Bug 1826660 - Can't register nodes from the UI with redfish if it uses self-signed certificates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Console Metal3 Plugin
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.5.0
Assignee: Yadan Pei
QA Contact: Udi Kalifon
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-04-22 09:13 UTC by Udi Kalifon
Modified: 2020-07-13 17:30 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-13 17:30:08 UTC
Target Upstream Version:
Embargoed:


Attachments
Disable Certificate Verification (130.00 KB, image/png)
2020-06-17 02:58 UTC, Yadan Pei


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift console pull 5615 | 0 | None | closed | Bug 1826660: Expose option to disable BMC server certificate verification | 2020-08-12 18:45:55 UTC
Red Hat Product Errata | RHBA-2020:2409 | 0 | None | None | None | 2020-07-13 17:30:22 UTC

Description Udi Kalifon 2020-04-22 09:13:17 UTC
Description of problem:
There is no way in the GUI to register a node and pass "insecure" to the bmh object creation. On the CLI you would add spec.bmc.disableCertificateVerification: true


How reproducible:
100%


Steps to Reproduce:
1. From the baremetal hosts page, click on Add host
2. The dialog lets you add the bmc address and credentials, but there is no option to set disableCertificateVerification: true


Actual results:
redfish://192.168.123.1:8000/redfish/v1/Systems/a83f321e-7684-4a22-9f02-a14cb40e5cee                      true     Failed to get power state for node a7539458-bbe8-466d-8b00-45b29d6fc240. Error: Redfish connection failed for node a7539458-bbe8-466d-8b00-45b29d6fc240: Unable to connect to https://192.168.123.1:8000/redfish/v1/. Error: HTTPSConnectionPool(host='192.168.123.1', port=8000): Max retries exceeded with url: /redfish/v1/ (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))


Additional info:
In the QE's libvirt environments we use sushy tools to simulate redfish, and it runs over https with self-signed certificates.

Comment 1 Jiri Tomasek 2020-05-15 10:13:54 UTC
According to discussion with Dmitry, the option disables certificate validation, which poses a security concern. Doing this should be avoided in production environments. We'll need to properly communicate this to the user when exposing the option via UI.

Comment 4 Yadan Pei 2020-06-17 02:58:21 UTC
Created attachment 1697728
Disable Certificate Verification

Now on the create baremetal hosts from dialog page https://console-openshift-console.apps.titan57-0.qe.lab.redhat.com/k8s/ns/openshift-machine-api/metal3.io~v1alpha1~BareMetalHost/~new/form, there is an option 'Disable Certificate Verification'. After it is checked, the BMH created will have spec.disableCertificateVerification set to True

spec:
  bmc:
    address: test
    credentialsName: testbmworker-bmc-secret
    disableCertificateVerification: true

Verified on 4.5.0-0.nightly-2020-06-11-183238
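
Editor's added example, not part of the bug report or the console code: since Comment 1 notes the option should be avoided in production, a cluster audit can list every BareMetalHost that has it set. The function name, the sample hosts and the use of `oc get baremetalhosts -A -o json` as input are assumptions made for illustration.

```python
import json
import sys

# Constructed sample in the shape of `oc get baremetalhosts -A -o json`.
# The first host mirrors the spec quoted in Comment 4; the second is made up.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "BareMetalHost",
     "metadata": {"namespace": "openshift-machine-api", "name": "testbmworker"},
     "spec": {"bmc": {"address": "test",
                      "credentialsName": "testbmworker-bmc-secret",
                      "disableCertificateVerification": True}}},
    {"kind": "BareMetalHost",
     "metadata": {"namespace": "openshift-machine-api", "name": "worker-1"},
     "spec": {"bmc": {"address": "redfish://bmc.example.invalid/redfish/v1/Systems/1",
                      "credentialsName": "worker-1-bmc-secret"}}},
]})


def hosts_skipping_bmc_cert_check(doc_json):
    """Return sorted (namespace, name, bmc address) tuples for hosts whose
    spec.bmc.disableCertificateVerification is true."""
    doc = json.loads(doc_json)
    # Accept either a List wrapper or a single BareMetalHost object.
    items = (doc.get("items") or []) if "items" in doc else [doc]
    findings = []
    for item in items:
        if item.get("kind") != "BareMetalHost":
            continue
        bmc = (item.get("spec") or {}).get("bmc") or {}
        # An absent field means verification stays on, so only an explicit true is flagged.
        if bmc.get("disableCertificateVerification") is True:
            meta = item.get("metadata") or {}
            findings.append((meta.get("namespace", ""), meta.get("name", ""),
                             bmc.get("address", "")))
    return sorted(findings)


if __name__ == "__main__":
    # Audit piped-in cluster output if present, otherwise the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for ns, name, addr in hosts_skipping_bmc_cert_check(data):
        print(f"{ns}/{name}: BMC certificate verification disabled ({addr})")
```

Piping the JSON output of the cluster query into the script audits live objects; run with no input, it reports on the constructed sample.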

Comment 5 errata-xmlrpc 2020-07-13 17:30:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

