Operators should be able to provide the CA that DPUs trust during provisioning without coordinating a flag-day deployment. This lets sites pin a long-lived Forge root for certificate rotation, while unconfigured sites retain today's CA download behavior.
What this involves
- Model the non-DPF DPU bootstrap CA source as a typed policy covering
legacy_download, embedded, and mounted. No setting means legacy_download, so upgrading NICo does not require an accompanying site-config change.
- Keep host Scout boots outside that DPU policy. The source is passed only to DPU BFB/cloud-init provisioning.
- Make
embedded an explicit site-build facility: BOOTSTRAP_CA_PATH stages a validated CA bundle at a dedicated BFB path, with no repository or developer-certificate fallback. Generic and SA builds retain their existing behavior.
- Keep
mounted distinct from the embedded path so a missing operator-provided bundle fails closed instead of silently consuming artifact material.
- Separate the CA served by
nico-pxe at /api/v0/tls/root_ca from the CA it uses for outbound API TLS. The new payload path falls back to FORGE_ROOT_CAFILE_PATH, preserving current deployments.
- Give the
nico-pxe Helm chart an optional ConfigMap/Secret-backed CA mount. Leave it out of rendered deployments unless configured.
- Let DPF override the legacy download URL or receive its CA from a ConfigMap/Secret, while keeping the existing bare
init-container invocation compatible. The shared published dpu-agent image does not embed a site trust anchor.
- Validate downloaded and mounted DPF bundles before atomically installing them, with no fallback between configured sources.
- Cover the legacy default and each opt-in mode with unit, shell, and Helm-rendering tests, plus documentation for rotation, configuration, staged rollout, existing-machine behavior, and server-chain verification.
- Keep end-to-end authentication and signing of the wider boot chain as separate follow-up work. These controls select the API server trust anchor; they do not claim to authenticate DHCP, DNS, iPXE, user-data, or replaceable boot artifacts.
Operators should be able to provide the CA that DPUs trust during provisioning without coordinating a flag-day deployment. This lets sites pin a long-lived Forge root for certificate rotation, while unconfigured sites retain today's CA download behavior.
What this involves
legacy_download,embedded, andmounted. No setting meanslegacy_download, so upgrading NICo does not require an accompanying site-config change.embeddedan explicit site-build facility:BOOTSTRAP_CA_PATHstages a validated CA bundle at a dedicated BFB path, with no repository or developer-certificate fallback. Generic and SA builds retain their existing behavior.mounteddistinct from the embedded path so a missing operator-provided bundle fails closed instead of silently consuming artifact material.nico-pxeat/api/v0/tls/root_cafrom the CA it uses for outbound API TLS. The new payload path falls back toFORGE_ROOT_CAFILE_PATH, preserving current deployments.nico-pxeHelm chart an optional ConfigMap/Secret-backed CA mount. Leave it out of rendered deployments unless configured.init-containerinvocation compatible. The shared published dpu-agent image does not embed a site trust anchor.