From 68961df8d57bf9f3fda1d81bbf71bca87a462738 Mon Sep 17 00:00:00 2001
From: Julia Kreger <juliaashleykreger@gmail.com>
Date: Wed, 17 Nov 2021 07:28:12 -0800
Subject: CI: Get tinyipa build working for CI usage

The qemu git server has updated it's ssl certificate, and can no longer
be verified by the software libraries and embedded tinycore data for
the 10.x release. Unfortunately, we have CI hard coded to an older
release and we cannot release a newer, older version of the tinycore
10.x supporting packages.

So, for our CI purposes, we just need a working build, so that
is all this patch attempts to do, get our CI in a working state
for the older branches.

It is an awful change. None of us like it, but we're stuck and
this is the only path forward short of completely abandoning
the use of the software builds on these branches.

Change-Id: Ia4434e9d2e4df49b26c33fcf371d821e0d44d6b7
---
 devstack/lib/ironic                                          |  7 +++++++
 .../dont-use-tinyipa-for-production-620d8c7488c3a677.yaml    | 12 ++++++++++++
 2 files changed, 19 insertions(+)
 create mode 100644 releasenotes/notes/dont-use-tinyipa-for-production-620d8c7488c3a677.yaml

diff --git a/devstack/lib/ironic b/devstack/lib/ironic
index 0f60bf558..09e6ac919 100644
--- a/devstack/lib/ironic
+++ b/devstack/lib/ironic
@@ -2697,6 +2697,13 @@ function build_tinyipa_ramdisk {
         export AUTHORIZE_SSH=true
         export SSH_PUBLIC_KEY=$IRONIC_ANSIBLE_SSH_KEY.pub
     fi
+    # NOTE(TheJulia): This is insecure. We know it, we don't like it.
+    # but we need CI to work and we're in a catch-22 as we can't explicitly patch
+    # this in to the versions used for CI with ussuri and train releases. This is
+    # because the certificates on qemu.org can no longer be verified since it was
+    # recently in late October 2021.
+    sed -i 's/git\ clone\ --branch/git\ clone\ --insecure\ --branch/' build-tinyipa.sh
+    # Resume our build process.
     make
     cp tinyipa.gz $ramdisk_path
     cp tinyipa.vmlinuz $kernel_path
diff --git a/releasenotes/notes/dont-use-tinyipa-for-production-620d8c7488c3a677.yaml b/releasenotes/notes/dont-use-tinyipa-for-production-620d8c7488c3a677.yaml
new file mode 100644
index 000000000..86aaa0dfa
--- /dev/null
+++ b/releasenotes/notes/dont-use-tinyipa-for-production-620d8c7488c3a677.yaml
@@ -0,0 +1,12 @@
+---
+issues:
+  - Users attempting to build older TinyIPA versions for Ussuri and Train
+    may find that they are unable to do so due to SSL certificate verification
+    issues. This is not expected to be fixed by the ironic community as we
+    are unable to release new versions of ironic-python-agent-builder used
+    by those releases.
+other:
+  - |
+    As a general reminder and a direct results of attempt to fix Continious
+    Integration test jobs for Ussuri and Train releases, it must be stressed
+    to *not* use TinyIPA in production.
-- 
cgit v1.2.1