Enable TLS validation for Redfish emulator

dtantsur · dtantsur · commit 78d2d971afa2 · 2025-11-28T10:48:36.000+01:00
Starting with 4.21, we can pass the CA certificate to the installer.

Signed-off-by: Dmitry Tantsur &lt;dtantsur@protonmail.com&gt;
diff --git a/ocp_install_env.sh b/ocp_install_env.sh
@@ -361,6 +361,8 @@ function generate_ocp_install_config() {
       NETWORK_TYPE=OVNKubernetes
     fi
 
+    OCP_VERSION=$(openshift_version $OCP_DIR)
+
     cat > "${outdir}/install-config.yaml" << EOF
 apiVersion: v1
 baseDomain: ${BASE_DOMAIN}
@@ -409,6 +411,13 @@ EOF
 $(node_map_to_install_config_hosts $NUM_WORKERS $(( NUM_MASTERS + NUM_ARBITERS )) worker)
 $(node_map_to_install_config_hosts $NUM_ARBITERS $NUM_MASTERS arbiter)
 $(node_map_to_install_config_hosts $NUM_MASTERS 0 master)
+EOF
+  fi
+
+  if ! is_lower_version "$(openshift_version $OCP_DIR)" "4.21"; then
+    cat >> "${outdir}/install-config.yaml" << EOF
+    bmcVerifyCA: |
+$(sudo sed 's/^/      /' "${WORKING_DIR}/virtualbmc/sushy-tools/cert.pem")
 EOF
   fi
 
@@ -455,8 +464,12 @@ function generate_ocp_host_manifest() {
 
         encoded_username=$(echo -n "$username" | base64)
         encoded_password=$(echo -n "$password" | base64)
-        # Heads up, "verify_ca" in ironic driver config, and "disableCertificateVerification" in BMH have opposite meaning
-        disableCertificateVerification=$([ "$verify_ca" = "False" ] && echo "true" || echo "false")
+        if is_lower_version "$(openshift_version $OCP_DIR)" "4.21"; then
+          # Heads up, "verify_ca" in ironic driver config, and "disableCertificateVerification" in BMH have opposite meaning
+          disableCertificateVerification=$([ "$verify_ca" = "False" ] && echo "true" || echo "false")
+        else
+          disableCertificateVerification=false
+        fi
 
         secret="---
 apiVersion: v1
diff --git a/utils.sh b/utils.sh
@@ -260,13 +260,15 @@ function node_map_to_install_config_hosts() {
 EOF
 
       if [[ "$driver_prefix" == "redfish" ]]; then
-          # Set disableCertificateVerification
-          # Heads up, "verify ca" in ironic driver config, and "disableCertificateVerification" in BMH have opposite meaning
-          verify_ca=$(node_val ${idx} "driver_info.redfish_verify_ca")
-          disable_certificate_verification=$([ "$verify_ca" = "False" ] && echo "true" || echo "false")
-          cat << EOF
+          # Set disableCertificateVerification on older versions
+          if is_lower_version "$(openshift_version $OCP_DIR)" "4.21"; then
+              # Heads up, "verify ca" in ironic driver config, and "disableCertificateVerification" in BMH have opposite meaning
+              verify_ca=$(node_val ${idx} "driver_info.redfish_verify_ca")
+              disable_certificate_verification=$([ "$verify_ca" = "False" ] && echo "true" || echo "false")
+              cat << EOF
           disableCertificateVerification: ${disable_certificate_verification}
 EOF
+          fi
       fi
 
 
