From 3edeb4c4f30bb9b6ab9b264020fba26ef1f5bed9 Mon Sep 17 00:00:00 2001
From: Pavlo Shchelokovskyy
Date: Fri, 23 Feb 2018 18:13:54 +0200
Subject: [PATCH] [devstack] block iPXE boot from HTTPS TempURLs
While generally supported by iPXE, in DevStack we do not have any facilities in place to boot iPXE from a HTTPS URL when the server is using a custom certificate. This is moslty concerning ability to boot iPXE directly from Swift's TempURL when SSL is enabled on Swift in DevStack. Just die with proper message when IRONIC_IPXE_USE_SWIFT and tls-proxy are both enabled.
Change-Id: Ie0e01828f05b2706d310d8110e6e8dd8c4a03e4e
---
 devstack/lib/ironic | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/devstack/lib/ironic b/devstack/lib/ironic
index 328a12a837..e733d00148 100644
--- a/devstack/lib/ironic
+++ b/devstack/lib/ironic
@@ -485,6 +485,12 @@ if [ $IRONIC_DEFAULT_BOOT_OPTION != 'netboot' ] && [ $IRONIC_DEFAULT_BOOT_OPTION
 die $LINENO "Supported values for IRONIC_DEFAULT_BOOT_OPTION are 'netboot' and 'local' only."
 fi
 
+# TODO(pas-ha) find a way to (cross-)sign the custom CA bundle used by tls-proxy
+# with default iPXE cert - for reference see http://ipxe.org/crypto
+if [ $IRONIC_IPXE_USE_SWIFT == 'True' && is_service_enabled tls-proxy ]; then
+ die $LINENO "Ironic in DevStack does not yet support booting iPXE from HTTPS URLs"
+fi
+
 # Timeout for "manage" action. 2 minutes is more than enough.
 IRONIC_MANAGE_TIMEOUT=${IRONIC_MANAGE_TIMEOUT:-120}
 # Timeout for "provide" action. This involves cleaning. Generally, 15 minutes
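Review bot: The added condition `if [ $IRONIC_IPXE_USE_SWIFT == 'True' && is_service_enabled tls-proxy ]; then` can never be true, so the new `die` guard is dead code. The shell splits the command list at `&&`, so `[` runs without its closing `]` and exits with an error, and `is_service_enabled` is never reached (it would also be handed a stray `]` argument). Write the two tests as separate commands and quote the variable so an empty or unset value cannot break the test: `if is_service_enabled tls-proxy && [ "$IRONIC_IPXE_USE_SWIFT" == 'True' ]; then`. As submitted, a run with both options enabled passes this check and presumably only fails later, when iPXE cannot validate the tls-proxy certificate, instead of stopping here with the intended message.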