Pin to latest commit for EIB (#228 )

Reviewed-on: suse-edge/Factory#228 Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org> Co-authored-by: dbw7 <danial.bekhit@suse.com> Co-committed-by: dbw7 <danial.bekhit@suse.com>
Merge pull request 'bump kubectl image in upgrade controller and turtles' (#239 ) from dprodanov/Factory:bump-kubectl-image into main
2025-08-20 08:36:43 +02:00 · 2025-08-19 08:38:59 +02:00 · 2025-08-18 16:29:53 +03:00 · 2025-08-18 15:24:38 +02:00 · 2025-08-18 13:56:30 +02:00 · 2025-08-18 13:49:03 +02:00
37 changed files with 425 additions and 139 deletions
--- a/ironic-image/Dockerfile
+++ b/ironic-image/Dockerfile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.0
-#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.0-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.1
+#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.1-%RELEASE%

 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -19,11 +19,11 @@ RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes

 #!ArchExclusiveLine: x86_64
 RUN if [ "$(uname -m)" = "x86_64" ];then \
-      zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
+      zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
    fi
 #!ArchExclusiveLine: aarch64
 RUN if [ "$(uname -m)" = "aarch64" ];then \
-      zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
+      zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
    fi
    
 # DATABASE
@@ -41,8 +41,8 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opencontainers.image.version="29.0.4.0"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:29.0.4.0-%RELEASE%"
+LABEL org.opencontainers.image.version="29.0.4.1"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:29.0.4.1-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
--- a/ironic-image/configure-nonroot.sh
+++ b/ironic-image/configure-nonroot.sh
@@ -45,10 +45,10 @@ chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /run

 # ironic and httpd related changes
 mkdir -p /etc/httpd/conf.d
-chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
-chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
+chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/ironic /etc/httpd/conf /etc/httpd/conf.d /etc/httpd/conf.modules.d/
+chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d /etc/httpd/conf.modules.d/
 #chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*
-chmod 664 /etc/ironic/* /etc/httpd/conf/*
+chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.modules.d/*

 chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /var/lib/ironic
 chmod 2775 /var/lib/ironic
--- a/ironic-image/ironic-config/apache2-ipxe.conf.j2
+++ b/ironic-image/ironic-config/apache2-ipxe.conf.j2
@@ -1,4 +1,5 @@
-Listen {{ env.IPXE_TLS_PORT }}
+Listen 0.0.0.0:{{ env.IPXE_TLS_PORT }}
+Listen [::]:{{ env.IPXE_TLS_PORT }}

 <VirtualHost *:{{ env.IPXE_TLS_PORT }}>
    ErrorLog /dev/stderr
--- a/ironic-image/ironic-config/apache2-vmedia.conf.j2
+++ b/ironic-image/ironic-config/apache2-vmedia.conf.j2
@@ -1,4 +1,5 @@
-Listen {{ env.VMEDIA_TLS_PORT }}
+Listen 0.0.0.0:{{ env.VMEDIA_TLS_PORT }}
+Listen [::]:{{ env.VMEDIA_TLS_PORT }}

 <VirtualHost *:{{ env.VMEDIA_TLS_PORT }}>
    ErrorLog /dev/stderr
@@ -10,13 +11,15 @@ Listen {{ env.VMEDIA_TLS_PORT }}
    SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
    SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}

-    <Directory ~ "/shared/html">
-         Order deny,allow
-         deny from all
+    <Directory "/shared/html/">
+        Options Indexes FollowSymLinks
+        AllowOverride None
+        Require all granted
    </Directory>
    <Directory ~ "/shared/html/(redfish|ilo)/">
-         Order allow,deny
-         allow from all
+        Options Indexes FollowSymLinks
+        AllowOverride None
+        Require all granted
    </Directory>
 </VirtualHost>

--- a/ironic-image/ironic-config/httpd-ironic-api.conf.j2
+++ b/ironic-image/ironic-config/httpd-ironic-api.conf.j2
@@ -12,11 +12,21 @@


 {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
-Listen {{ env.IRONIC_LISTEN_PORT }}
+Listen 0.0.0.0:{{ env.IRONIC_LISTEN_PORT }}
+Listen [::]:{{ env.IRONIC_LISTEN_PORT }}
 <VirtualHost *:{{ env.IRONIC_LISTEN_PORT }}>
 {% else %}
-Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
- <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}>
+{% if env.ENABLE_IPV4 %}
+Listen {{ env.IRONIC_IP }}:{{ env.IRONIC_LISTEN_PORT }}
+{% endif %}
+{% if env.ENABLE_IPV6 %}
+Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
+{% endif %}
+{% if env.IRONIC_URL_HOSTNAME is defined and env.IRONIC_URL_HOSTNAME|length %}
+<VirtualHost {{ env.IRONIC_URL_HOSTNAME }}:{{ env.IRONIC_LISTEN_PORT }}>
+{% else %}
+<VirtualHost {% if env.ENABLE_IPV4 %}{{ env.IRONIC_IP }}:{{ env.IRONIC_LISTEN_PORT }}{% endif %} {% if env.ENABLE_IPV6 %}[{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}{% endif %}>
+{% endif %}
 {% endif %}

    {% if env.IRONIC_PRIVATE_PORT == "unix" %}
--- a/ironic-image/ironic-config/httpd-modules.conf
+++ b/ironic-image/ironic-config/httpd-modules.conf
@@ -17,4 +17,4 @@ LoadModule authn_core_module /usr/lib64/apache2/mod_authn_core.so
 LoadModule auth_basic_module /usr/lib64/apache2/mod_auth_basic.so
 LoadModule authn_file_module /usr/lib64/apache2/mod_authn_file.so
 LoadModule authz_user_module /usr/lib64/apache2/mod_authz_user.so
-LoadModule access_compat_module /usr/lib64/apache2/mod_access_compat.so
+#LoadModule access_compat_module /usr/lib64/apache2/mod_access_compat.so
--- a/ironic-image/ironic-config/httpd.conf.j2
+++ b/ironic-image/ironic-config/httpd.conf.j2
@@ -1,8 +1,14 @@
 ServerRoot {{ env.HTTPD_DIR }}
 {%- if env.LISTEN_ALL_INTERFACES | lower == "true" %}
-Listen {{ env.HTTP_PORT }}
+Listen 0.0.0.0:{{ env.HTTP_PORT }}
+Listen [::]:{{ env.HTTP_PORT }}
 {% else %}
-Listen {{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
+{% if env.ENABLE_IPV4 %}
+Listen {{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}
+{% endif %}
+{% if env.ENABLE_IPV6 %}
+Listen [{{ env.IRONIC_IPV6 }}]:{{ env.HTTP_PORT }}
+{% endif %}
 {% endif %}
 Include /etc/httpd/conf.modules.d/*.conf
 User ironic-suse
--- a/ironic-image/ironic-config/ironic.conf.j2
+++ b/ironic-image/ironic-config/ironic.conf.j2
@@ -25,7 +25,13 @@ rpc_transport = none
 use_stderr = true
 # NOTE(dtantsur): the default md5 is not compatible with FIPS mode
 hash_ring_algorithm = sha256
+{% if env.ENABLE_IPV4 %}
 my_ip = {{ env.IRONIC_IP }}
+{% endif %}
+{% if env.ENABLE_IPV6 %}
+my_ipv6 = {{ env.IRONIC_IPV6 }}
+{% endif %}
+
 host = {{ env.IRONIC_CONDUCTOR_HOST }}
 tempdir = {{ env.IRONIC_TMP_DATA_DIR }}

@@ -65,7 +71,7 @@ port = {{ env.IRONIC_PRIVATE_PORT }}
 {% endif %}
 public_endpoint = {{ env.IRONIC_BASE_URL }}
 {% else %}
-host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
+host_ip = {{ env.IRONIC_HOST_IP }}
 port = {{ env.IRONIC_LISTEN_PORT }}
 {% if env.IRONIC_TLS_SETUP == "true" %}
 enable_ssl_api = true
@@ -85,7 +91,11 @@ send_sensor_data = {{ env.SEND_SENSOR_DATA }}
 # Power state is checked every 60 seconds and BMC activity should
 # be avoided more often than once every sixty seconds.
 send_sensor_data_interval = 160
+{% if env.VMEDIA_TLS_PORT %}
+bootloader = {{ env.IRONIC_HTTPS_VMEDIA_URL }}/uefi_esp-{{ env.DEPLOY_ARCHITECTURE }}.img
+{% else %}
 bootloader = {{ env.IRONIC_HTTP_URL }}/uefi_esp-{{ env.DEPLOY_ARCHITECTURE }}.img
+{% endif %}
 verify_step_priority_override = management.clear_job_queue:90
 # We don't use this feature, and it creates an additional load on the database
 node_history = False
@@ -117,15 +127,15 @@ default_boot_option = local
 erase_devices_metadata_priority = 10
 erase_devices_priority = 0
 http_root = /shared/html/
-http_url = {{ env.IRONIC_HTTP_URL }}
+http_url = {% if env.VMEDIA_TLS_PORT %}{{ env.IRONIC_HTTPS_VMEDIA_URL }}{% else %}{{ env.IRONIC_HTTP_URL }}{% endif %}
 fast_track = {{ env.IRONIC_FAST_TRACK }}
 {% if env.IRONIC_BOOT_ISO_SOURCE %}
 ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }}
 {% endif %}
 {% if env.IRONIC_EXTERNAL_HTTP_URL %}
 external_http_url = {{ env.IRONIC_EXTERNAL_HTTP_URL }}
-{% elif env.IRONIC_VMEDIA_TLS_SETUP == "true" %}
-external_http_url = https://{{ env.IRONIC_URL_HOST }}:{{ env.VMEDIA_TLS_PORT }}
+{% elif env.VMEDIA_TLS_PORT %}
+external_http_url = {{ env.IRONIC_HTTPS_VMEDIA_URL }}
 {% endif %}
 {% if env.IRONIC_EXTERNAL_CALLBACK_URL %}
 external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
@@ -181,7 +191,7 @@ cipher_suite_versions = 3,17
 # containers are in host networking.
 auth_strategy = http_basic
 http_basic_auth_user_file = {{ env.IRONIC_RPC_HTPASSWD_FILE }}
-host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
+host_ip = {{ env.IRONIC_HOST_IP }}
 {% if env.IRONIC_TLS_SETUP == "true" %}
 use_ssl = true
 cafile = {{ env.IRONIC_CACERT_FILE }}
--- a/ironic-image/scripts/configure-ironic.sh
+++ b/ironic-image/scripts/configure-ironic.sh
@@ -3,6 +3,7 @@
 set -euxo pipefail

 IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}"
+export VMEDIA_TLS_PORT="${VMEDIA_TLS_PORT:-}"

 # Define the VLAN interfaces to be included in introspection report, e.g.
 #   all - all VLANs on all interfaces using LLDP information
@@ -51,6 +52,18 @@ export IRONIC_IPA_COLLECTORS=${IRONIC_IPA_COLLECTORS:-default,logs}

 wait_for_interface_or_ip

+if [[ "$(echo "$LISTEN_ALL_INTERFACES" | tr '[:upper:]' '[:lower:]')" == "true" ]]; then
+export IRONIC_HOST_IP="::"
+elif [[ -n "${ENABLE_IPV6}" ]]; then
+export IRONIC_HOST_IP="$IRONIC_IPV6"
+else
+export IRONIC_HOST_IP="$IRONIC_IP"
+fi
+
+if [[ "${VMEDIA_TLS_PORT}" ]]; then
+   export IRONIC_HTTPS_VMEDIA_URL="https://${IRONIC_URL_HOST}:${VMEDIA_TLS_PORT}"
+fi
+
 # Hostname to use for the current conductor instance.
 export IRONIC_CONDUCTOR_HOST=${IRONIC_CONDUCTOR_HOST:-${IRONIC_URL_HOST}}

@@ -92,4 +105,11 @@ render_j2_config "/etc/ironic/ironic.conf.j2" \
 configure_json_rpc_auth

 # Make sure ironic traffic bypasses any proxies
-export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
+export NO_PROXY="${NO_PROXY:-}"
+
+if [[ -n "$IRONIC_IPV6" ]]; then
+export NO_PROXY="${NO_PROXY},${IRONIC_IPV6}"
+fi
+if [[ -n "$IRONIC_IP" ]]; then
+export NO_PROXY="${NO_PROXY},${IRONIC_IP}"
+fi
--- a/ironic-image/scripts/ironic-common.sh
+++ b/ironic-image/scripts/ironic-common.sh
@@ -5,9 +5,11 @@ set -euxo pipefail
 # Export IRONIC_IP to avoid needing to lean on IRONIC_URL_HOST for consumption in
 # e.g. dnsmasq configuration
 export IRONIC_IP="${IRONIC_IP:-}"
+IRONIC_IPV6="${IRONIC_IPV6:-}"
 PROVISIONING_INTERFACE="${PROVISIONING_INTERFACE:-}"
 PROVISIONING_IP="${PROVISIONING_IP:-}"
 PROVISIONING_MACS="${PROVISIONING_MACS:-}"
+IRONIC_URL_HOSTNAME="${IRONIC_URL_HOSTNAME:-}"
 IPXE_CUSTOM_FIRMWARE_DIR="${IPXE_CUSTOM_FIRMWARE_DIR:-/shared/custom_ipxe_firmware}"
 CUSTOM_CONFIG_DIR="${CUSTOM_CONFIG_DIR:-/conf}"
 CUSTOM_DATA_DIR="${CUSTOM_DATA_DIR:-/data}"
@@ -33,6 +35,85 @@ export LOCAL_DB_URI="sqlite:///${IRONIC_DB_DIR}/ironic.sqlite"

 export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}

+
+get_ip_of_hostname()
+{
+    if [[ "$#" -ne 2 ]]; then
+        echo "${FUNCNAME}: two parameters required, $# provided" >&2
+        return 1
+    fi
+
+    case $2 in
+        4)
+            QUERY="a";;
+        6)
+            QUERY="aaaa";;
+        *)
+            echo "${FUNCNAME}: the second parameter should be [a|aaaa] for A and AAAA records"
+            return 1;;
+    esac
+
+    local HOSTNAME=$1
+
+    echo $(nslookup -type=${QUERY} "${HOSTNAME}" | tail -n2 | grep -w "Address:" | cut -d " " -f2)
+}
+
+get_interface_of_ip()
+{
+    local IP_VERS=""
+
+    if [[ "$#" -gt 2 ]]; then
+        echo "${FUNCNAME}: too many parameters" >&2
+        return 1
+    fi
+
+    if [[ "$#" -eq 2 ]]; then
+        case $2 in
+        4|6)
+            local IP_VERS="-${2}"
+            ;;
+        *)
+            echo "${FUNCNAME}: the second parameter should be [4|6] (or missing for both)" >&2
+            return 2
+            ;;
+        esac
+    fi
+
+    local IP_ADDR=$1
+
+    # Convert the address using ipcalc which strips out the subnet.
+    # For IPv6 addresses, this will give the short-form address
+    IP_ADDR="$(ipcalc "${IP_ADDR}" | grep "^Address:" | awk '{print $2}')"
+
+    echo $(ip ${IP_VERS} -br addr show scope global | grep -i " ${IP_ADDR}/" | cut -f 1 -d ' ' | cut -f 1 -d '@')
+}
+
+get_ip_of_interface()
+{
+    local IP_VERS=""
+
+    if [[ "$#" -gt 2 ]]; then
+        echo "${FUNCNAME}: too many parameters" >&2
+        return 1
+    fi
+
+    if [[ "$#" -eq 2 ]]; then
+        case $2 in
+        4|6)
+            local IP_VERS="-${2}"
+            ;;
+        *)
+            echo "${FUNCNAME}: the second parameter should be [4|6] (or missing for both)" >&2
+            return 2
+            ;;
+        esac
+    fi
+
+    local IFACE=$1
+
+    echo $(ip ${IP_VERS} -br addr show scope global up dev ${IFACE} | awk '{print $3}' | sed -e 's%/.*%%' | head -n 1)
+}
+
 get_provisioning_interface()
 {
    if [[ -n "$PROVISIONING_INTERFACE" ]]; then
@@ -41,13 +122,7 @@ get_provisioning_interface()
        return
    fi

-    local interface="provisioning"
-
-    if [[ -n "${PROVISIONING_IP}" ]]; then
-        if ip -br addr show | grep -i " ${PROVISIONING_IP}/" &>/dev/null; then
-            interface="$(ip -br addr show | grep -i " ${PROVISIONING_IP}/" | cut -f 1 -d ' ' | cut -f 1 -d '@')"
-        fi
-    fi
+    local interface=""

    for mac in ${PROVISIONING_MACS//,/ }; do
        if ip -br link show up | grep -i "$mac" &>/dev/null; then
@@ -71,32 +146,111 @@ wait_for_interface_or_ip()
    # available on an interface, otherwise we look at $PROVISIONING_INTERFACE
    # for an IP
    if [[ -n "${PROVISIONING_IP}" ]]; then
-        # Convert the address using ipcalc which strips out the subnet.
-        # For IPv6 addresses, this will give the short-form address
-        IRONIC_IP="$(ipcalc "${PROVISIONING_IP}" | grep "^Address:" | awk '{print $2}')"
-        export IRONIC_IP
-        until grep -F " ${IRONIC_IP}/" <(ip -br addr show); do
-            echo "Waiting for ${IRONIC_IP} to be configured on an interface"
+        local IFACE_OF_IP=""
+
+        until [[ -n "$IFACE_OF_IP" ]]; do
+            echo "Waiting for ${PROVISIONING_IP} to be configured on an interface..."
+            IFACE_OF_IP="$(get_interface_of_ip "${PROVISIONING_IP}")"
            sleep 1
        done
+
+        echo "Found $PROVISIONING_IP on interface \"${IFACE_OF_IP}\"!"
+
+        export PROVISIONING_INTERFACE="$IFACE_OF_IP"
+	# If the IP contains a colon, then it's an IPv6 address
+        if [[ "$PROVISIONING_IP" =~ .*:.* ]]; then
+            export IRONIC_IPV6="$PROVISIONING_IP"
+            export IRONIC_IP=""
+        else
+            export IRONIC_IP="$PROVISIONING_IP"
+        fi
+    elif [[ -n "${IRONIC_IP}" ]]; then
+        if [[ "$IRONIC_IP" =~ .*:.* ]]; then
+            export IRONIC_IPV6="$IRONIC_IP"
+            export IRONIC_IP=""
+        fi
+    elif [[ -n "${PROVISIONING_INTERFACE}" ]]; then
+        until [[ -n "$IRONIC_IPV6" ]] || [[ -n "$IRONIC_IP" ]]; do
+            echo "Waiting for ${PROVISIONING_INTERFACE} interface to be configured..."
+
+            IRONIC_IPV6="$(get_ip_of_interface "${PROVISIONING_INTERFACE}" 6)"
+            sleep 1
+
+            IRONIC_IP="$(get_ip_of_interface "${PROVISIONING_INTERFACE}" 4)"
+            sleep 1
+        done
+
+        if [[ -n "$IRONIC_IPV6" ]]; then
+            echo "Found $IRONIC_IPV6 on interface \"${PROVISIONING_INTERFACE}\"!"
+	    export IRONIC_IPV6
+        fi
+        if [[ -n "$IRONIC_IP" ]]; then
+            echo "Found $IRONIC_IP on interface \"${PROVISIONING_INTERFACE}\"!"
+	    export IRONIC_IP
+        fi
+    elif [[ -n "$IRONIC_URL_HOSTNAME" ]]; then
+        local IPV6_IFACE=""
+        local IPV4_IFACE=""
+        
+        # we should get at least one IP address
+        until [[ -n "$IPV6_IFACE" ]] || [[ -n "$IPV4_IFACE" ]]; do
+            local IPV6_RECORD=""
+            local IPV4_RECORD=""
+
+            IPV6_RECORD="$(get_ip_of_hostname "${IRONIC_URL_HOSTNAME}" 6)"
+            IPV4_RECORD="$(get_ip_of_hostname "${IRONIC_URL_HOSTNAME}" 4)"
+
+            # We couldn't get any IP
+            if [[ -z "$IPV4_RECORD" ]] && [[ -z "$IPV6_RECORD" ]]; then
+                echo "${FUNCNAME}: no valid IP found for hostname ${IRONIC_URL_HOSTNAME}" >&2
+                return 1
+            fi
+
+            echo "Waiting for ${IPV6_RECORD} to be configured on an interface"
+            IPV6_IFACE="$(get_interface_of_ip "${IPV6_RECORD}" 6)"
+            sleep 1
+
+            echo "Waiting for ${IPV4_RECORD} to be configured on an interface"
+            IPV4_IFACE="$(get_interface_of_ip "${IPV4_RECORD}" 4)"
+            sleep 1
+        done
+
+        # Add some debugging output
+        if [[ -n "$IPV6_IFACE" ]]; then
+            echo "Found $IPV6_RECORD on interface \"${IPV6_IFACE}\"!"
+            export IRONIC_IPV6="$IPV6_RECORD"
+        fi
+        if [[ -n "$IPV4_IFACE" ]]; then
+            echo "Found $IPV4_RECORD on interface \"${IPV4_IFACE}\"!"
+            export IRONIC_IP="$IPV4_RECORD"
+        fi
+
+        # Make sure both IPs are asigned to the same interface
+        if [[ -n "$IPV6_IFACE" ]] && [[ -n "$IPV4_IFACE" ]] && [[ "$IPV6_IFACE" != "$IPV4_IFACE" ]]; then
+            echo "Warning, the IPv4 and IPv6 addresses from \"${HOSTNAME}\" are assigned to different " \
+            "interfaces (\"${IPV6_IFACE}\" and \"${IPV4_IFACE}\")" >&2
+        fi
+
    else
-        until [[ -n "$IRONIC_IP" ]]; do
-            echo "Waiting for ${PROVISIONING_INTERFACE} interface to be configured"
-            IRONIC_IP="$(ip -br add show scope global up dev "${PROVISIONING_INTERFACE}" | awk '{print $3}' | sed -e 's%/.*%%' | head -n 1)"
-            export IRONIC_IP
-            sleep 1
-        done
+        echo "Cannot determine an interface or an IP for binding and creating URLs"
+        return 1
    fi

-    # If the IP contains a colon, then it's an IPv6 address, and the HTTP
-    # host needs surrounding with brackets
-    if [[ "$IRONIC_IP" =~ .*:.* ]]; then
-        export IPV=6
-        export IRONIC_URL_HOST="[$IRONIC_IP]"
-    else
-        export IPV=4
+    # Define the URLs based on the what we have found,
+    # prioritize IPv6 for IRONIC_URL_HOST
+    if [[ -n "$IRONIC_IP" ]]; then
+        export ENABLE_IPV4=yes
        export IRONIC_URL_HOST="$IRONIC_IP"
    fi
+    if [[ -n "$IRONIC_IPV6" ]]; then
+        export ENABLE_IPV6=yes
+        export IRONIC_URL_HOST="[${IRONIC_IPV6}]" # The HTTP host needs surrounding with brackets
+    fi
+
+    # Once determined if we have IPv4 and/or IPv6, override the hostname if provided
+    if [[ -n "$IRONIC_URL_HOSTNAME" ]]; then
+        IRONIC_URL_HOST=$IRONIC_URL_HOSTNAME
+    fi

    # Avoid having to construct full URL multiple times while allowing
    # the override of IRONIC_HTTP_URL for environments in which IRONIC_IP
--- a/kubectl-image/Dockerfile
+++ b/kubectl-image/Dockerfile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%kubectl:1.32.4
-#!BuildTag: %%IMG_PREFIX%%kubectl:1.32.4-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%kubectl:1.33.4
+#!BuildTag: %%IMG_PREFIX%%kubectl:1.33.4-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro

@@ -15,11 +15,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE kubectl image"
 LABEL org.opencontainers.image.description="kubectl on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="1.32.4"
+LABEL org.opencontainers.image.version="1.33.4"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kubectl:1.32.4-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kubectl:1.33.4-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
--- a/kubectl/kubectl.spec
+++ b/kubectl/kubectl.spec
@@ -1,7 +1,7 @@
 %global debug_package %{nil}

 Name: kubectl
-Version: 1.32.4
+Version: 1.33.4
 Release: 0
 Summary: Command-line utility for interacting with a Kubernetes cluster

--- a/kubectl/kubectl_1.32.4.orig.tar.gz
+++ b/kubectl/kubectl_1.32.4.orig.tar.gz
--- a/kubectl/kubectl_1.33.4.orig.tar.gz
+++ b/kubectl/kubectl_1.33.4.orig.tar.gz
--- a/metal3-chart/Chart.yaml
+++ b/metal3-chart/Chart.yaml
@@ -1,28 +1,28 @@
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.10_up0.12.0
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.10_up0.12.0-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.12_up0.12.2
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.12_up0.12.2-%RELEASE%
 apiVersion: v2
-appVersion: 0.12.0
+appVersion: 0.12.2
 dependencies:
 - alias: metal3-baremetal-operator
  name: baremetal-operator
  repository: file://./charts/baremetal-operator
-  version: 0.9.2
+  version: 0.9.4
 - alias: metal3-ironic
  name: ironic
  repository: file://./charts/ironic
-  version: 0.11.0
+  version: 0.11.2
 - alias: metal3-mariadb
  condition: global.enable_mariadb
  name: mariadb
  repository: file://./charts/mariadb
-  version: 0.6.0
+  version: 0.6.1
 - alias: metal3-media
  condition: global.enable_metal3_media_server
  name: media
  repository: file://./charts/media
-  version: 0.6.4
+  version: 0.6.5
 description: A Helm chart that installs all of the dependencies needed for Metal3
 icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
 name: metal3
 type: application
-version: "%%CHART_MAJOR%%.0.10+up0.12.0"
+version: "%%CHART_MAJOR%%.0.12+up0.12.2"
--- a/metal3-chart/charts/baremetal-operator/Chart.yaml
+++ b/metal3-chart/charts/baremetal-operator/Chart.yaml
@@ -3,4 +3,4 @@ appVersion: 0.9.1
 description: A Helm chart for baremetal-operator, used by Metal3
 name: baremetal-operator
 type: application
-version: 0.9.2
+version: 0.9.4
--- a/metal3-chart/charts/baremetal-operator/templates/_helpers.tpl
+++ b/metal3-chart/charts/baremetal-operator/templates/_helpers.tpl
@@ -61,3 +61,19 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the URL to use for connecting to the Ironic servers (e.g. API, cache)
+*/}}
+{{- define "baremetal-operator.ironicHttpHost" -}}
+{{- $hostIP := include "metal3.hostIP" . -}}
+{{- with .Values.global }}
+{{- if .provisioningHostname }}
+{{- .provisioningHostname }}
+{{- else if regexMatch ".*:.*" $hostIP}}
+{{- print "[" $hostIP "]" }}
+{{- else }}
+{{- $hostIP }}
+{{- end }}
+{{- end }}
+{{- end }}
--- a/metal3-chart/charts/baremetal-operator/templates/configmap-ironic.yaml
+++ b/metal3-chart/charts/baremetal-operator/templates/configmap-ironic.yaml
@@ -1,10 +1,10 @@
  {{- $enableTLS := .Values.global.enable_tls }}
  {{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }}
  {{- $protocol := ternary "https" "http" $enableTLS }}
-  {{- $ironicIP := .Values.global.ironicIP | default "" }}
-  {{- $ironicApiHost := print $ironicIP ":6385" }}
-  {{- $ironicBootHost := print $ironicIP ":6180" }}
-  {{- $ironicCacheHost := print $ironicIP ":6180" }}
+  {{- $ironicHost := include "baremetal-operator.ironicHttpHost" . | required "Missing host information for BMO to connect to Ironic" }}
+  {{- $ironicApiHost := print $ironicHost ":6385" }}
+  {{- $ironicBootHost := print $ironicHost ":6180" }}
+  {{- $ironicCacheHost := print $ironicHost ":6180" }}
  {{- $deployArch := .Values.global.deployArchitecture }}

 apiVersion: v1
@@ -12,8 +12,8 @@ data:
  IRONIC_ENDPOINT: "{{ $protocol }}://{{ $ironicApiHost }}/v1/"
  # Switch VMedia to HTTP if enable_vmedia_tls is false
  {{- if and $enableTLS $enableVMediaTLS }}
-    {{- $ironicBootHost = print $ironicIP ":" .Values.global.vmediaTLSPort }}
-    {{- $ironicCacheHost = print $ironicIP ":" .Values.global.vmediaTLSPort }}
+    {{- $ironicBootHost = print $ironicHost ":" .Values.global.vmediaTLSPort }}
+    {{- $ironicCacheHost = print $ironicHost ":" .Values.global.vmediaTLSPort }}
    {{- $protocol = "https" }}
  RESTART_CONTAINER_CERTIFICATE_UPDATED: "true"
  {{- else }}
--- a/metal3-chart/charts/baremetal-operator/templates/metrics_service.yaml
+++ b/metal3-chart/charts/baremetal-operator/templates/metrics_service.yaml
@@ -6,6 +6,7 @@ metadata:
    control-plane: controller-manager
  name: {{ include "baremetal-operator.fullname" . }}-controller-manager-metrics-service
 spec:
+  ipFamilyPolicy: PreferDualStack
  ports:
  - name: https
    port: 8443
--- a/metal3-chart/charts/baremetal-operator/templates/service-webhook.yaml
+++ b/metal3-chart/charts/baremetal-operator/templates/service-webhook.yaml
@@ -5,6 +5,7 @@ metadata:
    {{- include "baremetal-operator.labels" . | nindent 4 }}
  name: {{ include "baremetal-operator.fullname" . }}-webhook-service
 spec:
+  ipFamilyPolicy: PreferDualStack
  ports:
  - port: 443
    targetPort: 9443
--- a/metal3-chart/charts/ironic/Chart.yaml
+++ b/metal3-chart/charts/ironic/Chart.yaml
@@ -3,4 +3,4 @@ appVersion: 29.0.4
 description: A Helm chart for Ironic, used by Metal3
 name: ironic
 type: application
-version: 0.11.0
+version: 0.11.2
--- a/metal3-chart/charts/ironic/templates/_helpers.tpl
+++ b/metal3-chart/charts/ironic/templates/_helpers.tpl
@@ -83,3 +83,50 @@ Get ironic CA volumeMounts
  readOnly: true
 {{- end }}
 {{- end }}
+
+{{/*
+Get the formatted "External" hostname or IP based URL
+*/}}
+{{- define "ironic.externalHttpUrl" }}
+{{- $host := ternary (include "metal3.hostIP" .) .Values.global.externalHttpHost (empty .Values.global.externalHttpHost) }}
+{{- if regexMatch ".*:.*" $host }}
+{{- $host = print "[" $host "]" }}
+{{- end }}
+{{- $protocol := "http" }}
+{{- $port := "6180" }}
+{{- if .Values.global.enable_vmedia_tls }}
+{{- $protocol = "https" }}
+{{- $port = .Values.global.vmediaTLSPort | default "6185" }}
+{{- end }}
+{{- print $protocol "://" $host ":" $port }}
+{{- end }}
+
+{{/*
+Get the command to use for Liveness and Readiness probes
+*/}}
+{{- define "ironic.probeCommand" }}
+{{- $host := "127.0.0.1" }}
+{{- if eq .Values.listenOnAll false }}
+{{- $host = coalesce .Values.global.provisioningIP .Values.global.ironicIP .Values.global.provisioningHostname }}
+{{- if regexMatch ".*:.*" $host }}
+{{- $host = print "[" $host "]" }}
+{{- end }}
+{{- end }}
+{{- print "curl -sSfk https://" $host ":6385" }}
+{{- end }}
+
+{{/*
+Create the subjectAltNames section to be set on the Certificate
+*/}}
+{{- define "ironic.subjectAltNames" -}}
+{{- with .Values.global }}
+{{- if .provisioningHostname }}
+dnsNames:
+- {{ .provisioningHostname }}
+{{- end -}}
+{{- if or .ironicIP .provisioningIP }}
+ipAddresses:
+  - {{ coalesce .provisioningIP .ironicIP }}
+{{- end }}
+{{- end }}
+{{- end }}
--- a/metal3-chart/charts/ironic/templates/certificates.yaml
+++ b/metal3-chart/charts/ironic/templates/certificates.yaml
@@ -6,8 +6,7 @@ metadata:
 spec:
  commonName: ironic-ca
  isCA: true
-  ipAddresses:
-  - {{ .Values.global.ironicIP }}
+  {{- include "ironic.subjectAltNames" . | indent 2 }}
  issuerRef:
    kind: Issuer
    name: selfsigned-issuer
@@ -19,8 +18,7 @@ metadata:
  name: ironic-cert
 spec:
  commonName: ironic-cert
-  ipAddresses:
-  - {{ .Values.global.ironicIP }}
+  {{- include "ironic.subjectAltNames" . | indent 2 }}
  issuerRef:
    kind: Issuer
    name: ca-issuer
@@ -33,8 +31,7 @@ metadata:
  name: ironic-vmedia-cert
 spec:
  commonName: ironic-vmedia-cert
-  ipAddresses:
-  - {{ .Values.global.ironicIP }}
+  {{- include "ironic.subjectAltNames" . | indent 2 }}
  issuerRef:
    kind: Issuer
    name: ca-issuer
--- a/metal3-chart/charts/ironic/templates/configmap.yaml
+++ b/metal3-chart/charts/ironic/templates/configmap.yaml
@@ -5,16 +5,9 @@ metadata:
  labels:
    {{- include "ironic.labels" . | nindent 4 }}
 data:
-  {{- $enableTLS := .Values.global.enable_tls }}
-  {{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }}
-  {{- $protocol := ternary "https" "http" $enableTLS }}
-  {{- $ironicIP := .Values.global.ironicIP | default "" }}
-  {{- $ironicBootHost := print $ironicIP ":6180" }}
-  {{- $ironicCacheHost := print $ironicIP ":6180" }}
  {{- $deployArch := .Values.global.deployArchitecture }}

  {{- if  ( .Values.global.enable_dnsmasq ) }}
-  DNSMASQ_BOOT_SERVER_ADDRESS: {{ $ironicBootHost }}
  DNSMASQ_DNS_SERVER_ADDRESS: {{ .Values.global.dnsmasqDNSServer }}
  DNSMASQ_DEFAULT_ROUTER: {{ .Values.global.dnsmasqDefaultRouter }}
  DHCP_RANGE: {{ .Values.global.dhcpRange }}
@@ -24,29 +17,21 @@ data:
  {{- end }}
  HTTP_PORT: "6180"
  PREDICTABLE_NIC_NAMES: "{{ .Values.global.predictableNicNames }}"
-  # Switch VMedia to HTTP if enable_vmedia_tls is false
-  {{- if and $enableTLS $enableVMediaTLS }}
-    {{- $ironicBootHost = print $ironicIP ":" .Values.global.vmediaTLSPort }}
-    {{- $ironicCacheHost = print $ironicIP ":" .Values.global.vmediaTLSPort }}
-    {{- $protocol = "https" }}
-  {{- else }}
-    {{- $protocol = "http" }}
-  {{- end }}
-  IRONIC_EXTERNAL_HTTP_URL: {{ $protocol }}://{{ $ironicCacheHost }}
+  IRONIC_EXTERNAL_HTTP_URL: {{ include "ironic.externalHttpUrl" . }}
  DEPLOY_ARCHITECTURE: {{ $deployArch }}
-  IRONIC_BOOT_BASE_URL: {{ $protocol }}://{{ $ironicBootHost }}
  ENABLE_PXE_BOOT: "{{ .Values.global.enable_pxe_boot }}"
  {{- if .Values.global.provisioningInterface }}
  PROVISIONING_INTERFACE: {{ .Values.global.provisioningInterface }}
  {{- end }}
  {{- if .Values.global.provisioningIP }}
-  PROVISIONING_IP: {{ .Values.global.provisioningIP }}
+  PROVISIONING_IP: {{ include "metal3.hostIP" . }}
+  {{- else if .Values.global.ironicIP }}
+  IRONIC_IP: {{ include "metal3.hostIP" . }}
+  {{- else if .Values.global.provisioningHostname }}
+  IRONIC_URL_HOSTNAME: {{ .Values.global.provisioningHostname }}
  {{- end }}
  IRONIC_FAST_TRACK: "true"
-  LISTEN_ALL_INTERFACES: "true"
-  {{- if .Values.global.ironicIP }}
-  IRONIC_IP: {{ .Values.global.ironicIP }}
-  {{- end }}
+  LISTEN_ALL_INTERFACES: "{{ .Values.listenOnAll }}"
  {{- if  ( .Values.global.enable_tls ) }}
  RESTART_CONTAINER_CERTIFICATE_UPDATED: "true"
  IRONIC_KERNEL_PARAMS: {{ .Values.global.ironicKernelParams }} tls.enabled=true
--- a/metal3-chart/charts/ironic/templates/deployment.yaml
+++ b/metal3-chart/charts/ironic/templates/deployment.yaml
@@ -42,7 +42,7 @@ spec:
            name: ironic
        livenessProbe:
          exec:
-            command: ["sh", "-c", "curl -sSfk https://127.0.0.1:6385"]
+            command: ["sh", "-c", "{{ include "ironic.probeCommand" . }}"]
          failureThreshold: 10
          initialDelaySeconds: 30
          periodSeconds: 30
@@ -60,7 +60,7 @@ spec:
        {{- end }}
        readinessProbe:
          exec:
-            command: ["sh", "-c", "curl -sSfk https://127.0.0.1:6385"]
+            command: ["sh", "-c", "{{ include "ironic.probeCommand" . }}"]
          failureThreshold: 10
          initialDelaySeconds: 30
          periodSeconds: 30
--- a/metal3-chart/charts/ironic/templates/service.yaml
+++ b/metal3-chart/charts/ironic/templates/service.yaml
@@ -10,6 +10,7 @@ metadata:
  {{- end }}
 spec:
  type: {{ .Values.service.type }}
+  ipFamilyPolicy: PreferDualStack
  ports:
  {{- $enableTLS := .Values.global.enable_tls }}
  {{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }}
--- a/metal3-chart/charts/ironic/values.yaml
+++ b/metal3-chart/charts/ironic/values.yaml
@@ -32,6 +32,12 @@ global:
  # IP Address assigned to network interface on provisioning network
  provisioningIP: ""

+  # Fully Qualified Domain Name used by Ironic for both binding (to the
+  # associated IPv4 and/or IPv6 addresses) and exposing the API, dnsmask and
+  # media, also used by BMO. Note, this is the only way to enable a fully
+  # working dual-stack configuration.
+  provisioningHostname: ""
+
  # Whether the NIC names should be predictable or not
  predictableNicNames: "true"

@@ -52,11 +58,13 @@ global:

 replicaCount: 1

+listenOnAll: true
+
 images:
  ironic:
    repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
    pullPolicy: IfNotPresent
-    tag: 29.0.4.0
+    tag: 29.0.4.1
  ironicIPADownloader:
    repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic-ipa-downloader
    pullPolicy: IfNotPresent
--- a/metal3-chart/charts/mariadb/Chart.yaml
+++ b/metal3-chart/charts/mariadb/Chart.yaml
@@ -3,4 +3,4 @@ appVersion: "10.11"
 description: A Helm chart for MariaDB, used by Metal3
 name: mariadb
 type: application
-version: 0.6.0
+version: 0.6.1
--- a/metal3-chart/charts/mariadb/templates/service.yaml
+++ b/metal3-chart/charts/mariadb/templates/service.yaml
@@ -5,10 +5,11 @@ metadata:
  labels:
    {{- include "mariadb.labels" . | nindent 4 }}
 spec:
+  ipFamilyPolicy: PreferDualStack
  type: {{ .Values.service.type }}
  selector:
    {{- include "mariadb.selectorLabels" . | nindent 4 }}
  ports:
  {{- with .Values.service.ports }}
    {{- toYaml . | nindent 2 }}
-  {{- end }}
+  {{- end }}
--- a/metal3-chart/charts/media/Chart.yaml
+++ b/metal3-chart/charts/media/Chart.yaml
@@ -3,4 +3,4 @@ appVersion: 1.16.0
 description: A Helm chart for Media, used by Metal3
 name: media
 type: application
-version: 0.6.4
+version: 0.6.5
--- a/metal3-chart/charts/media/templates/service.yaml
+++ b/metal3-chart/charts/media/templates/service.yaml
@@ -5,6 +5,7 @@ metadata:
  labels:
    {{- include "media.labels" . | nindent 4 }}
 spec:
+  ipFamilyPolicy: PreferDualStack
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
--- a/metal3-chart/charts/media/values.yaml
+++ b/metal3-chart/charts/media/values.yaml
@@ -24,7 +24,7 @@ replicaCount: 1
 image:
  repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
  pullPolicy: IfNotPresent
-  tag: 29.0.4.0
+  tag: 29.0.4.1

 imagePullSecrets: []
 nameOverride: ""
--- a/metal3-chart/templates/_helpers.tpl
+++ b/metal3-chart/templates/_helpers.tpl
@@ -60,3 +60,18 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Produce the correct IP or hostname for Ironic provisioning
+*/}}
+{{- define "metal3.hostIP" -}}
+{{- with .Values.global }}
+{{- if and .provisioningHostname (or .provisioningIP .ironicIP) }}
+{{  fail "Please provide either provisioningHostname or provisioningIP or ironicIP" }}
+{{- end }}
+{{- if and .provisioningIP .ironicIP }}
+{{  fail "Please provide either ironicIP or provisioningIP" }}
+{{- end }}
+{{- coalesce .provisioningIP .ironicIP }}
+{{- end }}
+{{- end }}
--- a/metal3-chart/values.yaml
+++ b/metal3-chart/values.yaml
@@ -60,6 +60,15 @@ global:
  # IP Address assigned to network interface on provisioning network
  provisioningIP: ""

+  # Fully Qualified Domain Name used by Ironic for both binding (to the 
+  # associated IPv4 and/or IPv6 addresses) and exposing the API, dnsmask and
+  # media, also used by BMO. Note, this is the only way to enable a fully
+  # working dual-stack configuration.
+  provisioningHostname: ""
+
+  # Hostname or IP for accessing the Ironic API server from a non-provisioning network
+  externalHttpHost: ""
+
  # Name for the MariaDB service
  databaseServiceName: metal3-mariadb

--- a/rancher-turtles-chart/values.yaml
+++ b/rancher-turtles-chart/values.yaml
@@ -22,7 +22,7 @@ rancherTurtles:
  # rancherInstalled: True if Rancher already installed is in the cluster, this is the preferred installation way.
  rancherInstalled: false
  # kubectlImage: Image for kubectl tasks.
-  kubectlImage: "%%IMG_REPO%%/%%IMG_PREFIX%%kubectl:1.32.4"
+  kubectlImage: "%%IMG_REPO%%/%%IMG_PREFIX%%kubectl:1.33.4"
  # features: Optional and experimental features.
  features:
    # day2operations: Alpha feature.
--- a/release-manifest-image/release_manifest.yaml
+++ b/release-manifest-image/release_manifest.yaml
@@ -7,7 +7,7 @@ spec:
  components:
    kubernetes:
      k3s:
-        version: v1.32.4+k3s1
+        version: v1.33.3+k3s1
        coreComponents:
          - name: traefik-crd
            version: 34.2.1+up34.2.0
@@ -31,46 +31,46 @@ spec:
                image: rancher/mirrored-metrics-server:v0.7.2
            type: Deployment
      rke2:
-        version: v1.32.4+rke2r1
+        version: v1.33.3+rke2r1
        coreComponents:
          - name: rke2-cilium
-            version: 1.17.300
+            version: 1.17.600
            type: HelmChart
          - name: rke2-canal
-            version: v3.29.3-build2025040801
+            version: v3.30.2-build2025071100
            type: HelmChart
          - name: rke2-calico-crd
-            version: v3.29.101
+            version: v3.30.100
            type: HelmChart
          - name: rke2-calico
-            version: v3.29.300
+            version: v3.30.100
            type: HelmChart
          - name: rke2-coredns
-            version: 1.39.201
+            version: 1.42.302
            type: HelmChart
          - name: rke2-ingress-nginx
-            version: 4.12.101
+            version: 4.12.401
            type: HelmChart
          - name: rke2-metrics-server
-            version: 3.12.200
+            version: 3.12.203
            type: HelmChart
          - name: rancher-vsphere-csi
-            version: 3.3.1-rancher900
+            version: 3.3.1-rancher1000
            type: HelmChart
          - name: rancher-vsphere-cpi
-            version: 1.10.000
+            version: 1.11.000
            type: HelmChart
          - name: harvester-cloud-provider
-            version: 0.2.900
+            version: 0.2.1000
            type: HelmChart
          - name: harvester-csi-driver
-            version: 0.1.2300
+            version: 0.1.2400
            type: HelmChart
          - name: rke2-snapshot-controller-crd
-            version: 4.0.002
+            version: 4.0.003
            type: HelmChart
          - name: rke2-snapshot-controller
-            version: 4.0.002
+            version: 4.0.003
            type: HelmChart
          # Deprecated this empty chart addon can be removed in v1.34
          - name: rke2-snapshot-validation-webhook
@@ -89,20 +89,20 @@ spec:
        - prettyName: Rancher
          releaseName: rancher
          chart: rancher
-          version: 2.11.2
-          repository: https://charts.rancher.com/server-charts/prime
+          version: 2.12.1-alpha1
+          repository: https://releases.rancher.com/server-charts/alpha
          values:
            postDelete:
              enabled: false
        - prettyName: Longhorn
          releaseName: longhorn
          chart: longhorn
-          version: 106.2.0+up1.8.1
+          version: 106.2.1+up1.8.2
          repository: https://charts.rancher.io
          dependencyCharts:
            - releaseName: longhorn-crd
              chart: longhorn-crd
-              version: 106.2.0+up1.8.1
+              version: 106.2.1+up1.8.2
              repository: https://charts.rancher.io
        - prettyName: MetalLB
          releaseName: metallb
@@ -123,12 +123,12 @@ spec:
        - prettyName: NeuVector
          releaseName: neuvector
          chart: neuvector
-          version: 106.0.1+up2.8.6
+          version: 107.0.0+up2.8.7
          repository: https://charts.rancher.io
          dependencyCharts:
            - releaseName: neuvector-crd
              chart: neuvector-crd
-              version: 106.0.1+up2.8.6
+              version: 107.0.0+up2.8.7
              repository: https://charts.rancher.io
          addonCharts:
            - releaseName: neuvector-ui-ext
@@ -142,11 +142,11 @@ spec:
        - prettyName: Elemental
          releaseName: elemental-operator
          chart: oci://registry.suse.com/rancher/elemental-operator-chart
-          version: 1.6.8
+          version: 1.7.3
          dependencyCharts:
            - releaseName: elemental-operator-crds
              chart: oci://registry.suse.com/rancher/elemental-operator-crds-chart
-              version: 1.6.8
+              version: 1.7.3
          addonCharts:
            - releaseName: elemental
              chart: elemental
@@ -171,7 +171,7 @@ spec:
        - prettyName: Metal3
          releaseName: metal3
          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%metal3'
-          version: '%%CHART_MAJOR%%.0.10+up0.12.0'
+          version: '%%CHART_MAJOR%%.0.12+up0.12.2'
        - prettyName: RancherTurtles
          releaseName: rancher-turtles
          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%rancher-turtles'
--- a/upgrade-controller-chart/values.yaml
+++ b/upgrade-controller-chart/values.yaml
@@ -15,7 +15,7 @@ env:
    image: %%MANIFEST_REPO%%/%%IMG_PREFIX%%release-manifest
  kubectl:
    image: %%IMG_REPO%%/%%IMG_PREFIX%%kubectl
-    version: 1.32.4
+    version: 1.33.4

 imagePullSecrets: []
 nameOverride: ""
Author	SHA256	Message	Date
dbw7	9821dab715	Pin to latest commit for EIB (#228 ) Reviewed-on: suse-edge/Factory#228 Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org> Co-authored-by: dbw7 <danial.bekhit@suse.com> Co-committed-by: dbw7 <danial.bekhit@suse.com>	2025-08-20 08:36:43 +02:00
Denislav Prodanov	0eec81256f	Merge pull request 'bump kubectl image in upgrade controller and turtles' (#239 ) from dprodanov/Factory:bump-kubectl-image into main Reviewed-on: suse-edge/Factory#239 Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>	2025-08-19 08:38:59 +02:00
Denislav Prodanov	0fd2e6472a	bump kubectl image in upgrade controller and turtles	2025-08-18 16:29:53 +03:00
Denislav Prodanov	d648a17268	Merge pull request 'kubectl-image' (#238 ) from dprodanov/Factory:kubectl-image into main Reviewed-on: suse-edge/Factory#238 Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>	2025-08-18 15:24:38 +02:00
Denislav Prodanov	d056b82800	merge upstream	2025-08-18 13:56:30 +02:00
Denislav Prodanov	e935c18527	Merge pull request 'updated 3.4.0 release manifest versions' (#236 ) from dprodanov/Factory:update-rm into main Reviewed-on: suse-edge/Factory#236 Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>	2025-08-18 13:49:03 +02:00
Denislav Prodanov	d1dcfadea6	update kubectl image to 1.33.4	2025-08-18 13:15:40 +03:00
Denislav Prodanov	594a388a50	updated 3.4.0 release manifest versions	2025-08-18 13:06:57 +03:00
Marco Chiappero	a8a7b3a542	Bump metal3-chart due to ironicIP Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-15 08:28:33 +00:00
Marco Chiappero	6059a859a1	Bring IRONIC_IP back and give provisioningIP higher priority Revert the change that translated ironicIP into provisioningIP, as well as the messages on deprecation. This is to allow for the use with Metal LB in SV. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-14 15:54:57 +00:00
Marco Chiappero	8da51ba73f	Allow the use of IRONIC_IP again in ironic-image Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-14 15:54:56 +00:00
Marco Chiappero	5bf3812659	Let every media download go through HTTPS if set up Update some URLs to leverage HTTPs whenever VMEDIA_TLS_PORT is set. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-14 15:54:56 +00:00
Marco Chiappero	a11bb47c19	Always generate IRONIC_EXTERNAL_HTTP_URL Commit `03d7a39` introduced the possibility to externally configure IRONIC_EXTERNAL_HTTP_URL, while removing also the value when the host was not user provided. Revert this last behaviour, by always adding the variable in the ironic ConfigMap even if the host is not set in values, leveraging either ironicIP or provisioningIP. This is required to fix the use of VMedia TLS. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-14 06:28:18 +00:00
Marco Chiappero	d18aef225e	Clear IRONIC_IP when PROVISIONING_IP is IPv6 Make sure that only IRONIC_IPV6 is set with a valid value when PROVISIONING_IP is an IPv6 address by also clearing IRONIC_IP Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-13 15:05:13 +00:00
Marco Chiappero	8d1f677931	Align TLS HTTPD with HTTP Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-12 14:19:56 +00:00
Marco Chiappero	d0bbc1d844	Update a few httpd config files Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-12 14:17:29 +00:00
Marco Chiappero	47df258e97	Bump the metal3-chart versions after PR #223 Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-12 09:14:00 +00:00
Marco Chiappero	5ece6cd64e	Temporarily grant access to anything on HTTPS Unfortuantely, likely due to some conflicts in the Apache, access cannot be granted to /images/ only, so allow anyone for now. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-08 15:30:56 +00:00
Marco Chiappero	0da5de1c06	Use Apache 2.4 syntax for access control on TLS HTTP server Migrate the access rules for files in the HTTPS media server instance to the newer 2.4 syntax, matching the HTTP media server in httpd.conf	2025-08-08 10:31:26 +00:00
Marco Chiappero	27af056dce	Fix a few ShellCheck reported warnings from PR #213 The checks on the upstream project have reported some warnings to the code accepted in PR #213, fix them in this commit. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-07 20:20:09 +00:00
Marco Chiappero	e233adfec2	Enable PreferDualStack on all the Services in the subcharts Make sure that the services are created with both IPv4 and IPv6 addresses when the cluster has been created with both IPv4 and IPv6 ranges. They will behave as single stack otherwise. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-06 17:47:00 +00:00
Marco Chiappero	8617c36789	Update the URL for the BMO to connect to Ironic The BMO should now connect via the provisioningHostname if set or an IP address. Add a helper that returns the ironic hostname or correctly formatted IP to define the ironicApiHost variable in the BMO configmap. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-06 17:47:00 +00:00
Marco Chiappero	aa56c231d4	Include the hostname for SAN in Certificates Recently provisioningHostname has been introduced as an alternative way to configure the IPs to bind and respond to. This however requires that the Certificates for HTTPS also include a dnsNames section whenver such value is present. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-06 17:47:00 +00:00
Marco Chiappero	29dd8dda17	Introduce metal3.provisioningIP template and deprecate ironicIP So far ironicIP has been part of values.yaml under the global section, however this is very misleading: this variable is internal to the Ironic startup scripts and should not be set, moreover it conflicts with provisioningIP, which is instead a public configuration variable for the purpose. This commits thus introduces the following changes: - removes the creation of IRONIC_IP in the Ironic configmap - does not yet remove ironicIP from values.yaml to avoid breaking forward compatibility - introduces a utility function to perform input validation while still prioritizing ironicIP if present Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-06 17:47:00 +00:00
Marco Chiappero	6012f480b0	Allow to change the LISTEN_ALL_INTERFACE variable for Ironic It should be possible to enable or disable the environment variable LISTEN_ALL_INTERFACE in the Ironic configmap, as it allows to the way Ironic binds to socket, especially in combination with the changes introduced in v29. However, if listenOnAll is false, Ironic will bind to a specific IPv4 and/or IPv6 address and the 127.0.0.1 address used for the liveness and readiness probe will not be accepted. Also add a named template that, when it is set to false, picks a different host IP or address, according to the following priority: - ironicIP (deprecated) - provisioningIP - provisioningHostname Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-06 17:47:00 +00:00
Marco Chiappero	110a7b1f7c	Introduce the provisioningHostname env variable in Ironic Create a new provisioningHostname value in values.yaml in order to set the new IRONIC_URL_HOSTNAME, that allows to set the address(es) Ironic will bind to. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-06 17:30:27 +00:00
Marco Chiappero	343fcd24b7	Remove unused env and helm variables Since currently we can only define the provisioning network and the external HTTP host, remove some clutter generating unused variables. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-06 17:30:26 +00:00
Marco Chiappero	03d7a39ead	Allow control over IRONIC_EXTERNAL_HTTP_URL via values.yaml The purpose of this commit is to: - avoid providing IRONIC_EXTERNAL_HTTP_URL by default, as the Ironic startup scripts will be able to derive the value from other variables - define a new global value under the top values.yaml to generate IRONIC_EXTERNAL_HTTP_URL when actually needed - make sure that the input, which can either be a hostname or an IP address, is correctly formatted in case of an IPv6. This change also allows subsequent cleanups of the whole Configmap template for Ironic. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-06 17:30:26 +00:00
Marco Chiappero	e2d38a867c	Let Apache use separate IPv4 and IPv6 sockets for listening to any Enable the use of two separate sockets for IPv4 and IPv6 when LISTEN_ALL_INTERFACES is set to true. While desirable, on Linux Apache uses IPv4-mapped IPv6 addresses by default, thus leveraging a single IPv6 socket for IPv4 connections as well. This behaviour is far from being desirable and can be disabled at compile time via the "--disable-v4-mapped" flag, so make sure both an ANY address Listen directive is present for both IPv4 and IPv6. When Apache is compiled with "--enable-v4-mapped", the IPv4 socket will be simply ignored. Please see https://httpd.apache.org/docs/2.4/bind.html for more information. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-04 14:47:42 +00:00
Marco Chiappero	eecd30e90d	Update httpd.conf to bind to IPv4 and/or IPv6 sockets Enable the use of individual IPv4 and IPv6 sockets when the respective IP is detected and LISTEN_ALL_INTERFACES is not set to true. This allows to correctly bind to both the IPv4 and IPv6 addresses found and not just one of them. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-04 14:47:42 +00:00
Marco Chiappero	fc0cfda2c0	Let Ironic API use IPv4 and IPv6 sockets when possible When LISTEN_ALL_INTERFACES is not set, Apache should make Ironic API avaiable on either or both IPv4 and IPv6 sockets, depending on the addresses requested or found on the system. Make sure to set the "Listen" directive according to ENABLE_IPV4 and ENABLE_IPV4, and the VirtualHost when IRONIC_URL_HOSTNAME is present. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-04 14:47:42 +00:00
Marco Chiappero	582aaaa424	Set host_ip to an IPv6 address when found Prioritize IPv6 over IPv4 when available to set host_ip in ironic.conf when LISTEN_ALL_INTERFACES is not set to true. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-04 14:47:42 +00:00
Marco Chiappero	a94cde2a35	Use my_ipv6 when IRONIC_IPV6 is defined in ironic.conf As per the Ironic documentation: "This field [my_ip] does accept an IPv6 address as an override for templates and URLs, however it is recommended that [DEFAULT]my_ipv6 is used along with DNS names for service URLs for dual-stack environments." Fill my_ipv6 when an IPv6 address has been found for binding. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-04 14:47:42 +00:00
Marco Chiappero	ad01fecc4f	Allow binding on the provisioning network via a hostname In a dual-stack scenario, especially when deploying in direct mode via virtual media, it might be useful to 1) use a hostname to enable "dual IP" URLs 2) have ironic bind to those two addresses, if found on the system. To make this possible, this commit introduces: - a new user environment variable named IRONIC_URL_HOSTNAME, to be used as immutable external only input, to derive IRONIC_URL_HOST and the IP addresses to bind on - a new utility function named "get_ip_of_hostname" to help look up the A and AAAA records - additional logic to look for the returned address on the system, for binding the processes; this new logic has lower priority than PROVISIONING_IP (which can then be used to enforce one specific IP version) and PROVISIONING_INTERFACE Note, while IRONIC_URL_HOSTNAME and PROVISIONING_IP are considered to be mutually exclusive, IRONIC_URL_HOSTNAME and PROVISIONING_INTERFACE are not. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-04 14:47:42 +00:00
Marco Chiappero	d59126b517	Introduce IRONIC_IPV6 to bind on IPv6 sockets The ironic scripts either use PROVISIONING_IP as an input or try to determine an IP address to bind the sockets to. This results in IRONIC_IP being defined once the process is complete, and it can carry either an IPv4 or an IPv6 address. Likely, the assumption is that on Linux, by default, IPv4-mapped IPv6 addresses can be leveraged to serve both IPv4 and IPv6 through a single socket. However this is not a good practice and two separate sockets should be used instead, whenever possible. This change modifies such logic by - introducing the variable IRONIC_IPV6 alongside the existing - matching IRONIC_IP and attempting to populate both variables Please note that hostname based URLs, with both A and AAAA records, are also required for a fully working dual-stack configuration. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-04 14:47:42 +00:00
Marco Chiappero	19394a8b03	Revert 2742439 being now redundant Commit 2742439 added logic to tentatively identify the interface name in get_provisioning_interface if the PROVISIONING_IP is provided. However the same process in then repeated in wait_for_interface_or_ip. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-04 14:47:42 +00:00
Marco Chiappero	ca7da400d0	Leverage get_interface_of_ip to look PROVISIONING_IP up Use the previously introduced get_interface_of_ip, to determine if the PROVISIONING_IP address is actually present on a network interface. This improves the code readability and enables additional debugging output. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-04 14:47:42 +00:00
Marco Chiappero	c69044ff2b	Add two new utility functions for later refactoring The way the ironic-image processes are bound to internet sockets is mainly by PROVISIONING_IP or PROVISIONING_INTERFACE, that is, by looking up a specific address on an interface, or a specific interface for a workable address. Introduce two new utility functions in ironic-common.sh for these two purposes: get_interface_of_ip: returns the name of the interface where the IP address provided as argument is found get_ip_of_interface: returns the first IP associated to the interface provided as argument These two functions will be put into use in subsequent commits. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-04 14:47:42 +00:00
Marco Chiappero	60f0bdd5f0	Remove PROVISIONING_INTERFACE default for better validation Whenever PROVISIONING_INTERFACE is not set by the user, function get_provisioning_interface attempts to determine one, or provide "provisionign" as default value. However this can cause confusing errors down the line. Remove this default value and fail gracefully, with proper logging, if the PROVISIONING_INTERFACE value is not detected. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-04 14:47:42 +00:00
Marco Chiappero	4e4f9e591a	Simplify the setting of host_ip in ironic.conf The value of host_ip is determined twice within the ironic.conf.j2 template file, by means of a relatively hard to read set of conditions. Avoid this duplication and improve readability by exporting the correct value once in scripts/configure-ironic.sh. This also leave more room for more complex evaluations should these be needed in the future. Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>	2025-08-04 14:47:42 +00:00