forked from suse-edge/Factory

382 Commits
3.2 ... main

609919d57e Merge pull request 'chore: Bump c-v to 0.2.2 in main' (#295) from eminguez/suse-edge-factory:c-v-0.2.2 into main
Reviewed-on: suse-edge/Factory#295
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-10-24 13:56:17 +02:00
c4dea6361d Merge pull request 'metal3: Stop filtering kernel drivers embeded in IPA ramdisk' (#291) from nbelouin/Factory:enable-irdma into main
Reviewed-on: suse-edge/Factory#291
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-10-23 16:07:09 +02:00
4a6119ca82 Merge pull request 'fix(metal3): Fix a typo in the media subchart' (#296) from nbelouin/Factory:fix-metal3-media-typo into main
Reviewed-on: suse-edge/Factory#296
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-10-23 14:33:04 +02:00
b69a806fed fix(metal3): Fix a typo in the media subchart
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-10-23 11:54:18 +02:00
cd217a73f8 Bump versions
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-10-23 11:09:57 +02:00
28f7c4b074 Remove kernel modules filter
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-10-23 11:05:25 +02:00
a9079e0bfc Adding support for SL Micro 6.2 builds 2025-10-22 10:35:34 +02:00
e-minguez
84c1cd9964 chore: Bump c-v to 0.2.2 in main 2025-10-22 10:27:28 +02:00
69db0a0b16 Merge pull request 'metal3: Introduce TLS variables for ironic vmedia server' (#281) from nbelouin/Factory:ironic-tls-cipher into main
Reviewed-on: suse-edge/Factory#281
Reviewed-by: Marco Chiappero <mchiappero@noreply.src.opensuse.org>
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-10-14 15:04:32 +02:00
db47d9df65 Merge pull request '[3.5.0] - updated release manifest to use sl micro 6.2' (#288) from dprodanov/Factory:os-update into main
Reviewed-on: suse-edge/Factory#288
Reviewed-by: Fatih Degirmenci <fdegirmenci@noreply.src.opensuse.org>
2025-10-14 10:07:05 +02:00
1dc2e44dfd [3.5.0] - updated release manifest to use sl micro 6.2 2025-10-14 10:35:04 +03:00
800c0464e2 Merge pull request '[3.5.0] - create init release manifest for 3.5.0' (#287) from dprodanov/Factory:init-3.5 into main
Reviewed-on: suse-edge/Factory#287
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-10-13 18:04:13 +02:00
dcc86b217c [3.5.0] - create init release manifest for 3.5.0 2025-10-13 10:24:46 +03:00
54886117da Adding arm64 build for support tools (#280)
Adding arm64 build for nessie and python-suse-edge-components-versions

Co-authored-by: George <george_agriogiannis@yahoo.com>
Reviewed-on: suse-edge/Factory#280
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-10-06 12:52:09 +02:00
8696dbedf8 Merge pull request 'feat: Bump c-v to 0.2.1 using release manifests now' (#279) from eminguez/suse-edge-factory:c-v-0.2.0 into main
Reviewed-on: suse-edge/Factory#279
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-10-03 13:25:01 +02:00
e-minguez
df4cde31b0 feat: Bump c-v to 0.2.0 using release manifests now 2025-10-03 11:45:19 +02:00
4664d645d4 metallb - bump to 0.15.2 (#276)
Update MetalLB to 0.15.2, also updates kube-rbac-proxy

Reviewed-on: suse-edge/Factory#276
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
Co-authored-by: Jonas Arndt <jonas.arndt@suse.com>
Co-committed-by: Jonas Arndt <jonas.arndt@suse.com>
2025-10-03 10:50:52 +02:00
f60348562e metal3: Introduce TLS variables for ironic vmedia server
port of https://github.com/metal3-io/ironic-image/pull/759

Expose it in chart with a new `ironic.ironicExtraEnv` value that allows
passing arbitrary extra environment variables to allow for advanced
configuration we may not want to keep as not for the faint of heart.

Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-10-03 10:04:48 +02:00
8947818604 Merge pull request 'bump elemental dashboard version' (#277) from dprodanov/Factory:ele-dashboard into main
Reviewed-on: suse-edge/Factory#277
Reviewed-by: Fatih Degirmenci <fdegirmenci@noreply.src.opensuse.org>
2025-09-23 09:34:59 +02:00
13964b8be1 bump elemental dashboard version 2025-09-23 10:18:06 +03:00
1d374f13c9 Merge pull request 'update release images' (#274) from dprodanov/Factory:release-images into main
Reviewed-on: suse-edge/Factory#274
Reviewed-by: Fatih Degirmenci <fdegirmenci@noreply.src.opensuse.org>
2025-09-19 18:57:39 +02:00
03aeb3cef7 update release images 2025-09-19 19:48:34 +03:00
78898463aa Merge pull request 'added cert manager to the release manifest' (#272) from dprodanov/Factory:cert-man into main
Reviewed-on: suse-edge/Factory#272
2025-09-19 08:49:21 +02:00
c67f9081a9 added cert manager to the release manifest 2025-09-19 09:48:51 +03:00
d75736809d release-manifest: update images for turtles 0.24.0 2025-09-17 13:07:47 +03:00
de51bf9c83 rancher-turtles-chart: fix fleet airgap config
It seems the fetchConfig is not currently supported in the upstream chart
2025-09-17 13:07:47 +03:00
948a0193d8 rancher-turtles-airgap-resources: Update to 0.24.0
Note this requires a configuration change because the IPAM provider is
now decoupled from CAPM3
2025-09-17 13:07:47 +03:00
2ae659283a rancher-turtles: update to 0.24.0 2025-09-17 13:07:47 +03:00
8a13f25dfa Updates for EIB 1.3 (#268)
Reviewed-on: suse-edge/Factory#268
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
Co-authored-by: dbw7 <danial.bekhit@suse.com>
Co-committed-by: dbw7 <danial.bekhit@suse.com>
2025-09-17 05:25:08 +02:00
2d1c31e19a Merge pull request 'Use BCI nginx for metal3 media subchart' (#267) from nbelouin/Factory:media-nginx into main
Reviewed-on: suse-edge/Factory#267
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-09-16 15:19:25 +02:00
18844c5a25 Use BCI nginx for metal3 media subchart
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-09-16 14:00:01 +02:00
265467d53f Merge pull request 'EIB 1.3.0-rc0 update' (#263) from dbekhit/Factory:eib-130rc0 into main
Reviewed-on: suse-edge/Factory#263
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-09-11 09:48:56 +02:00
b4a7eadd88 Update edge-image-builder/_service 2025-09-11 09:46:43 +02:00
be12376b9c 1.3.0-rc0 update 2025-09-11 02:02:57 -04:00
4b7ad790c8 Merge pull request 'fix(ironic-image): Reintroduce predictable nic naming' (#261) from nbelouin/Factory:reintroduce-predictable-nic-names into main
Reviewed-on: suse-edge/Factory#261
Reviewed-by: Marco Chiappero <mchiappero@noreply.src.opensuse.org>
2025-09-10 14:56:14 +02:00
59f7f6c4d2 fix(ironic-image): Reintroduce predictable nic naming
We ended up dropping the `net.ifnames` kernel parameter handling during
rebase of ironic image, reintroducing it here.

Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-09-10 14:03:31 +02:00
6c719f307c Merge pull request 'Update Hauler to v1.2.5' (#260) from dbekhit/Factory:hauler-1-2-5 into main
Reviewed-on: suse-edge/Factory#260
2025-09-10 05:15:07 +02:00
e30c1fef4b Update Hauler to v1.2.5 2025-09-09 22:39:56 -04:00
3fea007d77 Merge pull request 'Fix IPA Downloader tags for arch specific images' (#259) from nbelouin/Factory:fix-ipa-downloader-tags into main
Reviewed-on: suse-edge/Factory#259
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-09-08 16:37:20 +02:00
1bce8490f6 Fix IPA Downloader tags for arch specific images
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-09-08 16:03:39 +02:00
47bdcb200c Merge pull request 'feat: Bump c-v to 0.1.1' (#258) from eminguez/suse-edge-factory:c-v-0.1.1 into main
Reviewed-on: suse-edge/Factory#258
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-09-04 15:39:56 +02:00
e-minguez
bf869dec4e feat: Bump c-v to 0.1.1 2025-09-04 14:35:32 +02:00
92f49dbbfc Merge pull request 'Port multi-arch support patches to Factory' (#221) from nbelouin/Factory:ironic-arch into main
Reviewed-on: suse-edge/Factory#221
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
Reviewed-by: Marco Chiappero <mchiappero@noreply.src.opensuse.org>
2025-09-04 14:01:28 +02:00
96320cc7f2 kubevirt-dashboard-extension-chart: fix chart tag 2025-09-04 12:17:23 +02:00
7be5f59e4f Bump metal3 versions
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-09-04 12:00:39 +02:00
bb4ab90787 Add multi-arch related patches for BMO
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-09-03 16:07:13 +02:00
6c05726947 Port ironic-image and ipa-downloader-image PRs to Factory, and adapt chart accordingly
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-09-03 16:07:13 +02:00
9a87f37674 Merge pull request 'Bump prefered cargo to 1.89' (#256) from nbelouin/Factory:update-cargo into main
Reviewed-on: suse-edge/Factory#256
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-09-03 15:38:14 +02:00
6d50385ec3 Merge pull request 'fix: Allow helm chart metadata icon to be file' (#255) from eminguez/suse-edge-factory:pyhelm3-icon-allow-file into main
Reviewed-on: suse-edge/Factory#255
2025-09-03 13:47:25 +02:00
e-minguez
b94d722028 fix: Allow helm chart metadata icon to be file 2025-09-03 13:47:08 +02:00
35054ff64b akri-dashboard-extension-chart: Update to 304.0.3+up1.3.1 2025-09-03 11:24:50 +02:00
e5f6b76d8b kubevirt-dashboard-extension-chart: Update to 304.0.3+up1.3.2 2025-09-03 11:24:35 +02:00
4e32759250 Bump prefered cargo to 1.89
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-09-03 08:25:07 +02:00
59fd3c1a8b Merge pull request 'feat: Add suse-edge-components-versions' (#222) from eminguez/suse-edge-factory:components-versions into main
Reviewed-on: suse-edge/Factory#222
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-09-02 15:40:44 +02:00
e-minguez
5b167e10ab feat: Add suse-edge-components-versions 2025-09-02 13:44:12 +02:00
9cbf868ba7 Bump the metal3-chart and BMO subchart version
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-09-01 12:51:30 +00:00
7e04a91e72 Allow to set IRONIC_EXTERNAL_URL_V6 to Metal3 BMO
Whenever a BMC only has an IPv6 address, the Baremetal Operator will
change the "external_http_url" in the driver to an IPv6 contained in
IRONIC_EXTERNAL_URL_V6, if set.

Introduce 'externalHttpIPv6' in values for the BMO, in order to generate
such environment variable in configmap-ironic.yaml.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-09-01 12:34:14 +00:00
e9554a4399 Merge pull request 'Revert the removal of repo' (#252) from dprodanov/Factory:fix-rm into main
Reviewed-on: suse-edge/Factory#252
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-08-29 13:25:11 +02:00
45cd7fbc36 Revert the removal of repo 2025-08-29 14:24:06 +03:00
05f49fec7b Merge pull request 'Update rancher prime version to the GA' (#251) from dprodanov/Factory:update-rancher into main
Reviewed-on: suse-edge/Factory#251
Reviewed-by: Kristian Zhelyazkov <kzhelyazkov@noreply.src.opensuse.org>
2025-08-29 13:20:46 +02:00
d1cb632801 Update Rancher prime version to GA 2025-08-29 14:16:57 +03:00
a1ba635f5d Merge pull request 'upgrade-kubevirt' (#247) from dprodanov/Factory:upgrade-kubevirt into main
Reviewed-on: suse-edge/Factory#247
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-08-29 11:38:48 +02:00
0295819a86 bump chart version as well 2025-08-29 12:36:47 +03:00
6875eea67f Merge pull request 'changed the entry point for pre-commit to call the script from the venv' (#248) from dprodanov/Factory:fix-pre-commit into main
Reviewed-on: suse-edge/Factory#248
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-08-29 10:53:39 +02:00
3652c43179 changed the entry point for pre-commit to call the script from the venv 2025-08-29 11:51:53 +03:00
8403958d39 Update release manifest 2025-08-29 11:09:09 +03:00
b77a565a57 Upgrade Kubevirt to 1.5.2 2025-08-29 11:07:13 +03:00
a0180aa25a Upgrade CDI to 1.62.0 2025-08-29 11:03:39 +03:00
2a852b4266 Add release URL (#246)
Reviewed-on: suse-edge/Factory#246
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-08-27 01:09:53 +02:00
1b112a8727 Merge pull request '[3.4.0] - updates to release-manifest' (#245) from dprodanov/Factory:3-4-0-release-manifest into main
Reviewed-on: suse-edge/Factory#245
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-08-26 13:29:03 +02:00
411e9ab220 [3.4.0] - updates to release-manifest 2025-08-26 12:28:51 +03:00
9227c1bbeb Merge pull request 'Bump BMO to 0.10.2' (#217) from nbelouin/Factory:bmo-upgrade into main
Reviewed-on: suse-edge/Factory#217
Reviewed-by: Marco Chiappero <mchiappero@noreply.src.opensuse.org>
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-08-22 15:27:10 +02:00
994273a2a3 Adding nessie to factory (#244)
Adding nessie to factory.
This aims to test the theory of conflict if there's same package and branch name, as was the case in #243

Authored-by: George <george_agriogiannis@yahoo.com>
Reviewed-on: suse-edge/Factory#244
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-08-22 09:25:32 +02:00
ec829ba559 Bump BMO to 0.10.2
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-08-21 09:04:32 +02:00
9821dab715 Pin to latest commit for EIB (#228)
Reviewed-on: suse-edge/Factory#228
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
Co-authored-by: dbw7 <danial.bekhit@suse.com>
Co-committed-by: dbw7 <danial.bekhit@suse.com>
2025-08-20 08:36:43 +02:00
0eec81256f Merge pull request 'bump kubectl image in upgrade controller and turtles' (#239) from dprodanov/Factory:bump-kubectl-image into main
Reviewed-on: suse-edge/Factory#239
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-08-19 08:38:59 +02:00
0fd2e6472a bump kubectl image in upgrade controller and turtles 2025-08-18 16:29:53 +03:00
d648a17268 Merge pull request 'kubectl-image' (#238) from dprodanov/Factory:kubectl-image into main
Reviewed-on: suse-edge/Factory#238
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-08-18 15:24:38 +02:00
d056b82800 merge upstream 2025-08-18 13:56:30 +02:00
e935c18527 Merge pull request 'updated 3.4.0 release manifest versions' (#236) from dprodanov/Factory:update-rm into main
Reviewed-on: suse-edge/Factory#236
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-08-18 13:49:03 +02:00
d1dcfadea6 update kubectl image to 1.33.4 2025-08-18 13:15:40 +03:00
594a388a50 updated 3.4.0 release manifest versions 2025-08-18 13:06:57 +03:00
a8a7b3a542 Bump metal3-chart due to ironicIP
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-15 08:28:33 +00:00
6059a859a1 Bring IRONIC_IP back and give provisioningIP higher priority
Revert the change that translated ironicIP into provisioningIP, as well
as the messages on deprecation. This is to allow for the use with Metal
LB in SV.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-14 15:54:57 +00:00
8da51ba73f Allow the use of IRONIC_IP again in ironic-image
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-14 15:54:56 +00:00
5bf3812659 Let every media download go through HTTPS if set up
Update some URLs to leverage HTTPS whenever VMEDIA_TLS_PORT is set.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-14 15:54:56 +00:00
a11bb47c19 Always generate IRONIC_EXTERNAL_HTTP_URL
Commit 03d7a39 introduced the possibility to externally configure
IRONIC_EXTERNAL_HTTP_URL, while removing also the value when the host
was not user provided.

Revert this last behaviour, by always adding the variable in the ironic
ConfigMap even if the host is not set in values, leveraging either
ironicIP or provisioningIP. This is required to fix the use of VMedia
TLS.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-14 06:28:18 +00:00
d18aef225e Clear IRONIC_IP when PROVISIONING_IP is IPv6
Make sure that only IRONIC_IPV6 is set with a valid value when
PROVISIONING_IP is an IPv6 address by also clearing IRONIC_IP

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-13 15:05:13 +00:00
8d1f677931 Align TLS HTTPD with HTTP
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-12 14:19:56 +00:00
d0bbc1d844 Update a few httpd config files
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-12 14:17:29 +00:00
47df258e97 Bump the metal3-chart versions after PR #223
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-12 09:14:00 +00:00
5ece6cd64e Temporarily grant access to anything on HTTPS
Unfortunately, likely due to some conflicts in Apache, access cannot
be granted to /images/ only, so allow anyone for now.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-08 15:30:56 +00:00
0da5de1c06 Use Apache 2.4 syntax for access control on TLS HTTP server
Migrate the access rules for files in the HTTPS media server instance
to the newer 2.4 syntax, matching the HTTP media server in httpd.conf
2025-08-08 10:31:26 +00:00
27af056dce Fix a few ShellCheck reported warnings from PR #213
The checks on the upstream project have reported some warnings to the
code accepted in PR #213, fix them in this commit.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-07 20:20:09 +00:00
e233adfec2 Enable PreferDualStack on all the Services in the subcharts
Make sure that the services are created with both IPv4 and IPv6
addresses when the cluster has been created with both IPv4 and IPv6
ranges. They will behave as single stack otherwise.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-06 17:47:00 +00:00
8617c36789 Update the URL for the BMO to connect to Ironic
The BMO should now connect via the provisioningHostname if set or an IP
address. Add a helper that returns the ironic hostname or correctly
formatted IP to define the ironicApiHost variable in the BMO configmap.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-06 17:47:00 +00:00
aa56c231d4 Include the hostname for SAN in Certificates
Recently provisioningHostname has been introduced as an alternative way
to configure the IPs to bind and respond to. This however requires that
the Certificates for HTTPS also include a dnsNames section whenever such
value is present.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-06 17:47:00 +00:00
29dd8dda17 Introduce metal3.provisioningIP template and deprecate ironicIP
So far ironicIP has been part of values.yaml under the global section,
however this is very misleading: this variable is internal to the Ironic
startup scripts and should not be set, moreover it conflicts with
provisioningIP, which is instead a public configuration variable for the
purpose.

This commit thus introduces the following changes:
- removes the creation of IRONIC_IP in the Ironic configmap
- does not yet remove ironicIP from values.yaml to avoid breaking
  forward compatibility
- introduces a utility function to perform input validation while still
  prioritizing ironicIP if present

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-06 17:47:00 +00:00
6012f480b0 Allow to change the LISTEN_ALL_INTERFACE variable for Ironic
It should be possible to enable or disable the environment variable
LISTEN_ALL_INTERFACE in the Ironic configmap, as it allows changing the way
Ironic binds to sockets, especially in combination with the changes
introduced in v29.

However, if listenOnAll is false, Ironic will bind to a specific IPv4
and/or IPv6 address and the 127.0.0.1 address used for the liveness
and readiness probe will not be accepted. Also add a named template
that, when it is set to false, picks a different host IP or address,
according to the following priority:
- ironicIP (deprecated)
- provisioningIP
- provisioningHostname

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-06 17:47:00 +00:00
110a7b1f7c Introduce the provisioningHostname env variable in Ironic
Create a new provisioningHostname value in values.yaml in order to set
the new IRONIC_URL_HOSTNAME, that allows to set the address(es) Ironic
will bind to.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-06 17:30:27 +00:00
343fcd24b7 Remove unused env and helm variables
Since currently we can only define the provisioning network and the
external HTTP host, remove some clutter generating unused variables.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-06 17:30:26 +00:00
03d7a39ead Allow control over IRONIC_EXTERNAL_HTTP_URL via values.yaml
The purpose of this commit is to:
- avoid providing IRONIC_EXTERNAL_HTTP_URL by default, as the Ironic
  startup scripts will be able to derive the value from other variables
- define a new global value under the top values.yaml to generate
  IRONIC_EXTERNAL_HTTP_URL when actually needed
- make sure that the input, which can either be a hostname or an IP
  address, is correctly formatted in case of an IPv6.

This change also allows subsequent cleanups of the whole Configmap
template for Ironic.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-06 17:30:26 +00:00
e2d38a867c Let Apache use separate IPv4 and IPv6 sockets for listening to any
Enable the use of two separate sockets for IPv4 and IPv6 when
LISTEN_ALL_INTERFACES is set to true. While desirable, on Linux Apache uses
IPv4-mapped IPv6 addresses by default, thus leveraging a single IPv6 socket
for IPv4 connections as well.

This behaviour is far from being desirable and can be disabled at compile
time via the "--disable-v4-mapped" flag, so make sure an ANY address
Listen directive is present for both IPv4 and IPv6. When Apache is compiled
with "--enable-v4-mapped", the IPv4 socket will be simply ignored.

Please see https://httpd.apache.org/docs/2.4/bind.html for more
information.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-04 14:47:42 +00:00
eecd30e90d Update httpd.conf to bind to IPv4 and/or IPv6 sockets
Enable the use of individual IPv4 and IPv6 sockets when the respective
IP is detected and LISTEN_ALL_INTERFACES is not set to true. This allows
to correctly bind to both the IPv4 and IPv6 addresses found and not just
one of them.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-04 14:47:42 +00:00
fc0cfda2c0 Let Ironic API use IPv4 and IPv6 sockets when possible
When LISTEN_ALL_INTERFACES is not set, Apache should make Ironic API
available on either or both IPv4 and IPv6 sockets, depending on the
addresses requested or found on the system.

Make sure to set the "Listen" directive according to ENABLE_IPV4 and
ENABLE_IPV4, and the VirtualHost when IRONIC_URL_HOSTNAME is present.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-04 14:47:42 +00:00
582aaaa424 Set host_ip to an IPv6 address when found
Prioritize IPv6 over IPv4 when available to set host_ip in ironic.conf
when LISTEN_ALL_INTERFACES is not set to true.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-04 14:47:42 +00:00
a94cde2a35 Use my_ipv6 when IRONIC_IPV6 is defined in ironic.conf
As per the Ironic documentation:

"This field [my_ip] does accept an IPv6 address as an override for templates
and URLs, however it is recommended that [DEFAULT]my_ipv6 is used along with
DNS names for service URLs for dual-stack environments."

Fill my_ipv6 when an IPv6 address has been found for binding.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-04 14:47:42 +00:00
ad01fecc4f Allow binding on the provisioning network via a hostname
In a dual-stack scenario, especially when deploying in direct mode via
virtual media, it might be useful to 1) use a hostname to enable "dual IP"
URLs 2) have ironic bind to those two addresses, if found on the system.

To make this possible, this commit introduces:
- a new user environment variable named IRONIC_URL_HOSTNAME, to be used
  as immutable external only input, to derive IRONIC_URL_HOST and the
  IP addresses to bind on
- a new utility function named "get_ip_of_hostname" to help look up the
  A and AAAA records
- additional logic to look for the returned address on the system, for
  binding the processes; this new logic has lower priority than
  PROVISIONING_IP (which can then be used to enforce one specific IP
  version) and PROVISIONING_INTERFACE

Note, while IRONIC_URL_HOSTNAME and PROVISIONING_IP are considered to be
mutually exclusive, IRONIC_URL_HOSTNAME and PROVISIONING_INTERFACE are
not.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-04 14:47:42 +00:00
d59126b517 Introduce IRONIC_IPV6 to bind on IPv6 sockets
The ironic scripts either use PROVISIONING_IP as an input or try to
determine an IP address to bind the sockets to. This results in
IRONIC_IP being defined once the process is complete, and it can carry
either an IPv4 or an IPv6 address.

Likely, the assumption is that on Linux, by default, IPv4-mapped IPv6
addresses can be leveraged to serve both IPv4 and IPv6 through a single
socket. However this is not a good practice and two separate sockets
should be used instead, whenever possible.

This change modifies such logic by
- introducing the variable IRONIC_IPV6 alongside the existing
- matching IRONIC_IP and attempting to populate both variables

Please note that hostname based URLs, with both A and AAAA records, are
also required for a fully working dual-stack configuration.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-04 14:47:42 +00:00
19394a8b03 Revert 2742439 being now redundant
Commit 2742439 added logic to tentatively identify the interface name
in get_provisioning_interface if the PROVISIONING_IP is provided.
However the same process is then repeated in wait_for_interface_or_ip.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-04 14:47:42 +00:00
ca7da400d0 Leverage get_interface_of_ip to look PROVISIONING_IP up
Use the previously introduced get_interface_of_ip, to determine if the
PROVISIONING_IP address is actually present on a network interface.

This improves the code readability and enables additional debugging
output.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-04 14:47:42 +00:00
c69044ff2b Add two new utility functions for later refactoring
The way the ironic-image processes are bound to internet sockets is mainly
by PROVISIONING_IP or PROVISIONING_INTERFACE, that is, by looking up a
specific address on an interface, or a specific interface for a workable
address.

Introduce two new utility functions in ironic-common.sh for these two
purposes:
get_interface_of_ip: returns the name of the interface where the IP address
                     provided as argument is found
get_ip_of_interface: returns the first IP associated to the interface
                     provided as argument

These two functions will be put into use in subsequent commits.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-04 14:47:42 +00:00
60f0bdd5f0 Remove PROVISIONING_INTERFACE default for better validation
Whenever PROVISIONING_INTERFACE is not set by the user, function
get_provisioning_interface attempts to determine one, or provide
"provisioning" as default value. However this can cause confusing errors
down the line.

Remove this default value and fail gracefully, with proper logging,
if the PROVISIONING_INTERFACE value is not detected.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-04 14:47:42 +00:00
4e4f9e591a Simplify the setting of host_ip in ironic.conf
The value of host_ip is determined twice within the ironic.conf.j2 template
file, by means of a relatively hard to read set of conditions.

Avoid this duplication and improve readability by exporting the correct
value once in scripts/configure-ironic.sh. This also leaves more room for
more complex evaluations should these be needed in the future.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-08-04 14:47:42 +00:00
e-minguez
51b082a3f1 feat: Package pyhelm3 as requirement for c-v 2025-07-30 11:29:22 +02:00
d45c9764a4 release-manifest: Update rancher-turtles versions 2025-07-29 14:52:29 +03:00
efd8bf1075 rancher-turtles-airgap-resources: Update to 0.21.0
Updates to align with rancher-turtles chart

This also overrides the RKE2 provider version to 0.18.0 so we can consume
recent fixes, in particular rancher/cluster-api-provider-rke2#684
2025-07-29 13:24:47 +03:00
892400cea7 rancher-turtles: Update 0.21.0
Also update CAPI operator and CAPM3 versions

This also overrides the RKE2 provider version to 0.18.0 so we can consume
recent fixes, in particular rancher/cluster-api-provider-rke2#684
2025-07-29 13:24:47 +03:00
ff1b390d09 Merge pull request 'Add pre-commit to update release manifest' (#211) from nbelouin/Factory:pre-commit-manifest into main
Reviewed-on: suse-edge/Factory#211
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-07-29 11:27:57 +02:00
c3f1be5640 Add pre-commit to update release manifest
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-07-29 11:26:16 +02:00
e021cfa92f Merge pull request 'Upgrade to SLE 15.7 base and bump Ironic to use 2025.1 version' (#214) from nbelouin/Factory:15.7-upgrade into main
Reviewed-on: suse-edge/Factory#214
Reviewed-by: Marco Chiappero <mchiappero@noreply.src.opensuse.org>
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-07-29 11:20:48 +02:00
5f0d0b019e Merge pull request 'Align config files and scripts with upstream (v29.0.0)' (#205) from mchiappero/Factory:alignment-v29.0.0 into main
Reviewed-on: suse-edge/Factory#205
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-07-29 11:19:21 +02:00
dc254aa461 Bump metal3-chart
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-07-29 11:01:52 +02:00
62f9faf144 Align configure-nonroot.sh
Try to reuse as much as possible of the upstream configure-nonroot.sh

Co-authored-by: Nicolas Belouin <nicolas.belouin@suse.com>
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 10:36:37 +00:00
8164b5f125 Adopt the new readiness/liveness probes
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 10:36:37 +00:00
5f6e0185f5 Make the new scripts executable
v29.0.0 adds a couple of new scripts, such as ironic-probe.sh; make sure
they have the 'executable' flag.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 10:36:37 +00:00
57dca6f0a4 Remove unused prometheus exporter
The Prometheus exporter is not only unused but effectively
unusable, due to missing dependencies. Since we currently
don't have a use case for it, opt for dropping the exporter
entirely from the image.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 10:36:37 +00:00
54bf2edf7b Force the use of Python 3.11
SLE 15.6 provides Python 3.11, make sure it's enforced.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 10:36:37 +00:00
9c60855914 Update the destination path of Jinjia templates
Previously .j2 files used to be copied to /etc before being
instantiated. In order to make the image potentially read only,
move the templates to /tmp.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 10:36:37 +00:00
bc1d924cc6 Disable the network schema check to allow for nmstate definitions
Bypass the OpenStack network-data format validation, to allow for the
nmstate based one we instead use (which would otherwise fail).

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 10:36:37 +00:00
2f4f94238f Do not force ipa-insecure=1, use env variable instead
Allow the use of HTTPS; force ipa-insecure to 1 via the IPA_INSECURE
environment variable only when TLS is disabled.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 10:36:36 +00:00
dae0b33326 Use arch specific ESP img
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 09:26:00 +00:00
4e4231b39e Use arch specific file for IPA
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 09:26:00 +00:00
c9f13a514a Use arch named IPA file in IMAGE_CACHE_PREFIX
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 09:26:00 +00:00
f8f730087f Change GRUB path in ironic.conf
Correct path for grub.cfg on a SUSE system.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 09:26:00 +00:00
7c0423ee04 Use ironic-suse user/group in Apache for API
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 09:26:00 +00:00
0358093370 Use ironic-suse user/group in Apache for media
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 09:26:00 +00:00
a69e54a6df Use correct paths and modules for Apache
Correct the path of the Apache modules for a SUSE image.

Also keep a couple of modules disabled.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 09:26:00 +00:00
65201fd575 Align to v29.0.0
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-28 09:26:00 +00:00
2adc97e581 Removing BuildVersion, bump ironic-image version
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-07-25 12:01:43 +02:00
ed4448d7a6 Merge pull request 'add release images file to the release container' (#212) from amorgante/Factory:add-release-images into main
Reviewed-on: suse-edge/Factory#212
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-07-24 16:32:52 +02:00
6251d8b670 ironic-image: remove obsolete packages
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-07-24 13:44:12 +02:00
3a98fe8f00 Update to SLE 15.7 and OpenStack 2025.1
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-07-24 13:44:12 +02:00
f9df52a457 add release images file to the release container 2025-07-24 09:32:28 +02:00
9bcffd112d Merge pull request 'Fix missing paths changes in condition' (#209) from fix-ipa-paths into main
Reviewed-on: suse-edge/Factory#209
Reviewed-by: Kristian Zhelyazkov <kzhelyazkov@noreply.src.opensuse.org>
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-07-11 15:32:03 +02:00
83b660285a Fix missing paths changes in condition
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-07-11 15:31:07 +02:00
f23003c01f Bump minor version in ironic-image and metal3-chart
Update metal3-chart to include the following ironic and ipa downloader
changes:

suse-edge/Factory#196
suse-edge/Factory#198
suse-edge/Factory#199
suse-edge/Factory#200
suse-edge/Factory#201
suse-edge/Factory#203
suse-edge/Factory#204
suse-edge/Factory#207
suse-edge/Factory#208

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-10 20:29:22 +00:00
4b9928ccdf metal3-chart: cleanup ironic-bmo ConfigMap
Apparently the ironic-bmo ConfigMap used to be shared with both Ironic
and the BareMetalOperator. Since it is no longer the case and many
variables are not used by Ironic, remove them.

Also, rename the ConfigMap, so that it is clearer it is for Ironic only.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-10 19:55:43 +00:00
df55d2abd4 Bump versions
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-07-10 15:41:30 +02:00
214a65f2db Remove duplicate files from image to make it lighter
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-07-10 15:37:02 +02:00
d00b6ece5f Move the copy of Jinja templates to resemble upstream
Follow the same location for the COPY command moving the Jinja template
files in the image.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-07 21:49:15 +00:00
67f63aadc7 Remove stale file entries for old BIOS based machines
Two entries pointing to old and unused files for non-UEFI servers seem
to be unused both here and upstream, so this commit removes them.
2025-07-07 21:49:15 +00:00
f88e75a724 Apply misc changes to Dockerfile to align with upstream
Because the image and build system are completely different, the Dockerfile
will always differ quite significantly from the upstream one. Nonetheless,
it's still useful to make the common parts look alike as much as
possible to ease maintenance and updates.

Note, this is just a small set of the changes that are possible; more effort
in this direction may follow at a later stage.
2025-07-07 21:49:13 +00:00
ef6989b0d8 Restore the upstream directory structure
It is now possible to bring back the original directory structure for
config (/ironic-config) files and scripts (/scripts). This will make
updates to re-align with upstream easier.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-07 21:45:39 +00:00
b2ca623d14 Remove unused prometheus exporter
The Prometheus exporter is not only unused but effectively
unusable, due to missing dependencies. Since we currently
don't have a use case for it, opt for dropping the exporter
entirely from the image.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-07 13:12:16 +00:00
53c16ce7c9 Drop inotify-tools and switch to pyinotify
Stop using inotifywait and move to Python pyinotify.

See https://github.com/metal3-io/ironic-image/issues/605 for
more details.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-03 12:47:31 +00:00
e55bf1ab63 Fix incorrect ArchExclusiveLine OBS directive
One Docker specific OBS directive, ArchExclusiveLine, is incorrectly
testing for x86 instead of aarch64, likely due to a copy-and-paste
error. Change the architecture for that RUN command.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-07-03 11:20:37 +02:00
4f71473b0a Fix wrong indentation in Dockerfile
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-06-30 14:52:10 +00:00
e20624cf98 Remove unused files as a single process/service is used
Revision 7 from isv:SUSE:Edge:Metal3:Ironic:2024.2 introduced
significant changes on how Ironic is run, by having only a single Apache
instance running the API, and conductor and inspector no longer use IP
sockets. However while porting this change to Factory some files have
not been removed here, so remove no longer used files to keep this
repository up to date.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-06-26 10:37:24 +00:00
afba5dedef Merge pull request 'metal3: Upgrade Mariadb' (#194) from nbelouin/Factory:mariadb-upgrade into main
Reviewed-on: suse-edge/Factory#194
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
Reviewed-by: Marco Chiappero <mchiappero@noreply.src.opensuse.org>
2025-06-19 09:51:22 +02:00
5cbf832b02 Update versions for metal3-chart
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-06-16 14:37:30 +02:00
7cf1b8ea26 Fix upgrade issue
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-06-16 14:37:30 +02:00
83b44c9bc7 Bump mariadb chart
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-06-16 14:37:29 +02:00
a7cb23a9c1 Merge pull request 'Fix _config to correctly publish arm64 kiwi builder' (#193) from nbelouin/Factory:arm64-kiwi into main
Reviewed-on: suse-edge/Factory#193
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-06-12 14:05:06 +02:00
07505665e4 Fix _config to correctly publish arm64 kiwi builder
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-06-12 09:23:20 +02:00
13b18090d0 Merge pull request 'kiwi-builder-image: Remove failure if package version mismatch' (#184) from nbelouin/Factory:fix-kiwibuilder-image into main
Reviewed-on: suse-edge/Factory#184
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-06-10 13:31:13 +02:00
22947d9847 Merge pull request 'Remove additional tag without the _up suffix from UI extension charts' (#181) from jtomasek/Factory:remove-tags-extensions into main
Reviewed-on: suse-edge/Factory#181
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-06-10 13:24:11 +02:00
3d087070a7 Merge pull request '[3.3.1] - bump turtles airgap version to align with the other turtle chart version' (#188) from dprodanov/Factory:turtles-airgap into main
Reviewed-on: suse-edge/Factory#188
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-06-10 13:18:03 +02:00
9bc3066279 [3.3.1] - bump turtles airgap version to align with the other turtle chart version 2025-06-10 13:34:25 +03:00
ec4c51d003 Merge pull request 'Bump ECO version to v0.3.0' (#169) from bump-eco-to-030 into main
Reviewed-on: suse-edge/Factory#169
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-06-10 11:34:24 +02:00
70ff1fdd31 Merge pull request 'EIB updates for 1.2.1' (#185) from update-eib into main
Reviewed-on: suse-edge/Factory#185
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-06-10 11:26:13 +02:00
ce6519f470 Merge pull request 'bump uc and turtles version as a follow up of the kubectl image bump' (#183) from dprodanov/Factory:bump-charts into main
Reviewed-on: suse-edge/Factory#183
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-06-10 11:15:58 +02:00
0ccade5817 EIB updates for 1.2.1 2025-06-10 11:12:08 +02:00
87f163939c kiwi-builder-image: Remove failure if package version mismatch
Remove the automatic failure if the repo package and base image are
mismatched.
This is needed to prevent automation from failing when an updated base
image doesn't exist.

Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-06-10 11:04:11 +02:00
f0d7ede6e0 bump uc and turtles version as a follow up of the kubectl image bump 2025-06-10 11:35:02 +03:00
aa677745a8 Bump ECO version to v0.3.0 2025-06-10 11:23:58 +03:00
08797b0030 Merge pull request 'release-manifest: fix version' (#180) from dprodanov/Factory:fix-versions into main
Reviewed-on: suse-edge/Factory#180
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-06-10 09:56:50 +02:00
8b37096c3a Remove additional tag without the _up suffix from UI extension charts
The issue https://github.com/rancher/rancher/issues/48746 which
required this workaround has been fixed and backported to Rancher
2.11.2 so the additional tags are no longer needed.
2025-06-10 09:50:04 +02:00
6ca1cc0ded fix RM version 2025-06-10 10:47:15 +03:00
fc24747ee5 Merge pull request '[3.4.0] - create release manifest' (#177) from dprodanov/Factory:release-3-4-0 into main
Reviewed-on: suse-edge/Factory#177
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-06-10 09:34:37 +02:00
9c2d445b06 Merge pull request 'create new kubectl image' (#178) from dprodanov/Factory:kubectl-1.32.4 into main
Reviewed-on: suse-edge/Factory#178
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-06-10 09:34:06 +02:00
e5de658ae9 create new kubectl image 2025-06-09 17:25:39 +03:00
8cc06f4ccb [3.4.0] - create release manifest 2025-06-09 11:22:25 +03:00
9dc5ba4c52 release-manifest: 3.3.1 version bumps
Updates to consume the latest patch releases from Rancher, RKE2/k3s
and Neuvector
2025-06-05 14:55:42 +01:00
f92f3600e6 release-manifest: update rancher-turtles version 2025-06-04 17:05:22 +02:00
e379d5df4e rancher-turtles-airgap-resources: Updates for 0.20.0
To align with https://github.com/suse-edge/charts/pull/221
2025-06-04 17:05:22 +02:00
346d6137fe rancher-turtles-chart: Updates for 0.20.0
To align with https://github.com/suse-edge/charts/pull/221
2025-06-04 17:05:22 +02:00
1f36228510 Merge pull request 'Fix metal3 chart' (#172) from nbelouin/Factory:metal3-chart-fixes into main
Reviewed-on: suse-edge/Factory#172
Reviewed-by: Marco Chiappero <mchiappero@noreply.src.opensuse.org>
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-06-04 11:26:57 +02:00
ec7da715f4 Fix metal3 chart issues
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-06-04 10:43:46 +02:00
1ad6c99257 metal3-chart: fixup remove forgotten file
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-06-04 10:43:19 +02:00
12e91c2102 Bump EIB tag to 1.2.0.1
Follow up to #166 which bumped NMC and the related IPA downloader image,
we also need to bump EIB since it also consumes the updated NMC version
2025-05-29 10:02:32 +01:00
6fb80441cd Merge pull request 'metal3: Add a hook to BMO start to ensure it restarts on ironic CA change' (#165) from nbelouin/Factory:try-bmo-fix into main
Reviewed-on: suse-edge/Factory#165
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-05-27 13:31:41 +02:00
93a5f6813d Merge pull request 'Bump NM-Configurator to v0.3.3' (#166) from nbelouin/Factory:nmc-bump into main
Reviewed-on: suse-edge/Factory#166
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-05-27 13:31:03 +02:00
bdaa422813 Bump ipa ramdisk version for nm-config fix
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-05-27 12:39:36 +02:00
c25bf622bc Bump nm-configurator to 0.3.3
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-05-27 12:39:36 +02:00
fa57d15ff9 Merge pull request 'Fix issues with config and meta when releasing' (#167) from nbelouin/Factory:fix-conf into main
Reviewed-on: suse-edge/Factory#167
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-05-27 12:38:58 +02:00
1a29da28ca update release-manifest 2025-05-27 13:32:58 +03:00
f2d39a7025 Fix issues with config and meta when releasing
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-05-27 12:09:12 +02:00
629e96dded Add annotations to force rollout of pods on config change
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-05-27 10:49:09 +02:00
c190a1c800 Add bmo inotify hook
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-05-27 10:42:26 +02:00
be87fb0fc6 Merge pull request 'fix typo in network-operator' (#162) from dprodanov/Factory:fix-typo into main
Reviewed-on: suse-edge/Factory#162
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-05-20 15:38:19 +02:00
01dfdc5fd9 fix typo in network-operator 2025-05-20 16:37:01 +03:00
90ce8e165c release-manifest-image: Update NeuVector Extension to 2.1.3
Chart: https://github.com/rancher/ui-plugin-charts/blob/main/charts/neuvector-ui-ext/2.1.3/Chart.yaml
Release: https://github.com/neuvector/manager-ext/releases/tag/neuvector-ui-ext-2.1.3
2025-05-20 09:51:44 +02:00
ad68a91755 Merge pull request 'Fix rancher turtles airgap chart prefix' (#158) from nbelouin/Factory:fix_turtles_airgap_prefix into main
Reviewed-on: suse-edge/Factory#158
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-05-16 14:03:38 +02:00
c37782e077 Fix rancher turtles airgap chart prefix
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-05-16 13:12:18 +02:00
71257047ed Merge pull request 'Fix udev rule in IPA image and bump the metal3 chart to 0.11.3' (#157) from mchiappero/Factory:metal3-0.11.3 into main
Reviewed-on: suse-edge/Factory#157
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-05-16 09:56:06 +02:00
477a4e15eb metal3-chart: bump version to include IPA image 3.0.6
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-05-16 07:22:27 +00:00
be0d25d8f7 ironic-ipa-downloader-image: update to the latest 3.0.6 image
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-05-15 16:35:30 +00:00
70a42948aa ironic-ipa-ramdisk: make sure the udev rule is also matched on changes
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-05-15 16:31:13 +00:00
fb0f99ee20 Merge pull request 'add a tool to check local charts version in release manifest' (#149) from nbelouin/Factory:check_manifest into main
Reviewed-on: suse-edge/Factory#149
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-05-15 16:59:56 +02:00
cc8d3fe431 add a tool to check local charts version in release manifest
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-05-15 16:50:32 +02:00
4ee8e8c6f2 Merge pull request 'akri-dashboard-extension-chart: update to version 303.0.2+up1.3.1' (#156) from jtomasek/Factory:akri-dashboard-extension-chart-303.0.2+up1.3.1 into main
Reviewed-on: suse-edge/Factory#156
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-05-15 16:47:54 +02:00
79268b8e71 Merge pull request 'kubevirt-dashboard-extension-chart: update to version 303.0.2+up1.3.2' (#155) from jtomasek/Factory:kubevirt-dashboard-extension-chart-303.0.2+up1.3.2 into main
Reviewed-on: suse-edge/Factory#155
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-05-15 16:10:53 +02:00
d5e487518a akri-dashboard-extension-chart: update to version 303.0.2+up1.3.1 2025-05-15 14:35:35 +02:00
a7d128b8c4 updated sriov images 2025-05-15 14:06:32 +02:00
d97b554f8c kubevirt-dashboard-extension-chart: update to version 303.0.2+up1.3.2 2025-05-15 13:27:08 +02:00
1ca6ea51ea release-manifest-image: update rancher-turtles version 2025-05-15 12:05:06 +03:00
c9b9e2223b rancher-turtles-airgap-resources-chart: align with 0.8.1 2025-05-15 11:55:40 +03:00
027df1b35c rancher-turtles-chart: Updates to align with 0.8.1
Align with https://github.com/suse-edge/charts/pull/214 so we can
consume the RKE2 provider bugfix
2025-05-15 11:40:30 +03:00
e7448eeb1c Merge pull request 'Update to official EIB v1.2.0 tag' (#151) from dbekhit/Factory:main into main
Reviewed-on: suse-edge/Factory#151
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-05-13 17:34:14 +02:00
fb4d399f0f update to official EIB v1.2.0 tag 2025-05-13 10:35:41 -04:00
f47b6df822 Merge pull request 'Reduce the size of the IPA ramfs' (#147) from nbelouin/Factory:ipa-explode-rootfs into main
Reviewed-on: suse-edge/Factory#147
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
Reviewed-by: Marco Chiappero <mchiappero@noreply.src.opensuse.org>
2025-05-13 14:13:00 +02:00
4e3f1b61fd Use up to date rootfs
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-05-13 11:13:24 +02:00
df60bb2ed3 Fix get-resource.sh for single arch images
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-05-12 13:52:00 +02:00
3a654b9826 rancher-turtles: updates for 0.19.0 2025-05-09 18:25:21 +01:00
15e4de98a7 Bump versions
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-05-09 16:06:28 +02:00
fe8d0ba120 rancher-turtles-airgap-resources: Updates for 0.19.0 2025-05-09 15:05:52 +01:00
0b431c75e2 Try reduce image size
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-05-09 16:01:04 +02:00
a59e253ecd Try exploding the tarball
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-05-09 16:01:02 +02:00
b28f7a5817 Merge pull request 'Update the metal3-chart to fix the IPA ramdisk with multiple config-2 drives' (#145) from mchiappero/Factory:metal3_0.11.1 into main
Reviewed-on: suse-edge/Factory#145
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-05-09 15:58:42 +02:00
c6b78eb569 Update metal3-chart to leverage IPA downloader 3.0.4
Change the version of the metal3-chart to include the latest IPA fixes,
and update the release manifest accordingly.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-05-09 12:18:07 +00:00
8f7747415c Update the IPA ramdisk and downloader to 3.0.4
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-05-09 12:17:44 +00:00
e5ba38d02f Merge pull request '[3.3.0] - update sriov chart' (#148) from dprodanov/Factory:sriov-update into main
Reviewed-on: suse-edge/Factory#148
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-05-09 11:52:57 +02:00
f221cf4b37 [3.3.0] - update sriov chart 2025-05-09 12:29:17 +03:00
f42ac11716 Merge pull request 'Do a multibuild for IPA image so we also have lighter single architecture images' (#130) from nbelouin/Factory:ipa-multibuild into main
Reviewed-on: suse-edge/Factory#130
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-05-09 10:18:34 +02:00
08ef2fe86f Merge pull request '[3.3.0] - update cdi version' (#144) from dprodanov/Factory:cdi-update into main
Reviewed-on: suse-edge/Factory#144
Reviewed-by: Kristian Zhelyazkov <kzhelyazkov@noreply.src.opensuse.org>
2025-05-08 10:38:32 +02:00
ad221cd94e Merge pull request '[3.3.0] - update kubevirt and sriov in release-manifest' (#143) from dprodanov/Factory:release-manifest-update into main
Reviewed-on: suse-edge/Factory#143
Reviewed-by: Kristian Zhelyazkov <kzhelyazkov@noreply.src.opensuse.org>
2025-05-08 10:38:26 +02:00
81a856e586 Merge pull request '[3.3.0] - update sriov to 1.5.0' (#142) from dprodanov/Factory:sriov-1-5-0 into main
Reviewed-on: suse-edge/Factory#142
Reviewed-by: Kristian Zhelyazkov <kzhelyazkov@noreply.src.opensuse.org>
2025-05-08 10:38:09 +02:00
3c9ebbd7ef [3.3.0] - update sriov to 1.5.0 2025-05-08 10:47:37 +03:00
03018e5cd1 [3.3.0] - update cdi version 2025-05-07 20:03:45 +03:00
e91096e13e [3.3.0] - update kubevirt and sriov in release-manifest 2025-05-07 19:44:16 +03:00
93f3abfeb5 Do a multibuild for IPA image so we also have lighter single architecture images
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-05-07 14:33:32 +02:00
2c4991cb24 Update versions for 3.3
Rancher prime 2.11.1 was released, so align with that and
updated Longhorn/Neuvector/Elemental and Metal3 charts
2025-05-06 15:34:15 +01:00
e71339ae00 Merge pull request 'Updates for EIB 1.2.0-rc1' (#126) from dbekhit/Factory:main into main
Reviewed-on: suse-edge/Factory#126
Reviewed-by: Fatih Degirmenci <fdegirmenci@noreply.src.opensuse.org>
2025-05-06 14:36:44 +02:00
f32718b5e4 Merge pull request 'Enable kubectl image on aarch64' (#140) from nbelouin/Factory:kubect-aarch64 into main
Reviewed-on: suse-edge/Factory#140
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
Reviewed-by: Fatih Degirmenci <fdegirmenci@noreply.src.opensuse.org>
2025-05-06 14:33:40 +02:00
c81f5057ce Enable kubectl image on aarch64
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-05-06 14:18:52 +02:00
6b8109c772 Merge pull request 'Remove extra slash in image reference' (#139) from nbelouin/Factory:fix-slash-typo into main
Reviewed-on: suse-edge/Factory#139
Reviewed-by: Fatih Degirmenci <fdegirmenci@noreply.src.opensuse.org>
2025-05-06 14:10:04 +02:00
8b383c15fa Remove extra slash in image reference
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-05-06 13:39:45 +02:00
2013caec19 Merge pull request 'Add checks (lint) for helm charts and images' (#128) from nbelouin/Factory:lint into main
Reviewed-on: suse-edge/Factory#128
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-05-06 10:00:12 +02:00
4259b167fd update to v1.2.0-rc1 2025-05-02 11:16:43 -04:00
652fc553b9 Remove -chart suffixes
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-04-30 16:42:54 +02:00
1048591769 Fix charts and images
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-04-30 16:42:54 +02:00
8a9717c266 Add initial checks
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-04-30 16:42:54 +02:00
49405f41f9 EIB v1.2.0-rc0 needs golang 1.124 2025-04-30 16:26:27 +02:00
be29dbba41 Fix the _service file to use the defined pre-release version 2025-04-30 16:26:27 +02:00
a2c817259f modify '-' to '~' 2025-04-30 16:26:27 +02:00
dfe4892f4c changes for EIB 1.2.0-rc0 2025-04-30 16:26:27 +02:00
ef68dbfd92 Merge pull request 'Fix some issue with dependency projects ordering, make _config only build wanted packages' (#137) from nbelouin/Factory:fix-meta-config into main
Reviewed-on: suse-edge/Factory#137
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-04-30 15:27:09 +02:00
6c1db68da8 Fix some issue with dependency projects ordering, make _config only build wanted packages
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-04-30 14:51:17 +02:00
376ec896fe Add kubevirt-dashboard-extension-chart version 303.0.1+up1.3.1 2025-04-29 17:41:05 +02:00
a473d935f9 Merge pull request 'Add support for uEFI aarch64 images without rpi config as default' (#135) from roxenham/Factory:aarch64-uefi into main
Reviewed-on: suse-edge/Factory#135
Reviewed-by: Alberto Morgante Medina <amorgante@noreply.src.opensuse.org>
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-04-29 16:33:27 +02:00
27aa096244 Add support for uEFI aarch64 images without rpi config as default
Previously, the default model for aarch64 raw disk images assumed that
you're deploying on Raspberry Pi, and not standard aarch64 systems. This
meant that all raw disk images were built with RPi firmware, and an MBR
boot record, which made it incompatible with systems that require uEFI/GPT
compatibility, especially with Edge Image Builder and Metal3/CAPI deployment
usage.

This PR introduces the following changes:

* Introduces new `Default-RPi` and `Base-RPi` profiles for compatibility with RPi users
* Forces `Base` and `Base-RT` profiles to use GPT based images (not MBR)
* Introduces a new `Base-RT-RPi` profile for kernel-rt on RPi (with MBR)
* Removes Raspberry Pi firmware packages from anything other than RPi profiles
* Modifies the `editbootinstall_rpi.sh` script to support container builds
* Adds policycoreutils-python-utils to the list of packages (for semanage)

See: https://bugzilla.suse.com/show_bug.cgi?id=1240619
2025-04-29 14:54:54 +01:00
3f968b0a06 Add akri-dashboard-extension-chart version 303.0.1+up1.3.0 2025-04-29 15:18:11 +02:00
481d7e90b4 Merge pull request 'update kiwi-builder to use kiwi version as build macro' (#129) from dirkmueller/Factory:main into main
Reviewed-on: suse-edge/Factory#129
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-04-28 16:08:49 +02:00
Dirk Müller
cb70d25886 Remove MAINTAINER statement
this is deprecated and already in oci.authors
2025-04-23 19:10:50 +02:00
Dirk Müller
04937b90b7 build the kiwi-image in an images_16.0 repository 2025-04-23 19:10:50 +02:00
Dirk Müller
ef256bc1d7 make version mismatches fatal 2025-04-23 19:10:50 +02:00
Dirk Müller
437b0fdc41 update README as well
Although this file seems to be unused?
2025-04-23 19:10:50 +02:00
Dirk Müller
0dbc0f8b52 Ensure kiwi versions and build tags actually align 2025-04-23 19:10:47 +02:00
Dirk Müller
3adc816d98 Remove no longer necessary workaround 2025-04-22 17:58:10 +02:00
5883bf7549 Merge pull request '[3.3] - bump nm configurator rpm to 0.3.2' (#122) from dprodanov/Factory:nm-configurator-0-3-2 into main
Reviewed-on: suse-edge/Factory#122
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-04-15 13:50:00 +02:00
ba5ed09bd8 Merge pull request '[3.3.0] kubevirt update to 0.5.0' (#116) from dprodanov/Factory:kubevirt-0-5-0 into main
Reviewed-on: suse-edge/Factory#116
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-04-15 13:49:44 +02:00
b91c34b6c3 [3.3] - bump nm configurator rpm to 0.3.2
[3.3] - bump nm config to 0.3.2

use lfs
2025-04-15 11:05:35 +03:00
b2e4b5e259 Merge pull request 'Enable aarch64 build for kiwi-builder-image' (#120) from nbelouin/Factory:enable-kiwi-arm into main
Reviewed-on: suse-edge/Factory#120
Reviewed-by: Fatih Degirmenci <fdegirmenci@noreply.src.opensuse.org>
2025-04-09 13:16:51 +02:00
e3f36b74d9 Enable aarch64 build for kiwi-builder-image
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-04-09 11:13:58 +02:00
2b020e9bd7 Merge pull request 'Install both ramdisks in the ipa downloader' (#84) from nbelouin/Factory:multi-arch-ipa into main
Reviewed-on: suse-edge/Factory#84
Reviewed-by: Alberto Morgante Medina <amorgante@noreply.src.opensuse.org>
2025-04-03 15:36:01 +02:00
98fa8835f7 Install both ramdisks in the ipa downloader
- Make the different ipa-ramdisk packages installable side by side
- Clean the ipa-downloader Dockerfile from what seems to be unneeded
- Get both images in
- Use zstd instead of xz for better speed
- Check sums before redoing certs integration
- Add value to metal3 chart to select between architectures
- Get the two ESP available as well

Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-04-03 15:34:29 +02:00
5f52392aa3 Merge pull request 'Change trigger_devel workflow to midday every week day' (#94) from fdegirmenci/suse-edge-factory:trigger-devel-midday-weekdays into main
Reviewed-on: suse-edge/Factory#94
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-03-31 09:33:19 +02:00
083c753a0d [3.3.0] kubevirt update to 0.5.0 2025-03-24 15:46:23 +02:00
48472176f2 metal3-chart: Remove stale files
I missed this in #88 - we need to remove these template files to align with
00421ca826
2025-03-24 13:32:49 +00:00
53f09dd00f Update kubevirt-dashboard-extension-chart to v302.0.0+up1.2.1 2025-03-24 12:09:44 +01:00
c610436551 Fix IPA Downloader version, bump to 3.0.2
Update the Dockerfile to be aligned with the IPA ramdisk and metal3
Chart.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-03-24 09:09:32 +00:00
3d1a70e87a rancher-turtles-chart: remove stale file
This was removed in the 0.17.0 chart but I didn't notice when rebasing
2025-03-21 17:24:45 +01:00
e439f489ca Bump Metal3 version
Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-03-21 14:05:19 +00:00
8e56e1edd3 Update the IPA ramdisk to 3.0.2
Force nmc to run before NetworkManager to avoid race conditions
that can lead to undetermined network configuration.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>
2025-03-21 14:05:19 +00:00
2a3c37b31d release-manifest: update rancher-turtles version
Update to 0.17.0 chart
2025-03-21 14:38:06 +01:00
eacabe4d71 rancher-turtles-chart: Update to 0.17.0
Aligns with https://github.com/suse-edge/charts/pull/193
2025-03-21 14:38:06 +01:00
d57078f9d9 rancher-turtles-airgap-resources-chart: Update to 0.17.0
Aligns with: https://github.com/suse-edge/charts/pull/193
2025-03-21 14:38:06 +01:00
fef712e4e8 Update akri-dashboard-extension-chart to v302.0.0+up1.2.1 2025-03-21 14:36:49 +01:00
2b194211ee Upgrade Hauler to v1.2.1 and add version to build (#92)
Reviewed-on: suse-edge/Factory#92
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
Co-authored-by: dbw7 <danial.bekhit@suse.com>
Co-committed-by: dbw7 <danial.bekhit@suse.com>
2025-03-20 20:28:44 +01:00
a3fda4c5c0 Merge pull request 'Fix FRR-k8s versiobn' (#105) from kzhelyazkov/Factory:fix-frr-rbac-image into main
Reviewed-on: suse-edge/Factory#105
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-03-20 15:31:37 +01:00
3c08af8a28 Fix FRR-k8s versiobn 2025-03-20 16:30:17 +02:00
a1583230bd Merge pull request 'Add metallb-chart build tags' (#103) from kzhelyazkov/Factory:add-metallb-build-tag into main
Reviewed-on: suse-edge/Factory#103
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-03-20 15:09:59 +01:00
c8c20ce47a Add metallb-chart build tags 2025-03-20 16:08:09 +02:00
b30ece6b61 Merge pull request 'Update MetalLB and all other packages around it' (#98) from kzhelyazkov/Factory:update-metallb into main
Reviewed-on: suse-edge/Factory#98
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-03-20 13:25:13 +01:00
54c0850acf Update MetalLB and all other packages around it 2025-03-19 18:52:41 +02:00
ab92525cbe Merge pull request 'Bump Metal3 and Turles RM versions' (#96) from kzhelyazkov/Factory:bump-metal3-to-0.10.0 into main
Reviewed-on: suse-edge/Factory#96
Reviewed-by: Fatih Degirmenci <fdegirmenci@noreply.src.opensuse.org>
2025-03-19 14:06:13 +01:00
75ae14da78 Bump Metal3 and Turles RM versions 2025-03-19 11:56:54 +02:00
20de7cd994 Merge pull request '3.3.0: Bump rke2 to v1.32.2+rke2r1 in release-manifest' (#95) from fdegirmenci/suse-edge-factory:update-release-manifest-3.3.0 into main
Reviewed-on: suse-edge/Factory#95
Reviewed-by: Kristian Zhelyazkov <kzhelyazkov@noreply.src.opensuse.org>
2025-03-18 17:25:13 +01:00
ca510a470a 3.3.0: Bump rke2 to v1.32.2+rke2r1 in release-manifest 2025-03-18 17:21:11 +01:00
c68c882d35 metal3-chart: update to 0.10.0
Aligns with https://github.com/suse-edge/charts/pull/191
2025-03-17 15:43:38 +01:00
e83a9cea3c baremetal-operator: update to 0.9.0 2025-03-17 15:43:38 +01:00
ea8a9c590a Merge pull request 'Bump Rancher, RKE2, and k3s versions in release-manifest' (#93) from fdegirmenci/suse-edge-factory:update-release-manifest-3.3.0 into main
Reviewed-on: suse-edge/Factory#93
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-03-17 13:29:27 +01:00
fb896ffe62 Change trigger_devel workflow to midday every week day
Cron is configured to run every night on a daily basis which is
great. However, this has potential to break all the SV pipelines
as a commit that gets merged to EIB will result in a new image
build without the SV team having a chance to validate and reflect the
change to SV.

This commit configures trigger_devel workflow to run midday every
week day so the SV team can make the necessary validations and
updates accordingly.

Please note that this should be considered as a temporary fix and
an automated way to bring new EIB versions to SV should be developed
collaboratively.
2025-03-17 13:16:07 +01:00
dc19c71706 Update Helm Chart versions for traefik and traefik-crd 2025-03-17 12:48:50 +01:00
5db4c3bc79 Bump Rancher, RKE2, and k3s versions in release-manifest
This PR bumps Rancher, RKE2, and k3s versions to align them with
SV baseline to ensure the upgrade validation is done using the
correct versions.

Versions for traefik and traefik-crd Helm Charts are still
pending to be verified.
2025-03-17 12:40:54 +01:00
389f19f7b9 Merge pull request 'longhorn-1-7-3' (#89) from dprodanov/Factory:longhorn-1-7-3 into main
Reviewed-on: suse-edge/Factory#89
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-03-14 10:54:25 +01:00
78a681a3a3 remove accidental push of .idea 2025-03-14 11:47:25 +02:00
da3b39573b update longhorn version to 1.7.3 2025-03-14 11:45:31 +02:00
6531575f1b metal3-chart: update to 0.9.4
Aligns with https://github.com/suse-edge/charts/pull/192
2025-03-12 09:38:29 +00:00
d59f3540a2 metal3-chart: update to 0.9.3
Aligns with https://github.com/suse-edge/charts/pull/189
2025-03-05 19:10:38 +01:00
43c764e69c ironic-image: update to 26.1.2.3
Aligns with https://github.com/suse-edge/charts/pull/189
Also see:
https://build.opensuse.org/package/rdiff/isv:SUSE:Edge:Metal3:Ironic:2024.2/ironic-image?linkrev=base&rev=11
2025-03-05 19:06:06 +01:00
0b306a3e7a Merge pull request 'init versions for release manifest 3.3' (#83) from dprodanov/Factory:release-manifest-3.3 into main
Reviewed-on: suse-edge/Factory#83
Reviewed-by: Ivo Petrov <ipetrov117@noreply.src.opensuse.org>
2025-02-28 18:19:08 +01:00
c744e56218 Merge pull request 'Ironic dependency is located in different project when in internal obs' (#82) from nbelouin/Factory:ironic-meta into main
Reviewed-on: suse-edge/Factory#82
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-02-28 12:36:10 +01:00
ddabc54ac8 init versions for release manifest 3.3 2025-02-28 11:52:41 +02:00
0cb039a9df Ironic dependency is located in different project when in internal obs
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-26 10:36:10 +01:00
eff9a9b0c5 rancher-turtles-chart: Update to 0.16.0
Align with https://github.com/suse-edge/charts/pull/186
2025-02-25 15:31:46 +01:00
8d336f380b rancher-turtles-airgap-resources-chart: Update to 0.16.0
Align with https://github.com/suse-edge/charts/pull/186
2025-02-25 15:31:46 +01:00
5947d531ab Merge pull request 'Add scheduled workflow for devel branch' (#80) from nbelouin/Factory:trigger-devel-refresh into main
Reviewed-on: suse-edge/Factory#80
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-02-25 15:08:57 +01:00
15362e9536 Add scheduled workflow for devel branch
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-25 13:26:41 +01:00
8f20b3433e Fix PR closed workflow
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-24 15:44:23 +01:00
704eec6875 Merge pull request 'Fix obsinfo tar issues' (#77) from nbelouin/Factory:fix_packages_tar into main
Reviewed-on: suse-edge/Factory#77
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-02-24 15:32:13 +01:00
98c4be017d Add ipcalc, crudini and fakeroot for aarch64 build
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-24 13:50:10 +01:00
dccf206a98 Fix obsinfo tar issues
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-24 11:21:52 +01:00
9e41ee25d9 Make wait_obs correctly fail
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-24 11:21:31 +01:00
d97e434fce PR sha is the wrong one, fix it
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-24 11:16:34 +01:00
3dea69443d Add more output to wait_obs
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-24 10:47:26 +01:00
331f08255c Fix gitea not supporting if expressions
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-21 15:38:13 +01:00
4a99805fde Fix typos in workflows
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-21 15:17:59 +01:00
6b8a623372 Merge pull request 'Synchronize metadata from template' (#76) from nbelouin/Factory:sync_meta into main
Reviewed-on: suse-edge/Factory#76
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-02-21 15:04:45 +01:00
34687fb5e9 Reduce number of maintainers to avoid spam
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-21 09:33:48 +01:00
5a73d61002 Fix issue with bash being annoying
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-20 15:57:08 +01:00
4c6d7dea17 Updating Kiwi builder for SL Micro 6.1 builds 2025-02-20 15:38:31 +01:00
531bb91d27 Merge pull request 'Add metal3 images to ARM allowlist' (#74) from steven.hardy/Factory:arm_config into main
Reviewed-on: suse-edge/Factory#74
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2025-02-20 15:34:51 +01:00
0d3c83fca1 Fix create_project for internal
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-20 14:13:37 +01:00
4d824b71cc Remove need for workflow
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-20 14:01:04 +01:00
7f93226cd3 Fix akri tar step
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-20 11:15:35 +01:00
d6d501ad99 Sync metadata, revamp PR jobs
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-20 11:05:47 +01:00
f61bb1e0e6 Add metal3 images to ARM allowlist
We need to ensure these build to enable usage of the metal3 chart on ARM
2025-02-20 09:36:23 +00:00
a510134ed4 Fix sync action typo
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-14 14:40:43 +01:00
54e0941879 Trigger workflow when it changes
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-14 14:36:16 +01:00
c04b2af72b Fix typo in sync_config action workflow
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-14 14:34:44 +01:00
c57aa3344d Merge pull request 'Add project config to git' (#72) from nbelouin/Factory:add_config into main
Reviewed-on: suse-edge/Factory#72
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
Reviewed-by: Steven Hardy <steven.hardy@noreply.src.opensuse.org>
2025-02-14 14:31:37 +01:00
c86d724e92 Add project config to git
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-02-14 14:31:09 +01:00
9d97e8a56d metal3-chart: Update to 0.9.2
Align with https://github.com/suse-edge/charts/pull/182
2025-02-12 09:12:49 +00:00
b912f9d68a ironic-image: update to 26.1.2.2
Align with:
https://build.opensuse.org/package/rdiff/isv:SUSE:Edge:Metal3:Ironic:2024.2/ironic-image?linkrev=base&rev=10
https://github.com/suse-edge/charts/pull/182

Fixes a pod restart caused by the runlogwatch.sh script
2025-02-12 09:06:45 +00:00
45443d5b5f ironic-ipa-downloader-image: remove unused _service entry
This is hard-coded to x86_64 so won't work for ARM, aligns with:
https://build.opensuse.org/package/rdiff/isv:SUSE:Edge:Metal3:Ironic:2024.2/ironic-ipa-downloader-image?linkrev=base&rev=6
2025-02-07 11:25:21 +00:00
ac32110ac1 ironic-ipa-ramdisk: migrate tarball to git-lfs 2025-02-06 16:38:13 +00:00
5d20bc38e3 metal3-chart: update to 0.9.1
Align with https://github.com/suse-edge/charts/pull/173 which
added some fixes to enable deployment on aarch64
2025-02-06 16:36:07 +00:00
e085a97d98 ironic-ipa-downloader-image: update to 3.0.1
Update to the latest version from
https://build.opensuse.org/package/show/isv:SUSE:Edge:Metal3:Ironic:2024.2/ironic-ipa-downloader-image
2025-02-06 16:36:04 +00:00
58c8be887a ironic-ipa-ramdisk: update to 3.0.1
Update to the latest version from
https://build.opensuse.org/package/show/isv:SUSE:Edge:Metal3:Ironic:2024.2/ironic-ipa-ramdisk
2025-02-06 16:35:57 +00:00
0d59ad920e ironic-image: update to 26.1.2.1
Align with latest 26.1.2.1 version from
https://build.opensuse.org/package/show/isv:SUSE:Edge:Metal3:Ironic:2024.2/ironic-image
2025-02-05 15:58:26 +00:00
74133c22f6 Fix service file for frr-k8s-image
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-01-17 09:44:56 +01:00
e85da96001 Merge pull request 'Import missing package: frr-k8s-image' (#67) from nbelouin/Factory:import-frr-k8s-image into main
Reviewed-on: suse-edge/Factory#67
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2025-01-17 09:31:28 +01:00
dab7f36e0b Add package to workflow
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-01-17 09:31:10 +01:00
5490ffcde2 Import missing package: frr-k8s-image
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-01-17 09:24:32 +01:00
04b9c07dd5 Merge pull request 'Add an additional tag without the _up suffix to please Rancher for dashboard extensions' (#65) from nbelouin/Factory:add-no-up-tag-extensions into main
Reviewed-on: suse-edge/Factory#65
Reviewed-by: Jiří Tomášek <jtomasek@noreply.src.opensuse.org>
2025-01-16 15:47:33 +01:00
25de5df782 Add an additional tag without the _up suffix to please Rancher for dashboard extensions
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2025-01-16 15:35:46 +01:00
3f9b8c9e22 Merge pull request 'Use manifest_repo var to allow for release manifest in separate repo' (#57) from nbelouin/Factory:manifest-repo-var into main
Reviewed-on: suse-edge/Factory#57
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2024-12-23 12:11:01 +01:00
2a993e342e Use manifest_repo var to allow for release manifest in separate repo
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2024-12-23 11:33:04 +01:00
cab6fe1bcb release-manifest: Update to Rancher prime 2.10.1
2.10.1 was released so update to the prime version
2024-12-20 09:28:38 +00:00
fde506f9ef Release manifest updates in relation to corner case use-cases (#60)
Changes:

- Rancher version convention was changed from `v2.10.0` to `2.10.0` to better map to the actual version in the upstream helm chart repo which is without the `v` prefix.

- Rancher's `postDelete` hook has been disabled - done to ensure that we will not hit a corner case where:

   1. The Rancher helm chart upgrade fails, because of a core component not yet being ready
   2. The `helm-controller` schedules a `helm uninstall` which deletes the Rancher Helm release and triggers the `postDelete` hook.
   3. The problematic core component is up and running, so `helm-controller` schedules a `helm install` with the new version.
   4. Due to insufficient resources, or network connection (or other unforeseen problems), the `postDelete` hook is still running and it wrongly removes the new Rancher installation resulting in a missing rancher from the cluster after an upgrade.

Disabling the `postDelete` hook ensures that the Rancher application is not accidentally deleted during an upgrade on a machine with fewer resources.

Reviewed-on: suse-edge/Factory#60
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
Reviewed-by: Atanas Dinov <atanasdinov@noreply.src.opensuse.org>
Co-authored-by: Ivo Petrov <ivo.petrov@suse.com>
Co-committed-by: Ivo Petrov <ivo.petrov@suse.com>
2024-12-19 12:27:23 +01:00
f49e6be155 Bump K8s version in the release manifest (#58)
- Bumps both RKE2 and K3s versions to the `1.31.3` version that is expected by Rancher `v2.10.1`.

- Bumps the K8s core component versions to the `1.31.3` expected versions.

RKE2 core component versions have been checked against the `Chart Versions` table of the said [release](https://github.com/rancher/rke2/releases/tag/v1.31.3%2Brke2r1).
K3s core component versions have been checked against the [manifests](https://github.com/k3s-io/k3s/tree/v1.31.3%2Bk3s1/manifests) directory of said release.

Reviewed-on: suse-edge/Factory#58
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
Co-authored-by: Ivo Petrov <ivo.petrov@suse.com>
Co-committed-by: Ivo Petrov <ivo.petrov@suse.com>
2024-12-17 09:06:03 +01:00
e820e98a2f Add missing Elemental dashboard chart (#55)
Reviewed-on: suse-edge/Factory#55
Reviewed-by: Atanas Dinov <atanasdinov@noreply.src.opensuse.org>
Co-authored-by: Ivo Petrov <ivo.petrov@suse.com>
Co-committed-by: Ivo Petrov <ivo.petrov@suse.com>
2024-12-12 11:20:22 +01:00
8c31073506 Merge pull request 'Bump upgrade-controller to v0.1.1' (#53) from upgrade-controller-v0.1.1 into main
Reviewed-on: suse-edge/Factory#53
Reviewed-by: Ivo Petrov <ipetrov117@noreply.src.opensuse.org>
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
Reviewed-by: Denislav Prodanov <dprodanov@noreply.src.opensuse.org>
2024-12-11 18:35:11 +01:00
4bba5fd3f2 Bump chart version 2024-12-11 18:35:11 +01:00
383705e9a3 Bump container image version 2024-12-11 18:35:11 +01:00
a752a25191 Bump RPM version 2024-12-11 18:35:11 +01:00
83fec09683 Introduce K8s distribution core component list (#52)
Introduces the K8s distribution core component list that the upgrade-controller will follow in order to make sure that a specific Kubernetes upgrade has completed successfully.

Relates to the [#116](https://github.com/suse-edge/upgrade-controller/pull/116) upgrade-controller PR.

Reviewed-on: suse-edge/Factory#52
Reviewed-by: Atanas Dinov <atanasdinov@noreply.src.opensuse.org>
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
Co-authored-by: Ivo Petrov <ivo.petrov@suse.com>
Co-committed-by: Ivo Petrov <ivo.petrov@suse.com>
2024-12-11 15:45:28 +01:00
32519595dc IPA ramdisk git LFS fix
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2024-12-10 14:01:55 +01:00
87c7e1be88 Update akri-dashboard-extension-chart to v1.2.1 2024-12-06 09:47:40 +01:00
568d5d1590 Update kubevirt-dashboard-extension-chart to v1.2.1 2024-12-06 09:30:28 +01:00
fbd596290a release-manifest: Update rancher-turtles chart
Fix the rancher-turtles-chart version to align with #44
2024-12-05 17:35:46 +00:00
ec6c4745ea Remove CAPM3/IPAM images
These are now provided by the rancher registry since #44
2024-12-05 13:11:00 +00:00
856ec2ac8e rancher-turtles-airgap-resources-chart: Update to 0.14.1 upstream release
Aligns with https://github.com/suse-edge/charts/pull/174 which
rebases to 0.14.1, which is marked as compatible with Rancher 2.10
2024-12-05 11:35:05 +00:00
7721c66ab0 rancher-turtles-chart: Update to 0.14.1 upstream release
Aligns with https://github.com/suse-edge/charts/pull/174 which
rebases to 0.14.1, which is marked as compatible with Rancher 2.10
2024-12-05 11:31:40 +00:00
cf6abb24fb Merge pull request 'fixed versions in eib artifacts' (#42) from dprodanov/Factory:fix-eib-versions into main
Reviewed-on: suse-edge/Factory#42
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>
2024-12-04 16:00:26 +01:00
602249c98d fixed versions in eib artifacts 2024-12-04 16:02:41 +02:00
8a93aae7c5 kiwi-builder-image: Align with OBS latest version
Aligns with the latest fixes in isv:SUSE:Edge:KiwiBuilder/kiwi-builder-10
2024-12-02 18:19:04 +00:00
aba448b275 Merge pull request 'updated longhorn and neuvector to latest 105 charts' (#38) from dprodanov/Factory:update-release-manifests into main
Reviewed-on: suse-edge/Factory#38
Reviewed-by: Ivo Petrov <ipetrov117@noreply.src.opensuse.org>
2024-11-28 16:05:04 +01:00
09954e5818 updated longhorn and neuvector to latest 105 charts 2024-11-28 16:57:54 +02:00
636493adba rancher-turtles: Fix issue in 0.4.0 chart
The previous import was based on a pre-merge copy of the following PR
- an issue was discovered during SV validation which required an
additional change to ensure CRDs are created before creating the
ClusterctlConfig CR

https://github.com/suse-edge/charts/pull/166
2024-11-27 08:23:32 +00:00
377 changed files with 15497 additions and 35527 deletions


@@ -0,0 +1,31 @@
name: Trigger Devel Packages
on:
# NOTE (fdegir): Cron is set to run midday every weekday
schedule:
- cron: "0 12 * * 1-5
jobs:
sync-pr-project:
name: "Trigger source services for devel packages that changed"
runs-on: tumbleweed
steps:
- name: Setup OSC
run: |
mkdir -p ~/.config/osc
cat >~/.config/osc/oscrc <<'EOF'
[general]
apiurl = https://api.opensuse.org
[https://api.opensuse.org]
user=${{ vars.OBS_USERNAME }}
pass=${{ secrets.OBS_PASSWORD }}
EOF
# Waiting on PR to get merged for support in upstream action/checkout action
- uses: 'https://github.com/yangskyboxlabs/action-checkout@sha256'
name: Checkout repository
with:
object-format: 'sha256'
ref: 'devel'
- name: "Trigger packages"
run: |
python3 .obs/trigger_package.py
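Review bot: The checkout step pulls a third-party action by the ref `sha256`, which looks like a branch or tag name rather than a commit id, and it runs after `Setup OSC` has already written the OBS password to `~/.config/osc/oscrc`. Whoever can move that ref can run code in a job that holds the credential, so pin it to a full commit id, `uses: 'https://github.com/yangskyboxlabs/action-checkout@<full-commit-id>'`, and move `Setup OSC` below the checkout so the file does not yet exist while the action's main step runs. The oscrc file is also created with the default umask; adding `chmod 600 ~/.config/osc/oscrc` after the heredoc keeps it private to the runner user. Separately, the `cron:` value as shown has no closing quote, which may only be a rendering artifact but is worth checking in the file.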

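--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 */.osc
 */__pycache__
 .venv/
+.idea/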

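--- a/.gitmodules
+++ b/.gitmodules
@@ -13,3 +13,27 @@
 [submodule "autoconf"]
 path = autoconf
 url = https://src.opensuse.org/SLFO-pool/autoconf.git
+[submodule "python-pydantic"]
+path = python-pydantic
+url = https://src.opensuse.org/SLFO-pool/python-pydantic
+[submodule "python-pydantic-core"]
+path = python-pydantic-core
+url = https://src.opensuse.org/SLFO-pool/python-pydantic-core
+[submodule "python-inline-snapshot"]
+path = python-inline-snapshot
+url = https://src.opensuse.org/SLFO-pool/python-inline-snapshot
+[submodule "python-executing"]
+path = python-executing
+url = https://src.opensuse.org/SLFO-pool/python-executing
+[submodule "python-typing-inspection"]
+path = python-typing-inspection
+url = https://src.opensuse.org/SLFO-pool/python-typing-inspection
+[submodule "python-annotated-types"]
+path = python-annotated-types
+url = https://src.opensuse.org/SLFO-pool/python-annotated-types
+[submodule "python-typing_extensions"]
+path = python-typing_extensions
+url = https://src.opensuse.org/SLFO-pool/python-typing_extensions
+[submodule "python-flit-core"]
+path = python-flit-core
+url = https://src.opensuse.org/SLFO-pool/python-flit-core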


@@ -1,3 +1,3 @@
PROJECT = "isv:SUSE:Edge:3.2" PROJECT = "isv:SUSE:Edge:Factory"
REPOSITORY = "https://src.opensuse.org/suse-edge/Factory" REPOSITORY = "https://src.opensuse.org/suse-edge/Factory"
BRANCH = "3.2" BRANCH = "main"


@@ -8,7 +8,7 @@ import sys
yaml = ruamel.yaml.YAML() yaml = ruamel.yaml.YAML()
def get_chart_version(chart_name: str) -> str: def get_chart_version(chart_name: str) -> str:
with open(f"./{chart_name}/Chart.yaml") as f: with open(f"./{chart_name}-chart/Chart.yaml") as f:
chart = yaml.load(f) chart = yaml.load(f)
return chart["version"] return chart["version"]
@@ -17,7 +17,7 @@ def get_charts(chart):
# Not a locally managed chart # Not a locally managed chart
return {} return {}
chart_name = chart["chart"][len("%%CHART_REPO%%/%%IMG_PREFIX%%"):] chart_name = chart["chart"][len("%%CHART_REPO%%/%%CHART_PREFIX%%"):]
charts = { chart_name: chart["version"] } charts = { chart_name: chart["version"] }
for child_chart in chart.get("dependencyCharts", []) + chart.get("addonCharts", []): for child_chart in chart.get("dependencyCharts", []) + chart.get("addonCharts", []):
charts.update(get_charts(child_chart)) charts.update(get_charts(child_chart))
@@ -39,7 +39,7 @@ def check_charts(fix: bool) -> bool:
expected_version = get_chart_version(chart) expected_version = get_chart_version(chart)
if expected_version != charts[chart]: if expected_version != charts[chart]:
success = False success = False
to_fix[f'%%CHART_REPO%%/%%IMG_PREFIX%%{chart}'] = expected_version to_fix[f'%%CHART_REPO%%/%%CHART_PREFIX%%{chart}'] = expected_version
print(f"{chart}: Expected: {expected_version}, Got: {charts[chart]}") print(f"{chart}: Expected: {expected_version}, Got: {charts[chart]}")
if fix and not success: if fix and not success:
fix_charts(to_fix) fix_charts(to_fix)
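Review bot: The placeholder prefix `%%CHART_REPO%%/%%CHART_PREFIX%%` is now spelled out separately in `get_charts` and in `check_charts`, and the guard that returns `{}` for charts that are not locally managed sits above the second hunk, outside what is shown. If that guard still tests the old `%%IMG_PREFIX%%` string, every chart would be treated as external and the check would pass without comparing any version, so it needs the same rename. A module-level constant such as `CHART_PREFIX = "%%CHART_REPO%%/%%CHART_PREFIX%%"`, used for the guard, the slice and the `to_fix` key, would keep the three in step the next time the placeholder changes.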


@@ -8,6 +8,7 @@ def render(base_project, subproject, internal, scm_url=None):
context = { context = {
"base_project": subproject == "", "base_project": subproject == "",
"title": f"SUSE Edge {version} {subproject}".rstrip(), "title": f"SUSE Edge {version} {subproject}".rstrip(),
"ironic_base": "ISV:SUSE:Edge:Ironic" if internal else "Cloud:OpenStack",
} }
if subproject == "ToTest": if subproject == "ToTest":
context["project"] = f"{base_project}:ToTest" context["project"] = f"{base_project}:ToTest"

66
_config

@@ -1,4 +1,5 @@
Prefer: -libqpid-proton10 -python311-urllib3_1 Prefer: -libqpid-proton10 -python311-urllib3_1
Prefer: -cargo1.58 -cargo1.57 cargo1.89
Macros: Macros:
%__python3 /usr/bin/python3.11 %__python3 /usr/bin/python3.11
@@ -23,6 +24,7 @@ Macros:
Macros: Macros:
%img_repo registry.suse.com/edge %img_repo registry.suse.com/edge
%chart_repo oci://registry.suse.com/edge %chart_repo oci://registry.suse.com/edge
%chart_prefix charts/
%manifest_repo registry.suse.com/edge %manifest_repo registry.suse.com/edge
%support_level l3 %support_level l3
:Macros :Macros
@@ -40,6 +42,7 @@ Macros:
%img_repo %(echo %{registry_url}:%{_project}:images | tr ":" "/" | tr '[:upper:]' '[:lower:]') %img_repo %(echo %{registry_url}:%{_project}:images | tr ":" "/" | tr '[:upper:]' '[:lower:]')
%manifest_repo %(echo %{registry_url}:%{_project}:test_manifest_images | tr ":" "/" | tr '[:upper:]' '[:lower:]') %manifest_repo %(echo %{registry_url}:%{_project}:test_manifest_images | tr ":" "/" | tr '[:upper:]' '[:lower:]')
%chart_repo oci://%(echo %{registry_url}:%{_project}:charts | tr ":" "/" | tr '[:upper:]' '[:lower:]') %chart_repo oci://%(echo %{registry_url}:%{_project}:charts | tr ":" "/" | tr '[:upper:]' '[:lower:]')
%chart_prefix %(echo "")
:Macros :Macros
%endif %endif
@@ -47,6 +50,15 @@ Macros:
BuildFlags: excludebuild:autoconf:el BuildFlags: excludebuild:autoconf:el
BuildFlags: excludebuild:autoconf:testsuite BuildFlags: excludebuild:autoconf:testsuite
# Missing deps for python packages related to suse-edge-components-versions
BuildFlags: excludebuild:python-pydantic:test
BuildFlags: excludebuild:python-pydantic-core:test
BuildFlags: excludebuild:python-inline-snapshot:test
BuildFlags: excludebuild:python-executing:test
BuildFlags: excludebuild:python-annotated-types:test
BuildFlags: excludebuild:python-typing-inspection:test
BuildFlags: excludebuild:python-typing_extensions:test
# Only build manifest embedding images here # Only build manifest embedding images here
%if "%_repository" == "test_manifest_images" %if "%_repository" == "test_manifest_images"
BuildFlags: onlybuild:edge-image-builder-image BuildFlags: onlybuild:edge-image-builder-image
@@ -58,9 +70,13 @@ BuildFlags: onlybuild:release-manifest-image
BuildFlags: excludebuild:endpoint-copier-operator-image BuildFlags: excludebuild:endpoint-copier-operator-image
BuildFlags: excludebuild:ironic-image BuildFlags: excludebuild:ironic-image
BuildFlags: excludebuild:ironic-ipa-downloader-image BuildFlags: excludebuild:ironic-ipa-downloader-image
BuildFlags: excludebuild:kiwi-builder-image
BuildFlags: excludebuild:kubectl-image
BuildFlags: excludebuild:kube-rbac-proxy-image BuildFlags: excludebuild:kube-rbac-proxy-image
BuildFlags: excludebuild:metallb-controller-image BuildFlags: excludebuild:metallb-controller-image
BuildFlags: excludebuild:metallb-speaker-image BuildFlags: excludebuild:metallb-speaker-image
BuildFlags: excludebuild:nessie-image
BuildFlags: excludebuild:suse-edge-components-versions-image
%endif %endif
%else %else
# Only a subset of stack is arm64 ready # Only a subset of stack is arm64 ready
@@ -69,8 +85,9 @@ BuildFlags: onlybuild:release-manifest-image
BuildFlags: onlybuild:baremetal-operator BuildFlags: onlybuild:baremetal-operator
BuildFlags: onlybuild:baremetal-operator-image BuildFlags: onlybuild:baremetal-operator-image
BuildFlags: onlybuild:ca-certificates-suse BuildFlags: onlybuild:ca-certificates-suse
BuildFlags: onlybuild:cosign BuildFlags: onlybuild:container-build-checks
BuildFlags: onlybuild:crudini BuildFlags: onlybuild:crudini
BuildFlags: onlybuild:edge-build-checks
BuildFlags: onlybuild:edge-image-builder BuildFlags: onlybuild:edge-image-builder
BuildFlags: onlybuild:edge-image-builder-image BuildFlags: onlybuild:edge-image-builder-image
BuildFlags: onlybuild:endpoint-copier-operator BuildFlags: onlybuild:endpoint-copier-operator
@@ -81,12 +98,29 @@ BuildFlags: onlybuild:release-manifest-image
BuildFlags: onlybuild:ironic-image BuildFlags: onlybuild:ironic-image
BuildFlags: onlybuild:ironic-ipa-downloader-image BuildFlags: onlybuild:ironic-ipa-downloader-image
BuildFlags: onlybuild:ironic-ipa-ramdisk BuildFlags: onlybuild:ironic-ipa-ramdisk
BuildFlags: onlybuild:kubectl
BuildFlags: onlybuild:kubectl-image
BuildFlags: onlybuild:kube-rbac-proxy BuildFlags: onlybuild:kube-rbac-proxy
BuildFlags: onlybuild:kube-rbac-proxy-image BuildFlags: onlybuild:kube-rbac-proxy-image
BuildFlags: onlybuild:metallb BuildFlags: onlybuild:metallb
BuildFlags: onlybuild:metallb-controller-image BuildFlags: onlybuild:metallb-controller-image
BuildFlags: onlybuild:metallb-speaker-image BuildFlags: onlybuild:metallb-speaker-image
BuildFlags: onlybuild:nessie
BuildFlags: onlybuild:nessie-image
BuildFlags: onlybuild:nm-configurator BuildFlags: onlybuild:nm-configurator
BuildFlags: onlybuild:python-annotated-types
BuildFlags: onlybuild:python-executing
BuildFlags: onlybuild:python-flit-core
BuildFlags: onlybuild:python-inline-snapshot
BuildFlags: onlybuild:python-pydantic
BuildFlags: onlybuild:python-pydantic-core
BuildFlags: onlybuild:python-pyhelm3
BuildFlags: onlybuild:python-rich
BuildFlags: onlybuild:python-suse-edge-components-versions
BuildFlags: onlybuild:python-typing-inspection
BuildFlags: onlybuild:python-typing_extensions
BuildFlags: onlybuild:shim-noarch
BuildFlags: onlybuild:suse-edge-components-versions-image
%endif %endif
%endif %endif
@@ -97,13 +131,22 @@ BuildFlags: onlybuild:release-manifest-image
Patterntype: none Patterntype: none
BuildEngine: podman BuildEngine: podman
Prefer: sles-release Prefer: sles-release
BuildFlags: dockerarg:SLE_VERSION=15.6 BuildFlags: dockerarg:SLE_VERSION=15.7
# Publish multi-arch container images only once all archs have been built # Publish multi-arch container images only once all archs have been built
PublishFlags: archsync PublishFlags: archsync
# skopeo and umoci are used by build scripts to list packages
Substitute: system-packages:podman podman buildah createrepo_c release-compare skopeo umoci
%endif %endif
%if "%_repository" == "images_6.0" %if "%_repository" == "images"
# skopeo and umoci are used by build scripts to list packages
Substitute: system-packages:podman podman buildah createrepo_c release-compare edge-build-checks skopeo umoci
%endif
%if "%_repository" == "images_16.0"
Prefer: container:sles15-image Prefer: container:sles15-image
Type: docker Type: docker
BuildEngine: podman BuildEngine: podman
@@ -112,6 +155,8 @@ BuildFlags: onlybuild:release-manifest-image
BuildFlags: dockerarg:SLE_VERSION=16.0 BuildFlags: dockerarg:SLE_VERSION=16.0
BuildFlags: onlybuild:kiwi-builder-image BuildFlags: onlybuild:kiwi-builder-image
Substitute: system-packages:podman podman buildah createrepo_c release-compare skopeo umoci
# Publish multi-arch container images only once all archs have been built # Publish multi-arch container images only once all archs have been built
PublishFlags: archsync PublishFlags: archsync
@@ -122,13 +167,22 @@ BuildFlags: onlybuild:release-manifest-image
BuildFlags: excludebuild:endpoint-copier-operator-image BuildFlags: excludebuild:endpoint-copier-operator-image
BuildFlags: excludebuild:ironic-image BuildFlags: excludebuild:ironic-image
BuildFlags: excludebuild:ironic-ipa-downloader-image BuildFlags: excludebuild:ironic-ipa-downloader-image
BuildFlags: excludebuild:kubectl-image
BuildFlags: excludebuild:kube-rbac-proxy-image BuildFlags: excludebuild:kube-rbac-proxy-image
BuildFlags: excludebuild:metallb-controller-image BuildFlags: excludebuild:metallb-controller-image
BuildFlags: excludebuild:metallb-speaker-image BuildFlags: excludebuild:metallb-speaker-image
BuildFlags: excludebuild:nessie-image
BuildFlags: excludebuild:suse-edge-components-versions-image
%endif %endif
%else %else
%if "%{sub %{reverse %_project} 1 7}" != "%{reverse :ToTest}" && "%{sub %{reverse %_project} 1 9}" != "%{reverse :Snapshot}"
BuildFlags: excludebuild:kiwi-builder-image BuildFlags: excludebuild:kiwi-builder-image
%else
%ifarch aarch64
BuildFlags: onlybuild:kiwi-builder-image
%endif
%endif
%endif %endif
@@ -138,11 +192,17 @@ BuildFlags: onlybuild:release-manifest-image
Repotype: helm Repotype: helm
Patterntype: none Patterntype: none
Required: perl-YAML-LibYAML Required: perl-YAML-LibYAML
# include edge-build-checks here
Support: edge-build-checks
%endif %endif
%if "%_repository" == "standard" %if "%_repository" == "standard"
# for build openstack-ironic-image # for build openstack-ironic-image
BuildFlags: allowrootforbuild BuildFlags: allowrootforbuild
# ironic-ipa-ramdisk are noarch packages that need to be availble to both archs
ExportFilter: ^ironic-ipa-ramdisk-.*\.noarch\.rpm$ aarch64 x86_64
%endif %endif
# Enable reproducible builds # Enable reproducible builds

16
_meta

@@ -23,6 +23,9 @@
<disable/> <disable/>
<enable repository="charts"/> <enable repository="charts"/>
<enable repository="test_manifest_images"/> <enable repository="test_manifest_images"/>
{%- if for_release %}
<enable repository="releasecharts"/>
{%- endif %}
</build> </build>
<publish> <publish>
<disable repository="phantomcharts"/> <disable repository="phantomcharts"/>
@@ -31,17 +34,18 @@
<arch>x86_64</arch> <arch>x86_64</arch>
</repository> </repository>
{%- endif %} {%- endif %}
{%- for repository in ["images", "images_6.0", "test_manifest_images"] %} {%- for repository in ["images", "images_16.0", "test_manifest_images"] %}
<repository name="{{ repository }}"> <repository name="{{ repository }}">
{%- if release_project is defined and repository != "test_manifest_images" %} {%- if release_project is defined and repository != "test_manifest_images" %}
<releasetarget project="{{ release_project }}" repository="images" trigger="manual"/> <releasetarget project="{{ release_project }}" repository="images" trigger="manual"/>
{%- endif %} {%- endif %}
<path project="SUSE:Registry" repository="standard"/> <path project="SUSE:Registry" repository="standard"/>
{%- if repository == "images_6.0" %} {%- if repository == "images_16.0" %}
<path project="SUSE:CA" repository="16.0"/> <path project="SUSE:CA" repository="16.0"/>
<path project="SUSE:ALP:Products:Marble:6.0" repository="standard"/> <path project="SUSE:SLFO:Products:SLES:16.0" repository="standard"/>
<path project="SUSE:SLFO:Main:Build" repository="standard"/>
{%- else %} {%- else %}
<path project="SUSE:CA" repository="SLE_15_SP6"/> <path project="SUSE:CA" repository="SLE_15_SP7"/>
<path project="{{ project }}" repository="standard"/> <path project="{{ project }}" repository="standard"/>
{%- endif %} {%- endif %}
<arch>x86_64</arch> <arch>x86_64</arch>
@@ -52,8 +56,8 @@
{%- if release_project is defined and not for_release %} {%- if release_project is defined and not for_release %}
<releasetarget project="{{ release_project }}" repository="standard" trigger="manual"/> <releasetarget project="{{ release_project }}" repository="standard" trigger="manual"/>
{%- endif %} {%- endif %}
<path project="Cloud:OpenStack:2024.2" repository="15.6"/> <path project="{{ ironic_base }}:2025.1" repository="15.7"/>
<path project="SUSE:SLE-15-SP6:Update" repository="standard"/> <path project="SUSE:SLE-15-SP7:Update" repository="standard"/>
<arch>x86_64</arch> <arch>x86_64</arch>
<arch>aarch64</arch> <arch>aarch64</arch>
</repository> </repository>


@@ -1,5 +1,5 @@
#!BuildTag: %%IMG_PREFIX%%akri-chart:%%CHART_MAJOR%%.0.0_up0.12.20 #!BuildTag: %%CHART_PREFIX%%akri:%%CHART_MAJOR%%.0.0_up0.12.20
#!BuildTag: %%IMG_PREFIX%%akri-chart:%%CHART_MAJOR%%.0.0_up0.12.20-%RELEASE% #!BuildTag: %%CHART_PREFIX%%akri:%%CHART_MAJOR%%.0.0_up0.12.20-%RELEASE%
annotations: annotations:
catalog.cattle.io/display-name: Akri catalog.cattle.io/display-name: Akri
apiVersion: v2 apiVersion: v2


@@ -9,8 +9,8 @@
</service> </service>
<service name="replace_using_env" mode="buildtime"> <service name="replace_using_env" mode="buildtime">
<param name="file">Chart.yaml</param> <param name="file">Chart.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param> <param name="eval">CHART_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?chart_prefix})</param>
<param name="var">IMG_PREFIX</param> <param name="var">CHART_PREFIX</param>
<param name="eval">CHART_MAJOR=$(rpm --macros=/root/.rpmmacros -E %{?chart_major})</param> <param name="eval">CHART_MAJOR=$(rpm --macros=/root/.rpmmacros -E %{?chart_major})</param>
<param name="var">CHART_MAJOR</param> <param name="var">CHART_MAJOR</param>
</service> </service>


@@ -853,7 +853,7 @@ webhookConfiguration:
pullPolicy: Always pullPolicy: Always
certImage: certImage:
# reference is the webhook-certgen image reference # reference is the webhook-certgen image reference
reference: registry.k8s.io/ingress-nginx/kube-webhook-certgen reference: registry.rancher.com/rancher/mirrored-ingress-nginx-kube-webhook-certgen
# tag is the webhook-certgen image tag # tag is the webhook-certgen image tag
tag: v1.1.1 tag: v1.1.1
# pullPolicy is the webhook-certgen pull policy # pullPolicy is the webhook-certgen pull policy
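Review bot: `certImage.reference` now points at the `registry.rancher.com` mirror but the image is still selected by the tag `v1.1.1` alone, so which bytes run the webhook certificate job depends on whatever the mirror serves under that tag. If the chart's template accepts a digest, pin the mirrored image with `reference: registry.rancher.com/rancher/mirrored-ingress-nginx-kube-webhook-certgen@sha256:<digest-of-mirrored-image>`. Otherwise extend the comment above `reference` to say the mirror is expected to carry the same build as the upstream image. The `certImage` block continues outside the hunk.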


@@ -1,21 +1,21 @@
#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:%%CHART_MAJOR%%.0.0 #!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.3_up1.3.1
#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:%%CHART_MAJOR%%.0.0_up1.2.1 #!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.3_up1.3.1-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:%%CHART_MAJOR%%.0.0_up1.2.1-%RELEASE%
annotations: annotations:
catalog.cattle.io/certified: rancher catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: Akri
catalog.cattle.io/kube-version: ">= v1.26.0-0"
catalog.cattle.io/namespace: cattle-ui-plugin-system catalog.cattle.io/namespace: cattle-ui-plugin-system
catalog.cattle.io/os: linux catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux, windows catalog.cattle.io/permits-os: linux, windows
catalog.cattle.io/rancher-version: ">= 2.10.0-0"
catalog.cattle.io/scope: management catalog.cattle.io/scope: management
catalog.cattle.io/ui-component: plugins catalog.cattle.io/ui-component: plugins
catalog.cattle.io/ui-extensions-version: ">= 3.0.0 < 4.0.0" catalog.cattle.io/display-name: Akri
catalog.cattle.io/rancher-version: '>= 2.11.0-0'
catalog.cattle.io/ui-extensions-version: '>= 3.0.2 < 4.0.0'
catalog.cattle.io/kube-version: '>= v1.26.0-0'
apiVersion: v2 apiVersion: v2
appVersion: 302.0.0+up1.2.1 appVersion: 304.0.3+up1.3.1
description: 'SUSE Edge: Akri extension for Rancher Dashboard' description: 'SUSE Edge: Akri extension for Rancher Dashboard'
name: akri-dashboard-extension name: akri-dashboard-extension
type: application type: application
version: "%%CHART_MAJOR%%.0.0+up1.2.1" version: "%%CHART_MAJOR%%.0.3+up1.3.1"
icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/akri/icon/color/akri-icon-color.svg icon: >-
https://raw.githubusercontent.com/cncf/artwork/main/projects/akri/icon/color/akri-icon-color.svg


@@ -9,8 +9,8 @@
</service> </service>
<service name="replace_using_env" mode="buildtime"> <service name="replace_using_env" mode="buildtime">
<param name="file">Chart.yaml</param> <param name="file">Chart.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param> <param name="eval">CHART_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?chart_prefix})</param>
<param name="var">IMG_PREFIX</param> <param name="var">CHART_PREFIX</param>
<param name="eval">CHART_MAJOR=$(rpm --macros=/root/.rpmmacros -E %{?chart_major})</param> <param name="eval">CHART_MAJOR=$(rpm --macros=/root/.rpmmacros -E %{?chart_major})</param>
<param name="var">CHART_MAJOR</param> <param name="var">CHART_MAJOR</param>
</service> </service>


@@ -8,7 +8,7 @@ spec:
plugin: plugin:
name: {{ include "extension-server.fullname" . }} name: {{ include "extension-server.fullname" . }}
version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }} version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/302.0.0+up1.2.1 endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/304.0.3+up1.3.1
noCache: {{ .Values.plugin.noCache }} noCache: {{ .Values.plugin.noCache }}
noAuth: {{ .Values.plugin.noAuth }} noAuth: {{ .Values.plugin.noAuth }}
metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }} metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}


@@ -7,6 +7,6 @@ plugin:
noAuth: false noAuth: false
metadata: metadata:
catalog.cattle.io/display-name: Akri catalog.cattle.io/display-name: Akri
catalog.cattle.io/rancher-version: ">= 2.10.0-0" catalog.cattle.io/rancher-version: ">= 2.11.0-0"
catalog.cattle.io/ui-extensions-version: ">= 3.0.0 < 4.0.0" catalog.cattle.io/ui-extensions-version: ">= 3.0.2 < 4.0.0"
catalog.cattle.io/kube-version: ">= v1.26.0-0" catalog.cattle.io/kube-version: ">= v1.26.0-0"


@@ -1,13 +1,12 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%% #!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.1
#!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%-%RELEASE% #!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.1-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/ COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends baremetal-operator iproute2 bind-utils vim shadow; zypper -n clean; rm -rf /var/log/* RUN zypper --installroot /installroot --non-interactive install --no-recommends baremetal-operator inotify-tools procps iproute2 bind-utils vim shadow; zypper -n clean; rm -rf /var/log/*
FROM micro AS final FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers # Define labels according to https://en.opensuse.org/Building_derived_containers
@@ -19,7 +18,7 @@ LABEL org.opencontainers.image.version="%%baremetal-operator_version%%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/" LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%" LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC" LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%-%RELEASE%" LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.1-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%" LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%" LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024" LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -29,6 +28,8 @@ LABEL com.suse.release-stage="released"
# endlabelprefix # endlabelprefix
COPY --from=base /installroot / COPY --from=base /installroot /
COPY bmo-run /usr/bin/bmo-run
RUN chmod +x /usr/bin/bmo-run
RUN groupadd -r -g 11000 bmo RUN groupadd -r -g 11000 bmo
RUN useradd -u 11000 -g 11000 bmo RUN useradd -u 11000 -g 11000 bmo
ENTRYPOINT [ "/usr/bin/baremetal-operator" ] ENTRYPOINT [ "/usr/bin/bmo-run" ]
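Review bot: No `USER` instruction appears between `RUN useradd -u 11000 -g 11000 bmo` and the new `ENTRYPOINT [ "/usr/bin/bmo-run" ]`, so the wrapper and the operator it execs start as root unless the pod spec sets the user. If nothing in the image relies on root at start-up, add `USER 11000:11000` before the entrypoint so the default is unprivileged. The build tags and `org.opensuse.reference` gain a `.1` suffix, while the `org.opencontainers.image.version` label shown in the hunk header still carries the bare `%%baremetal-operator_version%%`. If that is deliberate (upstream version versus packaging revision), a one-line comment would say so.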


@@ -0,0 +1,12 @@
#!/bin/bash
export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPDATED:-"false"}
export IRONIC_CACERT_FILE=${IRONIC_CACERT_FILE:-"/opt/metal3/certs/ca/tls.crt"}
if [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
# shellcheck disable=SC2034
inotifywait -m -e delete_self "${IRONIC_CACERT_FILE}" | while read -r file event; do
kill $(pgrep baremetal-opera)
done &
fi
exec /usr/bin/baremetal-operator $@
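Review bot: The last line passes `$@` unquoted, so any operator argument containing whitespace or glob characters is split again by the shell; it should read `exec /usr/bin/baremetal-operator "$@"`. In the watcher, `kill $(pgrep baremetal-opera)` signals every process whose name matches the pattern and calls `kill` with no argument when nothing matches. Because the script ends in `exec`, the operator keeps the script's PID, so `kill "$$"` inside the loop would target exactly that process. If `IRONIC_CACERT_FILE` does not exist when the container starts, `inotifywait` cannot set the watch, the background pipeline ends, and later rotations of the CA file no longer restart the operator. A `printf` to stderr after `done` would make that state visible in the container log.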


@@ -0,0 +1,163 @@
From f8c1ba1696fd8555e8e94246ec5afa38536fa8bd Mon Sep 17 00:00:00 2001
From: erjavaskivuori <erja.vaskivuori@est.tech>
Date: Thu, 5 Jun 2025 09:49:47 +0000
Subject: [PATCH 1/5] Enable exhaustive linter
Enable exhaustive linter to check exhaustiveness of switch statements of enum-like
constants.
Signed-off-by: erjavaskivuori <erja.vaskivuori@est.tech>
(cherry picked from commit a5a81b8717c9e6642ae626ea97933e3615fe11c0)
---
.golangci.yaml | 4 ++-
.../metal3.io/v1alpha1/baremetalhost_types.go | 1 +
.../metal3.io/baremetalhost_controller.go | 2 ++
.../metal3.io/host_state_machine.go | 4 +++
pkg/provisioner/ironic/ironic.go | 26 +++++++++----------
5 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/.golangci.yaml b/.golangci.yaml
index 58e54b31..c758b93c 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -21,7 +21,7 @@ linters:
- errchkjson
#- errname
#- errorlint
- #- exhaustive
+ - exhaustive
- exptostd
- fatcontext
#- forbidigo
@@ -78,6 +78,8 @@ linters:
# Run with --fast=false for more extensive checks
fast: true
linters-settings:
+ exhaustive:
+ default-signifies-exhaustive: true
gosec:
severity: medium
confidence: medium
diff --git a/apis/metal3.io/v1alpha1/baremetalhost_types.go b/apis/metal3.io/v1alpha1/baremetalhost_types.go
index ba1b4333..426a7a89 100644
--- a/apis/metal3.io/v1alpha1/baremetalhost_types.go
+++ b/apis/metal3.io/v1alpha1/baremetalhost_types.go
@@ -1113,6 +1113,7 @@ func (host *BareMetalHost) OperationMetricForState(operation ProvisioningState)
metric = &history.Provision
case StateDeprovisioning:
metric = &history.Deprovision
+ default:
}
return
}
diff --git a/internal/controller/metal3.io/baremetalhost_controller.go b/internal/controller/metal3.io/baremetalhost_controller.go
index 33310bf7..1998627e 100644
--- a/internal/controller/metal3.io/baremetalhost_controller.go
+++ b/internal/controller/metal3.io/baremetalhost_controller.go
@@ -586,6 +586,7 @@ func getCurrentImage(host *metal3api.BareMetalHost) *metal3api.Image {
if host.Spec.Image != nil && host.Spec.Image.URL != "" {
return host.Spec.Image.DeepCopy()
}
+ default:
}
return nil
}
@@ -816,6 +817,7 @@ func (r *BareMetalHostReconciler) registerHost(prov provisioner.Provisioner, inf
if info.host.Spec.AutomatedCleaningMode == metal3api.CleaningModeDisabled {
preprovImgFormats = nil
}
+ default:
}
preprovImg, err := r.getPreprovImage(info, preprovImgFormats)
diff --git a/internal/controller/metal3.io/host_state_machine.go b/internal/controller/metal3.io/host_state_machine.go
index 8b382553..6d88591b 100644
--- a/internal/controller/metal3.io/host_state_machine.go
+++ b/internal/controller/metal3.io/host_state_machine.go
@@ -107,6 +107,7 @@ func (hsm *hostStateMachine) updateHostStateFrom(initialState metal3api.Provisio
if actionRes := hsm.ensureCapacity(info, hsm.NextState); actionRes != nil {
return actionRes
}
+ default:
}
info.log.Info("changing provisioning state",
@@ -137,6 +138,7 @@ func (hsm *hostStateMachine) updateHostStateFrom(initialState metal3api.Provisio
info.log.Info("saving boot mode",
"new mode", hsm.Host.Status.Provisioning.BootMode)
}
+ default:
}
}
@@ -163,6 +165,7 @@ func (hsm *hostStateMachine) checkDelayedHost(info *reconcileInfo) actionResult
if actionRes := hsm.ensureCapacity(info, info.host.Status.Provisioning.State); actionRes != nil {
return actionRes
}
+ default:
}
return nil
@@ -299,6 +302,7 @@ func (hsm *hostStateMachine) checkDetachedHost(info *reconcileInfo) (result acti
switch info.host.Status.Provisioning.State {
case metal3api.StateProvisioned, metal3api.StateExternallyProvisioned, metal3api.StateReady, metal3api.StateAvailable:
return hsm.Reconciler.detachHost(hsm.Provisioner, info)
+ default:
}
}
if info.host.Status.ErrorType == metal3api.DetachError {
diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
index 9a4b4589..4c4923ad 100644
--- a/pkg/provisioner/ironic/ironic.go
+++ b/pkg/provisioner/ironic/ironic.go
@@ -335,21 +335,17 @@ func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessDat
return result, err
}
+ if data.State == metal3api.StateProvisioning && data.CurrentImage.IsLiveISO() {
+ // Live ISO doesn't need pre-provisioning image
+ return result, nil
+ }
+
+ if data.State == metal3api.StateDeprovisioning && data.AutomatedCleaningMode == metal3api.CleaningModeDisabled {
+ // No need for pre-provisioning image if cleaning disabled
+ return result, nil
+ }
+
switch data.State {
- case metal3api.StateProvisioning,
- metal3api.StateDeprovisioning:
- if data.State == metal3api.StateProvisioning {
- if data.CurrentImage.IsLiveISO() {
- // Live ISO doesn't need pre-provisioning image
- return result, nil
- }
- } else {
- if data.AutomatedCleaningMode == metal3api.CleaningModeDisabled {
- // No need for pre-provisioning image if cleaning disabled
- return result, nil
- }
- }
- fallthrough
case metal3api.StateInspecting,
metal3api.StatePreparing:
if deployImageInfo == nil {
@@ -360,6 +356,7 @@ func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessDat
}
return result, err
}
+ default:
}
return result, nil
@@ -1724,6 +1721,7 @@ func (p *ironicProvisioner) loadBusyHosts() (hosts map[string]struct{}, err erro
if !strings.Contains(node.BootInterface, "virtual-media") {
hosts[node.Name] = struct{}{}
}
+ default:
}
}
--
2.50.1
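Review bot: In the `configureImages` hunk of `pkg/provisioner/ironic/ironic.go`, removing the `StateProvisioning`/`StateDeprovisioning` case together with its `fallthrough` means those two states no longer reach the `deployImageInfo == nil` check and instead land on the empty `default:`. As shown here, that is a behaviour change inside a patch described as enabling a linter. If the check is still wanted for them, the case list would need to be `case metal3api.StateInspecting, metal3api.StatePreparing, metal3api.StateProvisioning, metal3api.StateDeprovisioning:`. Separately, `default-signifies-exhaustive: true` combined with the empty `default:` arms satisfies the linter without listing the states, so a `ProvisioningState` added later will not be flagged at these switches. A short comment in each empty arm, such as `// other states need no action here`, would record that the omission is intended. The function bodies start and end outside the hunks.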


@@ -0,0 +1,91 @@
From 509ba92a8ed7303a418c5277f7544db2765c3802 Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur <dtantsur@protonmail.com>
Date: Wed, 2 Jul 2025 17:33:46 +0200
Subject: [PATCH 2/5] Stop requiring DEPLOY_KERNEL/RAMDISK
Ironic has global configuration that allows specifying them, even
depending on the architecture. Our ironic-image supports that when
IPA downloader is used (and should start supporting explicit variables
too).
Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
(cherry picked from commit 0f1ef6cbeb8815f19d853ba5eab1e70c7d85e2ec)
---
pkg/provisioner/ironic/factory.go | 6 ++----
pkg/provisioner/ironic/factory_test.go | 9 ++-------
pkg/provisioner/ironic/ironic.go | 10 +++-------
3 files changed, 7 insertions(+), 18 deletions(-)
diff --git a/pkg/provisioner/ironic/factory.go b/pkg/provisioner/ironic/factory.go
index 19571eb0..15f636b3 100644
--- a/pkg/provisioner/ironic/factory.go
+++ b/pkg/provisioner/ironic/factory.go
@@ -114,10 +114,8 @@ func loadConfigFromEnv(havePreprovImgBuilder bool) (ironicConfig, error) {
c.deployRamdiskURL = os.Getenv("DEPLOY_RAMDISK_URL")
c.deployISOURL = os.Getenv("DEPLOY_ISO_URL")
if !havePreprovImgBuilder {
- if c.deployISOURL == "" &&
- (c.deployKernelURL == "" || c.deployRamdiskURL == "") {
- return c, errors.New("either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set")
- }
+ // NOTE(dtantsur): with a PreprovisioningImage controller, it makes sense to set only the kernel.
+ // Without it, either both or neither must be set.
if (c.deployKernelURL == "" && c.deployRamdiskURL != "") ||
(c.deployKernelURL != "" && c.deployRamdiskURL == "") {
return c, errors.New("DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL can only be set together")
diff --git a/pkg/provisioner/ironic/factory_test.go b/pkg/provisioner/ironic/factory_test.go
index db47d8b2..0d32eccb 100644
--- a/pkg/provisioner/ironic/factory_test.go
+++ b/pkg/provisioner/ironic/factory_test.go
@@ -98,24 +98,19 @@ func TestLoadConfigFromEnv(t *testing.T) {
ramdiskURL: "http://ramdisk",
},
},
- {
- name: "no deploy info",
- env: EnvFixture{},
- expectedError: "either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set",
- },
{
name: "only kernel",
env: EnvFixture{
kernelURL: "http://kernel",
},
- expectedError: "either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set",
+ expectedError: "DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL can only be set together",
},
{
name: "only ramdisk",
env: EnvFixture{
ramdiskURL: "http://ramdisk",
},
- expectedError: "either DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL or DEPLOY_ISO_URL must be set",
+ expectedError: "DEPLOY_KERNEL_URL and DEPLOY_RAMDISK_URL can only be set together",
expectedImgBuildError: "DEPLOY_RAMDISK_URL requires DEPLOY_KERNEL_URL to be set also",
},
{
diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
index 4c4923ad..48db865a 100644
--- a/pkg/provisioner/ironic/ironic.go
+++ b/pkg/provisioner/ironic/ironic.go
@@ -348,14 +348,10 @@ func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessDat
switch data.State {
case metal3api.StateInspecting,
metal3api.StatePreparing:
- if deployImageInfo == nil {
- if p.config.havePreprovImgBuilder {
- result, err = transientError(provisioner.ErrNeedsPreprovisioningImage)
- } else {
- result, err = operationFailed("no preprovisioning image available")
- }
- return result, err
+ if deployImageInfo == nil && p.config.havePreprovImgBuilder {
+ result, err = transientError(provisioner.ErrNeedsPreprovisioningImage)
}
+ return result, err
default:
}
--
2.50.1
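Review bot: In `factory_test.go` the `no deploy info` case is deleted rather than kept as a case that expects success, so nothing in the visible test table pins the newly accepted configuration where no `DEPLOY_*` URL is set. Keeping the entry without an `expectedError` (presumably `{name: "no deploy info", env: EnvFixture{}},`, to be checked against the table's struct) would cover it. In `ironic.go`, the `operationFailed("no preprovisioning image available")` branch is removed as well, so a host with no deploy image and no image builder is no longer stopped here and any failure would surface later on the Ironic side. A comment above the new `if deployImageInfo == nil && p.config.havePreprovImgBuilder` line stating that Ironic's global configuration is relied on would record that dependency. Both functions continue outside the hunks.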


@@ -0,0 +1,49 @@
From ea10df866f0fc491cac15ba5005f3b820e1ccecb Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur <dtantsur@protonmail.com>
Date: Wed, 2 Jul 2025 17:55:48 +0200
Subject: [PATCH 3/5] Remove DEPLOY_KERNEL_URL from deployment scripts for main
Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
(cherry picked from commit ddcf3d915819b6344f79fbcec3e28250b217a597)
---
config/default/ironic.env | 2 --
config/overlays/e2e/ironic.env | 2 --
config/render/capm3.yaml | 2 --
3 files changed, 6 deletions(-)
diff --git a/config/default/ironic.env b/config/default/ironic.env
index e72cb3c3..3fe36d25 100644
--- a/config/default/ironic.env
+++ b/config/default/ironic.env
@@ -1,7 +1,5 @@
HTTP_PORT=6180
PROVISIONING_INTERFACE=eth2
DHCP_RANGE=172.22.0.10,172.22.0.100
-DEPLOY_KERNEL_URL=http://172.22.0.2:6180/images/ironic-python-agent.kernel
-DEPLOY_RAMDISK_URL=http://172.22.0.2:6180/images/ironic-python-agent.initramfs
IRONIC_ENDPOINT=http://172.22.0.2:6385/v1/
CACHEURL=http://172.22.0.1/images
diff --git a/config/overlays/e2e/ironic.env b/config/overlays/e2e/ironic.env
index 44147ae0..6f200720 100644
--- a/config/overlays/e2e/ironic.env
+++ b/config/overlays/e2e/ironic.env
@@ -1,3 +1 @@
-DEPLOY_KERNEL_URL=http://192.168.222.1:6180/images/ironic-python-agent.kernel
-DEPLOY_RAMDISK_URL=http://192.168.222.1:6180/images/ironic-python-agent.initramfs
IRONIC_ENDPOINT=https://192.168.222.1:6385/v1/
diff --git a/config/render/capm3.yaml b/config/render/capm3.yaml
index 42283193..7568288f 100644
--- a/config/render/capm3.yaml
+++ b/config/render/capm3.yaml
@@ -2510,8 +2510,6 @@ subjects:
apiVersion: v1
data:
CACHEURL: http://172.22.0.1/images
- DEPLOY_KERNEL_URL: http://172.22.0.2:6180/images/ironic-python-agent.kernel
- DEPLOY_RAMDISK_URL: http://172.22.0.2:6180/images/ironic-python-agent.initramfs
DHCP_RANGE: 172.22.0.10,172.22.0.100
HTTP_PORT: "6180"
IRONIC_ENDPOINT: http://172.22.0.2:6385/v1/
--
2.50.1


@@ -0,0 +1,422 @@
From b2e8a1a42c95a3338c9c83a4781ba4744da5ff6a Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur <dtantsur@protonmail.com>
Date: Tue, 24 Jun 2025 18:53:42 +0200
Subject: [PATCH 4/5] Refactor setting various Ironic properties
Currently, Ironic instance_info and properties fields are populated at
random either in most states or before deployment. While potentially
convenient, it makes it very hard to reason about the code.
Now, the logic is split into two parts:
1. configureNode (renamed from configureImages) writes fields that are
considered properties of the node itself: CPU architecture, deploy
images, capabilities, etc.
2. getInstanceUpdateOpts (merge of getImageUpdateOptsForNode and
getUpdateOptsForNode) writes fields that are required for deployment
and thus are properties of instance. This includes images, checksums,
runtime capabilities. As an exception, root device hints fall under
this category and thus are now set in instance_info, not properties.
Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
(cherry picked from commit 0c70cba38c926c474f4fa129a7e99ef9827d6ce9)
---
.../metal3.io/baremetalhost_controller.go | 2 +-
pkg/provisioner/ironic/ironic.go | 49 +++++-------
pkg/provisioner/ironic/provision_test.go | 27 +++----
pkg/provisioner/ironic/register.go | 3 +-
pkg/provisioner/ironic/register_test.go | 78 +------------------
pkg/provisioner/provisioner.go | 2 +-
6 files changed, 40 insertions(+), 121 deletions(-)
diff --git a/internal/controller/metal3.io/baremetalhost_controller.go b/internal/controller/metal3.io/baremetalhost_controller.go
index 1998627e..0d0c9562 100644
--- a/internal/controller/metal3.io/baremetalhost_controller.go
+++ b/internal/controller/metal3.io/baremetalhost_controller.go
@@ -848,6 +848,7 @@ func (r *BareMetalHostReconciler) registerHost(prov provisioner.Provisioner, inf
PreprovisioningNetworkData: preprovisioningNetworkData,
HasCustomDeploy: hasCustomDeploy(info.host),
DisablePowerOff: info.host.Spec.DisablePowerOff,
+ CPUArchitecture: getHostArchitecture(info.host),
},
credsChanged,
info.host.Status.ErrorType == metal3api.RegistrationError)
@@ -1271,7 +1272,6 @@ func (r *BareMetalHostReconciler) actionProvisioning(prov provisioner.Provisione
BootMode: info.host.Status.Provisioning.BootMode,
HardwareProfile: hwProf,
RootDeviceHints: info.host.Status.Provisioning.RootDeviceHints.DeepCopy(),
- CPUArchitecture: getHostArchitecture(info.host),
}, forceReboot)
if err != nil {
return actionError{errors.Wrap(err, "failed to provision")}
diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
index 48db865a..b8e6d72b 100644
--- a/pkg/provisioner/ironic/ironic.go
+++ b/pkg/provisioner/ironic/ironic.go
@@ -311,20 +311,24 @@ func (p *ironicProvisioner) createPXEEnabledNodePort(uuid, macAddress string) er
return nil
}
-func (p *ironicProvisioner) configureImages(data provisioner.ManagementAccessData, ironicNode *nodes.Node, bmcAccess bmc.AccessDetails) (result provisioner.Result, err error) {
+func (p *ironicProvisioner) configureNode(data provisioner.ManagementAccessData, ironicNode *nodes.Node, bmcAccess bmc.AccessDetails) (result provisioner.Result, err error) {
updater := clients.UpdateOptsBuilder(p.log)
deployImageInfo := setDeployImage(p.config, bmcAccess, data.PreprovisioningImage)
updater.SetDriverInfoOpts(deployImageInfo, ironicNode)
- // NOTE(dtantsur): It is risky to update image information for active nodes since it may affect the ability to clean up.
- if (data.CurrentImage != nil || data.HasCustomDeploy) && ironicNode.ProvisionState != string(nodes.Active) {
- p.getImageUpdateOptsForNode(ironicNode, data.CurrentImage, data.BootMode, data.HasCustomDeploy, updater)
- }
updater.SetTopLevelOpt("automated_clean",
data.AutomatedCleaningMode != metal3api.CleaningModeDisabled,
ironicNode.AutomatedClean)
+ opts := clients.UpdateOptsData{
+ "capabilities": buildCapabilitiesValue(ironicNode, data.BootMode),
+ }
+ if data.CPUArchitecture != "" {
+ opts["cpu_arch"] = data.CPUArchitecture
+ }
+ updater.SetPropertiesOpts(opts, ironicNode)
+
_, success, result, err := p.tryUpdateNode(ironicNode, updater)
if !success {
return result, err
@@ -656,40 +660,29 @@ func (p *ironicProvisioner) setCustomDeployUpdateOptsForNode(ironicNode *nodes.N
SetTopLevelOpt("deploy_interface", "custom-agent", ironicNode.DeployInterface)
}
-func (p *ironicProvisioner) getImageUpdateOptsForNode(ironicNode *nodes.Node, imageData *metal3api.Image, bootMode metal3api.BootMode, hasCustomDeploy bool, updater *clients.NodeUpdater) {
+func (p *ironicProvisioner) getInstanceUpdateOpts(ironicNode *nodes.Node, data provisioner.ProvisionData) *clients.NodeUpdater {
+ updater := clients.UpdateOptsBuilder(p.log)
+
+ hasCustomDeploy := data.CustomDeploy != nil && data.CustomDeploy.Method != ""
+
// instance_uuid
updater.SetTopLevelOpt("instance_uuid", string(p.objectMeta.UID), ironicNode.InstanceUUID)
updater.SetInstanceInfoOpts(clients.UpdateOptsData{
- "capabilities": buildInstanceInfoCapabilities(bootMode),
+ "capabilities": buildInstanceInfoCapabilities(data.BootMode),
+ "root_device": devicehints.MakeHintMap(data.RootDeviceHints),
}, ironicNode)
if hasCustomDeploy {
// Custom deploy process
- p.setCustomDeployUpdateOptsForNode(ironicNode, imageData, updater)
- } else if imageData.IsLiveISO() {
+ p.setCustomDeployUpdateOptsForNode(ironicNode, &data.Image, updater)
+ } else if data.Image.IsLiveISO() {
// Set live-iso format options
- p.setLiveIsoUpdateOptsForNode(ironicNode, imageData, updater)
+ p.setLiveIsoUpdateOptsForNode(ironicNode, &data.Image, updater)
} else {
// Set deploy_interface direct options when not booting a live-iso
- p.setDirectDeployUpdateOptsForNode(ironicNode, imageData, updater)
+ p.setDirectDeployUpdateOptsForNode(ironicNode, &data.Image, updater)
}
-}
-
-func (p *ironicProvisioner) getUpdateOptsForNode(ironicNode *nodes.Node, data provisioner.ProvisionData) *clients.NodeUpdater {
- updater := clients.UpdateOptsBuilder(p.log)
-
- hasCustomDeploy := data.CustomDeploy != nil && data.CustomDeploy.Method != ""
- p.getImageUpdateOptsForNode(ironicNode, &data.Image, data.BootMode, hasCustomDeploy, updater)
-
- opts := clients.UpdateOptsData{
- "root_device": devicehints.MakeHintMap(data.RootDeviceHints),
- "capabilities": buildCapabilitiesValue(ironicNode, data.BootMode),
- }
- if data.CPUArchitecture != "" {
- opts["cpu_arch"] = data.CPUArchitecture
- }
- updater.SetPropertiesOpts(opts, ironicNode)
return updater
}
@@ -792,7 +785,7 @@ func (p *ironicProvisioner) setUpForProvisioning(ironicNode *nodes.Node, data pr
p.log.Info("starting provisioning", "node properties", ironicNode.Properties)
ironicNode, success, result, err := p.tryUpdateNode(ironicNode,
- p.getUpdateOptsForNode(ironicNode, data))
+ p.getInstanceUpdateOpts(ironicNode, data))
if !success {
return result, err
}
diff --git a/pkg/provisioner/ironic/provision_test.go b/pkg/provisioner/ironic/provision_test.go
index 72ee57b7..40c714e9 100644
--- a/pkg/provisioner/ironic/provision_test.go
+++ b/pkg/provisioner/ironic/provision_test.go
@@ -713,7 +713,7 @@ func TestGetUpdateOptsForNodeWithRootHints(t *testing.T) {
BootMode: metal3api.DefaultBootMode,
RootDeviceHints: host.Status.Provisioning.RootDeviceHints,
}
- patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+ patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
t.Logf("patches: %v", patches)
@@ -723,7 +723,7 @@ func TestGetUpdateOptsForNodeWithRootHints(t *testing.T) {
Value interface{} // the value being passed to ironic (or value associated with the key)
}{
{
- Path: "/properties/root_device",
+ Path: "/instance_info/root_device",
Value: "userdefined_devicename",
Map: map[string]string{
"name": "s== userd_devicename",
@@ -807,7 +807,7 @@ func TestGetUpdateOptsForNodeVirtual(t *testing.T) {
BootMode: metal3api.DefaultBootMode,
HardwareProfile: hwProf,
}
- patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+ patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
t.Logf("patches: %v", patches)
@@ -903,9 +903,8 @@ func TestGetUpdateOptsForNodeDell(t *testing.T) {
Image: *host.Spec.Image,
BootMode: metal3api.DefaultBootMode,
HardwareProfile: hwProf,
- CPUArchitecture: "x86_64",
}
- patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+ patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
t.Logf("patches: %v", patches)
@@ -930,10 +929,6 @@ func TestGetUpdateOptsForNodeDell(t *testing.T) {
Path: "/instance_uuid",
Value: "27720611-e5d1-45d3-ba3a-222dcfaa4ca2",
},
- {
- Path: "/properties/cpu_arch",
- Value: "x86_64",
- },
}
for _, e := range expected {
@@ -971,7 +966,7 @@ func TestGetUpdateOptsForNodeLiveIso(t *testing.T) {
Image: *host.Spec.Image,
BootMode: metal3api.DefaultBootMode,
}
- patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+ patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
t.Logf("patches: %v", patches)
@@ -1038,7 +1033,7 @@ func TestGetUpdateOptsForNodeImageToLiveIso(t *testing.T) {
Image: *host.Spec.Image,
BootMode: metal3api.DefaultBootMode,
}
- patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+ patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
t.Logf("patches: %v", patches)
@@ -1116,7 +1111,7 @@ func TestGetUpdateOptsForNodeLiveIsoToImage(t *testing.T) {
Image: *host.Spec.Image,
BootMode: metal3api.DefaultBootMode,
}
- patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+ patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
t.Logf("patches: %v", patches)
@@ -1188,7 +1183,7 @@ func TestGetUpdateOptsForNodeCustomDeploy(t *testing.T) {
BootMode: metal3api.DefaultBootMode,
CustomDeploy: host.Spec.CustomDeploy,
}
- patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+ patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
t.Logf("patches: %v", patches)
@@ -1245,7 +1240,7 @@ func TestGetUpdateOptsForNodeCustomDeployWithImage(t *testing.T) {
BootMode: metal3api.DefaultBootMode,
CustomDeploy: host.Spec.CustomDeploy,
}
- patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+ patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
t.Logf("patches: %v", patches)
@@ -1312,7 +1307,7 @@ func TestGetUpdateOptsForNodeImageToCustomDeploy(t *testing.T) {
BootMode: metal3api.DefaultBootMode,
CustomDeploy: host.Spec.CustomDeploy,
}
- patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+ patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
t.Logf("patches: %v", patches)
@@ -1405,7 +1400,7 @@ func TestGetUpdateOptsForNodeSecureBoot(t *testing.T) {
BootMode: metal3api.UEFISecureBoot,
HardwareProfile: hwProf,
}
- patches := prov.getUpdateOptsForNode(ironicNode, provData).Updates
+ patches := prov.getInstanceUpdateOpts(ironicNode, provData).Updates
t.Logf("patches: %v", patches)
diff --git a/pkg/provisioner/ironic/register.go b/pkg/provisioner/ironic/register.go
index 390e463f..9a600189 100644
--- a/pkg/provisioner/ironic/register.go
+++ b/pkg/provisioner/ironic/register.go
@@ -220,7 +220,7 @@ func (p *ironicProvisioner) Register(data provisioner.ManagementAccessData, cred
fallthrough
default:
- result, err = p.configureImages(data, ironicNode, bmcAccess)
+ result, err = p.configureNode(data, ironicNode, bmcAccess)
return result, provID, err
}
}
@@ -246,6 +246,7 @@ func (p *ironicProvisioner) enrollNode(data provisioner.ManagementAccessData, bm
DisablePowerOff: &data.DisablePowerOff,
Properties: map[string]interface{}{
"capabilities": buildCapabilitiesValue(nil, data.BootMode),
+ "cpu_arch": data.CPUArchitecture,
},
}
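Review bot: `"cpu_arch": data.CPUArchitecture` goes into the enrolment `Properties` map unconditionally, while the update path earlier in this patch only sets the key inside `if data.CPUArchitecture != ""`. A host whose architecture is not yet known would therefore be created with an empty `cpu_arch`, and the update path, which skips empty values, would presumably leave it in place; whether Ironic treats an empty string as unset is not visible here. Building the map first and adding the key under the same guard, `if data.CPUArchitecture != "" { props["cpu_arch"] = data.CPUArchitecture }`, keeps the two paths consistent. The patch also drops the `/properties/cpu_arch` expectation from TestGetUpdateOptsForNodeDell, and no visible test asserts the property on the Register path. enrollNode starts and ends outside this hunk.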
diff --git a/pkg/provisioner/ironic/register_test.go b/pkg/provisioner/ironic/register_test.go
index e6c302b5..8e524dad 100644
--- a/pkg/provisioner/ironic/register_test.go
+++ b/pkg/provisioner/ironic/register_test.go
@@ -72,7 +72,7 @@ func TestRegisterMACOptional(t *testing.T) {
assert.Equal(t, "", result.ErrorMessage)
}
-func TestRegisterCreateNodeNoImage(t *testing.T) {
+func TestRegisterCreateNode(t *testing.T) {
// Create a host without a bootMACAddress and with a BMC that
// does not require one.
host := makeHost()
@@ -146,79 +146,6 @@ func TestRegisterCreateNodeOldInspection(t *testing.T) {
assert.Equal(t, "inspector", createdNode.InspectInterface)
}
-func TestRegisterCreateWithImage(t *testing.T) {
- // Create a host with Image specified in the Spec
- host := makeHost()
- host.Status.Provisioning.ID = "" // so we don't lookup by uuid
- host.Spec.Image.URL = "theimagefoo"
- host.Spec.Image.Checksum = "thechecksumxyz"
- host.Spec.Image.ChecksumType = "auto"
-
- var createdNode *nodes.Node
-
- createCallback := func(node nodes.Node) {
- createdNode = &node
- }
-
- ironic := testserver.NewIronic(t).WithDrivers().CreateNodes(createCallback).NoNode(host.Namespace + nameSeparator + host.Name).NoNode(host.Name)
- ironic.AddDefaultResponse("/v1/nodes/node-0", "PATCH", http.StatusOK, "{}")
- ironic.Start()
- defer ironic.Stop()
-
- auth := clients.AuthConfig{Type: clients.NoAuth}
- prov, err := newProvisionerWithSettings(host, bmc.Credentials{}, nullEventPublisher, ironic.Endpoint(), auth)
- if err != nil {
- t.Fatalf("could not create provisioner: %s", err)
- }
-
- result, provID, err := prov.Register(provisioner.ManagementAccessData{CurrentImage: host.Spec.Image.DeepCopy()}, false, false)
- if err != nil {
- t.Fatalf("error from Register: %s", err)
- }
- assert.Equal(t, "", result.ErrorMessage)
- assert.Equal(t, createdNode.UUID, provID)
- assert.Equal(t, "", createdNode.DeployInterface)
- updates, _ := ironic.GetLastRequestFor("/v1/nodes/node-0", http.MethodPatch)
- assert.Contains(t, updates, "/instance_info/image_source")
- assert.Contains(t, updates, host.Spec.Image.URL)
- assert.Contains(t, updates, "/instance_info/image_checksum")
- assert.Contains(t, updates, host.Spec.Image.Checksum)
-}
-
-func TestRegisterCreateWithLiveIso(t *testing.T) {
- // Create a host with Image specified in the Spec
- host := makeHostLiveIso()
- host.Status.Provisioning.ID = "" // so we don't lookup by uuid
-
- var createdNode *nodes.Node
-
- createCallback := func(node nodes.Node) {
- createdNode = &node
- }
-
- ironic := testserver.NewIronic(t).WithDrivers().CreateNodes(createCallback).NoNode(host.Namespace + nameSeparator + host.Name).NoNode(host.Name)
- ironic.AddDefaultResponse("/v1/nodes/node-0", "PATCH", http.StatusOK, "{}")
- ironic.Start()
- defer ironic.Stop()
-
- auth := clients.AuthConfig{Type: clients.NoAuth}
- prov, err := newProvisionerWithSettings(host, bmc.Credentials{}, nullEventPublisher, ironic.Endpoint(), auth)
- if err != nil {
- t.Fatalf("could not create provisioner: %s", err)
- }
-
- result, provID, err := prov.Register(provisioner.ManagementAccessData{CurrentImage: host.Spec.Image.DeepCopy()}, false, false)
- if err != nil {
- t.Fatalf("error from Register: %s", err)
- }
- assert.Equal(t, "", result.ErrorMessage)
- assert.Equal(t, createdNode.UUID, provID)
- assert.Equal(t, "ramdisk", createdNode.DeployInterface)
- updates, _ := ironic.GetLastRequestFor("/v1/nodes/node-0", http.MethodPatch)
- assert.Contains(t, updates, "/instance_info/boot_iso")
- assert.Contains(t, updates, host.Spec.Image.URL)
-}
-
func TestRegisterExistingNode(t *testing.T) {
// Create a host without a bootMACAddress and with a BMC that
// does not require one.
@@ -342,6 +269,7 @@ func TestRegisterExistingNodeContinue(t *testing.T) {
"test_password": "******", // ironic returns a placeholder
"test_port": "42",
},
+ Properties: map[string]interface{}{"capabilities": ""},
}).NodeUpdate(nodes.Node{
UUID: "uuid",
})
@@ -521,6 +449,7 @@ func TestRegisterExistingSteadyStateNoUpdate(t *testing.T) {
DeployInterface: imageType.DeployInterface,
InstanceInfo: imageType.InstanceInfo,
DriverInfo: imageType.DriverInfo,
+ Properties: map[string]interface{}{"capabilities": ""},
}).NodeUpdate(nodes.Node{
UUID: "uuid",
})
@@ -577,6 +506,7 @@ func TestRegisterExistingNodeWaiting(t *testing.T) {
"test_password": "******", // ironic returns a placeholder
"test_port": "42",
},
+ Properties: map[string]interface{}{"capabilities": ""},
}
ironic := testserver.NewIronic(t).CreateNodes(createCallback).Node(node).NodeUpdate(nodes.Node{
UUID: "uuid",
diff --git a/pkg/provisioner/provisioner.go b/pkg/provisioner/provisioner.go
index faddd0fd..e2018e63 100644
--- a/pkg/provisioner/provisioner.go
+++ b/pkg/provisioner/provisioner.go
@@ -82,6 +82,7 @@ type ManagementAccessData struct {
PreprovisioningNetworkData string
HasCustomDeploy bool
DisablePowerOff bool
+ CPUArchitecture string
}
type AdoptData struct {
@@ -122,7 +123,6 @@ type ProvisionData struct {
HardwareProfile profile.Profile
RootDeviceHints *metal3api.RootDeviceHints
CustomDeploy *metal3api.CustomDeploy
- CPUArchitecture string
}
type HTTPHeaders []map[string]string
--
2.50.1


@@ -0,0 +1,46 @@
From 5419f8d95306efed8667936156d8081c21e068ed Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur <dtantsur@protonmail.com>
Date: Wed, 9 Jul 2025 14:02:23 +0200
Subject: [PATCH 5/5] Provide inline docs for node configuration calls
Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
(cherry picked from commit 778d9342747aefc8079f1ccaa6a14f83b26f28ff)
---
pkg/provisioner/ironic/ironic.go | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/pkg/provisioner/ironic/ironic.go b/pkg/provisioner/ironic/ironic.go
index b8e6d72b..166d929c 100644
--- a/pkg/provisioner/ironic/ironic.go
+++ b/pkg/provisioner/ironic/ironic.go
@@ -311,6 +311,10 @@ func (p *ironicProvisioner) createPXEEnabledNodePort(uuid, macAddress string) er
return nil
}
+// configureNode configures Node properties that are not related to any specific provisioning phase.
+// It populates the AutomatedClean field, as well as capabilities and architecture in Properties.
+// It also calls setDeployImage to populate IPA parameters in DriverInfo and
+// checks if the required PreprovisioningImage is provided and ready.
func (p *ironicProvisioner) configureNode(data provisioner.ManagementAccessData, ironicNode *nodes.Node, bmcAccess bmc.AccessDetails) (result provisioner.Result, err error) {
updater := clients.UpdateOptsBuilder(p.log)
@@ -426,6 +430,8 @@ func setExternalURL(p *ironicProvisioner, driverInfo map[string]interface{}) map
return driverInfo
}
+// setDeployImage configures the IPA ramdisk parameters in the Node's DriverInfo.
+// It can use either the provided PreprovisioningImage or the global configuration from ironicConfig.
func setDeployImage(config ironicConfig, accessDetails bmc.AccessDetails, hostImage *provisioner.PreprovisioningImage) clients.UpdateOptsData {
deployImageInfo := clients.UpdateOptsData{
deployKernelKey: nil,
@@ -660,6 +666,7 @@ func (p *ironicProvisioner) setCustomDeployUpdateOptsForNode(ironicNode *nodes.N
SetTopLevelOpt("deploy_interface", "custom-agent", ironicNode.DeployInterface)
}
+// getInstanceUpdateOpts constructs InstanceInfo options required to provision a Node in Ironic.
func (p *ironicProvisioner) getInstanceUpdateOpts(ironicNode *nodes.Node, data provisioner.ProvisionData) *clients.NodeUpdater {
updater := clients.UpdateOptsBuilder(p.log)
--
2.50.1


@@ -2,7 +2,7 @@
<service name="obs_scm"> <service name="obs_scm">
<param name="url">https://github.com/metal3-io/baremetal-operator</param> <param name="url">https://github.com/metal3-io/baremetal-operator</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="revision">v0.8.0</param> <param name="revision">v0.10.2</param>
<param name="version">_auto_</param> <param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param> <param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param> <param name="changesgenerate">enable</param>


@@ -17,14 +17,21 @@
Name: baremetal-operator Name: baremetal-operator
Version: 0.8.0 Version: 0.10.2
Release: 0.8.0 Release: 0
Summary: Implements a Kubernetes API for managing bare metal hosts Summary: Implements a Kubernetes API for managing bare metal hosts
License: Apache-2.0 License: Apache-2.0
URL: https://github.com/metal3-io/baremetal-operator URL: https://github.com/metal3-io/baremetal-operator
Source: baremetal-operator-%{version}.tar Source: baremetal-operator-%{version}.tar
Source1: vendor.tar.gz Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.22 # Patches related to multi-architecture support, upstream PRs #2506 #2559 #2537
Patch0: 0001-Enable-exhaustive-linter.patch
Patch1: 0002-Stop-requiring-DEPLOY_KERNEL-RAMDISK.patch
Patch2: 0003-Remove-DEPLOY_KERNEL_URL-from-deployment-scripts-for.patch
Patch3: 0004-Refactor-setting-various-Ironic-properties.patch
Patch4: 0005-Provide-inline-docs-for-node-configuration-calls.patch
BuildRequires: golang(API) = 1.24
ExcludeArch: s390 ExcludeArch: s390
ExcludeArch: %{ix86} ExcludeArch: %{ix86}


@@ -1,9 +1,9 @@
#!BuildTag: %%IMG_PREFIX%%cdi-chart:%%CHART_MAJOR%%.0.0_up0.4.0 #!BuildTag: %%CHART_PREFIX%%cdi:%%CHART_MAJOR%%.0.1_up0.6.0
#!BuildTag: %%IMG_PREFIX%%cdi-chart:%%CHART_MAJOR%%.0.0_up0.4.0-%RELEASE% #!BuildTag: %%CHART_PREFIX%%cdi:%%CHART_MAJOR%%.0.1_up0.6.0-%RELEASE%
apiVersion: v2 apiVersion: v2
appVersion: 1.60.1 appVersion: 1.62.0
description: A Helm chart for Containerized Data Importer (CDI) description: A Helm chart for Containerized Data Importer (CDI)
icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/kubevirt/icon/color/kubevirt-icon-color.svg icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/kubevirt/icon/color/kubevirt-icon-color.svg
name: cdi name: cdi
type: application type: application
version: "%%CHART_MAJOR%%.0.0+up0.4.0" version: "%%CHART_MAJOR%%.0.1+up0.6.0"


@@ -2,8 +2,8 @@
<service mode="buildtime" name="kiwi_metainfo_helper"/> <service mode="buildtime" name="kiwi_metainfo_helper"/>
<service name="replace_using_env" mode="buildtime"> <service name="replace_using_env" mode="buildtime">
<param name="file">Chart.yaml</param> <param name="file">Chart.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param> <param name="eval">CHART_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?chart_prefix})</param>
<param name="var">IMG_PREFIX</param> <param name="var">CHART_PREFIX</param>
<param name="eval">CHART_MAJOR=$(rpm --macros=/root/.rpmmacros -E %{?chart_major})</param> <param name="eval">CHART_MAJOR=$(rpm --macros=/root/.rpmmacros -E %{?chart_major})</param>
<param name="var">CHART_MAJOR</param> <param name="var">CHART_MAJOR</param>
</service> </service>


@@ -109,9 +109,9 @@ spec:
description: CDIConfig at CDI level description: CDIConfig at CDI level
properties: properties:
dataVolumeTTLSeconds: dataVolumeTTLSeconds:
description: DataVolumeTTLSeconds is the time in seconds after description: |-
DataVolume completion it can be garbage collected. Disabled DataVolumeTTLSeconds is the time in seconds after DataVolume completion it can be garbage collected. Disabled by default.
by default. Deprecated: Removed in v1.62.
format: int32 format: int32
type: integer type: integer
featureGates: featureGates:
@@ -2641,9 +2641,9 @@ spec:
description: CDIConfig at CDI level description: CDIConfig at CDI level
properties: properties:
dataVolumeTTLSeconds: dataVolumeTTLSeconds:
description: DataVolumeTTLSeconds is the time in seconds after description: |-
DataVolume completion it can be garbage collected. Disabled DataVolumeTTLSeconds is the time in seconds after DataVolume completion it can be garbage collected. Disabled by default.
by default. Deprecated: Removed in v1.62.
format: int32 format: int32
type: integer type: integer
featureGates: featureGates:


@@ -599,6 +599,8 @@ spec:
strategy: {} strategy: {}
template: template:
metadata: metadata:
annotations:
openshift.io/required-scc: restricted-v2
labels: labels:
cdi.kubevirt.io: cdi-operator cdi.kubevirt.io: cdi-operator
name: cdi-operator name: cdi-operator
@@ -606,17 +608,7 @@ spec:
prometheus.cdi.kubevirt.io: "true" prometheus.cdi.kubevirt.io: "true"
spec: spec:
affinity: affinity:
podAffinity: {{- .Values.deployment.affinity | toYaml | nindent 8 }}
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: cdi.kubevirt.io
operator: In
values:
- cdi-operator
topologyKey: kubernetes.io/hostname
weight: 1
containers: containers:
- env: - env:
- name: DEPLOY_CLUSTER_RESOURCES - name: DEPLOY_CLUSTER_RESOURCES
@@ -650,9 +642,7 @@ spec:
name: metrics name: metrics
protocol: TCP protocol: TCP
resources: resources:
requests: {{- .Values.deployment.resources | toYaml | nindent 12 }}
cpu: 100m
memory: 150Mi
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
@@ -661,6 +651,8 @@ spec:
runAsNonRoot: true runAsNonRoot: true
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
securityContext: securityContext:


@@ -19,3 +19,7 @@ spec:
workload: workload:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- with .Values.cdi.customizeComponents }}
customizeComponents:
{{- toYaml . | nindent 4 }}
{{- end }}


@@ -1,19 +1,36 @@
deployment: deployment:
version: 1.60.1-150600.3.9.1 version: 1.62.0-150700.9.3.1
operatorImage: registry.suse.com/suse/sles/15.6/cdi-operator operatorImage: registry.suse.com/suse/sles/15.7/cdi-operator
controllerImage: registry.suse.com/suse/sles/15.6/cdi-controller controllerImage: registry.suse.com/suse/sles/15.7/cdi-controller
importerImage: registry.suse.com/suse/sles/15.6/cdi-importer importerImage: registry.suse.com/suse/sles/15.7/cdi-importer
clonerImage: registry.suse.com/suse/sles/15.6/cdi-cloner clonerImage: registry.suse.com/suse/sles/15.7/cdi-cloner
apiserverImage: registry.suse.com/suse/sles/15.6/cdi-apiserver apiserverImage: registry.suse.com/suse/sles/15.7/cdi-apiserver
uploadserverImage: registry.suse.com/suse/sles/15.6/cdi-uploadserver uploadserverImage: registry.suse.com/suse/sles/15.7/cdi-uploadserver
uploadproxyImage: registry.suse.com/suse/sles/15.6/cdi-uploadproxy uploadproxyImage: registry.suse.com/suse/sles/15.7/cdi-uploadproxy
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: cdi.kubevirt.io
operator: In
values:
- cdi-operator
topologyKey: kubernetes.io/hostname
weight: 1
resources:
requests:
cpu: 100m
memory: 150Mi
cdi: cdi:
config: config:
featureGates: featureGates:
- HonorWaitForFirstConsumer - HonorWaitForFirstConsumer
imagePullPolicy: "IfNotPresent" imagePullPolicy: "IfNotPresent"
customizeComponents: {}
infra: infra:
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
@@ -25,7 +42,7 @@ cdi:
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
hookImage: rancher/kubectl:v1.30.2 hookImage: registry.rancher.com/rancher/kubectl:v1.33.1
hookRestartPolicy: OnFailure hookRestartPolicy: OnFailure
hookSecurityContext: hookSecurityContext:
seccompProfile: seccompProfile:

23
container-build-checks/.gitattributes vendored Normal file

@@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text


@@ -0,0 +1,39 @@
From 982cfa8500250c9704448880a779ade06cc8f976 Mon Sep 17 00:00:00 2001
From: Nicolas Belouin <nicolas.belouin@suse.com>
Date: Thu, 3 Apr 2025 16:53:49 +0200
Subject: [PATCH] Allow slash prefixes in registry
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
---
container-build-checks.py | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/container-build-checks.py b/container-build-checks.py
index b8c873c..d862f33 100755
--- a/container-build-checks.py
+++ b/container-build-checks.py
@@ -82,13 +82,17 @@ def verify_reference(image, result, value):
return
(registry, repo, tag) = reference_match.groups()
- allowed_registries: list[str] = config["General"].getlist("Registry")
- if len(allowed_registries) and registry not in allowed_registries:
+ raw_allowed_registries: list[str] = config["General"].getlist("Registry")
+ allowed_registries: dict[str, str] = {v[0]: v[2] for v in map(lambda a: a.partition("/"), raw_allowed_registries)}
+
+ if len(allowed_registries) and (registry not in allowed_registries.keys() or not repo.startswith(allowed_registries[registry])):
result.warn(
f"The org.opensuse.reference label ({value}) does not use an "
- f"allowed registry: {','.join(allowed_registries)}")
+ f"allowed registry: {','.join(raw_allowed_registries)}")
+
+ prefix = allowed_registries[registry]
- if f"{repo}:{tag}" not in image.containerinfo["tags"]:
+ if f"{repo[len(prefix)+1:]}:{tag}" not in image.containerinfo["tags"]:
tags = ", ".join(image.containerinfo["tags"])
result.warn(f"The org.opensuse.reference label ({value}) does not refer to an existing tag ({tags})")
elif "release" in image.containerinfo and image.containerinfo["release"] not in tag:
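Review bot: The `prefix = allowed_registries[registry]` lookup runs even when the registry has just failed the allow-list check above it, or when no `Registry` is configured, so unless `result.warn` aborts, an unlisted registry ends in a KeyError rather than a warning. The `repo.startswith(...)` test has no path-segment boundary, so an allowed prefix `foo` would also admit `foobar/...` (constructed example). An entry without a slash yields an empty prefix, for which `repo[len(prefix)+1:]` cuts the first character off `repo` before the tag comparison. The dict comprehension also keeps only the last prefix configured per registry host. The rewrite below keeps the warning text and the later tag and release checks unchanged; verify_reference starts before and continues after this hunk.

```python
raw_allowed_registries: list[str] = config["General"].getlist("Registry")
# Keep every prefix configured for a host instead of letting the last entry win.
allowed_prefixes: dict[str, list[str]] = {}
for entry in raw_allowed_registries:
    host, _, path_prefix = entry.partition("/")
    allowed_prefixes.setdefault(host, []).append(path_prefix.strip("/"))

# "" allows the whole registry; otherwise the prefix must end on a "/" boundary.
prefix = next(
    (p for p in allowed_prefixes.get(registry, [])
     if p == "" or repo.startswith(p + "/")),
    None,
)
if raw_allowed_registries and prefix is None:
    # … unchanged: result.warn(...) about the allowed registries …

# Strip the prefix only when one actually matched.
local_repo = repo[len(prefix) + 1:] if prefix else repo
if f"{local_repo}:{tag}" not in image.containerinfo["tags"]:
    # … unchanged: missing-tag warning and the release check …
```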
--
2.49.0


@@ -0,0 +1,4 @@
[General]
Vendor=com.suse
Registry=registry.suse.com
Registry+=dp.apps.rancher.io
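Review bot: The host allowed here is `dp.apps.rancher.io`, but the package changelog entry dated 22 Jul 2024 describes the same change as allowing `dp.rancher.apps.io`, so one of the two spellings is wrong. Because this list decides which registries pass the reference check, the value in this file should be confirmed against the registry actually in use and the changelog wording aligned with it. A short comment above the line, e.g. `# additional registry permitted for org.opensuse.reference labels`, would make the intent reviewable.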


@@ -0,0 +1,15 @@
<services>
<service mode="manual" name="obs_scm">
<param name="url">https://github.com/openSUSE/container-build-checks.git</param>
<param name="scm">git</param>
<param name="changesgenerate">enable</param>
</service>
<service mode="manual" name="set_version" />
<service mode="buildtime" name="tar">
<param name="obsinfo">container-build-checks.obsinfo</param>
</service>
<service mode="buildtime" name="recompress">
<param name="file">*.tar</param>
<param name="compression">xz</param>
</service>
</services>


@@ -0,0 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/openSUSE/container-build-checks.git</param>
<param name="changesrevision">412e7f60c08221a549b0f00dfcc4bee7694193ab</param></service></servicedata>

Binary file not shown.


@@ -0,0 +1,101 @@
-------------------------------------------------------------------
Mon Aug 12 11:33:57 UTC 2024 - Fabian Vogt <fvogt@suse.com>
- Update to version 1723452932.412e7f6:
* add test for missing substitutions
* Reject labels that are missing a substitution
-------------------------------------------------------------------
Mon Jul 22 13:43:57 UTC 2024 - Dirk Müller <dmueller@suse.com>
- update SUSE.conf: allow dp.rancher.apps.io
-------------------------------------------------------------------
Mon Jul 22 13:08:23 UTC 2024 - Fabian Vogt <fvogt@suse.com>
- Switch _service to mode="manual"
- Update to version 1721653643.19092fe:
* Use generic name for the python setup step
* Allow specifying more than one registry
* Use Pathlib for resolving containerinfo
* Switch to test Python 3.11
-------------------------------------------------------------------
Fri Apr 28 09:23:53 UTC 2023 - Fabian Vogt <fvogt@suse.com>
- Update to version 1682595397.5ce6d2f:
* Handle OCI style images as well
* Makefile: Add missing dependency of broken-derived on proper-base
* GitHub workflow: Update action versions
* GitHub workflow: Test python 3.6 and 3.10
-------------------------------------------------------------------
Mon Aug 8 11:37:19 UTC 2022 - Fabian Vogt <fvogt@suse.com>
- Make the URL point to GitHub
-------------------------------------------------------------------
Thu Jul 7 13:42:05 UTC 2022 - Fabian Vogt <fvogt@suse.com>
- openSUSE.conf: Allow bci/* as prefix
-------------------------------------------------------------------
Wed Apr 20 14:26:26 UTC 2022 - Fabian Vogt <fvogt@suse.com>
- Update to version 1650464301.a198cf9:
* Detect and treat local builds specially
-------------------------------------------------------------------
Mon Mar 7 09:23:46 UTC 2022 - Silvio Moioli <moio@suse.com>
- Adding Uyuni prefix for https://www.uyuni-project.org/
-------------------------------------------------------------------
Thu Feb 03 07:44:23 UTC 2022 - fvogt@suse.com
- Update to version 1643874076.3d0e13c:
* Avoid crash on local builds
-------------------------------------------------------------------
Tue Dec 14 13:49:12 UTC 2021 - fvogt@suse.com
- Update to version 1639489705.a4c5a3ab2a75:
* Don't error out when the release field is empty
* Add simple gitpod configuration
-------------------------------------------------------------------
Tue Jun 1 09:06:12 UTC 2021 - Fabian Vogt <fvogt@suse.com>
- Drop obsolete Requires: grep jq
-------------------------------------------------------------------
Fri May 28 13:57:34 UTC 2021 - Fabian Vogt <fvogt@suse.com>
- Update to version 1622209785.4616f4f:
* README.md: Point badge to new location
-------------------------------------------------------------------
Fri May 28 12:47:42 UTC 2021 - Fabian Vogt <fvogt@suse.com>
- Update to version 1622204213.c8ecb9f:
* Add options to allow and block specific tags
-------------------------------------------------------------------
Thu May 27 15:09:59 UTC 2021 - Fabian Vogt <fvogt@suse.com>
- Update to version 1622127842.b548dd8:
* Update README.md
* Add README.md
* Add broken-derived test
* Verify prefix of the image specific label prefix
* Add some comments in the Makefile
* Always check the tag used in org.opensuse.reference
* Add github workflow
* Use bash explicitly
* Make lint
* Less noise in Makefile
-------------------------------------------------------------------
Fri Apr 30 10:04:09 UTC 2021 - Fabian Vogt <fvogt@suse.com>
- Initial commit


@@ -0,0 +1,4 @@
name: container-build-checks
version: 1723452932.412e7f6
mtime: 1723452932
commit: 412e7f60c08221a549b0f00dfcc4bee7694193ab


@@ -0,0 +1,95 @@
#
# spec file for package container-build-checks
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: container-build-checks
Version: 1723452932.412e7f6
Release: 0
Summary: Scripts to validate built container images
License: GPL-2.0-or-later
Group: Development/Tools/Building
URL: https://github.com/openSUSE/container-build-checks
Patch0: 0001-Allow-slash-prefixes-in-registry.patch
Source0: %{name}-%{version}.tar.xz
Source1: openSUSE.conf
Source2: SUSE.conf
Requires: %{name}-vendor
BuildArch: noarch
%package vendor-openSUSE
Summary: openSUSE configuration for %{name}
Group: Development/Tools/Building
Requires: %{name} = %{version}
Provides: %{name}-vendor
Conflicts: %{name}-vendor
%description vendor-openSUSE
openSUSE configuration for %{name}
%package vendor-SUSE
Summary: SUSE configuration for %{name}
Group: Development/Tools/Building
Requires: %{name} = %{version}
Provides: %{name}-vendor
Conflicts: %{name}-vendor
%description vendor-SUSE
SUSE configuration for %{name}
%package strict
Summary: Strict configuration for %{name}
Group: Development/Tools/Building
%description strict
Strict configuration for %{name}
%description
This tool checks that built container images conform to the openSUSE container
image policies (https://en.opensuse.org/Building_derived_containers).
%prep
%autosetup -p1
%build
%make_build
%install
%make_install
mkdir -p %{buildroot}%{_datadir}/container-build-checks/
install -m0644 %{SOURCE1} %{buildroot}%{_datadir}/container-build-checks/openSUSE.conf
install -m0644 %{SOURCE2} %{buildroot}%{_datadir}/container-build-checks/SUSE.conf
echo -e "[General]\nFatalWarnings=true" > %{buildroot}%{_datadir}/container-build-checks/strict.conf
%files
#%doc README
%license LICENSE
%dir %{_datadir}/container-build-checks
%dir %{_prefix}/lib/build/
%dir %{_prefix}/lib/build/post-build-checks/
%{_prefix}/lib/build/post-build-checks/container-build-checks
%files vendor-openSUSE
%{_datadir}/container-build-checks/openSUSE.conf
%files vendor-SUSE
%{_datadir}/container-build-checks/SUSE.conf
%files strict
%{_datadir}/container-build-checks/strict.conf
%changelog
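Review bot: In `%install`, strict.conf is generated with `echo -e "[General]\nFatalWarnings=true"`, which depends on the build shell's `echo` honouring `-e` and backslash escapes. `printf '[General]\nFatalWarnings=true\n' > %{buildroot}%{_datadir}/container-build-checks/strict.conf` writes the same file without that dependency. The commented-out `#%doc README` in `%files` is better written `#%%doc README`, since rpm still processes `%` sequences inside comments.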


@@ -0,0 +1,10 @@
[General]
Vendor=org.opensuse
Registry=registry.opensuse.org
[Tags]
# To avoid conflicts with other stuff on the registry and
# avoid ambiguities with images on other registries.
Allowed+=opensuse/*,kubic/*,kubevirt/*,uyuni/*,bci/*
# Those are images, not available as namespaces
Blocked+=opensuse/tumbleweed/*,opensuse/leap/*


@@ -1,18 +0,0 @@
<services>
<service name="obs_scm">
<param name="url">https://github.com/rancher-government-carbide/cosign.git</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="scm">git</param>
<param name="exclude">.get</param>
<param name="revision">v2.2.3+carbide.2</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="changesgenerate">enable</param>
</service>
<service mode="buildtime" name="tar">
<param name="obsinfo">cosign.obsinfo</param>
</service>
<service mode="buildtime" name="set_version" />
<service name="go_modules">
<param name="compression">gz</param>
</service>
</services>


@@ -1,55 +0,0 @@
#
# spec file for package cosign-rgs
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define project https://github.com/hauler-dev/cosign
%define revision 49542360ffb5de63f9d2f5856b658651d5538e40
Name: cosign
Version: 0
Release: 0
Summary: Container Signing, Verification and Storage in an OCI registry
License: Apache-2.0
URL: https://github.com/rancher-government-carbide/cosign
Source: cosign-%{version}.tar
Source1: vendor.tar.gz
BuildRequires: golang-packaging
%description
%prep
%setup -q -a1 -n cosign-%{version}
%build
%goprep %{project}
DATE_FMT="+%%Y-%%m-%%dT%%H:%%M:%%SZ"
BUILD_DATE=$(date -u -d "@${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u -r "${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u "${DATE_FMT}")
CLI_PKG=sigs.k8s.io/release-utils/version
CLI_LDFLAGS="-X ${CLI_PKG}.gitVersion=%{version} -X ${CLI_PKG}.gitCommit=%{revision} -X ${CLI_PKG}.gitTreeState=release -X ${CLI_PKG}.buildDate=${BUILD_DATE}"
CGO_ENABLED=0 go build -mod=vendor -buildmode=pie -trimpath -ldflags "${CLI_LDFLAGS}" -o cosign ./cmd/cosign
%install
install -D -m 0755 cosign %{buildroot}%{_bindir}/cosign
%files
%license LICENSE
%doc *.md
%{_bindir}/cosign
%changelog


@@ -0,0 +1,12 @@
#!/bin/bash
HELM="/usr/bin/helm"
TOPDIR=/usr/src/packages/HELM
failed=0
if [ -x $HELM ]; then
$HELM lint "$TOPDIR"/*.tgz
failed=$?
fi
exit $failed
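Review bot: This check fails open: when `/usr/bin/helm` is missing or not executable, the `if [ -x $HELM ]` branch is skipped, `failed` stays 0 and the script exits successfully without linting any chart. If the `-x` test is meant as "this is not a chart build", testing for the `HELM` directory or for `.tgz` files says that directly, and a missing tool can then be reported, e.g. `else echo "helm not found at $HELM" >&2; failed=1`. `$HELM` is also unquoted in both the test and the call. With no matching chart the glob `"$TOPDIR"/*.tgz` is handed to helm as a literal pattern, which presumably shows up as a lint failure rather than as nothing to check.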


@@ -0,0 +1,159 @@
#!/usr/bin/python3
import os
import glob
import subprocess
import yaml
import sys
import pprint
AUTHORIZED_REPOS = [
"registry.suse.com/suse/sles/",
"registry.suse.com/rancher",
"registry.rancher.com",
]
EXTRA_CONFIG = None
class CheckResult:
"""Class to track count of issues"""
def __init__(self):
self.hints = 0
self.warnings = 0
self.errors = 0
def hint(self, msg):
print(f"Hint: {msg}")
self.hints += 1
def warn(self, msg):
print(f"Warning: {msg}")
self.warnings += 1
def error(self, msg):
print(f"Error: {msg}")
self.errors += 1
def tarballs():
"""Return a list of .helminfo files to check."""
if "BUILD_ROOT" not in os.environ:
# Not running in an OBS build container
return glob.glob("*.tgz")
# Running in an OBS build container
buildroot = os.environ["BUILD_ROOT"]
topdir = "/usr/src/packages"
if os.path.isdir(buildroot + "/.build.packages"):
topdir = "/.build.packages"
if os.path.islink(buildroot + "/.build.packages"):
topdir = "/" + os.readlink(buildroot + "/.build.packages")
return glob.glob(f"{buildroot}{topdir}/HELM/*.tgz")
def get_extra_config():
global EXTRA_CONFIG
if EXTRA_CONFIG is not None:
return EXTRA_CONFIG
if "BUILD_ROOT" not in os.environ:
file_path = "./.checks_helm.yaml"
else:
buildroot = os.environ["BUILD_ROOT"]
topdir = "/usr/src/packages"
file_path = f"{buildroot}{topdir}/SOURCES/.checks_helm.yaml"
try:
with open(file_path) as config_file:
EXTRA_CONFIG = yaml.safe_load(config_file)
if EXTRA_CONFIG is None: # No document in stream
EXTRA_CONFIG = {}
except OSError:
EXTRA_CONFIG = {}
return EXTRA_CONFIG
def get_extra_params():
config = get_extra_config()
args = []
for api in config.get('extra_apis', []):
args.extend(['-a', api])
return args
def is_exception(image):
config = get_extra_config()
exceptions = config.get('image_exceptions', [])
(namespace, _, _) = image.partition(':')
return namespace in exceptions
def get_template(tarball_path):
raw_templates = subprocess.check_output(
[
"helm",
"template",
tarball_path,
] + get_extra_params()
).decode()
return yaml.safe_load_all(raw_templates)
def extract_key(key, var):
if hasattr(var, "items"): # hasattr(var,'items') for python 3
for k, v in var.items(): # var.items() for python 3
if k == key:
yield v
if isinstance(v, dict):
for result in extract_key(key, v):
yield result
elif isinstance(v, list):
for d in v:
for result in extract_key(key, d):
yield result
def check_template(result, template):
if template["kind"] not in [
"Pod",
"Deployment",
"StatefulSet",
"DaemonSet",
"ReplicaSet",
"Job",
"CronJob",
]:
return
for image in extract_key("image", template):
if not image.startswith(tuple(AUTHORIZED_REPOS)) and not is_exception(image):
result.error(f"{image} is not from authorized source")
pass
def main():
result = CheckResult()
img_repo = subprocess.check_output(
[
"rpm",
"--macros=/root/.rpmmacros",
"-E",
"%{?img_repo}",
]
).strip()
if img_repo:
result.hint(f"Adding '{img_repo.decode()}' to authorized repo")
AUTHORIZED_REPOS.append(img_repo.decode())
else:
result.warn("img_repo macro not defined, will not add extra authorized repo")
for tarball in tarballs():
print(f"Looking at {tarball}")
for template in get_template(tarball):
if template: # Exclude empty templates
check_template(result, template)
ret = 0
if result.errors > 0:
print("Fatal errors found.")
ret = 1
sys.exit(ret)
if __name__ == "__main__":
main()
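Review bot: The allowlist test in `check_template` is a plain string prefix match, and two entries of `AUTHORIZED_REPOS` (`"registry.suse.com/rancher"` and `"registry.rancher.com"`) do not end in `/`, so any image reference that merely begins with those characters is accepted, including a different host or namespace whose name extends the prefix. Ending every entry at a path boundary closes this: `"registry.suse.com/rancher/",` and `"registry.rancher.com/",` in the list, and `AUTHORIZED_REPOS.append(img_repo.decode().rstrip("/") + "/")` in `main()`. Separately, `is_exception` splits at the first `:`, which cuts a reference carrying a registry port at the port rather than at the tag. The exceptions are read from `.checks_helm.yaml` in the package's own SOURCES, so they are only as trustworthy as the review that file gets.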


@@ -0,0 +1,92 @@
#!/usr/bin/python3
import json
import os
import glob
import sys
import re
class CheckResult:
"""Class to track count of issues"""
def __init__(self):
self.hints = 0
self.warnings = 0
self.errors = 0
def hint(self, msg):
print(f"Hint: {msg}")
self.hints += 1
def warn(self, msg):
print(f"Warning: {msg}")
self.warnings += 1
def error(self, msg):
print(f"Error: {msg}")
self.errors += 1
TAG_RE = re.compile(r"(.*\/)?([^:]+):([^:]+)")
def check_tags(helminfo, result):
release_tag_found = False
version_tag_found = False
for tag in helminfo["tags"]:
(tag_prefix, tag_name, tag_version) = TAG_RE.fullmatch(tag).groups()
if tag_name != helminfo.get("name"):
result.warn(
f"Tag ({tag}) doesn't use the chart name ({helminfo.get('name')})"
)
if "release" in helminfo and helminfo["release"] in tag_version:
release_tag_found = True
if tag_version.replace("_", "+") == helminfo["version"]:
version_tag_found = True
if not release_tag_found:
result.error(
"None of the tags are unique to a specific build of the image.\n"
+ "Make sure that at least one tag contains the release."
)
if not version_tag_found:
result.error(
"None of the tags is the equivalent of the chart's version.\n"
+ "Make sure that one of the tag is the chart version."
)
def helminfos():
"""Return a list of .helminfo files to check."""
if "BUILD_ROOT" not in os.environ:
# Not running in an OBS build container
return glob.glob("*.helminfo")
# Running in an OBS build container
buildroot = os.environ["BUILD_ROOT"]
topdir = "/usr/src/packages"
if os.path.isdir(buildroot + "/.build.packages"):
topdir = "/.build.packages"
if os.path.islink(buildroot + "/.build.packages"):
topdir = "/" + os.readlink(buildroot + "/.build.packages")
return glob.glob(f"{buildroot}{topdir}/HELM/*.helminfo")
def main():
result = CheckResult()
for helminfo in helminfos():
print(f"Looking at {helminfo}")
with open(helminfo, "rb") as cifile:
ci_dict = json.load(cifile)
check_tags(ci_dict, result)
ret = 0
if result.errors > 0:
print("Fatal errors found.")
ret = 1
sys.exit(ret)
if __name__ == "__main__":
main()
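Review bot: `check_tags` calls `TAG_RE.fullmatch(tag).groups()` without checking the match, so a tag with no `:` (or with a second `:` after the name) makes `fullmatch` return `None` and the check dies with an `AttributeError` traceback instead of a reported error. Guarding it keeps the failure readable: `m = TAG_RE.fullmatch(tag)`, then `if m is None: result.error(f"Malformed tag: {tag}"); continue`. The release test `helminfo["release"] in tag_version` is a substring match, so a short release string such as `0` is found in almost any version and the "unique to a specific build" error may never fire. Assuming tags follow a `version-release` form, `tag_version.endswith("-" + helminfo["release"])` would be stricter.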

340
edge-build-checks/COPYING Normal file

@@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.


@@ -0,0 +1,6 @@
[General]
Vendor=com.suse
Registry=%%IMG_REPO%%
[Tags]
Allowed=%%IMG_PREFIX%%*
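Review bot: `Allowed=%%IMG_PREFIX%%*` collapses to `Allowed=*` whenever the prefix is empty, and the `replace_using_env` service added in this commit fills `IMG_PREFIX` from `%{?img_prefix}`, which expands to nothing when the macro is undefined. In that case the tag allowlist would presumably match every tag and stop restricting anything. Either document the requirement here, e.g. `# IMG_PREFIX must be non-empty, otherwise every tag is allowed`, or make the substitution step fail when the macro is unset.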


@@ -0,0 +1,9 @@
<services>
<service name="replace_using_env" mode="buildtime">
<param name="file">SUSE-Edge.conf</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
</service>
</services>


@@ -0,0 +1,59 @@
#
# spec file for package edge-build-checks
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: edge-build-checks
Summary: post checks for build after charts and images are created
License: GPL-2.0-or-later
Group: Development/Tools/Building
Version: 0.0.1
Release: 0
Source0: COPYING
Source1: 20-helm-images
Source2: 10-helm-lint
Source3: SUSE-Edge.conf
Source4: 20-helm-tags
BuildArch: noarch
Requires: container-build-checks
Requires: python3-PyYAML
Provides: container-build-checks-vendor
%description
some scripts to check for problems in edge related helm charts and images after their creation
in OBS.
%prep
cp %{SOURCE0} .
%build
%define _lto_cflags %{nil}
# nothing to do
%install
install -d $RPM_BUILD_ROOT/usr/lib/build/post-build-checks
install -m 755 %{SOURCE1} $RPM_BUILD_ROOT/usr/lib/build/post-build-checks
install -m 755 %{SOURCE2} $RPM_BUILD_ROOT/usr/lib/build/post-build-checks
install -m 755 %{SOURCE4} $RPM_BUILD_ROOT/usr/lib/build/post-build-checks
install -d %{buildroot}%{_datadir}/container-build-checks
install -m 644 %{SOURCE3} %{buildroot}%{_datadir}/container-build-checks/SUSE-Edge.conf
%files
%license COPYING
%{_datadir}/container-build-checks
/usr/lib/build
%changelog
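Review bot: The `Requires` list names `container-build-checks` and `python3-PyYAML` but not helm, although `10-helm-lint` and `20-helm-images` both invoke it; without helm the first script exits 0 without linting and the second would raise from `subprocess.check_output`. If this package is only installed for chart builds, adding `Requires: helm` makes the dependency explicit. `%files` also lists `/usr/lib/build` and `%{_datadir}/container-build-checks` as whole trees, so this package claims directories that `container-build-checks` already owns through its `%dir` entries. Listing the three installed scripts and `SUSE-Edge.conf` individually would avoid that shared ownership.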


@@ -1,6 +1,5 @@
#!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.1.2-rc1 #!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.3.0
#!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.1.2-rc1-%RELEASE% #!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.3.0-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-base:$SLE_VERSION FROM registry.suse.com/bci/bci-base:$SLE_VERSION
MAINTAINER SUSE LLC (https://www.suse.com/) MAINTAINER SUSE LLC (https://www.suse.com/)
@@ -15,11 +14,11 @@ RUN zypper --non-interactive install --no-recommends edge-image-builder qemu-x86
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)" LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE edge-image-builder Container Image" LABEL org.opencontainers.image.title="SLE edge-image-builder Container Image"
LABEL org.opencontainers.image.description="edge-image-builder based on the SLE Base Container Image." LABEL org.opencontainers.image.description="edge-image-builder based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="1.1.2-rc1" LABEL org.opencontainers.image.version="1.3.0"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/" LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%" LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC" LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%edge-image-builder:1.1.2-rc1-%RELEASE%" LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%edge-image-builder:1.3.0-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%" LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%" LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024" LABEL com.suse.eula="SUSE Combined EULA February 2024"


@@ -7,8 +7,8 @@
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param> <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param> <param name="var">IMG_REPO</param>
<param name="file">artifacts.yaml</param> <param name="file">artifacts.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param> <param name="eval">CHART_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?chart_prefix})</param>
<param name="var">IMG_PREFIX</param> <param name="var">CHART_PREFIX</param>
<param name="eval">CHART_REPO=$(rpm --macros=/root/.rpmmacros -E %chart_repo)</param> <param name="eval">CHART_REPO=$(rpm --macros=/root/.rpmmacros -E %chart_repo)</param>
<param name="var">CHART_REPO</param> <param name="var">CHART_REPO</param>
<param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param> <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
@@ -17,4 +17,3 @@
<param name="var">CHART_MAJOR</param> <param name="var">CHART_MAJOR</param>
</service> </service>
</services> </services>


@@ -1,15 +1,19 @@
metallb: metallb:
chart: metallb-chart chart: metallb
repository: "%%CHART_REPO%%/%%IMG_PREFIX%%" repository: "%%CHART_REPO%%/%%CHART_PREFIX%%"
version: "%%CHART_MAJOR%%.0.1+up0.14.9" version: "%%CHART_MAJOR%%.0.1+up0.15.2"
endpoint-copier-operator: endpoint-copier-operator:
chart: endpoint-copier-operator-chart chart: endpoint-copier-operator
repository: "%%CHART_REPO%%/%%IMG_PREFIX%%" repository: "%%CHART_REPO%%/%%CHART_PREFIX%%"
version: "%%CHART_MAJOR%%.0.0+up0.2.1" version: "%%CHART_MAJOR%%.0.1+up0.3.0"
kubernetes: kubernetes:
k3s: k3s:
selinuxPackage: k3s-selinux-1.6-1.slemicro.noarch selinuxPackage: k3s-selinux-1.6-1.slemicro.noarch
selinuxRepository: https://rpm.rancher.io/k3s/stable/common/slemicro/noarch selinuxRepository: https://rpm.rancher.io/k3s/stable/common/slemicro/noarch
selinuxRepositoryPriority: 1
releaseURL: https://github.com/k3s-io/k3s/releases/download/
rke2: rke2:
selinuxPackage: rke2-selinux selinuxPackage: rke2-selinux
selinuxRepository: https://rpm.rancher.io/rke2/stable/common/slemicro/noarch selinuxRepository: https://rpm.rancher.io/rke2/stable/common/slemicro/noarch
selinuxRepositoryPriority: 1
releaseURL: https://github.com/rancher/rke2/releases/download/


@@ -3,11 +3,11 @@
<param name="url">https://github.com/suse-edge/edge-image-builder.git</param> <param name="url">https://github.com/suse-edge/edge-image-builder.git</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="exclude">.git</param> <param name="exclude">.git</param>
<param name="revision">v1.1.2-rc1</param> <param name="revision">v1.3.0</param>
<!-- Uncomment and set this For Pre-Release Version --> <!-- Uncomment and set this For Pre-Release Version -->
<param name="version">1.1.2~rc0</param> <!-- <param name="version">1.3.0</param> -->
<!-- Uncomment and this for regular version --> <!-- Uncomment and this for regular version -->
<!-- <param name="versionformat">@PARENT_TAG@</param> --> <param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">v(\d+).(\d+).(\d+)</param> <param name="versionrewrite-pattern">v(\d+).(\d+).(\d+)</param>
<param name="versionrewrite-replacement">\1.\2.\3</param> <param name="versionrewrite-replacement">\1.\2.\3</param>
<param name="changesgenerate">enable</param> <param name="changesgenerate">enable</param>


@@ -17,14 +17,14 @@
Name: edge-image-builder Name: edge-image-builder
Version: 1.1.2~rc1 Version: 1.3.0
Release: 0 Release: 0
Summary: Edge Image Builder Summary: Edge Image Builder
License: Apache-2.0 License: Apache-2.0
URL: https://github.com/suse-edge/edge-image-builder URL: https://github.com/suse-edge/edge-image-builder
Source: edge-image-builder-%{version}.tar Source: edge-image-builder-%{version}.tar
Source1: vendor.tar.gz Source1: vendor.tar.gz
BuildRequires: golang(API) go1.22 BuildRequires: golang(API) go1.24
BuildRequires: golang-packaging BuildRequires: golang-packaging
BuildRequires: gpgme-devel BuildRequires: gpgme-devel
BuildRequires: device-mapper-devel BuildRequires: device-mapper-devel


@@ -1,8 +1,8 @@
#!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator-chart:%%CHART_MAJOR%%.0.0_up0.2.1 #!BuildTag: %%CHART_PREFIX%%endpoint-copier-operator:%%CHART_MAJOR%%.0.1_up0.3.0
#!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator-chart:%%CHART_MAJOR%%.0.0_up0.2.1-%RELEASE% #!BuildTag: %%CHART_PREFIX%%endpoint-copier-operator:%%CHART_MAJOR%%.0.1_up0.3.0-%RELEASE%
apiVersion: v2 apiVersion: v2
appVersion: v0.2.0 appVersion: v0.3.0
description: A Helm chart for Kubernetes description: A Helm chart for Kubernetes
name: endpoint-copier-operator name: endpoint-copier-operator
type: application type: application
version: "%%CHART_MAJOR%%.0.0+up0.2.1" version: "%%CHART_MAJOR%%.0.1+up0.3.0"


@@ -9,8 +9,8 @@
</service> </service>
<service name="replace_using_env" mode="buildtime"> <service name="replace_using_env" mode="buildtime">
<param name="file">Chart.yaml</param> <param name="file">Chart.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param> <param name="eval">CHART_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?chart_prefix})</param>
<param name="var">IMG_PREFIX</param> <param name="var">CHART_PREFIX</param>
<param name="eval">CHART_MAJOR=$(rpm --macros=/root/.rpmmacros -E %{?chart_major})</param> <param name="eval">CHART_MAJOR=$(rpm --macros=/root/.rpmmacros -E %{?chart_major})</param>
<param name="var">CHART_MAJOR</param> <param name="var">CHART_MAJOR</param>
</service> </service>


@@ -20,8 +20,23 @@ spec:
labels: labels:
{{- include "endpoint-copier-operator.selectorLabels" . | nindent 8 }} {{- include "endpoint-copier-operator.selectorLabels" . | nindent 8 }}
spec: spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
securityContext: securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }} {{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
containers: containers:
- command: - command:
- /manager - /manager


@@ -7,9 +7,9 @@ metadata:
name: {{ include "endpoint-copier-operator.fullname" . }} name: {{ include "endpoint-copier-operator.fullname" . }}
rules: rules:
- apiGroups: - apiGroups:
- "" - "discovery.k8s.io"
resources: resources:
- endpoints - endpointslices
verbs: verbs:
- create - create
- delete - delete
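Review bot: The rule at `apiGroups`/`resources` now grants write verbs (`create`, `delete`, and whatever follows outside the hunk) on `endpointslices` in `discovery.k8s.io`, and nothing next to it records why the operator needs them. Write access to EndpointSlices lets the holder change which backends a Service routes to, so the rule deserves a short comment above it, for example `# the operator creates and removes the EndpointSlices it copies; keep the verbs to what the controller uses`, and a check that the binding is as narrow as the operator allows. The rules list starts and ends outside the hunk, so whether any legacy `endpoints` access remains elsewhere in the role cannot be seen from here.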


@@ -8,7 +8,7 @@ image:
repository: %%IMG_REPO%%/%%IMG_PREFIX%%endpoint-copier-operator repository: %%IMG_REPO%%/%%IMG_PREFIX%%endpoint-copier-operator
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion. # Overrides the image tag whose default is the chart appVersion.
tag: "0.2.0" tag: "0.3.0"
nameOverride: "endpoint-copier-operator" nameOverride: "endpoint-copier-operator"
fullnameOverride: "endpoint-copier-operator" fullnameOverride: "endpoint-copier-operator"
@@ -29,6 +29,8 @@ podSecurityContext:
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
priorityClassName: "system-cluster-critical"
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
@@ -37,11 +39,11 @@ securityContext:
resources: resources:
limits: limits:
cpu: 500m cpu: 100m
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi memory: 64Mi
requests:
cpu: 5m
memory: 32Mi
autoscaling: autoscaling:
enabled: false enabled: false
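Review bot: The new default `priorityClassName: "system-cluster-critical"` puts the operator pod in one of the two built-in critical classes on every install, which lets it preempt ordinary workloads under resource pressure, and the values file gives no reason for the choice. Clusters that restrict the system classes with a ResourceQuota will reject the pod outside the permitted namespaces, so the key should carry a comment such as `# critical because <reason>; set to "" to fall back to the cluster default priority` (the deployment template only renders the field when the value is non-empty). As far as the rendered hunk shows, the memory limit also drops to `64Mi` in the same change; that is worth confirming against observed usage of 0.3.0 so the now-critical pod is not OOM-killed.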


@@ -1,7 +1,6 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator:%%endpoint-copier-operator_version%% #!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator:%%endpoint-copier-operator_version%%
#!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator:%%endpoint-copier-operator_version%%-%RELEASE% #!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator:%%endpoint-copier-operator_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro


@@ -2,7 +2,7 @@
<service name="obs_scm"> <service name="obs_scm">
<param name="url">https://github.com/suse-edge/endpoint-copier-operator</param> <param name="url">https://github.com/suse-edge/endpoint-copier-operator</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="revision">v0.2.0</param> <param name="revision">v0.3.0</param>
<param name="version">_auto_</param> <param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param> <param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param> <param name="changesgenerate">enable</param>


@@ -17,14 +17,14 @@
Name: endpoint-copier-operator Name: endpoint-copier-operator
Version: 0.2.0 Version: 0.3.0
Release: 0.2.0 Release: 0.3.0
Summary: Implements a Kubernetes API for copying endpoint resources Summary: Implements a Kubernetes API for copying endpoint resources
License: Apache-2.0 License: Apache-2.0
URL: https://github.com/suse-edge/endpoint-copier-operator URL: https://github.com/suse-edge/endpoint-copier-operator
Source: endpoint-copier-operator-%{version}.tar Source: endpoint-copier-operator-%{version}.tar
Source1: vendor.tar.gz Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.20 BuildRequires: golang(API) = 1.24
ExcludeArch: s390 ExcludeArch: s390
ExcludeArch: %{ix86} ExcludeArch: %{ix86}


@@ -1,7 +1,6 @@
# SPDX-License-Identifier: MIT # SPDX-License-Identifier: MIT
#!BuildTag: %%IMG_PREFIX%%frr:8.4 #!BuildTag: %%IMG_PREFIX%%frr:10.2.1
#!BuildTag: %%IMG_PREFIX%%frr:8.4-%RELEASE% #!BuildTag: %%IMG_PREFIX%%frr:10.2.1-%RELEASE%
#!BuildVersion: 15.5
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -15,11 +14,11 @@ FROM micro AS final
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)" LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="FRR Container Image" LABEL org.opencontainers.image.title="FRR Container Image"
LABEL org.opencontainers.image.description="frr based on the SLE Base Container Image." LABEL org.opencontainers.image.description="frr based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="8.4" LABEL org.opencontainers.image.version="10.2.1"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/" LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%" LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC" LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%frr:8.4-%RELEASE%" LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%frr:10.2.1-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%" LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%" LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024" LABEL com.suse.eula="SUSE Combined EULA February 2024"


@@ -1,7 +1,6 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%frr-k8s:v%%frr-k8s_version%% #!BuildTag: %%IMG_PREFIX%%frr-k8s:v%%frr-k8s_version%%
#!BuildTag: %%IMG_PREFIX%%frr-k8s:v%%frr-k8s_version%%-%RELEASE% #!BuildTag: %%IMG_PREFIX%%frr-k8s:v%%frr-k8s_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro


@@ -2,7 +2,7 @@
<service name="obs_scm"> <service name="obs_scm">
<param name="url">https://github.com/metallb/frr-k8s</param> <param name="url">https://github.com/metallb/frr-k8s</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="revision">v0.0.14</param> <param name="revision">v0.0.20</param>
<param name="version">_auto_</param> <param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param> <param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param> <param name="changesgenerate">enable</param>


@@ -17,14 +17,14 @@
Name: frr-k8s Name: frr-k8s
Version: 0.0.14 Version: 0.0.20
Release: 0.0.14 Release: 0.0.20
Summary: A kubernetes based daemonset that exposes a subset of the FRR API in a kubernetes compliant manner. Summary: A kubernetes based daemonset that exposes a subset of the FRR API in a kubernetes compliant manner.
License: Apache-2.0 License: Apache-2.0
URL: https://github.com/metallb/frr-k8s URL: https://github.com/metallb/frr-k8s
Source: frr-k8s-%{version}.tar Source: frr-k8s-%{version}.tar
Source1: vendor.tar.gz Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.22 BuildRequires: golang(API) = 1.24
ExcludeArch: s390 ExcludeArch: s390
ExcludeArch: %{ix86} ExcludeArch: %{ix86}


@@ -4,7 +4,7 @@
<param name="versionformat">@PARENT_TAG@</param> <param name="versionformat">@PARENT_TAG@</param>
<param name="scm">git</param> <param name="scm">git</param>
<param name="exclude">.get</param> <param name="exclude">.get</param>
<param name="revision">v1.0.7</param> <param name="revision">v1.2.5</param>
<param name="versionrewrite-pattern">v(.*)</param> <param name="versionrewrite-pattern">v(.*)</param>
<param name="changesgenerate">enable</param> <param name="changesgenerate">enable</param>
</service> </service>
@@ -15,4 +15,13 @@
<service name="go_modules"> <service name="go_modules">
<param name="compression">gz</param> <param name="compression">gz</param>
</service> </service>
<service mode="buildtime" name="replace_using_env">
<param name="file">hauler.spec</param>
<param name="var">SOURCE_COMMIT</param>
<param name="eval">
SOURCE_COMMIT=$(grep commit hauler.obsinfo | cut -d" " -f2)
</param>
<param name="verbose">1</param>
</service>
<service mode="buildtime" name="set_version" />
</services> </services>
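Review bot: The `eval` of the new `replace_using_env` service runs `grep commit hauler.obsinfo`, which matches any line containing that word, so a second matching line would put a multi-line value into `%%SOURCE_COMMIT%%` in hauler.spec. Anchoring the match to the key keeps the substituted value to the single hash: `SOURCE_COMMIT=$(grep '^commit:' hauler.obsinfo | cut -d" " -f2)`. Because the spec passes the value on to the linker flags of the build, the service should also fail when the result is empty rather than stamp an empty commit into the binary.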


@@ -18,7 +18,7 @@
%define project github.com/hauler-dev/hauler %define project github.com/hauler-dev/hauler
Name: hauler Name: hauler
Version: 1.0.7 Version: 1.2.5
Release: 0 Release: 0
Summary: Airgap Swiss Army Knife Summary: Airgap Swiss Army Knife
License: Apache-2.0 License: Apache-2.0
@@ -26,7 +26,6 @@ URL: https://github.com/hauler-dev/hauler
Source: hauler-%{version}.tar Source: hauler-%{version}.tar
Source1: vendor.tar.gz Source1: vendor.tar.gz
BuildRequires: golang-packaging BuildRequires: golang-packaging
BuildRequires: cosign
%description %description
@@ -38,10 +37,18 @@ BuildRequires: cosign
tar -xf %{SOURCE1} tar -xf %{SOURCE1}
mkdir cmd/hauler/binaries MODULE=hauler.dev/go/hauler
cp `which cosign` cmd/hauler/binaries/cosign-linux-%{go_arch} %define buildtime %(date +%%Y-%%m-%%dT%%H:%%M:%%S%%z)
%define buildcommit %%SOURCE_COMMIT%%
go build -mod=vendor -buildmode=pie -o hauler ./cmd/hauler
go build \
-mod=vendor \
-buildmode=pie \
-o hauler \
-ldflags \
"-X $MODULE/internal/version.gitVersion=v%{version} -X $MODULE/internal/version.gitCommit=%{buildcommit} -X $MODULE/internal/version.buildDate=%{buildtime}" \
./cmd/hauler
%install %install
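Review bot: `%define buildtime %(date +%%Y-%%m-%%dT%%H:%%M:%%S%%z)` stamps the build host's wall-clock time into the binary through `-X $MODULE/internal/version.buildDate=%{buildtime}`, so two builds of the same source no longer produce identical output and the package cannot be checked by rebuilding it. Deriving the value from `SOURCE_DATE_EPOCH` when it is set avoids that, e.g. `%define buildtime %(date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%%s)}" +%%Y-%%m-%%dT%%H:%%M:%%SZ)`; whether the variable is already available when the spec is parsed in this build environment needs checking. The `%build` section starts outside the hunk.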


@@ -1,21 +1,14 @@
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.3 #!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.4
#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.3-%RELEASE% #!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.4-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
#!ArchExclusiveLine: x86_64 RUN zypper -n in --no-recommends shim-x86_64 shim-aarch64 grub2-x86_64-efi grub2-arm64-efi dosfstools mtools
RUN if [ "$(uname -m)" = "x86_64" ];then \
zypper -n in --no-recommends gcc git make xz-devel shim dosfstools mtools glibc-extra grub2-x86_64-efi grub2; zypper -n clean; rm -rf /var/log/*; \
fi
#!ArchExclusiveLine: aarch64
RUN if [ "$(uname -m)" = "aarch64" ];then \
zypper -n rm kubic-locale-archive-2.31-10.36.noarch openssl-1_1-1.1.1l-150500.17.37.1.aarch64; zypper -n in --no-recommends gcc git make xz-devel openssl-3 mokutil shim dosfstools mtools glibc glibc-extra grub2 grub2-arm64-efi; zypper -n clean; rm -rf /var/log/* ;\
fi
WORKDIR /tmp WORKDIR /tmp
COPY prepare-efi.sh /bin/ COPY prepare-efi.sh /bin/
RUN set -euo pipefail; chmod +x /bin/prepare-efi.sh RUN set -euo pipefail; chmod +x /bin/prepare-efi.sh
@@ -26,11 +19,11 @@ RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes
#!ArchExclusiveLine: x86_64 #!ArchExclusiveLine: x86_64
RUN if [ "$(uname -m)" = "x86_64" ];then \ RUN if [ "$(uname -m)" = "x86_64" ];then \
zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api; \ zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
fi fi
#!ArchExclusiveLine: aarch64 #!ArchExclusiveLine: aarch64
RUN if [ "$(uname -m)" = "aarch64" ];then \ RUN if [ "$(uname -m)" = "aarch64" ];then \
zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api; \ zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
fi fi
# DATABASE # DATABASE
@@ -38,7 +31,9 @@ RUN mkdir -p /installroot/var/lib/ironic && \
/installroot/usr/bin/sqlite3 /installroot/var/lib/ironic/ironic.sqlite "pragma journal_mode=wal" && \ /installroot/usr/bin/sqlite3 /installroot/var/lib/ironic/ironic.sqlite "pragma journal_mode=wal" && \
zypper --installroot /installroot --non-interactive remove sqlite3 zypper --installroot /installroot --non-interactive remove sqlite3
# build actual image
FROM micro AS final FROM micro AS final
MAINTAINER SUSE LLC (https://www.suse.com/) MAINTAINER SUSE LLC (https://www.suse.com/)
# Define labels according to https://en.opensuse.org/Building_derived_containers # Define labels according to https://en.opensuse.org/Building_derived_containers
LABEL org.opencontainers.image.title="SLE Openstack Ironic Container Image" LABEL org.opencontainers.image.title="SLE Openstack Ironic Container Image"
@@ -46,8 +41,8 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/" LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%" LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC" LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opencontainers.image.version="26.1.2.3" LABEL org.opencontainers.image.version="29.0.4.4"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:26.1.2.3-%RELEASE%" LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:29.0.4.4-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%" LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%" LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024" LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -68,14 +63,19 @@ RUN echo 'alias mkisofs="xorriso -as mkisofs"' >> ~/.bashrc
COPY mkisofs_wrapper /usr/bin/mkisofs COPY mkisofs_wrapper /usr/bin/mkisofs
RUN set -euo pipefail; chmod +x /usr/bin/mkisofs RUN set -euo pipefail; chmod +x /usr/bin/mkisofs
COPY auth-common.sh configure-ironic.sh ironic-common.sh rundnsmasq runhttpd runironic runlogwatch.sh tls-common.sh configure-nonroot.sh ironic-probe.j2 /bin/
RUN set -euo pipefail; chmod +x /bin/auth-common.sh; chmod +x /bin/configure-ironic.sh; chmod +x /bin/ironic-common.sh; chmod +x /bin/rundnsmasq; chmod +x /bin/runhttpd; chmod +x /bin/runironic; chmod +x /bin/runlogwatch.sh; chmod +x /bin/tls-common.sh; chmod +x /bin/configure-nonroot.sh;
RUN mkdir -p /tftpboot RUN mkdir -p /tftpboot
RUN mkdir -p $GRUB_DIR RUN mkdir -p $GRUB_DIR
# No need to support the Legacy BIOS boot COPY scripts/ /bin/
#RUN cp /usr/share/syslinux/pxelinux.0 /tftpboot COPY configure-nonroot.sh /bin/
#RUN cp /usr/share/syslinux/chain.c32 /tftpboot/ RUN set -euo pipefail; chmod +x /bin/configure-ironic.sh /bin/ironic-probe.sh /bin/rundatabase-upgrade /bin/rundnsmasq /bin/runhttpd /bin/runironic /bin/runlogwatch.sh /bin/runonline-data-migrations /bin/configure-nonroot.sh
RUN mv /bin/ironic-probe.sh /bin/ironic-readiness
RUN cp /bin/ironic-readiness /bin/ironic-liveness
COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 \
ironic-config/ipxe_config.template ironic-config/dnsmasq.conf.j2 \
/tmp/
# IRONIC # # IRONIC #
RUN cp /usr/share/ipxe/undionly.kpxe /tftpboot/undionly.kpxe RUN cp /usr/share/ipxe/undionly.kpxe /tftpboot/undionly.kpxe
@@ -83,30 +83,24 @@ RUN cp /usr/share/ipxe/undionly.kpxe /tftpboot/undionly.kpxe
RUN if [ "$(uname -m)" = "x86_64" ];then \ RUN if [ "$(uname -m)" = "x86_64" ];then \
cp /usr/share/ipxe/ipxe-x86_64.efi /tftpboot/ipxe.efi ;\ cp /usr/share/ipxe/ipxe-x86_64.efi /tftpboot/ipxe.efi ;\
fi fi
#!ArchExclusiveLine: x86_64 #!ArchExclusiveLine: aarch64
RUN if [ "$(uname -m)" = "aarch64" ]; then\ RUN if [ "$(uname -m)" = "aarch64" ]; then\
cp /usr/share/ipxe/snp-arm64.efi /tftpboot/ipxe.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp-arm64.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp.efi ;\ cp /usr/share/ipxe/snp-arm64.efi /tftpboot/ipxe.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp-arm64.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp.efi ;\
fi fi
COPY --from=base /tmp/esp.img /tmp/uefi_esp.img COPY --from=base /tmp/uefi_esp_*.img /templates/
COPY ironic.conf.j2 /etc/ironic/ COPY ironic-config/ironic.conf.j2 ironic-config/network-data-schema-empty.json /etc/ironic/
COPY inspector.ipxe.j2 httpd-ironic-api.conf.j2 ipxe_config.template /tmp/
COPY network-data-schema-empty.json /etc/ironic/
# DNSMASQ
COPY dnsmasq.conf.j2 /etc/
# Custom httpd config, removes all but the bare minimum needed modules
COPY httpd.conf.j2 /etc/httpd/conf/
COPY httpd-modules.conf /etc/httpd/conf.modules.d/
COPY apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
COPY apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
# Workaround # Workaround
# Removing the 010-ironic.conf file that comes with the package # Removing the 010-ironic.conf file that comes with the package
RUN rm /etc/ironic/ironic.conf.d/010-ironic.conf RUN rm /etc/ironic/ironic.conf.d/010-ironic.conf
# Custom httpd config, removes all but the bare minimum needed modules
COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
COPY ironic-config/apache2-vmedia.conf.j2 /tmp/httpd-vmedia.conf.j2
COPY ironic-config/apache2-ipxe.conf.j2 /tmp/httpd-ipxe.conf.j2
# configure non-root user and set relevant permissions # configure non-root user and set relevant permissions
RUN configure-nonroot.sh && \ RUN configure-nonroot.sh && rm -f /bin/configure-nonroot.sh
rm -f /bin/configure-nonroot.sh
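Review bot: The configuration templates are now copied into `/tmp` (`COPY ironic-config/apache2-vmedia.conf.j2 /tmp/httpd-vmedia.conf.j2`, the ipxe one, and the `inspector.ipxe.j2` / `httpd-ironic-api.conf.j2` / `dnsmasq.conf.j2` group). That directory is normally writable by every user in the container and is commonly replaced by an empty volume at run time. Presumably the scripts copied from `scripts/` render the server configuration from these files at start-up, so a missing or modified template would change what httpd and dnsmasq are started with. The same file already uses a dedicated `/templates/` directory for the ESP images, and keeping the templates there, root-owned and not writable by the runtime user, would be consistent: `COPY ironic-config/apache2-vmedia.conf.j2 /templates/httpd-vmedia.conf.j2`, with the paths in the render scripts adjusted to match. Those scripts are not part of this view, so the paths they read need confirming first.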


@@ -1,27 +0,0 @@
Listen {{ env.VMEDIA_TLS_PORT }}
<VirtualHost *:{{ env.VMEDIA_TLS_PORT }}>
ErrorLog /dev/stderr
LogLevel debug
CustomLog /dev/stdout combined
SSLEngine on
SSLProtocol {{ env.IRONIC_VMEDIA_SSL_PROTOCOL }}
SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}
<Directory "/shared">
AllowOverride None
Require all granted
</Directory>
<Directory "/shared/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
<Location ~ "^/(redfish|ilo)/">
SSLRequireSSL
</Location>


@@ -1,59 +0,0 @@
#!/usr/bin/bash
set -euxo pipefail
export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
# Backward compatibility
if [[ "${IRONIC_DEPLOYMENT:-}" == "Conductor" ]]; then
export IRONIC_EXPOSE_JSON_RPC=true
else
export IRONIC_EXPOSE_JSON_RPC="${IRONIC_EXPOSE_JSON_RPC:-false}"
fi
IRONIC_HTPASSWD_FILE=/etc/ironic/htpasswd
if [[ -f "/auth/ironic/htpasswd" ]]; then
IRONIC_HTPASSWD=$(</auth/ironic/htpasswd)
fi
export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
configure_client_basic_auth()
{
local auth_config_file="/auth/$1/auth-config"
local dest="${2:-/etc/ironic/ironic.conf}"
if [[ -f "${auth_config_file}" ]]; then
# Merge configurations in the "auth" directory into the default ironic configuration file
crudini --merge "${dest}" < "${auth_config_file}"
fi
}
configure_json_rpc_auth()
{
if [[ "${IRONIC_EXPOSE_JSON_RPC}" == "true" ]]; then
if [[ -z "${IRONIC_HTPASSWD}" ]]; then
echo "FATAL: enabling JSON RPC requires authentication"
exit 1
fi
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
fi
}
configure_ironic_auth()
{
local config=/etc/ironic/ironic.conf
# Configure HTTP basic auth for API server
if [[ -n "${IRONIC_HTPASSWD}" ]]; then
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "false" ]]; then
crudini --set "${config}" DEFAULT auth_strategy http_basic
crudini --set "${config}" DEFAULT http_basic_auth_user_file "${IRONIC_HTPASSWD_FILE}"
fi
fi
}
write_htpasswd_files()
{
if [[ -n "${IRONIC_HTPASSWD:-}" ]]; then
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
fi
}


@@ -1,119 +0,0 @@
#!/usr/bin/bash
set -euxo pipefail
IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}"
# Define the VLAN interfaces to be included in introspection report, e.g.
# all - all VLANs on all interfaces using LLDP information
# <interface> - all VLANs on a particular interface using LLDP information
# <interface.vlan> - a particular VLAN on an interface, not relying on LLDP
export IRONIC_ENABLE_VLAN_INTERFACES=${IRONIC_ENABLE_VLAN_INTERFACES:-${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}}
# shellcheck disable=SC1091
. /bin/tls-common.sh
# shellcheck disable=SC1091
. /bin/ironic-common.sh
# shellcheck disable=SC1091
. /bin/auth-common.sh
export HTTP_PORT=${HTTP_PORT:-80}
export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true}
if [[ "$IRONIC_USE_MARIADB" == "true" ]]; then
MARIADB_PASSWORD=${MARIADB_PASSWORD}
MARIADB_DATABASE=${MARIADB_DATABASE:-ironic}
MARIADB_USER=${MARIADB_USER:-ironic}
MARIADB_HOST=${MARIADB_HOST:-127.0.0.1}
export MARIADB_CONNECTION="mysql+pymysql://${MARIADB_USER}:${MARIADB_PASSWORD}@${MARIADB_HOST}/${MARIADB_DATABASE}?charset=utf8"
if [[ "$MARIADB_TLS_ENABLED" == "true" ]]; then
export MARIADB_CONNECTION="${MARIADB_CONNECTION}&ssl=on&ssl_ca=${MARIADB_CACERT_FILE}"
fi
fi
# TODO(dtantsur): remove the explicit default once we get
# https://review.opendev.org/761185 in the repositories
NUMPROC="$(grep -c "^processor" /proc/cpuinfo)"
if [[ "$NUMPROC" -lt 4 ]]; then
NUMPROC=4
fi
export NUMWORKERS=${NUMWORKERS:-$NUMPROC}
# Whether to enable fast_track provisioning or not
export IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true}
# Whether cleaning disks before and after deployment
export IRONIC_AUTOMATED_CLEAN=${IRONIC_AUTOMATED_CLEAN:-true}
# Wheter to enable the sensor data collection
export SEND_SENSOR_DATA=${SEND_SENSOR_DATA:-false}
# Set of collectors that should be used with IPA inspection
export IRONIC_IPA_COLLECTORS=${IRONIC_IPA_COLLECTORS:-default,logs}
wait_for_interface_or_ip
# Hostname to use for the current conductor instance.
export IRONIC_CONDUCTOR_HOST=${IRONIC_CONDUCTOR_HOST:-${IRONIC_URL_HOST}}
export IRONIC_BASE_URL=${IRONIC_BASE_URL:-"${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"}
if [[ -n "$IRONIC_EXTERNAL_IP" ]]; then
export IRONIC_EXTERNAL_CALLBACK_URL=${IRONIC_EXTERNAL_CALLBACK_URL:-"${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"}
if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"https://${IRONIC_EXTERNAL_IP}:${VMEDIA_TLS_PORT}"}
else
export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"http://${IRONIC_EXTERNAL_IP}:${HTTP_PORT}"}
fi
fi
IMAGE_CACHE_PREFIX=/shared/html/images/ironic-python-agent
if [[ -f "${IMAGE_CACHE_PREFIX}.kernel" ]] && [[ -f "${IMAGE_CACHE_PREFIX}.initramfs" ]]; then
export IRONIC_DEFAULT_KERNEL="${IMAGE_CACHE_PREFIX}.kernel"
export IRONIC_DEFAULT_RAMDISK="${IMAGE_CACHE_PREFIX}.initramfs"
fi
if [[ -f /etc/ironic/ironic.conf ]]; then
# Make a copy of the original supposed empty configuration file
cp /etc/ironic/ironic.conf /etc/ironic/ironic.conf_orig
fi
# oslo.config also supports Config Opts From Environment, log them to stdout
echo 'Options set from Environment variables'
env | grep "^OS_" || true
mkdir -p /shared/html
mkdir -p /shared/ironic_prometheus_exporter
configure_json_rpc_auth
if [[ -f /proc/sys/crypto/fips_enabled ]]; then
ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)
export ENABLE_FIPS_IPA
fi
# The original ironic.conf is empty, and can be found in ironic.conf_orig
render_j2_config /etc/ironic/ironic.conf.j2 /etc/ironic/ironic.conf
configure_client_basic_auth ironic-rpc
# Make sure ironic traffic bypasses any proxies
export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
PROBE_CURL_ARGS=
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
if [[ "${IRONIC_PRIVATE_PORT}" == "unix" ]]; then
PROBE_URL="http://127.0.0.1:6385"
PROBE_CURL_ARGS="--unix-socket /shared/ironic.sock"
else
PROBE_URL="http://127.0.0.1:${IRONIC_PRIVATE_PORT}"
fi
else
PROBE_URL="${IRONIC_BASE_URL}"
fi
export PROBE_CURL_ARGS
export PROBE_URL
PROBE_KIND=readiness render_j2_config /bin/ironic-probe.j2 /bin/ironic-readiness
PROBE_KIND=liveness render_j2_config /bin/ironic-probe.j2 /bin/ironic-liveness

57
ironic-image/configure-nonroot.sh Normal file → Executable file

@@ -1,53 +1,70 @@
#!/usr/bin/bash #!/usr/bin/bash
# This script changes permissions to allow Ironic container to run as non-root
# user. As the same image is used to run ironic, ironic-httpd, ironic-dsnmasq,
# and ironic-log-watch via BMO's ironic k8s manifest, it has
# to be configured to work with multiple different users and groups, while they
# share files via bind mounts (/shared, /certs/*), which can only get one
# group id as "fsGroup". Additionally, dnsmasq needs three capabilities to run
# which we provide via "setcap", and "allowPrivilegeEscalation: true" in
# manifest.
set -eux
# user and group are from ironic rpms (uid 997, gid 994)
NONROOT_UID=10475 NONROOT_UID=10475
NONROOT_GID=10475 NONROOT_GID=10475
USER="ironic-suse" IRONIC_USER="ironic-suse"
IRONIC_GROUP="ironic-suse"
groupadd -r -g ${NONROOT_GID} ${USER} groupadd -r -g ${NONROOT_GID} ${IRONIC_GROUP}
useradd -r -g ${NONROOT_GID} \ useradd -r -g ${NONROOT_GID} \
-u ${NONROOT_UID} \ -u ${NONROOT_UID} \
-d /var/lib/ironic \ -d /var/lib/ironic \
-s /sbin/nologin \ -s /sbin/nologin \
${USER} ${IRONIC_USER}
# create ironic's http_root directory # most containers mount /shared but dnsmasq can live without it
mkdir -p /shared/html mkdir -p /shared
chown "${NONROOT_UID}":"${NONROOT_GID}" /shared/html mkdir -p /data
mkdir -p /conf
chown "${IRONIC_USER}":"${IRONIC_GROUP}" /shared
chown "${IRONIC_USER}":"${IRONIC_GROUP}" /data
chown "${IRONIC_USER}":"${IRONIC_GROUP}" /conf
# we'll bind mount shared ca and ironic certificate dirs here # we'll bind mount shared ca and ironic certificate dirs here
# that need to have correct ownership as the entire ironic in BMO # that need to have correct ownership as the entire ironic in BMO
# deployment shares a single fsGroup in manifest's securityContext # deployment shares a single fsGroup in manifest's securityContext
mkdir -p /certs/ca mkdir -p /certs/ca
chown "${NONROOT_UID}":"${NONROOT_GID}" /certs{,/ca} chown "${IRONIC_USER}":"${IRONIC_GROUP}" /certs{,/ca}
chmod 2775 /certs{,/ca} chmod 2775 /certs{,/ca}
# apache2 permission changes # apache2 permission changes
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/apache2 chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/apache2
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /run chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /run
# ironic and httpd related changes # ironic and httpd related changes
mkdir -p /etc/httpd/conf.d mkdir -p /etc/httpd/conf.d
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/ironic /etc/httpd /etc/httpd chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/ironic /etc/httpd/conf /etc/httpd/conf.d /etc/httpd/conf.modules.d/
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/log chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d /etc/httpd/conf.modules.d/
chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d #chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*
chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/* chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.modules.d/*
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ironic chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /var/lib/ironic
chmod 2775 /var/lib/ironic
chmod 664 /var/lib/ironic/ironic.sqlite chmod 664 /var/lib/ironic/ironic.sqlite
# dnsmasq, and the capabilities required to run it as non-root user # dnsmasq, and the capabilities required to run it as non-root user
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/dnsmasq.conf /var/lib/dnsmasq chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/dnsmasq.conf
chmod 2775 /var/lib/dnsmasq #handled at chart level
touch /var/lib/dnsmasq/dnsmasq.leases #setcap "cap_net_raw,cap_net_admin,cap_net_bind_service=+eip" /usr/sbin/dnsmasq
chmod 664 /etc/dnsmasq.conf /var/lib/dnsmasq/dnsmasq.leases
# ca-certificates permission changes # ca-certificates permission changes
touch /var/lib/ca-certificates/ca-bundle.pem.new touch /var/lib/ca-certificates/ca-bundle.pem.new
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ca-certificates/ chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /var/lib/ca-certificates/
chmod -R +w /var/lib/ca-certificates/ chmod -R +w /var/lib/ca-certificates/
# probes that are created before start # probes that are created before start
touch /bin/ironic-{readi,live}ness touch /bin/ironic-{readi,live}ness
chown root:"${NONROOT_GID}" /bin/ironic-{readi,live}ness chown root:"${IRONIC_GROUP}" /bin/ironic-{readi,live}ness
chmod 775 /bin/ironic-{readi,live}ness chmod 775 /bin/ironic-{readi,live}ness
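Review bot: `chmod 775 /bin/ironic-{readi,live}ness` with group `${IRONIC_GROUP}` leaves both probe executables writable by the runtime group, although the Dockerfile in this commit now installs them at build time (`mv /bin/ironic-probe.sh /bin/ironic-readiness` and the `cp` after it) where the removed configure-ironic.sh rendered them at start-up. If the new start-up scripts, which are not shown here, no longer rewrite them, the runtime user should not be able to replace what are presumably the health-check commands; `chmod 755 /bin/ironic-{readi,live}ness` would do, and the `touch` and the "probes that are created before start" comment can go. Separately, the added comment `# user and group are from ironic rpms (uid 997, gid 994)` sits directly above `NONROOT_UID=10475`, so it should say which IDs the script actually assigns.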


@@ -1,57 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
{% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
Listen {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
<VirtualHost *:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
{% else %}
Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
<VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
{% endif %}
{% if env.IRONIC_INSPECTOR_PRIVATE_PORT == "unix" %}
ProxyPass "/" "unix:/shared/inspector.sock|http://127.0.0.1/"
ProxyPassReverse "/" "unix:/shared/inspector.sock|http://127.0.0.1/"
{% else %}
ProxyPass "/" "http://127.0.0.1:{{ env.IRONIC_INSPECTOR_PRIVATE_PORT }}/"
ProxyPassReverse "/" "http://127.0.0.1:{{ env.IRONIC_INSPECTOR_PRIVATE_PORT }}/"
{% endif %}
SetEnv APACHE_RUN_USER ironic-suse
SetEnv APACHE_RUN_GROUP ironic-suse
ErrorLog /dev/stdout
LogLevel debug
CustomLog /dev/stdout combined
SSLEngine On
SSLProtocol {{ env.IRONIC_SSL_PROTOCOL }}
SSLCertificateFile {{ env.IRONIC_INSPECTOR_CERT_FILE }}
SSLCertificateKeyFile {{ env.IRONIC_INSPECTOR_KEY_FILE }}
{% if "INSPECTOR_HTPASSWD" in env and env.INSPECTOR_HTPASSWD | length %}
<Location / >
AuthType Basic
AuthName "Restricted area"
AuthUserFile "/etc/ironic-inspector/htpasswd"
Require valid-user
</Location>
<Location ~ "^/(v1/?)?$" >
Require all granted
</Location>
<Location /v1/continue >
Require all granted
</Location>
{% endif %}
</VirtualHost>


@@ -1,10 +0,0 @@
#!ipxe
:retry_boot
echo In inspector.ipxe
imgfree
# NOTE(dtantsur): keep inspection kernel params in [mdns]params in
# ironic-inspector-image and configuration in configure-ironic.sh
kernel --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
initrd --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.initramfs || goto retry_boot
boot


@@ -1,107 +0,0 @@
#!/usr/bin/bash
set -euxo pipefail
IRONIC_IP="${IRONIC_IP:-}"
PROVISIONING_INTERFACE="${PROVISIONING_INTERFACE:-}"
PROVISIONING_IP="${PROVISIONING_IP:-}"
PROVISIONING_MACS="${PROVISIONING_MACS:-}"
IPXE_CUSTOM_FIRMWARE_DIR="${IPXE_CUSTOM_FIRMWARE_DIR:-/shared/custom_ipxe_firmware}"
get_provisioning_interface()
{
if [[ -n "$PROVISIONING_INTERFACE" ]]; then
# don't override the PROVISIONING_INTERFACE if one is provided
echo "$PROVISIONING_INTERFACE"
return
fi
local interface="provisioning"
if [[ -n "${PROVISIONING_IP}" ]]; then
if ip -br addr show | grep -qi " ${PROVISIONING_IP}/"; then
interface="$(ip -br addr show | grep -i " ${PROVISIONING_IP}/" | cut -f 1 -d ' ' | cut -f 1 -d '@')"
fi
fi
for mac in ${PROVISIONING_MACS//,/ }; do
if ip -br link show up | grep -qi "$mac"; then
interface="$(ip -br link show up | grep -i "$mac" | cut -f 1 -d ' ' | cut -f 1 -d '@')"
break
fi
done
echo "$interface"
}
PROVISIONING_INTERFACE="$(get_provisioning_interface)"
export PROVISIONING_INTERFACE
export LISTEN_ALL_INTERFACES="${LISTEN_ALL_INTERFACES:-true}"
# Wait for the interface or IP to be up, sets $IRONIC_IP
wait_for_interface_or_ip()
{
# If $PROVISIONING_IP is specified, then we wait for that to become available on an interface, otherwise we look at $PROVISIONING_INTERFACE for an IP
if [[ -n "$PROVISIONING_IP" ]]; then
# Convert the address using ipcalc which strips out the subnet. For IPv6 addresses, this will give the short-form address
IRONIC_IP="$(ipcalc "${PROVISIONING_IP}" | grep "^Address:" | awk '{print $2}')"
export IRONIC_IP
until grep -F " ${IRONIC_IP}/" <(ip -br addr show); do
echo "Waiting for ${IRONIC_IP} to be configured on an interface"
sleep 1
done
else
until [[ -n "$IRONIC_IP" ]]; do
echo "Waiting for ${PROVISIONING_INTERFACE} interface to be configured"
IRONIC_IP="$(ip -br add show scope global up dev "${PROVISIONING_INTERFACE}" | awk '{print $3}' | sed -e 's%/.*%%' | head -n 1)"
export IRONIC_IP
sleep 1
done
fi
# If the IP contains a colon, then it's an IPv6 address, and the HTTP
# host needs surrounding with brackets
if [[ "$IRONIC_IP" =~ .*:.* ]]; then
export IPV=6
export IRONIC_URL_HOST="[$IRONIC_IP]"
else
export IPV=4
export IRONIC_URL_HOST="$IRONIC_IP"
fi
}
render_j2_config()
{
ls $1 # DEBUG
python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1"
python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
ls $2 # DEBUG
}
run_ironic_dbsync()
{
if [[ "${IRONIC_USE_MARIADB:-true}" == "true" ]]; then
# It's possible for the dbsync to fail if mariadb is not up yet, so
# retry until success
until ironic-dbsync --config-file /etc/ironic/ironic.conf upgrade; do
echo "WARNING: ironic-dbsync failed, retrying"
sleep 1
done
else
# SQLite does not support some statements. Fortunately, we can just create
# the schema in one go if not already created, instead of going through an upgrade
DB_VERSION="$(ironic-dbsync --config-file /etc/ironic/ironic.conf version)"
if [[ "${DB_VERSION}" == "None" ]]; then
ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
fi
fi
}
# Use the special value "unix" for unix sockets
export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-unix}
export IRONIC_ACCESS_PORT=${IRONIC_ACCESS_PORT:-6385}
export IRONIC_LISTEN_PORT=${IRONIC_LISTEN_PORT:-$IRONIC_ACCESS_PORT}
export IRONIC_ENABLE_DISCOVERY=${IRONIC_ENABLE_DISCOVERY:-${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}}


@@ -1,4 +1,5 @@
Listen {{ env.IPXE_TLS_PORT }} Listen 0.0.0.0:{{ env.IPXE_TLS_PORT }}
Listen [::]:{{ env.IPXE_TLS_PORT }}
<VirtualHost *:{{ env.IPXE_TLS_PORT }}> <VirtualHost *:{{ env.IPXE_TLS_PORT }}>
ErrorLog /dev/stderr ErrorLog /dev/stderr


@@ -0,0 +1,41 @@
Listen 0.0.0.0:{{ env.VMEDIA_TLS_PORT }}
Listen [::]:{{ env.VMEDIA_TLS_PORT }}
<VirtualHost *:{{ env.VMEDIA_TLS_PORT }}>
ErrorLog /dev/stderr
LogLevel debug
CustomLog /dev/stdout combined
SSLEngine on
SSLProtocol {{ env.IRONIC_VMEDIA_SSL_PROTOCOL }}
SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}
{% if "IRONIC_VMEDIA_TLS_12_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_12_CIPHERS %}
SSLCipherSuite {{ env.IRONIC_VMEDIA_TLS_12_CIPHERS }}
{% endif %}
{% if "IRONIC_VMEDIA_TLS_13_CIPHERS" in env and env.IRONIC_VMEDIA_TLS_13_CIPHERS %}
SSLCipherSuite TLSv1.3 {{ env.IRONIC_VMEDIA_TLS_13_CIPHERS }}
{% endif %}
{% if "IRONIC_VMEDIA_CURVES" in env and env.IRONIC_VMEDIA_CURVES %}
SSLOpenSSLConfCmd Curves {{ env.IRONIC_VMEDIA_CURVES }}
{% endif %}
{% if env.IRONIC_VMEDIA_TLS_ENFORCE_SERVER_CIPHER_ORDER | lower == "true" %}
SSLHonorCipherOrder on
{% endif %}
<Directory "/shared/html/">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory ~ "/shared/html/(redfish|ilo)/">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
<Location ~ "^/(redfish|ilo)/">
SSLRequireSSL
</Location>
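Review bot: Both `<Directory>` blocks combine `Options Indexes FollowSymLinks` with `Require all granted`, so any client that can reach the virtual-media port can browse a listing of everything under `/shared/html/`. Consumers of virtual media fetch images by exact URL, so unless something relies on the listing (not visible from this file), `Options FollowSymLinks` without `Indexes` would serve the same purpose with less exposure. The second block, for `(redfish|ilo)`, repeats the first block's directives and adds nothing as written; either drop it or give it the stricter settings. `LogLevel debug` is also hard-coded for this vhost and may be worth making configurable.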


@@ -3,6 +3,7 @@ bind-dynamic
enable-tftp enable-tftp
tftp-root=/shared/tftpboot tftp-root=/shared/tftpboot
log-queries log-queries
dhcp-leasefile=/data/dnsmasq/dnsmasq.leases
# Configure listening for DNS (0 disables DNS) # Configure listening for DNS (0 disables DNS)
port={{ env.DNS_PORT }} port={{ env.DNS_PORT }}
@@ -31,11 +32,11 @@ dhcp-match=ipxe,175
# Client is already running iPXE; move to next stage of chainloading # Client is already running iPXE; move to next stage of chainloading
{%- if env.IPXE_TLS_SETUP == "true" %} {%- if env.IPXE_TLS_SETUP == "true" %}
# iPXE with (U)EFI # iPXE with (U)EFI
dhcp-boot=tag:efi,tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/snponly.efi dhcp-boot=tag:efi,tag:ipxe,{{ env.IRONIC_HTTP_URL }}/custom-ipxe/snponly.efi
# iPXE with BIOS # iPXE with BIOS
dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/undionly.kpxe dhcp-boot=tag:ipxe,{{ env.IRONIC_HTTP_URL }}/custom-ipxe/undionly.kpxe
{% else %} {% else %}
dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe dhcp-boot=tag:ipxe,{{ env.IRONIC_HTTP_URL }}/boot.ipxe
{% endif %} {% endif %}
# Note: Need to test EFI booting # Note: Need to test EFI booting
@@ -59,8 +60,8 @@ ra-param={{ env.PROVISIONING_INTERFACE }},0,0
dhcp-vendorclass=set:pxe6,enterprise:343,PXEClient dhcp-vendorclass=set:pxe6,enterprise:343,PXEClient
dhcp-userclass=set:ipxe6,iPXE dhcp-userclass=set:ipxe6,iPXE
dhcp-option=tag:pxe6,option6:bootfile-url,tftp://{{ env.IRONIC_URL_HOST }}/snponly.efi dhcp-option=tag:pxe6,option6:bootfile-url,{{ env.IRONIC_TFTP_URL }}/snponly.efi
dhcp-option=tag:ipxe6,option6:bootfile-url,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe dhcp-option=tag:ipxe6,option6:bootfile-url,{{ env.IRONIC_HTTP_URL }}/boot.ipxe
# It can be used when setting DNS or GW variables. # It can be used when setting DNS or GW variables.
{%- if env["GATEWAY_IP"] is undefined %} {%- if env["GATEWAY_IP"] is undefined %}


@@ -12,11 +12,21 @@
{% if env.LISTEN_ALL_INTERFACES | lower == "true" %} {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
Listen {{ env.IRONIC_LISTEN_PORT }} Listen 0.0.0.0:{{ env.IRONIC_LISTEN_PORT }}
Listen [::]:{{ env.IRONIC_LISTEN_PORT }}
<VirtualHost *:{{ env.IRONIC_LISTEN_PORT }}> <VirtualHost *:{{ env.IRONIC_LISTEN_PORT }}>
{% else %} {% else %}
Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }} {% if env.ENABLE_IPV4 %}
<VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}> Listen {{ env.IRONIC_IP }}:{{ env.IRONIC_LISTEN_PORT }}
{% endif %}
{% if env.ENABLE_IPV6 %}
Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
{% endif %}
{% if env.IRONIC_URL_HOSTNAME is defined and env.IRONIC_URL_HOSTNAME|length %}
<VirtualHost {{ env.IRONIC_URL_HOSTNAME }}:{{ env.IRONIC_LISTEN_PORT }}>
{% else %}
<VirtualHost {% if env.ENABLE_IPV4 %}{{ env.IRONIC_IP }}:{{ env.IRONIC_LISTEN_PORT }}{% endif %} {% if env.ENABLE_IPV6 %}[{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}{% endif %}>
{% endif %}
{% endif %} {% endif %}
{% if env.IRONIC_PRIVATE_PORT == "unix" %} {% if env.IRONIC_PRIVATE_PORT == "unix" %}
@@ -45,7 +55,7 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
{% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %} {% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
AuthType Basic AuthType Basic
AuthName "Restricted area" AuthName "Restricted area"
AuthUserFile "/etc/ironic/htpasswd" AuthUserFile {{ env.HTPASSWD_FILE }}
Require valid-user Require valid-user
{% endif %} {% endif %}
</Location> </Location>
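Review bot: In the non-`LISTEN_ALL_INTERFACES` branch the fallback `<VirtualHost …>` line renders with no address at all when neither `ENABLE_IPV4` nor `ENABLE_IPV6` is set, and no `Listen` line is emitted either, so httpd gets an invalid vhost instead of a clear error. If the templates are still rendered with `env=os.environ` as in the removed scripts, `{% if env.ENABLE_IPV4 %}` is a string test and a literal `false` enables the branch. A template comment such as `{# ENABLE_IPV4/ENABLE_IPV6: any non-empty value enables the family; at least one must be set #}` plus a check in the rendering script would make that contract explicit. The same gating is used in the `httpd.conf` and `ironic.conf` sections further down. Separately, `AuthUserFile {{ env.HTPASSWD_FILE }}` lost the quotes the old literal path had; `AuthUserFile "{{ env.HTPASSWD_FILE }}"` keeps a path containing spaces as one argument.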


@@ -17,4 +17,4 @@ LoadModule authn_core_module /usr/lib64/apache2/mod_authn_core.so
LoadModule auth_basic_module /usr/lib64/apache2/mod_auth_basic.so LoadModule auth_basic_module /usr/lib64/apache2/mod_auth_basic.so
LoadModule authn_file_module /usr/lib64/apache2/mod_authn_file.so LoadModule authn_file_module /usr/lib64/apache2/mod_authn_file.so
LoadModule authz_user_module /usr/lib64/apache2/mod_authz_user.so LoadModule authz_user_module /usr/lib64/apache2/mod_authz_user.so
LoadModule access_compat_module /usr/lib64/apache2/mod_access_compat.so #LoadModule access_compat_module /usr/lib64/apache2/mod_access_compat.so


@@ -1,10 +1,16 @@
ServerRoot "/etc/httpd" ServerRoot {{ env.HTTPD_DIR }}
{%- if env.LISTEN_ALL_INTERFACES | lower == "true" %} {%- if env.LISTEN_ALL_INTERFACES | lower == "true" %}
Listen {{ env.HTTP_PORT }} Listen 0.0.0.0:{{ env.HTTP_PORT }}
Listen [::]:{{ env.HTTP_PORT }}
{% else %} {% else %}
Listen {{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }} {% if env.ENABLE_IPV4 %}
Listen {{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}
{% endif %} {% endif %}
Include conf.modules.d/*.conf {% if env.ENABLE_IPV6 %}
Listen [{{ env.IRONIC_IPV6 }}]:{{ env.HTTP_PORT }}
{% endif %}
{% endif %}
Include /etc/httpd/conf.modules.d/*.conf
User ironic-suse User ironic-suse
Group ironic-suse Group ironic-suse


@@ -0,0 +1,10 @@
#!ipxe
:retry_boot
echo In inspector.ipxe
imgfree
# NOTE(dtantsur): keep inspection kernel params in [mdns]params in
# ironic-inspector-image and configuration in configure-ironic.sh
kernel --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent-${buildarch}.kernel ipa-insecure={{ env.IPA_INSECURE }} ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent-${buildarch}.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
initrd --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent-${buildarch}.initramfs || goto retry_boot
boot
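Review bot: `ipa-insecure={{ env.IPA_INSECURE }}` on the `kernel` line has no default in the template, so an unset variable renders as a bare `ipa-insecure=`, and whether the agent then verifies TLS depends on how it parses an empty value. The script that exports `IPA_INSECURE` is not part of this file, so the effective default cannot be confirmed here. Stating it in the template, for example `ipa-insecure={{ env.IPA_INSECURE | default("0", true) }}`, would make the verification behaviour explicit. Choose the value deliberately, since the removed template hard-coded `1`.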


@@ -25,8 +25,15 @@ rpc_transport = none
use_stderr = true use_stderr = true
# NOTE(dtantsur): the default md5 is not compatible with FIPS mode # NOTE(dtantsur): the default md5 is not compatible with FIPS mode
hash_ring_algorithm = sha256 hash_ring_algorithm = sha256
{% if env.ENABLE_IPV4 %}
my_ip = {{ env.IRONIC_IP }} my_ip = {{ env.IRONIC_IP }}
{% endif %}
{% if env.ENABLE_IPV6 %}
my_ipv6 = {{ env.IRONIC_IPV6 }}
{% endif %}
host = {{ env.IRONIC_CONDUCTOR_HOST }} host = {{ env.IRONIC_CONDUCTOR_HOST }}
tempdir = {{ env.IRONIC_TMP_DATA_DIR }}
# If a path to a certificate is defined, use that first for webserver # If a path to a certificate is defined, use that first for webserver
{% if env.WEBSERVER_CACERT_FILE %} {% if env.WEBSERVER_CACERT_FILE %}
@@ -49,6 +56,7 @@ deploy_logs_local_path = /shared/log/ironic/deploy
# retries here works around such problems without affecting the normal path. # retries here works around such problems without affecting the normal path.
# See https://bugzilla.redhat.com/show_bug.cgi?id=1822763 # See https://bugzilla.redhat.com/show_bug.cgi?id=1822763
max_command_attempts = 30 max_command_attempts = 30
certificates_path = {{ env.IRONIC_GEN_CERT_DIR }}
[api] [api]
{% if env.IRONIC_REVERSE_PROXY_SETUP == "true" %} {% if env.IRONIC_REVERSE_PROXY_SETUP == "true" %}
@@ -63,7 +71,7 @@ port = {{ env.IRONIC_PRIVATE_PORT }}
{% endif %} {% endif %}
public_endpoint = {{ env.IRONIC_BASE_URL }} public_endpoint = {{ env.IRONIC_BASE_URL }}
{% else %} {% else %}
host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %} host_ip = {{ env.IRONIC_HOST_IP }}
port = {{ env.IRONIC_LISTEN_PORT }} port = {{ env.IRONIC_LISTEN_PORT }}
{% if env.IRONIC_TLS_SETUP == "true" %} {% if env.IRONIC_TLS_SETUP == "true" %}
enable_ssl_api = true enable_ssl_api = true
@@ -83,28 +91,37 @@ send_sensor_data = {{ env.SEND_SENSOR_DATA }}
# Power state is checked every 60 seconds and BMC activity should # Power state is checked every 60 seconds and BMC activity should
# be avoided more often than once every sixty seconds. # be avoided more often than once every sixty seconds.
send_sensor_data_interval = 160 send_sensor_data_interval = 160
bootloader = {{ env.IRONIC_BOOT_BASE_URL }}/uefi_esp.img bootloader_by_arch = {{ env.BOOTLOADER_BY_ARCH }}
verify_step_priority_override = management.clear_job_queue:90 verify_step_priority_override = management.clear_job_queue:90
# We don't use this feature, and it creates an additional load on the database # We don't use this feature, and it creates an additional load on the database
node_history = False node_history = False
# Provide for a timeout longer than 60 seconds for certain vendor's hardware # Provide for a timeout longer than 60 seconds for certain vendor's hardware
power_state_change_timeout = 120 power_state_change_timeout = 120
{% if env.IRONIC_DEFAULT_KERNEL is defined %} {% if env.DEPLOY_KERNEL_URL is defined %}
deploy_kernel = file://{{ env.IRONIC_DEFAULT_KERNEL }} deploy_kernel = {{ env.DEPLOY_KERNEL_URL }}
{% endif %} {% endif %}
{% if env.IRONIC_DEFAULT_RAMDISK is defined %} {% if env.DEPLOY_KERNEL_BY_ARCH is defined %}
deploy_ramdisk = file://{{ env.IRONIC_DEFAULT_RAMDISK }} deploy_kernel_by_arch = {{ env.DEPLOY_KERNEL_BY_ARCH }}
{% endif %}
{% if env.DEPLOY_RAMDISK_URL is defined %}
deploy_ramdisk = {{ env.DEPLOY_RAMDISK_URL }}
{% endif %}
{% if env.DEPLOY_RAMDISK_BY_ARCH is defined %}
deploy_ramdisk_by_arch = {{ env.DEPLOY_RAMDISK_BY_ARCH }}
{% endif %}
{% if env.DISABLE_DEEP_IMAGE_INSPECTION | lower == "true" %}
disable_deep_image_inspection = True
{% endif %} {% endif %}
[database] [database]
{% if env.IRONIC_USE_MARIADB | lower == "false" %} {% if env.IRONIC_USE_MARIADB | lower == "true" %}
connection = sqlite:////var/lib/ironic/ironic.sqlite connection = {{ env.MARIADB_CONNECTION }}
{% else %}
connection = {{ env.LOCAL_DB_URI }}
# Synchronous mode is required for data integrity in case of operating system # Synchronous mode is required for data integrity in case of operating system
# crash. In our case we restart the container from scratch, so we can save some # crash. In our case we restart the container from scratch, so we can save some
# IO by not doing syncs all the time. # IO by not doing syncs all the time.
sqlite_synchronous = False sqlite_synchronous = False
{% else %}
connection = {{ env.MARIADB_CONNECTION }}
{% endif %} {% endif %}
[deploy] [deploy]
@@ -112,15 +129,15 @@ default_boot_option = local
erase_devices_metadata_priority = 10 erase_devices_metadata_priority = 10
erase_devices_priority = 0 erase_devices_priority = 0
http_root = /shared/html/ http_root = /shared/html/
http_url = {{ env.IRONIC_BOOT_BASE_URL }} http_url = {% if env.VMEDIA_TLS_PORT %}{{ env.IRONIC_HTTPS_VMEDIA_URL }}{% else %}{{ env.IRONIC_HTTP_URL }}{% endif %}
fast_track = {{ env.IRONIC_FAST_TRACK }} fast_track = {{ env.IRONIC_FAST_TRACK }}
{% if env.IRONIC_BOOT_ISO_SOURCE %} {% if env.IRONIC_BOOT_ISO_SOURCE %}
ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }} ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }}
{% endif %} {% endif %}
{% if env.IRONIC_EXTERNAL_HTTP_URL %} {% if env.IRONIC_EXTERNAL_HTTP_URL %}
external_http_url = {{ env.IRONIC_EXTERNAL_HTTP_URL }} external_http_url = {{ env.IRONIC_EXTERNAL_HTTP_URL }}
{% elif env.IRONIC_VMEDIA_TLS_SETUP == "true" %} {% elif env.VMEDIA_TLS_PORT %}
external_http_url = https://{{ env.IRONIC_URL_HOST }}:{{ env.VMEDIA_TLS_PORT }} external_http_url = {{ env.IRONIC_HTTPS_VMEDIA_URL }}
{% endif %} {% endif %}
{% if env.IRONIC_EXTERNAL_CALLBACK_URL %} {% if env.IRONIC_EXTERNAL_CALLBACK_URL %}
external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }} external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
@@ -175,8 +192,8 @@ cipher_suite_versions = 3,17
# unauthenticated connections from other processes in the same host since the # unauthenticated connections from other processes in the same host since the
# containers are in host networking. # containers are in host networking.
auth_strategy = http_basic auth_strategy = http_basic
http_basic_auth_user_file = /etc/ironic/htpasswd-rpc http_basic_auth_user_file = {{ env.IRONIC_RPC_HTPASSWD_FILE }}
host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %} host_ip = {{ env.IRONIC_HOST_IP }}
{% if env.IRONIC_TLS_SETUP == "true" %} {% if env.IRONIC_TLS_SETUP == "true" %}
use_ssl = true use_ssl = true
cafile = {{ env.IRONIC_CACERT_FILE }} cafile = {{ env.IRONIC_CACERT_FILE }}
@@ -187,11 +204,6 @@ insecure = {{ env.IRONIC_INSECURE }}
[nova] [nova]
send_power_notifications = false send_power_notifications = false
[oslo_messaging_notifications]
driver = prometheus_exporter
location = /shared/ironic_prometheus_exporter
transport_url = fake://
[pxe] [pxe]
# NOTE(dtantsur): keep this value at least 3x lower than # NOTE(dtantsur): keep this value at least 3x lower than
# [conductor]deploy_callback_timeout so that at least some retries happen. # [conductor]deploy_callback_timeout so that at least some retries happen.
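Review bot: The `DISABLE_DEEP_IMAGE_INSPECTION` switch added in the hunk at `@@ -83,28 +91,37 @@` turns off Ironic's content checks on disk images before they are used, and nothing in the template tells an operator that this is a safety control. A comment above the block would help, for example `# Disables image format safety checks; enable only when every image source is trusted`. It would also help to note next to `connection = {{ env.MARIADB_CONNECTION }}` that the rendered file then contains the database password, so the rendered `ironic.conf` should not be world-readable.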


@@ -1,68 +0,0 @@
[DEFAULT]
auth_strategy = noauth
debug = true
transport_url = fake://
use_stderr = true
{% if env.INSPECTOR_REVERSE_PROXY_SETUP == "true" %}
{% if env.IRONIC_INSPECTOR_PRIVATE_PORT == "unix" %}
listen_unix_socket = /shared/inspector.sock
# NOTE(dtantsur): this is not ideal, but since the socket is accessed from
# another container, we need to make it world-writeable.
listen_unix_socket_mode = 0666
{% else %}
listen_port = {{ env.IRONIC_INSPECTOR_PRIVATE_PORT }}
listen_address = 127.0.0.1
{% endif %}
{% elif env.LISTEN_ALL_INTERFACES | lower == "true" %}
listen_port = {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
listen_address = ::
{% else %}
listen_port = {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
listen_address = {{ env.IRONIC_IP }}
{% endif %}
host = {{ env.IRONIC_IP }}
{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" and env.INSPECTOR_REVERSE_PROXY_SETUP == "false" %}
use_ssl = true
{% endif %}
[database]
connection = sqlite:////var/lib/ironic-inspector/ironic-inspector.db
{% if env.IRONIC_INSPECTOR_ENABLE_DISCOVERY == "true" %}
[discovery]
enroll_node_driver = ipmi
{% endif %}
[ironic]
auth_type = none
endpoint_override = {{ env.IRONIC_BASE_URL }}
{% if env.IRONIC_TLS_SETUP == "true" %}
cafile = {{ env.IRONIC_CACERT_FILE }}
insecure = {{ env.IRONIC_INSECURE }}
{% endif %}
[processing]
add_ports = all
always_store_ramdisk_logs = true
keep_ports = present
{% if env.IRONIC_INSPECTOR_ENABLE_DISCOVERY == "true" %}
node_not_found_hook = enroll
{% endif %}
permit_active_introspection = true
power_off = false
processing_hooks = $default_processing_hooks,lldp_basic
ramdisk_logs_dir = /shared/log/ironic-inspector/ramdisk
store_data = database
[pxe_filter]
driver = noop
[service_catalog]
auth_type = none
endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" and env.INSPECTOR_REVERSE_PROXY_SETUP == "false" %}
[ssl]
cert_file = {{ env.IRONIC_INSPECTOR_CERT_FILE }}
key_file = {{ env.IRONIC_INSPECTOR_KEY_FILE }}
{% endif %}


@@ -1,9 +0,0 @@
#!/bin/bash
set -eu -o pipefail
curl -sSf {{ env.PROBE_CURL_ARGS }} "{{ env.PROBE_URL }}"
# TODO(dtantsur): when PROBE_KIND==readiness, try the conductor and driver API
# to make sure the conductor is ready. This requires having access to secrets
# since these endpoints are authenticated.


@@ -2,41 +2,26 @@
set -euxo pipefail set -euxo pipefail
ARCH=$(uname -m) declare -A efi_arch=(
DEST=${2:-/tmp/esp.img} ["x86_64"]="X64"
OS=${1:-sles} ["aarch64"]="AA64"
)
if [ $ARCH = "aarch64" ]; then for arch in "${!efi_arch[@]}"; do
BOOTEFI=BOOTAA64.EFI
GRUBEFI=grubaa64.efi
else
BOOTEFI=BOOTX64.efi
GRUBEFI=grubx64.efi
fi
dd bs=1024 count=6400 if=/dev/zero of=$DEST DEST=/tmp/uefi_esp_${arch}.img
mkfs.msdos -F 12 -n 'ESP_IMAGE' $DEST
dd bs=1024 count=6400 if=/dev/zero of=$DEST
mkfs.msdos -F 12 -n 'ESP_IMAGE' $DEST
mmd -i $DEST EFI
mmd -i $DEST EFI/BOOT
mcopy -i $DEST -v /usr/share/efi/${arch}/shim.efi ::EFI/BOOT/BOOT${efi_arch[$arch]}.EFI
mcopy -i $DEST -v /usr/share/efi/${arch}/grub.efi ::EFI/BOOT/GRUB.EFI
mdir -i $DEST ::EFI/BOOT;
done
mkdir -p /boot/efi/EFI/BOOT
mkdir -p /boot/efi/EFI/$OS
if [ $ARCH = "aarch64" ]; then
cp -L /usr/share/efi/aarch64/shim.efi /boot/efi/EFI/BOOT/$BOOTEFI
cp -L /usr/share/efi/aarch64/grub.efi /boot/efi/EFI/BOOT/grub.efi
cp /usr/share/grub2/arm64-efi/grub.efi /boot/efi/EFI/$OS/grubaa64.efi
else
cp -L /usr/lib64/efi/shim.efi /boot/efi/EFI/BOOT/$BOOTEFI
#cp /usr/share/grub2/x86_64-efi/grub.efi /boot/efi/EFI/$OS/$GRUBEFI
cp /usr/share/grub2/x86_64-efi/grub.efi /boot/efi/EFI/$OS/grub.efi
fi
mmd -i $DEST EFI
mmd -i $DEST EFI/BOOT
mcopy -i $DEST -v /boot/efi/EFI/BOOT/$BOOTEFI ::EFI/BOOT
if [ $ARCH = "aarch64" ]; then
mcopy -i $DEST -v /boot/efi/EFI/BOOT/grub.efi ::EFI/BOOT
mcopy -i $DEST -v /boot/efi/EFI/$OS/$GRUBEFI ::EFI/BOOT
else
mcopy -i $DEST -v /boot/efi/EFI/$OS/grub.efi ::EFI/BOOT
fi
mdir -i $DEST ::EFI/BOOT;


@@ -1,23 +0,0 @@
#!/usr/bin/bash
# This setting must go before configure-ironic since it has different defaults.
export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
# Ramdisk logs
mkdir -p /shared/log/ironic/deploy
run_ironic_dbsync
if [[ "$IRONIC_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
# shellcheck disable=SC2034
inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read -r file event; do
kill $(pgrep ironic)
done &
fi
configure_ironic_auth
exec /usr/bin/ironic


@@ -1,13 +0,0 @@
#!/usr/bin/bash
export IRONIC_DEPLOYMENT="API"
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
export IRONIC_REVERSE_PROXY_SETUP=false
python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < /tmp/httpd-ironic-api.conf.j2 > /etc/httpd/conf.d/ironic.conf
# shellcheck disable=SC1091
. /bin/runhttpd


@@ -1,20 +0,0 @@
#!/usr/bin/bash
export IRONIC_DEPLOYMENT="Conductor"
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
# Ramdisk logs
mkdir -p /shared/log/ironic/deploy
run_ironic_dbsync
if [[ "$IRONIC_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
# shellcheck disable=SC2034
inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read -r file event; do
kill $(pgrep ironic)
done &
fi
exec /usr/bin/ironic-conductor


@@ -1,12 +0,0 @@
#!/usr/bin/bash
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
FLASK_RUN_HOST=${FLASK_RUN_HOST:-0.0.0.0}
FLASK_RUN_PORT=${FLASK_RUN_PORT:-9608}
export IRONIC_CONFIG="/etc/ironic/ironic.conf"
exec gunicorn -b "${FLASK_RUN_HOST}:${FLASK_RUN_PORT}" -w 4 \
ironic_prometheus_exporter.app.wsgi:application


@@ -1,62 +0,0 @@
#!/usr/bin/bash
set -euxo pipefail
CONFIG=/etc/ironic-inspector/ironic-inspector.conf
export IRONIC_INSPECTOR_ENABLE_DISCOVERY=${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}
export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
# shellcheck disable=SC1091
. /bin/tls-common.sh
# shellcheck disable=SC1091
. /bin/ironic-common.sh
# shellcheck disable=SC1091
. /bin/auth-common.sh
if [[ "$USE_IRONIC_INSPECTOR" == "false" ]]; then
echo "FATAL: ironic-inspector is disabled via USE_IRONIC_INSPECTOR"
exit 1
fi
wait_for_interface_or_ip
IRONIC_INSPECTOR_PORT=${IRONIC_INSPECTOR_ACCESS_PORT}
if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then
if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "true" ]] && [[ "${IRONIC_INSPECTOR_PRIVATE_PORT}" != "unix" ]]; then
IRONIC_INSPECTOR_PORT=$IRONIC_INSPECTOR_PRIVATE_PORT
fi
else
export INSPECTOR_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
fi
export IRONIC_INSPECTOR_BASE_URL="${IRONIC_INSPECTOR_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_INSPECTOR_PORT}"
export IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"
build_j2_config()
{
local CONFIG_FILE="$1"
python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$CONFIG_FILE.j2"
}
# Merge with the original configuration file from the package.
build_j2_config "$CONFIG" | crudini --merge "$CONFIG"
configure_inspector_auth
configure_client_basic_auth ironic "${CONFIG}"
ironic-inspector-dbsync --config-file "${CONFIG}" upgrade
if [[ "$INSPECTOR_REVERSE_PROXY_SETUP" == "false" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
# shellcheck disable=SC2034
inotifywait -m -e delete_self "${IRONIC_INSPECTOR_CERT_FILE}" | while read -r file event; do
kill $(pgrep ironic)
done &
fi
# Make sure ironic traffic bypasses any proxies
export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
# shellcheck disable=SC2086
exec /usr/bin/ironic-inspector


@@ -1,19 +0,0 @@
#!/usr/bin/bash
# Ramdisk logs path
LOG_DIR="/shared/log/ironic/deploy"
# The ironic container creates the directory, wait for
# it to exist before running inotifywait or it can fail causing
# a spurious restart
while [ ! -d "${LOG_DIR}" ]; do
echo "Waiting for ${LOG_DIR}"
sleep 5
done
inotifywait -m "${LOG_DIR}" -e close_write |
while read -r path _action file; do
echo "************ Contents of ${path}/${file} ramdisk log file bundle **************"
tar -xOzvvf "${path}/${file}" | sed -e "s/^/${file}: /"
rm -f "${path}/${file}"
done


@@ -0,0 +1,97 @@
#!/usr/bin/bash
set -euxo pipefail
export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
# CUSTOM_CONFIG_DIR is also managed in the ironic-common.sh, in order to
# keep auth-common and ironic-common separate (to stay consistent with the
# architecture) part of the ironic-common logic had to be duplicated
CUSTOM_CONFIG_DIR="${CUSTOM_CONFIG_DIR:-/conf}"
IRONIC_CONF_DIR="${CUSTOM_CONFIG_DIR}/ironic"
# Backward compatibility
if [[ "${IRONIC_DEPLOYMENT:-}" == "Conductor" ]]; then
export IRONIC_EXPOSE_JSON_RPC=true
else
export IRONIC_EXPOSE_JSON_RPC="${IRONIC_EXPOSE_JSON_RPC:-false}"
fi
IRONIC_HTPASSWD_FILE="${IRONIC_CONF_DIR}/htpasswd"
export IRONIC_RPC_HTPASSWD_FILE="${IRONIC_HTPASSWD_FILE}-rpc"
if [[ -f "/auth/ironic/htpasswd" ]]; then
IRONIC_HTPASSWD=$(</auth/ironic/htpasswd)
fi
if [[ -f "/auth/ironic-rpc/htpasswd" ]]; then
IRONIC_RPC_HTPASSWD=$(</auth/ironic-rpc/htpasswd)
fi
export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
export IRONIC_RPC_HTPASSWD=${IRONIC_RPC_HTPASSWD:-${IRONIC_HTPASSWD}}
if [[ -n "${MARIADB_PASSWORD:-}" ]]; then
echo "WARNING: passing MARIADB_PASSWORD is deprecated, mount a secret under /auth/mariadb instead"
elif [[ -f /auth/mariadb/password ]]; then
MARIADB_PASSWORD=$(</auth/mariadb/password)
fi
if [[ -z "${MARIADB_USER:-}" ]] && [[ -f /auth/mariadb/username ]]; then
MARIADB_USER=$(</auth/mariadb/username)
fi
IRONIC_CONFIG="${IRONIC_CONF_DIR}/ironic.conf"
configure_json_rpc_auth()
{
if [[ "${IRONIC_EXPOSE_JSON_RPC}" != "true" ]]; then
return
fi
local auth_config_file="/auth/ironic-rpc/auth-config"
local username_file="/auth/ironic-rpc/username"
local password_file="/auth/ironic-rpc/password"
if [[ -f "${username_file}" ]] && [[ -f "${password_file}" ]]; then
crudini --set "${IRONIC_CONFIG}" json_rpc username "$(<${username_file})"
set +x
crudini --set "${IRONIC_CONFIG}" json_rpc password "$(<${password_file})"
set -x
elif [[ -f "${auth_config_file}" ]]; then
echo "WARNING: using auth-config is deprecated, mount a secret directly"
# Merge configurations in the "auth" directory into the default ironic configuration file
crudini --merge "${IRONIC_CONFIG}" < "${auth_config_file}"
else
echo "FATAL: no client-side credentials provided for JSON RPC"
echo "HINT: mount a secret with username and password fields under /auth/ironic-rpc"
exit 1
fi
if [[ -z "${IRONIC_RPC_HTPASSWD}" ]]; then
if [[ -f "${username_file}" ]] && [[ -f "${password_file}" ]]; then
htpasswd -c -i -B "${IRONIC_RPC_HTPASSWD_FILE}" "$(<${username_file})" <"${password_file}"
else
echo "FATAL: enabling JSON RPC requires authentication"
echo "HINT: mount a secret with either username and password or htpasswd under /auth/ironic-rpc"
exit 1
fi
else
printf "%s\n" "${IRONIC_RPC_HTPASSWD}" > "${IRONIC_RPC_HTPASSWD_FILE}"
fi
}
configure_ironic_auth()
{
# Configure HTTP basic auth for API server
if [[ -n "${IRONIC_HTPASSWD}" ]]; then
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "false" ]]; then
crudini --set "${IRONIC_CONFIG}" DEFAULT auth_strategy http_basic
crudini --set "${IRONIC_CONFIG}" DEFAULT http_basic_auth_user_file "${IRONIC_HTPASSWD_FILE}"
fi
fi
}
write_htpasswd_files()
{
if [[ -n "${IRONIC_HTPASSWD:-}" ]]; then
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
fi
}
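Review bot: Secrets are read while xtrace is on: the script starts with `set -euxo pipefail` and then assigns `IRONIC_HTPASSWD`, `IRONIC_RPC_HTPASSWD` and `MARIADB_PASSWORD` from the mounted files at top level, so bash writes the expanded values (the database password in clear, the htpasswd entries with their hashes) to the container log. `configure_json_rpc_auth` already brackets its password `crudini --set` with `set +x` / `set -x`. The same bracket is needed around the top-level reads, from `if [[ -f "/auth/ironic/htpasswd" ]]` through the `MARIADB_USER` block, and around each `printf "%s\n" "${IRONIC_HTPASSWD}" > …` and `printf "%s\n" "${IRONIC_RPC_HTPASSWD}" > …` write. `write_htpasswd_files` also repeats the first step of `configure_ironic_auth`; having the latter call the former would leave a single place to protect.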


@@ -0,0 +1,153 @@
#!/usr/bin/bash
set -euxo pipefail
IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}"
export VMEDIA_TLS_PORT="${VMEDIA_TLS_PORT:-}"
# Define the VLAN interfaces to be included in introspection report, e.g.
# all - all VLANs on all interfaces using LLDP information
# <interface> - all VLANs on a particular interface using LLDP information
# <interface.vlan> - a particular VLAN on an interface, not relying on LLDP
export IRONIC_ENABLE_VLAN_INTERFACES=${IRONIC_ENABLE_VLAN_INTERFACES:-${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}}
# shellcheck disable=SC1091
. /bin/tls-common.sh
# shellcheck disable=SC1091
. /bin/ironic-common.sh
# shellcheck disable=SC1091
. /bin/auth-common.sh
export HTTP_PORT=${HTTP_PORT:-80}
if [[ "${IRONIC_USE_MARIADB}" == true ]]; then
if [[ -z "${MARIADB_PASSWORD:-}" ]]; then
echo "FATAL: IRONIC_USE_MARIADB requires password, mount a secret under /auth/mariadb"
exit 1
fi
MARIADB_DATABASE=${MARIADB_DATABASE:-ironic}
MARIADB_USER=${MARIADB_USER:-ironic}
MARIADB_HOST=${MARIADB_HOST:-127.0.0.1}
export MARIADB_CONNECTION="mysql+pymysql://${MARIADB_USER}:${MARIADB_PASSWORD}@${MARIADB_HOST}/${MARIADB_DATABASE}?charset=utf8"
if [[ "$MARIADB_TLS_ENABLED" == "true" ]]; then
export MARIADB_CONNECTION="${MARIADB_CONNECTION}&ssl=on&ssl_ca=${MARIADB_CACERT_FILE}"
fi
fi
# zero makes it do cpu number detection on Ironic side
export NUMWORKERS=${NUMWORKERS:-0}
# Whether to enable fast_track provisioning or not
export IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true}
# Whether cleaning disks before and after deployment
export IRONIC_AUTOMATED_CLEAN=${IRONIC_AUTOMATED_CLEAN:-true}
# Wheter to enable the sensor data collection
export SEND_SENSOR_DATA=${SEND_SENSOR_DATA:-false}
# Set of collectors that should be used with IPA inspection
export IRONIC_IPA_COLLECTORS=${IRONIC_IPA_COLLECTORS:-default,logs}
wait_for_interface_or_ip
if [[ "$(echo "$LISTEN_ALL_INTERFACES" | tr '[:upper:]' '[:lower:]')" == "true" ]]; then
export IRONIC_HOST_IP="::"
elif [[ -n "${ENABLE_IPV6}" ]]; then
export IRONIC_HOST_IP="$IRONIC_IPV6"
else
export IRONIC_HOST_IP="$IRONIC_IP"
fi
if [[ "${VMEDIA_TLS_PORT}" ]]; then
export IRONIC_HTTPS_VMEDIA_URL="https://${IRONIC_URL_HOST}:${VMEDIA_TLS_PORT}"
fi
# Hostname to use for the current conductor instance.
export IRONIC_CONDUCTOR_HOST=${IRONIC_CONDUCTOR_HOST:-${IRONIC_URL_HOST}}
if [[ -n "$IRONIC_EXTERNAL_IP" ]]; then
export IRONIC_EXTERNAL_CALLBACK_URL=${IRONIC_EXTERNAL_CALLBACK_URL:-"${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"}
if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"https://${IRONIC_EXTERNAL_IP}:${VMEDIA_TLS_PORT}"}
else
export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"http://${IRONIC_EXTERNAL_IP}:${HTTP_PORT}"}
fi
fi
IMAGE_CACHE_PREFIX="/shared/html/images/ironic-python-agent"
if [[ -z "${DEPLOY_KERNEL_URL:-}" ]] && [[ -z "${DEPLOY_RAMDISK_URL:-}" ]] && \
[[ -f "${IMAGE_CACHE_PREFIX}.kernel" ]] && [[ -f "${IMAGE_CACHE_PREFIX}.initramfs" ]]; then
export DEPLOY_KERNEL_URL="file://${IMAGE_CACHE_PREFIX}.kernel"
export DEPLOY_RAMDISK_URL="file://${IMAGE_CACHE_PREFIX}.initramfs"
fi
declare -A detected_arch
for var_arch in "${!DEPLOY_KERNEL_URL_@}"; do
IPA_ARCH="${var_arch#DEPLOY_KERNEL_URL}"
detected_arch["${IPA_ARCH,,}"]=1
done
for file_arch in "${IMAGE_CACHE_PREFIX}"_*.kernel; do
if [[ -f "${file_arch}" ]]; then
IPA_ARCH="$(basename "${file_arch#"${IMAGE_CACHE_PREFIX}"_}" .kernel)"
detected_arch["${IPA_ARCH}"]=1
fi
done
DEPLOY_KERNEL_BY_ARCH=""
DEPLOY_RAMDISK_BY_ARCH=""
for IPA_ARCH in "${!detected_arch[@]}"; do
kernel_var="DEPLOY_KERNEL_URL_${IPA_ARCH^^}"
ramdisk_var="DEPLOY_RAMDISK_URL_${IPA_ARCH^^}"
if [[ -z "${!kernel_var:-}" ]] && [[ -z "${!ramdisk_var:-}" ]] && \
[[ -f "${IMAGE_CACHE_PREFIX}_${IPA_ARCH}.kernel" ]] && [[ -f "${IMAGE_CACHE_PREFIX}_${IPA_ARCH}.initramfs" ]]; then
export "${kernel_var}"="file://${IMAGE_CACHE_PREFIX}_${IPA_ARCH}.kernel"
export "${ramdisk_var}"="file://${IMAGE_CACHE_PREFIX}_${IPA_ARCH}.initramfs"
fi
DEPLOY_KERNEL_BY_ARCH+="${!kernel_var:+${IPA_ARCH}:${!kernel_var},}"
DEPLOY_RAMDISK_BY_ARCH+="${!ramdisk_var:+${IPA_ARCH}:${!ramdisk_var},}"
done
if [[ -n "${DEPLOY_KERNEL_BY_ARCH}" ]] && [[ -n "${DEPLOY_RAMDISK_BY_ARCH}" ]]; then
export DEPLOY_KERNEL_BY_ARCH="${DEPLOY_KERNEL_BY_ARCH%?}"
export DEPLOY_RAMDISK_BY_ARCH="${DEPLOY_RAMDISK_BY_ARCH%?}"
fi
if [[ -f "${IRONIC_CONF_DIR}/ironic.conf" ]]; then
# Make a copy of the original supposed empty configuration file
cp "${IRONIC_CONF_DIR}/ironic.conf" "${IRONIC_CONF_DIR}/ironic.conf.orig"
fi
BOOTLOADER_BY_ARCH=""
for bootloader in /templates/uefi_esp_*.img; do
BOOTLOADER_ARCH="$(basename "${bootloader#/templates/uefi_esp_}" .img)"
BOOTLOADER_BY_ARCH+="${BOOTLOADER_ARCH}:file://${bootloader},"
done
export BOOTLOADER_BY_ARCH="${BOOTLOADER_BY_ARCH%?}"
# oslo.config also supports Config Opts From Environment, log them to stdout
echo 'Options set from Environment variables'
env | grep "^OS_" || true
mkdir -p /shared/html
if [[ -f /proc/sys/crypto/fips_enabled ]]; then
ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)
export ENABLE_FIPS_IPA
fi
# The original ironic.conf is empty, and can be found in ironic.conf_orig
render_j2_config "/etc/ironic/ironic.conf.j2" \
"${IRONIC_CONF_DIR}/ironic.conf"
configure_json_rpc_auth
# Make sure ironic traffic bypasses any proxies
export NO_PROXY="${NO_PROXY:-}"
if [[ -n "$IRONIC_IPV6" ]]; then
export NO_PROXY="${NO_PROXY},${IRONIC_IPV6}"
fi
if [[ -n "$IRONIC_IP" ]]; then
export NO_PROXY="${NO_PROXY},${IRONIC_IP}"
fi
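Review bot: The MariaDB password is expanded while xtrace is on: this file starts with `set -euxo pipefail`, so both the `[[ -z "${MARIADB_PASSWORD:-}" ]]` test and the `export MARIADB_CONNECTION="mysql+pymysql://...:${MARIADB_PASSWORD}@..."` line are traced with the secret in clear text, which would end up in the container's stderr log. `configure_json_rpc_auth`, shown earlier on this page, already brackets its password write with `set +x` / `set -x`; the same bracket belongs around the whole `IRONIC_USE_MARIADB` block, with `set +x` before the `if` and `set -x` after its closing `fi`. The dbsync job script further down sources this file under `set -x` as well, so it inherits the same exposure. Separately, `env | grep "^OS_" || true` prints the values of all `OS_`-prefixed variables, which presumably can include credential-bearing oslo.config options, so printing only the names would be safer.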


@@ -0,0 +1,295 @@
#!/usr/bin/bash
set -euxo pipefail
# Export IRONIC_IP to avoid needing to lean on IRONIC_URL_HOST for consumption in
# e.g. dnsmasq configuration
export IRONIC_IP="${IRONIC_IP:-}"
IRONIC_IPV6="${IRONIC_IPV6:-}"
PROVISIONING_INTERFACE="${PROVISIONING_INTERFACE:-}"
PROVISIONING_IP="${PROVISIONING_IP:-}"
PROVISIONING_MACS="${PROVISIONING_MACS:-}"
IRONIC_URL_HOSTNAME="${IRONIC_URL_HOSTNAME:-}"
IPXE_CUSTOM_FIRMWARE_DIR="${IPXE_CUSTOM_FIRMWARE_DIR:-/shared/custom_ipxe_firmware}"
CUSTOM_CONFIG_DIR="${CUSTOM_CONFIG_DIR:-/conf}"
CUSTOM_DATA_DIR="${CUSTOM_DATA_DIR:-/data}"
export DNSMASQ_CONF_DIR="${CUSTOM_CONFIG_DIR}/dnsmasq"
export DNSMASQ_DATA_DIR="${CUSTOM_DATA_DIR}/dnsmasq"
export DNSMASQ_TEMP_DIR="${CUSTOM_CONFIG_DIR}/dnsmasq"
export HTTPD_DIR="${CUSTOM_CONFIG_DIR}/httpd"
export HTTPD_CONF_DIR="${HTTPD_DIR}/conf"
export HTTPD_CONF_DIR_D="${HTTPD_DIR}/conf.d"
export IRONIC_CONF_DIR="${CUSTOM_CONFIG_DIR}/ironic"
export IRONIC_DB_DIR="${CUSTOM_DATA_DIR}/db"
export IRONIC_GEN_CERT_DIR="${CUSTOM_DATA_DIR}/auto_gen_certs"
export IRONIC_TMP_DATA_DIR="${CUSTOM_DATA_DIR}/tmp"
export PROBE_CONF_DIR="${CUSTOM_CONFIG_DIR}/probes"
mkdir -p "${IRONIC_CONF_DIR}" "${PROBE_CONF_DIR}" "${HTTPD_CONF_DIR}" \
"${HTTPD_CONF_DIR_D}" "${DNSMASQ_CONF_DIR}" "${DNSMASQ_TEMP_DIR}" \
"${IRONIC_DB_DIR}" "${IRONIC_GEN_CERT_DIR}" "${DNSMASQ_DATA_DIR}" \
"${IRONIC_TMP_DATA_DIR}"
export HTPASSWD_FILE="${IRONIC_CONF_DIR}/htpasswd"
export LOCAL_DB_URI="sqlite:///${IRONIC_DB_DIR}/ironic.sqlite"
export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
get_ip_of_hostname()
{
if [[ "$#" -ne 2 ]]; then
echo "${FUNCNAME}: two parameters required, $# provided" >&2
return 1
fi
case $2 in
4)
QUERY="a";;
6)
QUERY="aaaa";;
*)
echo "${FUNCNAME}: the second parameter should be [a|aaaa] for A and AAAA records"
return 1;;
esac
local HOSTNAME=$1
echo $(nslookup -type=${QUERY} "${HOSTNAME}" | tail -n2 | grep -w "Address:" | cut -d " " -f2)
}
get_interface_of_ip()
{
local IP_VERS=""
if [[ "$#" -gt 2 ]]; then
echo "${FUNCNAME}: too many parameters" >&2
return 1
fi
if [[ "$#" -eq 2 ]]; then
case $2 in
4|6)
local IP_VERS="-${2}"
;;
*)
echo "${FUNCNAME}: the second parameter should be [4|6] (or missing for both)" >&2
return 2
;;
esac
fi
local IP_ADDR=$1
# Convert the address using ipcalc which strips out the subnet.
# For IPv6 addresses, this will give the short-form address
IP_ADDR="$(ipcalc "${IP_ADDR}" | grep "^Address:" | awk '{print $2}')"
echo $(ip ${IP_VERS} -br addr show scope global | grep -i " ${IP_ADDR}/" | cut -f 1 -d ' ' | cut -f 1 -d '@')
}
get_ip_of_interface()
{
local IP_VERS=""
if [[ "$#" -gt 2 ]]; then
echo "${FUNCNAME}: too many parameters" >&2
return 1
fi
if [[ "$#" -eq 2 ]]; then
case $2 in
4|6)
local IP_VERS="-${2}"
;;
*)
echo "${FUNCNAME}: the second parameter should be [4|6] (or missing for both)" >&2
return 2
;;
esac
fi
local IFACE=$1
echo $(ip ${IP_VERS} -br addr show scope global up dev ${IFACE} | awk '{print $3}' | sed -e 's%/.*%%' | head -n 1)
}
get_provisioning_interface()
{
if [[ -n "$PROVISIONING_INTERFACE" ]]; then
# don't override the PROVISIONING_INTERFACE if one is provided
echo "$PROVISIONING_INTERFACE"
return
fi
local interface=""
for mac in ${PROVISIONING_MACS//,/ }; do
if ip -br link show up | grep -i "$mac" &>/dev/null; then
interface="$(ip -br link show up | grep -i "$mac" | cut -f 1 -d ' ' | cut -f 1 -d '@')"
break
fi
done
echo "$interface"
}
PROVISIONING_INTERFACE="$(get_provisioning_interface)"
export PROVISIONING_INTERFACE
export LISTEN_ALL_INTERFACES="${LISTEN_ALL_INTERFACES:-true}"
# Wait for the interface or IP to be up, sets $IRONIC_IP
wait_for_interface_or_ip()
{
# If $PROVISIONING_IP is specified, then we wait for that to become
# available on an interface, otherwise we look at $PROVISIONING_INTERFACE
# for an IP
if [[ -n "${PROVISIONING_IP}" ]]; then
local IFACE_OF_IP=""
until [[ -n "$IFACE_OF_IP" ]]; do
echo "Waiting for ${PROVISIONING_IP} to be configured on an interface..."
IFACE_OF_IP="$(get_interface_of_ip "${PROVISIONING_IP}")"
sleep 1
done
echo "Found $PROVISIONING_IP on interface \"${IFACE_OF_IP}\"!"
export PROVISIONING_INTERFACE="$IFACE_OF_IP"
# If the IP contains a colon, then it's an IPv6 address
if [[ "$PROVISIONING_IP" =~ .*:.* ]]; then
export IRONIC_IPV6="$PROVISIONING_IP"
export IRONIC_IP=""
else
export IRONIC_IP="$PROVISIONING_IP"
fi
elif [[ -n "${IRONIC_IP}" ]]; then
if [[ "$IRONIC_IP" =~ .*:.* ]]; then
export IRONIC_IPV6="$IRONIC_IP"
export IRONIC_IP=""
fi
elif [[ -n "${PROVISIONING_INTERFACE}" ]]; then
until [[ -n "$IRONIC_IPV6" ]] || [[ -n "$IRONIC_IP" ]]; do
echo "Waiting for ${PROVISIONING_INTERFACE} interface to be configured..."
IRONIC_IPV6="$(get_ip_of_interface "${PROVISIONING_INTERFACE}" 6)"
sleep 1
IRONIC_IP="$(get_ip_of_interface "${PROVISIONING_INTERFACE}" 4)"
sleep 1
done
if [[ -n "$IRONIC_IPV6" ]]; then
echo "Found $IRONIC_IPV6 on interface \"${PROVISIONING_INTERFACE}\"!"
export IRONIC_IPV6
fi
if [[ -n "$IRONIC_IP" ]]; then
echo "Found $IRONIC_IP on interface \"${PROVISIONING_INTERFACE}\"!"
export IRONIC_IP
fi
elif [[ -n "$IRONIC_URL_HOSTNAME" ]]; then
local IPV6_IFACE=""
local IPV4_IFACE=""
# we should get at least one IP address
until [[ -n "$IPV6_IFACE" ]] || [[ -n "$IPV4_IFACE" ]]; do
local IPV6_RECORD=""
local IPV4_RECORD=""
IPV6_RECORD="$(get_ip_of_hostname "${IRONIC_URL_HOSTNAME}" 6)"
IPV4_RECORD="$(get_ip_of_hostname "${IRONIC_URL_HOSTNAME}" 4)"
# We couldn't get any IP
if [[ -z "$IPV4_RECORD" ]] && [[ -z "$IPV6_RECORD" ]]; then
echo "${FUNCNAME}: no valid IP found for hostname ${IRONIC_URL_HOSTNAME}" >&2
return 1
fi
echo "Waiting for ${IPV6_RECORD} to be configured on an interface"
IPV6_IFACE="$(get_interface_of_ip "${IPV6_RECORD}" 6)"
sleep 1
echo "Waiting for ${IPV4_RECORD} to be configured on an interface"
IPV4_IFACE="$(get_interface_of_ip "${IPV4_RECORD}" 4)"
sleep 1
done
# Add some debugging output
if [[ -n "$IPV6_IFACE" ]]; then
echo "Found $IPV6_RECORD on interface \"${IPV6_IFACE}\"!"
export IRONIC_IPV6="$IPV6_RECORD"
fi
if [[ -n "$IPV4_IFACE" ]]; then
echo "Found $IPV4_RECORD on interface \"${IPV4_IFACE}\"!"
export IRONIC_IP="$IPV4_RECORD"
fi
# Make sure both IPs are asigned to the same interface
if [[ -n "$IPV6_IFACE" ]] && [[ -n "$IPV4_IFACE" ]] && [[ "$IPV6_IFACE" != "$IPV4_IFACE" ]]; then
echo "Warning, the IPv4 and IPv6 addresses from \"${HOSTNAME}\" are assigned to different " \
"interfaces (\"${IPV6_IFACE}\" and \"${IPV4_IFACE}\")" >&2
fi
else
echo "Cannot determine an interface or an IP for binding and creating URLs"
return 1
fi
# Define the URLs based on the what we have found,
# prioritize IPv6 for IRONIC_URL_HOST
if [[ -n "$IRONIC_IP" ]]; then
export ENABLE_IPV4=yes
export IRONIC_URL_HOST="$IRONIC_IP"
fi
if [[ -n "$IRONIC_IPV6" ]]; then
export ENABLE_IPV6=yes
export IRONIC_URL_HOST="[${IRONIC_IPV6}]" # The HTTP host needs surrounding with brackets
fi
# Once determined if we have IPv4 and/or IPv6, override the hostname if provided
if [[ -n "$IRONIC_URL_HOSTNAME" ]]; then
IRONIC_URL_HOST=$IRONIC_URL_HOSTNAME
fi
# Avoid having to construct full URL multiple times while allowing
# the override of IRONIC_HTTP_URL for environments in which IRONIC_IP
# is unreachable from hosts being provisioned.
export IRONIC_HTTP_URL="${IRONIC_HTTP_URL:-http://${IRONIC_URL_HOST}:${HTTP_PORT}}"
export IRONIC_TFTP_URL="${IRONIC_TFTP_URL:-tftp://${IRONIC_URL_HOST}}"
export IRONIC_BASE_URL=${IRONIC_BASE_URL:-"${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"}
}
render_j2_config()
{
python3.11 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
}
run_ironic_dbsync()
{
if [[ "${IRONIC_USE_MARIADB}" == "true" ]]; then
# It's possible for the dbsync to fail if mariadb is not up yet, so
# retry until success
until ironic-dbsync --config-file "${IRONIC_CONF_DIR}/ironic.conf" upgrade; do
echo "WARNING: ironic-dbsync failed, retrying"
sleep 1
done
else
# SQLite does not support some statements. Fortunately, we can just
# create the schema in one go if not already created, instead of going
# through an upgrade
cp "/var/lib/ironic/ironic.sqlite" "${IRONIC_DB_DIR}/ironic.sqlite"
DB_VERSION="$(ironic-dbsync --config-file "${IRONIC_CONF_DIR}/ironic.conf" version)"
if [[ "${DB_VERSION}" == "None" ]]; then
ironic-dbsync --config-file "${IRONIC_CONF_DIR}/ironic.conf" create_schema
fi
fi
}
# Use the special value "unix" for unix sockets
export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-unix}
export IRONIC_ACCESS_PORT=${IRONIC_ACCESS_PORT:-6385}
export IRONIC_LISTEN_PORT=${IRONIC_LISTEN_PORT:-$IRONIC_ACCESS_PORT}
export IRONIC_ENABLE_DISCOVERY=${IRONIC_ENABLE_DISCOVERY:-${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}}
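Review bot: The interface-mismatch warning at the end of the hostname branch of `wait_for_interface_or_ip` prints `${HOSTNAME}`, which there is bash's own host name variable (the `local HOSTNAME` in `get_ip_of_hostname` is out of scope), not the name that was resolved; it should print `\"${IRONIC_URL_HOSTNAME}\"`. In `get_ip_of_hostname` the `*)` arm writes its message to stdout, where callers using `$(...)` would capture it as if it were an address, and the text says `[a|aaaa]` although the accepted values are `4` and `6`; `echo "${FUNCNAME[0]}: the second parameter should be [4|6]" >&2` fixes both. `QUERY` is also assigned without `local`, so it leaks into every script that sources this file.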


@@ -0,0 +1,23 @@
#!/bin/bash
set -eu -o pipefail
# shellcheck disable=SC1091
. /bin/ironic-common.sh
# shellcheck disable=SC1091
. /bin/auth-common.sh
PROBE_CURL_ARGS=
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
if [[ "${IRONIC_PRIVATE_PORT}" == "unix" ]]; then
PROBE_URL="http://127.0.0.1:6385"
PROBE_CURL_ARGS="--unix-socket /shared/ironic.sock"
else
PROBE_URL="http://127.0.0.1:${IRONIC_PRIVATE_PORT}"
fi
else
PROBE_URL="${IRONIC_BASE_URL}"
fi
# shellcheck disable=SC2086
curl -sSf ${PROBE_CURL_ARGS} "${PROBE_URL}"
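Review bot: In the `else` branch, `PROBE_URL="${IRONIC_BASE_URL}"` runs under `set -u`, but on this page `IRONIC_BASE_URL` is only exported inside `wait_for_interface_or_ip`, which this script sources without calling. Unless the pod environment or auth-common.sh supplies it, the probe would abort with an unbound-variable error rather than a curl failure. `PROBE_URL="${IRONIC_BASE_URL:?IRONIC_BASE_URL must be set for the probe}"` makes that dependency explicit. The unquoted `${PROBE_CURL_ARGS}` behind the SC2086 suppression would read better as an array: `PROBE_CURL_ARGS=(--unix-socket /shared/ironic.sock)` and `curl -sSf "${PROBE_CURL_ARGS[@]}" "${PROBE_URL}"`.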


@@ -0,0 +1,10 @@
#!/usr/bin/bash
set -euxo pipefail
# shellcheck disable=SC1091
. /bin/configure-ironic.sh
# NOTE(dtantsur): no retries here: this script is supposed to be run as a Job
# that is retried on failure.
exec ironic-dbsync --config-file "${IRONIC_CONF_DIR}/ironic.conf" upgrade

Some files were not shown because too many files have changed in this diff Show More