Bug 1826660

Summary: Can't register nodes from the UI with redfish if it uses self-signed certificates
Product: OpenShift Container Platform
Component: Console Metal3 Plugin
Reporter: Udi Kalifon <ukalifon>
Assignee: Yadan Pei <yapei>
QA Contact: Udi Kalifon <ukalifon>
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Version: 4.4
CC: aos-bugs, yapei
Target Release: 4.5.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2020-07-13 17:30:08 UTC
Type: Bug
Attachments:
Description: Disable Certificate Verification; Flags: none

Description Udi Kalifon 2020-04-22 09:13:17 UTC
Description of problem:
There is no way in the GUI to register a node and pass "insecure" to the bmh object creation. On the CLI you would add spec.bmc.disableCertificateVerification: true


How reproducible:
100%


Steps to Reproduce:
1. From the baremetal hosts page, click on Add host
2. The dialog lets you add the bmc address and credentials, but there is no option to set disableCertificateVerification: true


Actual results:
redfish://192.168.123.1:8000/redfish/v1/Systems/a83f321e-7684-4a22-9f02-a14cb40e5cee                      true     Failed to get power state for node a7539458-bbe8-466d-8b00-45b29d6fc240. Error: Redfish connection failed for node a7539458-bbe8-466d-8b00-45b29d6fc240: Unable to connect to https://192.168.123.1:8000/redfish/v1/. Error: HTTPSConnectionPool(host='192.168.123.1', port=8000): Max retries exceeded with url: /redfish/v1/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))


Additional info:
In the QE's libvirt environments we use sushy tools to simulate redfish, and it runs over https with self-signed certificates.

Comment 1 Jiri Tomasek 2020-05-15 10:13:54 UTC
According to the discussion with Dmitry, the option disables certificate validation, which poses a security concern. Doing this should be avoided in production environments. We'll need to properly communicate this to the user when exposing the option via the UI.

Comment 4 Yadan Pei 2020-06-17 02:58:21 UTC
Created attachment 1697728
Disable Certificate Verification

Now, on the create bare metal hosts from dialog page https://console-openshift-console.apps.titan57-0.qe.lab.redhat.com/k8s/ns/openshift-machine-api/metal3.io~v1alpha1~BareMetalHost/~new/form, there is an option 'Disable Certificate Verification'. After it is checked, the BMH created will have spec.disableCertificateVerification set to True.

spec:
  bmc:
    address: test
    credentialsName: testbmworker-bmc-secret
    disableCertificateVerification: true

Verified on 4.5.0-0.nightly-2020-06-11-183238
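
One way to audit for the setting that Comment 1 warns about, as an added example that is not part of the bug report or of the console's code: it scans BareMetalHost objects for spec.bmc.disableCertificateVerification: true. The host names, addresses, and the allow-list of lab hosts are constructed assumptions.

```python
import json
import sys

def find_unverified_bmc_hosts(doc, allowed=frozenset()):
    """Return sorted (namespace, name, address) for hosts with BMC TLS checks off.

    doc: parsed JSON, one BareMetalHost or a List of them.
    allowed: assumed allow-list of "namespace/name" lab hosts to skip.
    """
    is_list = str(doc.get("kind", "")).endswith("List")
    items = (doc.get("items") or []) if is_list else [doc]
    findings = []
    for item in items:
        if item.get("kind") != "BareMetalHost":
            continue
        meta = item.get("metadata") or {}
        bmc = (item.get("spec") or {}).get("bmc") or {}
        # Verification stays on unless the field is the boolean true.
        if bmc.get("disableCertificateVerification") is not True:
            continue
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        if f"{ns}/{name}" not in allowed:
            findings.append((ns, name, bmc.get("address", "")))
    return sorted(findings)

# Constructed sample input (not taken from the bug report).
SAMPLE = json.loads("""
{"kind": "List", "apiVersion": "v1", "items": [
 {"kind": "BareMetalHost",
  "metadata": {"namespace": "openshift-machine-api", "name": "worker-0"},
  "spec": {"bmc": {"address": "redfish://bmc0.example.test/redfish/v1/Systems/1"}}},
 {"kind": "BareMetalHost",
  "metadata": {"namespace": "openshift-machine-api", "name": "worker-1"},
  "spec": {"bmc": {"address": "redfish://bmc1.example.test/redfish/v1/Systems/1",
                   "disableCertificateVerification": true}}},
 {"kind": "BareMetalHost",
  "metadata": {"namespace": "qe-lab", "name": "lab-0"},
  "spec": {"bmc": {"address": "redfish://bmc2.example.test/redfish/v1/Systems/1",
                   "disableCertificateVerification": true}}}
]}
""")

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    hits = find_unverified_bmc_hosts(doc, allowed={"qe-lab/lab-0"})
    for ns, name, addr in hits:
        print(f"{ns}/{name}: BMC certificate verification disabled ({addr})")
    sys.exit(1 if hits else 0)
```

Pass it a file holding the output of `oc get baremetalhosts -A -o json`; a non-zero exit status means at least one host outside the allow-list has verification disabled.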

Comment 5 errata-xmlrpc 2020-07-13 17:30:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409