Skip to content

feat: make the DPU bootstrap CA operator-configurable #3571

Description

@chet

Operators should be able to provide the CA that DPUs trust during provisioning without coordinating a flag-day deployment. This lets sites pin a long-lived Forge root for certificate rotation, while unconfigured sites retain today's CA download behavior.

What this involves

  • Model the non-DPF DPU bootstrap CA source as a typed policy covering legacy_download, embedded, and mounted. No setting means legacy_download, so upgrading NICo does not require an accompanying site-config change.
  • Keep host Scout boots outside that DPU policy. The source is passed only to DPU BFB/cloud-init provisioning.
  • Make embedded an explicit site-build facility: BOOTSTRAP_CA_PATH stages a validated CA bundle at a dedicated BFB path, with no repository or developer-certificate fallback. Generic and SA builds retain their existing behavior.
  • Keep mounted distinct from the embedded path so a missing operator-provided bundle fails closed instead of silently consuming artifact material.
  • Separate the CA served by nico-pxe at /api/v0/tls/root_ca from the CA it uses for outbound API TLS. The new payload path falls back to FORGE_ROOT_CAFILE_PATH, preserving current deployments.
  • Give the nico-pxe Helm chart an optional ConfigMap/Secret-backed CA mount. Leave it out of rendered deployments unless configured.
  • Let DPF override the legacy download URL or receive its CA from a ConfigMap/Secret, while keeping the existing bare init-container invocation compatible. The shared published dpu-agent image does not embed a site trust anchor.
  • Validate downloaded and mounted DPF bundles before atomically installing them, with no fallback between configured sources.
  • Cover the legacy default and each opt-in mode with unit, shell, and Helm-rendering tests, plus documentation for rotation, configuration, staged rollout, existing-machine behavior, and server-chain verification.
  • Keep end-to-end authentication and signing of the wider boot chain as separate follow-up work. These controls select the API server trust anchor; they do not claim to authenticate DHCP, DNS, iPXE, user-data, or replaceable boot artifacts.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Fields

No fields configured for Enhancement.

Projects

Status
In Progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions