Merge pull request #51 from honza/verify-ca-downstream

Bug 1799219: Verify CA

cmd/make-bm-worker/main.go

@@ -13,6 +13,7 @@ func main() {
 	var username = flag.String("user", "", "username for BMC")
 	var password = flag.String("password", "", "password for BMC")
 	var bmcAddress = flag.String("address", "", "address URL for BMC")
+	var disableCertificateVerification = flag.Bool("disableCertificateVerification", false, "will skip certificate validation when true")
 	var hardwareProfile = flag.String("hardwareprofile", "", "hardwareProfile to be used")
 	var macAddress = flag.String("boot-mac", "", "boot-mac for bootMACAddress")
 	var verbose = flag.Bool("v", false, "turn on verbose output")
@@ -42,14 +43,15 @@ func main() {
 	}
 
 	template := templates.Template{
-		Name:              strings.Replace(hostName, "_", "-", -1),
-		BMCAddress:        *bmcAddress,
-		Username:          *username,
-		Password:          *password,
-		HardwareProfile:   *hardwareProfile,
-		BootMacAddress:    *macAddress,
-		Consumer:          strings.TrimSpace(*consumer),
-		ConsumerNamespace: strings.TrimSpace(*consumerNamespace),
+		Name:                           strings.Replace(hostName, "_", "-", -1),
+		BMCAddress:                     *bmcAddress,
+		DisableCertificateVerification: *disableCertificateVerification,
+		Username:                       *username,
+		Password:                       *password,
+		HardwareProfile:                *hardwareProfile,
+		BootMacAddress:                 *macAddress,
+		Consumer:                       strings.TrimSpace(*consumer),
+		ConsumerNamespace:              strings.TrimSpace(*consumerNamespace),
 	}
 	if *verbose {
 		fmt.Fprintf(os.Stderr, "%v", template)

cmd/make-bm-worker/templates/templates.go

@@ -37,18 +37,22 @@ spec:
     name: {{ .Consumer }}
     namespace: {{ .ConsumerNamespace }}
 {{- end }}
+{{- if .DisableCertificateVerification }}
+  disableCertificateVerification: true
+{{- end}}
 `
 
 // Template holds the arguments to pass to the template.
 type Template struct {
-	Name              string
-	BMCAddress        string
-	Username          string
-	Password          string
-	HardwareProfile   string
-	BootMacAddress    string
-	Consumer          string
-	ConsumerNamespace string
+	Name                           string
+	BMCAddress                     string
+	DisableCertificateVerification bool
+	Username                       string
+	Password                       string
+	HardwareProfile                string
+	BootMacAddress                 string
+	Consumer                       string
+	ConsumerNamespace              string
 }
 
 // EncodedUsername returns the username in the format needed to store

deploy/crds/metal3.io_baremetalhosts_crd.yaml

@@ -74,6 +74,13 @@ spec:
                   description: The name of the secret containing the BMC credentials
                     (requires keys "username" and "password").
                   type: string
+                disableCertificateVerification:
+                  description: DisableCertificateVerification disables verification
+                    of server certificates when using HTTPS to connect to the BMC.
+                    This is required when the server certificate is self-signed, but
+                    is insecure because it allows a man-in-the-middle to intercept
+                    the connection.
+                  type: boolean
               required:
               - address
               - credentialsName

docs/api.md

@@ -33,6 +33,9 @@ mainly, but not only, provisioning details.
   * *credentialsName* -- A reference to a *secret* containing the
     username and password for the BMC.
 
+  * *disableCertificateVerification* -- A boolean to skip certificate
+    validation when true.
+
 * *online* -- A boolean indicating whether the host should be powered on
   (true) or off (false). Changing this value will trigger a change in
   power state on the physical host.

docs/dev-setup.md

@@ -190,4 +190,5 @@ spec:
   bmc:
     address: 1.2.3.4
     credentialsName: worker-99-bmc-secret
+    disableCertificateVerification: true
 ```

pkg/apis/metal3/v1alpha1/baremetalhost_types.go

@@ -124,6 +124,13 @@ type BMCDetails struct {
 	// The name of the secret containing the BMC credentials (requires
 	// keys "username" and "password").
 	CredentialsName string `json:"credentialsName"`
+
+	// DisableCertificateVerification disables verification of server
+	// certificates when using HTTPS to connect to the BMC. This is
+	// required when the server certificate is self-signed, but is
+	// insecure because it allows a man-in-the-middle to intercept the
+	// connection.
+	DisableCertificateVerification bool `json:"disableCertificateVerification,omitempty"`
 }
 
 // BareMetalHostSpec defines the desired state of BareMetalHost

pkg/bmc/access.go

@@ -10,7 +10,7 @@ import (
 
 // AccessDetailsFactory describes a callable that returns a new
 // AccessDetails based on the input parameters.
-type AccessDetailsFactory func(parsedURL *url.URL) (AccessDetails, error)
+type AccessDetailsFactory func(parsedURL *url.URL, disableCertificateVerification bool) (AccessDetails, error)
 
 var factories = map[string]AccessDetailsFactory{}
 
@@ -99,7 +99,7 @@ func getParsedURL(address string) (parsedURL *url.URL, err error) {
 
 // NewAccessDetails creates an AccessDetails structure from the URL
 // for a BMC.
-func NewAccessDetails(address string) (AccessDetails, error) {
+func NewAccessDetails(address string, disableCertificateVerification bool) (AccessDetails, error) {
 
 	parsedURL, err := getParsedURL(address)
 	if err != nil {
@@ -111,5 +111,5 @@ func NewAccessDetails(address string) (AccessDetails, error) {
 		return nil, &UnknownBMCTypeError{address, parsedURL.Scheme}
 	}
 
-	return factory(parsedURL)
+	return factory(parsedURL, disableCertificateVerification)
 }