Description of problem:
iPXE can't work with all HTTPS endpoints, so all necessary artifacts need to be served via HTTP. This means we need:
* assisted-image-service setting to expose endpoints on a separate plain HTTP port
* assisted-service setting to expose ipxe script on a separate plain HTTP port
* operator change to enable this feature
* operator changes to update assisted-service/assisted-image-service settings to enable plain HTTP port
* operator changes to update services/routes
https://github.com/openshift/assisted-service/pull/3705 adds a new .spec.iPXEHTTPRoute setting (accepting "enabled/disabled", defaults to disabled) which creates HTTP routes and ensures only required artifacts can be fetched via HTTP.
Known issue: existing InfraEnvs won't be updated - links would be displayed as https (artifacts can be fetched via http).
Workaround: re-create InfraEnv
@vrutkovs I have tested the solution with upstream (latest) and I can see that the port 80 is "listening" but the artifacts cannot be downloaded (getting 503)

    [kni@provisionhost-0-0 ~]$ nc -v assisted-image-service-assisted-installer.apps.ocp-edge-cluster-0.qe.lab.redhat.com 80
    Ncat: Version 7.70 ( https://nmap.org/ncat )
    Ncat: Connected to 192.168.123.10:80.

    cat wget-log
    --2022-06-02 17:53:17-- http://assisted-service-assisted-installer.apps.ocp-edge-cluster-0.qe.lab.redhat.com/api/assisted-install/v2/infra-envs/14540a1a-ff8b-4a3c-a372-6025f3ed8a37/downloads/files?api_key=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbmZyYV9lbnZfaWQiOiIxNDU0MGExYS1mZjhiLTRhM2MtYTM3Mi02MDI1ZjNlZDhhMzcifQ.6W699OHYrZS9z5TUm3P4on2vQBWXfJKN6j0W8jowD4HjuntjMnlqkkHAQIf9VWUDR1ZdnwuzvknEFslFqlNVAA
    Resolving assisted-service-assisted-installer.apps.ocp-edge-cluster-0.qe.lab.redhat.com (assisted-service-assisted-installer.apps.ocp-edge-cluster-0.qe.lab.redhat.com)... 192.168.123.10
    Connecting to assisted-service-assisted-installer.apps.ocp-edge-cluster-0.qe.lab.redhat.com (assisted-service-assisted-installer.apps.ocp-edge-cluster-0.qe.lab.redhat.com)|192.168.123.10|:80... connected.
    HTTP request sent, awaiting response... 503 Service Unavailable
    2022-06-02 17:53:17 ERROR 503: Service Unavailable.
After adding `iPXEHTTPRoute: enabled` to the AgentServiceConfig and re-creating an ACI, the http ipxe bootartifact showed up in the infraenv and I was able to download it via http. This was using latest upstream (aka 2.6 release branch) of assisted service.

    oc get infraenv chub-4 -o yaml
    bootArtifacts:
      ipxeScript: http://assisted-service-assisted-installer.apps.ocp-edge-cluster-assisted-0.qe.lab.redhat.com/api/assisted-install/v2/infra-envs/5e3ddae7-68ce-4658-80bd-7a052aae3577/downloads/files?api_key=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbmZyYV9lbnZfaWQiOiI1ZTNkZGFlNy02OGNlLTQ2NTgtODBiZC03YTA1MmFhZTM1NzcifQ.BM94lSQxXPpfVMMhGQ6lW7BYPT2e9DmElL2-fn90q9lzqzFSWEbxbVxbmRq1GB4zdUxmF1NKfAjKrlCwOpV1lQ&file_name=ipxe-script

    [kni@provisionhost-0-0 tmp]$ curl 'http://assisted-service-assisted-installer.apps.ocp-edge-cluster-assisted-0.qe.lab.redhat.com/api/assisted-install/v2/infra-envs/5e3ddae7-68ce-4658-80bd-7a052aae3577/downloads/files?api_key=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbmZyYV9lbnZfaWQiOiI1ZTNkZGFlNy02OGNlLTQ2NTgtODBiZC03YTA1MmFhZTM1NzcifQ.BM94lSQxXPpfVMMhGQ6lW7BYPT2e9DmElL2-fn90q9lzqzFSWEbxbVxbmRq1GB4zdUxmF1NKfAjKrlCwOpV1lQ&file_name=ipxe-script'
    #!ipxe
    initrd --name initrd http://assisted-image-service-assisted-installer.apps.ocp-edge-cluster-assisted-0.qe.lab.redhat.com/images/5e3ddae7-68ce-4658-80bd-7a052aae3577/pxe-initrd?api_key=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbmZyYV9lbnZfaWQiOiI1ZTNkZGFlNy02OGNlLTQ2NTgtODBiZC03YTA1MmFhZTM1NzcifQ.dA5Dj6IcGUCr_kfAmyWr7axf-bKhTkLQsetKccRUJvGC2jrrt6KPkNkqP76OQBKclUTLv5ei6qOmIbi_y1BxVw&arch=x86_64&version=4.10
    kernel http://assisted-image-service-assisted-installer.apps.ocp-edge-cluster-assisted-0.qe.lab.redhat.com/boot-artifacts/kernel?arch=x86_64&version=4.10 initrd=initrd coreos.live.rootfs_url=http://assisted-image-service-assisted-installer.apps.ocp-edge-cluster-assisted-0.qe.lab.redhat.com/boot-artifacts/rootfs?arch=x86_64&version=4.10 random.trust_cpu=on rd.luks.options=discard ignition.firstboot ignition.platform.id=metal console=tty1 console=ttyS1,115200n8 coreos.inst.persistent-kargs="console=tty1 console=ttyS1,115200n8"
    boot
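Added example (not part of the bug comments and not assisted-service code): a Python check that parses an iPXE script of the shape shown in the comment above and reports, for every URL it references, the scheme and whether an `api_key` is carried in the query string over plain HTTP. The host name, infra-env ID and token in the sample are constructed placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the shape of the script above; host, ID and token are placeholders.
SAMPLE_SCRIPT = """#!ipxe
initrd --name initrd http://image-service.example.test/images/00000000-0000-0000-0000-000000000000/pxe-initrd?api_key=PLACEHOLDER.TOKEN.VALUE&arch=x86_64&version=4.10
kernel http://image-service.example.test/boot-artifacts/kernel?arch=x86_64&version=4.10 initrd=initrd coreos.live.rootfs_url=http://image-service.example.test/boot-artifacts/rootfs?arch=x86_64&version=4.10 ignition.firstboot ignition.platform.id=metal
boot
"""

# URLs appear both as command arguments and inside kernel arguments (rootfs_url=...).
URL_RE = re.compile(r"https?://[^\s\"']+")


def audit_ipxe_script(script):
    """Return one finding per URL referenced by an iPXE script."""
    lines = script.splitlines()
    if not lines or lines[0].strip() != "#!ipxe":
        raise ValueError("not an iPXE script: missing #!ipxe header")
    findings = []
    for line in lines[1:]:
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        for url in URL_RE.findall(line):
            u = urlsplit(url)
            has_key = "api_key" in parse_qs(u.query)
            findings.append({
                "command": parts[0],
                "scheme": u.scheme,
                "host": u.hostname,
                "path": u.path,
                "has_api_key": has_key,
                # A token sent over plain HTTP is readable on the provisioning network.
                "token_in_cleartext": has_key and u.scheme == "http",
            })
    return findings


def https_urls(findings):
    """Artifacts still served over HTTPS, which iPXE may be unable to fetch."""
    return [f for f in findings if f["scheme"] == "https"]


if __name__ == "__main__":
    for finding in audit_ipxe_script(SAMPLE_SCRIPT):
        print(finding)
```

Running it against the script fetched from an InfraEnv shows which artifact URLs were switched to HTTP and which of them expose a token on the wire.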
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat Advanced Cluster Management 2.6.0 security updates and bug fixes), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:6370
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days