steven.hardy/Factory
SHA256
1
0
Fork 0
forked from suse-edge/Factory
Code Pull Requests Activity

Compare commits

merge into: steven.hardy:main
Branches Tags
steven.hardy:main steven.hardy:turtles_021 steven.hardy:arm_config steven.hardy:turtles_3.2 steven.hardy:turtles_fix_3.2 steven.hardy:turtles_upgrade_fix steven.hardy:cdi_fix steven.hardy:kubevirt_chart steven.hardy:sriov_update steven.hardy:capm3_downgrade steven.hardy:rm_capi_images steven.hardy:kiwi_fix steven.hardy:kiwi_builder steven.hardy:metal3_chart_090 steven.hardy:turtles_013 steven.hardy:rm_old_ipa steven.hardy:ipa-fix steven.hardy:kube-rbac-proxy-fix2 steven.hardy:turtles_fix steven.hardy:metal3_090 steven.hardy:metallb_rbac_proxy steven.hardy:kube-rbac-proxy-fix steven.hardy:kube_rbac_proxy steven.hardy:document-branch steven.hardy:supportlvl-macro steven.hardy:run-sync suse-edge:main suse-edge:3.3 suse-edge:dprodanov-patch-1 suse-edge:update-eib suse-edge:devel suse-edge:3.2
...
pull from: steven.hardy:turtles_013
Branches Tags
steven.hardy:turtles_021 steven.hardy:arm_config steven.hardy:turtles_3.2 steven.hardy:turtles_fix_3.2 steven.hardy:turtles_upgrade_fix steven.hardy:cdi_fix steven.hardy:kubevirt_chart steven.hardy:sriov_update steven.hardy:capm3_downgrade steven.hardy:rm_capi_images steven.hardy:kiwi_fix steven.hardy:kiwi_builder steven.hardy:metal3_chart_090 steven.hardy:turtles_013 steven.hardy:rm_old_ipa steven.hardy:ipa-fix steven.hardy:kube-rbac-proxy-fix2 steven.hardy:turtles_fix steven.hardy:metal3_090 steven.hardy:metallb_rbac_proxy steven.hardy:kube-rbac-proxy-fix steven.hardy:kube_rbac_proxy steven.hardy:main steven.hardy:document-branch steven.hardy:supportlvl-macro steven.hardy:run-sync suse-edge:main suse-edge:3.3 suse-edge:dprodanov-patch-1 suse-edge:update-eib suse-edge:devel suse-edge:3.2

15 Commits
main ... turtles_01

Author SHA256 Message Date
Steven Hardy
f38d3486d1 rancher-turtles-airgap-resources: update to 0.13 release 2024-11-14 18:17:20 +00:00
Steven Hardy
8209fa1064 rancher-turtles: Update to 0.13 upstream version 
Aligns with https://github.com/suse-edge/charts/pull/166
 2024-11-14 18:14:20 +00:00
Steven Hardy
6bd4999fe8 Remove openstack-ironic-image 
This was replaced by ironic-ipa-ramdisk in #8
 2024-11-13 14:08:10 +00:00
Steven Hardy
784cd801cd delete_package.py: Fix command to add message 
Without this it launches an editor to interactively specify the
message which doesn't seem to work from inside the python script
 2024-11-13 14:05:38 +00:00
Steven Hardy
fc9325ccf9 ironic-ipa-ramdisk: fix nmc package name 2024-11-13 12:34:23 +00:00
Steven Hardy
5d2b779c68 ironic-image: Update to 26.1.2.0 
To align with isv:SUSE:Edge:Metal3:Ironic:2024.2
 2024-11-13 10:29:19 +01:00
Steven Hardy
2151ada687 ironic-ipa-downloader-image: Update to 3.0.0 
Align with isv:SUSE:Edge:Metal3:Ironic:2024.2
 2024-11-13 10:29:19 +01:00
Steven Hardy
8247b33a98 ironic-ipa-ramdisk: add new/renamed package 
To align with isv:SUSE:Edge:Metal3:Ironic:2024.2
 2024-11-13 10:29:19 +01:00
Steven Hardy
9d927c2af8 baremetal-operator: update to 0.8.0 2024-11-13 10:29:19 +01:00
Steven Hardy
ff0e5f2b33 kube-rbac-proxy: bump go to 1.23 2024-11-13 09:27:37 +00:00
Steven Hardy
cf76ed917b metallb-chart: update kube-rbac-proxy image version 2024-11-13 10:23:57 +01:00
Steven Hardy
eee07009bb rancher-turtles: Fix IMG_PREFIX macros 
Currently the substitution is not working correctly
 2024-11-12 19:00:22 +00:00
Steven Hardy
a52af83ddd kube-rbac-proxy-image: fix _service file 
Add missing prefix and support level replacements
 2024-11-12 18:11:56 +00:00
Steven Hardy
1492cfce52 Add kube-rbac-proxy-image 2024-11-12 17:38:22 +00:00
Steven Hardy
f3728884d9 Update kube-rbac-proxy to 0.18.1 2024-11-12 17:19:02 +00:00
65 changed files with 1412 additions and 384 deletions
Expand all files Collapse all files

2
.obs/delete_package.py
View File

@@ -21,7 +21,7 @@ def delete_package_from_workflow(name: str):
def delete_package_from_project(name: str):
p = subprocess.run(["osc", "rdelete", PROJECT, name], stdout=subprocess.PIPE)
p = subprocess.run(["osc", "rdelete", PROJECT, name, "-m \"Deleted via delete_package.py\"" ], stdout=subprocess.PIPE)
print(p.stdout)
print(p.stderr)
p.check_returncode()

12
.obs/workflows.yml
View File

@@ -198,10 +198,6 @@ staging_build:
source_package: cri-tools
source_project: isv:SUSE:Edge:Factory
target_project: isv:SUSE:Edge:Factory:Staging
- branch_package:
source_package: openstack-ironic-image
source_project: isv:SUSE:Edge:Factory
target_project: isv:SUSE:Edge:Factory:Staging
- branch_package:
source_package: crudini
source_project: isv:SUSE:Edge:Factory
@@ -226,3 +222,11 @@ staging_build:
source_package: rancher-turtles-chart
source_project: isv:SUSE:Edge:Factory
target_project: isv:SUSE:Edge:Factory:Staging
- branch_package:
source_package: kube-rbac-proxy-image
source_project: isv:SUSE:Edge:Factory
target_project: isv:SUSE:Edge:Factory:Staging
- branch_package:
source_package: ironic-ipa-ramdisk
source_project: isv:SUSE:Edge:Factory
target_project: isv:SUSE:Edge:Factory:Staging

2
baremetal-operator/_service
View File

@@ -2,7 +2,7 @@
<service name="obs_scm">
<param name="url">https://github.com/metal3-io/baremetal-operator</param>
<param name="scm">git</param>
<param name="revision">v0.6.1</param>
<param name="revision">v0.8.0</param>
<param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>

6
baremetal-operator/baremetal-operator.spec
View File

@@ -17,14 +17,14 @@
Name: baremetal-operator
Version: 0.6.1
Release: 0.6.1
Version: 0.8.0
Release: 0.8.0
Summary: Implements a Kubernetes API for managing bare metal hosts
License: Apache-2.0
URL: https://github.com/metal3-io/baremetal-operator
Source: baremetal-operator-%{version}.tar.gz
Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.21
BuildRequires: golang(API) = 1.22
ExcludeArch: s390
ExcludeArch: %{ix86}

30
ironic-image/Dockerfile
View File

@@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%ironic:24.1.2.0
#!BuildTag: %%IMG_PREFIX%%ironic:24.1.2.0-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.0
#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.0-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
@@ -16,7 +16,12 @@ RUN /bin/prepare-efi.sh
COPY --from=micro / /installroot/
RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
RUN zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp syslinux ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api
RUN zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp syslinux ipxe-bootimgs crudini openstack-ironic
# DATABASE
RUN mkdir -p /installroot/var/lib/ironic && \
/installroot/usr/bin/sqlite3 /installroot/var/lib/ironic/ironic.sqlite "pragma journal_mode=wal" && \
zypper --installroot /installroot --non-interactive remove sqlite3
FROM micro AS final
MAINTAINER SUSE LLC (https://www.suse.com/)
@@ -26,8 +31,8 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opencontainers.image.version="24.1.2.0"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:24.1.2.0-%RELEASE%"
LABEL org.opencontainers.image.version="26.1.2.0"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:26.1.2.0-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -48,8 +53,8 @@ RUN echo 'alias mkisofs="xorriso -as mkisofs"' >> ~/.bashrc
COPY mkisofs_wrapper /usr/bin/mkisofs
RUN set -euo pipefail; chmod +x /usr/bin/mkisofs
COPY auth-common.sh configure-ironic.sh ironic-common.sh rundnsmasq runhttpd runironic runironic-api runironic-conductor runironic-exporter runironic-inspector runlogwatch.sh tls-common.sh configure-nonroot.sh /bin/
RUN set -euo pipefail; chmod +x /bin/auth-common.sh; chmod +x /bin/configure-ironic.sh; chmod +x /bin/ironic-common.sh; chmod +x /bin/rundnsmasq; chmod +x /bin/runhttpd; chmod +x /bin/runironic; chmod +x /bin/runironic-api; chmod +x /bin/runironic-conductor; chmod +x /bin/runironic-exporter; chmod +x /bin/runironic-inspector; chmod +x /bin/runlogwatch.sh; chmod +x /bin/tls-common.sh; chmod +x /bin/configure-nonroot.sh;
COPY auth-common.sh configure-ironic.sh ironic-common.sh rundnsmasq runhttpd runironic runlogwatch.sh tls-common.sh configure-nonroot.sh ironic-probe.j2 /bin/
RUN set -euo pipefail; chmod +x /bin/auth-common.sh; chmod +x /bin/configure-ironic.sh; chmod +x /bin/ironic-common.sh; chmod +x /bin/rundnsmasq; chmod +x /bin/runhttpd; chmod +x /bin/runironic; chmod +x /bin/runlogwatch.sh; chmod +x /bin/tls-common.sh; chmod +x /bin/configure-nonroot.sh;
RUN mkdir -p /tftpboot
RUN mkdir -p $GRUB_DIR
@@ -63,7 +68,7 @@ RUN cp /usr/share/ipxe/ipxe-x86_64.efi /tftpboot/ipxe.efi
COPY --from=base /tmp/esp.img /tmp/uefi_esp.img
COPY ironic.conf.j2 /etc/ironic/
COPY inspector.ipxe.j2 httpd-ironic-api.conf.j2 /tmp/
COPY inspector.ipxe.j2 httpd-ironic-api.conf.j2 ipxe_config.template /tmp/
COPY network-data-schema-empty.json /etc/ironic/
# DNSMASQ
@@ -73,14 +78,7 @@ COPY dnsmasq.conf.j2 /etc/
COPY httpd.conf.j2 /etc/httpd/conf/
COPY httpd-modules.conf /etc/httpd/conf.modules.d/
COPY apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
# IRONIC-INSPECTOR #
RUN mkdir -p /var/lib/ironic /var/lib/ironic-inspector && \
sqlite3 /var/lib/ironic/ironic.db "pragma journal_mode=wal" && \
sqlite3 /var/lib/ironic-inspector/ironic-inspector.db "pragma journal_mode=wal"
COPY ironic-inspector.conf.j2 /etc/ironic-inspector/
COPY inspector-apache.conf.j2 /etc/httpd/conf.d/
COPY apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
# Workaround
# Removing the 010-ironic.conf file that comes with the package

35
ironic-image/apache2-ipxe.conf.j2 Normal file
View File

@@ -0,0 +1,35 @@
Listen {{ env.IPXE_TLS_PORT }}
<VirtualHost *:{{ env.IPXE_TLS_PORT }}>
ErrorLog /dev/stderr
LogLevel debug
CustomLog /dev/stdout combined
SSLEngine on
SSLProtocol {{ env.IPXE_SSL_PROTOCOL }}
SSLCertificateFile {{ env.IPXE_CERT_FILE }}
SSLCertificateKeyFile {{ env.IPXE_KEY_FILE }}
<Directory "/shared/html">
Order Allow,Deny
Allow from all
</Directory>
<Directory "/shared/html/(redfish|ilo|images)/">
Order Deny,Allow
Deny from all
</Directory>
</VirtualHost>
<Location ~ "^/grub.*/">
SSLRequireSSL
</Location>
<Location ~ "^/pxelinux.cfg/">
SSLRequireSSL
</Location>
<Location ~ "^/.*\.conf/">
SSLRequireSSL
</Location>
<Location ~ "^/(([0-9]|[a-z]).*-){4}([0-9]|[a-z]).*/">
SSLRequireSSL
</Location>

20
ironic-image/apache2-vmedia.conf.j2
View File

@@ -9,16 +9,18 @@ Listen {{ env.VMEDIA_TLS_PORT }}
SSLProtocol {{ env.IRONIC_VMEDIA_SSL_PROTOCOL }}
SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}
<Directory "/shared">
AllowOverride None
Require all granted
</Directory>
<Directory "/shared/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
<Directory ~ "/shared/html">
Order deny,allow
deny from all
</Directory>
<Directory ~ "/shared/html/(redfish|ilo)/">
Order allow,deny
allow from all
</Directory>
<Directory ~ "/shared/html/images/">
Order allow,deny
allow from all
</Directory>
</VirtualHost>

46
ironic-image/auth-common.sh
View File

@@ -2,36 +2,39 @@
set -euxo pipefail
export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
export INSPECTOR_HTPASSWD=${INSPECTOR_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
export IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}"
export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
# Backward compatibility
if [[ "${IRONIC_DEPLOYMENT:-}" == "Conductor" ]]; then
export IRONIC_EXPOSE_JSON_RPC=true
else
export IRONIC_EXPOSE_JSON_RPC="${IRONIC_EXPOSE_JSON_RPC:-false}"
fi
IRONIC_HTPASSWD_FILE=/etc/ironic/htpasswd
INSPECTOR_HTPASSWD_FILE=/etc/ironic-inspector/htpasswd
if [[ -f "/auth/ironic/htpasswd" ]]; then
IRONIC_HTPASSWD=$(</auth/ironic/htpasswd)
fi
export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
configure_client_basic_auth()
{
local auth_config_file="/auth/$1/auth-config"
local dest="${2:-/etc/ironic/ironic.conf}"
if [[ -f "${auth_config_file}" ]]; then
# Merge configurations in the "auth" directory into the default ironic configuration file because there is no way to choose the configuration file
# when running the api as a WSGI app.
# Merge configurations in the "auth" directory into the default ironic configuration file
crudini --merge "${dest}" < "${auth_config_file}"
fi
}
configure_json_rpc_auth()
{
export JSON_RPC_AUTH_STRATEGY="noauth"
if [[ -n "${IRONIC_HTPASSWD}" ]]; then
if [[ "${IRONIC_DEPLOYMENT}" == "Conductor" ]]; then
export JSON_RPC_AUTH_STRATEGY="http_basic"
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
else
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
if [[ "${IRONIC_EXPOSE_JSON_RPC}" == "true" ]]; then
if [[ -z "${IRONIC_HTPASSWD}" ]]; then
echo "FATAL: enabling JSON RPC requires authentication"
exit 1
fi
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
fi
}
@@ -48,24 +51,9 @@ configure_ironic_auth()
fi
}
configure_inspector_auth()
{
local config=/etc/ironic-inspector/ironic-inspector.conf
if [[ -n "${INSPECTOR_HTPASSWD}" ]]; then
printf "%s\n" "${INSPECTOR_HTPASSWD}" > "${INSPECTOR_HTPASSWD_FILE}"
if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "false" ]]; then
crudini --set "${config}" DEFAULT auth_strategy http_basic
crudini --set "${config}" DEFAULT http_basic_auth_user_file "${INSPECTOR_HTPASSWD_FILE}"
fi
fi
}
write_htpasswd_files()
{
if [[ -n "${IRONIC_HTPASSWD:-}" ]]; then
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
fi
if [[ -n "${INSPECTOR_HTPASSWD:-}" ]]; then
printf "%s\n" "${INSPECTOR_HTPASSWD}" > "${INSPECTOR_HTPASSWD_FILE}"
fi
}

57
ironic-image/configure-ironic.sh
View File

@@ -2,14 +2,13 @@
set -euxo pipefail
IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}"
IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}"
# Define the VLAN interfaces to be included in introspection report, e.g.
# all - all VLANs on all interfaces using LLDP information
# <interface> - all VLANs on a particular interface using LLDP information
# <interface.vlan> - a particular VLAN on an interface, not relying on LLDP
export IRONIC_INSPECTOR_VLAN_INTERFACES=${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}
export IRONIC_ENABLE_VLAN_INTERFACES=${IRONIC_ENABLE_VLAN_INTERFACES:-${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}}
# shellcheck disable=SC1091
. /bin/tls-common.sh
@@ -20,13 +19,17 @@ export IRONIC_INSPECTOR_VLAN_INTERFACES=${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}
export HTTP_PORT=${HTTP_PORT:-80}
MARIADB_PASSWORD=${MARIADB_PASSWORD}
MARIADB_DATABASE=${MARIADB_DATABASE:-ironic}
MARIADB_USER=${MARIADB_USER:-ironic}
MARIADB_HOST=${MARIADB_HOST:-127.0.0.1}
export MARIADB_CONNECTION="mysql+pymysql://${MARIADB_USER}:${MARIADB_PASSWORD}@${MARIADB_HOST}/${MARIADB_DATABASE}?charset=utf8"
if [[ "$MARIADB_TLS_ENABLED" == "true" ]]; then
export MARIADB_CONNECTION="${MARIADB_CONNECTION}&ssl=on&ssl_ca=${MARIADB_CACERT_FILE}"
export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true}
if [[ "$IRONIC_USE_MARIADB" == "true" ]]; then
MARIADB_PASSWORD=${MARIADB_PASSWORD}
MARIADB_DATABASE=${MARIADB_DATABASE:-ironic}
MARIADB_USER=${MARIADB_USER:-ironic}
MARIADB_HOST=${MARIADB_HOST:-127.0.0.1}
export MARIADB_CONNECTION="mysql+pymysql://${MARIADB_USER}:${MARIADB_PASSWORD}@${MARIADB_HOST}/${MARIADB_DATABASE}?charset=utf8"
if [[ "$MARIADB_TLS_ENABLED" == "true" ]]; then
export MARIADB_CONNECTION="${MARIADB_CONNECTION}&ssl=on&ssl_ca=${MARIADB_CACERT_FILE}"
fi
fi
# TODO(dtantsur): remove the explicit default once we get
@@ -37,9 +40,6 @@ if [[ "$NUMPROC" -lt 4 ]]; then
fi
export NUMWORKERS=${NUMWORKERS:-$NUMPROC}
export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true}
export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-true}
# Whether to enable fast_track provisioning or not
export IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true}
@@ -58,16 +58,14 @@ wait_for_interface_or_ip
export IRONIC_CONDUCTOR_HOST=${IRONIC_CONDUCTOR_HOST:-${IRONIC_URL_HOST}}
export IRONIC_BASE_URL=${IRONIC_BASE_URL:-"${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"}
export IRONIC_INSPECTOR_BASE_URL=${IRONIC_INSPECTOR_BASE_URL:-"${IRONIC_INSPECTOR_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_INSPECTOR_ACCESS_PORT}"}
if [[ -n "$IRONIC_EXTERNAL_IP" ]]; then
export IRONIC_EXTERNAL_CALLBACK_URL="${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"
export IRONIC_EXTERNAL_CALLBACK_URL=${IRONIC_EXTERNAL_CALLBACK_URL:-"${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"}
if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
export IRONIC_EXTERNAL_HTTP_URL="https://${IRONIC_EXTERNAL_IP}:${VMEDIA_TLS_PORT}"
export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"https://${IRONIC_EXTERNAL_IP}:${VMEDIA_TLS_PORT}"}
else
export IRONIC_EXTERNAL_HTTP_URL="http://${IRONIC_EXTERNAL_IP}:${HTTP_PORT}"
export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"http://${IRONIC_EXTERNAL_IP}:${HTTP_PORT}"}
fi
export IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE="https://${IRONIC_EXTERNAL_IP}:${IRONIC_INSPECTOR_ACCESS_PORT}"
fi
IMAGE_CACHE_PREFIX=/shared/html/images/ironic-python-agent
@@ -90,13 +88,32 @@ mkdir -p /shared/ironic_prometheus_exporter
configure_json_rpc_auth
if [[ -f /proc/sys/crypto/fips_enabled ]]; then
ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)
export ENABLE_FIPS_IPA
fi
# The original ironic.conf is empty, and can be found in ironic.conf_orig
render_j2_config /etc/ironic/ironic.conf.j2 /etc/ironic/ironic.conf
if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
configure_client_basic_auth ironic-inspector
fi
configure_client_basic_auth ironic-rpc
# Make sure ironic traffic bypasses any proxies
export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
PROBE_CURL_ARGS=
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
if [[ "${IRONIC_PRIVATE_PORT}" == "unix" ]]; then
PROBE_URL="http://127.0.0.1:6385"
PROBE_CURL_ARGS="--unix-socket /shared/ironic.sock"
else
PROBE_URL="http://127.0.0.1:${IRONIC_PRIVATE_PORT}"
fi
else
PROBE_URL="${IRONIC_BASE_URL}"
fi
export PROBE_CURL_ARGS
export PROBE_URL
PROBE_KIND=readiness render_j2_config /bin/ironic-probe.j2 /bin/ironic-readiness
PROBE_KIND=liveness render_j2_config /bin/ironic-probe.j2 /bin/ironic-liveness

21
ironic-image/configure-nonroot.sh
View File

@@ -10,12 +10,12 @@ useradd -r -g ${NONROOT_GID} \
-d /var/lib/ironic \
-s /sbin/nologin \
${USER}
# create ironic's http_root directory
mkdir -p /shared/html
chown "${NONROOT_UID}":"${NONROOT_GID}" /shared/html
# we'll bind mount shared ca and ironic/inspector certificate dirs here
# we'll bind mount shared ca and ironic certificate dirs here
# that need to have correct ownership as the entire ironic in BMO
# deployment shares a single fsGroup in manifest's securityContext
mkdir -p /certs/ca
@@ -26,17 +26,15 @@ chmod 2775 /certs{,/ca}
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/apache2
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /run
# ironic, inspector and httpd related changes
# ironic and httpd related changes
mkdir -p /etc/httpd/conf.d
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/ironic /etc/httpd /etc/httpd
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/ironic-inspector
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/log
chmod 2775 /etc/ironic /etc/ironic-inspector /etc/httpd/conf /etc/httpd/conf.d
chmod 664 /etc/ironic/* /etc/ironic-inspector/* /etc/httpd/conf/* /etc/httpd/conf.d/*
chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ironic
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ironic-inspector
chmod 2775 /var/lib/ironic /var/lib/ironic-inspector
chmod 664 /var/lib/ironic/ironic.db /var/lib/ironic-inspector/ironic-inspector.db
chmod 664 /var/lib/ironic/ironic.sqlite
# dnsmasq, and the capabilities required to run it as non-root user
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/dnsmasq.conf /var/lib/dnsmasq
@@ -48,3 +46,8 @@ chmod 664 /etc/dnsmasq.conf /var/lib/dnsmasq/dnsmasq.leases
touch /var/lib/ca-certificates/ca-bundle.pem.new
chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ca-certificates/
chmod -R +w /var/lib/ca-certificates/
# probes that are created before start
touch /bin/ironic-{readi,live}ness
chown root:"${NONROOT_GID}" /bin/ironic-{readi,live}ness
chmod 775 /bin/ironic-{readi,live}ness

12
ironic-image/dnsmasq.conf.j2
View File

@@ -29,13 +29,23 @@ dhcp-option=option{% if ":" in env["DNS_IP"] %}6{% endif %}:dns-server,{{ env["D
# IPv4 Configuration:
dhcp-match=ipxe,175
# Client is already running iPXE; move to next stage of chainloading
{%- if env.IPXE_TLS_SETUP == "true" %}
# iPXE with (U)EFI
dhcp-boot=tag:efi,tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/snponly.efi
# iPXE with BIOS
dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/undionly.kpxe
{% else %}
dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
{% endif %}
# Note: Need to test EFI booting
dhcp-match=set:efi,option:client-arch,7
dhcp-match=set:efi,option:client-arch,9
dhcp-match=set:efi,option:client-arch,11
# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader
# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader do the same also if iPXE ROM boots but TLS is enabled
{%- if env.IPXE_TLS_SETUP == "true" %}
dhcp-boot=tag:efi,tag:ipxe,snponly.efi
{% endif %}
dhcp-boot=tag:efi,tag:!ipxe,snponly.efi
# Client is running PXE over BIOS; send BIOS version of iPXE chainloader

25
ironic-image/httpd-ironic-api.conf.j2
View File

@@ -19,8 +19,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
<VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}>
{% endif %}
{% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}
{% if env.IRONIC_PRIVATE_PORT == "unix" %}
ProxyPass "/" "unix:/shared/ironic.sock|http://127.0.0.1/"
ProxyPassReverse "/" "unix:/shared/ironic.sock|http://127.0.0.1/"
@@ -29,14 +27,8 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
ProxyPassReverse "/" "http://127.0.0.1:{{ env.IRONIC_PRIVATE_PORT }}/"
{% endif %}
{% else %}
WSGIDaemonProcess ironic user=ironic group=ironic threads=10 display-name=%{GROUP}
WSGIScriptAlias / /usr/bin/ironic-api-wsgi
{% endif %}
SetEnv APACHE_RUN_USER ironic-suse
SetEnv APACHE_RUN_GROUP ironic-suse
WSGIProcessGroup ironic-suse
ErrorLog /dev/stderr
LogLevel debug
@@ -49,7 +41,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
SSLCertificateKeyFile {{ env.IRONIC_KEY_FILE }}
{% endif %}
{% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}
<Location />
{% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
AuthType Basic
@@ -58,22 +49,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
Require valid-user
{% endif %}
</Location>
{% else %}
<Directory /usr/bin >
WSGIProcessGroup ironic
WSGIApplicationGroup %{GLOBAL}
AllowOverride None
{% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
AuthType Basic
AuthName "Restricted WSGI area"
AuthUserFile "/etc/ironic/htpasswd"
Require valid-user
{% else %}
Require all granted
{% endif %}
</Directory>
{% endif %}
<Location ~ "^/(v1/?)?$" >
Require all granted

1
ironic-image/httpd-modules.conf
View File

@@ -5,7 +5,6 @@ LoadModule dir_module /usr/lib64/apache2/mod_dir.so
LoadModule authz_core_module /usr/lib64/apache2/mod_authz_core.so
#LoadModule unixd_module modules/mod_unixd.so
#LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule wsgi_module /usr/lib64/apache2/mod_wsgi.so
LoadModule ssl_module /usr/lib64/apache2/mod_ssl.so
LoadModule env_module /usr/lib64/apache2/mod_env.so
LoadModule proxy_module /usr/lib64/apache2/mod_proxy.so

2
ironic-image/httpd.conf.j2
View File

@@ -1,6 +1,6 @@
ServerRoot "/etc/httpd"
{%- if env.LISTEN_ALL_INTERFACES | lower == "true" %}
Listen [::]:{{ env.HTTP_PORT }}
Listen {{ env.HTTP_PORT }}
{% else %}
Listen {{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
{% endif %}

4
ironic-image/inspector.ipxe.j2
View File

@@ -5,6 +5,6 @@ echo In inspector.ipxe
imgfree
# NOTE(dtantsur): keep inspection kernel params in [mdns]params in
# ironic-inspector-image and configuration in configure-ironic.sh
kernel --timeout 60000 http://{{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
initrd --timeout 60000 http://{{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.initramfs || goto retry_boot
kernel --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
initrd --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.initramfs || goto retry_boot
boot

81
ironic-image/ipxe_config.template Normal file
View File

@@ -0,0 +1,81 @@
#!ipxe
set attempts:int32 10
set i:int32 0
goto deploy
:deploy
imgfree
{%- if pxe_options.deployment_aki_path %}
{%- set aki_path_https_elements = pxe_options.deployment_aki_path.split(':') %}
{%- set aki_port_and_path = aki_path_https_elements[2].split('/') %}
{%- set aki_afterport = aki_port_and_path[1:]|join('/') %}
{%- set aki_path_https = ['https:', aki_path_https_elements[1], ':8084/', aki_afterport]|join %}
{%- endif %}
{%- if pxe_options.deployment_ari_path %}
{%- set ari_path_https_elements = pxe_options.deployment_ari_path.split(':') %}
{%- set ari_port_and_path = ari_path_https_elements[2].split('/') %}
{%- set ari_afterport = ari_port_and_path[1:]|join('/') %}
{%- set ari_path_https = ['https:', ari_path_https_elements[1], ':8084/', ari_afterport]|join %}
{%- endif %}
kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} selinux=0 troubleshoot=0 text {{ pxe_options.pxe_append_params|default("", true) }} BOOTIF=${mac} initrd={{ pxe_options.initrd_filename|default("deploy_ramdisk", true) }} || goto retry
initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto retry
boot
:retry
iseq ${i} ${attempts} && goto fail ||
inc i
echo No response, retrying in ${i} seconds.
sleep ${i}
goto deploy
:fail
echo Failed to get a response after ${attempts} attempts
echo Powering off in 30 seconds.
sleep 30
poweroff
:boot_anaconda
imgfree
kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} text {{ pxe_options.pxe_append_params|default("", true) }} inst.ks={{ pxe_options.ks_cfg_url }} {% if pxe_options.repo_url %}inst.repo={{ pxe_options.repo_url }}{% else %}inst.stage2={{ pxe_options.stage2_url }}{% endif %} initrd=ramdisk || goto boot_anaconda
initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_anaconda
boot
:boot_ramdisk
imgfree
{%- if pxe_options.boot_iso_url %}
sanboot {{ pxe_options.boot_iso_url }}
{%- else %}
kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} root=/dev/ram0 text {{ pxe_options.pxe_append_params|default("", true) }} {{ pxe_options.ramdisk_opts|default('', true) }} initrd=ramdisk || goto boot_ramdisk
initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_ramdisk
boot
{%- endif %}
{%- if pxe_options.boot_from_volume %}
:boot_iscsi
imgfree
{% if pxe_options.username %}set username {{ pxe_options.username }}{% endif %}
{% if pxe_options.password %}set password {{ pxe_options.password }}{% endif %}
{% if pxe_options.iscsi_initiator_iqn %}set initiator-iqn {{ pxe_options.iscsi_initiator_iqn }}{% endif %}
sanhook --drive 0x80 {{ pxe_options.iscsi_boot_url }} || goto fail_iscsi_retry
{%- if pxe_options.iscsi_volumes %}{% for i, volume in enumerate(pxe_options.iscsi_volumes) %}
set username {{ volume.username }}
set password {{ volume.password }}
{%- set drive_id = 129 + i %}
sanhook --drive {{ '0x%x' % drive_id }} {{ volume.url }} || goto fail_iscsi_retry
{%- endfor %}{% endif %}
{% if pxe_options.iscsi_volumes %}set username {{ pxe_options.username }}{% endif %}
{% if pxe_options.iscsi_volumes %}set password {{ pxe_options.password }}{% endif %}
sanboot --no-describe || goto fail_iscsi_retry
:fail_iscsi_retry
echo Failed to attach iSCSI volume(s), retrying in 10 seconds.
sleep 10
goto boot_iscsi
{%- endif %}
:boot_whole_disk
sanboot --no-describe || exit 0

25
ironic-image/ironic-common.sh
View File

@@ -6,6 +6,7 @@ IRONIC_IP="${IRONIC_IP:-}"
PROVISIONING_INTERFACE="${PROVISIONING_INTERFACE:-}"
PROVISIONING_IP="${PROVISIONING_IP:-}"
PROVISIONING_MACS="${PROVISIONING_MACS:-}"
IPXE_CUSTOM_FIRMWARE_DIR="${IPXE_CUSTOM_FIRMWARE_DIR:-/shared/custom_ipxe_firmware}"
get_provisioning_interface()
{
@@ -72,7 +73,10 @@ wait_for_interface_or_ip()
render_j2_config()
{
ls $1 # DEBUG
python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1"
python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
ls $2 # DEBUG
}
run_ironic_dbsync()
@@ -86,25 +90,18 @@ run_ironic_dbsync()
done
else
# SQLite does not support some statements. Fortunately, we can just create
# the schema in one go instead of going through an upgrade.
ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
# the schema in one go if not already created, instead of going through an upgrade
DB_VERSION="$(ironic-dbsync --config-file /etc/ironic/ironic.conf version)"
if [[ "${DB_VERSION}" == "None" ]]; then
ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
fi
fi
}
# Use the special value "unix" for unix sockets
export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-6388}
export IRONIC_INSPECTOR_PRIVATE_PORT=${IRONIC_INSPECTOR_PRIVATE_PORT:-5049}
export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-unix}
export IRONIC_ACCESS_PORT=${IRONIC_ACCESS_PORT:-6385}
export IRONIC_LISTEN_PORT=${IRONIC_LISTEN_PORT:-$IRONIC_ACCESS_PORT}
export IRONIC_INSPECTOR_ACCESS_PORT=${IRONIC_INSPECTOR_ACCESS_PORT:-5050}
export IRONIC_INSPECTOR_LISTEN_PORT=${IRONIC_INSPECTOR_LISTEN_PORT:-$IRONIC_INSPECTOR_ACCESS_PORT}
# If this is false, built-in inspection is used.
export USE_IRONIC_INSPECTOR=${USE_IRONIC_INSPECTOR:-true}
export IRONIC_INSPECTOR_ENABLE_DISCOVERY=${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}
if [[ "${USE_IRONIC_INSPECTOR}" != "true" ]] && [[ "${IRONIC_INSPECTOR_ENABLE_DISCOVERY}" == "true" ]]; then
echo "Discovery is only supported with ironic-inspector at this point"
exit 1
fi
export IRONIC_ENABLE_DISCOVERY=${IRONIC_ENABLE_DISCOVERY:-${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}}

9
ironic-image/ironic-probe.j2 Normal file
View File

@@ -0,0 +1,9 @@
#!/bin/bash
set -eu -o pipefail
curl -sSf {{ env.PROBE_CURL_ARGS }} "{{ env.PROBE_URL }}"
# TODO(dtantsur): when PROBE_KIND==readiness, try the conductor and driver API
# to make sure the conductor is ready. This requires having access to secrets
# since these endpoints are authenticated.

78
ironic-image/ironic.conf.j2
View File

@@ -1,28 +1,22 @@
[DEFAULT]
{% if env.AUTH_STRATEGY is defined %}
auth_strategy = {{ env.AUTH_STRATEGY }}
{% if env.AUTH_STRATEGY == "http_basic" %}
http_basic_auth_user_file=/etc/ironic/htpasswd
{% endif %}
{% else %}
auth_strategy = noauth
{% endif %}
debug = true
default_deploy_interface = direct
default_inspect_interface = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %}
default_inspect_interface = agent
default_network_interface = noop
enabled_bios_interfaces = idrac-wsman,no-bios,redfish,idrac-redfish,irmc,ilo
enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media
enabled_bios_interfaces = no-bios,redfish,idrac-redfish,irmc,ilo
enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media,redfish-https
enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
enabled_firmware_interfaces = no-firmware,fake,redfish
# NOTE(dtantsur): when changing this, make sure to update the driver
# dependencies in Dockerfile.
enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,manual-management,ilo,ilo5
enabled_inspect_interfaces = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %},idrac-wsman,irmc,fake,redfish,ilo
enabled_management_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
enabled_power_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ilo
enabled_raid_interfaces = no-raid,irmc,agent,fake,idrac-wsman,redfish,idrac-redfish,ilo5
enabled_vendor_interfaces = no-vendor,ipmitool,idrac-wsman,idrac-redfish,redfish,ilo,fake
enabled_firmware_interfaces = no-firmware,fake,redfish
enabled_inspect_interfaces = agent,irmc,fake,redfish,ilo
enabled_management_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
enabled_network_interfaces = noop
enabled_power_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo
enabled_raid_interfaces = no-raid,irmc,agent,fake,redfish,idrac-redfish,ilo5
enabled_vendor_interfaces = no-vendor,ipmitool,idrac-redfish,redfish,ilo,fake
{% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
rpc_transport = json-rpc
{% else %}
@@ -32,14 +26,7 @@ use_stderr = true
# NOTE(dtantsur): the default md5 is not compatible with FIPS mode
hash_ring_algorithm = sha256
my_ip = {{ env.IRONIC_IP }}
{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
# if access is unauthenticated, we bind only to localhost - use that as the
# host name also, so that the client can find the server
# If we run both API and conductor in the same pod, use localhost
host = localhost
{% else %}
host = {{ env.IRONIC_CONDUCTOR_HOST }}
{% endif %}
# If a path to a certificate is defined, use that first for webserver
{% if env.WEBSERVER_CACERT_FILE %}
@@ -96,7 +83,7 @@ send_sensor_data = {{ env.SEND_SENSOR_DATA }}
# Power state is checked every 60 seconds and BMC activity should
# be avoided more often than once every sixty seconds.
send_sensor_data_interval = 160
bootloader = {{ env.IRONIC_BOOT_BASE_URL }}/uefi_esp.img
bootloader = http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/uefi_esp.img
verify_step_priority_override = management.clear_job_queue:90
# We don't use this feature, and it creates an additional load on the database
node_history = False
@@ -125,7 +112,7 @@ default_boot_option = local
erase_devices_metadata_priority = 10
erase_devices_priority = 0
http_root = /shared/html/
http_url = {{ env.IRONIC_BOOT_BASE_URL }}
http_url = http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
fast_track = {{ env.IRONIC_FAST_TRACK }}
{% if env.IRONIC_BOOT_ISO_SOURCE %}
ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }}
@@ -143,26 +130,22 @@ external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
dhcp_provider = none
[inspector]
# NOTE(dtantsur): we properly configure the "unmanaged" inspection boot (i.e.
# booting IPA through a separate inspector.ipxe rather than the driver's boot
# interface), so managed boot is not required.
require_managed_boot = False
power_off = {{ false if env.IRONIC_FAST_TRACK == "true" else true }}
# NOTE(dtantsur): keep inspection arguments synchronized with inspector.ipxe
# Also keep in mind that only parameters unique for inspection go here.
# No need to duplicate pxe_append_params/kernel_append_params.
extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
{% if env.USE_IRONIC_INSPECTOR == "true" %}
endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }}
insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
{% endif %}
{% if env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE %}
callback_endpoint_override = {{ env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE }}
{% endif %}
{% else %}
extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1
hooks = $default_hooks,parse-lldp
add_ports = all
keep_ports = present
{% endif %}
[auto_discovery]
enabled = {{ env.IRONIC_ENABLE_DISCOVERY }}
driver = ipmi
[ipmi]
# use_ipmitool_retries transfers the responsibility of retrying to ipmitool
@@ -191,15 +174,9 @@ cipher_suite_versions = 3,17
# authentication over localhost, using the same credentials as API, to prevent
# unauthenticated connections from other processes in the same host since the
# containers are in host networking.
auth_strategy = {{ env.JSON_RPC_AUTH_STRATEGY }}
auth_strategy = http_basic
http_basic_auth_user_file = /etc/ironic/htpasswd-rpc
{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
# if access is unauthenticated, we bind only to localhost - use that as the
# host name also, so that the client can find the server
host_ip = localhost
{% else %}
host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
{% endif %}
{% if env.IRONIC_TLS_SETUP == "true" %}
use_ssl = true
cafile = {{ env.IRONIC_CACERT_FILE }}
@@ -224,24 +201,27 @@ images_path = /shared/html/tmp
instance_master_path = /shared/html/master_images
tftp_master_path = /shared/tftpboot/master_images
tftp_root = /shared/tftpboot
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
# This makes networking boot templates generated even for nodes using local
# boot (the default), ensuring that they boot correctly even if they start
# netbooting for some reason (e.g. with the noop management interface).
enable_netboot_fallback = true
# Enable the fallback path to in-band inspection
ipxe_fallback_script = inspector.ipxe
{% if env.IPXE_TLS_SETUP | lower == "true" %}
ipxe_config_template = /tmp/ipxe_config.template
{% endif %}
[redfish]
use_swift = false
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
[ilo]
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
use_web_server_for_images = true
[irmc]
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
[service_catalog]
endpoint_override = {{ env.IRONIC_BASE_URL }}

10
ironic-image/rundnsmasq
View File

@@ -4,6 +4,8 @@ set -eux
# shellcheck disable=SC1091
. /bin/ironic-common.sh
# shellcheck disable=SC1091
. /bin/tls-common.sh
export HTTP_PORT=${HTTP_PORT:-80}
DNSMASQ_EXCEPT_INTERFACE=${DNSMASQ_EXCEPT_INTERFACE:-lo}
@@ -19,7 +21,13 @@ mkdir -p /shared/html/images
mkdir -p /shared/html/pxelinux.cfg
# Copy files to shared mount
cp /tftpboot/undionly.kpxe /tftpboot/snponly.efi /shared/tftpboot
if [[ -r "${IPXE_CUSTOM_FIRMWARE_DIR}" ]]; then
cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
"${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
"/shared/tftpboot"
else
cp /tftpboot/undionly.kpxe /tftpboot/snponly.efi /shared/tftpboot
fi
# Template and write dnsmasq.conf
# we template via /tmp as sed otherwise creates temp files in /etc directory

31
ironic-image/runhttpd
View File

@@ -8,10 +8,7 @@
export HTTP_PORT=${HTTP_PORT:-80}
export VMEDIA_TLS_PORT=${VMEDIA_TLS_PORT:-8083}
INSPECTOR_ORIG_HTTPD_CONFIG=/etc/httpd/conf.d/inspector-apache.conf.j2
INSPECTOR_RESULT_HTTPD_CONFIG=/etc/httpd/conf.d/ironic-inspector.conf
export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
# In Metal3 context they are called node images in Ironic context they are
# called user images.
@@ -33,11 +30,7 @@ chmod 0777 /shared/html
IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}"
if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue"
else
INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
fi
INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
if [[ "$IRONIC_FAST_TRACK" == "true" ]]; then
INSPECTOR_EXTRA_ARGS+=" ipa-api-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}"
@@ -51,14 +44,6 @@ cp /tmp/uefi_esp.img /shared/html/uefi_esp.img
# Render the core httpd config
render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf
if [[ "$USE_IRONIC_INSPECTOR" == "true" ]] && [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then
if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "true" ]]; then
render_j2_config "$INSPECTOR_ORIG_HTTPD_CONFIG" "$INSPECTOR_RESULT_HTTPD_CONFIG"
fi
else
export INSPECTOR_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
fi
if [[ "$IRONIC_TLS_SETUP" == "true" ]]; then
if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
render_j2_config /tmp/httpd-ironic-api.conf.j2 /etc/httpd/conf.d/ironic.conf
@@ -74,12 +59,14 @@ if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
render_j2_config /etc/httpd-vmedia.conf.j2 /etc/httpd/conf.d/vmedia.conf
fi
# Set up inotify to kill the container (restart) whenever cert files for ironic inspector change
if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
# shellcheck disable=SC2034
inotifywait -m -e delete_self "${IRONIC_INSPECTOR_CERT_FILE}" | while read -r file event; do
kill -WINCH $(pgrep httpd)
done &
# Render httpd TLS configuration for /shared/html
if [[ "$IPXE_TLS_SETUP" == "true" ]]; then
mkdir -p /shared/html/custom-ipxe
chmod 0777 /shared/html/custom-ipxe
render_j2_config "/etc/httpd-ipxe.conf.j2" "/etc/httpd/conf.d/ipxe.conf"
cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
"${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
"/shared/html/custom-ipxe"
fi
# Set up inotify to kill the container (restart) whenever cert files for ironic api change

4
ironic-image/runironic
View File

@@ -1,9 +1,7 @@
#!/usr/bin/bash
# These settings must go before configure-ironic since it has different
# defaults.
# This setting must go before configure-ironic since it has different defaults.
export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-false}
# shellcheck disable=SC1091
. /bin/configure-ironic.sh

21
ironic-image/runlogwatch.sh
View File

@@ -1,20 +1,11 @@
#!/usr/bin/bash
# Ramdisk logs path
LOG_DIRS=("/shared/log/ironic/deploy" "/shared/log/ironic-inspector/ramdisk")
LOG_DIR="/shared/log/ironic/deploy"
while :; do
for LOG_DIR in "${LOG_DIRS[@]}"; do
if ! ls "${LOG_DIR}"/*.tar.gz 1> /dev/null 2>&1; then
continue
fi
for fn in "${LOG_DIR}"/*.tar.gz; do
echo "************ Contents of $fn ramdisk log file bundle **************"
tar -xOzvvf "$fn" | sed -e "s/^/$(basename "$fn"): /"
rm -f "$fn"
done
inotifywait -m "${LOG_DIR}" -e close_write |
while read -r path _action file; do
echo "************ Contents of ${path}/${file} ramdisk log file bundle **************"
tar -xOzvvf "${path}/${file}" | sed -e "s/^/${file}: /"
rm -f "${path}/${file}"
done
sleep 5
done

54
ironic-image/tls-common.sh
View File

@@ -5,24 +5,25 @@ export IRONIC_KEY_FILE=/certs/ironic/tls.key
export IRONIC_CACERT_FILE=/certs/ca/ironic/tls.crt
export IRONIC_INSECURE=${IRONIC_INSECURE:-false}
export IRONIC_SSL_PROTOCOL=${IRONIC_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
export IPXE_SSL_PROTOCOL=${IPXE_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
export IRONIC_VMEDIA_SSL_PROTOCOL=${IRONIC_VMEDIA_SSL_PROTOCOL:-"ALL"}
export IRONIC_INSPECTOR_CERT_FILE=/certs/ironic-inspector/tls.crt
export IRONIC_INSPECTOR_KEY_FILE=/certs/ironic-inspector/tls.key
export IRONIC_INSPECTOR_CACERT_FILE=/certs/ca/ironic-inspector/tls.crt
export IRONIC_INSPECTOR_INSECURE=${IRONIC_INSPECTOR_INSECURE:-$IRONIC_INSECURE}
export IRONIC_VMEDIA_CERT_FILE=/certs/vmedia/tls.crt
export IRONIC_VMEDIA_KEY_FILE=/certs/vmedia/tls.key
export IPXE_CERT_FILE=/certs/ipxe/tls.crt
export IPXE_KEY_FILE=/certs/ipxe/tls.key
export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPDATED:-"false"}
export MARIADB_CACERT_FILE=/certs/ca/mariadb/tls.crt
export IPXE_TLS_PORT="${IPXE_TLS_PORT:-8084}"
mkdir -p /certs/ironic
mkdir -p /certs/ironic-inspector
mkdir -p /certs/ca/ironic
mkdir -p /certs/ca/ironic-inspector
mkdir -p /certs/ipxe
mkdir -p /certs/vmedia
if [[ -f "$IRONIC_CERT_FILE" ]] && [[ ! -f "$IRONIC_KEY_FILE" ]]; then
echo "Missing TLS Certificate key file $IRONIC_KEY_FILE"
@@ -33,15 +34,6 @@ if [[ ! -f "$IRONIC_CERT_FILE" ]] && [[ -f "$IRONIC_KEY_FILE" ]]; then
exit 1
fi
if [[ -f "$IRONIC_INSPECTOR_CERT_FILE" ]] && [[ ! -f "$IRONIC_INSPECTOR_KEY_FILE" ]]; then
echo "Missing TLS Certificate key file $IRONIC_INSPECTOR_KEY_FILE"
exit 1
fi
if [[ ! -f "$IRONIC_INSPECTOR_CERT_FILE" ]] && [[ -f "$IRONIC_INSPECTOR_KEY_FILE" ]]; then
echo "Missing TLS Certificate file $IRONIC_INSPECTOR_CERT_FILE"
exit 1
fi
if [[ -f "$IRONIC_VMEDIA_CERT_FILE" ]] && [[ ! -f "$IRONIC_VMEDIA_KEY_FILE" ]]; then
echo "Missing TLS Certificate key file $IRONIC_VMEDIA_KEY_FILE"
exit 1
@@ -51,6 +43,15 @@ if [[ ! -f "$IRONIC_VMEDIA_CERT_FILE" ]] && [[ -f "$IRONIC_VMEDIA_KEY_FILE" ]];
exit 1
fi
if [[ -f "$IPXE_CERT_FILE" ]] && [[ ! -f "$IPXE_KEY_FILE" ]]; then
echo "Missing TLS Certificate key file $IPXE_KEY_FILE"
exit 1
fi
if [[ ! -f "$IPXE_CERT_FILE" ]] && [[ -f "$IPXE_KEY_FILE" ]]; then
echo "Missing TLS Certificate file $IPXE_CERT_FILE"
exit 1
fi
copy_atomic()
{
local src="$1"
@@ -75,25 +76,20 @@ else
export IRONIC_SCHEME="http"
fi
if [[ -f "$IRONIC_INSPECTOR_CERT_FILE" ]] || [[ -f "$IRONIC_INSPECTOR_CACERT_FILE" ]]; then
export IRONIC_INSPECTOR_TLS_SETUP="true"
export IRONIC_INSPECTOR_SCHEME="https"
if [[ ! -f "$IRONIC_INSPECTOR_CACERT_FILE" ]]; then
copy_atomic "$IRONIC_INSPECTOR_CERT_FILE" "$IRONIC_INSPECTOR_CACERT_FILE"
fi
else
export IRONIC_INSPECTOR_TLS_SETUP="false"
export IRONIC_INSPECTOR_SCHEME="http"
fi
if [[ -f "$IRONIC_VMEDIA_CERT_FILE" ]]; then
export IRONIC_VMEDIA_SCHEME="https"
export IRONIC_VMEDIA_TLS_SETUP="true"
else
export IRONIC_VMEDIA_SCHEME="http"
export IRONIC_VMEDIA_TLS_SETUP="false"
fi
if [[ -f "$IPXE_CERT_FILE" ]]; then
export IPXE_SCHEME="https"
export IPXE_TLS_SETUP="true"
else
export IPXE_SCHEME="http"
export IPXE_TLS_SETUP="false"
fi
if [[ -f "$MARIADB_CACERT_FILE" ]]; then
export MARIADB_TLS_ENABLED="true"
else

10
ironic-ipa-downloader-image/Dockerfile
View File

@@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:2.0.0
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:2.0.0-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.0
#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.0-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -8,7 +8,7 @@ FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
RUN zypper --installroot /installroot --non-interactive install --no-recommends openstack-ironic-image-x86_64 python311-devel python311 python311-pip tar gawk git curl xz fakeroot shadow sed cpio; zypper -n clean; rm -rf /var/log/*
RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 python311-devel python311 python311-pip tar gawk git curl xz fakeroot shadow sed cpio; zypper -n clean; rm -rf /var/log/*
#RUN zypper --installroot /installroot --non-interactive install --no-recommends sles-release;
RUN cp /usr/bin/getopt /installroot/
@@ -19,11 +19,11 @@ FROM micro AS final
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="2.0.0"
LABEL org.opencontainers.image.version="3.0.0"
LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:2.0.0-%RELEASE%"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.0-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"

4
ironic-ipa-downloader-image/_service
View File

@@ -3,8 +3,8 @@
<service mode="buildtime" name="docker_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%openstack-ironic-image-x86_64_version%%</param>
<param name="package">openstack-ironic-image-x86_64</param>
<param name="regex">%%ironic-ipa-ramdisk-x86_64_version%%</param>
<param name="package">ironic-ipa-ramdisk-x86_64</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">

0
openstack-ironic-image/_constraints → ironic-ipa-ramdisk/_constraints
View File

0
openstack-ironic-image/config.sh → ironic-ipa-ramdisk/config.sh
View File

2
openstack-ironic-image/openstack-ironic-image.kiwi → ironic-ipa-ramdisk/ironic-ipa-ramdisk.kiwi
View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<image schemaversion="7.4" name="openstack-ironic-image">
<image schemaversion="7.4" name="openstack-ironic-image-201">
<description type="system">
<author>Cloud developers</author>
<contact>cloud-devel@suse.de</contact>

6
openstack-ironic-image/openstack-ironic-image.spec → ironic-ipa-ramdisk/ironic-ipa-ramdisk.spec
View File

@@ -18,15 +18,15 @@
# needsbinariesforbuild
Name: openstack-ironic-image
Version: 2.0.0
Name: ironic-ipa-ramdisk
Version: 3.0.0
Release: 0
Summary: Kernel and ramdisk image for OpenStack Ironic
License: SUSE-EULA
Group: System/Management
URL: https://github.com/SUSE-Cloud/
Source0: config.sh
Source10: openstack-ironic-image.kiwi
Source10: ironic-ipa-ramdisk.kiwi
Source20: root.tar.bz2
BuildRequires: -post-build-checks

BIN
ironic-ipa-ramdisk/root.tar.bz2 Normal file
View File

Binary file not shown.

35
kube-rbac-proxy-image/Dockerfile Normal file
View File

@@ -0,0 +1,35 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%
#!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends kube-rbac-proxy; zypper -n clean; rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.kube-rbac-proxy
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE kube-rbac-proxy Container Image"
LABEL org.opencontainers.image.description="kube-rbac-proxy based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%%kube-rbac-proxy_version%%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
#Install kube-rbac-proxy
EXPOSE 8080
USER 65532:65532
ENTRYPOINT ["/kube-rbac-proxy"]

19
kube-rbac-proxy-image/_service Normal file
View File

@@ -0,0 +1,19 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service mode="buildtime" name="docker_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%kube-rbac-proxy_version%%</param>
<param name="package">kube-rbac-proxy</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
<param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
<param name="var">SUPPORT_LEVEL</param>
</service>
</services>

4
kube-rbac-proxy/_service
View File

@@ -2,7 +2,7 @@
<service name="obs_scm">
<param name="url">https://github.com/brancz/kube-rbac-proxy</param>
<param name="scm">git</param>
<param name="revision">v0.18.0</param>
<param name="revision">v0.18.1</param>
<param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
@@ -20,4 +20,4 @@
<service name="go_modules">
</service>
<service mode="buildtime" name="set_version" />
</services>
</services>

6
kube-rbac-proxy/kube-rbac-proxy.spec
View File

@@ -17,14 +17,14 @@
Name: kube-rbac-proxy
Version: 0.18.0
Release: 0.18.0
Version: 0.18.1
Release: 0.18.1
Summary: The kube-rbac-proxy is a small HTTP proxy for a single upstream
License: Apache-2.0
URL: https://github.com/brancz/kube-rbac-proxy
Source: kube-rbac-proxy-%{version}.tar.gz
Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.22
BuildRequires: golang(API) = 1.23
ExcludeArch: s390
ExcludeArch: %{ix86}

2
metallb-chart/values.yaml
View File

@@ -59,7 +59,7 @@ prometheus:
# the image to be used for the kuberbacproxy container
rbacProxy:
repository: "%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy"
tag: "v0.18.0"
tag: "0.18.1"
pullPolicy: IfNotPresent
# Prometheus Operator PodMonitors

BIN
openstack-ironic-image/root.tar.bz2 (Stored with Git LFS)
View File

Binary file not shown.

8
rancher-turtles-airgap-resources-chart/Chart.yaml
View File

@@ -1,10 +1,10 @@
#!BuildTag: %%IMG_PREFIX%%rancher-turtles-airgap-resources-chart:0.3.3
#!BuildTag: %%IMG_PREFIX%%rancher-turtles-airgap-resources-chart:0.3.3-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%rancher-turtles-airgap-resources-chart:302.0.0_up0.13.0
#!BuildTag: %%IMG_PREFIX%%rancher-turtles-airgap-resources-chart:302.0.0_up0.13.0
apiVersion: v2
appVersion: 0.11.0
appVersion: 0.13.0
description: Rancher Turtles utility chart for airgap scenarios
home: https://github.com/rancher/turtles/
icon: https://raw.githubusercontent.com/rancher/turtles/main/logos/capi.svg
name: rancher-turtles-airgap-resources
type: application
version: 0.3.3
version: 302.0.0+up0.13.0

2
rancher-turtles-airgap-resources-chart/_service
View File

@@ -2,7 +2,7 @@
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service name="replace_using_env" mode="buildtime">
<param name="file">Chart.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
</service>
</services>

4
rancher-turtles-airgap-resources-chart/templates/airgap-cm-core.yaml
View File

File diff suppressed because one or more lines are too long

6
rancher-turtles-airgap-resources-chart/templates/airgap-cm-metal3.yaml
View File

@@ -3647,7 +3647,7 @@ data:
envFrom:
- configMapRef:
name: capm3-capm3fasttrack-configmap
image: quay.io/metal3-io/cluster-api-provider-metal3:v1.7.1
image: quay.io/metal3-io/cluster-api-provider-metal3:v1.7.2
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -3731,7 +3731,7 @@ data:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: quay.io/metal3-io/ip-address-manager:v1.7.1
image: quay.io/metal3-io/ip-address-manager:v1.7.2
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -4384,7 +4384,7 @@ data:
kind: ConfigMap
metadata:
creationTimestamp: null
name: v1.7.1
name: v1.7.2
namespace: capm3-system
labels:
provider-components: metal3

17
rancher-turtles-airgap-resources-chart/templates/airgap-cm-rke2-bootstrap.yaml
View File

@@ -868,6 +868,11 @@ data:
type: string
type: array
type: object
podSecurityAdmissionConfigFile:
description: |-
PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
spec.Files field.
type: string
protectKernelDefaults:
description: |-
ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.
@@ -2050,6 +2055,11 @@ data:
type: string
type: array
type: object
podSecurityAdmissionConfigFile:
description: |-
PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
spec.Files field.
type: string
protectKernelDefaults:
description: |-
ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.
@@ -2535,7 +2545,7 @@ data:
- --insecure-diagnostics=${CAPRKE2_INSECURE_DIAGNOSTICS:=false}
command:
- /manager
image: ghcr.io/rancher/cluster-api-provider-rke2-bootstrap:v0.7.1
image: ghcr.io/rancher/cluster-api-provider-rke2-bootstrap:v0.8.0
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -2742,10 +2752,13 @@ data:
- major: 0
minor: 7
contract: v1beta1
- major: 0
minor: 8
contract: v1beta1
kind: ConfigMap
metadata:
creationTimestamp: null
name: v0.7.1
name: v0.8.0
namespace: rke2-bootstrap-system
labels:
provider-components: rke2-bootstrap

17
rancher-turtles-airgap-resources-chart/templates/airgap-cm-rke2-control-plane.yaml
View File

@@ -1513,6 +1513,11 @@ data:
type: string
type: array
type: object
podSecurityAdmissionConfigFile:
description: |-
PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
spec.Files field.
type: string
protectKernelDefaults:
description: |-
ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.
@@ -2926,6 +2931,11 @@ data:
type: string
type: array
type: object
podSecurityAdmissionConfigFile:
description: |-
PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
spec.Files field.
type: string
protectKernelDefaults:
description: |-
ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.
@@ -4285,7 +4295,7 @@ data:
valueFrom:
fieldRef:
fieldPath: metadata.uid
image: ghcr.io/rancher/cluster-api-provider-rke2-controlplane:v0.7.1
image: ghcr.io/rancher/cluster-api-provider-rke2-controlplane:v0.8.0
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
@@ -4499,10 +4509,13 @@ data:
- major: 0
minor: 7
contract: v1beta1
- major: 0
minor: 8
contract: v1beta1
kind: ConfigMap
metadata:
creationTimestamp: null
name: v0.7.1
name: v0.8.0
namespace: rke2-control-plane-system
labels:
provider-components: rke2-control-plane

6
rancher-turtles-chart/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies:
- name: cluster-api-operator
repository: https://kubernetes-sigs.github.io/cluster-api-operator
version: 0.12.0
digest: sha256:c167c074ca89ef7a520ec18a5afd380b9edaee513810aa3ac0e0bda51db9c526
generated: "2024-08-22T14:23:18.589443298Z"
version: 0.14.0
digest: sha256:9e9e851dbab3212c279efec06bcf0da147228ea1590470f3a8cbbb5806a250d4
generated: "2024-10-28T11:44:34.392387979Z"

10
rancher-turtles-chart/Chart.yaml
View File

@@ -1,5 +1,5 @@
#!BuildTag: %%IMG_PREFIX%%rancher-turtles-chart:0.3.3
#!BuildTag: %%IMG_PREFIX%%rancher-turtles-chart:0.3.3-%RELEASE%
#!BuildTag: %%IMG_PREFIX%%rancher-turtles-chart:302.0.0_up0.13.0
#!BuildTag: %%IMG_PREFIX%%rancher-turtles-chart:302.0.0_up0.13.0-%RELEASE%
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: Rancher Turtles - the Cluster API Extension
@@ -12,12 +12,12 @@ annotations:
catalog.cattle.io/scope: management
catalog.cattle.io/type: cluster-tool
apiVersion: v2
appVersion: 0.11.0
appVersion: 0.13.0
dependencies:
- condition: cluster-api-operator.enabled
name: cluster-api-operator
repository: file://./charts/cluster-api-operator
version: 0.12.0
version: 0.14.0
description: Rancher Turtles is an extension to Rancher that brings full Cluster API
integration to Rancher.
home: https://github.com/rancher/turtles/
@@ -29,4 +29,4 @@ keywords:
- provisioning
name: rancher-turtles
type: application
version: 0.3.3+up0.11.0
version: 302.0.0+up0.13.0

10
rancher-turtles-chart/RELEASE_NOTES.md
View File

@@ -1,6 +1,4 @@
## Changes since test/v0.11.0
---
## :chart_with_upwards_trend: Overview
_Thanks to all our contributors!_ 😊
gh: To use GitHub CLI in a GitHub Actions workflow, set the GH_TOKEN environment variable. Example:
env:
GH_TOKEN: ${{ github.token }}
: exit status 4

4
rancher-turtles-chart/_service
View File

@@ -2,14 +2,14 @@
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service name="replace_using_env" mode="buildtime">
<param name="file">values.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Chart.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
</service>
</services>

4
rancher-turtles-chart/charts/cluster-api-operator/Chart.yaml
View File

@@ -1,6 +1,6 @@
apiVersion: v2
appVersion: 0.12.0
appVersion: 0.14.0
description: Cluster API Operator
name: cluster-api-operator
type: application
version: 0.12.0
version: 0.14.0

4
rancher-turtles-chart/charts/cluster-api-operator/templates/addon.yaml
View File

@@ -26,7 +26,7 @@ apiVersion: v1
kind: Namespace
metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "1"
"argocd.argoproj.io/sync-wave": "1"
name: {{ $addonNamespace }}
@@ -37,7 +37,7 @@ metadata:
name: {{ $addonName }}
namespace: {{ $addonNamespace }}
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "2"
"argocd.argoproj.io/sync-wave": "2"
{{- if or $addonVersion $.Values.secretName }}

4
rancher-turtles-chart/charts/cluster-api-operator/templates/bootstrap.yaml
View File

@@ -26,7 +26,7 @@ apiVersion: v1
kind: Namespace
metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "1"
name: {{ $bootstrapNamespace }}
---
@@ -36,7 +36,7 @@ metadata:
name: {{ $bootstrapName }}
namespace: {{ $bootstrapNamespace }}
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "2"
{{- if or $bootstrapVersion $.Values.configSecret.name }}
spec:

4
rancher-turtles-chart/charts/cluster-api-operator/templates/control-plane.yaml
View File

@@ -26,7 +26,7 @@ apiVersion: v1
kind: Namespace
metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "1"
name: {{ $controlPlaneNamespace }}
---
@@ -36,7 +36,7 @@ metadata:
name: {{ $controlPlaneName }}
namespace: {{ $controlPlaneNamespace }}
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "2"
{{- if or $controlPlaneVersion $.Values.configSecret.name }}
spec:

4
rancher-turtles-chart/charts/cluster-api-operator/templates/core-conditions.yaml
View File

@@ -6,7 +6,7 @@ apiVersion: v1
kind: Namespace
metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "1"
name: capi-system
---
@@ -16,7 +16,7 @@ metadata:
name: cluster-api
namespace: capi-system
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "2"
{{- with .Values.configSecret }}
spec:

4
rancher-turtles-chart/charts/cluster-api-operator/templates/core.yaml
View File

@@ -25,7 +25,7 @@ apiVersion: v1
kind: Namespace
metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "1"
name: {{ $coreNamespace }}
---
@@ -35,7 +35,7 @@ metadata:
name: {{ $coreName }}
namespace: {{ $coreNamespace }}
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "2"
"argocd.argoproj.io/sync-wave": "2"
{{- if or $coreVersion $.Values.configSecret.name }}

3
rancher-turtles-chart/charts/cluster-api-operator/templates/deployment.yaml
View File

@@ -74,6 +74,9 @@ spec:
{{- if .Values.insecureDiagnostics }}
- --insecure-diagnostics={{ .Values.insecureDiagnostics }}
{{- end }}
{{- if .Values.watchConfigSecret }}
- --watch-configsecret
{{- end }}
{{- with .Values.leaderElection }}
- --leader-elect={{ .enabled }}
{{- if .leaseDuration }}

8
rancher-turtles-chart/charts/cluster-api-operator/templates/infra-conditions.yaml
View File

@@ -7,7 +7,7 @@ apiVersion: v1
kind: Namespace
metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "1"
"argocd.argoproj.io/sync-wave": "1"
name: capi-kubeadm-bootstrap-system
@@ -18,7 +18,7 @@ metadata:
name: kubeadm
namespace: capi-kubeadm-bootstrap-system
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "2"
"argocd.argoproj.io/sync-wave": "2"
{{- with .Values.configSecret }}
@@ -37,7 +37,7 @@ apiVersion: v1
kind: Namespace
metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "1"
"argocd.argoproj.io/sync-wave": "1"
name: capi-kubeadm-control-plane-system
@@ -48,7 +48,7 @@ metadata:
name: kubeadm
namespace: capi-kubeadm-control-plane-system
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "2"
"argocd.argoproj.io/sync-wave": "2"
{{- with .Values.configSecret }}

17
rancher-turtles-chart/charts/cluster-api-operator/templates/infra.yaml
View File

@@ -1,13 +1,3 @@
{{- define "recursivePrinter" }}
{{- range $key, $value := . }}
{{- if kindIs "map" $value }}
{{ $key }}:
{{- include "recursivePrinter" $value | indent 2 }}
{{- else }}
{{ $key }}: {{ $value }}
{{- end }}
{{- end }}
{{- end }}
# Infrastructure providers
{{- if .Values.infrastructure }}
{{- $infrastructures := split ";" .Values.infrastructure }}
@@ -36,7 +26,7 @@ apiVersion: v1
kind: Namespace
metadata:
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "1"
"argocd.argoproj.io/sync-wave": "1"
name: {{ $infrastructureNamespace }}
@@ -47,7 +37,7 @@ metadata:
name: {{ $infrastructureName }}
namespace: {{ $infrastructureNamespace }}
annotations:
"helm.sh/hook": "post-install"
"helm.sh/hook": "post-install,post-upgrade"
"helm.sh/hook-weight": "2"
"argocd.argoproj.io/sync-wave": "2"
{{- if or $infrastructureVersion $.Values.configSecret.name $.Values.manager $.Values.additionalDeployments }}
@@ -77,8 +67,7 @@ spec:
{{- end }}
{{- end }}
{{- if $.Values.additionalDeployments }}
additionalDeployments:
{{- include "recursivePrinter" $.Values.additionalDeployments | indent 2 }}
additionalDeployments: {{ toYaml $.Values.additionalDeployments | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

7
rancher-turtles-chart/charts/cluster-api-operator/templates/operator-components.yaml
View File

@@ -13,7 +13,6 @@ spec:
strategy: Webhook
webhook:
clientConfig:
caBundle: Cg==
service:
name: capi-operator-webhook-service
namespace: '{{ .Release.Namespace }}'
@@ -3023,7 +3022,6 @@ spec:
strategy: Webhook
webhook:
clientConfig:
caBundle: Cg==
service:
name: capi-operator-webhook-service
namespace: '{{ .Release.Namespace }}'
@@ -7618,7 +7616,6 @@ spec:
strategy: Webhook
webhook:
clientConfig:
caBundle: Cg==
service:
name: capi-operator-webhook-service
namespace: '{{ .Release.Namespace }}'
@@ -12216,7 +12213,6 @@ spec:
strategy: Webhook
webhook:
clientConfig:
caBundle: Cg==
service:
name: capi-operator-webhook-service
namespace: '{{ .Release.Namespace }}'
@@ -16811,7 +16807,6 @@ spec:
strategy: Webhook
webhook:
clientConfig:
caBundle: Cg==
service:
name: capi-operator-webhook-service
namespace: '{{ .Release.Namespace }}'
@@ -21409,7 +21404,6 @@ spec:
strategy: Webhook
webhook:
clientConfig:
caBundle: Cg==
service:
name: capi-operator-webhook-service
namespace: '{{ .Release.Namespace }}'
@@ -24419,7 +24413,6 @@ spec:
strategy: Webhook
webhook:
clientConfig:
caBundle: Cg==
service:
name: capi-operator-webhook-service
namespace: '{{ .Release.Namespace }}'

3
rancher-turtles-chart/charts/cluster-api-operator/values.yaml
View File

@@ -19,7 +19,7 @@ leaderElection:
image:
manager:
repository: registry.k8s.io/capi-operator/cluster-api-operator
tag: v0.12.0
tag: v0.14.0
pullPolicy: IfNotPresent
env:
manager: []
@@ -27,6 +27,7 @@ healthAddr: ":8081"
metricsBindAddr: "127.0.0.1:8080"
diagnosticsAddress: "8443"
insecureDiagnostics: false
watchConfigSecret: false
imagePullSecrets: {}
resources:
manager:

66
rancher-turtles-chart/templates/clusterctl-cm-cleanup-job.yaml Normal file
View File

@@ -0,0 +1,66 @@
{{- if index .Values "rancherTurtles" "features" "rancher-webhook" "cleanup" }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: pre-upgrade-job
namespace: '{{ .Values.rancherTurtles.namespace }}'
annotations:
"helm.sh/hook": "post-delete, pre-upgrade"
"helm.sh/hook-weight": "-2"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: pre-upgrade-job-delete-clusterctl-configmap
annotations:
"helm.sh/hook": "post-delete, pre-upgrade"
"helm.sh/hook-weight": "-2"
rules:
- apiGroups: [""]
resources:
- configmaps
verbs:
- list
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: pre-upgrade-job-clusterctl-configmap-cleanup
annotations:
"helm.sh/hook": "post-delete, pre-upgrade"
"helm.sh/hook-weight": "-2"
subjects:
- kind: ServiceAccount
name: pre-upgrade-job
namespace: '{{ .Values.rancherTurtles.namespace }}'
roleRef:
kind: ClusterRole
name: pre-upgrade-job-delete-clusterctl-configmap
apiGroup: rbac.authorization.k8s.io
---
apiVersion: batch/v1
kind: Job
metadata:
name: rancher-clusterctl-configmap-cleanup
namespace: '{{ .Values.rancherTurtles.namespace }}'
annotations:
"helm.sh/hook": "post-delete, pre-upgrade"
"helm.sh/hook-weight": "-1"
spec:
ttlSecondsAfterFinished: 300
template:
spec:
serviceAccountName: pre-upgrade-job
containers:
- name: rancher-clusterctl-configmap-cleanup
image: {{ index .Values "rancherTurtles" "features" "rancher-webhook" "kubectlImage" }}
args:
- delete
- configmap
- --namespace={{ .Values.rancherTurtles.namespace }}
- clusterctl-config
- --ignore-not-found=true
restartPolicy: Never
{{- end }}

2
rancher-turtles-chart/templates/deployment.yaml
View File

@@ -26,7 +26,7 @@ spec:
containers:
- args:
- --leader-elect
- --feature-gates=etcd-snapshot-restore={{ index .Values "rancherTurtles" "features" "etcd-snapshot-restore" "enabled"}},propagate-labels={{ index .Values "rancherTurtles" "features" "propagate-labels" "enabled"}},managementv3-cluster={{ index .Values "rancherTurtles" "features" "managementv3-cluster" "enabled"}},rancher-kube-secret-patch={{ index .Values "rancherTurtles" "features" "rancher-kubeconfigs" "label"}}
- --feature-gates=propagate-labels={{ index .Values "rancherTurtles" "features" "propagate-labels" "enabled"}},managementv3-cluster={{ index .Values "rancherTurtles" "features" "managementv3-cluster" "enabled"}},rancher-kube-secret-patch={{ index .Values "rancherTurtles" "features" "rancher-kubeconfigs" "label"}}
{{- range .Values.rancherTurtles.managerArguments }}
- {{ . }}
{{- end }}

11
rancher-turtles-chart/templates/metal3-infrastructure.yaml
View File

@@ -2,6 +2,17 @@
{{- $namespace := index .Values "cluster-api-operator" "cluster-api" "metal3" "infrastructure" "namespace" }}
{{- if not (lookup "v1" "Namespace" "" $namespace) }}
---
apiVersion: turtles-capi.cattle.io/v1alpha1
kind: ClusterctlConfig
metadata:
name: clusterctl-config
namespace: rancher-turtles-system
spec:
providers:
- name: metal3
url: "https://github.com/metal3-io/cluster-api-provider-metal3/releases/v1.7.2/infrastructure-components.yaml"
type: InfrastructureProvider
---
apiVersion: v1
kind: Namespace
metadata:

2
rancher-turtles-chart/templates/pre-install-job.yaml
View File

@@ -1,4 +1,5 @@
{{- if index .Values "rancherTurtles" "features" "embedded-capi" "disabled" }}
{{- if index .Values "rancherTurtles" "rancherInstalled"}}
---
apiVersion: management.cattle.io/v3
kind: Feature
@@ -10,6 +11,7 @@ metadata:
spec:
value: false
{{- end }}
{{- end }}
{{- if index .Values "rancherTurtles" "features" "rancher-webhook" "cleanup" }}
---
apiVersion: v1

116
rancher-turtles-chart/templates/rancher-turtles-components.yaml
View File

@@ -18,7 +18,7 @@ spec:
- jsonPath: .spec.type
name: Type
type: string
- jsonPath: .spec.name
- jsonPath: .status.name
name: ProviderName
type: string
- jsonPath: .status.installedVersion
@@ -2979,15 +2979,7 @@ spec:
type: string
type:
description: Type is the type of the provider to enable
enum:
- infrastructure
- core
- controlPlane
- bootstrap
- addon
- runtimeextension
- ipam
example: infrastructure
example: InfrastructureProvider
type: string
variables:
additionalProperties:
@@ -3073,6 +3065,10 @@ spec:
description: InstalledVersion is the version of the provider that
is installed.
type: string
name:
description: Name reflects actual provider name, which will be visible
to users in 'kubectl get capiproviders -A -o wide'
type: string
observedGeneration:
description: ObservedGeneration is the latest generation observed
by the controller.
@@ -3102,6 +3098,104 @@ spec:
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
helm.sh/resource-policy: keep
name: clusterctlconfigs.turtles-capi.cattle.io
spec:
group: turtles-capi.cattle.io
names:
kind: ClusterctlConfig
listKind: ClusterctlConfigList
plural: clusterctlconfigs
singular: clusterctlconfig
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterctlConfig is the Schema for the CAPI Clusterctl config
API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ClusterctlConfigSpec defines the user overrides for images
and known providers with sources
properties:
images:
description: Images is a list of image overrided for specified providers
items:
description: Image allows to define transformations to apply to
the image contained in the YAML manifests.
properties:
name:
description: Name of the provider image override
example: all
type: string
repository:
description: Repository sets the container registry override
to pull images from.
example: my-registry/my-org
type: string
tag:
description: Tag allows to specify a tag for the images.
type: string
required:
- name
type: object
type: array
providers:
description: Provider overrides
items:
description: Provider allows to define providers with known URLs
to pull the components.
properties:
name:
description: Name of the provider
type: string
type:
description: Type is the type of the provider
example: InfrastructureProvider
type: string
url:
description: URL of the provider components. Will be used unless
and override is specified
type: string
required:
- name
- type
- url
type: object
type: array
type: object
type: object
x-kubernetes-validations:
- message: Clusterctl Config should be named clusterctl-config.
rule: self.metadata.name == 'clusterctl-config'
served: true
storage: true
subresources:
status: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
@@ -3277,6 +3371,8 @@ rules:
resources:
- capiproviders
- capiproviders/status
- clusterctlconfigs
- clusterctlconfigs/status
verbs:
- get
- list

754
rancher-turtles-chart/templates/rancher-turtles-exp-etcdrestore-components.yaml
View File

@@ -3,13 +3,16 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: rancher-turtles-system/rancher-turtles-etcdsnapshotrestore-serving-cert
controller-gen.kubebuilder.io/version: v0.14.0
labels:
turtles-capi.cattle.io: etcd-restore
name: etcdmachinesnapshots.turtles-capi.cattle.io
spec:
group: turtles-capi.cattle.io
names:
kind: EtcdMachineSnapshot
listKind: EtcdMachineSnapshotList
kind: ETCDMachineSnapshot
listKind: ETCDMachineSnapshotList
plural: etcdmachinesnapshots
singular: etcdmachinesnapshot
scope: Namespaced
@@ -17,7 +20,7 @@ spec:
- name: v1alpha1
schema:
openAPIV3Schema:
description: EtcdMachineSnapshot is the Schema for the EtcdMachineSnapshot
description: ETCDMachineSnapshot is the Schema for the ETCDMachineSnapshot
API.
properties:
apiVersion:
@@ -38,21 +41,81 @@ spec:
metadata:
type: object
spec:
description: EtcdMachineSnapshotSpec defines the desired state of EtcdMachineSnapshot.
description: ETCDMachineSnapshotSpec defines the desired state of EtcdMachineSnapshot
properties:
foo:
clusterName:
type: string
configRef:
type: string
location:
type: string
machineName:
type: string
required:
- foo
- clusterName
- configRef
- location
- machineName
type: object
x-kubernetes-validations:
- message: ETCD snapshot location can't be empty.
rule: size(self.location)>0
status:
default: {}
description: EtcdMachineSnapshotStatus defines observed state of EtcdMachineSnapshot.
description: EtcdSnapshotRestoreStatus defines observed state of EtcdSnapshotRestore
properties:
bar:
conditions:
description: Conditions provide observations of the operational state
of a Cluster API resource.
items:
description: Condition defines an observation of a Cluster API resource
operational state.
properties:
lastTransitionTime:
description: |-
Last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when
the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
A human readable message indicating details about the transition.
This field may be empty.
type: string
reason:
description: |-
The reason for the condition's last transition in CamelCase.
The specific API may choose whether or not this field is considered a guaranteed API.
This field may not be empty.
type: string
severity:
description: |-
Severity provides an explicit classification of Reason code, so the users or machines can immediately
understand the current situation and act accordingly.
The Severity field MUST be set only when Status=False.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: |-
Type of condition in CamelCase or in foo.example.com/CamelCase.
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
can be useful (see .node.status.conditions), the ability to deconflict is important.
type: string
required:
- lastTransitionTime
- status
- type
type: object
type: array
manual:
type: boolean
phase:
description: ETCDSnapshotPhase is a string representation of the phase
of the etcd snapshot
type: string
required:
- bar
type: object
type: object
served: true
@@ -64,13 +127,16 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: rancher-turtles-system/rancher-turtles-etcdsnapshotrestore-serving-cert
controller-gen.kubebuilder.io/version: v0.14.0
labels:
turtles-capi.cattle.io: etcd-restore
name: etcdsnapshotrestores.turtles-capi.cattle.io
spec:
group: turtles-capi.cattle.io
names:
kind: EtcdSnapshotRestore
listKind: EtcdSnapshotRestoreList
kind: ETCDSnapshotRestore
listKind: ETCDSnapshotRestoreList
plural: etcdsnapshotrestores
singular: etcdsnapshotrestore
scope: Namespaced
@@ -78,7 +144,7 @@ spec:
- name: v1alpha1
schema:
openAPIV3Schema:
description: EtcdSnapshotRestore is the schema for the EtcdSnapshotRestore
description: ETCDSnapshotRestore is the schema for the ETCDSnapshotRestore
API.
properties:
apiVersion:
@@ -99,25 +165,673 @@ spec:
metadata:
type: object
spec:
description: EtcdSnapshotRestoreSpec defines the desired state of EtcdSnapshotRestore.
description: ETCDSnapshotRestoreSpec defines the desired state of EtcdSnapshotRestore.
properties:
foo:
clusterName:
type: string
etcdMachineSnapshotName:
type: string
required:
- foo
- clusterName
- etcdMachineSnapshotName
type: object
x-kubernetes-validations:
- message: Cluster Name can't be empty.
rule: size(self.clusterName)>0
- message: ETCD machine snapshot name can't be empty.
rule: size(self.etcdMachineSnapshotName)>0
status:
default: {}
description: EtcdSnapshotRestoreStatus defines observed state of EtcdSnapshotRestore.
description: ETCDSnapshotRestoreStatus defines observed state of EtcdSnapshotRestore.
properties:
bar:
conditions:
description: Conditions provide observations of the operational state
of a Cluster API resource.
items:
description: Condition defines an observation of a Cluster API resource
operational state.
properties:
lastTransitionTime:
description: |-
Last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when
the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
A human readable message indicating details about the transition.
This field may be empty.
type: string
reason:
description: |-
The reason for the condition's last transition in CamelCase.
The specific API may choose whether or not this field is considered a guaranteed API.
This field may not be empty.
type: string
severity:
description: |-
Severity provides an explicit classification of Reason code, so the users or machines can immediately
understand the current situation and act accordingly.
The Severity field MUST be set only when Status=False.
type: string
status:
description: Status of the condition, one of True, False, Unknown.
type: string
type:
description: |-
Type of condition in CamelCase or in foo.example.com/CamelCase.
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
can be useful (see .node.status.conditions), the ability to deconflict is important.
type: string
required:
- lastTransitionTime
- status
- type
type: object
type: array
phase:
default: Pending
description: ETCDSnapshotPhase is a string representation of the phase
of the etcd snapshot
type: string
required:
- bar
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: rancher-turtles-system/rancher-turtles-etcdsnapshotrestore-serving-cert
controller-gen.kubebuilder.io/version: v0.14.0
labels:
turtles-capi.cattle.io: etcd-restore
name: rke2etcdmachinesnapshotconfigs.turtles-capi.cattle.io
spec:
group: turtles-capi.cattle.io
names:
kind: RKE2EtcdMachineSnapshotConfig
listKind: RKE2EtcdMachineSnapshotConfigList
plural: rke2etcdmachinesnapshotconfigs
singular: rke2etcdmachinesnapshotconfig
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: RKE2EtcdMachineSnapshotConfig is the config for the RKE2EtcdMachineSnapshotConfig
API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: RKE2EtcdMachineSnapshotConfigSpec defines the desired state
of RKE2EtcdMachineSnapshotConfig
properties:
local:
properties:
dataDir:
type: string
required:
- dataDir
type: object
s3:
properties:
bucket:
type: string
endpoint:
type: string
endpointCAsecret:
type: string
folder:
type: string
insecure:
type: boolean
location:
type: string
region:
type: string
s3CredentialSecret:
type: string
skipSSLVerify:
type: boolean
type: object
required:
- local
- s3
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: rancher-turtles
app.kubernetes.io/instance: controller-manager-sa
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: serviceaccount
app.kubernetes.io/part-of: rancher-turtles
turtles-capi.cattle.io: etcd-restore
name: rancher-turtles-etcdsnapshotrestore-manager
namespace: rancher-turtles-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: rancher-turtles
app.kubernetes.io/instance: leader-election-role
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: role
app.kubernetes.io/part-of: rancher-turtles
turtles-capi.cattle.io: etcd-restore
name: rancher-turtles-etcdsnapshotrestore-leader-election-role
namespace: rancher-turtles-system
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rancher-turtles-exp/aggregate-to-manager: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
turtles-capi.cattle.io: etcd-restore
name: rancher-turtles-etcdsnapshotrestore-aggregated-manager-role
rules: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rancher-turtles-exp/aggregate-to-manager: "true"
rancher-turtles/aggregate-to-manager: "true"
turtles-capi.cattle.io: etcd-restore
name: rancher-turtles-etcdsnapshotrestore-manager-role
rules:
- apiGroups:
- ""
resources:
- configmaps
- events
- secrets
- serviceaccounts
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- get
- apiGroups:
- bootstrap.cluster.x-k8s.io
resources:
- rke2configs
- rke2configs/finalizers
- rke2configs/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- cluster.x-k8s.io
resources:
- clusters
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- cluster.x-k8s.io
resources:
- clusters/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- cluster.x-k8s.io
resources:
- machines
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- management.cattle.io
resources:
- '*'
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- turtles-capi.cattle.io
resources:
- etcdmachinesnapshots
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- turtles-capi.cattle.io
resources:
- etcdmachinesnapshots/finalizers
verbs:
- update
- apiGroups:
- turtles-capi.cattle.io
resources:
- etcdmachinesnapshots/status
verbs:
- get
- patch
- update
- apiGroups:
- turtles-capi.cattle.io
resources:
- etcdsnapshotrestores
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- turtles-capi.cattle.io
resources:
- etcdsnapshotrestores/finalizers
verbs:
- update
- apiGroups:
- turtles-capi.cattle.io
resources:
- etcdsnapshotrestores/status
verbs:
- get
- patch
- update
- apiGroups:
- turtles-capi.cattle.io
resources:
- rke2etcdmachinesnapshotconfigs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- turtles-capi.cattle.io
resources:
- rke2etcdmachinesnapshotconfigs/finalizers
verbs:
- update
- apiGroups:
- turtles-capi.cattle.io
resources:
- rke2etcdmachinesnapshotconfigs/status
verbs:
- get
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: rancher-turtles
app.kubernetes.io/instance: leader-election-rolebinding
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: rolebinding
app.kubernetes.io/part-of: rancher-turtles
turtles-capi.cattle.io: etcd-restore
name: rancher-turtles-etcdsnapshotrestore-leader-election-rolebinding
namespace: rancher-turtles-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: rancher-turtles-etcdsnapshotrestore-leader-election-role
subjects:
- kind: ServiceAccount
name: rancher-turtles-etcdsnapshotrestore-manager
namespace: rancher-turtles-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: rancher-turtles
app.kubernetes.io/instance: manager-rolebinding
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/name: clusterrolebinding
app.kubernetes.io/part-of: rancher-turtles
turtles-capi.cattle.io: etcd-restore
name: rancher-turtles-etcdsnapshotrestore-manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: rancher-turtles-etcdsnapshotrestore-aggregated-manager-role
subjects:
- kind: ServiceAccount
name: rancher-turtles-etcdsnapshotrestore-manager
namespace: rancher-turtles-system
---
apiVersion: v1
kind: Service
metadata:
labels:
turtles-capi.cattle.io: etcd-restore
name: rancher-turtles-etcdsnapshotrestore-webhook-service
namespace: rancher-turtles-system
spec:
ports:
- port: 443
targetPort: webhook-server
selector:
turtles-capi.cattle.io: etcd-restore
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
control-plane: controller-manager
turtles-capi.cattle.io: etcd-restore
name: rancher-turtles-etcdsnapshotrestore-controller-manager
namespace: rancher-turtles-system
spec:
replicas: 1
selector:
matchLabels:
control-plane: controller-manager
turtles-capi.cattle.io: etcd-restore
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: manager
labels:
control-plane: controller-manager
turtles-capi.cattle.io: etcd-restore
spec:
containers:
- args:
- --leader-elect
command:
- /manager
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
image: ghcr.io/rancher/turtles-etcd-snapshot-restore:dev
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /healthz
port: 9440
initialDelaySeconds: 15
periodSeconds: 20
name: manager
ports:
- containerPort: 9443
name: webhook-server
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 9440
initialDelaySeconds: 5
periodSeconds: 10
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
serviceAccountName: rancher-turtles-etcdsnapshotrestore-manager
terminationGracePeriodSeconds: 10
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
volumes:
- name: cert
secret:
secretName: rancher-turtles-etcdsnapshotrestore-webhook-service-cert
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
labels:
turtles-capi.cattle.io: etcd-restore
name: rancher-turtles-etcdsnapshotrestore-serving-cert
namespace: rancher-turtles-system
spec:
dnsNames:
- rancher-turtles-etcdsnapshotrestore-webhook-service.rancher-turtles-system.svc
- rancher-turtles-etcdsnapshotrestore-webhook-service.rancher-turtles-system.svc.cluster.local
issuerRef:
kind: Issuer
name: rancher-turtles-etcdsnapshotrestore-selfsigned-issuer
secretName: rancher-turtles-etcdsnapshotrestore-webhook-service-cert
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
labels:
turtles-capi.cattle.io: etcd-restore
name: rancher-turtles-etcdsnapshotrestore-selfsigned-issuer
namespace: rancher-turtles-system
spec:
selfSigned: {}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: rancher-turtles-system/rancher-turtles-etcdsnapshotrestore-serving-cert
labels:
turtles-capi.cattle.io: etcd-restore
name: rancher-turtles-etcdsnapshotrestore-mutating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: rancher-turtles-etcdsnapshotrestore-webhook-service
namespace: rancher-turtles-system
path: /mutate-bootstrap-cluster-x-k8s-io-v1beta1-rke2config
failurePolicy: Fail
name: systemagentrke2config.kb.io
rules:
- apiGroups:
- bootstrap.cluster.x-k8s.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- rke2configs
sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: rancher-turtles-system/rancher-turtles-etcdsnapshotrestore-serving-cert
labels:
turtles-capi.cattle.io: etcd-restore
name: rancher-turtles-etcdsnapshotrestore-validating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: rancher-turtles-etcdsnapshotrestore-webhook-service
namespace: rancher-turtles-system
path: /validate-turtles-capi-cattle-io-v1alpha1-etcdmachinesnapshot
failurePolicy: Fail
matchPolicy: Equivalent
name: etcdmachinesnapshot.kb.io
rules:
- apiGroups:
- turtles-capi.cattle.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- etcdmachinesnapshots
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: rancher-turtles-etcdsnapshotrestore-webhook-service
namespace: rancher-turtles-system
path: /validate-turtles-capi-cattle-io-v1alpha1-etcdsnapshotrestore
failurePolicy: Fail
matchPolicy: Equivalent
name: etcdsnapshotrestore.kb.io
rules:
- apiGroups:
- turtles-capi.cattle.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- etcdsnapshotrestores
sideEffects: None
{{- end }}

20
rancher-turtles-chart/values.yaml
View File

@@ -1,10 +1,11 @@
rancherTurtles:
image: registry.rancher.com/rancher/rancher/turtles
imageVersion: v0.11.0
imageVersion: v0.13.0
imagePullPolicy: IfNotPresent
namespace: rancher-turtles-system
managerArguments: []
imagePullSecrets: []
rancherInstalled: true
features:
cluster-api-operator:
cleanup: true
@@ -30,10 +31,6 @@ cluster-api-operator:
enabled: true
cert-manager:
enabled: false
image:
manager:
repository: "%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-operator"
tag: 0.12.0
volumes:
- name: cert
secret:
@@ -42,6 +39,9 @@ cluster-api-operator:
- name: clusterctl-config
configMap:
name: clusterctl-config
image:
manager:
repository: registry.rancher.com/rancher/cluster-api-operator
volumeMounts:
manager:
- mountPath: /tmp/k8s-webhook-server/serving-certs
@@ -57,7 +57,7 @@ cluster-api-operator:
defaultName: capi-env-variables
core:
namespace: capi-system
imageUrl: "%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-controller:1.7.5"
imageUrl: ""
fetchConfig:
url: ""
selector: ""
@@ -66,13 +66,13 @@ cluster-api-operator:
version: ""
bootstrap:
namespace: rke2-bootstrap-system
imageUrl: "%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-provider-rke2-bootstrap:0.7.1"
imageUrl: "registry.rancher.com/rancher/cluster-api-provider-rke2-bootstrap:v0.8.0"
fetchConfig:
url: ""
selector: ""
controlPlane:
namespace: rke2-control-plane-system
imageUrl: "%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-provider-rke2-controlplane:0.7.1"
imageUrl: "registry.rancher.com/rancher/cluster-api-provider-rke2-controlplane:v0.8.0"
fetchConfig:
url: ""
selector: ""
@@ -81,10 +81,10 @@ cluster-api-operator:
version: ""
infrastructure:
namespace: capm3-system
imageUrl: "%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-provider-metal3:1.7.1"
imageUrl: "%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-provider-metal3:1.7.2"
fetchConfig:
url: ""
selector: ""
ipam:
namespace: capm3-system
imageUrl: "%%IMG_REPO%%/%%IMG_PREFIX%%ip-address-manager:1.7.1"
imageUrl: "%%IMG_REPO%%/%%IMG_PREFIX%%images/ip-address-manager:1.7.2"