Refactor BMC CA injection to make it a bootstrap asset

Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>

data/data/bootstrap/baremetal/files/etc/containers/systemd/ironic.container.template

@@ -23,7 +23,7 @@ Volume=/opt/openshift/tls/ironic/:/certs/vmedia/:z
 {{ end }}
 Volume=/opt/openshift/tls/ironic/:/certs/ironic/:z
 {{ if ne len(.PlatformData.BareMetal.BMCVerifyCA) 0 }}
-Volume=/tmp/cert/ca/bmc:/certs/ca/bmc:z
+Volume=/opt/openshift/bmc-ca:/certs/ca/bmc:z
 {{ end }}
 Environment="IRONIC_RAMDISK_SSH_KEY=${IRONIC_RAMDISK_SSH_KEY}"
 Environment="PROVISIONING_INTERFACE=${PROVISIONING_INTERFACE}"

data/data/bootstrap/baremetal/files/usr/local/bin/build-ironic-env.sh

@@ -23,11 +23,6 @@ build_ironic_env() {
     printf 'CUSTOMIZATION_IMAGE="%s"\n' "$(image_for machine-image-customization-controller)"
     printf 'MACHINE_OS_IMAGES_IMAGE="%s"\n' "$(image_for machine-os-images)"
 
-    if [[ "$BMC_VERIFY_CA" ]]; then
-        mkdir -p /tmp/cert/ca/bmc
-        echo "$BMC_VERIFY_CA" > /tmp/cert/ca/bmc/verify_ca.crt
-    fi
-
     # set password for ironic basic auth
     # The ironic container contains httpd (and thus httpd-tools), so rely on it
     # to supply the htpasswd command

data/data/bootstrap/baremetal/systemd/units/build-ironic-env.service.template

@@ -10,7 +10,6 @@ Environment="PROVISIONING_MAC={{.PlatformData.BareMetal.ProvisioningInterfaceMAC
 Environment="PROVISIONING_NETWORK_TYPE={{.PlatformData.BareMetal.ProvisioningNetwork}}"
 Environment="IRONIC_IP={{index .PlatformData.BareMetal.APIVIPs 0}}"
 Environment="IRONIC_USERNAME={{.PlatformData.BareMetal.IronicUsername}}"
-Environment="BMC_VERIFY_CA={{.PlatformData.BareMetal.BMCVerifyCA}}"
 ExecStart=/usr/local/bin/build-ironic-env.sh
 Type=oneshot
 RemainAfterExit=true

pkg/asset/ignition/bootstrap/common.go

@@ -171,6 +171,7 @@ func (a *Common) Dependencies() []asset.Asset {
 		&tls.RootCA{},
 		&tls.ServiceAccountKeyPair{},
 		&tls.IronicTLSCert{},
+		&tls.BMCVerifyCA{},
 		&releaseimage.Image{},
 		new(rhcos.Image),
 	}
@@ -671,6 +672,7 @@ func (a *Common) addParentFiles(dependencies asset.Parents) {
 		&tls.ServiceAccountKeyPair{},
 		&tls.JournalCertKey{},
 		&tls.IronicTLSCert{},
+		&tls.BMCVerifyCA{},
 	} {
 		dependencies.Get(asset)
 

pkg/asset/manifests/bmcverifycaconfigmap.go

@@ -10,8 +10,7 @@ import (
 	"sigs.k8s.io/yaml"
 
 	"github.com/openshift/installer/pkg/asset"
-	"github.com/openshift/installer/pkg/asset/installconfig"
-	"github.com/openshift/installer/pkg/types/baremetal"
+	"github.com/openshift/installer/pkg/asset/tls"
 )
 
 var (
@@ -41,21 +40,18 @@ func (*BMCVerifyCAConfigMap) Name() string {
 // the asset.
 func (*BMCVerifyCAConfigMap) Dependencies() []asset.Asset {
 	return []asset.Asset{
-		&installconfig.InstallConfig{},
+		&tls.BMCVerifyCA{},
 	}
 }
 
 // Generate generates the BMC Verify CA ConfigMap.
 func (bvc *BMCVerifyCAConfigMap) Generate(_ context.Context, dependencies asset.Parents) error {
-	installConfig := &installconfig.InstallConfig{}
-	dependencies.Get(installConfig)
+	bmcVerifyCA := &tls.BMCVerifyCA{}
+	dependencies.Get(bmcVerifyCA)
 
-	// Only generate the ConfigMap for baremetal platform with BMCVerifyCA configured
-	if installConfig.Config.Platform.Name() != baremetal.Name {
-		return nil
-	}
-
-	if installConfig.Config.Platform.BareMetal == nil || installConfig.Config.Platform.BareMetal.BMCVerifyCA == "" {
+	// Only generate the ConfigMap if BMCVerifyCA has content
+	files := bmcVerifyCA.Files()
+	if len(files) == 0 {
 		return nil
 	}
 
@@ -69,7 +65,7 @@ func (bvc *BMCVerifyCAConfigMap) Generate(_ context.Context, dependencies asset.
 			Name:      bmcVerifyCAConfigMapName,
 		},
 		Data: map[string]string{
-			bmcVerifyCAConfigMapDataKey: installConfig.Config.Platform.BareMetal.BMCVerifyCA,
+			bmcVerifyCAConfigMapDataKey: string(files[0].Data),
 		},
 	}
 

pkg/asset/tls/bmcverifyca.go

@@ -0,0 +1,65 @@
+package tls
+
+import (
+	"context"
+
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/installconfig"
+	"github.com/openshift/installer/pkg/types/baremetal"
+)
+
+// BMCVerifyCA is the asset for the user-provided BMC verify CA certificate file.
+// This CA certificate is used to verify BMC TLS certificates.
+type BMCVerifyCA struct {
+	File *asset.File
+}
+
+var _ asset.WritableAsset = (*BMCVerifyCA)(nil)
+
+// Name returns the human-friendly name of the asset.
+func (*BMCVerifyCA) Name() string {
+	return "BMC Verify CA Certificate"
+}
+
+// Dependencies returns the dependency of the asset.
+func (*BMCVerifyCA) Dependencies() []asset.Asset {
+	return []asset.Asset{
+		&installconfig.InstallConfig{},
+	}
+}
+
+// Generate generates the BMC verify CA file from the install config.
+func (a *BMCVerifyCA) Generate(_ context.Context, dependencies asset.Parents) error {
+	installConfig := &installconfig.InstallConfig{}
+	dependencies.Get(installConfig)
+
+	// Only generate the file for baremetal platform with BMCVerifyCA configured
+	if installConfig.Config.Platform.Name() != baremetal.Name {
+		return nil
+	}
+
+	if installConfig.Config.Platform.BareMetal == nil || installConfig.Config.Platform.BareMetal.BMCVerifyCA == "" {
+		return nil
+	}
+
+	// Create the file at rootDir/bmc-ca/verify_ca.crt (rootDir = /opt/openshift)
+	a.File = &asset.File{
+		Filename: "bmc-ca/verify_ca.crt",
+		Data:     []byte(installConfig.Config.Platform.BareMetal.BMCVerifyCA),
+	}
+
+	return nil
+}
+
+// Files returns the files generated by the asset.
+func (a *BMCVerifyCA) Files() []*asset.File {
+	if a.File != nil {
+		return []*asset.File{a.File}
+	}
+	return []*asset.File{}
+}
+
+// Load loads the already-generated files back from disk.
+func (a *BMCVerifyCA) Load(f asset.FileFetcher) (bool, error) {
+	return false, nil
+}