Merge pull request 'changed the entry point for pre-commit to call the script from the venv' (#249) from backport-pre-commit-fix into 3.3

Reviewed-on: suse-edge/Factory#249
Reviewed-by: Nicolas Belouin <nbelouin@noreply.src.opensuse.org>

.gitea/workflows/check_manifest.yaml

@@ -17,7 +17,7 @@ jobs:
           object-format: 'sha256'
       - name: Setup dependencies
         run: |
-          zypper in -y python3-PyYAML
+          zypper in -y python3-ruamel.yaml
       - name: Check release manifest
         run: |
-          python3 .obs/manifest-check.py
+          python3 .obs/manifest-check.py --check

.gitignore

@@ -1,4 +1,3 @@
 */.osc
 */__pycache__
 .venv/
-.idea/

.obs/common.py

@@ -1,3 +1,3 @@
-PROJECT = "isv:SUSE:Edge:Factory"
+PROJECT = "isv:SUSE:Edge:3.3"
 REPOSITORY = "https://src.opensuse.org/suse-edge/Factory"
-BRANCH = "main"
+BRANCH = "3.3"

.obs/manifest-check.py

@@ -1,11 +1,15 @@
 #!/usr/bin/python3
 
-import yaml
+import ruamel.yaml
+import pathlib
+import argparse
 import sys
 
+yaml = ruamel.yaml.YAML()
+
 def get_chart_version(chart_name: str) -> str:
     with open(f"./{chart_name}-chart/Chart.yaml") as f:
-        chart = yaml.safe_load(f)
+        chart = yaml.load(f)
         return chart["version"]
 
 def get_charts(chart):
@@ -21,22 +25,57 @@ def get_charts(chart):
 
 def get_charts_list():
     with open("./release-manifest-image/release_manifest.yaml") as f:
-        manifest = yaml.safe_load(f)
+        manifest = yaml.load(f)
     charts = {}
     for chart in manifest["spec"]["components"]["workloads"]["helm"]:
         charts.update(get_charts(chart))
     return charts
 
-def main():
+def check_charts(fix: bool) -> bool:
-    print("Checking charts versions in release manifest")
     success = True
     charts = get_charts_list()
+    to_fix = {}
     for chart in charts:
         expected_version = get_chart_version(chart)
         if expected_version != charts[chart]:
             success = False
+            to_fix[f'%%CHART_REPO%%/%%CHART_PREFIX%%{chart}'] = expected_version
             print(f"{chart}: Expected: {expected_version}, Got: {charts[chart]}")
-    if not success:
+    if fix and not success:
+        fix_charts(to_fix)
+        return True
+    return success
+
+def fix_charts(to_fix):
+    manifest_path = pathlib.Path("./release-manifest-image/release_manifest.yaml")
+    manifest = yaml.load(manifest_path)
+    yaml.indent(mapping=2, sequence=4, offset=2)
+    yaml.width = 4096
+    for chart_index, chart in enumerate(manifest["spec"]["components"]["workloads"]["helm"]):
+        changed = False
+        if chart["chart"] in to_fix.keys():
+            changed = True
+            chart["version"] = to_fix[chart["chart"]]
+        for subchart_index, subchart in enumerate(chart.get("addonCharts", [])):
+            if subchart["chart"] in to_fix.keys():
+                changed = True
+                subchart["version"] = to_fix[subchart["chart"]]
+                chart["addonCharts"][subchart_index] = subchart
+        for subchart_index, subchart in enumerate(chart.get("dependencyCharts", [])):
+            if subchart["chart"] in to_fix.keys():
+                changed = True
+                subchart["version"] = to_fix[subchart["chart"]]
+                chart["dependencyCharts"][subchart_index] = subchart
+        if changed:
+            manifest["spec"]["components"]["workloads"]["helm"][chart_index] = chart
+    yaml.dump(manifest, manifest_path)
+
+def main():
+    print("Checking charts versions in release manifest")
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-c', '--check', action='store_true')
+    args = parser.parse_args()
+    if not check_charts(not args.check):
         sys.exit(1)
     else:
         print("All local charts in release manifest are using the right version")

.pre-commit-config.yaml

@@ -0,0 +1,10 @@
+repos:
+  - repo: local
+    hooks:
+      - id: check-manifest
+        name: "Check release-manifest"
+        entry: python3 .obs/manifest-check.py
+        language: python
+        additional_dependencies: ['ruamel.yaml']
+        pass_filenames: false
+        always_run: true

_config

@@ -60,7 +60,6 @@ BuildFlags: onlybuild:release-manifest-image
     BuildFlags: excludebuild:endpoint-copier-operator-image
     BuildFlags: excludebuild:ironic-image
     BuildFlags: excludebuild:ironic-ipa-downloader-image
-    BuildFlags: excludebuild:kiwi-builder-image
     BuildFlags: excludebuild:kubectl-image
     BuildFlags: excludebuild:kube-rbac-proxy-image
     BuildFlags: excludebuild:metallb-controller-image
@@ -150,10 +149,6 @@ BuildFlags: onlybuild:release-manifest-image
 %else
     %if "%{sub %{reverse %_project} 1 7}" != "%{reverse :ToTest}" && "%{sub %{reverse %_project} 1 9}" != "%{reverse :Snapshot}"
       BuildFlags: excludebuild:kiwi-builder-image
-    %else
-      %ifarch aarch64
-        BuildFlags: onlybuild:kiwi-builder-image
-      %endif
     %endif
 %endif
 

akri-dashboard-extension-chart/Chart.yaml

@@ -1,3 +1,4 @@
+#!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.2
 #!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.2_up1.3.1
 #!BuildTag: %%CHART_PREFIX%%akri-dashboard-extension:%%CHART_MAJOR%%.0.2_up1.3.1-%RELEASE%
 annotations:

edge-image-builder-image/artifacts.yaml

@@ -5,7 +5,7 @@ metallb:
 endpoint-copier-operator:
   chart: endpoint-copier-operator
   repository: "%%CHART_REPO%%/%%CHART_PREFIX%%"
-  version: "%%CHART_MAJOR%%.0.1+up0.3.0"
+  version: "%%CHART_MAJOR%%.0.0+up0.2.1"
 kubernetes:
   k3s:
     selinuxPackage: k3s-selinux-1.6-1.slemicro.noarch

endpoint-copier-operator-chart/Chart.yaml

@@ -1,8 +1,8 @@
-#!BuildTag: %%CHART_PREFIX%%endpoint-copier-operator:%%CHART_MAJOR%%.0.1_up0.3.0
+#!BuildTag: %%CHART_PREFIX%%endpoint-copier-operator:%%CHART_MAJOR%%.0.0_up0.2.1
-#!BuildTag: %%CHART_PREFIX%%endpoint-copier-operator:%%CHART_MAJOR%%.0.1_up0.3.0-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%endpoint-copier-operator:%%CHART_MAJOR%%.0.0_up0.2.1-%RELEASE%
 apiVersion: v2
-appVersion: v0.3.0
+appVersion: v0.2.0
 description: A Helm chart for Kubernetes
 name: endpoint-copier-operator
 type: application
-version: "%%CHART_MAJOR%%.0.1+up0.3.0"
+version: "%%CHART_MAJOR%%.0.0+up0.2.1"

endpoint-copier-operator-chart/templates/deployment.yaml

@@ -20,23 +20,8 @@ spec:
       labels:
         {{- include "endpoint-copier-operator.selectorLabels" . | nindent 8 }}
     spec:
-      {{- if .Values.priorityClassName }}
-      priorityClassName: {{ .Values.priorityClassName }}
-      {{- end }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
       containers:
       - command:
         - /manager

endpoint-copier-operator-chart/templates/rbac/role.yaml

@@ -7,9 +7,9 @@ metadata:
   name: {{ include "endpoint-copier-operator.fullname" . }}
 rules:
 - apiGroups:
-  - "discovery.k8s.io"
+  - ""
   resources:
-  - endpointslices
+  - endpoints
   verbs:
   - create
   - delete

endpoint-copier-operator-chart/values.yaml

@@ -8,7 +8,7 @@ image:
   repository: %%IMG_REPO%%/%%IMG_PREFIX%%endpoint-copier-operator
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "0.3.0"
+  tag: "0.2.0"
 
 nameOverride: "endpoint-copier-operator"
 fullnameOverride: "endpoint-copier-operator"
@@ -29,8 +29,6 @@ podSecurityContext:
   seccompProfile:
     type: RuntimeDefault
 
-priorityClassName: "system-cluster-critical"
-
 securityContext:
   allowPrivilegeEscalation: false
   capabilities:
@@ -39,11 +37,11 @@ securityContext:
 
 resources:
   limits:
-    cpu: 100m
+    cpu: 500m
-    memory: 64Mi
+    memory: 128Mi
   requests:
-    cpu: 5m
+    cpu: 10m
-    memory: 32Mi
+    memory: 64Mi
 
 autoscaling:
   enabled: false

endpoint-copier-operator/_service

@@ -2,7 +2,7 @@
  <service name="obs_scm">
     <param name="url">https://github.com/suse-edge/endpoint-copier-operator</param>
     <param name="scm">git</param>
-    <param name="revision">v0.3.0</param>
+    <param name="revision">v0.2.0</param>
     <param name="version">_auto_</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>

endpoint-copier-operator/endpoint-copier-operator.spec

@@ -17,14 +17,14 @@
 
 
 Name:           endpoint-copier-operator
-Version:        0.3.0
+Version:        0.2.0
-Release:        0.3.0
+Release:        0.2.0
 Summary:        Implements a Kubernetes API for copying endpoint resources
 License:        Apache-2.0
 URL:            https://github.com/suse-edge/endpoint-copier-operator
 Source:         endpoint-copier-operator-%{version}.tar
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.24
+BuildRequires:  golang(API) = 1.20
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 

ironic-image/Dockerfile

@@ -20,11 +20,11 @@ RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes
 
 #!ArchExclusiveLine: x86_64
 RUN if [ "$(uname -m)" = "x86_64" ];then \
-      zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api; \
+      zypper --installroot /installroot --non-interactive install --no-recommends syslinux python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api; \
     fi
 #!ArchExclusiveLine: aarch64
 RUN if [ "$(uname -m)" = "aarch64" ];then \
-      zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python311-pyinotify python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api; \
+      zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api; \
     fi
     
 # DATABASE
@@ -32,9 +32,7 @@ RUN mkdir -p /installroot/var/lib/ironic && \
   /installroot/usr/bin/sqlite3 /installroot/var/lib/ironic/ironic.sqlite "pragma journal_mode=wal" && \
   zypper --installroot /installroot --non-interactive remove sqlite3
 
-# build actual image
 FROM micro AS final
-
 MAINTAINER SUSE LLC (https://www.suse.com/)
 # Define labels according to https://en.opensuse.org/Building_derived_containers
 LABEL org.opencontainers.image.title="SLE Openstack Ironic Container Image"
@@ -64,15 +62,14 @@ RUN echo 'alias mkisofs="xorriso -as mkisofs"' >> ~/.bashrc
 COPY mkisofs_wrapper /usr/bin/mkisofs
 RUN set -euo pipefail; chmod +x /usr/bin/mkisofs
 
+COPY auth-common.sh configure-ironic.sh ironic-common.sh rundnsmasq runhttpd runironic runlogwatch.sh tls-common.sh configure-nonroot.sh ironic-probe.j2 /bin/
+RUN set -euo pipefail; chmod +x /bin/auth-common.sh; chmod +x /bin/configure-ironic.sh; chmod +x /bin/ironic-common.sh; chmod +x /bin/rundnsmasq; chmod +x /bin/runhttpd; chmod +x /bin/runironic; chmod +x /bin/runlogwatch.sh; chmod +x /bin/tls-common.sh; chmod +x /bin/configure-nonroot.sh;
 RUN mkdir -p /tftpboot
 RUN mkdir -p $GRUB_DIR
 
-COPY scripts/ /bin/
+# No need to support the Legacy BIOS boot
-COPY configure-nonroot.sh /bin/
+#RUN cp /usr/share/syslinux/pxelinux.0 /tftpboot
-RUN set -euo pipefail; chmod +x /bin/configure-ironic.sh /bin/rundnsmasq /bin/runhttpd /bin/runironic /bin/runlogwatch.sh /bin/configure-nonroot.sh
+#RUN cp /usr/share/syslinux/chain.c32 /tftpboot/
-
-COPY ironic-config/inspector.ipxe.j2 ironic-config/httpd-ironic-api.conf.j2 \
-     ironic-config/ipxe_config.template /tmp/
 
 # IRONIC #
 RUN cp /usr/share/ipxe/undionly.kpxe /tftpboot/undionly.kpxe
@@ -80,7 +77,7 @@ RUN cp /usr/share/ipxe/undionly.kpxe /tftpboot/undionly.kpxe
 RUN if [ "$(uname -m)" = "x86_64" ];then \
       cp /usr/share/ipxe/ipxe-x86_64.efi /tftpboot/ipxe.efi ;\
     fi
-#!ArchExclusiveLine: aarch64 
+#!ArchExclusiveLine: x86_64
 RUN if [ "$(uname -m)" = "aarch64" ]; then\ 
      cp /usr/share/ipxe/snp-arm64.efi /tftpboot/ipxe.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp-arm64.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp.efi ;\
     fi
@@ -88,21 +85,23 @@ RUN if [ "$(uname -m)" = "aarch64" ]; then\
 COPY --from=base /tmp/esp-x86_64.img /tmp/uefi_esp-x86_64.img
 COPY --from=base /tmp/esp-aarch64.img /tmp/uefi_esp-arm64.img
 
-COPY ironic-config/ironic.conf.j2 /etc/ironic/
+COPY ironic.conf.j2 /etc/ironic/
-COPY ironic-config/network-data-schema-empty.json /etc/ironic/
+COPY inspector.ipxe.j2 httpd-ironic-api.conf.j2 ipxe_config.template /tmp/
+COPY network-data-schema-empty.json /etc/ironic/
 
 # DNSMASQ
-COPY ironic-config/dnsmasq.conf.j2 /etc/
+COPY dnsmasq.conf.j2 /etc/
+
+# Custom httpd config, removes all but the bare minimum needed modules
+COPY httpd.conf.j2 /etc/httpd/conf/
+COPY httpd-modules.conf /etc/httpd/conf.modules.d/
+COPY apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
+COPY apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
 
 # Workaround
 # Removing the 010-ironic.conf file that comes with the package 
 RUN rm /etc/ironic/ironic.conf.d/010-ironic.conf
 
-# Custom httpd config, removes all but the bare minimum needed modules
-COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
-COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
-COPY ironic-config/apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
-COPY ironic-config/apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
-
 # configure non-root user and set relevant permissions
-RUN configure-nonroot.sh && rm -f /bin/configure-nonroot.sh
+RUN configure-nonroot.sh && \
+  rm -f /bin/configure-nonroot.sh

ironic-image/configure-ironic.sh

@@ -84,6 +84,7 @@ echo 'Options set from Environment variables'
 env | grep "^OS_" || true
 
 mkdir -p /shared/html
+mkdir -p /shared/ironic_prometheus_exporter
 
 configure_json_rpc_auth
 

ironic-image/inspector-apache.conf.j2

@@ -0,0 +1,57 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+{% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
+Listen {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
+ <VirtualHost *:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
+{% else %}
+Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
+ <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
+{% endif %}
+    {% if env.IRONIC_INSPECTOR_PRIVATE_PORT == "unix" %}
+    ProxyPass "/"  "unix:/shared/inspector.sock|http://127.0.0.1/"
+    ProxyPassReverse "/"  "unix:/shared/inspector.sock|http://127.0.0.1/"
+    {% else %}
+    ProxyPass "/"  "http://127.0.0.1:{{ env.IRONIC_INSPECTOR_PRIVATE_PORT }}/"
+    ProxyPassReverse "/"  "http://127.0.0.1:{{ env.IRONIC_INSPECTOR_PRIVATE_PORT }}/"
+    {% endif %}
+
+    SetEnv APACHE_RUN_USER ironic-suse
+    SetEnv APACHE_RUN_GROUP ironic-suse
+
+    ErrorLog /dev/stdout
+    LogLevel debug
+    CustomLog /dev/stdout combined
+
+    SSLEngine On
+    SSLProtocol {{ env.IRONIC_SSL_PROTOCOL }}
+    SSLCertificateFile {{ env.IRONIC_INSPECTOR_CERT_FILE }} 
+    SSLCertificateKeyFile {{ env.IRONIC_INSPECTOR_KEY_FILE }}
+
+    {% if "INSPECTOR_HTPASSWD" in env and env.INSPECTOR_HTPASSWD | length %}
+    <Location / >
+        AuthType Basic
+        AuthName "Restricted area"
+        AuthUserFile "/etc/ironic-inspector/htpasswd"
+        Require valid-user
+    </Location>
+
+    <Location ~ "^/(v1/?)?$" >
+        Require all granted
+    </Location>
+
+    <Location /v1/continue >
+        Require all granted
+    </Location>
+    {% endif %}
+</VirtualHost>

ironic-image/ironic-inspector.conf.j2

@@ -0,0 +1,68 @@
+[DEFAULT]
+auth_strategy = noauth
+debug = true
+transport_url = fake://
+use_stderr = true
+{% if env.INSPECTOR_REVERSE_PROXY_SETUP == "true" %}
+{% if env.IRONIC_INSPECTOR_PRIVATE_PORT == "unix" %}
+listen_unix_socket = /shared/inspector.sock
+# NOTE(dtantsur): this is not ideal, but since the socket is accessed from
+# another container, we need to make it world-writeable.
+listen_unix_socket_mode = 0666
+{% else %}
+listen_port = {{ env.IRONIC_INSPECTOR_PRIVATE_PORT }}
+listen_address = 127.0.0.1
+{% endif %}
+{% elif env.LISTEN_ALL_INTERFACES | lower == "true" %}
+listen_port = {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
+listen_address = ::
+{% else %}
+listen_port = {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
+listen_address = {{ env.IRONIC_IP }}
+{% endif %}
+host = {{ env.IRONIC_IP }}
+{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" and env.INSPECTOR_REVERSE_PROXY_SETUP == "false" %}
+use_ssl = true
+{% endif %}
+
+[database]
+connection = sqlite:////var/lib/ironic-inspector/ironic-inspector.db
+
+{% if env.IRONIC_INSPECTOR_ENABLE_DISCOVERY == "true" %}
+[discovery]
+enroll_node_driver = ipmi
+{% endif %}
+
+[ironic]
+auth_type = none
+endpoint_override = {{ env.IRONIC_BASE_URL }}
+{% if env.IRONIC_TLS_SETUP == "true" %}
+cafile = {{ env.IRONIC_CACERT_FILE }}
+insecure = {{ env.IRONIC_INSECURE }}
+{% endif %}
+
+[processing]
+add_ports = all
+always_store_ramdisk_logs = true
+keep_ports = present
+{% if env.IRONIC_INSPECTOR_ENABLE_DISCOVERY == "true" %}
+node_not_found_hook = enroll
+{% endif %}
+permit_active_introspection = true
+power_off = false
+processing_hooks = $default_processing_hooks,lldp_basic
+ramdisk_logs_dir = /shared/log/ironic-inspector/ramdisk
+store_data = database
+
+[pxe_filter]
+driver = noop
+
+[service_catalog]
+auth_type = none
+endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
+
+{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" and env.INSPECTOR_REVERSE_PROXY_SETUP == "false" %}
+[ssl]
+cert_file = {{ env.IRONIC_INSPECTOR_CERT_FILE }}
+key_file = {{ env.IRONIC_INSPECTOR_KEY_FILE }}
+{% endif %}

ironic-image/ironic.conf.j2

@@ -187,6 +187,11 @@ insecure = {{ env.IRONIC_INSECURE }}
 [nova]
 send_power_notifications = false
 
+[oslo_messaging_notifications]
+driver = prometheus_exporter
+location = /shared/ironic_prometheus_exporter
+transport_url = fake://
+
 [pxe]
 # NOTE(dtantsur): keep this value at least 3x lower than
 # [conductor]deploy_callback_timeout so that at least some retries happen.

ironic-image/runhttpd

@@ -72,7 +72,7 @@ fi
 # Set up inotify to kill the container (restart) whenever cert files for ironic api change
 if [[ "$IRONIC_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
     # shellcheck disable=SC2034
-    python3.11 -m pyinotify --raw-format -e IN_DELETE_SELF -v "${IRONIC_CERT_FILE}" | while read -r file event; do
+    inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read -r file event; do
         kill -WINCH $(pgrep httpd)
     done &
 fi
@@ -80,7 +80,7 @@ fi
 # Set up inotify to kill the container (restart) whenever cert of httpd for /shared/html/<redifsh;ilo> path change
 if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
     # shellcheck disable=SC2034
-    python3.11 -m pyinotify --raw-format -e IN_DELETE_SELF -v "${IRONIC_VMEDIA_CERT_FILE}" | while read -r file event; do
+    inotifywait -m -e delete_self "${IRONIC_VMEDIA_CERT_FILE}" | while read -r file event; do
         kill -WINCH $(pgrep httpd)
     done &
 fi

ironic-image/runironic

@@ -13,7 +13,7 @@ run_ironic_dbsync
 
 if [[ "$IRONIC_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
     # shellcheck disable=SC2034
-    python3.11 -m pyinotify --raw-format -e IN_DELETE_SELF -v "${IRONIC_CERT_FILE}" | while read -r file event; do
+    inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read -r file event; do
         kill $(pgrep ironic)
     done &
 fi

ironic-image/runironic-api

@@ -0,0 +1,13 @@
+#!/usr/bin/bash
+
+export IRONIC_DEPLOYMENT="API"
+
+# shellcheck disable=SC1091
+. /bin/configure-ironic.sh
+
+export IRONIC_REVERSE_PROXY_SETUP=false
+
+python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < /tmp/httpd-ironic-api.conf.j2 > /etc/httpd/conf.d/ironic.conf
+
+# shellcheck disable=SC1091
+. /bin/runhttpd

ironic-image/runironic-conductor

@@ -0,0 +1,20 @@
+#!/usr/bin/bash
+
+export IRONIC_DEPLOYMENT="Conductor"
+
+# shellcheck disable=SC1091
+. /bin/configure-ironic.sh
+
+# Ramdisk logs
+mkdir -p /shared/log/ironic/deploy
+
+run_ironic_dbsync
+
+if [[ "$IRONIC_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
+    # shellcheck disable=SC2034
+    inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read -r file event; do
+        kill $(pgrep ironic)
+    done &
+fi
+
+exec /usr/bin/ironic-conductor

ironic-image/runironic-exporter

@@ -0,0 +1,12 @@
+#!/usr/bin/bash
+
+# shellcheck disable=SC1091
+. /bin/configure-ironic.sh
+
+FLASK_RUN_HOST=${FLASK_RUN_HOST:-0.0.0.0}
+FLASK_RUN_PORT=${FLASK_RUN_PORT:-9608}
+
+export IRONIC_CONFIG="/etc/ironic/ironic.conf"
+
+exec gunicorn -b "${FLASK_RUN_HOST}:${FLASK_RUN_PORT}" -w 4 \
+    ironic_prometheus_exporter.app.wsgi:application

ironic-image/runironic-inspector

@@ -0,0 +1,62 @@
+#!/usr/bin/bash
+
+set -euxo pipefail
+
+CONFIG=/etc/ironic-inspector/ironic-inspector.conf
+
+export IRONIC_INSPECTOR_ENABLE_DISCOVERY=${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}
+export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
+
+# shellcheck disable=SC1091
+. /bin/tls-common.sh
+# shellcheck disable=SC1091
+. /bin/ironic-common.sh
+# shellcheck disable=SC1091
+. /bin/auth-common.sh
+
+if [[ "$USE_IRONIC_INSPECTOR" == "false" ]]; then
+    echo "FATAL: ironic-inspector is disabled via USE_IRONIC_INSPECTOR"
+    exit 1
+fi
+
+wait_for_interface_or_ip
+
+IRONIC_INSPECTOR_PORT=${IRONIC_INSPECTOR_ACCESS_PORT}
+if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then
+    if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "true" ]] && [[ "${IRONIC_INSPECTOR_PRIVATE_PORT}" != "unix" ]]; then
+        IRONIC_INSPECTOR_PORT=$IRONIC_INSPECTOR_PRIVATE_PORT
+    fi
+else
+    export INSPECTOR_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
+fi
+
+export IRONIC_INSPECTOR_BASE_URL="${IRONIC_INSPECTOR_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_INSPECTOR_PORT}"
+export IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"
+
+build_j2_config()
+{
+    local CONFIG_FILE="$1"
+    python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$CONFIG_FILE.j2"
+}
+
+# Merge with the original configuration file from the package.
+build_j2_config "$CONFIG" | crudini --merge "$CONFIG"
+
+configure_inspector_auth
+
+configure_client_basic_auth ironic "${CONFIG}"
+
+ironic-inspector-dbsync --config-file "${CONFIG}" upgrade
+
+if [[ "$INSPECTOR_REVERSE_PROXY_SETUP" == "false" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
+    # shellcheck disable=SC2034
+    inotifywait -m -e delete_self "${IRONIC_INSPECTOR_CERT_FILE}" | while read -r file event; do
+        kill $(pgrep ironic)
+    done &
+fi
+
+# Make sure ironic traffic bypasses any proxies
+export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
+
+# shellcheck disable=SC2086
+exec /usr/bin/ironic-inspector

ironic-image/runlogwatch.sh

@@ -11,7 +11,7 @@ while [ ! -d "${LOG_DIR}" ]; do
   sleep 5
 done
 
-python3.11 -m pyinotify --raw-format -e IN_CLOSE_WRITE -v "${LOG_DIR}" |
+inotifywait -m "${LOG_DIR}" -e close_write |
     while read -r path _action file; do
         echo "************ Contents of ${path}/${file} ramdisk log file bundle **************"
         tar -xOzvvf "${path}/${file}" | sed -e "s/^/${file}: /"

ironic-ipa-downloader-image/Dockerfile

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.8
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.7
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.8-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.7-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 
@@ -33,6 +33,8 @@ LABEL com.suse.release-stage="released"
 
 COPY --from=base /installroot /
 RUN cp /getopt /usr/bin/
+RUN cp /srv/tftpboot/openstack-ironic-image/initrd*.zst /tmp
+RUN cp /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel /tmp
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/

ironic-ipa-downloader-image/Dockerfile.aarch64

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.8
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.7
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.8-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-aarch64:3.0.7-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 
@@ -33,6 +33,8 @@ LABEL com.suse.release-stage="released"
 
 COPY --from=base /installroot /
 RUN cp /getopt /usr/bin/
+RUN cp /srv/tftpboot/openstack-ironic-image/initrd*.zst /tmp
+RUN cp /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel /tmp
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/

ironic-ipa-downloader-image/Dockerfile.x86_64

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.8
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.7
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.8-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader-x86_64:3.0.7-%RELEASE%
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 
@@ -33,6 +33,8 @@ LABEL com.suse.release-stage="released"
 
 COPY --from=base /installroot /
 RUN cp /getopt /usr/bin/
+RUN cp /srv/tftpboot/openstack-ironic-image/initrd*.zst /tmp
+RUN cp /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel /tmp
 RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256
 # configure non-root user
 COPY configure-nonroot.sh /bin/

ironic-ipa-downloader-image/get-resource.sh

@@ -6,8 +6,6 @@ export http_proxy=${http_proxy:-$HTTP_PROXY}
 export https_proxy=${https_proxy:-$HTTPS_PROXY}
 export no_proxy=${no_proxy:-$NO_PROXY}
 
-IMAGES_BASE_PATH="/srv/tftpboot/openstack-ironic-image"
-
 if [ -d "/tmp/ironic-certificates" ]; then
   sha256sum /tmp/ironic-certificates/* > /tmp/certificates.sha256
   if cmp "/shared/certificates.sha256" "/tmp/certificates.sha256"; then
@@ -29,13 +27,13 @@ if [ -z "${IPA_BASEURI}" ]; then
   # SLES BASED IPA - ironic-ipa-ramdisk-x86_64 and ironic-ipa-ramdisk-aarch64 packages
   mkdir -p /shared/html/images
   if [ -f /tmp/initrd-x86_64.zst ]; then
-    cp ${IMAGES_BASE_PATH}/initrd-x86_64.zst /shared/html/images/ironic-python-agent-x86_64.initramfs
+    cp /tmp/initrd-x86_64.zst /shared/html/images/ironic-python-agent-x86_64.initramfs
-    cp ${IMAGES_BASE_PATH}/openstack-ironic-image.x86_64*.kernel /shared/html/images/ironic-python-agent-x86_64.kernel
+    cp /tmp/openstack-ironic-image.x86_64*.kernel /shared/html/images/ironic-python-agent-x86_64.kernel
   fi
   # Use arm64 as destination for iPXE compatibility
   if [ -f /tmp/initrd-aarch64.zst ]; then
-    cp ${IMAGES_BASE_PATH}/initrd-aarch64.zst /shared/html/images/ironic-python-agent-arm64.initramfs
+    cp /tmp/initrd-aarch64.zst /shared/html/images/ironic-python-agent-arm64.initramfs
-    cp ${IMAGES_BASE_PATH}/openstack-ironic-image.aarch64*.kernel /shared/html/images/ironic-python-agent-arm64.kernel
+    cp /tmp/openstack-ironic-image.aarch64*.kernel /shared/html/images/ironic-python-agent-arm64.kernel
   fi
 
   cp /tmp/images.sha256 /shared/images.sha256

kubevirt-dashboard-extension-chart/Chart.yaml

@@ -1,3 +1,4 @@
+#!BuildTag: %%CHART_PREFIX%%kubevirt-dashboard-extension:%%CHART_MAJOR%%.0.2
 #!BuildTag: %%CHART_PREFIX%%kubevirt-dashboard-extension:%%CHART_MAJOR%%.0.2_up1.3.2
 #!BuildTag: %%CHART_PREFIX%%kubevirt-dashboard-extension:%%CHART_MAJOR%%.0.2_up1.3.2-%RELEASE%
 annotations:

metal3-chart/Chart.yaml

@@ -1,7 +1,7 @@
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.8_up0.11.6
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.7_up0.11.5
-#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.8_up0.11.6-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%metal3:%%CHART_MAJOR%%.0.7_up0.11.5-%RELEASE%
 apiVersion: v2
-appVersion: 0.11.6
+appVersion: 0.11.5
 dependencies:
 - alias: metal3-baremetal-operator
   name: baremetal-operator
@@ -15,7 +15,7 @@ dependencies:
   condition: global.enable_mariadb
   name: mariadb
   repository: file://./charts/mariadb
-  version: 0.6.0
+  version: 0.5.4
 - alias: metal3-media
   condition: global.enable_metal3_media_server
   name: media
@@ -25,4 +25,4 @@ description: A Helm chart that installs all of the dependencies needed for Metal
 icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
 name: metal3
 type: application
-version: "%%CHART_MAJOR%%.0.8+up0.11.6"
+version: "%%CHART_MAJOR%%.0.7+up0.11.5"

metal3-chart/charts/ironic/values.yaml

@@ -60,7 +60,7 @@ images:
   ironicIPADownloader:
     repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic-ipa-downloader
     pullPolicy: IfNotPresent
-    tag: 3.0.8
+    tag: 3.0.7
 
 nameOverride: ""
 fullnameOverride: ""

metal3-chart/charts/mariadb/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: "10.11"
+appVersion: 10.6.7
 description: A Helm chart for MariaDB, used by Metal3
 name: mariadb
 type: application
-version: 0.6.0
+version: 0.5.4

metal3-chart/charts/mariadb/templates/configmap-mariadb.yaml

@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: ConfigMap 
-metadata:
-  name: mariadb-config
-  labels:
-    {{- include "mariadb.labels" . | nindent 4 }}
-data:
-  ironic.conf: |
-    [mariadb]
-    max_connections 64
-    max_heap_table_size 1M
-    innodb_buffer_pool_size 5M
-    innodb_log_buffer_size 512K

metal3-chart/charts/mariadb/templates/configmap.yaml

@@ -5,7 +5,4 @@ metadata:
   labels:
     {{- include "mariadb.labels" . | nindent 4 }}
 data:
-  MARIADB_USER: ironic
+  RESTART_CONTAINER_CERTIFICATE_UPDATED: "false"
-  MARIADB_RANDOM_ROOT_PASSWORD: "yes"
-  MARIADB_DATABASE: ironic
-  MARIADB_AUTO_UPGRADE: "yes"

metal3-chart/charts/mariadb/templates/deployment.yaml

@@ -25,50 +25,23 @@ spec:
       serviceAccountName: {{ include "mariadb.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      initContainers:
-      # This would run during entrypoint if run as root
-      - name: set-volume-owners
-        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-        imagePullPolicy: {{ .Values.image.pullPolicy }}
-        securityContext:
-            runAsUser: 0
-            allowPrivilegeEscalation: true
-            capabilities:
-              drop:
-              - ALL
-              add:
-              - CHOWN
-              - FOWNER
-              - DAC_OVERRIDE
-            seccompProfile:
-              type: RuntimeDefault
-        volumeMounts:
-          - name: mariadb-conf
-            mountPath: /etc/mysql/conf.d
-          - name: mariadb-run
-            mountPath: /run/mysql
-          {{- $volmounts }}
-        command: ['bash', '-c', 'source /usr/local/bin/docker-entrypoint.sh && docker_create_db_directories']
-        env:
-          - name: DATADIR
-            value: /var/lib/mysql
-          - name: SOCKET
-            value: /run/mysql/mysql.sock
       containers:
       - name: mariadb
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         securityContext:
           {{- toYaml .Values.securityContext | nindent 12 }}
-        envFrom:
-          - configMapRef:
-              name: mariadb-cm
         env:
           - name: MARIADB_PASSWORD
             valueFrom:
               secretKeyRef:
                 key: password
                 name: ironic-mariadb
+          - name: RESTART_CONTAINER_CERTIFICATE_UPDATED
+            valueFrom:
+              configMapKeyRef:
+                name: mariadb-cm
+                key: RESTART_CONTAINER_CERTIFICATE_UPDATED
         lifecycle:
           preStop:
             exec:
@@ -79,9 +52,9 @@ spec:
         livenessProbe:
           exec:
             command:
-              - healthcheck.sh
+              - sh
-              - --connect
+              - -c
-              - --innodb_initialized
+              - mysqladmin status -uironic -p$(printenv MARIADB_PASSWORD)
           failureThreshold: 10
           initialDelaySeconds: 30
           periodSeconds: 30
@@ -94,29 +67,19 @@ spec:
         readinessProbe:
           exec:
             command:
-              - healthcheck.sh
+              - sh
-              - --connect
+              - -c
-              - --innodb_initialized
+              - mysqladmin status -uironic -p$(printenv MARIADB_PASSWORD)
           failureThreshold: 10
           initialDelaySeconds: 30
           periodSeconds: 30
           successThreshold: 1
           timeoutSeconds: 10
         volumeMounts:
-            - name: mariadb-conf
-              mountPath: /etc/mysql/conf.d
-            - name: mariadb-run
-              mountPath: /run/mysql
             {{- $volmounts }}
       {{- with .Values.global.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
-        - name: mariadb-conf
-          configMap:
-            name: mariadb-config
-        - name: mariadb-run
-          emptyDir:
-            sizeLimit: 20Mi
         {{- $volumes }}

metal3-chart/charts/mariadb/values.yaml

@@ -12,9 +12,9 @@ service:
     targetPort: 3306
 
 image:
-  repository: registry.suse.com/suse/mariadb
+  repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/suse/mariadb
   pullPolicy: IfNotPresent
-  tag: 10.11
+  tag: 10.6.15.1
 
 nameOverride: ""
 fullnameOverride: ""
@@ -31,8 +31,8 @@ serviceAccount:
 podAnnotations: {}
 
 podSecurityContext:
-  runAsUser: 60
+  runAsUser: 10060
-  fsGroup: 60
+  fsGroup: 10060
 
 securityContext:
   allowPrivilegeEscalation: false
@@ -60,7 +60,6 @@ persistence:
 volumeMounts:
   - name: mariadb-data-volume
     mountPath: /var/lib/mysql
-    subPath: data
 
 volumes:
   - name: mariadb-data-volume

metal3-chart/values.yaml

@@ -115,8 +115,8 @@ metal3-mariadb:
   persistence:
     storageClass: ""
   image:
-    repository: "registry.suse.com/suse/mariadb"
+    repository: "registry.suse.com/edge/mariadb"
-    tag: "10.11"
+    tag: "10.6.15.1"
 
 #
 # Baremetal Operator

rancher-turtles-airgap-resources-chart/Chart.yaml

@@ -1,10 +1,10 @@
-#!BuildTag: %%CHART_PREFIX%%rancher-turtles-airgap-resources:%%CHART_MAJOR%%.0.4_up0.20.0
+#!BuildTag: %%CHART_PREFIX%%rancher-turtles-airgap-resources:%%CHART_MAJOR%%.0.5_up0.21.0
-#!BuildTag: %%CHART_PREFIX%%rancher-turtles-airgap-resources:%%CHART_MAJOR%%.0.4_up0.20.0-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%rancher-turtles-airgap-resources:%%CHART_MAJOR%%.0.5_up0.21.0-%RELEASE%
 apiVersion: v2
-appVersion: 0.20.0
+appVersion: 0.21.0
 description: Rancher Turtles utility chart for airgap scenarios
 home: https://github.com/rancher/turtles/
 icon: https://raw.githubusercontent.com/rancher/turtles/main/logos/capi.svg
 name: rancher-turtles-airgap-resources
 type: application
-version: "%%CHART_MAJOR%%.0.4+up0.20.0"
+version: "%%CHART_MAJOR%%.0.5+up0.21.0"

rancher-turtles-airgap-resources-chart/templates/airgap-cm-fleet-addon.yaml

@@ -656,12 +656,8 @@ data:
       - list
       - get
       - watch
-    - apiGroups:
-      - ""
-      resources:
-      - namespaces
-      verbs:
       - create
+      - patch
     - apiGroups:
       - events.k8s.io
       resources:
@@ -817,7 +813,7 @@ data:
             control-plane: controller-manager
         spec:
           containers:
-          - image: ghcr.io/rancher-sandbox/cluster-api-addon-provider-fleet:v0.10.0
+          - image: ghcr.io/rancher-sandbox/cluster-api-addon-provider-fleet:v0.11.0
             imagePullPolicy: IfNotPresent
             name: manager
             ports:
@@ -839,7 +835,7 @@ data:
                 memory: 100Mi
           - args:
             - --helm-install
-            image: ghcr.io/rancher-sandbox/cluster-api-addon-provider-fleet:v0.10.0
+            image: ghcr.io/rancher-sandbox/cluster-api-addon-provider-fleet:v0.11.0
             name: helm-manager
             resources:
               limits:
@@ -891,10 +887,13 @@ data:
       - major: 0
         minor: 10
         contract: v1beta1
+      - major: 0
+        minor: 11
+        contract: v1beta1
 kind: ConfigMap
 metadata:
   creationTimestamp: null
-  name: v0.10.0
+  name: v0.11.0
   namespace: rancher-turtles-system
   labels:
     provider-components: fleet

rancher-turtles-airgap-resources-chart/templates/airgap-cm-metal3.yaml

@@ -3734,7 +3734,7 @@ data:
             envFrom:
             - configMapRef:
                 name: capm3-capm3fasttrack-configmap
-            image: registry.rancher.com/rancher/cluster-api-provider-metal3:v1.9.3
+            image: registry.rancher.com/rancher/cluster-api-provider-metal3:v1.9.4
             imagePullPolicy: IfNotPresent
             livenessProbe:
               httpGet:
@@ -3820,7 +3820,7 @@ data:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
-            image: quay.io/metal3-io/ip-address-manager:v1.9.4
+            image: quay.io/metal3-io/ip-address-manager:v1.9.5
             imagePullPolicy: IfNotPresent
             livenessProbe:
               httpGet:
@@ -4524,7 +4524,7 @@ data:
 kind: ConfigMap
 metadata:
   creationTimestamp: null
-  name: v1.9.3
+  name: v1.9.4
   namespace: capm3-system
   labels:
     provider-components: metal3

rancher-turtles-airgap-resources-chart/templates/airgap-cm-rke2-bootstrap.yaml

@@ -985,6 +985,9 @@ data:
                       - path
                       type: object
                     type: array
+                  gzipUserData:
+                    description: GzipUserData specifies if the user data should be gzipped.
+                    type: boolean
                   postRKE2Commands:
                     description: PostRKE2Commands specifies extra commands to run after
                       rke2 setup runs.
@@ -2164,6 +2167,10 @@ data:
                               - path
                               type: object
                             type: array
+                          gzipUserData:
+                            description: GzipUserData specifies if the user data should
+                              be gzipped.
+                            type: boolean
                           postRKE2Commands:
                             description: PostRKE2Commands specifies extra commands to
                               run after rke2 setup runs.
@@ -2525,11 +2532,12 @@ data:
             - --leader-elect
             - --diagnostics-address=${CAPRKE2_DIAGNOSTICS_ADDRESS:=:8443}
             - --insecure-diagnostics=${CAPRKE2_INSECURE_DIAGNOSTICS:=false}
-            - --feature-gates=MachinePool=${EXP_MACHINE_POOL:=true}
             - --v=${CAPRKE2_DEBUG_LEVEL:=0}
+            - --feature-gates=MachinePool=${EXP_MACHINE_POOL:=true},ClusterTopology=${CLUSTER_TOPOLOGY:=true}
+            - --concurrency=${CONCURRENCY_NUMBER:=10}
             command:
             - /manager
-            image: ghcr.io/rancher/cluster-api-provider-rke2-bootstrap:v0.16.1
+            image: ghcr.io/rancher/cluster-api-provider-rke2-bootstrap:v0.18.0
             imagePullPolicy: IfNotPresent
             livenessProbe:
               httpGet:
@@ -2764,10 +2772,16 @@ data:
       - major: 0
         minor: 16
         contract: v1beta1
+      - major: 0
+        minor: 17
+        contract: v1beta1
+      - major: 0
+        minor: 18
+        contract: v1beta1
 kind: ConfigMap
 metadata:
   creationTimestamp: null
-  name: v0.16.1
+  name: v0.18.0
   namespace: rke2-bootstrap-system
   labels:
     provider-components: rke2-bootstrap

rancher-turtles-airgap-resources-chart/templates/airgap-cm-rke2-control-plane.yaml

@@ -1624,6 +1624,9 @@ data:
                       - path
                       type: object
                     type: array
+                  gzipUserData:
+                    description: GzipUserData specifies if the user data should be gzipped.
+                    type: boolean
                   infrastructureRef:
                     description: |-
                       InfrastructureRef is a required reference to a custom resource
@@ -2434,6 +2437,51 @@ data:
                               if value is false, ETCD metrics will NOT be exposed
                             type: boolean
                         type: object
+                      externalDatastoreSecret:
+                        description: |-
+                          ExternalDatastoreSecret is a reference to a Secret that contains configuration about connecting to an external datastore.
+                          The secret must contain a key named "endpoint" that contains the connection string for the external datastore.
+                        properties:
+                          apiVersion:
+                            description: API version of the referent.
+                            type: string
+                          fieldPath:
+                            description: |-
+                              If referring to a piece of an object instead of an entire object, this string
+                              should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                              For example, if the object reference is to a container within a pod, this would take on a value like:
+                              "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                              the event) or if no container name is specified "spec.containers[2]" (container with
+                              index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                              referencing a part of an object.
+                            type: string
+                          kind:
+                            description: |-
+                              Kind of the referent.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+                            type: string
+                          name:
+                            description: |-
+                              Name of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            type: string
+                          namespace:
+                            description: |-
+                              Namespace of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+                            type: string
+                          resourceVersion:
+                            description: |-
+                              Specific resourceVersion to which this reference is made, if any.
+                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+                            type: string
+                          uid:
+                            description: |-
+                              UID of the referent.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+                            type: string
+                        type: object
+                        x-kubernetes-map-type: atomic
                       kubeAPIServer:
                         description: KubeAPIServer defines optional custom configuration
                           of the Kube API Server.
@@ -3125,6 +3173,10 @@ data:
                               - path
                               type: object
                             type: array
+                          gzipUserData:
+                            description: GzipUserData specifies if the user data should
+                              be gzipped.
+                            type: boolean
                           infrastructureRef:
                             description: |-
                               InfrastructureRef is a required reference to a custom resource
@@ -3950,6 +4002,51 @@ data:
                                       if value is false, ETCD metrics will NOT be exposed
                                     type: boolean
                                 type: object
+                              externalDatastoreSecret:
+                                description: |-
+                                  ExternalDatastoreSecret is a reference to a Secret that contains configuration about connecting to an external datastore.
+                                  The secret must contain a key named "endpoint" that contains the connection string for the external datastore.
+                                properties:
+                                  apiVersion:
+                                    description: API version of the referent.
+                                    type: string
+                                  fieldPath:
+                                    description: |-
+                                      If referring to a piece of an object instead of an entire object, this string
+                                      should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
+                                      For example, if the object reference is to a container within a pod, this would take on a value like:
+                                      "spec.containers{name}" (where "name" refers to the name of the container that triggered
+                                      the event) or if no container name is specified "spec.containers[2]" (container with
+                                      index 2 in this pod). This syntax is chosen only to have some well-defined way of
+                                      referencing a part of an object.
+                                    type: string
+                                  kind:
+                                    description: |-
+                                      Kind of the referent.
+                                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+                                    type: string
+                                  name:
+                                    description: |-
+                                      Name of the referent.
+                                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                    type: string
+                                  namespace:
+                                    description: |-
+                                      Namespace of the referent.
+                                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+                                    type: string
+                                  resourceVersion:
+                                    description: |-
+                                      Specific resourceVersion to which this reference is made, if any.
+                                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
+                                    type: string
+                                  uid:
+                                    description: |-
+                                      UID of the referent.
+                                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
+                                    type: string
+                                type: object
+                                x-kubernetes-map-type: atomic
                               kubeAPIServer:
                                 description: KubeAPIServer defines optional custom configuration
                                   of the Kube API Server.
@@ -4446,6 +4543,7 @@ data:
             - --diagnostics-address=${CAPRKE2_DIAGNOSTICS_ADDRESS:=:8443}
             - --insecure-diagnostics=${CAPRKE2_INSECURE_DIAGNOSTICS:=false}
             - --v=${CAPRKE2_DEBUG_LEVEL:=0}
+            - --concurrency=${CONCURRENCY_NUMBER:=10}
             command:
             - /manager
             env:
@@ -4461,7 +4559,7 @@ data:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.uid
-            image: ghcr.io/rancher/cluster-api-provider-rke2-controlplane:v0.16.1
+            image: ghcr.io/rancher/cluster-api-provider-rke2-controlplane:v0.18.0
             imagePullPolicy: IfNotPresent
             livenessProbe:
               httpGet:
@@ -4703,10 +4801,16 @@ data:
       - major: 0
         minor: 16
         contract: v1beta1
+      - major: 0
+        minor: 17
+        contract: v1beta1
+      - major: 0
+        minor: 18
+        contract: v1beta1
 kind: ConfigMap
 metadata:
   creationTimestamp: null
-  name: v0.16.1
+  name: v0.18.0
   namespace: rke2-control-plane-system
   labels:
     provider-components: rke2-control-plane

rancher-turtles-chart/Chart.lock

@@ -3,4 +3,4 @@ dependencies:
   repository: https://kubernetes-sigs.github.io/cluster-api-operator
   version: 0.18.1
 digest: sha256:7ad59ce8888c32723b4ef1ae5f334fdff00a8aba87e6f1de76d605f134bff354
-generated: "2025-05-29T09:13:16.863770955Z"
+generated: "2025-06-30T13:10:01.066923702Z"

rancher-turtles-chart/Chart.yaml

@@ -1,5 +1,5 @@
-#!BuildTag: %%CHART_PREFIX%%rancher-turtles:%%CHART_MAJOR%%.0.4_up0.20.0
+#!BuildTag: %%CHART_PREFIX%%rancher-turtles:%%CHART_MAJOR%%.0.5_up0.21.0
-#!BuildTag: %%CHART_PREFIX%%rancher-turtles:%%CHART_MAJOR%%.0.4_up0.20.0-%RELEASE%
+#!BuildTag: %%CHART_PREFIX%%rancher-turtles:%%CHART_MAJOR%%.0.5_up0.21.0-%RELEASE%
 annotations:
   catalog.cattle.io/certified: rancher
   catalog.cattle.io/display-name: Rancher Turtles - the Cluster API Extension
@@ -12,12 +12,12 @@ annotations:
   catalog.cattle.io/scope: management
   catalog.cattle.io/type: cluster-tool
 apiVersion: v2
-appVersion: 0.20.0
+appVersion: 0.21.0
 dependencies:
 - condition: cluster-api-operator.enabled
   name: cluster-api-operator
   repository: file://./charts/cluster-api-operator
-  version: 0.17.0
+  version: 0.18.1
 description: Rancher Turtles is an extension to Rancher that brings full Cluster API
   integration to Rancher.
 home: https://github.com/rancher/turtles/
@@ -29,4 +29,4 @@ keywords:
 - provisioning
 name: rancher-turtles
 type: application
-version: "%%CHART_MAJOR%%.0.4+up0.20.0"
+version: "%%CHART_MAJOR%%.0.5+up0.21.0"

rancher-turtles-chart/RELEASE_NOTES.md

@@ -1,4 +1,4 @@
-## Changes since v0.20.0-rc.0
+## Changes since examples/v0.21.0
 ---
 ## :chart_with_upwards_trend: Overview
 

rancher-turtles-chart/charts/cluster-api-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 0.17.0
+appVersion: 0.18.1
 description: Cluster API Operator
 name: cluster-api-operator
 type: application
-version: 0.17.0
+version: 0.18.1

rancher-turtles-chart/charts/cluster-api-operator/templates/addon.yaml

@@ -26,8 +26,10 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "1"
   name: {{ $addonNamespace }}
 ---
@@ -37,8 +39,10 @@ metadata:
   name: {{ $addonName }}
   namespace: {{ $addonNamespace }}
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "2"
 {{- if or $addonVersion $.Values.secretName }}
 spec:

rancher-turtles-chart/charts/cluster-api-operator/templates/bootstrap.yaml

@@ -26,8 +26,11 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
+    "argocd.argoproj.io/sync-wave": "1"
   name: {{ $bootstrapNamespace }}
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -36,8 +39,11 @@ metadata:
   name: {{ $bootstrapName }}
   namespace: {{ $bootstrapNamespace }}
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
+    "argocd.argoproj.io/sync-wave": "2"
 {{- if or $bootstrapVersion $.Values.configSecret.name }}
 spec:
 {{- end}}

rancher-turtles-chart/charts/cluster-api-operator/templates/control-plane.yaml

@@ -26,8 +26,11 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
+    "argocd.argoproj.io/sync-wave": "1"
   name: {{ $controlPlaneNamespace }}
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -36,8 +39,11 @@ metadata:
   name: {{ $controlPlaneName }}
   namespace: {{ $controlPlaneNamespace }}
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
+    "argocd.argoproj.io/sync-wave": "2"
 {{- if or $controlPlaneVersion $.Values.configSecret.name $.Values.manager }}
 spec:
 {{- end}}

rancher-turtles-chart/charts/cluster-api-operator/templates/core-conditions.yaml

@@ -1,4 +1,4 @@
-{{- if or .Values.addon .Values.bootstrap .Values.controlPlane .Values.infrastructure }}
+{{- if or .Values.addon .Values.bootstrap .Values.controlPlane .Values.infrastructure .Values.ipam }}
 # Deploy core components if not specified
 {{- if not .Values.core }}
 ---
@@ -6,8 +6,11 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
+    "argocd.argoproj.io/sync-wave": "1"
   name: capi-system
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -16,8 +19,11 @@ metadata:
   name: cluster-api
   namespace: capi-system
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
+    "argocd.argoproj.io/sync-wave": "2"
 {{- with .Values.configSecret }}
 spec:
   configSecret:
@@ -28,4 +34,3 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
-

rancher-turtles-chart/charts/cluster-api-operator/templates/core.yaml

@@ -25,8 +25,11 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
+    "argocd.argoproj.io/sync-wave": "1"
   name: {{ $coreNamespace }}
 ---
 apiVersion: operator.cluster.x-k8s.io/v1alpha2
@@ -35,8 +38,10 @@ metadata:
   name: {{ $coreName }}
   namespace: {{ $coreNamespace }}
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "2"
 {{- if or $coreVersion $.Values.configSecret.name $.Values.manager }}
 spec:
@@ -45,8 +50,8 @@ spec:
   version: {{ $coreVersion }}
 {{- end }}
 {{- if $.Values.manager }}
-  manager:
 {{- if and $.Values.manager.featureGates $.Values.manager.featureGates.core }}
+  manager:
     featureGates:
     {{- range $key, $value := $.Values.manager.featureGates.core }}
       {{ $key }}: {{ $value }}

rancher-turtles-chart/charts/cluster-api-operator/templates/infra-conditions.yaml

@@ -7,8 +7,10 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "1"
   name: capi-kubeadm-bootstrap-system
 ---
@@ -18,8 +20,10 @@ metadata:
   name: kubeadm
   namespace: capi-kubeadm-bootstrap-system
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "2"
 {{- with .Values.configSecret }}
 spec:
@@ -37,8 +41,10 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "1"
   name: capi-kubeadm-control-plane-system
 ---
@@ -48,14 +54,16 @@ metadata:
   name: kubeadm
   namespace: capi-kubeadm-control-plane-system
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "2"
 {{- with .Values.configSecret }}
 spec:
 {{- if $.Values.manager }}
-  manager:
 {{- if and $.Values.manager.featureGates $.Values.manager.featureGates.kubeadm }}
+  manager:
     featureGates:
     {{- range $key, $value := $.Values.manager.featureGates.kubeadm }}
       {{ $key }}: {{ $value }}

rancher-turtles-chart/charts/cluster-api-operator/templates/infra.yaml

@@ -26,8 +26,10 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "1"
   name: {{ $infrastructureNamespace }}
 ---
@@ -37,8 +39,10 @@ metadata:
   name: {{ $infrastructureName }}
   namespace: {{ $infrastructureNamespace }}
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "2"
 {{- if or $infrastructureVersion $.Values.configSecret.name $.Values.manager $.Values.additionalDeployments }}
 spec:
@@ -47,8 +51,8 @@ spec:
   version: {{ $infrastructureVersion }}
 {{- end }}
 {{- if $.Values.manager }}
-  manager:
 {{- if and (kindIs "map" $.Values.manager.featureGates) (hasKey $.Values.manager.featureGates $infrastructureName) }}
+  manager:
 {{- range $key, $value := $.Values.manager.featureGates }}
   {{- if eq $key $infrastructureName }}
     featureGates:

rancher-turtles-chart/charts/cluster-api-operator/templates/ipam.yaml

@@ -26,8 +26,10 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "1"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "1"
   name: {{ $ipamNamespace }}
 ---
@@ -37,8 +39,10 @@ metadata:
   name: {{ $ipamName }}
   namespace: {{ $ipamNamespace }}
   annotations:
+    {{- if $.Values.enableHelmHook }}
     "helm.sh/hook": "post-install,post-upgrade"
     "helm.sh/hook-weight": "2"
+    {{- end }}
     "argocd.argoproj.io/sync-wave": "2"
 {{- if or $ipamVersion $.Values.configSecret.name $.Values.manager $.Values.additionalDeployments }}
 spec:
@@ -47,8 +51,8 @@ spec:
   version: {{ $ipamVersion }}
 {{- end }}
 {{- if $.Values.manager }}
-  manager:
 {{- if and (kindIs "map" $.Values.manager.featureGates) (hasKey $.Values.manager.featureGates $ipamName) }}
+  manager:
 {{- range $key, $value := $.Values.manager.featureGates }}
   {{- if eq $key $ipamName }}
     featureGates:

rancher-turtles-chart/charts/cluster-api-operator/values.yaml

@@ -21,7 +21,7 @@ leaderElection:
 image:
   manager:
     repository: registry.k8s.io/capi-operator/cluster-api-operator
-    tag: v0.17.0
+    tag: v0.18.1
     pullPolicy: IfNotPresent
 env:
   manager: []
@@ -69,3 +69,4 @@ volumeMounts:
     - mountPath: /tmp/k8s-webhook-server/serving-certs
       name: cert
       readOnly: true
+enableHelmHook: true

rancher-turtles-chart/questions.yml

@@ -36,7 +36,7 @@ questions:
         label: Enable Agent TLS Mode
         group: "Rancher Turtles Features Settings"
       - variable: rancherTurtles.kubectlImage
-        default: "registry.suse.com/edge/3.2/kubectl:1.32.4"
+        default: "registry.suse.com/edge/3.3/kubectl:1.32.4"
         description: "Specify the image to use when running kubectl in jobs."
         type: string
         label: Kubectl Image

rancher-turtles-chart/values.yaml

@@ -9,8 +9,8 @@ turtlesUI:
 rancherTurtles:
   # image: registry.rancher.com/rancher/rancher/turtles
   image: registry.rancher.com/rancher/rancher/turtles
-  # imageVersion: v0.20.0
+  # imageVersion: v0.21.0
-  imageVersion: v0.20.0
+  imageVersion: v0.21.0
   # imagePullPolicy: IfNotPresent
   imagePullPolicy: IfNotPresent
   # namespace: Select namespace for Turtles to run.
@@ -31,8 +31,8 @@ rancherTurtles:
       enabled: false
       # image: registry.rancher.com/rancher/rancher/turtles
       image: registry.rancher.com/rancher/rancher/turtles
-      # imageVersion: v0.20.0
+      # imageVersion: v0.21.0
-      imageVersion: v0.20.0
+      imageVersion: v0.21.0
       # imagePullPolicy: IfNotPresent
       imagePullPolicy: IfNotPresent
       # etcdBackupRestore: Alpha feature. Manages etcd backup/restore.
@@ -49,8 +49,8 @@ rancherTurtles:
       enabled: false
       # image: registry.rancher.com/rancher/rancher/turtles
       image: registry.rancher.com/rancher/rancher/turtles
-      # imageVersion: v0.20.0
+      # imageVersion: v0.21.0
-      imageVersion: v0.20.0
+      imageVersion: v0.21.0
       # imagePullPolicy: IfNotPresent
       imagePullPolicy: IfNotPresent
 
@@ -127,7 +127,7 @@ cluster-api-operator:
       # enabled: Turn on or off.
       enabled: true
       # version: RKE2 version.
-      version: "v0.16.1"
+      version: "v0.18.0"
       # bootstrap: RKE2 bootstrap provider.
       bootstrap:
         # namespace: Bootstrap namespace.
@@ -154,10 +154,10 @@ cluster-api-operator:
           selector: ""
     metal3:
       enabled: true
-      version: "v1.9.3"
+      version: "v1.9.4"
       infrastructure:
         namespace: capm3-system
-        imageUrl: "registry.suse.com/rancher/cluster-api-provider-metal3:v1.9.3"
+        imageUrl: "registry.suse.com/rancher/cluster-api-provider-metal3:v1.9.4"
         fetchConfig:
           url: ""
           selector: ""

release-manifest-image/Dockerfile

@@ -1,4 +1,4 @@
-#!BuildTag: %%IMG_PREFIX%%release-manifest:3.4.0
+#!BuildTag: %%IMG_PREFIX%%release-manifest:3.3.2
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION
 
@@ -7,11 +7,11 @@ FROM registry.suse.com/bci/bci-micro:$SLE_VERSION
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SUSE Edge Release Manifest"
 LABEL org.opencontainers.image.description="Release Manifest containing information about a specific SUSE Edge release"
-LABEL org.opencontainers.image.version="3.4.0"
+LABEL org.opencontainers.image.version="3.3.2"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%release-manifest:3.4.0"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%release-manifest:3.3.2"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"

release-manifest-image/release_manifest.yaml

@@ -1,13 +1,13 @@
 apiVersion: lifecycle.suse.com/v1alpha1
 kind: ReleaseManifest
 metadata:
-  name: release-manifest-3-4-0
+  name: release-manifest-3-3-2
 spec:
-  releaseVersion: 3.4.0
+  releaseVersion: 3.3.2
   components:
     kubernetes:
       k3s:
-        version: v1.32.4+k3s1
+        version: v1.32.5+k3s1
         coreComponents:
           - name: traefik-crd
             version: 34.2.1+up34.2.0
@@ -31,28 +31,28 @@ spec:
                 image: rancher/mirrored-metrics-server:v0.7.2
             type: Deployment
       rke2:
-        version: v1.32.4+rke2r1
+        version: v1.32.5+rke2r1
         coreComponents:
           - name: rke2-cilium
-          version: 1.17.300
+            version: 1.17.301
             type: HelmChart
           - name: rke2-canal
-          version: v3.29.3-build2025040801
+            version: v3.30.0-build2025051500
             type: HelmChart
           - name: rke2-calico-crd
-          version: v3.29.101
+            version: v3.30.001
             type: HelmChart
           - name: rke2-calico
-          version: v3.29.300
+            version: v3.30.001
             type: HelmChart
           - name: rke2-coredns
-          version: 1.39.201
+            version: 1.42.000
             type: HelmChart
           - name: rke2-ingress-nginx
-          version: 4.12.101
+            version: 4.12.103
             type: HelmChart
           - name: rke2-metrics-server
-          version: 3.12.200
+            version: 3.12.201
             type: HelmChart
           - name: rancher-vsphere-csi
             version: 3.3.1-rancher900
@@ -61,7 +61,7 @@ spec:
             version: 1.10.000
             type: HelmChart
           - name: harvester-cloud-provider
-          version: 0.2.900
+            version: 0.2.1000
             type: HelmChart
           - name: harvester-csi-driver
             version: 0.1.2300
@@ -77,19 +77,19 @@ spec:
             version: 0.0.0
             type: HelmChart
     operatingSystem:
-      version: "6.1"
+      version: '6.1'
-      zypperID: "SL-Micro"
+      zypperID: SL-Micro
-      cpeScheme: "cpe:/o:suse:sl-micro:6.1"
+      cpeScheme: cpe:/o:suse:sl-micro:6.1
-      prettyName: "SUSE Linux Micro 6.1"
+      prettyName: SUSE Linux Micro 6.1
       supportedArchs:
-        - "x86_64"
+        - x86_64
-        - "aarch64"
+        - aarch64
     workloads:
       helm:
         - prettyName: Rancher
           releaseName: rancher
           chart: rancher
-          version: 2.11.2
+          version: 2.11.3
           repository: https://charts.rancher.com/server-charts/prime
           values:
             postDelete:
@@ -97,38 +97,38 @@ spec:
         - prettyName: Longhorn
           releaseName: longhorn
           chart: longhorn
-          version: 106.2.0+up1.8.1
+          version: 106.2.1+up1.8.2
           repository: https://charts.rancher.io
           dependencyCharts:
             - releaseName: longhorn-crd
               chart: longhorn-crd
-              version: 106.2.0+up1.8.1
+              version: 106.2.1+up1.8.2
               repository: https://charts.rancher.io
         - prettyName: MetalLB
           releaseName: metallb
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%metallb"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%metallb'
-          version: "%%CHART_MAJOR%%.0.0+up0.14.9"
+          version: '%%CHART_MAJOR%%.0.0+up0.14.9'
         - prettyName: CDI
           releaseName: cdi
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%cdi"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%cdi'
-          version: "%%CHART_MAJOR%%.0.0+up0.5.0"
+          version: '%%CHART_MAJOR%%.0.0+up0.5.0'
         - prettyName: KubeVirt
           releaseName: kubevirt
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%kubevirt"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%kubevirt'
-          version: "%%CHART_MAJOR%%.0.0+up0.5.0"
+          version: '%%CHART_MAJOR%%.0.0+up0.5.0'
           addonCharts:
             - releaseName: kubevirt-dashboard-extension
-              chart: "%%CHART_REPO%%/%%CHART_PREFIX%%kubevirt-dashboard-extension"
+              chart: '%%CHART_REPO%%/%%CHART_PREFIX%%kubevirt-dashboard-extension'
-              version: "%%CHART_MAJOR%%.0.2+up1.3.2"
+              version: '%%CHART_MAJOR%%.0.2+up1.3.2'
         - prettyName: NeuVector
           releaseName: neuvector
           chart: neuvector
-          version: 106.0.1+up2.8.6
+          version: 106.0.2+up2.8.7
           repository: https://charts.rancher.io
           dependencyCharts:
             - releaseName: neuvector-crd
               chart: neuvector-crd
-              version: 106.0.1+up2.8.6
+              version: 106.0.2+up2.8.7
               repository: https://charts.rancher.io
           addonCharts:
             - releaseName: neuvector-ui-ext
@@ -137,8 +137,8 @@ spec:
               version: 2.1.3
         - prettyName: EndpointCopierOperator
           releaseName: endpoint-copier-operator
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%endpoint-copier-operator"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%endpoint-copier-operator'
-          version: "%%CHART_MAJOR%%.0.1+up0.3.0"
+          version: '%%CHART_MAJOR%%.0.0+up0.2.1'
         - prettyName: Elemental
           releaseName: elemental-operator
           chart: oci://registry.suse.com/rancher/elemental-operator-chart
@@ -154,25 +154,29 @@ spec:
               version: 3.0.0
         - prettyName: SRIOV
           releaseName: sriov-network-operator
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%sriov-network-operator"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%sriov-network-operator'
-          version: "%%CHART_MAJOR%%.0.2+up1.5.0"
+          version: '%%CHART_MAJOR%%.0.2+up1.5.0'
           dependencyCharts:
             - releaseName: sriov-crd
-              chart: "%%CHART_REPO%%/%%CHART_PREFIX%%sriov-crd"
+              chart: '%%CHART_REPO%%/%%CHART_PREFIX%%sriov-crd'
-              version: "%%CHART_MAJOR%%.0.2+up1.5.0"
+              version: '%%CHART_MAJOR%%.0.2+up1.5.0'
         - prettyName: Akri
           releaseName: akri
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%akri"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%akri'
-          version: "%%CHART_MAJOR%%.0.0+up0.12.20"
+          version: '%%CHART_MAJOR%%.0.0+up0.12.20'
           addonCharts:
             - releaseName: akri-dashboard-extension
-              chart: "%%CHART_REPO%%/%%CHART_PREFIX%%akri-dashboard-extension"
+              chart: '%%CHART_REPO%%/%%CHART_PREFIX%%akri-dashboard-extension'
-              version: "%%CHART_MAJOR%%.0.2+up1.3.1"
+              version: '%%CHART_MAJOR%%.0.2+up1.3.1'
         - prettyName: Metal3
           releaseName: metal3
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%metal3"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%metal3'
-          version: "%%CHART_MAJOR%%.0.8+up0.11.6"
+          version: '%%CHART_MAJOR%%.0.7+up0.11.5'
         - prettyName: RancherTurtles
           releaseName: rancher-turtles
-          chart: "%%CHART_REPO%%/%%CHART_PREFIX%%rancher-turtles"
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%rancher-turtles'
-          version: "%%CHART_MAJOR%%.0.4+up0.20.0"
+          version: '%%CHART_MAJOR%%.0.5+up0.21.0'
+        - prettyName: RancherTurtlesAirgapResources
+          releaseName: rancher-turtles-airgap-resources
+          chart: '%%CHART_REPO%%/%%CHART_PREFIX%%rancher-turtles-airgap-resources'
+          version: '%%CHART_MAJOR%%.0.5+up0.21.0'