Bug 2078531 - iPXE artifacts need to be served via HTTP
Summary: iPXE artifacts need to be served via HTTP
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Advanced Cluster Management for Kubernetes
Classification: Red Hat
Component: Infrastructure Operator
Version: rhacm-2.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: rhacm-2.6
Assignee: Vadim Rutkovsky
QA Contact: Chad Crum
Docs Contact: Derek
URL:
Whiteboard:
Depends On:
Blocks: 2089195
Reported: 2022-04-25 14:23 UTC by Vadim Rutkovsky
Modified: 2023-09-15 01:54 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2089195
Environment:
Last Closed: 2022-09-06 22:30:54 UTC
Target Upstream Version:
Embargoed:
cbynum: rhacm-2.6+
cbynum: rhacm-2.6.z+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift assisted-image-service pull 71 | 0 | None | Merged | Bug 2078531: add an option expose all endpoints on plain HTTP port | 2022-05-23 08:36:58 UTC
Github | openshift assisted-image-service pull 73 | 0 | None | Merged | Revert "Bug 2078531: add an option expose all endpoints on plain HTTP port" | 2022-05-23 08:36:58 UTC
Github | openshift assisted-image-service pull 74 | 0 | None | Merged | Bug 2078531: add an option expose all endpoints on plain HTTP port (#71) | 2022-05-23 08:36:57 UTC
Github | openshift assisted-service pull 3705 | 0 | None | Merged | Bug 2078531: Expose ipxe boot artifacts via HTTP | 2022-05-23 08:36:57 UTC
Github | stolostron backlog issues 21927 | 0 | None | None | None | 2022-04-25 15:38:54 UTC
Red Hat Issue Tracker | MGMTBUGSM-369 | 0 | None | None | None | 2022-04-25 14:57:10 UTC
Red Hat Product Errata | RHSA-2022:6370 | 0 | None | None | None | 2022-09-06 22:31:11 UTC

Description Vadim Rutkovsky 2022-04-25 14:23:56 UTC
Description of problem:
iPXE can't work with all HTTPS endpoints, so all necessary artifacts need to be served via HTTP.

This means we need:
* assisted-image-service setting to expose endpoints on a separate plain HTTP port
* assisted-service setting to expose ipxe script on a separate plain HTTP port
* operator change to enable this feature
* operator changes to update assisted-service/assisted-image-service settings to enable plain HTTP port
* operator changes to update services/routes

Comment 2 Vadim Rutkovsky 2022-05-12 18:29:58 UTC
https://github.com/openshift/assisted-service/pull/3705 adds new .spec.iPXEHTTPRoute setting (accepting "enabled/disabled", defaults to disabled) which creates HTTP routes and ensures only required artifacts can be fetched via HTTP.

Known issue: existing InfraEnvs won't be updated - links would be displayed as https (artifacts can be fetched via http). 
Workaround: re-create InfraEnv

Comment 3 Vlad Kolodny 2022-06-02 22:04:36 UTC
@vrutkovs

I have tested the solution with upstream (latest) and I can see that the port 80 is "listening" but the artifacts cannot be downloaded (getting 503)

[kni@provisionhost-0-0 ~]$ nc -v assisted-image-service-assisted-installer.apps.ocp-edge-cluster-0.qe.lab.redhat.com 80
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.123.10:80.


cat wget-log
--2022-06-02 17:53:17--  http://assisted-service-assisted-installer.apps.ocp-edge-cluster-0.qe.lab.redhat.com/api/assisted-install/v2/infra-envs/14540a1a-ff8b-4a3c-a372-6025f3ed8a37/downloads/files?api_key=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbmZyYV9lbnZfaWQiOiIxNDU0MGExYS1mZjhiLTRhM2MtYTM3Mi02MDI1ZjNlZDhhMzcifQ.6W699OHYrZS9z5TUm3P4on2vQBWXfJKN6j0W8jowD4HjuntjMnlqkkHAQIf9VWUDR1ZdnwuzvknEFslFqlNVAA
Resolving assisted-service-assisted-installer.apps.ocp-edge-cluster-0.qe.lab.redhat.com (assisted-service-assisted-installer.apps.ocp-edge-cluster-0.qe.lab.redhat.com)... 192.168.123.10
Connecting to assisted-service-assisted-installer.apps.ocp-edge-cluster-0.qe.lab.redhat.com (assisted-service-assisted-installer.apps.ocp-edge-cluster-0.qe.lab.redhat.com)|192.168.123.10|:80... connected.
HTTP request sent, awaiting response... 503 Service Unavailable
2022-06-02 17:53:17 ERROR 503: Service Unavailable.

Comment 7 Chad Crum 2022-06-13 17:11:53 UTC
After adding `iPXEHTTPRoute: enabled` to the AgentServiceConfig and re-creating an ACI, the http ipxe bootartifact showed up in the infraenv and I was able to download it via http.

This was using latest upstream (aka 2.6 release branch) of assisted service.



oc get infraenv chub-4 -o yaml 
  bootArtifacts:
    ipxeScript: http://assisted-service-assisted-installer.apps.ocp-edge-cluster-assisted-0.qe.lab.redhat.com/api/assisted-install/v2/infra-envs/5e3ddae7-68ce-4658-80bd-7a052aae3577/downloads/files?api_key=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbmZyYV9lbnZfaWQiOiI1ZTNkZGFlNy02OGNlLTQ2NTgtODBiZC03YTA1MmFhZTM1NzcifQ.BM94lSQxXPpfVMMhGQ6lW7BYPT2e9DmElL2-fn90q9lzqzFSWEbxbVxbmRq1GB4zdUxmF1NKfAjKrlCwOpV1lQ&file_name=ipxe-script


[kni@provisionhost-0-0 tmp]$ curl 'http://assisted-service-assisted-installer.apps.ocp-edge-cluster-assisted-0.qe.lab.redhat.com/api/assisted-install/v2/infra-envs/5e3ddae7-68ce-4658-80bd-7a052aae3577/downloads/files?api_key=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbmZyYV9lbnZfaWQiOiI1ZTNkZGFlNy02OGNlLTQ2NTgtODBiZC03YTA1MmFhZTM1NzcifQ.BM94lSQxXPpfVMMhGQ6lW7BYPT2e9DmElL2-fn90q9lzqzFSWEbxbVxbmRq1GB4zdUxmF1NKfAjKrlCwOpV1lQ&file_name=ipxe-script'
#!ipxe
initrd --name initrd http://assisted-image-service-assisted-installer.apps.ocp-edge-cluster-assisted-0.qe.lab.redhat.com/images/5e3ddae7-68ce-4658-80bd-7a052aae3577/pxe-initrd?api_key=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpbmZyYV9lbnZfaWQiOiI1ZTNkZGFlNy02OGNlLTQ2NTgtODBiZC03YTA1MmFhZTM1NzcifQ.dA5Dj6IcGUCr_kfAmyWr7axf-bKhTkLQsetKccRUJvGC2jrrt6KPkNkqP76OQBKclUTLv5ei6qOmIbi_y1BxVw&arch=x86_64&version=4.10
kernel http://assisted-image-service-assisted-installer.apps.ocp-edge-cluster-assisted-0.qe.lab.redhat.com/boot-artifacts/kernel?arch=x86_64&version=4.10 initrd=initrd coreos.live.rootfs_url=http://assisted-image-service-assisted-installer.apps.ocp-edge-cluster-assisted-0.qe.lab.redhat.com/boot-artifacts/rootfs?arch=x86_64&version=4.10 random.trust_cpu=on rd.luks.options=discard ignition.firstboot ignition.platform.id=metal console=tty1 console=ttyS1,115200n8 coreos.inst.persistent-kargs="console=tty1 console=ttyS1,115200n8"
boot
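
Added example (not part of the bug report or of the assisted-service code): a Python check that lists every URL an iPXE script like the one in Comment 7 references, marks those fetched over plain HTTP, and decodes, without verifying, any `api_key` JWT to show what it is scoped to. The host, infra-env ID and token are constructed sample values; the `infra_env_id` claim name follows the tokens shown in the thread.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

URL_RE = re.compile(r"https?://[^\s\"']+")

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(infra_env_id: str) -> str:
    """Build a constructed JWT-shaped token; the signature part is a dummy."""
    header = _b64url(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"infra_env_id": infra_env_id}).encode())
    return f"{header}.{payload}.{_b64url(b'dummy-signature')}"

def jwt_claims(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature (inspection only)."""
    try:
        body = token.split(".")[1]
        return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (IndexError, ValueError):  # not JWT-shaped, bad base64/UTF-8/JSON
        return {}

def audit_ipxe_script(script: str) -> list:
    """Return one finding per URL the script references, including kernel arguments."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            keys = parse_qs(parts.query).get("api_key", [])
            findings.append({"line": lineno, "path": parts.path,
                             "plaintext": parts.scheme == "http",
                             "token_claims": jwt_claims(keys[0]) if keys else None})
    return findings

def tokens_in_clear(findings: list) -> list:
    """Findings where an api_key token crosses the network unencrypted."""
    return [f for f in findings if f["plaintext"] and f["token_claims"] is not None]

HOST = "image-service.example.test"            # constructed placeholder host
ENV = "00000000-0000-0000-0000-000000000000"   # constructed infra-env ID
SAMPLE = f"""#!ipxe
initrd --name initrd http://{HOST}/images/{ENV}/pxe-initrd?api_key={make_sample_token(ENV)}&arch=x86_64&version=4.10
kernel http://{HOST}/boot-artifacts/kernel?arch=x86_64&version=4.10 initrd=initrd coreos.live.rootfs_url=http://{HOST}/boot-artifacts/rootfs?arch=x86_64&version=4.10
boot
"""

if __name__ == "__main__":
    print(tokens_in_clear(audit_ipxe_script(SAMPLE)))
```

Each entry returned by `tokens_in_clear` is a credential readable by anything on the path between the booting host and the route, which is the trade-off of enabling the plain HTTP route on a provisioning network.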

Comment 10 errata-xmlrpc 2022-09-06 22:30:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat Advanced Cluster Management 2.6.0 security updates and bug fixes), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6370

Comment 11 Red Hat Bugzilla 2023-09-15 01:54:11 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days

