-
Notifications
You must be signed in to change notification settings - Fork 87
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🌱Add generation of empty-ironic-cacert secret for handling TLS disabled scenario #237
Conversation
/retest |
/test-integration |
3 similar comments
/test-integration |
/test-integration |
/test-integration |
2b5e481
to
d45d648
Compare
/test-integration |
/assign @furkatgofurov7 |
Test is going on in Metal3-dev-env for TLS disabled. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be possible to make the volume optional instead of creating this empty secret? I'm thinking that we could add optional: true
here:
cluster-api-provider-metal3/config/bmo/secret_mount_patch.yaml
Lines 22 to 24 in 07cb2d8
- name: cacert | |
secret: | |
secretName: ironic-cacert |
But I'm not sure if BMO can handle a missing file or if it has to be an empty file?
At this current scenario when BMO is running as part of CAPM3, BMO will wait for the secret in both TLS enabled or disabled and the CI was failing without adding the empty secret. As most of our CI master job are running with TLS enabled, secret is necessary with the settings in BMO(part of CAPM3). So the empty secret will be used only to support non-TLS. I think when we are taking BMO outside of CAPM3, don't need to create an empty secret as the setting has separate TLS and non-TLS configuration. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the explanation! I think this is fine then 🙂
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
/unhold |
/lgtm |
/retitle 🌱Add generation of empty-ironic-cacert secret for handling TLS disabled scenario |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: furkatgofurov7, lentzi90, namnx228 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
In non-TLS scenario BMO is waiting for an empty secret which was removed earlier with cert manager setup in ironic. Because of that the non-tls run was broken. This PR will add the empty secret creation and during TLS-disabled, we will substitute the secret name as
empty-ironic-cacert
before kustomization. The change of secret name will be done in metal3-dev-envThe changes fix the issue with non-TLS.