steven.hardy/Factory
SHA256
1
0
Fork 0
forked from suse-edge/Factory
Code Pull Requests Activity

unpack obscpio files

Browse Source
This commit is contained in:
Denislav Prodanov
2024-10-22 10:51:51 +03:00
parent beab68c274
commit 21086b77bb
182 changed files with 15763 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
metal3-chart/charts/ironic/.helmignore Normal file
View File

@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

6
metal3-chart/charts/ironic/Chart.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: v2
appVersion: 24.1.2
description: A Helm chart for Ironic, used by Metal3
name: ironic
type: application
version: 0.7.0

24
metal3-chart/charts/ironic/README.md Normal file
View File

@@ -0,0 +1,24 @@
## How to Enable Provisioning Network
By default PXE boot functionality is disabled, so deployments via e.g redfish-virtualmedia may
be performed without any dedicated provisioning network.
For PXE boot a dedicated network is required, in this case we run a dnsmasq instance to provide
DHCP and require a dedicated NIC for connectivity to the provisioning network on each host.
To enable this mode you must provide the following additional configuration (note the values are
examples and will depend on your environment):
```
global:
enable_dnsmasq: true
enable_pxe_boot: true
dnsmasqDefaultRouter: 192.168.21.254
dnsmasqDNSServer: 192.168.20.5
dhcpRange: 192.168.20.20,192.168.20.80
provisioningInterface: ens4
provisioningIP: 192.168.20.5
```
Note that these values *must not* conflict with your controlplane or other networks otherwise unexpected
behavior is likely - a dedicated physical network is required in this configuration.

16
metal3-chart/charts/ironic/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,16 @@
1. Get the application URL by running these commands:
{{- if eq .Values.service.type "NodePort" }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "ironic.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if eq .Values.service.type "LoadBalancer" }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "ironic.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "ironic.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:6385
{{- else if eq .Values.service.type "ClusterIP" }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "ironic.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}

88
metal3-chart/charts/ironic/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,88 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "ironic.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "ironic.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "ironic.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "ironic.labels" -}}
helm.sh/chart: {{ include "ironic.chart" . }}
{{ include "ironic.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "ironic.selectorLabels" -}}
app.kubernetes.io/component: ironic
app.kubernetes.io/name: {{ include "ironic.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "ironic.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "ironic.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Shared directory volumeMount
*/}}
{{- define "ironic.sharedVolumeMount" -}}
- mountPath: /shared
name: ironic-data-volume
{{- end }}
{{/*
Get ironic CA volumeMounts
*/}}
{{- define "ironic.CAVolumeMounts" -}}
- name: cert-ironic-ca
mountPath: "/certs/ca/ironic"
readOnly: true
- name: cert-ironic-inspector-ca
mountPath: "/certs/ca/ironic-inspector"
readOnly: true
{{- if .Values.global.enable_vmedia_tls }}
- name: cert-ironic-vmedia-ca
mountPath: "/certs/ca/vmedia"
readOnly: true
{{- end }}
{{- end }}

56
metal3-chart/charts/ironic/templates/certificates.yaml Normal file
View File

@@ -0,0 +1,56 @@
{{- if .Values.global.enable_tls -}}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ironic-cacert
spec:
commonName: ironic-ca
isCA: true
ipAddresses:
- {{ .Values.global.ironicIP }}
issuerRef:
kind: Issuer
name: selfsigned-issuer
secretName: ironic-cacert
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ironic-cert
spec:
commonName: ironic-cert
ipAddresses:
- {{ .Values.global.ironicIP }}
issuerRef:
kind: Issuer
name: ca-issuer
secretName: ironic-cert
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ironic-inspector-cert
spec:
commonName: ironic-inspector-cert
ipAddresses:
- {{ .Values.global.ironicIP }}
issuerRef:
kind: Issuer
name: ca-issuer
secretName: ironic-inspector-cert
{{- if .Values.global.enable_vmedia_tls }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ironic-vmedia-cert
spec:
commonName: ironic-vmedia-cert
ipAddresses:
- {{ .Values.global.ironicIP }}
issuerRef:
kind: Issuer
name: ca-issuer
secretName: ironic-vmedia-cert
{{- end }}
{{- end }}

12
metal3-chart/charts/ironic/templates/configmap-ipa-downloader.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: ironic-ipa-downloader
labels:
{{- include "ironic.labels" . | nindent 4 }}
data:
{{- with .Values.baremetaloperator }}
{{ if .ipaBaseUri }}
IPA_BASEURI: {{ .ipaBaseUri }}
{{ end }}
{{ end }}

86
metal3-chart/charts/ironic/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,86 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: ironic-bmo
labels:
{{- include "ironic.labels" . | nindent 4 }}
data:
{{- $enableTLS := .Values.global.enable_tls }}
{{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }}
{{- $protocol := ternary "https" "http" $enableTLS }}
{{- $ironicIP := .Values.global.ironicIP | default "" }}
{{- $ironicApiHost := print $ironicIP ":6385" }}
{{- $ironicInspectorHost := print $ironicIP ":5050" }}
{{- $ironicBootHost := print $ironicIP ":6180" }}
{{- $ironicCacheHost := print $ironicIP ":6180" }}
{{- if ( .Values.global.enable_dnsmasq ) }}
DNSMASQ_BOOT_SERVER_ADDRESS: {{ $ironicBootHost }}
DNSMASQ_DNS_SERVER_ADDRESS: {{ .Values.global.dnsmasqDNSServer }}
DNSMASQ_DEFAULT_ROUTER: {{ .Values.global.dnsmasqDefaultRouter }}
DHCP_RANGE: {{ .Values.global.dhcpRange }}
{{- end }}
{{- if .Values.debug.ironicRamdiskSshKey }}
IRONIC_RAMDISK_SSH_KEY: {{ .Values.debug.ironicRamdiskSshKey }}
{{- end }}
HTTP_PORT: "6180"
PREDICTABLE_NIC_NAMES: "{{ .Values.global.predictableNicNames }}"
USE_IRONIC_INSPECTOR: "true"
IRONIC_API_BASE_URL: {{ $protocol }}://{{ $ironicApiHost }}
IRONIC_API_HOST: {{ $ironicApiHost }}
IRONIC_API_HTTPD_SERVER_NAME: {{ $ironicApiHost }}
IRONIC_ENDPOINT: {{ $protocol }}://{{ $ironicApiHost }}/v1/
IRONIC_INSPECTOR_BASE_URL: {{ $protocol }}://{{ $ironicInspectorHost }}
IRONIC_INSPECTOR_ENDPOINT: {{ $protocol }}://{{ $ironicInspectorHost }}/v1/
IRONIC_INSPECTOR_HOST: {{ $ironicInspectorHost }}
IRONIC_INSPECTOR_HTTPD_SERVER_NAME: {{ $ironicInspectorHost }}
# Switch VMedia to HTTP if enable_vmedia_tls is false
{{- if and $enableTLS $enableVMediaTLS }}
{{- $ironicBootHost = print $ironicIP ":" .Values.global.vmediaTLSPort }}
{{- $ironicCacheHost = print $ironicIP ":" .Values.global.vmediaTLSPort }}
{{- $protocol = "https" }}
{{- else }}
{{- $protocol = "http" }}
{{- end }}
IRONIC_EXTERNAL_HTTP_URL: {{ $protocol }}://{{ $ironicCacheHost }}
CACHEURL: {{ $protocol }}://{{ $ironicCacheHost }}/images
DEPLOY_KERNEL_URL: {{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent.kernel
DEPLOY_RAMDISK_URL: {{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent.initramfs
IRONIC_BOOT_BASE_URL: {{ $protocol }}://{{ $ironicBootHost }}
IRONIC_VMEDIA_HTTPD_SERVER_NAME: {{ $ironicBootHost }}
ENABLE_PXE_BOOT: "{{ .Values.global.enable_pxe_boot }}"
{{- if .Values.global.provisioningInterface }}
PROVISIONING_INTERFACE: {{ .Values.global.provisioningInterface }}
{{- end }}
{{- if .Values.global.provisioningIP }}
PROVISIONING_IP: {{ .Values.global.provisioningIP }}
{{- end }}
IRONIC_INSPECTOR_VLAN_INTERFACES: all
IRONIC_ILO_USE_SWIFT: "false"
IRONIC_ILO_USE_WEB_SERVER_FOR_IMAGES: "true"
IRONIC_FAST_TRACK: "true"
IRONIC_USE_MARIADB: "true"
LISTEN_ALL_INTERFACES: "true"
{{- if .Values.global.ironicIP }}
IRONIC_IP: {{ .Values.global.ironicIP }}
{{- end }}
{{- if ( .Values.global.enable_tls ) }}
RESTART_CONTAINER_CERTIFICATE_UPDATED: "true"
IRONIC_KERNEL_PARAMS: {{ .Values.global.ironicKernelParams }} tls.enabled=true
IPA_INSECURE: "0"
IRONIC_REVERSE_PROXY_SETUP: "true"
INSPECTOR_REVERSE_PROXY_SETUP: "true"
{{- if ( .Values.global.enable_vmedia_tls ) }}
VMEDIA_TLS_PORT: "{{ .Values.global.vmediaTLSPort }}"
{{- end }}
{{- else }}
RESTART_CONTAINER_CERTIFICATE_UPDATED: "false"
IRONIC_KERNEL_PARAMS: {{ .Values.global.ironicKernelParams }}
IPA_INSECURE: "1"
IRONIC_REVERSE_PROXY_SETUP: "false"
{{- end }}
{{- if ( .Values.global.enable_basicAuth ) }}
AUTH_STRATEGY: "http_basic"
INSPECTOR_AUTH_STRATEGY: "http_basic"
{{- end }}
MARIADB_HOST: {{ .Values.global.databaseServiceName }}.{{ .Release.Namespace }}.svc.cluster.local

367
metal3-chart/charts/ironic/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,367 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "ironic.fullname" . }}
labels:
{{- include "ironic.labels" . | nindent 4 }}
spec:
minReadySeconds: 10
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "ironic.selectorLabels" . | nindent 6 }}
strategy:
type: Recreate
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "ironic.selectorLabels" . | nindent 8 }}
spec:
{{- if .Values.podSecurityContext }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- end }}
{{- if .Values.baremetaloperator.ironichostNetwork }}
hostNetwork: {{ .Values.baremetaloperator.ironichostNetwork }}
{{- end }}
containers:
- name: ironic-httpd
image: {{ .Values.images.ironic.repository }}:{{ .Values.images.ironic.tag }}
imagePullPolicy: {{ .Values.images.ironic.pullPolicy }}
securityContext:
{{- toYaml .Values.securityContext | nindent 10 }}
command:
- /bin/runhttpd
envFrom:
- configMapRef:
name: ironic-bmo
livenessProbe:
exec:
command:
- /bin/sh
- -c
- curl {{ if and .Values.global.enable_tls .Values.global.enable_vmedia_tls }}-sSfk https://127.0.0.1:{{ .Values.global.vmediaTLSPort }}/boot.ipxe {{ else }}-sSf http://127.0.0.1:6180/boot.ipxe{{ end }}
failureThreshold: 10
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 10
ports:
{{- if and .Values.global.enable_tls .Values.global.enable_vmedia_tls }}
- containerPort: {{ .Values.global.vmediaTLSPort }}
name: httpd-tls
protocol: TCP
{{- else }}
- containerPort: 6180
name: httpd
protocol: TCP
{{- end }}
readinessProbe:
exec:
command:
- /bin/sh
- -c
- curl {{ if and .Values.global.enable_tls .Values.global.enable_vmedia_tls }}-sSfk https://127.0.0.1:{{ .Values.global.vmediaTLSPort }}/boot.ipxe {{ else }}-sSf http://127.0.0.1:6180/boot.ipxe{{ end }}
failureThreshold: 10
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 10
volumeMounts:
{{- include "ironic.sharedVolumeMount" . | nindent 10 }}
{{- if .Values.global.enable_tls }}
{{- include "ironic.CAVolumeMounts" . | nindent 10 }}
- name: cert-ironic
mountPath: "/certs/ironic"
readOnly: true
- name: cert-ironic-inspector
mountPath: "/certs/ironic-inspector"
readOnly: true
{{- if .Values.global.enable_vmedia_tls }}
- name: cert-ironic-vmedia
mountPath: "/certs/vmedia"
readOnly: true
{{- end }}
- mountPath: /shared/html/tstcerts
name: cert-ironic-ca
readOnly: true
{{- end }}
- name: ironic-inspector
image: {{ .Values.images.ironic.repository }}:{{ .Values.images.ironic.tag }}
imagePullPolicy: {{ .Values.images.ironic.pullPolicy }}
securityContext:
{{- toYaml .Values.securityContext | nindent 10 }}
command:
- /bin/runironic-inspector
envFrom:
- configMapRef:
name: ironic-bmo
env:
{{- if .Values.global.enable_basicAuth }}
- name: INSPECTOR_HTPASSWD
valueFrom:
secretKeyRef:
name: ironic-inspector-basic-auth
key: htpasswd
{{- end }}
- name: MARIADB_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: ironic-mariadb
livenessProbe:
exec:
command:
- /bin/sh
- -c
- curl -sSf http://127.0.0.1:{{ if .Values.global.enable_tls }}5049{{ else }}5050{{ end }}
failureThreshold: 10
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 10
ports:
- containerPort: 5050
name: inspector
protocol: TCP
readinessProbe:
exec:
command:
- /bin/sh
- -c
- curl -sSf http://127.0.0.1:{{ if .Values.global.enable_tls }}5049{{ else }}5050{{ end }}
failureThreshold: 10
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 10
volumeMounts:
{{- include "ironic.sharedVolumeMount" . | nindent 10 }}
{{- if .Values.global.enable_basicAuth }}
- mountPath: "/auth/ironic/auth-config"
name: ironic-basic-auth
subPath: auth-config
readOnly: true
- mountPath: "/auth/ironic-inspector/auth-config"
name: ironic-inspector-basic-auth
subPath: auth-config
readOnly: true
{{- end }}
{{- if .Values.global.enable_tls }}
{{- include "ironic.CAVolumeMounts" . | nindent 10 }}
- name: cert-ironic-inspector
mountPath: "/certs/ironic-inspector"
readOnly: true
{{- end }}
- name: ironic-log-watch
image: {{ .Values.images.ironic.repository }}:{{ .Values.images.ironic.tag }}
imagePullPolicy: {{ .Values.images.ironic.pullPolicy }}
securityContext:
{{- toYaml .Values.securityContext | nindent 10 }}
command:
- /bin/runlogwatch.sh
volumeMounts:
{{- include "ironic.sharedVolumeMount" . | nindent 10 }}
- name: ironic
image: {{ .Values.images.ironic.repository }}:{{ .Values.images.ironic.tag }}
imagePullPolicy: {{ .Values.images.ironic.pullPolicy }}
securityContext:
{{- toYaml .Values.securityContext | nindent 10 }}
command:
- /bin/runironic
envFrom:
- configMapRef:
name: ironic-bmo
env:
{{- if .Values.global.enable_basicAuth }}
- name: IRONIC_HTPASSWD
valueFrom:
secretKeyRef:
name: ironic-basic-auth
key: htpasswd
{{- end }}
- name: MARIADB_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: ironic-mariadb
livenessProbe:
exec:
command:
- /bin/sh
- -c
- curl -sSf http://127.0.0.1:{{ if .Values.global.enable_tls }}6388{{ else }}6385{{ end }}
failureThreshold: 10
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 10
ports:
- containerPort: 6385
name: api
protocol: TCP
readinessProbe:
exec:
command:
- /bin/sh
- -c
- curl -sSf http://127.0.0.1:{{ if .Values.global.enable_tls }}6388{{ else }}6385{{ end }}
failureThreshold: 10
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 10
volumeMounts:
{{- include "ironic.sharedVolumeMount" . | nindent 10 }}
{{- if .Values.global.enable_basicAuth }}
- mountPath: "/auth/ironic/auth-config"
name: ironic-basic-auth
subPath: auth-config
readOnly: true
- mountPath: "/auth/ironic-inspector/auth-config"
name: ironic-inspector-basic-auth
subPath: auth-config
readOnly: true
{{- end }}
{{- if .Values.global.enable_tls }}
{{- include "ironic.CAVolumeMounts" . | nindent 10 }}
- name: cert-ironic
mountPath: "/certs/ironic"
readOnly: true
- mountPath: /etc/pki/trust/anchors
name: trusted-certs
readOnly: true
lifecycle:
postStart:
exec:
command:
- update-ca-certificates
{{- end }}
{{- if .Values.global.enable_dnsmasq }}
- name: ironic-dnsmasq
image: {{ .Values.images.ironic.repository }}:{{ .Values.images.ironic.tag }}
imagePullPolicy: {{ .Values.images.ironic.pullPolicy }}
securityContext:
{{- toYaml .Values.securityContext | nindent 10 }}
securityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW
command:
- /bin/rundnsmasq
envFrom:
- configMapRef:
name: ironic-bmo
livenessProbe:
exec:
command:
- sh
- -c
- ss -lun | grep :67 && ss -lun | grep :69
failureThreshold: 10
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 10
ports:
- containerPort: 67
name: dhcp
protocol: UDP
- containerPort: 69
name: tftp
protocol: UDP
readinessProbe:
exec:
command:
- sh
- -c
- ss -lun | grep :67 && ss -lun | grep :69
failureThreshold: 10
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 10
volumeMounts:
{{- include "ironic.sharedVolumeMount" . | nindent 10 }}
{{- end }}
initContainers:
- name: ironic-ipa-downloader
image: {{ .Values.images.ironicIPADownloader.repository }}:{{ .Values.images.ironicIPADownloader.tag }}
imagePullPolicy: {{ .Values.images.ironicIPADownloader.pullPolicy }}
securityContext:
{{- toYaml .Values.securityContext | nindent 10 }}
command:
- /usr/local/bin/get-resource.sh
envFrom:
- configMapRef:
name: ironic-ipa-downloader
volumeMounts:
{{- include "ironic.sharedVolumeMount" . | nindent 10 }}
{{- if .Values.global.enable_tls }}
- mountPath: /tmp/ironic-certificates
name: trusted-certs
{{- end }}
volumes:
- name: ironic-data-volume
persistentVolumeClaim:
claimName: ironic-shared-volume
{{- if .Values.global.enable_basicAuth }}
- name: ironic-basic-auth
secret:
secretName: ironic-basic-auth
- name: ironic-inspector-basic-auth
secret:
secretName: ironic-inspector-basic-auth
{{- if .Values.global.enable_tls }}
- name: trusted-certs
projected:
sources:
- secret:
name: ironic-cacert
{{- if .Values.global.additionalTrustedCAs }}
- secret:
name: tls-ca-additional
{{- end }}
- name: cert-ironic-ca
secret:
secretName: ironic-cacert
- name: cert-ironic
secret:
secretName: ironic-cert
- name: cert-ironic-inspector-ca
secret:
secretName: ironic-cacert
- name: cert-ironic-inspector
secret:
secretName: ironic-inspector-cert
{{- if .Values.global.enable_vmedia_tls }}
- name: cert-ironic-vmedia-ca
secret:
secretName: ironic-cacert
- name: cert-ironic-vmedia
secret:
secretName: ironic-vmedia-cert
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.global.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.dnsPolicy }}
dnsPolicy:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

16
metal3-chart/charts/ironic/templates/issuers.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if .Values.global.enable_tls -}}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: ca-issuer
spec:
ca:
secretName: ironic-cacert
{{- end }}

24
metal3-chart/charts/ironic/templates/pvc.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ironic-shared-volume
{{- if .Values.persistence.ironic.keep }}
annotations:
"helm.sh/resource-policy": keep
{{- end }}
spec:
accessModes:
{{- if .Values.persistence.ironic.accessMode }}
- {{ .Values.persistence.ironic.accessMode }}
{{- else if eq (int .Values.replicaCount) 1 }}
- ReadWriteOnce
{{- else }}
- ReadWriteMany
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.ironic.size }}
{{- if .Values.persistence.ironic.storageClass }}
storageClassName: {{ .Values.persistence.ironic.storageClass }}
{{- end }}
volumeMode: Filesystem

16
metal3-chart/charts/ironic/templates/secret-tls.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if and (.Values.global.enable_tls)
(ne .Values.tlscerts.crt "")
(ne .Values.tlscerts.key "")
(ne .Values.tlscerts.cacert "") -}}
apiVersion: v1
kind: Secret
metadata:
name: ironic-cacert
labels:
{{- include "ironic.labels" . | nindent 4 }}
type: Opaque
data:
tls.crt: {{ .Values.tlscerts.crt | toString | b64enc }}
tls.key: {{ .Values.tlscerts.key | toString | b64enc }}
ca.crt: {{ .Values.tlscerts.cacert | toString | b64enc }}
{{- end }}

62
metal3-chart/charts/ironic/templates/secrets-basic-auth.yaml Normal file
View File

@@ -0,0 +1,62 @@
{{- if .Values.global.enable_basicAuth }}
{{- $ironicUsername := "" -}}
{{- $ironicPassword := "" -}}
{{- $ironicSecretName := "ironic-basic-auth" -}}
# Check if the secret is deployed and has a password
{{- $oldIronicSecret := lookup "v1" "Secret" .Release.Namespace $ironicSecretName }}
{{- if and $oldIronicSecret (index $oldIronicSecret.data "username") (index $oldIronicSecret.data "password") }}
{{- $ironicUsername = b64dec (index $oldIronicSecret.data "username" | toString) -}}
{{- $ironicPassword = b64dec (index $oldIronicSecret.data "password" | toString) -}}
# If not, check if a username and password are provided in values.yaml
{{- else if and (.Values.global.auth.ironicUsername) (.Values.global.auth.ironicPassword) }}
{{- $ironicUsername = .Values.global.auth.ironicUsername -}}
{{- $ironicPassword = .Values.global.auth.ironicPassword -}}
{{- else }}
# If no username and password are provided in values.yaml, generate new ones
{{- $ironicUsername = "ironic" -}}
{{- $ironicPassword = (randAlphaNum 20) -}}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $ironicSecretName }}
type: Opaque
data:
username: {{ $ironicUsername | b64enc }}
password: {{ $ironicPassword | b64enc }}
htpasswd: {{ b64enc (htpasswd $ironicUsername $ironicPassword) }}
auth-config: |
{{- printf "[ironic]\nauth_type=http_basic\nusername: %s\npassword: %s" $ironicUsername $ironicPassword | b64enc | nindent 4 }}
---
{{- $ironicInspectorUsername := "" -}}
{{- $ironicInspectorPassword := "" -}}
{{- $inspectorSecretName := "ironic-inspector-basic-auth" -}}
# Check if the secret is deployed and has a password
{{- $oldInspectorSecret := lookup "v1" "Secret" .Release.Namespace $inspectorSecretName }}
{{- if and $oldInspectorSecret (index $oldInspectorSecret.data "username") (index $oldInspectorSecret.data "password") }}
{{- $ironicInspectorUsername = b64dec (index $oldInspectorSecret.data "username" | toString) -}}
{{- $ironicInspectorPassword = b64dec (index $oldInspectorSecret.data "password" | toString) -}}
# If not, check if a username and password are provided in values.yaml
{{- else if and (.Values.global.auth.ironicInspectorUsername) (.Values.global.auth.ironicInspectorPassword) }}
{{- $ironicInspectorUsername = .Values.global.auth.ironicInspectorUsername -}}
{{- $ironicInspectorPassword = .Values.global.auth.ironicInspectorPassword -}}
{{- else }}
# If no username and password are provided in values.yaml, generate new ones
{{- $ironicInspectorUsername = "ironic" -}}
{{- $ironicInspectorPassword = (randAlphaNum 20) -}}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $inspectorSecretName }}
type: Opaque
data:
username: {{ $ironicInspectorUsername | b64enc }}
password: {{ $ironicInspectorPassword | b64enc }}
htpasswd: {{ b64enc (htpasswd $ironicInspectorUsername $ironicInspectorPassword) }}
auth-config: |
{{- printf "[inspector]\nauth_type=http_basic\nusername: %s\npassword: %s" $ironicInspectorUsername $ironicInspectorPassword | b64enc | nindent 4 }}
{{- end }}

39
metal3-chart/charts/ironic/templates/service.yaml Normal file
View File

@@ -0,0 +1,39 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "ironic.fullname" . }}
labels:
{{- include "ironic.labels" . | nindent 4 }}
{{- with .Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
{{- $enableTLS := .Values.global.enable_tls }}
{{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }}
{{- range .Values.service.ports }}
{{- if and (eq .name "httpd") (or (not $enableTLS) (not $enableVMediaTLS)) }}
- name: {{ .name }}
port: {{ .port }}
protocol: {{ .protocol }}
targetPort: {{ .targetPort }}
{{- else if and (eq .name "httpd-tls") ($enableTLS) ($enableVMediaTLS) }}
- name: {{ .name }}
port: {{ .port }}
protocol: {{ .protocol }}
targetPort: {{ .targetPort }}
{{- else if and (ne .name "httpd") (ne .name "httpd-tls") }}
- name: {{ .name }}
port: {{ .port }}
protocol: {{ .protocol }}
targetPort: {{ .targetPort }}
{{- end }}
{{- end }}
selector:
{{- include "ironic.selectorLabels" . | nindent 4 }}
{{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }}
externalIPs:
{{- toYaml .Values.service.externalIPs | nindent 4 }}
{{- end }}

12
metal3-chart/charts/ironic/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "ironic.serviceAccountName" . }}
labels:
{{- include "ironic.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

153
metal3-chart/charts/ironic/values.yaml Normal file
View File

@@ -0,0 +1,153 @@
# Default values for ironic.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
# whether to enable dnsmasq on the provisioning network (for PXE boot)
enable_dnsmasq: false
# whether to enable PXE boot capability
# NOTE: enable_dnsmasq must set to 'true' in order for this option to be effective.
enable_pxe_boot: false
# DNS Policy of the Ironic pod
dnsPolicy: "ClusterFirstWithHostNet"
# IP address of the router associated with the specified DHCP
# address range
dnsmasqDefaultRouter: ""
# IP address of the dns server to be provided with DHCP
# response
dnsmasqDNSServer: ""
# specify comma-delimited xrange of IP addresses the DHCP server will manage.
# e.g 192.168.20.20,192.168.20.80
dhcpRange: ""
# Network interface on which provisioning network can be accessed
# Note this must be a dedicated NIC separate from the controlplane network
provisioningInterface: ""
# IP Address assigned to network interface on provisioning network
provisioningIP: ""
# Whether the NIC names should be predictable or not
predictableNicNames: "true"
# The kernel params for Ironic
ironicKernelParams: "console=ttyS0"
databaseServiceName: "metal3-mariadb"
# In a multi-node kubernetes cluster, we need to "pin" the
# ironic containers to the given host where the
# provisioningIP exists. Uncomment the nodeSelector
# here and update the hostname accordingly.
#nodeSelector:
#kubernetes.io/hostname: "csrancher-n1"
# Comment this out when pinning the pdns containers to a specfic host.
nodeSelector: {}
replicaCount: 1
images:
ironic:
repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
pullPolicy: IfNotPresent
tag: 24.1.2.0
ironicIPADownloader:
repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic-ipa-downloader
pullPolicy: IfNotPresent
tag: 2.0.0
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext:
runAsUser: 10475
fsGroup: 10475
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
service:
type: LoadBalancer
annotations: {}
externalIPs: []
ports:
- name: httpd
port: 6180
protocol: TCP
targetPort: 6180
- name: httpd-tls
port: 6185
protocol: TCP
targetPort: 6185
- name: inspector
port: 5050
protocol: TCP
targetPort: 5050
- name: api
port: 6385
protocol: TCP
targetPort: 6385
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
tolerations: []
affinity: {}
baremetaloperator:
cloudflareApiToken: "foo"
ironichostNetwork: true
debug:
ironicRamdiskSshKey: ""
tlscerts:
cacert: ""
key: ""
crt: ""
persistence:
ironic:
# storageClass for the ironic shared volume
# Ensure the storageClass is defined
storageClass: ""
# size of the ironic shared volume
size: "1Gi"
# accessMode of the ironic shared volume PVC
# If empty defaults to ReadWriteOnce when replicaCount=1 otherwise ReadWriteMany
accessMode: ""
# flag to indicate to keep pvc upon helm uninstall
keep: false