [PATCH] feat: add verify ca conf support for drivers Closes-Bug: #2040236 Change-Id: Iaedb68e9e3c22b7194c9e09425757a081c601bf1 --- ironic/conf/irmc.py | 3 + ironic/conf/redfish.py | 3 + ironic/drivers/modules/irmc/common.py | 3 +- ironic/drivers/modules/redfish/utils.py | 4 +- ironic/drivers/utils.py | 24 +++++++ ironic/tests/unit/drivers/test_utils.py | 71 +++++++++++++++++++ ...a-opt-for-driver-cfg-72284de9b2acd1ab.yaml | 8 +++ 7 files changed, 114 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/add-default-verify-ca-opt-for-driver-cfg-72284de9b2acd1ab.yaml diff --git a/ironic/conf/irmc.py b/ironic/conf/irmc.py index e36c83d604..9a66a5f0bd 100644 --- a/ironic/conf/irmc.py +++ b/ironic/conf/irmc.py @@ -138,6 +138,9 @@ opts = [ '/proc/cmdline. Mind severe cmdline size limit! Can be ' 'overridden by `instance_info/kernel_append_params` ' 'property.')), + cfg.StrOpt('verify_ca', + help=_('The default verify_ca path when irmc_verify_ca ' + 'in driver_info is missing or set to True.')), ] diff --git a/ironic/conf/redfish.py b/ironic/conf/redfish.py index 7ef0ff4b61..791bd6516d 100644 --- a/ironic/conf/redfish.py +++ b/ironic/conf/redfish.py @@ -121,6 +121,9 @@ opts = [ help=_('Number of seconds to wait for boot mode or secure ' 'boot status change to take effect after a reboot. ' 'Set to 0 to disable waiting.')), + cfg.StrOpt('verify_ca', + help=_('The default verify_ca path when redfish_verify_ca ' + 'in driver_info is missing or set to True.')), ] diff --git a/ironic/drivers/modules/irmc/common.py b/ironic/drivers/modules/irmc/common.py index 8fcb0d8be5..157beb98ed 100644 --- a/ironic/drivers/modules/irmc/common.py +++ b/ironic/drivers/modules/irmc/common.py 
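Review bot: The help text for the new `verify_ca` option in `ironic/conf/irmc.py` does not say what kind of value is expected or what the option cannot override; the `ironic/conf/redfish.py` hunk has the same gap. As `get_verify_ca` is written later in this patch, an explicit `False` or a path in driver_info is returned unchanged. Setting the option therefore does not turn verification back on for a node that disabled it, which an operator would want to know. Suggested wording for irmc: `help=_('Path to a CA certificate file or directory used when irmc_verify_ca in driver_info is missing or True. An explicit False or path in driver_info is not overridden.')`, with the matching text for `redfish_verify_ca`.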
@@ -29,6 +29,7 @@ from ironic.common.i18n import _ from ironic.common import utils from ironic.conf import CONF from ironic.drivers.modules import snmp +from ironic.drivers import utils as driver_utils scci = importutils.try_import('scciclient.irmc.scci') elcm = importutils.try_import('scciclient.irmc.elcm') @@ -182,7 +183,7 @@ def parse_driver_info(node): _("Value '%s' is not supported for 'irmc_sensor_method'.") % d_info['irmc_sensor_method']) - verify_ca = d_info.get('irmc_verify_ca') + verify_ca = driver_utils.get_verify_ca(node, d_info.get('irmc_verify_ca')) if verify_ca is None: d_info['irmc_verify_ca'] = verify_ca = CONF.webserver_verify_ca diff --git a/ironic/drivers/modules/redfish/utils.py b/ironic/drivers/modules/redfish/utils.py index b00352492e..3d2969e8fe 100644 --- a/ironic/drivers/modules/redfish/utils.py +++ b/ironic/drivers/modules/redfish/utils.py @@ -30,6 +30,7 @@ from ironic.common import exception from ironic.common.i18n import _ from ironic.common import utils from ironic.conf import CONF +from ironic.drivers import utils as driver_utils LOG = log.getLogger(__name__) @@ -151,7 +152,8 @@ def parse_driver_info(node): {'value': driver_info['redfish_system_id'], 'node': node.uuid}) # Check if verify_ca is a Boolean or a file/directory in the file-system - verify_ca = driver_info.get('redfish_verify_ca', True) + verify_ca = driver_utils.get_verify_ca( + node, driver_info.get('redfish_verify_ca', True)) if isinstance(verify_ca, str): if os.path.isdir(verify_ca) or os.path.isfile(verify_ca): pass diff --git a/ironic/drivers/utils.py b/ironic/drivers/utils.py index 5e63d6dbe8..39c764005b 100644 --- a/ironic/drivers/utils.py +++ b/ironic/drivers/utils.py 
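Review bot: In the `parse_driver_info` hunk of `ironic/drivers/modules/irmc/common.py`, `d_info['irmc_verify_ca']` is still written only inside the `if verify_ca is None` branch. When `get_verify_ca` returns the `[irmc]verify_ca` path, only the local variable holds it, and `d_info` keeps `True` or has no key at all. The rest of the function is outside the hunk, so this needs confirming. If later code or callers read `d_info['irmc_verify_ca']`, the configured CA would not be applied to the iRMC session. Adding `d_info['irmc_verify_ca'] = verify_ca` directly after the `get_verify_ca` call would keep the two in step.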
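Review bot: In the `parse_driver_info` hunk of `ironic/drivers/modules/redfish/utils.py`, a string value such as `'True'` in `redfish_verify_ca` appears to bypass the new default. `get_verify_ca` compares with `verify_ca is not True`, so a string is returned as-is. The `isinstance(verify_ca, str)` block that follows suggests non-path strings are converted to booleans later, in code outside the hunk. If so, such a node ends up with plain `True` instead of the `[redfish]verify_ca` bundle the operator configured. Consider normalising boolean-like strings before calling the helper; the irmc call site looks exposed to the same case.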
@@ -550,3 +550,27 @@ def power_off_and_on(task): next_state = (states.REBOOT if task.node.disable_power_off else states.POWER_ON) utils.node_power_action(task, next_state) + + +def get_verify_ca(node, verify_ca): + """Add verify_ca setting to driver_info if needed. + + This function checks if verify_ca needs to be set based on + configuration values and existing driver_info settings. + + :param node: The node object + :param verify_ca: The verify_ca settings in driver_info + :return: Updated verify_ca setting if needed + """ + config_group = node.driver + + if node.driver == 'idrac': + config_group = 'redfish' + + if verify_ca is not None and verify_ca is not True: + return verify_ca + + if CONF.get(config_group, {}).get('verify_ca'): + verify_ca = CONF[config_group]['verify_ca'] + + return verify_ca diff --git a/ironic/tests/unit/drivers/test_utils.py b/ironic/tests/unit/drivers/test_utils.py index 9b68221c16..d2256b1e90 100644 --- a/ironic/tests/unit/drivers/test_utils.py +++ b/ironic/tests/unit/drivers/test_utils.py 
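Review bot: `get_verify_ca` picks the config group from `node.driver`, which ties the CA lookup to the hardware-type name rather than to the module that is asking. A node whose driver is none of `redfish`, `irmc` or `idrac` would get no default. If its name happened to match another config group that has a `verify_ca` option, it would pick up that unrelated value; whether such nodes reach this helper cannot be seen from the hunk. Letting each call site pass its group explicitly avoids the guess, with the current mapping kept as the fallback and a `:param config_group:` entry added to the docstring. The docstring summary should also be corrected: the function returns a value and never writes to driver_info, so `"""Return the verify_ca value to use for a node."""` fits better. A comment on the early return should state that an explicit `False` or path from driver_info is deliberately never overridden.

```python
def get_verify_ca(node, verify_ca, config_group=None):
    # … unchanged: docstring …
    if config_group is None:
        # idrac nodes share the [redfish] options.
        config_group = 'redfish' if node.driver == 'idrac' else node.driver
    # … unchanged: early return for an explicit False or CA path …
    default_ca = CONF.get(config_group, {}).get('verify_ca')
    return default_ca or verify_ca
```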
@@ -430,3 +430,74 @@ class MixinVendorInterfaceTestCase(db_base.DbTestCase): self.assertRaises(exception.InvalidParameterValue, self.vendor.validate, task, method='fake_method') + + +class GetVerifyCATestCase(tests_base.TestCase): + + def setUp(self): + super(GetVerifyCATestCase, self).setUp() + + def test_default_verify_is_unspecified(self): + node = obj_utils.get_test_node(self.context) + for case in [ + { + 'driver': 'idrac', + 'config_group': 'drac', + 'driver_info_key': 'redfish_verify_ca', + }, + { + 'driver': 'irmc', + 'config_group': 'irmc', + 'driver_info_key': 'irmc_verify_ca', + }, + { + 'driver': 'redfish', + 'config_group': 'redfish', + 'driver_info_key': 'redfish_verify_ca', + }, + ]: + node.driver = case['driver'] + + verify_ca = driver_utils.get_verify_ca(node, True) + self.assertEqual(verify_ca, True) + + verify_ca = driver_utils.get_verify_ca(node, False) + self.assertEqual(verify_ca, False) + + verify_ca = driver_utils.get_verify_ca(node, None) + self.assertIsNone(verify_ca) + + verify_ca = driver_utils.get_verify_ca(node, 'rootca.crt') + self.assertEqual(verify_ca, 'rootca.crt') + + def test_default_verify_is_specified(self): + node = obj_utils.get_test_node(self.context) + for case in [ + { + 'driver': 'idrac', + 'config_group': 'redfish', + }, + { + 'driver': 'irmc', + 'config_group': 'irmc', + }, + { + 'driver': 'redfish', + 'config_group': 'redfish', + }, + ]: + node.driver = case['driver'] + cfg.CONF.set_override( + 'verify_ca', 'default.crt', case['config_group']) + + verify_ca = driver_utils.get_verify_ca(node, True) + self.assertEqual(verify_ca, 'default.crt') + + verify_ca = driver_utils.get_verify_ca(node, False) + self.assertEqual(verify_ca, False) + + verify_ca = driver_utils.get_verify_ca(node, None) + self.assertEqual(verify_ca, 'default.crt') + + verify_ca = driver_utils.get_verify_ca(node, 'rootca.crt') + self.assertEqual(verify_ca, 'rootca.crt') 
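Review bot: In `test_default_verify_is_specified` the overrides set with `cfg.CONF.set_override` accumulate across loop iterations. The `redfish` case therefore runs with `[redfish]verify_ca` already set by the `idrac` iteration and proves nothing on its own. Calling `cfg.CONF.clear_override('verify_ca', case['config_group'])` at the end of each iteration would isolate the cases. No case checks that an override in one group leaves another driver untouched, for example an `irmc` node still returning `True` when only `[redfish]verify_ca` is set, or a driver name with no matching group. In `test_default_verify_is_unspecified` the `config_group` and `driver_info_key` entries are never read (the idrac one says `'drac'`), and `setUp` only calls `super()`, so both can be dropped.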
diff --git a/releasenotes/notes/add-default-verify-ca-opt-for-driver-cfg-72284de9b2acd1ab.yaml b/releasenotes/notes/add-default-verify-ca-opt-for-driver-cfg-72284de9b2acd1ab.yaml new file mode 100644 index 0000000000..6915f32155 --- /dev/null +++ b/releasenotes/notes/add-default-verify-ca-opt-for-driver-cfg-72284de9b2acd1ab.yaml @@ -0,0 +1,8 @@ +--- +features: + - | + Allows users to specify the verify_ca path for the corresponding driver + through the ``verify_ca`` option under the ``[]`` section in the configuration. + When ``[driver_info]/_verify_ca`` is specified as None or True, + it will be replaced by the value of the ``verify_ca`` option. + NOTE: For the ``idrac`` driver, it uses the same options as the ``redfish`` driver.