Let Apache use separate IPv4 and IPv6 sockets for listening to any

Enable the use of two separate sockets for IPv4 and IPv6 when
LISTEN_ALL_INTERFACES is set to true. While desirable, on Linux Apache uses
IPv4-mapped IPv6 addresses by default, thus leveraging a single IPv6 socket
for IPv4 connections as well.

This behaviour is far from being desirable and can be disabled at compile
time via the "--disable-v4-mapped" flag, so make sure both an ANY address
Listen directive is present for both IPv4 and IPv6. When Apache is compiled
with "--enable-v4-mapped", the IPv4 socket will be simply ignored.

Please see https://httpd.apache.org/docs/2.4/bind.html for more
information.

Signed-off-by: Marco Chiappero <marco.chiappero@suse.com>

.gitea/workflows/check_manifest.yaml

@@ -17,7 +17,7 @@ jobs:
           object-format: 'sha256'
       - name: Setup dependencies
         run: |
-          zypper in -y python3-PyYAML
+          zypper in -y python3-ruamel.yaml
       - name: Check release manifest
         run: |
-          python3 .obs/manifest-check.py
+          python3 .obs/manifest-check.py --check

.obs/manifest-check.py

@@ -1,11 +1,15 @@
 #!/usr/bin/python3
 
-import yaml
+import ruamel.yaml
+import pathlib
+import argparse
 import sys
 
+yaml = ruamel.yaml.YAML()
+
 def get_chart_version(chart_name: str) -> str:
     with open(f"./{chart_name}-chart/Chart.yaml") as f:
-        chart = yaml.safe_load(f)
+        chart = yaml.load(f)
         return chart["version"]
 
 def get_charts(chart):
@@ -21,22 +25,57 @@ def get_charts(chart):
 
 def get_charts_list():
     with open("./release-manifest-image/release_manifest.yaml") as f:
-        manifest = yaml.safe_load(f)
+        manifest = yaml.load(f)
     charts = {}
     for chart in manifest["spec"]["components"]["workloads"]["helm"]:
         charts.update(get_charts(chart))
     return charts
 
-def main():
+def check_charts(fix: bool) -> bool:
-    print("Checking charts versions in release manifest")
     success = True
     charts = get_charts_list()
+    to_fix = {}
     for chart in charts:
         expected_version = get_chart_version(chart)
         if expected_version != charts[chart]:
             success = False
+            to_fix[f'%%CHART_REPO%%/%%CHART_PREFIX%%{chart}'] = expected_version
             print(f"{chart}: Expected: {expected_version}, Got: {charts[chart]}")
-    if not success:
+    if fix and not success:
+        fix_charts(to_fix)
+        return True
+    return success
+
+def fix_charts(to_fix):
+    manifest_path = pathlib.Path("./release-manifest-image/release_manifest.yaml")
+    manifest = yaml.load(manifest_path)
+    yaml.indent(mapping=2, sequence=4, offset=2)
+    yaml.width = 4096
+    for chart_index, chart in enumerate(manifest["spec"]["components"]["workloads"]["helm"]):
+        changed = False
+        if chart["chart"] in to_fix.keys():
+            changed = True
+            chart["version"] = to_fix[chart["chart"]]
+        for subchart_index, subchart in enumerate(chart.get("addonCharts", [])):
+            if subchart["chart"] in to_fix.keys():
+                changed = True
+                subchart["version"] = to_fix[subchart["chart"]]
+                chart["addonCharts"][subchart_index] = subchart
+        for subchart_index, subchart in enumerate(chart.get("dependencyCharts", [])):
+            if subchart["chart"] in to_fix.keys():
+                changed = True
+                subchart["version"] = to_fix[subchart["chart"]]
+                chart["dependencyCharts"][subchart_index] = subchart
+        if changed:
+            manifest["spec"]["components"]["workloads"]["helm"][chart_index] = chart
+    yaml.dump(manifest, manifest_path)
+
+def main():
+    print("Checking charts versions in release manifest")
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-c', '--check', action='store_true')
+    args = parser.parse_args()
+    if not check_charts(not args.check):
         sys.exit(1)
     else:
         print("All local charts in release manifest are using the right version")

.pre-commit-config.yaml

@@ -0,0 +1,10 @@
+repos:
+  - repo: local
+    hooks:
+      - id: check-manifest
+        name: "Check release-manifest"
+        entry: .obs/manifest-check.py
+        language: python
+        additional_dependencies: ['ruamel.yaml']
+        pass_filenames: false
+        always_run: true

_config

@@ -1,4 +1,5 @@
 Prefer: -libqpid-proton10 -python311-urllib3_1
+Prefer: -cargo1.58 -cargo1.57 cargo1.88
 
 Macros:
 %__python3 /usr/bin/python3.11
@@ -105,7 +106,7 @@ BuildFlags: onlybuild:release-manifest-image
     Patterntype: none
     BuildEngine: podman
     Prefer: sles-release
-    BuildFlags: dockerarg:SLE_VERSION=15.6
+    BuildFlags: dockerarg:SLE_VERSION=15.7
 
     # Publish multi-arch container images only once all archs have been built
     PublishFlags: archsync

_meta

@@ -45,7 +45,7 @@
       <path project="SUSE:SLFO:Products:SLES:16.0" repository="standard"/>
       <path project="SUSE:SLFO:Main:Build" repository="standard"/>
     {%- else %}
-      <path project="SUSE:CA" repository="SLE_15_SP6"/>
+      <path project="SUSE:CA" repository="SLE_15_SP7"/>
       <path project="{{ project }}" repository="standard"/>
     {%- endif %}
     <arch>x86_64</arch>
@@ -56,8 +56,8 @@
     {%- if release_project is defined and not for_release %}
     <releasetarget project="{{ release_project }}" repository="standard" trigger="manual"/>
     {%- endif %}
-    <path project="{{ ironic_base }}:2024.2" repository="15.6"/>
+    <path project="{{ ironic_base }}:2025.1" repository="15.7"/>
-    <path project="SUSE:SLE-15-SP6:Update" repository="standard"/>
+    <path project="SUSE:SLE-15-SP7:Update" repository="standard"/>
     <arch>x86_64</arch>
     <arch>aarch64</arch>
   </repository>

baremetal-operator-image/Dockerfile

@@ -1,7 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.1
 #!BuildTag: %%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%.1-%RELEASE%
-#!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 

edge-image-builder-image/Dockerfile

@@ -1,6 +1,5 @@
 #!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.2.1
 #!BuildTag: %%IMG_PREFIX%%edge-image-builder:1.2.1-%RELEASE%
-#!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION
 MAINTAINER SUSE LLC (https://www.suse.com/)

endpoint-copier-operator-image/Dockerfile

@@ -1,7 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator:%%endpoint-copier-operator_version%%
 #!BuildTag: %%IMG_PREFIX%%endpoint-copier-operator:%%endpoint-copier-operator_version%%-%RELEASE%
-#!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 

frr-image/Dockerfile

@@ -1,7 +1,6 @@
 # SPDX-License-Identifier: MIT
 #!BuildTag: %%IMG_PREFIX%%frr:8.5.6
 #!BuildTag: %%IMG_PREFIX%%frr:8.5.6-%RELEASE%
-#!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 

frr-k8s-image/Dockerfile

@@ -1,7 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #!BuildTag: %%IMG_PREFIX%%frr-k8s:v%%frr-k8s_version%%
 #!BuildTag: %%IMG_PREFIX%%frr-k8s:v%%frr-k8s_version%%-%RELEASE%
-#!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 

ironic-image/Dockerfile

@@ -1,7 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.4
+#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.0
-#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.4-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic:29.0.4.0-%RELEASE%
-#!BuildVersion: 15.6
 
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -20,11 +19,11 @@ RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes
 
 #!ArchExclusiveLine: x86_64
 RUN if [ "$(uname -m)" = "x86_64" ];then \
-      zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api; \
+      zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
     fi
 #!ArchExclusiveLine: aarch64
 RUN if [ "$(uname -m)" = "aarch64" ];then \
-      zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api; \
+      zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 bind-utils procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic; \
     fi
     
 # DATABASE
@@ -42,8 +41,8 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opencontainers.image.version="26.1.2.4"
+LABEL org.opencontainers.image.version="29.0.4.0"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:26.1.2.4-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:29.0.4.0-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -69,11 +68,14 @@ RUN mkdir -p $GRUB_DIR
 
 COPY scripts/ /bin/
 COPY configure-nonroot.sh /bin/
-RUN set -euo pipefail; chmod +x /bin/configure-ironic.sh /bin/rundnsmasq /bin/runhttpd /bin/runironic /bin/runironic-exporter /bin/runlogwatch.sh /bin/configure-nonroot.sh
+RUN set -euo pipefail; chmod +x /bin/configure-ironic.sh /bin/ironic-probe.sh /bin/rundatabase-upgrade /bin/rundnsmasq /bin/runhttpd /bin/runironic /bin/runlogwatch.sh /bin/runonline-data-migrations /bin/configure-nonroot.sh
+
+RUN mv /bin/ironic-probe.sh /bin/ironic-readiness
+RUN cp /bin/ironic-readiness /bin/ironic-liveness
 
 COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 \
      ironic-config/ipxe_config.template ironic-config/dnsmasq.conf.j2 \
-     /templates/
+     /tmp/
 
 # IRONIC #
 RUN cp /usr/share/ipxe/undionly.kpxe /tftpboot/undionly.kpxe
@@ -98,8 +100,8 @@ RUN rm /etc/ironic/ironic.conf.d/010-ironic.conf
 # Custom httpd config, removes all but the bare minimum needed modules
 COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
 COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
-COPY ironic-config/apache2-vmedia.conf.j2 /templates/httpd-vmedia.conf.j2
+COPY ironic-config/apache2-vmedia.conf.j2 /tmp/httpd-vmedia.conf.j2
-COPY ironic-config/apache2-ipxe.conf.j2 /templates/httpd-ipxe.conf.j2
+COPY ironic-config/apache2-ipxe.conf.j2 /tmp/httpd-ipxe.conf.j2
 
 # configure non-root user and set relevant permissions
 RUN configure-nonroot.sh && rm -f /bin/configure-nonroot.sh

ironic-image/configure-nonroot.sh

@@ -1,53 +1,70 @@
 #!/usr/bin/bash
 
+# This script changes permissions to allow Ironic container to run as non-root
+# user. As the same image is used to run ironic, ironic-httpd, ironic-dsnmasq,
+# and ironic-log-watch via BMO's ironic k8s manifest, it has
+# to be configured to work with multiple different users and groups, while they
+# share files via bind mounts (/shared, /certs/*), which can only get one
+# group id as "fsGroup". Additionally, dnsmasq needs three capabilities to run
+# which we provide via "setcap", and "allowPrivilegeEscalation: true" in
+# manifest.
+
+set -eux
+
+# user and group are from ironic rpms (uid 997, gid 994)
 NONROOT_UID=10475
 NONROOT_GID=10475
-USER="ironic-suse"
+IRONIC_USER="ironic-suse"
+IRONIC_GROUP="ironic-suse"
 
-groupadd -r -g ${NONROOT_GID} ${USER}
+groupadd -r -g ${NONROOT_GID} ${IRONIC_GROUP}
 useradd -r -g ${NONROOT_GID} \
            -u ${NONROOT_UID} \
            -d /var/lib/ironic \
            -s /sbin/nologin \
-           ${USER}
+           ${IRONIC_USER}
 
-# create ironic's http_root directory
+# most containers mount /shared but dnsmasq can live without it
-mkdir -p /shared/html
+mkdir -p /shared
-chown "${NONROOT_UID}":"${NONROOT_GID}" /shared/html
+mkdir -p /data
+mkdir -p /conf
+chown "${IRONIC_USER}":"${IRONIC_GROUP}" /shared
+chown "${IRONIC_USER}":"${IRONIC_GROUP}" /data
+chown "${IRONIC_USER}":"${IRONIC_GROUP}" /conf
 
 # we'll bind mount shared ca and ironic certificate dirs here
 # that need to have correct ownership as the entire ironic in BMO
 # deployment shares a single fsGroup in manifest's securityContext
 mkdir -p /certs/ca
-chown "${NONROOT_UID}":"${NONROOT_GID}" /certs{,/ca}
+chown "${IRONIC_USER}":"${IRONIC_GROUP}" /certs{,/ca}
 chmod 2775 /certs{,/ca}
 
 # apache2 permission changes
-chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/apache2
+chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/apache2
-chown -R "${NONROOT_UID}":"${NONROOT_GID}" /run
+chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /run
 
 # ironic and httpd related changes
 mkdir -p /etc/httpd/conf.d
-chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/ironic /etc/httpd /etc/httpd
+chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
-chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/log
 chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
-chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*
+#chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*
+chmod 664 /etc/ironic/* /etc/httpd/conf/*
 
-chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ironic
+chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /var/lib/ironic
+chmod 2775 /var/lib/ironic
 chmod 664 /var/lib/ironic/ironic.sqlite
 
 # dnsmasq, and the capabilities required to run it as non-root user
-chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/dnsmasq.conf /var/lib/dnsmasq
+chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /etc/dnsmasq.conf
-chmod 2775 /var/lib/dnsmasq
+#handled at chart level
-touch /var/lib/dnsmasq/dnsmasq.leases
+#setcap "cap_net_raw,cap_net_admin,cap_net_bind_service=+eip" /usr/sbin/dnsmasq
-chmod 664 /etc/dnsmasq.conf /var/lib/dnsmasq/dnsmasq.leases
 
 # ca-certificates permission changes
 touch /var/lib/ca-certificates/ca-bundle.pem.new
-chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ca-certificates/
+chown -R "${IRONIC_USER}":"${IRONIC_GROUP}" /var/lib/ca-certificates/
 chmod -R +w /var/lib/ca-certificates/
 
 # probes that are created before start
 touch /bin/ironic-{readi,live}ness
-chown root:"${NONROOT_GID}" /bin/ironic-{readi,live}ness
+chown root:"${IRONIC_GROUP}" /bin/ironic-{readi,live}ness
 chmod 775 /bin/ironic-{readi,live}ness

ironic-image/ironic-config/apache2-ipxe.conf.j2

@@ -1,4 +1,5 @@
-Listen {{ env.IPXE_TLS_PORT }}
+Listen 0.0.0.0:{{ env.IPXE_TLS_PORT }}
+Listen [::]:{{ env.IPXE_TLS_PORT }}
 
 <VirtualHost *:{{ env.IPXE_TLS_PORT }}>
     ErrorLog /dev/stderr

ironic-image/ironic-config/apache2-vmedia.conf.j2

@@ -1,4 +1,5 @@
-Listen {{ env.VMEDIA_TLS_PORT }}
+Listen 0.0.0.0:{{ env.VMEDIA_TLS_PORT }}
+Listen [::]:{{ env.VMEDIA_TLS_PORT }}
 
 <VirtualHost *:{{ env.VMEDIA_TLS_PORT }}>
     ErrorLog /dev/stderr

ironic-image/ironic-config/httpd-ironic-api.conf.j2

@@ -12,11 +12,21 @@
 
 
 {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
-Listen {{ env.IRONIC_LISTEN_PORT }}
+Listen 0.0.0.0:{{ env.IRONIC_LISTEN_PORT }}
+Listen [::]:{{ env.IRONIC_LISTEN_PORT }}
  <VirtualHost *:{{ env.IRONIC_LISTEN_PORT }}>
 {% else %}
-Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
+{% if env.ENABLE_IPV4 %}
- <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}>
+Listen {{ env.IRONIC_IP }}:{{ env.IRONIC_LISTEN_PORT }}
+{% endif %}
+{% if env.ENABLE_IPV6 %}
+Listen [{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}
+{% endif %}
+{% if env.IRONIC_URL_HOSTNAME is defined and env.IRONIC_URL_HOSTNAME|length %}
+<VirtualHost {{ env.IRONIC_URL_HOSTNAME }}:{{ env.IRONIC_LISTEN_PORT }}>
+{% else %}
+<VirtualHost {% if env.ENABLE_IPV4 %}{{ env.IRONIC_IP }}:{{ env.IRONIC_LISTEN_PORT }}{% endif %} {% if env.ENABLE_IPV6 %}[{{ env.IRONIC_IPV6 }}]:{{ env.IRONIC_LISTEN_PORT }}{% endif %}>
+{% endif %}
 {% endif %}
 
     {% if env.IRONIC_PRIVATE_PORT == "unix" %}

ironic-image/ironic-config/httpd.conf.j2

@@ -1,8 +1,14 @@
 ServerRoot {{ env.HTTPD_DIR }}
 {%- if env.LISTEN_ALL_INTERFACES | lower == "true" %}
-Listen {{ env.HTTP_PORT }}
+Listen 0.0.0.0:{{ env.HTTP_PORT }}
+Listen [::]:{{ env.HTTP_PORT }}
 {% else %}
-Listen {{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
+{% if env.ENABLE_IPV4 %}
+Listen {{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}
+{% endif %}
+{% if env.ENABLE_IPV6 %}
+Listen [{{ env.IRONIC_IPV6 }}]:{{ env.HTTP_PORT }}
+{% endif %}
 {% endif %}
 Include /etc/httpd/conf.modules.d/*.conf
 User ironic-suse
@@ -64,7 +70,7 @@ AddDefaultCharset UTF-8
     MIMEMagicFile conf/magic
 </IfModule>
 
-PidFile {{ env.IRONIC_TMP_DATA_DIR }}/httpd.pid
+PidFile /var/tmp/httpd.pid
 
 # EnableSendfile directive could speed up deployments but it could also cause
 # issues depending on the underlying file system, to learn more:

ironic-image/ironic-config/inspector.ipxe.j2

@@ -5,6 +5,6 @@ echo In inspector.ipxe
 imgfree
 # NOTE(dtantsur): keep inspection kernel params in [mdns]params in
 # ironic-inspector-image and configuration in configure-ironic.sh
-kernel --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent-${buildarch}.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
+kernel --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent-${buildarch}.kernel ipa-insecure={{ env.IPA_INSECURE }} ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent-${buildarch}.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
-initrd --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent.initramfs || goto retry_boot
+initrd --timeout 60000 {{ env.IRONIC_HTTP_URL }}/images/ironic-python-agent-${buildarch}.initramfs || goto retry_boot
 boot

ironic-image/ironic-config/ironic.conf.j2

@@ -25,8 +25,15 @@ rpc_transport = none
 use_stderr = true
 # NOTE(dtantsur): the default md5 is not compatible with FIPS mode
 hash_ring_algorithm = sha256
+{% if env.ENABLE_IPV4 %}
 my_ip = {{ env.IRONIC_IP }}
+{% endif %}
+{% if env.ENABLE_IPV6 %}
+my_ipv6 = {{ env.IRONIC_IPV6 }}
+{% endif %}
+
 host = {{ env.IRONIC_CONDUCTOR_HOST }}
+tempdir = {{ env.IRONIC_TMP_DATA_DIR }}
 
 # If a path to a certificate is defined, use that first for webserver
 {% if env.WEBSERVER_CACERT_FILE %}
@@ -64,7 +71,7 @@ port = {{ env.IRONIC_PRIVATE_PORT }}
 {% endif %}
 public_endpoint = {{ env.IRONIC_BASE_URL }}
 {% else %}
-host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
+host_ip = {{ env.IRONIC_HOST_IP }}
 port = {{ env.IRONIC_LISTEN_PORT }}
 {% if env.IRONIC_TLS_SETUP == "true" %}
 enable_ssl_api = true
@@ -84,7 +91,7 @@ send_sensor_data = {{ env.SEND_SENSOR_DATA }}
 # Power state is checked every 60 seconds and BMC activity should
 # be avoided more often than once every sixty seconds.
 send_sensor_data_interval = 160
-bootloader = file:///templates/uefi_esp.img
+bootloader = {{ env.IRONIC_HTTP_URL }}/uefi_esp-{{ env.DEPLOY_ARCHITECTURE }}.img
 verify_step_priority_override = management.clear_job_queue:90
 # We don't use this feature, and it creates an additional load on the database
 node_history = False
@@ -99,9 +106,6 @@ deploy_ramdisk = file://{{ env.IRONIC_DEFAULT_RAMDISK }}
 {% if env.DISABLE_DEEP_IMAGE_INSPECTION | lower == "true" %}
 disable_deep_image_inspection = True
 {% endif %}
-# Allowed path for file:// links: ipa-downloader uses /shared/html/images,
-# while the bootloader configuration above refers to /templates.
-file_url_allowed_paths = /shared/html/images,/templates
 
 [database]
 {% if env.IRONIC_USE_MARIADB | lower == "true" %}
@@ -183,7 +187,7 @@ cipher_suite_versions = 3,17
 # containers are in host networking.
 auth_strategy = http_basic
 http_basic_auth_user_file = {{ env.IRONIC_RPC_HTPASSWD_FILE }}
-host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
+host_ip = {{ env.IRONIC_HOST_IP }}
 {% if env.IRONIC_TLS_SETUP == "true" %}
 use_ssl = true
 cafile = {{ env.IRONIC_CACERT_FILE }}
@@ -194,11 +198,6 @@ insecure = {{ env.IRONIC_INSECURE }}
 [nova]
 send_power_notifications = false
 
-[oslo_messaging_notifications]
-driver = prometheus_exporter
-location = /shared/ironic_prometheus_exporter
-transport_url = fake://
-
 [pxe]
 # NOTE(dtantsur): keep this value at least 3x lower than
 # [conductor]deploy_callback_timeout so that at least some retries happen.
@@ -208,7 +207,7 @@ images_path = /shared/html/tmp
 instance_master_path = /shared/html/master_images
 tftp_master_path = /shared/tftpboot/master_images
 tftp_root = /shared/tftpboot
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 # This makes networking boot templates generated even for nodes using local
 # boot (the default), ensuring that they boot correctly even if they start
 # netbooting for some reason (e.g. with the noop management interface).
@@ -216,19 +215,19 @@ enable_netboot_fallback = true
 # Enable the fallback path to in-band inspection
 ipxe_fallback_script = inspector.ipxe
 {% if env.IPXE_TLS_SETUP | lower == "true" %}
-ipxe_config_template = /templates/ipxe_config.template
+ipxe_config_template = /tmp/ipxe_config.template
 {% endif %}
 
 [redfish]
 use_swift = false
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 
 [ilo]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 use_web_server_for_images = true
 
 [irmc]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 
 [service_catalog]
 endpoint_override = {{ env.IRONIC_BASE_URL }}

ironic-image/scripts/configure-ironic.sh

@@ -51,6 +51,14 @@ export IRONIC_IPA_COLLECTORS=${IRONIC_IPA_COLLECTORS:-default,logs}
 
 wait_for_interface_or_ip
 
+if [[ "$(echo "$LISTEN_ALL_INTERFACES" | tr '[:upper:]' '[:lower:]')" == "true" ]]; then
+export IRONIC_HOST_IP="::"
+elif [[ -n env.ENABLE_IPV6 ]]; then
+export IRONIC_HOST_IP="$IRONIC_IPV6"
+else
+export IRONIC_HOST_IP="$IRONIC_IP"
+fi
+
 # Hostname to use for the current conductor instance.
 export IRONIC_CONDUCTOR_HOST=${IRONIC_CONDUCTOR_HOST:-${IRONIC_URL_HOST}}
 
@@ -79,7 +87,6 @@ echo 'Options set from Environment variables'
 env | grep "^OS_" || true
 
 mkdir -p /shared/html
-mkdir -p /shared/ironic_prometheus_exporter
 
 if [[ -f /proc/sys/crypto/fips_enabled ]]; then
     ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)
@@ -93,4 +100,11 @@ render_j2_config "/etc/ironic/ironic.conf.j2" \
 configure_json_rpc_auth
 
 # Make sure ironic traffic bypasses any proxies
-export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
+export NO_PROXY="${NO_PROXY:-}"
+
+if [[ -n "$IRONIC_IPV6" ]]; then
+export NO_PROXY="${NO_PROXY},${IRONIC_IPV6}"
+fi
+if [[ -n "$IRONIC_IP" ]]; then
+export NO_PROXY="${NO_PROXY},${IRONIC_IP}"
+fi

ironic-image/scripts/ironic-common.sh

@@ -5,9 +5,11 @@ set -euxo pipefail
 # Export IRONIC_IP to avoid needing to lean on IRONIC_URL_HOST for consumption in
 # e.g. dnsmasq configuration
 export IRONIC_IP="${IRONIC_IP:-}"
+export IRONIC_IPV6="${IRONIC_IPV6:-}"
 PROVISIONING_INTERFACE="${PROVISIONING_INTERFACE:-}"
 PROVISIONING_IP="${PROVISIONING_IP:-}"
 PROVISIONING_MACS="${PROVISIONING_MACS:-}"
+IRONIC_URL_HOSTNAME="${IRONIC_URL_HOSTNAME:-}"
 IPXE_CUSTOM_FIRMWARE_DIR="${IPXE_CUSTOM_FIRMWARE_DIR:-/shared/custom_ipxe_firmware}"
 CUSTOM_CONFIG_DIR="${CUSTOM_CONFIG_DIR:-/conf}"
 CUSTOM_DATA_DIR="${CUSTOM_DATA_DIR:-/data}"
@@ -33,6 +35,85 @@ export LOCAL_DB_URI="sqlite:///${IRONIC_DB_DIR}/ironic.sqlite"
 
 export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
 
+
+get_ip_of_hostname()
+{
+    if [[ "$#" -ne 2 ]]; then
+        echo "${FUNCNAME}: two parameters required, $# provided" >&2
+        return 1
+    fi
+
+    case $2 in
+        4)
+            QUERY="a";;
+        6)
+            QUERY="aaaa";;
+        *)
+            echo "${FUNCNAME}: the second parameter should be [a|aaaa] for A and AAAA records"
+            return 1;;
+    esac
+
+    local HOSTNAME=$1
+
+    echo "$(nslookup -type=${QUERY} $HOSTNAME | tail -n2 | grep -w "Address:" | cut -d " " -f2)"
+}
+
+get_interface_of_ip()
+{
+    local IP_VERS=""
+
+    if [[ "$#" -gt 2 ]]; then
+        echo "${FUNCNAME}: too many parameters" >&2
+        return 1
+    fi
+
+    if [[ "$#" -eq 2 ]]; then
+        case $2 in
+        4|6)
+            local IP_VERS="-${2}"
+            ;;
+        *)
+            echo "${FUNCNAME}: the second parameter should be [4|6] (or missing for both)" >&2
+            return 2
+            ;;
+        esac
+    fi
+
+    local IP_ADDR=$1
+
+    # Convert the address using ipcalc which strips out the subnet.
+    # For IPv6 addresses, this will give the short-form address
+    IP_ADDR="$(ipcalc "${IP_ADDR}" | grep "^Address:" | awk '{print $2}')"
+
+    echo "$(ip $IP_VERS -br addr show scope global | grep -i " ${IP_ADDR}/" | cut -f 1 -d ' ' | cut -f 1 -d '@')"
+}
+
+get_ip_of_interface()
+{
+    local IP_VERS=""
+
+    if [[ "$#" -gt 2 ]]; then
+        echo "${FUNCNAME}: too many parameters" >&2
+        return 1
+    fi
+
+    if [[ "$#" -eq 2 ]]; then
+        case $2 in
+        4|6)
+            local IP_VERS="-${2}"
+            ;;
+        *)
+            echo "${FUNCNAME}: the second parameter should be [4|6] (or missing for both)" >&2
+            return 2
+            ;;
+        esac
+    fi
+
+    local IFACE=$1
+
+    echo "$(ip $IP_VERS -br addr show scope global up dev $IFACE | awk '{print $3}' | sed -e 's%/.*%%' | head -n 1)"
+}
+
 get_provisioning_interface()
 {
     if [[ -n "$PROVISIONING_INTERFACE" ]]; then
@@ -41,13 +122,7 @@ get_provisioning_interface()
         return
     fi
 
-    local interface="provisioning"
+    local interface=""
-
-    if [[ -n "${PROVISIONING_IP}" ]]; then
-        if ip -br addr show | grep -i " ${PROVISIONING_IP}/" &>/dev/null; then
-            interface="$(ip -br addr show | grep -i " ${PROVISIONING_IP}/" | cut -f 1 -d ' ' | cut -f 1 -d '@')"
-        fi
-    fi
 
     for mac in ${PROVISIONING_MACS//,/ }; do
         if ip -br link show up | grep -i "$mac" &>/dev/null; then
@@ -71,32 +146,103 @@ wait_for_interface_or_ip()
     # available on an interface, otherwise we look at $PROVISIONING_INTERFACE
     # for an IP
     if [[ -n "${PROVISIONING_IP}" ]]; then
-        # Convert the address using ipcalc which strips out the subnet.
+        local IFACE_OF_IP=""
-        # For IPv6 addresses, this will give the short-form address
+
-        IRONIC_IP="$(ipcalc "${PROVISIONING_IP}" | grep "^Address:" | awk '{print $2}')"
+        until [[ -n "$IFACE_OF_IP" ]]; do
-        export IRONIC_IP
+            echo "Waiting for ${PROVISIONING_IP} to be configured on an interface..."
-        until grep -F " ${IRONIC_IP}/" <(ip -br addr show); do
+            IFACE_OF_IP="$(get_interface_of_ip $PROVISIONING_IP)"
-            echo "Waiting for ${IRONIC_IP} to be configured on an interface"
             sleep 1
         done
+
+        echo "Found $PROVISIONING_IP on interface \"${IFACE_OF_IP}\"!"
+
+        export PROVISIONING_INTERFACE="$IFACE_OF_IP"
+	# If the IP contains a colon, then it's an IPv6 address
+        if [[ "$PROVISIONING_IP" =~ .*:.* ]]; then
+            export IRONIC_IPV6="$PROVISIONING_IP"
+        else
+            export IRONIC_IP="$PROVISIONING_IP"
+        fi
+    elif [[ -n "${PROVISIONING_INTERFACE}" ]]; then
+        until [[ -n "$IRONIC_IPV6" ]] || [[ -n "$IRONIC_IP" ]]; do
+            echo "Waiting for ${PROVISIONING_INTERFACE} interface to be configured..."
+
+            export IRONIC_IPV6="$(get_ip_of_interface $PROVISIONING_INTERFACE 6)"
+            sleep 1
+
+            export IRONIC_IP="$(get_ip_of_interface $PROVISIONING_INTERFACE 4)"
+            sleep 1
+        done
+
+        if [[ -n "$IRONIC_IPV6" ]]; then
+            echo "Found $IRONIC_IPV6 on interface \"${PROVISIONING_INTERFACE}\"!"
+        fi
+        if [[ -n "$IRONIC_IP" ]]; then
+            echo "Found $IRONIC_IP on interface \"${PROVISIONING_INTERFACE}\"!"
+        fi
+    elif [[ -n "$IRONIC_URL_HOSTNAME" ]]; then
+        local IPV6_IFACE=""
+        local IPV4_IFACE=""
+        
+        # we should get at least one IP address
+        until [[ -n "$IPV6_IFACE" ]] || [[ -n "$IPV4_IFACE" ]]; do
+            local IPV6_RECORD=""
+            local IPV4_RECORD=""
+
+            IPV6_RECORD="$(get_ip_of_hostname $IRONIC_URL_HOSTNAME 6)"
+            IPV4_RECORD="$(get_ip_of_hostname $IRONIC_URL_HOSTNAME 4)"
+
+            # We couldn't get any IP
+            if [[ -z "$IPV4_RECORD" ]] && [[ -z "$IPV6_RECORD" ]]; then
+                echo "${FUNCNAME}: no valid IP found for hostname $IRONIC_URL_HOSTNAME" >&2
+                return 1
+            fi
+
+            echo "Waiting for ${IPV6_RECORD} to be configured on an interface"
+            IPV6_IFACE="$(get_interface_of_ip $IPV6_RECORD 6)"
+            sleep 1
+
+            echo "Waiting for ${IPV4_RECORD} to be configured on an interface"
+            IPV4_IFACE="$(get_interface_of_ip $IPV4_RECORD 4)"
+            sleep 1
+        done
+
+        # Add some debugging output
+        if [[ -n "$IPV6_IFACE" ]]; then
+            echo "Found $IPV6_RECORD on interface \"${IPV6_IFACE}\"!"
+            export IRONIC_IPV6="$IPV6_RECORD"
+        fi
+        if [[ -n "$IPV4_IFACE" ]]; then
+            echo "Found $IPV4_RECORD on interface \"${IPV4_IFACE}\"!"
+            export IRONIC_IP="$IPV4_RECORD"
+        fi
+
+        # Make sure both IPs are asigned to the same interface
+        if [[ -n "$IPV6_IFACE" ]] && [[ -n "$IPV4_IFACE" ]] && [[ "$IPV6_IFACE" != "$IPV4_IFACE" ]]; then
+            echo "Warning, the IPv4 and IPv6 addresses from \"${HOSTNAME}\" are assigned to different " \
+            "interfaces (\"${IPV6_IFACE}\" and \"${IPV4_IFACE}\")" >&2
+        fi
+
     else
-        until [[ -n "$IRONIC_IP" ]]; do
+        echo "Cannot determine an interface or an IP for binding and creating URLs"
-            echo "Waiting for ${PROVISIONING_INTERFACE} interface to be configured"
+        return 1
-            IRONIC_IP="$(ip -br add show scope global up dev "${PROVISIONING_INTERFACE}" | awk '{print $3}' | sed -e 's%/.*%%' | head -n 1)"
-            export IRONIC_IP
-            sleep 1
-        done
     fi
 
-    # If the IP contains a colon, then it's an IPv6 address, and the HTTP
+    # Define the URLs based on the what we have found,
-    # host needs surrounding with brackets
+    # prioritize IPv6 for IRONIC_URL_HOST
-    if [[ "$IRONIC_IP" =~ .*:.* ]]; then
+    if [[ -n "$IRONIC_IP" ]]; then
-        export IPV=6
+        export ENABLE_IPV4=yes
-        export IRONIC_URL_HOST="[$IRONIC_IP]"
-    else
-        export IPV=4
         export IRONIC_URL_HOST="$IRONIC_IP"
     fi
+    if [[ -n "$IRONIC_IPV6" ]]; then
+        export ENABLE_IPV6=yes
+        export IRONIC_URL_HOST="[$IRONIC_IPV6]" # The HTTP host needs surrounding with brackets
+    fi
+
+    # Once determined if we have IPv4 and/or IPv6, override the hostname if provided
+    if [[ -n "$IRONIC_URL_HOSTNAME" ]]; then
+        IRONIC_URL_HOST=$IRONIC_URL_HOSTNAME
+    fi
 
     # Avoid having to construct full URL multiple times while allowing
     # the override of IRONIC_HTTP_URL for environments in which IRONIC_IP

ironic-image/scripts/rundnsmasq

@@ -36,7 +36,7 @@ fi
 # Template and write dnsmasq.conf
 # we template via /tmp as sed otherwise creates temp files in /etc directory
 # where we can't write
-python3.11 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' <"/templates/dnsmasq.conf.j2" >"${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
+python3.11 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' <"/tmp/dnsmasq.conf.j2" >"${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"
 
 for iface in $(echo "$DNSMASQ_EXCEPT_INTERFACE" | tr ',' ' '); do
     sed -i -e "/^interface=.*/ a\except-interface=${iface}" "${DNSMASQ_TEMP_DIR}/dnsmasq_temp.conf"

ironic-image/scripts/runhttpd

@@ -36,7 +36,8 @@ fi
 export INSPECTOR_EXTRA_ARGS
 
 # Copy files to shared mount
-render_j2_config /templates/inspector.ipxe.j2 /shared/html/inspector.ipxe
+render_j2_config /tmp/inspector.ipxe.j2 /shared/html/inspector.ipxe
+cp /tmp/uefi_esp*.img /shared/html/
 # cp -r /etc/httpd/* "${HTTPD_DIR}"
 if [[ -f "${HTTPD_CONF_DIR}/httpd.conf" ]]; then
     mv "${HTTPD_CONF_DIR}/httpd.conf" "${HTTPD_CONF_DIR}/httpd.conf.example"
@@ -48,7 +49,7 @@ render_j2_config "/etc/httpd/conf/httpd.conf.j2" \
 
 if [[ "$IRONIC_TLS_SETUP" == "true" ]]; then
     if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
-        render_j2_config "/templates/httpd-ironic-api.conf.j2" \
+        render_j2_config "/tmp/httpd-ironic-api.conf.j2" \
             "${HTTPD_CONF_DIR_D}/ironic.conf"
     fi
 else
@@ -59,7 +60,7 @@ write_htpasswd_files
 
 # Render httpd TLS configuration for /shared/html/<redifsh;ilo>
 if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
-    render_j2_config "/templates/httpd-vmedia.conf.j2" \
+    render_j2_config "/tmp/httpd-vmedia.conf.j2" \
         "${HTTPD_CONF_DIR_D}/vmedia.conf"
 fi
 
@@ -67,7 +68,7 @@ fi
 if [[ "$IPXE_TLS_SETUP" == "true" ]]; then
     mkdir -p /shared/html/custom-ipxe
     chmod 0777 /shared/html/custom-ipxe
-    render_j2_config "/templates/httpd-ipxe.conf.j2" "${HTTPD_CONF_DIR_D}/ipxe.conf"
+    render_j2_config "/tmp/httpd-ipxe.conf.j2" "${HTTPD_CONF_DIR_D}/ipxe.conf"
     cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
        "${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
        "/shared/html/custom-ipxe"

ironic-image/scripts/runironic-exporter

@@ -1,14 +0,0 @@
-#!/usr/bin/bash
-
-# shellcheck disable=SC1091
-. /bin/configure-ironic.sh
-# shellcheck disable=SC1091
-. /bin/ironic-common.sh
-
-FLASK_RUN_HOST=${FLASK_RUN_HOST:-0.0.0.0}
-FLASK_RUN_PORT=${FLASK_RUN_PORT:-9608}
-
-export IRONIC_CONFIG="${IRONIC_CONF_DIR}/ironic.conf"
-
-exec gunicorn -b "${FLASK_RUN_HOST}:${FLASK_RUN_PORT}" -w 4 \
-    ironic_prometheus_exporter.app.wsgi:application

ironic-image/scripts/runlogwatch.sh

@@ -12,10 +12,6 @@ python3.11 -m pyinotify --raw-format -e IN_CLOSE_WRITE -v "${LOG_DIR}" |
         # <Event dir=False mask=0x8 maskname=IN_CLOSE_WRITE name=mylogs.gzip path=/shared/log/ironic/deploy pathname=/shared/log/ironic/deploy/mylogs.gzip wd=1 >
         FILENAME=$(echo "${filename}" | cut -d'=' -f2-)
         echo "************ Contents of ${LOG_DIR}/${FILENAME} ramdisk log file bundle **************"
-        tar -tzf "${LOG_DIR}/${FILENAME}" | while read -r entry; do
+        tar -xOzvvf "${LOG_DIR}/${FILENAME}" | sed -e "s/^/${FILENAME}: /"
-            echo "${FILENAME}: **** Entry: ${entry} ****"
-            tar -xOzf "${LOG_DIR}/${FILENAME}" "${entry}" | sed -e "s/^/${FILENAME}: /"
-            echo
-        done
         rm -f "${LOG_DIR}/${FILENAME}"
     done

ironic-image/scripts/tls-common.sh

@@ -20,6 +20,11 @@ export MARIADB_CACERT_FILE=/certs/ca/mariadb/tls.crt
 
 export IPXE_TLS_PORT="${IPXE_TLS_PORT:-8084}"
 
+mkdir -p /certs/ironic
+mkdir -p /certs/ca/ironic
+mkdir -p /certs/ipxe
+mkdir -p /certs/vmedia
+
 if [[ -f "$IRONIC_CERT_FILE" ]] && [[ ! -f "$IRONIC_KEY_FILE" ]]; then
     echo "Missing TLS Certificate key file $IRONIC_KEY_FILE"
     exit 1
@@ -64,7 +69,6 @@ if [[ -f "$IRONIC_CERT_FILE" ]] || [[ -f "$IRONIC_CACERT_FILE" ]]; then
     export IRONIC_TLS_SETUP="true"
     export IRONIC_SCHEME="https"
     if [[ ! -f "$IRONIC_CACERT_FILE" ]]; then
-        mkdir -p "$(dirname "${IRONIC_CACERT_FILE}")"
         copy_atomic "$IRONIC_CERT_FILE" "$IRONIC_CACERT_FILE"
     fi
 else
@@ -103,7 +107,7 @@ configure_restart_on_certificate_update()
         if [[ "${service}" == httpd ]]; then
             signal="WINCH"
         fi
-        python3.12 -m pyinotify --raw-format -e IN_DELETE_SELF -v "${cert_file}" |
+        python3 -m pyinotify --raw-format -e IN_DELETE_SELF -v "${cert_file}" |
             while read -r; do
                 pkill "-${signal}" "${service}"
             done &

ironic-ipa-downloader-image/Dockerfile

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.7
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.8
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.7-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 
@@ -18,11 +18,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
 LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="3.0.6"
+LABEL org.opencontainers.image.version="3.0.8"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.7-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -33,8 +33,6 @@ LABEL com.suse.release-stage="released"
 
 COPY --from=base /installroot /
 RUN cp /getopt /usr/bin/
-RUN cp /srv/tftpboot/openstack-ironic-image/initrd*.zst /tmp
-RUN cp /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel /tmp
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/

ironic-ipa-downloader-image/Dockerfile.aarch64

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.7
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.8
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.7-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.8-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 
@@ -18,11 +18,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
 LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="3.0.6"
+LABEL org.opencontainers.image.version="3.0.8"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.7-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -33,8 +33,6 @@ LABEL com.suse.release-stage="released"
 
 COPY --from=base /installroot /
 RUN cp /getopt /usr/bin/
-RUN cp /srv/tftpboot/openstack-ironic-image/initrd*.zst /tmp
-RUN cp /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel /tmp
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/

ironic-ipa-downloader-image/Dockerfile.x86_64

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.7
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.8
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.7-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.8-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 
@@ -18,11 +18,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
 LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="3.0.6"
+LABEL org.opencontainers.image.version="3.0.8"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.7-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -33,8 +33,6 @@ LABEL com.suse.release-stage="released"
 
 COPY --from=base /installroot /
 RUN cp /getopt /usr/bin/
-RUN cp /srv/tftpboot/openstack-ironic-image/initrd*.zst /tmp
-RUN cp /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel /tmp
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/

ironic-ipa-downloader-image/get-resource.sh

@@ -6,6 +6,8 @@ export http_proxy=${http_proxy:-$HTTP_PROXY}
 export https_proxy=${https_proxy:-$HTTPS_PROXY}
 export no_proxy=${no_proxy:-$NO_PROXY}
 
+IMAGES_BASE_PATH="/srv/tftpboot/openstack-ironic-image"
+
 if [ -d "/tmp/ironic-certificates" ]; then
   sha256sum /tmp/ironic-certificates/* > /tmp/certificates.sha256
   if cmp "/shared/certificates.sha256" "/tmp/certificates.sha256"; then
@@ -26,14 +28,14 @@ if [ -z "${IPA_BASEURI}" ]; then
   IMAGE_CHANGED=1
   # SLES BASED IPA - ironic-ipa-ramdisk-x86_64 and ironic-ipa-ramdisk-aarch64 packages
   mkdir -p /shared/html/images
-  if [ -f /tmp/initrd-x86_64.zst ]; then
+  if [ -f ${IMAGES_BASE_PATH}/initrd-x86_64.zst ]; then
-    cp /tmp/initrd-x86_64.zst /shared/html/images/ironic-python-agent-x86_64.initramfs
+    cp ${IMAGES_BASE_PATH}/initrd-x86_64.zst /shared/html/images/ironic-python-agent-x86_64.initramfs
-    cp /tmp/openstack-ironic-image.x86_64*.kernel /shared/html/images/ironic-python-agent-x86_64.kernel
+    cp ${IMAGES_BASE_PATH}/openstack-ironic-image.x86_64*.kernel /shared/html/images/ironic-python-agent-x86_64.kernel
   fi
   # Use arm64 as destination for iPXE compatibility
-  if [ -f /tmp/initrd-aarch64.zst ]; then
+  if [ -f ${IMAGES_BASE_PATH}/initrd-aarch64.zst ]; then
-    cp /tmp/initrd-aarch64.zst /shared/html/images/ironic-python-agent-arm64.initramfs
+    cp ${IMAGES_BASE_PATH}/initrd-aarch64.zst /shared/html/images/ironic-python-agent-arm64.initramfs
-    cp /tmp/openstack-ironic-image.aarch64*.kernel /shared/html/images/ironic-python-agent-arm64.kernel
+    cp ${IMAGES_BASE_PATH}/openstack-ironic-image.aarch64*.kernel /shared/html/images/ironic-python-agent-arm64.kernel
   fi
 
   cp /tmp/images.sha256 /shared/images.sha256

kube-rbac-proxy-image/Dockerfile

@@ -1,7 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%
 #!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%-%RELEASE%
-#!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 

kubectl-image/Dockerfile

@@ -1,7 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #!BuildTag: %%IMG_PREFIX%%kubectl:1.32.4
 #!BuildTag: %%IMG_PREFIX%%kubectl:1.32.4-%RELEASE%
-#!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 

metal3-chart/Chart.yaml

@@ -1,7 +1,7 @@
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.8_up0.11.6
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.10_up0.12.0
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.8_up0.11.6-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.10_up0.12.0-%RELEASE%
 apiVersion: v2
-appVersion: 0.11.6
+appVersion: 0.12.0
 dependencies:
 - alias: metal3-baremetal-operator
   name: baremetal-operator
@@ -10,7 +10,7 @@ dependencies:
 - alias: metal3-ironic
   name: ironic
   repository: file://./charts/ironic
-  version: 0.10.5
+  version: 0.11.0
 - alias: metal3-mariadb
   condition: global.enable_mariadb
   name: mariadb
@@ -20,9 +20,9 @@ dependencies:
   condition: global.enable_metal3_media_server
   name: media
   repository: file://./charts/media
-  version: 0.6.2
+  version: 0.6.4
 description: A Helm chart that installs all of the dependencies needed for Metal3
 icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
 name: metal3
 type: application
-version: "%%CHART_MAJOR%%.0.8+up0.11.6"
+version: "%%CHART_MAJOR%%.0.10+up0.12.0"

metal3-chart/charts/ironic/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 26.1.2
+appVersion: 29.0.4
 description: A Helm chart for Ironic, used by Metal3
 name: ironic
 type: application
-version: 0.10.5
+version: 0.11.0

metal3-chart/charts/ironic/templates/configmap.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: ironic-bmo
+  name: ironic
   labels:
     {{- include "ironic.labels" . | nindent 4 }}
 data:
@@ -9,7 +9,6 @@ data:
   {{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }}
   {{- $protocol := ternary "https" "http" $enableTLS }}
   {{- $ironicIP := .Values.global.ironicIP | default "" }}
-  {{- $ironicApiHost := print $ironicIP ":6385" }}
   {{- $ironicBootHost := print $ironicIP ":6180" }}
   {{- $ironicCacheHost := print $ironicIP ":6180" }}
   {{- $deployArch := .Values.global.deployArchitecture }}
@@ -25,11 +24,6 @@ data:
   {{- end }}
   HTTP_PORT: "6180"
   PREDICTABLE_NIC_NAMES: "{{ .Values.global.predictableNicNames }}"
-  USE_IRONIC_INSPECTOR: "false"
-  IRONIC_API_BASE_URL: {{ $protocol }}://{{ $ironicApiHost }}
-  IRONIC_API_HOST: {{ $ironicApiHost }}
-  IRONIC_API_HTTPD_SERVER_NAME: {{ $ironicApiHost }}
-  IRONIC_ENDPOINT: {{ $protocol }}://{{ $ironicApiHost }}/v1/
   # Switch VMedia to HTTP if enable_vmedia_tls is false
   {{- if and $enableTLS $enableVMediaTLS }}
     {{- $ironicBootHost = print $ironicIP ":" .Values.global.vmediaTLSPort }}
@@ -39,12 +33,8 @@ data:
     {{- $protocol = "http" }}
   {{- end }}
   IRONIC_EXTERNAL_HTTP_URL: {{ $protocol }}://{{ $ironicCacheHost }}
-  CACHEURL: {{ $protocol }}://{{ $ironicCacheHost }}/images
-  DEPLOY_KERNEL_URL: {{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.kernel
-  DEPLOY_RAMDISK_URL: {{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.initramfs
   DEPLOY_ARCHITECTURE: {{ $deployArch }}
   IRONIC_BOOT_BASE_URL: {{ $protocol }}://{{ $ironicBootHost }}
-  IRONIC_VMEDIA_HTTPD_SERVER_NAME: {{ $ironicBootHost }}
   ENABLE_PXE_BOOT: "{{ .Values.global.enable_pxe_boot }}"
   {{- if .Values.global.provisioningInterface }}
   PROVISIONING_INTERFACE: {{ .Values.global.provisioningInterface }}
@@ -52,8 +42,6 @@ data:
   {{- if .Values.global.provisioningIP }}
   PROVISIONING_IP: {{ .Values.global.provisioningIP }}
   {{- end }}
-  IRONIC_ILO_USE_SWIFT: "false"
-  IRONIC_ILO_USE_WEB_SERVER_FOR_IMAGES: "true"
   IRONIC_FAST_TRACK: "true"
   LISTEN_ALL_INTERFACES: "true"
   {{- if .Values.global.ironicIP }}

metal3-chart/charts/ironic/templates/deployment.yaml

@@ -39,7 +39,7 @@ spec:
         - /bin/runhttpd
         envFrom:
         - configMapRef:
-            name: ironic-bmo
+            name: ironic
         livenessProbe:
           exec:
             command: ["sh", "-c", "curl -sSfk https://127.0.0.1:6385"]
@@ -97,7 +97,7 @@ spec:
         - /bin/runironic
         envFrom:
         - configMapRef:
-            name: ironic-bmo
+            name: ironic
         env:
         {{- if .Values.global.enable_basicAuth }}
         - name: IRONIC_HTPASSWD
@@ -170,7 +170,7 @@ spec:
         - /bin/rundnsmasq
         envFrom:
         - configMapRef:
-            name: ironic-bmo
+            name: ironic
         livenessProbe:
           exec:
             command:

metal3-chart/charts/ironic/values.yaml

@@ -56,11 +56,11 @@ images:
   ironic:
     repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
     pullPolicy: IfNotPresent
-    tag: 26.1.2.4
+    tag: 29.0.4.0
   ironicIPADownloader:
     repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic-ipa-downloader
     pullPolicy: IfNotPresent
-    tag: 3.0.7
+    tag: 3.0.8
 
 nameOverride: ""
 fullnameOverride: ""

metal3-chart/charts/media/Chart.yaml

@@ -3,4 +3,4 @@ appVersion: 1.16.0
 description: A Helm chart for Media, used by Metal3
 name: media
 type: application
-version: 0.6.2
+version: 0.6.4

metal3-chart/charts/media/values.yaml

@@ -24,7 +24,7 @@ replicaCount: 1
 image:
   repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
   pullPolicy: IfNotPresent
-  tag: 26.1.2.4
+  tag: 29.0.4.0
 
 imagePullSecrets: []
 nameOverride: ""

metallb-controller-image/Dockerfile

@@ -1,7 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #!BuildTag: %%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%%
 #!BuildTag: %%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%%-%RELEASE%
-#!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 

metallb-speaker-image/Dockerfile

@@ -1,7 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #!BuildTag: %%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%%
 #!BuildTag: %%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%%-%RELEASE%
-#!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 

rancher-turtles-airgap-resources-chart/Chart.yaml

@@ -1,10 +1,10 @@
-#!BuildTag: %%CHART_PREFIX%%rancher-turtles-airgap-resources:%%CHART_MAJOR%%.0.4_up0.20.0
+#!BuildTag: %%CHART_PREFIX%%rancher-turtles-airgap-resources:%%CHART_MAJOR%%.0.5_up0.21.0
-#!BuildTag: %%CHART_PREFIX%%rancher-turtles-airgap-resources:%%CHART_MAJOR%%.0.4_up0.20.0-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%rancher-turtles-airgap-resources:%%CHART_MAJOR%%.0.5_up0.21.0-%RELEASE%
 apiVersion: v2
-appVersion: 0.20.0
+appVersion: 0.21.0
 description: Rancher Turtles utility chart for airgap scenarios
 home: https://github.com/rancher/turtles/
 icon: https://raw.githubusercontent.com/rancher/turtles/main/logos/capi.svg
 name: rancher-turtles-airgap-resources
 type: application
-version: "%%CHART_MAJOR%%.0.4+up0.20.0"
+version: "%%CHART_MAJOR%%.0.5+up0.21.0"

rancher-turtles-airgap-resources-chart/templates/airgap-cm-fleet-addon.yaml

@@ -656,12 +656,8 @@ data:
       - list
       - get
       - watch
-    - apiGroups:
-      - ""
-      resources:
-      - namespaces
-      verbs:
       - create
+      - patch
     - apiGroups:
       - events.k8s.io
       resources:
@@ -817,7 +813,7 @@ data:
             control-plane: controller-manager
         spec:
           containers:
-          - image: ghcr.io/rancher-sandbox/cluster-api-addon-provider-fleet:v0.10.0
+          - image: ghcr.io/rancher-sandbox/cluster-api-addon-provider-fleet:v0.11.0
             imagePullPolicy: IfNotPresent
             name: manager
             ports:
@@ -839,7 +835,7 @@ data:
                 memory: 100Mi
           - args:
             - --helm-install
-            image: ghcr.io/rancher-sandbox/cluster-api-addon-provider-fleet:v0.10.0
+            image: ghcr.io/rancher-sandbox/cluster-api-addon-provider-fleet:v0.11.0
             name: helm-manager
             resources:
               limits:
@@ -891,10 +887,13 @@ data:
       - major: 0
         minor: 10
         contract: v1beta1
+      - major: 0
+        minor: 11
+        contract: v1beta1
 kind: ConfigMap
 metadata:
   creationTimestamp: null
-  name: v0.10.0
+  name: v0.11.0
   namespace: rancher-turtles-system
   labels:
     provider-components: fleet

rancher-turtles-airgap-resources-chart/templates/airgap-cm-metal3.yaml

@@ -3734,7 +3734,7 @@ data:
             envFrom:
             - configMapRef:
                 name: capm3-capm3fasttrack-configmap
-            image: registry.rancher.com/rancher/cluster-api-provider-metal3:v1.9.3
+            image: registry.rancher.com/rancher/cluster-api-provider-metal3:v1.9.4
             imagePullPolicy: IfNotPresent
             livenessProbe:
               httpGet:
@@ -3820,7 +3820,7 @@ data:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
-            image: quay.io/metal3-io/ip-address-manager:v1.9.4
+            image: quay.io/metal3-io/ip-address-manager:v1.9.5
             imagePullPolicy: IfNotPresent
             livenessProbe:
               httpGet:
@@ -4524,7 +4524,7 @@ data:
 kind: ConfigMap
 metadata:
   creationTimestamp: null
-  name: v1.9.3
+  name: v1.9.4
   namespace: capm3-system
   labels:
     provider-components: metal3

rancher-turtles-airgap-resources-chart/templates/airgap-cm-rke2-bootstrap.yaml

@@ -985,6 +985,9 @@ data:
                       - path
                       type: object
                     type: array
+                  gzipUserData:
+                    description: GzipUserData specifies if the user data should be gzipped.
+                    type: boolean
                   postRKE2Commands:
                     description: PostRKE2Commands specifies extra commands to run after
                       rke2 setup runs.
@@ -2164,6 +2167,10 @@ data:
                               - path
                               type: object
                             type: array
+                          gzipUserData:
+                            description: GzipUserData specifies if the user data should
+                              be gzipped.
+                            type: boolean
                           postRKE2Commands:
                             description: PostRKE2Commands specifies extra commands to
                               run after rke2 setup runs.
@@ -2525,11 +2532,12 @@ data:
             - --leader-elect
             - --diagnostics-address=${CAPRKE2_DIAGNOSTICS_ADDRESS:=:8443}
             - --insecure-diagnostics=${CAPRKE2_INSECURE_DIAGNOSTICS:=false}
-            - --feature-gates=MachinePool=${EXP_MACHINE_POOL:=true}
             - --v=${CAPRKE2_DEBUG_LEVEL:=0}
+            - --feature-gates=MachinePool=${EXP_MACHINE_POOL:=true},ClusterTopology=${CLUSTER_TOPOLOGY:=true}
+            - --concurrency=${CONCURRENCY_NUMBER:=10}
             command:
             - /manager
-            image: ghcr.io/rancher/cluster-api-provider-rke2-bootstrap:v0.16.1
+            image: ghcr.io/rancher/cluster-api-provider-rke2-bootstrap:v0.18.0
             imagePullPolicy: IfNotPresent
             livenessProbe:
               httpGet:
@@ -2764,10 +2772,16 @@ data:
       - major: 0
         minor: 16
         contract: v1beta1
+      - major: 0
+        minor: 17
+        contract: v1beta1
+      - major: 0
+        minor: 18
+        contract: v1beta1
 kind: ConfigMap
 metadata:
   creationTimestamp: null
-  name: v0.16.1
+  name: v0.18.0
   namespace: rke2-bootstrap-system
   labels:
     provider-components: rke2-bootstrap

rancher-turtles-airgap-resources-chart/templates/airgap-cm-rke2-control-plane.yaml

@@ -1624,6 +1624,9 @@ data:
                       - path
                       type: object
                     type: array
+                  gzipUserData:
+                    description: GzipUserData specifies if the user data should be gzipped.
+                    type: boolean
                   infrastructureRef:
                     description: |-
                       InfrastructureRef is a required reference to a custom resource
@@ -2434,6 +2437,51 @@ data:
                               if value is false, ETCD metrics will NOT be exposed
                             type: boolean
                         type: object
+                      externalDatastoreSecret:
+                        description: |-
+                          ExternalDatastoreSecret is a reference to a Secret that contains configuration about connecting to an external datastore.
+                          The secret must contain a key named "endpoint" that contains the connection string for the external datastore.
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: |-
+                              If referring to a piece of an object instead of an entire object, this string
+                              should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container within a pod, this would take on a value like:
+                              "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                              the event) or if no container name is specified "spec.containers[2]" (container with
+                              index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                              referencing a part of an object.
+                            type: string
+                          kind:
+                            description: |-
+                              Kind of the referent.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+                            type: string
+                          name:
+                            description: |-
+                              Name of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            type: string
+                          namespace:
+                            description: |-
+                              Namespace of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+                            type: string
+                          resourceVersion:
+                            description: |-
+                              Specific resourceVersion to which this reference is made, if any.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+                            type: string
+                          uid:
+                            description: |-
+                              UID of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
                       kubeAPIServer:
                         description: KubeAPIServer defines optional custom configuration
                           of the Kube API Server.
@@ -3125,6 +3173,10 @@ data:
                               - path
                               type: object
                             type: array
+                          gzipUserData:
+                            description: GzipUserData specifies if the user data should
+                              be gzipped.
+                            type: boolean
                           infrastructureRef:
                             description: |-
                               InfrastructureRef is a required reference to a custom resource
@@ -3950,6 +4002,51 @@ data:
                                       if value is false, ETCD metrics will NOT be exposed
                                     type: boolean
                                 type: object
+                              externalDatastoreSecret:
+                                description: |-
+                                  ExternalDatastoreSecret is a reference to a Secret that contains configuration about connecting to an external datastore.
+                                  The secret must contain a key named "endpoint" that contains the connection string for the external datastore.
+                                properties:
+                                  apiVersion:
+                                    description: API version of the referent.
+                                    type: string
+                                  fieldPath:
+                                    description: |-
+                                      If referring to a piece of an object instead of an entire object, this string
+                                      should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                                      For example, if the object reference is to a container within a pod, this would take on a value like:
+                                      "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                                      the event) or if no container name is specified "spec.containers[2]" (container with
+                                      index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                                      referencing a part of an object.
+                                    type: string
+                                  kind:
+                                    description: |-
+                                      Kind of the referent.
+                                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+                                    type: string
+                                  name:
+                                    description: |-
+                                      Name of the referent.
+                                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    type: string
+                                  namespace:
+                                    description: |-
+                                      Namespace of the referent.
+                                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+                                    type: string
+                                  resourceVersion:
+                                    description: |-
+                                      Specific resourceVersion to which this reference is made, if any.
+                                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+                                    type: string
+                                  uid:
+                                    description: |-
+                                      UID of the referent.
+                                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+                                    type: string
+                                type: object
+                                x-kubernetes-map-type: atomic
                               kubeAPIServer:
                                 description: KubeAPIServer defines optional custom configuration
                                   of the Kube API Server.
@@ -4446,6 +4543,7 @@ data:
             - --diagnostics-address=${CAPRKE2_DIAGNOSTICS_ADDRESS:=:8443}
             - --insecure-diagnostics=${CAPRKE2_INSECURE_DIAGNOSTICS:=false}
             - --v=${CAPRKE2_DEBUG_LEVEL:=0}
+            - --concurrency=${CONCURRENCY_NUMBER:=10}
             command:
             - /manager
             env:
@@ -4461,7 +4559,7 @@ data:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.uid
-            image: ghcr.io/rancher/cluster-api-provider-rke2-controlplane:v0.16.1
+            image: ghcr.io/rancher/cluster-api-provider-rke2-controlplane:v0.18.0
             imagePullPolicy: IfNotPresent
             livenessProbe:
               httpGet:
@@ -4703,10 +4801,16 @@ data:
       - major: 0
         minor: 16
         contract: v1beta1
+      - major: 0
+        minor: 17
+        contract: v1beta1
+      - major: 0
+        minor: 18
+        contract: v1beta1
 kind: ConfigMap
 metadata:
   creationTimestamp: null
-  name: v0.16.1
+  name: v0.18.0
   namespace: rke2-control-plane-system
   labels:
     provider-components: rke2-control-plane

rancher-turtles-chart/Chart.lock

@@ -3,4 +3,4 @@ dependencies:
   repository: https://kubernetes-sigs.github.io/cluster-api-operator
   version: 0.18.1
 digest: sha256:7ad59ce8888c32723b4ef1ae5f334fdff00a8aba87e6f1de76d605f134bff354
-generated: "2025-05-29T09:13:16.863770955Z"
+generated: "2025-06-30T13:10:01.066923702Z"

rancher-turtles-chart/Chart.yaml

@@ -1,5 +1,5 @@
-#!BuildTag: %%CHART_PREFIX%%rancher-turtles:%%CHART_MAJOR%%.0.4_up0.20.0
+#!BuildTag: %%CHART_PREFIX%%rancher-turtles:%%CHART_MAJOR%%.0.5_up0.21.0
-#!BuildTag: %%CHART_PREFIX%%rancher-turtles:%%CHART_MAJOR%%.0.4_up0.20.0-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%rancher-turtles:%%CHART_MAJOR%%.0.5_up0.21.0-%RELEASE%
 annotations:
   catalog.cattle.io/certified: rancher
   catalog.cattle.io/display-name: Rancher Turtles - the Cluster API Extension
@@ -12,12 +12,12 @@ annotations:
   catalog.cattle.io/scope: management
   catalog.cattle.io/type: cluster-tool
 apiVersion: v2
-appVersion: 0.20.0
+appVersion: 0.21.0
 dependencies:
 - condition: cluster-api-operator.enabled
   name: cluster-api-operator
   repository: file://./charts/cluster-api-operator
-  version: 0.17.0
+  version: 0.18.1
 description: Rancher Turtles is an extension to Rancher that brings full Cluster API
   integration to Rancher.
 home: https://github.com/rancher/turtles/
@@ -29,4 +29,4 @@ keywords:
 - provisioning
 name: rancher-turtles
 type: application
-version: "%%CHART_MAJOR%%.0.4+up0.20.0"
+version: "%%CHART_MAJOR%%.0.5+up0.21.0"

rancher-turtles-chart/RELEASE_NOTES.md

@@ -1,4 +1,4 @@
-## Changes since v0.20.0-rc.0
+## Changes since examples/v0.21.0
 ---
 ## :chart_with_upwards_trend: Overview
 

rancher-turtles-chart/charts/cluster-api-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 0.17.0
+appVersion: 0.18.1
 description: Cluster API Operator
 name: cluster-api-operator
 type: application
-version: 0.17.0
+version: 0.18.1

rancher-turtles-chart/charts/cluster-api-operator/templates/addon.yaml

@@ -26,8 +26,10 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "1"
   name: {{ $addonNamespace }}
 ---
@@ -37,8 +39,10 @@ metadata:
   name: {{ $addonName }}
   namespace: {{ $addonNamespace }}
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "2"
 {{- if or $addonVersion $.Values.secretName }}
 spec:

rancher-turtles-chart/charts/cluster-api-operator/templates/bootstrap.yaml

@@ -26,8 +26,11 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
+    "argocd.argoproj.io/sync-wave": "1"
   name: {{ $bootstrapNamespace }}
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -36,8 +39,11 @@ metadata:
   name: {{ $bootstrapName }}
   namespace: {{ $bootstrapNamespace }}
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
+    "argocd.argoproj.io/sync-wave": "2"
 {{- if or $bootstrapVersion $.Values.configSecret.name }}
 spec:
 {{- end}}

rancher-turtles-chart/charts/cluster-api-operator/templates/control-plane.yaml

@@ -26,8 +26,11 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
+    "argocd.argoproj.io/sync-wave": "1"
   name: {{ $controlPlaneNamespace }}
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -36,8 +39,11 @@ metadata:
   name: {{ $controlPlaneName }}
   namespace: {{ $controlPlaneNamespace }}
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
+    "argocd.argoproj.io/sync-wave": "2"
 {{- if or $controlPlaneVersion $.Values.configSecret.name $.Values.manager }}
 spec:
 {{- end}}

rancher-turtles-chart/charts/cluster-api-operator/templates/core-conditions.yaml

@@ -1,4 +1,4 @@
-{{- if or .Values.addon .Values.bootstrap .Values.controlPlane .Values.infrastructure }}
+{{- if or .Values.addon .Values.bootstrap .Values.controlPlane .Values.infrastructure .Values.ipam }}
 # Deploy core components if not specified
 {{- if not .Values.core }}
 ---
@@ -6,8 +6,11 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
+    "argocd.argoproj.io/sync-wave": "1"
   name: capi-system
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -16,8 +19,11 @@ metadata:
   name: cluster-api
   namespace: capi-system
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
+    "argocd.argoproj.io/sync-wave": "2"
 {{- with .Values.configSecret }}
 spec:
   configSecret:
@@ -28,4 +34,3 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
-

rancher-turtles-chart/charts/cluster-api-operator/templates/core.yaml

@@ -25,8 +25,11 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
+    "argocd.argoproj.io/sync-wave": "1"
   name: {{ $coreNamespace }}
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -35,8 +38,10 @@ metadata:
   name: {{ $coreName }}
   namespace: {{ $coreNamespace }}
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "2"
 {{- if or $coreVersion $.Values.configSecret.name $.Values.manager }}
 spec:
@@ -45,8 +50,8 @@ spec:
   version: {{ $coreVersion }}
 {{- end }}
 {{- if $.Values.manager }}
-  manager:
 {{- if and $.Values.manager.featureGates $.Values.manager.featureGates.core }}
+  manager:
     featureGates:
     {{- range $key, $value := $.Values.manager.featureGates.core }}
       {{ $key }}: {{ $value }}

rancher-turtles-chart/charts/cluster-api-operator/templates/infra-conditions.yaml

@@ -7,8 +7,10 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "1"
   name: capi-kubeadm-bootstrap-system
 ---
@@ -18,8 +20,10 @@ metadata:
   name: kubeadm
   namespace: capi-kubeadm-bootstrap-system
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "2"
 {{- with .Values.configSecret }}
 spec:
@@ -37,8 +41,10 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "1"
   name: capi-kubeadm-control-plane-system
 ---
@@ -48,14 +54,16 @@ metadata:
   name: kubeadm
   namespace: capi-kubeadm-control-plane-system
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "2"
 {{- with .Values.configSecret }}
 spec:
 {{- if $.Values.manager }}
-  manager:
 {{- if and $.Values.manager.featureGates $.Values.manager.featureGates.kubeadm }}
+  manager:
     featureGates:
     {{- range $key, $value := $.Values.manager.featureGates.kubeadm }}
       {{ $key }}: {{ $value }}

rancher-turtles-chart/charts/cluster-api-operator/templates/infra.yaml

@@ -26,8 +26,10 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "1"
   name: {{ $infrastructureNamespace }}
 ---
@@ -37,8 +39,10 @@ metadata:
   name: {{ $infrastructureName }}
   namespace: {{ $infrastructureNamespace }}
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "2"
 {{- if or $infrastructureVersion $.Values.configSecret.name $.Values.manager $.Values.additionalDeployments }}
 spec:
@@ -47,8 +51,8 @@ spec:
   version: {{ $infrastructureVersion }}
 {{- end }}
 {{- if $.Values.manager }}
-  manager:
 {{- if and (kindIs "map" $.Values.manager.featureGates) (hasKey $.Values.manager.featureGates $infrastructureName) }}
+  manager:
 {{- range $key, $value := $.Values.manager.featureGates }}
   {{- if eq $key $infrastructureName }}
     featureGates:

rancher-turtles-chart/charts/cluster-api-operator/templates/ipam.yaml

@@ -26,8 +26,10 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "1"
   name: {{ $ipamNamespace }}
 ---
@@ -37,8 +39,10 @@ metadata:
   name: {{ $ipamName }}
   namespace: {{ $ipamNamespace }}
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "2"
 {{- if or $ipamVersion $.Values.configSecret.name $.Values.manager $.Values.additionalDeployments }}
 spec:
@@ -47,8 +51,8 @@ spec:
   version: {{ $ipamVersion }}
 {{- end }}
 {{- if $.Values.manager }}
-  manager:
 {{- if and (kindIs "map" $.Values.manager.featureGates) (hasKey $.Values.manager.featureGates $ipamName) }}
+  manager:
 {{- range $key, $value := $.Values.manager.featureGates }}
   {{- if eq $key $ipamName }}
     featureGates:

rancher-turtles-chart/charts/cluster-api-operator/values.yaml

@@ -21,7 +21,7 @@ leaderElection:
 image:
   manager:
     repository: registry.k8s.io/capi-operator/cluster-api-operator
-    tag: v0.17.0
+    tag: v0.18.1
     pullPolicy: IfNotPresent
 env:
   manager: []
@@ -69,3 +69,4 @@ volumeMounts:
     - mountPath: /tmp/k8s-webhook-server/serving-certs
       name: cert
       readOnly: true
+enableHelmHook: true

rancher-turtles-chart/questions.yml

@@ -36,7 +36,7 @@ questions:
         label: Enable Agent TLS Mode
         group: "Rancher Turtles Features Settings"
       - variable: rancherTurtles.kubectlImage
-        default: "registry.suse.com/edge/3.2/kubectl:1.32.4"
+        default: "registry.suse.com/edge/3.3/kubectl:1.32.4"
         description: "Specify the image to use when running kubectl in jobs."
         type: string
         label: Kubectl Image

rancher-turtles-chart/values.yaml

@@ -9,8 +9,8 @@ turtlesUI:
 rancherTurtles:
   # image: registry.rancher.com/rancher/rancher/turtles
   image: registry.rancher.com/rancher/rancher/turtles
-  # imageVersion: v0.20.0
+  # imageVersion: v0.21.0
-  imageVersion: v0.20.0
+  imageVersion: v0.21.0
   # imagePullPolicy: IfNotPresent
   imagePullPolicy: IfNotPresent
   # namespace: Select namespace for Turtles to run.
@@ -31,8 +31,8 @@ rancherTurtles:
       enabled: false
       # image: registry.rancher.com/rancher/rancher/turtles
       image: registry.rancher.com/rancher/rancher/turtles
-      # imageVersion: v0.20.0
+      # imageVersion: v0.21.0
-      imageVersion: v0.20.0
+      imageVersion: v0.21.0
       # imagePullPolicy: IfNotPresent
       imagePullPolicy: IfNotPresent
       # etcdBackupRestore: Alpha feature. Manages etcd backup/restore.
@@ -49,8 +49,8 @@ rancherTurtles:
       enabled: false
       # image: registry.rancher.com/rancher/rancher/turtles
       image: registry.rancher.com/rancher/rancher/turtles
-      # imageVersion: v0.20.0
+      # imageVersion: v0.21.0
-      imageVersion: v0.20.0
+      imageVersion: v0.21.0
       # imagePullPolicy: IfNotPresent
       imagePullPolicy: IfNotPresent
 
@@ -127,7 +127,7 @@ cluster-api-operator:
       # enabled: Turn on or off.
       enabled: true
       # version: RKE2 version.
-      version: "v0.16.1"
+      version: "v0.18.0"
       # bootstrap: RKE2 bootstrap provider.
       bootstrap:
         # namespace: Bootstrap namespace.
@@ -154,10 +154,10 @@ cluster-api-operator:
           selector: ""
     metal3:
       enabled: true
-      version: "v1.9.3"
+      version: "v1.9.4"
       infrastructure:
         namespace: capm3-system
-        imageUrl: "registry.suse.com/rancher/cluster-api-provider-metal3:v1.9.3"
+        imageUrl: "registry.suse.com/rancher/cluster-api-provider-metal3:v1.9.4"
         fetchConfig:
           url: ""
           selector: ""

release-manifest-image/Dockerfile

@@ -20,4 +20,4 @@ LABEL com.suse.image-type="release-manifest"
 LABEL com.suse.release-stage="released"
 # endlabelprefix
 
-COPY release_manifest.yaml release_manifest.yaml
+COPY release_manifest.yaml release_images.yaml ./

release-manifest-image/_service

@@ -2,6 +2,7 @@
   <service mode="buildtime" name="kiwi_metainfo_helper"/>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
+    <param name="file">release_images.yaml</param>
     <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %manifest_repo)</param>

release-manifest-image/release_images.yaml

@@ -0,0 +1,64 @@
+images:
+  - name: quay.io/jetstack/cert-manager-cainjector:v1.14.2
+  - name: quay.io/jetstack/cert-manager-controller:v1.14.2
+  - name: quay.io/jetstack/cert-manager-webhook:v1.14.2
+  - name: registry.rancher.com/rancher/hardened-cluster-autoscaler:v1.10.2-build20250507
+  - name: registry.rancher.com/rancher/hardened-cni-plugins:v1.7.1-build20250509
+  - name: registry.rancher.com/rancher/hardened-coredns:v1.12.1-build20250507
+  - name: registry.rancher.com/rancher/hardened-etcd:v3.5.21-k3s1-build20250411
+  - name: registry.rancher.com/rancher/hardened-k8s-metrics-server:v0.7.2-build20250507
+  - name: registry.rancher.com/rancher/hardened-kubernetes:v1.32.5-rke2r1-build20250515
+  - name: registry.rancher.com/rancher/hardened-multus-cni:v4.2.0-build20250326
+  - name: registry.rancher.com/rancher/klipper-helm:v0.9.5-build20250306
+  - name: registry.rancher.com/rancher/mirrored-cilium-cilium:v1.17.3
+  - name: registry.rancher.com/rancher/mirrored-cilium-operator-generic:v1.17.3
+  - name: registry.rancher.com/rancher/mirrored-longhornio-csi-attacher:v4.8.1
+  - name: registry.rancher.com/rancher/mirrored-longhornio-csi-node-driver-registrar:v2.13.0
+  - name: registry.rancher.com/rancher/mirrored-longhornio-csi-provisioner:v5.2.0
+  - name: registry.rancher.com/rancher/mirrored-longhornio-csi-resizer:v1.13.2
+  - name: registry.rancher.com/rancher/mirrored-longhornio-csi-snapshotter:v8.2.0
+  - name: registry.rancher.com/rancher/mirrored-longhornio-livenessprobe:v2.15.0
+  - name: registry.rancher.com/rancher/mirrored-longhornio-longhorn-engine:v1.8.1
+  - name: registry.rancher.com/rancher/mirrored-longhornio-longhorn-instance-manager:v1.8.1
+  - name: registry.rancher.com/rancher/mirrored-longhornio-longhorn-manager:v1.8.1
+  - name: registry.rancher.com/rancher/mirrored-longhornio-longhorn-share-manager:v1.8.1
+  - name: registry.rancher.com/rancher/mirrored-longhornio-longhorn-ui:v1.8.1
+  - name: registry.rancher.com/rancher/mirrored-sig-storage-snapshot-controller:v8.2.0
+  - name: registry.rancher.com/rancher/neuvector-compliance-config:1.0.4
+  - name: registry.rancher.com/rancher/neuvector-controller:5.4.3
+  - name: registry.rancher.com/rancher/neuvector-enforcer:5.4.3
+  - name: registry.rancher.com/rancher/nginx-ingress-controller:v1.12.1-hardened6
+  - name: registry.rancher.com/rancher/rke2-cloud-provider:v1.32.0-rc3.0.20241220224140-68fbd1a6b543-build20250101
+  - name: %%IMG_REPO%%/%%IMG_PREFIX%%baremetal-operator:0.9.1.1
+  - name: %%IMG_REPO%%/%%IMG_PREFIX%%endpoint-copier-operator:0.3.0
+  - name: %%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.8
+  - name: %%IMG_REPO%%/%%IMG_PREFIX%%ironic:26.1.2.5
+  - name: %%IMG_REPO%%/%%IMG_PREFIX%%metallb-controller:v0.14.9
+  - name: %%IMG_REPO%%/%%IMG_PREFIX%%metallb-speaker:v0.14.9
+  - name: %%IMG_REPO%%/%%IMG_PREFIX%%upgrade-controller:0.1.1
+  - name: registry.rancher.com/rancher/cluster-api-operator:v0.17.0
+  - name: registry.rancher.com/rancher/fleet-agent:v0.12.3
+  - name: registry.rancher.com/rancher/fleet:v0.12.3
+  - name: registry.rancher.com/rancher/hardened-node-feature-discovery:v0.15.7-build20250425
+  - name: registry.rancher.com/rancher/rancher-webhook:v0.7.2
+  - name: registry.rancher.com/rancher/rancher/turtles:v0.20.0
+  - name: registry.rancher.com/rancher/rancher:v2.11.2
+  - name: registry.rancher.com/rancher/shell:v0.4.1
+  - name: registry.rancher.com/rancher/system-upgrade-controller:v0.15.2
+  - name: registry.suse.com/rancher/cluster-api-addon-provider-fleet:v0.10.0
+  - name: registry.suse.com/rancher/cluster-api-controller:v1.9.5
+  - name: registry.suse.com/rancher/cluster-api-provider-metal3:v1.9.3
+  - name: registry.suse.com/rancher/cluster-api-provider-rke2-bootstrap:v0.16.1
+  - name: registry.suse.com/rancher/cluster-api-provider-rke2-controlplane:v0.16.1
+  - name: registry.suse.com/rancher/elemental-operator:1.6.8
+  - name: registry.suse.com/rancher/hardened-sriov-network-operator:v1.5.0-build20250425
+  - name: registry.suse.com/rancher/ip-address-manager:v1.9.4
+  - name: registry.suse.com/suse/sles/15.6/cdi-apiserver:1.61.0-150600.3.12.1
+  - name: registry.suse.com/suse/sles/15.6/cdi-controller:1.61.0-150600.3.12.1
+  - name: registry.suse.com/suse/sles/15.6/cdi-operator:1.61.0-150600.3.12.1
+  - name: registry.suse.com/suse/sles/15.6/cdi-uploadproxy:1.61.0-150600.3.12.1
+  - name: registry.suse.com/suse/sles/15.6/virt-api:1.4.0-150600.5.15.1
+  - name: registry.suse.com/suse/sles/15.6/virt-controller:1.4.0-150600.5.15.1
+  - name: registry.suse.com/suse/sles/15.6/virt-handler:1.4.0-150600.5.15.1
+  - name: registry.suse.com/suse/sles/15.6/virt-launcher:1.4.0-150600.5.15.1
+  - name: registry.suse.com/suse/sles/15.6/virt-operator:1.4.0-150600.5.15.1

release-manifest-image/release_manifest.yaml

@@ -9,81 +9,81 @@ spec:
       k3s:
         version: v1.32.4+k3s1
         coreComponents:
-        - name: traefik-crd
+          - name: traefik-crd
-          version: 34.2.1+up34.2.0
+            version: 34.2.1+up34.2.0
-          type: HelmChart
+            type: HelmChart
-        - name: traefik
+          - name: traefik
-          version: 34.2.1+up34.2.0
+            version: 34.2.1+up34.2.0
-          type: HelmChart
+            type: HelmChart
-        - name: local-path-provisioner
-          containers:
           - name: local-path-provisioner
-            image: rancher/local-path-provisioner:v0.0.31
+            containers:
-          type: Deployment
+              - name: local-path-provisioner
-        - name: coredns
+                image: rancher/local-path-provisioner:v0.0.31
-          containers:
+            type: Deployment
           - name: coredns
-            image: rancher/mirrored-coredns-coredns:1.12.1
+            containers:
-          type: Deployment
+              - name: coredns
-        - name: metrics-server
+                image: rancher/mirrored-coredns-coredns:1.12.1
-          containers:
+            type: Deployment
           - name: metrics-server
-            image: rancher/mirrored-metrics-server:v0.7.2
+            containers:
-          type: Deployment
+              - name: metrics-server
+                image: rancher/mirrored-metrics-server:v0.7.2
+            type: Deployment
       rke2:
         version: v1.32.4+rke2r1
         coreComponents:
-        - name: rke2-cilium
+          - name: rke2-cilium
-          version: 1.17.300
+            version: 1.17.300
-          type: HelmChart
+            type: HelmChart
-        - name: rke2-canal
+          - name: rke2-canal
-          version: v3.29.3-build2025040801
+            version: v3.29.3-build2025040801
-          type: HelmChart
+            type: HelmChart
-        - name: rke2-calico-crd
+          - name: rke2-calico-crd
-          version: v3.29.101
+            version: v3.29.101
-          type: HelmChart
+            type: HelmChart
-        - name: rke2-calico
+          - name: rke2-calico
-          version: v3.29.300
+            version: v3.29.300
-          type: HelmChart
+            type: HelmChart
-        - name: rke2-coredns
+          - name: rke2-coredns
-          version: 1.39.201
+            version: 1.39.201
-          type: HelmChart
+            type: HelmChart
-        - name: rke2-ingress-nginx
+          - name: rke2-ingress-nginx
-          version: 4.12.101
+            version: 4.12.101
-          type: HelmChart
+            type: HelmChart
-        - name: rke2-metrics-server
+          - name: rke2-metrics-server
-          version: 3.12.200
+            version: 3.12.200
-          type: HelmChart
+            type: HelmChart
-        - name: rancher-vsphere-csi
+          - name: rancher-vsphere-csi
-          version: 3.3.1-rancher900
+            version: 3.3.1-rancher900
-          type: HelmChart
+            type: HelmChart
-        - name: rancher-vsphere-cpi
+          - name: rancher-vsphere-cpi
-          version: 1.10.000
+            version: 1.10.000
-          type: HelmChart
+            type: HelmChart
-        - name: harvester-cloud-provider
+          - name: harvester-cloud-provider
-          version: 0.2.900
+            version: 0.2.900
-          type: HelmChart
+            type: HelmChart
-        - name: harvester-csi-driver
+          - name: harvester-csi-driver
-          version: 0.1.2300
+            version: 0.1.2300
-          type: HelmChart
+            type: HelmChart
-        - name: rke2-snapshot-controller-crd
+          - name: rke2-snapshot-controller-crd
-          version: 4.0.002
+            version: 4.0.002
-          type: HelmChart
+            type: HelmChart
-        - name: rke2-snapshot-controller
+          - name: rke2-snapshot-controller
-          version: 4.0.002
+            version: 4.0.002
-          type: HelmChart
+            type: HelmChart
-        # Deprecated this empty chart addon can be removed in v1.34
+          # Deprecated this empty chart addon can be removed in v1.34
-        - name: rke2-snapshot-validation-webhook
+          - name: rke2-snapshot-validation-webhook
-          version: 0.0.0
+            version: 0.0.0
-          type: HelmChart
+            type: HelmChart
     operatingSystem:
-      version: "6.1"
+      version: '6.1'
-      zypperID: "SL-Micro"
+      zypperID: SL-Micro
-      cpeScheme: "cpe:/o:suse:sl-micro:6.1"
+      cpeScheme: cpe:/o:suse:sl-micro:6.1
-      prettyName: "SUSE Linux Micro 6.1"
+      prettyName: SUSE Linux Micro 6.1
       supportedArchs:
-        - "x86_64"
+        - x86_64
-        - "aarch64"
+        - aarch64
     workloads:
       helm:
         - prettyName: Rancher
@@ -106,20 +106,20 @@ spec:
               repository: https://charts.rancher.io
         - prettyName: MetalLB
           releaseName: metallb
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%metallb"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%metallb'
-          version: "%%CHART_MAJOR%%.0.0+up0.14.9"
+          version: '%%CHART_MAJOR%%.0.0+up0.14.9'
         - prettyName: CDI
           releaseName: cdi
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%cdi"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%cdi'
-          version: "%%CHART_MAJOR%%.0.0+up0.5.0"
+          version: '%%CHART_MAJOR%%.0.0+up0.5.0'
         - prettyName: KubeVirt
           releaseName: kubevirt
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%kubevirt"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%kubevirt'
-          version: "%%CHART_MAJOR%%.0.0+up0.5.0"
+          version: '%%CHART_MAJOR%%.0.0+up0.5.0'
           addonCharts:
             - releaseName: kubevirt-dashboard-extension
-              chart: "%%CHART_REPO%%/%%CHART_PREFIX%%kubevirt-dashboard-extension"
+              chart: '%%CHART_REPO%%/%%CHART_PREFIX%%kubevirt-dashboard-extension'
-              version: "%%CHART_MAJOR%%.0.2+up1.3.2"
+              version: '%%CHART_MAJOR%%.0.2+up1.3.2'
         - prettyName: NeuVector
           releaseName: neuvector
           chart: neuvector
@@ -137,8 +137,8 @@ spec:
               version: 2.1.3
         - prettyName: EndpointCopierOperator
           releaseName: endpoint-copier-operator
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%endpoint-copier-operator"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%endpoint-copier-operator'
-          version: "%%CHART_MAJOR%%.0.1+up0.3.0"
+          version: '%%CHART_MAJOR%%.0.1+up0.3.0'
         - prettyName: Elemental
           releaseName: elemental-operator
           chart: oci://registry.suse.com/rancher/elemental-operator-chart
@@ -154,25 +154,29 @@ spec:
               version: 3.0.0
         - prettyName: SRIOV
           releaseName: sriov-network-operator
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%sriov-network-operator"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%sriov-network-operator'
-          version: "%%CHART_MAJOR%%.0.2+up1.5.0"
+          version: '%%CHART_MAJOR%%.0.2+up1.5.0'
           dependencyCharts:
             - releaseName: sriov-crd
-              chart: "%%CHART_REPO%%/%%CHART_PREFIX%%sriov-crd"
+              chart: '%%CHART_REPO%%/%%CHART_PREFIX%%sriov-crd'
-              version: "%%CHART_MAJOR%%.0.2+up1.5.0"
+              version: '%%CHART_MAJOR%%.0.2+up1.5.0'
         - prettyName: Akri
           releaseName: akri
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%akri"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%akri'
-          version: "%%CHART_MAJOR%%.0.0+up0.12.20"
+          version: '%%CHART_MAJOR%%.0.0+up0.12.20'
           addonCharts:
             - releaseName: akri-dashboard-extension
-              chart: "%%CHART_REPO%%/%%CHART_PREFIX%%akri-dashboard-extension"
+              chart: '%%CHART_REPO%%/%%CHART_PREFIX%%akri-dashboard-extension'
-              version: "%%CHART_MAJOR%%.0.2+up1.3.1"
+              version: '%%CHART_MAJOR%%.0.2+up1.3.1'
         - prettyName: Metal3
           releaseName: metal3
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%metal3"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%metal3'
-          version: "%%CHART_MAJOR%%.0.8+up0.11.6"
+          version: '%%CHART_MAJOR%%.0.10+up0.12.0'
         - prettyName: RancherTurtles
           releaseName: rancher-turtles
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%rancher-turtles"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%rancher-turtles'
-          version: "%%CHART_MAJOR%%.0.4+up0.20.0"
+          version: '%%CHART_MAJOR%%.0.5+up0.21.0'
+        - prettyName: RancherTurtlesAirgapResources
+          releaseName: rancher-turtles-airgap-resources
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%rancher-turtles-airgap-resources'
+          version: '%%CHART_MAJOR%%.0.5+up0.21.0'

upgrade-controller-image/Dockerfile

@@ -1,7 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 #!BuildTag: %%IMG_PREFIX%%upgrade-controller:0.1.1
 #!BuildTag: %%IMG_PREFIX%%upgrade-controller:0.1.1-%RELEASE%
-#!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro