Remove openstack-ironic-image

This was replaced by ironic-ipa-ramdisk in #8

.gitattributes

@@ -2,3 +2,4 @@
 *.tar.gz filter=lfs diff=lfs merge=lfs -text
 *.tar.xz filter=lfs diff=lfs merge=lfs -text
 *.obscpio filter=lfs diff=lfs merge=lfs -text
+*.tar.bz2 filter=lfs diff=lfs merge=lfs -text

.gitmodules

@@ -4,3 +4,12 @@
 [submodule "cri-tools"]
 	path = cri-tools
 	url = https://src.opensuse.org/pool/cri-tools.git
+[submodule "fakeroot"]
+	path = fakeroot
+	url = https://src.opensuse.org/pool/fakeroot.git
+[submodule "crudini"]
+	path = crudini
+	url = https://src.opensuse.org/pool/crudini.git
+[submodule "autoconf"]
+	path = autoconf
+	url = https://src.opensuse.org/SLFO-pool/autoconf.git

.obs/delete_package.py

@@ -21,7 +21,7 @@ def delete_package_from_workflow(name: str):
 
 
 def delete_package_from_project(name: str):
-    p = subprocess.run(["osc", "rdelete", PROJECT, name], stdout=subprocess.PIPE)
+    p = subprocess.run(["osc", "rdelete", PROJECT, name, "-m \"Deleted via delete_package.py\"" ], stdout=subprocess.PIPE)
     print(p.stdout)
     print(p.stderr)
     p.check_returncode()

.obs/workflows.yml

@@ -190,11 +190,43 @@ staging_build:
       source_package: metallb-speaker-image
       source_project: isv:SUSE:Edge:Factory
       target_project: isv:SUSE:Edge:Factory:Staging
-  - branch_package:
-      source_package: venv
-      source_project: isv:SUSE:Edge:Factory
-      target_project: isv:SUSE:Edge:Factory:Staging
   - branch_package:
       source_package: ironic-image
       source_project: isv:SUSE:Edge:Factory
       target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: cri-tools
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: crudini
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: fakeroot
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: ipcalc
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: autoconf
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: rancher-turtles-airgap-resources-chart
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: rancher-turtles-chart
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: kube-rbac-proxy-image
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging
+  - branch_package:
+      source_package: ironic-ipa-ramdisk
+      source_project: isv:SUSE:Edge:Factory
+      target_project: isv:SUSE:Edge:Factory:Staging

README.md

@@ -13,3 +13,26 @@ Then run the `.obs/add_package.py` script to create the package in the OBS proje
 This script is using the `osc` command behind the scenes, so ensure you have it installed and correctly configured, as well as you have the correct permissions to create a new package in the project.
 
 You will then get asked to push your changes.
+
+## Testing a fork or a development branch
+
+You can create a project in your home space in OBS, use the same prjconf as the one of "isv:SUSE:Edge:Factory", and copy the repositories part of the metadata (adjust self references).
+Then add a scmsync stanza to your metadata like this (adjust repository path and branch):
+
+```xml
+<scmsync>https://src.opensuse.org/suse-edge/Factory#main</scmsync>
+```
+
+## Cutting a release version branch
+
+1. Do the appropriate git branch command
+2. Change the project path in `.obs/common.py` file (e.g. from `isv:SUSE:Edge:Factory` to `isv:SUSE:Edge:3.2`)
+3. Change the branch reference in `.obs/common.py` file (e.g. from `main` to `3.2`)
+4. Edit the `.obs/workflows.yml` file to change the references to the correct projects
+5. Commit those changes to the new branch and push the new branch
+6. Create the base and to-test projects (e.g. `isv:SUSE:Edge:3.2` and `isv:SUSE:Edge:3.2:ToTest`), use the `isv:SUSE:Edge:Factory` projects as example for metadata part
+7. Use the prjconf of Factory in all those projects
+8. Run the `.obs/sync_packages.py` script to create all the packages in the base project
+9. Go take a few cups of coffee/tea/mate/... while waiting for OBS to build everything
+10. Once built do an `osc release` of the project for it to be copied over in the `ToTest` section
+11. Hand over to QA to test whatever is in `ToTest`. (You can continue to work on the base branch if needed meanwhile)

akri-agent-image/Dockerfile

@@ -20,7 +20,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%akri-agent:v%PACKAGE_VERSION%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

akri-agent-image/_service

@@ -13,5 +13,7 @@
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

akri-chart/_service

@@ -2,14 +2,14 @@
   <service mode="buildtime" name="kiwi_metainfo_helper"/>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">values.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Chart.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
   </service>
 </services>

akri-controller-image/Dockerfile

@@ -20,7 +20,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%akri-controller:v%PACKAGE_VERSION%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

akri-controller-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

akri-dashboard-extension-chart/_service

@@ -2,14 +2,14 @@
   <service mode="buildtime" name="kiwi_metainfo_helper"/>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">values.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Chart.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
   </service>
 </services>

akri-debug-echo-discovery-handler-image/Dockerfile

@@ -20,7 +20,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%akri-debug-echo-discovery-handler:v%PACKAGE_VERSION%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

akri-debug-echo-discovery-handler-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

akri-onvif-discovery-handler-image/Dockerfile

@@ -20,7 +20,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%akri-onvif-discovery-handler:v%PACKAGE_VERSION%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

akri-onvif-discovery-handler-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

akri-opcua-discovery-handler-image/Dockerfile

@@ -20,7 +20,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%akri-opcua-discovery-handler:v%PACKAGE_VERSION%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

akri-opcua-discovery-handler-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

akri-udev-discovery-handler-image/Dockerfile

@@ -20,7 +20,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%akri-udev-discovery-handler:v%PACKAGE_VERSION%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

akri-udev-discovery-handler-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

akri-webhook-configuration-image/Dockerfile

@@ -20,7 +20,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%akri-webhook-configuration:v%PACKAGE_VERSION%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="techpreview"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

akri-webhook-configuration-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

baremetal-operator-image/Dockerfile

@@ -21,7 +21,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%baremetal-operator:%%baremetal-operator_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

baremetal-operator-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

baremetal-operator/_service

@@ -2,7 +2,7 @@
  <service name="obs_scm">
     <param name="url">https://github.com/metal3-io/baremetal-operator</param>
     <param name="scm">git</param>
-    <param name="revision">v0.6.1</param>
+    <param name="revision">v0.8.0</param>
     <param name="version">_auto_</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>

baremetal-operator/baremetal-operator.spec

@@ -17,14 +17,14 @@
 
 
 Name:           baremetal-operator
-Version:        0.6.1
+Version:        0.8.0
-Release:        0.6.1
+Release:        0.8.0
 Summary:        Implements a Kubernetes API for managing bare metal hosts
 License:        Apache-2.0
 URL:            https://github.com/metal3-io/baremetal-operator
 Source:         baremetal-operator-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.21
+BuildRequires:  golang(API) = 1.22
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 

cdi-chart/_service

@@ -2,7 +2,7 @@
   <service mode="buildtime" name="kiwi_metainfo_helper"/>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Chart.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
   </service>
 </services>

cluster-api-controller-image/Dockerfile

@@ -22,7 +22,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api:%%cluster-api_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

cluster-api-controller-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

cluster-api-operator-image/Dockerfile

@@ -21,7 +21,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-operator:%%cluster-api-operator_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

cluster-api-operator-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

cluster-api-provider-metal3-image/Dockerfile

@@ -22,7 +22,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-provider-metal3:%%cluster-api-provider-metal3_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

cluster-api-provider-metal3-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

cluster-api-provider-metal3/_service

@@ -2,7 +2,7 @@
  <service name="obs_scm">
     <param name="url">https://github.com/metal3-io/cluster-api-provider-metal3</param>
     <param name="scm">git</param>
-    <param name="revision">v1.7.1</param>
+    <param name="revision">v1.8.2</param>
     <param name="version">_auto_</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>

cluster-api-provider-metal3/cluster-api-provider-metal3.spec

@@ -17,14 +17,14 @@
 
 
 Name:           cluster-api-provider-metal3
-Version:        1.7.1
+Version:        1.8.2
 Release:        0
 Summary:        Cluster API Infrastructure Provider for Metal3
 License:        Apache-2.0
 URL:            https://github.com/metal3-io/cluster-api-provider-metal3
 Source:         cluster-api-provider-metal3-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.21
+BuildRequires:  golang(API) = 1.22
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 

cluster-api-provider-rke2-bootstrap-image/Dockerfile

@@ -22,7 +22,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-provider-rke2-bootstrap:%%cluster-api-provider-rke2_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

cluster-api-provider-rke2-bootstrap-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

cluster-api-provider-rke2-controlplane-image/Dockerfile

@@ -22,7 +22,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-provider-rke2-controlplane:%%cluster-api-provider-rke2_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

cluster-api-provider-rke2-controlplane-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

cluster-api-provider-rke2/_service

@@ -2,7 +2,7 @@
  <service name="obs_scm">
     <param name="url">https://github.com/rancher-sandbox/cluster-api-provider-rke2</param>
     <param name="scm">git</param>
-    <param name="revision">v0.7.0</param>
+    <param name="revision">v0.8.0</param>
     <param name="version">_auto_</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>

cluster-api-provider-rke2/cluster-api-provider-rke2.spec

@@ -17,14 +17,14 @@
 
 
 Name:           cluster-api-provider-rke2
-Version:        0.7.0
+Version:        0.8.0
 Release:        0
 Summary:        Cluster API provider for RKE2
 License:        Apache-2.0
 URL:            https://github.com/rancher-sandbox/cluster-api-provider-rke2
 Source:         cluster-api-provider-rke2-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.21
+BuildRequires:  golang(API) = 1.22
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 

cluster-api/_service

@@ -2,7 +2,7 @@
  <service name="obs_scm">
     <param name="url">https://github.com/kubernetes-sigs/cluster-api</param>
     <param name="scm">git</param>
-    <param name="revision">v1.7.5</param>
+    <param name="revision">v1.8.4</param>
     <param name="version">_auto_</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>

cluster-api/cluster-api.spec

@@ -17,14 +17,14 @@
 
 
 Name:           cluster-api
-Version:        1.7.5
+Version:        1.8.4
 Release:        0
 Summary:        Cluster API Core Controller
 License:        Apache-2.0
 URL:            https://github.com/kubernetes-sigs/cluster-api
 Source:         cluster-api-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.21
+BuildRequires:  golang(API) = 1.22
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 

edge-image-builder-image/Dockerfile

@@ -21,7 +21,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%edge-image-builder:1.1.0-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

edge-image-builder-image/_service

@@ -2,13 +2,15 @@
   <service mode="buildtime" name="kiwi_metainfo_helper"/>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
     <param name="file">artifacts.yaml</param>
     <param name="eval">CHART_REPO=$(rpm --macros=/root/.rpmmacros -E %chart_repo)</param>
     <param name="var">CHART_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>
 

endpoint-copier-operator-chart/_service

@@ -2,14 +2,14 @@
   <service mode="buildtime" name="kiwi_metainfo_helper"/>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">values.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Chart.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
   </service>
 </services>

endpoint-copier-operator-image/Dockerfile

@@ -21,7 +21,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%endpoint-copier-operator:%%endpoint-copier-operator_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

endpoint-copier-operator-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

ip-address-manager-image/Dockerfile

@@ -22,7 +22,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ip-address-manager:%%ip-address-manager_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

ip-address-manager-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

ip-address-manager/_service

@@ -2,7 +2,7 @@
  <service name="obs_scm">
     <param name="url">https://github.com/metal3-io/ip-address-manager</param>
     <param name="scm">git</param>
-    <param name="revision">v1.7.1</param>
+    <param name="revision">v1.8.1</param>
     <param name="version">_auto_</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>

ip-address-manager/ip-address-manager.spec

@@ -17,14 +17,14 @@
 
 
 Name:           ip-address-manager
-Version:        1.7.1
+Version:        1.8.1
 Release:        0
 Summary:        Metal3 IPAM controller
 License:        Apache-2.0
 URL:            https://github.com/metal3-io/ip-address-manager
 Source:         ip-address-manager-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.21
+BuildRequires:  golang(API) = 1.22
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 

ipcalc/ipcalc-disable-network-tests.patch

@@ -0,0 +1,50 @@
+Index: ipcalc-1.0.0/tests/meson.build
+===================================================================
+--- ipcalc-1.0.0.orig/tests/meson.build
++++ ipcalc-1.0.0/tests/meson.build
+@@ -64,14 +64,6 @@ test('RandomIPv6Explicit',
+ 		ipcalc.full_path() + ' -6 -r 24' + '|grep Address'
+ 	]
+ )
+-test('HostnameIPv6Localhost',
+-	testrunner,
+-	args : [
+-		'--test-outfile',
+-		ipcalc.full_path() + ' -6 -o localhost',
+-		files('hostname-localhost-ipv6')
+-	]
+-)
+ test('HostnameIPv4Localhost',
+ 	testrunner,
+ 	args : [
+@@ -88,30 +80,6 @@ test('HostnameIPv4LocalhostJson',
+ 		files('hostname-localhost-ipv4-json')
+ 	]
+ )
+-test('IPIPv6Localhost',
+-	testrunner,
+-	args : [
+-		'--test-outfile',
+-		ipcalc.full_path() + ' -h ::1',
+-		files('ip-localhost-ipv6')
+-	]
+-)
+-test('IPIPv4Localhost',
+-	testrunner,
+-	args : [
+-		'--test-outfile',
+-		ipcalc.full_path() + ' -h 127.0.0.1',
+-		files('ip-localhost-ipv4')
+-	]
+-)
+-test('IPIPv4LocalhostJson',
+-	testrunner,
+-	args : [
+-		'--test-outfile',
+-		ipcalc.full_path() + ' -j -h 127.0.0.1',
+-		files('ip-localhost-ipv4-json')
+-	]
+-)
+ # --class-prefix tests
+ test('AssignClassPrefix12',
+ 	testrunner,

ipcalc/ipcalc.changes

@@ -0,0 +1,64 @@
+-------------------------------------------------------------------
+Tue Jun 27 15:11:20 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.0.3:
+  * When --no-decorate is given the default output will
+  * include no colors
+  * Correctly split networks with /31
+
+-------------------------------------------------------------------
+Mon Jan  2 20:43:13 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.0.2:
+  * Fix ULA prefix generator to use only defined ULA range
+  * Corrected manpage generation
+
+-------------------------------------------------------------------
+Sat Oct 16 15:16:34 UTC 2021 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.0.1:
+  - The application will now build even without ronn
+  - Improved JSON output on single host input
+
+-------------------------------------------------------------------
+Sat Apr  3 20:54:10 UTC 2021 - Atri Bhattacharya <badshah400@gmail.com>
+
+- Update to version 1.0.0:
+  * Manpage was converted to markdown.
+- Switch to using meson for building; BuildRequires: meson >=
+  0.49.
+- Addtional BuildRequires now needed: pkgconfig(libmaxminddb),
+  rubygem(ronn).
+- Add ipcalc-disable-network-tests.patch: Disable tests requiring
+  network.
+- Run tests as part of %check section.
+- New upstream URL and Source URL.
+- Drop patch patch-queue: no longer needed.
+
+-------------------------------------------------------------------
+Tue Aug  4 10:07:35 UTC 2015 - mpluskal@suse.com
+
+- Cleanup spec file with spec-clenaer
+
+-------------------------------------------------------------------
+Sun Jun 26 22:24:37 UTC 2011 - lazy.kent@opensuse.org
+
+- refreshed patch to fix build in openSUSE >= 11.3
+- splitted off rpm changelog to changes
+- corrected License tag
+- added Authors
+- formatted spec
+
+-------------------------------------------------------------------
+Sun Nov 18 00:00:00 UTC 2007 - guru@unixtech.be
+
+- moved to openSUSE Build Service
+- added minor patch
+
+-------------------------------------------------------------------
+Sun Oct 22 00:00:00 UTC 2006 - guru@unixtech.be
+
+- new upstream version
+- rewrote spec file
+
+

ipcalc/ipcalc.spec

@@ -0,0 +1,61 @@
+#
+# spec file for package ipcalc
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           ipcalc
+Version:        1.0.3
+Release:        0
+Summary:        IPv4/IPv6 tool assisting in network calculations on the command line
+License:        GPL-2.0-or-later
+Group:          Productivity/Networking/System
+URL:            https://gitlab.com/ipcalc/ipcalc
+Source0:        https://gitlab.com/ipcalc/ipcalc/-/archive/%{version}/%{name}-%{version}.tar.bz2
+# PATCH-FEATURE-OPENSUSE ipcalc-disable-network-tests.patch badshah400@gmail.com -- Disable tests requiring network
+Patch0:         ipcalc-disable-network-tests.patch
+BuildRequires:  meson >= 0.49
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(libmaxminddb)
+Conflicts:      netcalc
+
+%description
+ipcalc is a modern tool to assist in network address calculations for IPv4 and
+IPv6. It acts both as a tool to output human readable information about a
+network or address, as well as a tool suitable to be used by scripts or other
+programs.  It supports printing a summary about the provided network address,
+multiple command line options per information to be printed, transparent IPv6
+support, and in addition it will use libGeoIP if available to provide
+geographic information.
+
+%prep
+%autosetup -p1
+
+%build
+%meson
+%meson_build
+
+%install
+%meson_install
+
+%check
+%meson_test
+
+%files
+%doc README.md NEWS
+%license COPYING
+%{_bindir}/ipcalc
+
+%changelog

ironic-image/Dockerfile

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic:24.1.2.0
+#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.0
-#!BuildTag: %%IMG_PREFIX%%ironic:24.1.2.0-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.0-%RELEASE%
 #!BuildVersion: 15.6
 
 ARG SLE_VERSION
@@ -16,7 +16,12 @@ RUN /bin/prepare-efi.sh
 
 COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
-RUN zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp syslinux ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api
+RUN zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp syslinux ipxe-bootimgs crudini openstack-ironic
+
+# DATABASE
+RUN mkdir -p /installroot/var/lib/ironic && \
+  /installroot/usr/bin/sqlite3 /installroot/var/lib/ironic/ironic.sqlite "pragma journal_mode=wal" && \
+  zypper --installroot /installroot --non-interactive remove sqlite3
 
 FROM micro AS final
 MAINTAINER SUSE LLC (https://www.suse.com/)
@@ -26,10 +31,10 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opencontainers.image.version="24.1.2.0"
+LABEL org.opencontainers.image.version="26.1.2.0"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:24.1.2.0-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:26.1.2.0-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"
@@ -48,8 +53,8 @@ RUN echo 'alias mkisofs="xorriso -as mkisofs"' >> ~/.bashrc
 COPY mkisofs_wrapper /usr/bin/mkisofs
 RUN set -euo pipefail; chmod +x /usr/bin/mkisofs
 
-COPY auth-common.sh configure-ironic.sh ironic-common.sh rundnsmasq runhttpd runironic runironic-api runironic-conductor runironic-exporter runironic-inspector runlogwatch.sh tls-common.sh configure-nonroot.sh /bin/
+COPY auth-common.sh configure-ironic.sh ironic-common.sh rundnsmasq runhttpd runironic runlogwatch.sh tls-common.sh configure-nonroot.sh ironic-probe.j2 /bin/
-RUN set -euo pipefail; chmod +x /bin/auth-common.sh; chmod +x /bin/configure-ironic.sh; chmod +x /bin/ironic-common.sh; chmod +x /bin/rundnsmasq; chmod +x /bin/runhttpd; chmod +x /bin/runironic; chmod +x /bin/runironic-api; chmod +x /bin/runironic-conductor; chmod +x /bin/runironic-exporter; chmod +x /bin/runironic-inspector; chmod +x /bin/runlogwatch.sh; chmod +x /bin/tls-common.sh; chmod +x /bin/configure-nonroot.sh;
+RUN set -euo pipefail; chmod +x /bin/auth-common.sh; chmod +x /bin/configure-ironic.sh; chmod +x /bin/ironic-common.sh; chmod +x /bin/rundnsmasq; chmod +x /bin/runhttpd; chmod +x /bin/runironic; chmod +x /bin/runlogwatch.sh; chmod +x /bin/tls-common.sh; chmod +x /bin/configure-nonroot.sh;
 RUN mkdir -p /tftpboot
 RUN mkdir -p $GRUB_DIR
 
@@ -63,7 +68,7 @@ RUN cp /usr/share/ipxe/ipxe-x86_64.efi /tftpboot/ipxe.efi
 COPY --from=base /tmp/esp.img /tmp/uefi_esp.img
 
 COPY ironic.conf.j2 /etc/ironic/
-COPY inspector.ipxe.j2 httpd-ironic-api.conf.j2 /tmp/
+COPY inspector.ipxe.j2 httpd-ironic-api.conf.j2 ipxe_config.template /tmp/
 COPY network-data-schema-empty.json /etc/ironic/
 
 # DNSMASQ
@@ -73,14 +78,7 @@ COPY dnsmasq.conf.j2 /etc/
 COPY httpd.conf.j2 /etc/httpd/conf/
 COPY httpd-modules.conf /etc/httpd/conf.modules.d/
 COPY apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
-
+COPY apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
-# IRONIC-INSPECTOR #
-RUN mkdir -p /var/lib/ironic /var/lib/ironic-inspector && \
-  sqlite3 /var/lib/ironic/ironic.db "pragma journal_mode=wal" && \
-  sqlite3 /var/lib/ironic-inspector/ironic-inspector.db "pragma journal_mode=wal"
-
-COPY ironic-inspector.conf.j2 /etc/ironic-inspector/
-COPY inspector-apache.conf.j2 /etc/httpd/conf.d/
 
 # Workaround
 # Removing the 010-ironic.conf file that comes with the package 

ironic-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

ironic-image/apache2-ipxe.conf.j2

@@ -0,0 +1,35 @@
+Listen {{ env.IPXE_TLS_PORT }}
+
+<VirtualHost *:{{ env.IPXE_TLS_PORT }}>
+    ErrorLog /dev/stderr
+    LogLevel debug
+    CustomLog /dev/stdout combined
+
+    SSLEngine on
+    SSLProtocol {{ env.IPXE_SSL_PROTOCOL }}
+    SSLCertificateFile {{ env.IPXE_CERT_FILE }}
+    SSLCertificateKeyFile {{ env.IPXE_KEY_FILE }}
+
+    <Directory "/shared/html">
+        Order Allow,Deny
+        Allow from all
+    </Directory>
+    <Directory "/shared/html/(redfish|ilo|images)/">
+        Order Deny,Allow
+        Deny from all
+    </Directory>
+</VirtualHost>
+
+<Location ~ "^/grub.*/">
+    SSLRequireSSL
+</Location>
+<Location ~ "^/pxelinux.cfg/">
+    SSLRequireSSL
+</Location>
+<Location ~ "^/.*\.conf/">
+    SSLRequireSSL
+</Location>
+<Location ~ "^/(([0-9]|[a-z]).*-){4}([0-9]|[a-z]).*/">
+    SSLRequireSSL
+</Location>
+

ironic-image/apache2-vmedia.conf.j2

@@ -9,16 +9,18 @@ Listen {{ env.VMEDIA_TLS_PORT }}
     SSLProtocol {{ env.IRONIC_VMEDIA_SSL_PROTOCOL }}
     SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
     SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}
-    
-    <Directory "/shared">
-        AllowOverride None
-        Require all granted
-    </Directory>
 
-    <Directory "/shared/html">
+    <Directory ~ "/shared/html">
-        Options Indexes FollowSymLinks
+         Order deny,allow
-        AllowOverride None
+         deny from all
-        Require all granted
+    </Directory>
+    <Directory ~ "/shared/html/(redfish|ilo)/">
+         Order allow,deny
+         allow from all
+    </Directory>
+    <Directory ~ "/shared/html/images/">
+         Order allow,deny
+         allow from all
     </Directory>
 </VirtualHost>
 

ironic-image/auth-common.sh

@@ -2,36 +2,39 @@
 
 set -euxo pipefail
 
-export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
-export INSPECTOR_HTPASSWD=${INSPECTOR_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
-export IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}"
 export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
-export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
+
+# Backward compatibility
+if [[ "${IRONIC_DEPLOYMENT:-}" == "Conductor" ]]; then
+    export IRONIC_EXPOSE_JSON_RPC=true
+else
+    export IRONIC_EXPOSE_JSON_RPC="${IRONIC_EXPOSE_JSON_RPC:-false}"
+fi
 
 IRONIC_HTPASSWD_FILE=/etc/ironic/htpasswd
-INSPECTOR_HTPASSWD_FILE=/etc/ironic-inspector/htpasswd
+if [[ -f "/auth/ironic/htpasswd" ]]; then
+    IRONIC_HTPASSWD=$(</auth/ironic/htpasswd)
+fi
+export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
 
 configure_client_basic_auth()
 {
     local auth_config_file="/auth/$1/auth-config"
     local dest="${2:-/etc/ironic/ironic.conf}"
     if [[ -f "${auth_config_file}" ]]; then
-        # Merge configurations in the "auth" directory into the default ironic configuration file because there is no way to choose the configuration file
+        # Merge configurations in the "auth" directory into the default ironic configuration file
-        # when running the api as a WSGI app.
         crudini --merge "${dest}" < "${auth_config_file}"
     fi
 }
 
 configure_json_rpc_auth()
 {
-    export JSON_RPC_AUTH_STRATEGY="noauth"
+    if [[ "${IRONIC_EXPOSE_JSON_RPC}" == "true" ]]; then
-    if [[ -n "${IRONIC_HTPASSWD}" ]]; then
+        if [[ -z "${IRONIC_HTPASSWD}" ]]; then
-        if [[ "${IRONIC_DEPLOYMENT}" == "Conductor" ]]; then
+            echo "FATAL: enabling JSON RPC requires authentication"
-            export JSON_RPC_AUTH_STRATEGY="http_basic"
+            exit 1
-            printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
-        else
-            printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
         fi
+        printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
     fi
 }
 
@@ -48,24 +51,9 @@ configure_ironic_auth()
     fi
 }
 
-configure_inspector_auth()
-{
-    local config=/etc/ironic-inspector/ironic-inspector.conf
-    if [[ -n "${INSPECTOR_HTPASSWD}" ]]; then
-        printf "%s\n" "${INSPECTOR_HTPASSWD}" > "${INSPECTOR_HTPASSWD_FILE}"
-        if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "false" ]]; then
-            crudini --set "${config}" DEFAULT auth_strategy http_basic
-            crudini --set "${config}" DEFAULT http_basic_auth_user_file "${INSPECTOR_HTPASSWD_FILE}"
-        fi
-    fi
-}
-
 write_htpasswd_files()
 {
     if [[ -n "${IRONIC_HTPASSWD:-}" ]]; then
         printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
     fi
-    if [[ -n "${INSPECTOR_HTPASSWD:-}" ]]; then
-        printf "%s\n" "${INSPECTOR_HTPASSWD}" > "${INSPECTOR_HTPASSWD_FILE}"
-    fi
 }

ironic-image/configure-ironic.sh

@@ -2,14 +2,13 @@
 
 set -euxo pipefail
 
-IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}"
 IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}"
 
 # Define the VLAN interfaces to be included in introspection report, e.g.
 #   all - all VLANs on all interfaces using LLDP information
 #   <interface> - all VLANs on a particular interface using LLDP information
 #   <interface.vlan> - a particular VLAN on an interface, not relying on LLDP
-export IRONIC_INSPECTOR_VLAN_INTERFACES=${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}
+export IRONIC_ENABLE_VLAN_INTERFACES=${IRONIC_ENABLE_VLAN_INTERFACES:-${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}}
 
 # shellcheck disable=SC1091
 . /bin/tls-common.sh
@@ -20,13 +19,17 @@ export IRONIC_INSPECTOR_VLAN_INTERFACES=${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}
 
 export HTTP_PORT=${HTTP_PORT:-80}
 
-MARIADB_PASSWORD=${MARIADB_PASSWORD}
+export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true}
-MARIADB_DATABASE=${MARIADB_DATABASE:-ironic}
+
-MARIADB_USER=${MARIADB_USER:-ironic}
+if [[ "$IRONIC_USE_MARIADB" == "true" ]]; then
-MARIADB_HOST=${MARIADB_HOST:-127.0.0.1}
+    MARIADB_PASSWORD=${MARIADB_PASSWORD}
-export MARIADB_CONNECTION="mysql+pymysql://${MARIADB_USER}:${MARIADB_PASSWORD}@${MARIADB_HOST}/${MARIADB_DATABASE}?charset=utf8"
+    MARIADB_DATABASE=${MARIADB_DATABASE:-ironic}
-if [[ "$MARIADB_TLS_ENABLED" == "true" ]]; then
+    MARIADB_USER=${MARIADB_USER:-ironic}
-    export MARIADB_CONNECTION="${MARIADB_CONNECTION}&ssl=on&ssl_ca=${MARIADB_CACERT_FILE}"
+    MARIADB_HOST=${MARIADB_HOST:-127.0.0.1}
+    export MARIADB_CONNECTION="mysql+pymysql://${MARIADB_USER}:${MARIADB_PASSWORD}@${MARIADB_HOST}/${MARIADB_DATABASE}?charset=utf8"
+    if [[ "$MARIADB_TLS_ENABLED" == "true" ]]; then
+        export MARIADB_CONNECTION="${MARIADB_CONNECTION}&ssl=on&ssl_ca=${MARIADB_CACERT_FILE}"
+    fi
 fi
 
 # TODO(dtantsur): remove the explicit default once we get
@@ -37,9 +40,6 @@ if [[ "$NUMPROC" -lt 4 ]]; then
 fi
 export NUMWORKERS=${NUMWORKERS:-$NUMPROC}
 
-export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true}
-export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-true}
-
 # Whether to enable fast_track provisioning or not
 export IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true}
 
@@ -58,16 +58,14 @@ wait_for_interface_or_ip
 export IRONIC_CONDUCTOR_HOST=${IRONIC_CONDUCTOR_HOST:-${IRONIC_URL_HOST}}
 
 export IRONIC_BASE_URL=${IRONIC_BASE_URL:-"${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"}
-export IRONIC_INSPECTOR_BASE_URL=${IRONIC_INSPECTOR_BASE_URL:-"${IRONIC_INSPECTOR_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_INSPECTOR_ACCESS_PORT}"}
 
 if [[ -n "$IRONIC_EXTERNAL_IP" ]]; then
-    export IRONIC_EXTERNAL_CALLBACK_URL="${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"
+    export IRONIC_EXTERNAL_CALLBACK_URL=${IRONIC_EXTERNAL_CALLBACK_URL:-"${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"}
     if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
-        export IRONIC_EXTERNAL_HTTP_URL="https://${IRONIC_EXTERNAL_IP}:${VMEDIA_TLS_PORT}"
+        export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"https://${IRONIC_EXTERNAL_IP}:${VMEDIA_TLS_PORT}"}
     else
-        export IRONIC_EXTERNAL_HTTP_URL="http://${IRONIC_EXTERNAL_IP}:${HTTP_PORT}"
+        export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"http://${IRONIC_EXTERNAL_IP}:${HTTP_PORT}"}
     fi
-    export IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE="https://${IRONIC_EXTERNAL_IP}:${IRONIC_INSPECTOR_ACCESS_PORT}"
 fi
 
 IMAGE_CACHE_PREFIX=/shared/html/images/ironic-python-agent
@@ -90,13 +88,32 @@ mkdir -p /shared/ironic_prometheus_exporter
 
 configure_json_rpc_auth
 
+if [[ -f /proc/sys/crypto/fips_enabled ]]; then
+    ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)
+    export ENABLE_FIPS_IPA
+fi
+
 # The original ironic.conf is empty, and can be found in ironic.conf_orig
 render_j2_config /etc/ironic/ironic.conf.j2 /etc/ironic/ironic.conf
 
-if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
-    configure_client_basic_auth ironic-inspector
-fi
 configure_client_basic_auth ironic-rpc
 
 # Make sure ironic traffic bypasses any proxies
 export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
+
+PROBE_CURL_ARGS=
+if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
+    if [[ "${IRONIC_PRIVATE_PORT}" == "unix" ]]; then
+        PROBE_URL="http://127.0.0.1:6385"
+        PROBE_CURL_ARGS="--unix-socket /shared/ironic.sock"
+    else
+        PROBE_URL="http://127.0.0.1:${IRONIC_PRIVATE_PORT}"
+    fi
+else
+        PROBE_URL="${IRONIC_BASE_URL}"
+fi
+export PROBE_CURL_ARGS
+export PROBE_URL
+
+PROBE_KIND=readiness render_j2_config /bin/ironic-probe.j2 /bin/ironic-readiness
+PROBE_KIND=liveness render_j2_config /bin/ironic-probe.j2 /bin/ironic-liveness

ironic-image/configure-nonroot.sh

@@ -10,12 +10,12 @@ useradd -r -g ${NONROOT_GID} \
            -d /var/lib/ironic \
            -s /sbin/nologin \
            ${USER}
-           
+
 # create ironic's http_root directory
 mkdir -p /shared/html
 chown "${NONROOT_UID}":"${NONROOT_GID}" /shared/html
 
-# we'll bind mount shared ca and ironic/inspector certificate dirs here
+# we'll bind mount shared ca and ironic certificate dirs here
 # that need to have correct ownership as the entire ironic in BMO
 # deployment shares a single fsGroup in manifest's securityContext
 mkdir -p /certs/ca
@@ -26,17 +26,15 @@ chmod 2775 /certs{,/ca}
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/apache2
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /run
 
-# ironic, inspector and httpd related changes
+# ironic and httpd related changes
+mkdir -p /etc/httpd/conf.d
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/ironic /etc/httpd /etc/httpd
-chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/ironic-inspector
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/log
-chmod 2775 /etc/ironic /etc/ironic-inspector /etc/httpd/conf /etc/httpd/conf.d
+chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
-chmod 664 /etc/ironic/* /etc/ironic-inspector/* /etc/httpd/conf/* /etc/httpd/conf.d/*
+chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*
 
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ironic
-chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ironic-inspector
+chmod 664 /var/lib/ironic/ironic.sqlite
-chmod 2775 /var/lib/ironic /var/lib/ironic-inspector
-chmod 664 /var/lib/ironic/ironic.db /var/lib/ironic-inspector/ironic-inspector.db
 
 # dnsmasq, and the capabilities required to run it as non-root user
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/dnsmasq.conf /var/lib/dnsmasq
@@ -48,3 +46,8 @@ chmod 664 /etc/dnsmasq.conf /var/lib/dnsmasq/dnsmasq.leases
 touch /var/lib/ca-certificates/ca-bundle.pem.new
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ca-certificates/
 chmod -R +w /var/lib/ca-certificates/
+
+# probes that are created before start
+touch /bin/ironic-{readi,live}ness
+chown root:"${NONROOT_GID}" /bin/ironic-{readi,live}ness
+chmod 775 /bin/ironic-{readi,live}ness

ironic-image/dnsmasq.conf.j2

@@ -29,13 +29,23 @@ dhcp-option=option{% if ":" in env["DNS_IP"] %}6{% endif %}:dns-server,{{ env["D
 # IPv4 Configuration:
 dhcp-match=ipxe,175
 # Client is already running iPXE; move to next stage of chainloading
+{%- if env.IPXE_TLS_SETUP == "true"  %}
+# iPXE with (U)EFI
+dhcp-boot=tag:efi,tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/snponly.efi
+# iPXE with BIOS
+dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/undionly.kpxe
+{% else %}
 dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
+{% endif %}
 
 # Note: Need to test EFI booting
 dhcp-match=set:efi,option:client-arch,7
 dhcp-match=set:efi,option:client-arch,9
 dhcp-match=set:efi,option:client-arch,11
-# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader
+# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader do the same also if iPXE ROM boots but TLS is enabled
+{%- if env.IPXE_TLS_SETUP == "true"  %}
+dhcp-boot=tag:efi,tag:ipxe,snponly.efi
+{% endif %}
 dhcp-boot=tag:efi,tag:!ipxe,snponly.efi
 
 # Client is running PXE over BIOS; send BIOS version of iPXE chainloader

ironic-image/httpd-ironic-api.conf.j2

@@ -19,8 +19,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
  <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}>
 {% endif %}
 
-    {% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}
-
     {% if env.IRONIC_PRIVATE_PORT == "unix" %}
     ProxyPass "/"  "unix:/shared/ironic.sock|http://127.0.0.1/"
     ProxyPassReverse "/"  "unix:/shared/ironic.sock|http://127.0.0.1/"
@@ -29,14 +27,8 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
     ProxyPassReverse "/"  "http://127.0.0.1:{{ env.IRONIC_PRIVATE_PORT }}/"
     {% endif %}
 
-    {% else %}
-    WSGIDaemonProcess ironic user=ironic group=ironic threads=10 display-name=%{GROUP}
-    WSGIScriptAlias / /usr/bin/ironic-api-wsgi
-    {% endif %}
-
     SetEnv APACHE_RUN_USER ironic-suse
     SetEnv APACHE_RUN_GROUP ironic-suse
-    WSGIProcessGroup ironic-suse
 
     ErrorLog /dev/stderr
     LogLevel debug
@@ -49,7 +41,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
     SSLCertificateKeyFile {{ env.IRONIC_KEY_FILE }}
 {% endif %}
 
-    {% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}
     <Location />
          {% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
             AuthType Basic
@@ -58,22 +49,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
             Require valid-user
          {% endif %}
     </Location>
-    {% else %}
-    <Directory /usr/bin >
-        WSGIProcessGroup ironic
-        WSGIApplicationGroup %{GLOBAL}
-        AllowOverride None
-
-        {% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
-        AuthType Basic
-        AuthName "Restricted WSGI area"
-        AuthUserFile "/etc/ironic/htpasswd"
-        Require valid-user
-        {% else %}
-        Require all granted
-        {% endif %}
-    </Directory>
-    {% endif %}
 
     <Location ~ "^/(v1/?)?$" >
         Require all granted

ironic-image/httpd-modules.conf

@@ -5,7 +5,6 @@ LoadModule dir_module /usr/lib64/apache2/mod_dir.so
 LoadModule authz_core_module /usr/lib64/apache2/mod_authz_core.so
 #LoadModule unixd_module modules/mod_unixd.so
 #LoadModule mpm_event_module modules/mod_mpm_event.so
-LoadModule wsgi_module /usr/lib64/apache2/mod_wsgi.so
 LoadModule ssl_module /usr/lib64/apache2/mod_ssl.so
 LoadModule env_module /usr/lib64/apache2/mod_env.so
 LoadModule proxy_module /usr/lib64/apache2/mod_proxy.so

ironic-image/httpd.conf.j2

@@ -1,6 +1,6 @@
 ServerRoot "/etc/httpd"
 {%- if env.LISTEN_ALL_INTERFACES | lower == "true" %}
-Listen [::]:{{ env.HTTP_PORT }}
+Listen {{ env.HTTP_PORT }}
 {% else %}
 Listen {{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
 {% endif %}

ironic-image/inspector.ipxe.j2

@@ -5,6 +5,6 @@ echo In inspector.ipxe
 imgfree
 # NOTE(dtantsur): keep inspection kernel params in [mdns]params in
 # ironic-inspector-image and configuration in configure-ironic.sh
-kernel --timeout 60000 http://{{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
+kernel --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
-initrd --timeout 60000 http://{{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.initramfs || goto retry_boot
+initrd --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.initramfs || goto retry_boot
 boot

ironic-image/ipxe_config.template

@@ -0,0 +1,81 @@
+#!ipxe
+
+set attempts:int32 10
+set i:int32 0
+
+goto deploy
+
+:deploy
+imgfree
+{%- if pxe_options.deployment_aki_path %}
+{%- set aki_path_https_elements = pxe_options.deployment_aki_path.split(':') %}
+{%- set aki_port_and_path = aki_path_https_elements[2].split('/') %}
+{%- set aki_afterport = aki_port_and_path[1:]|join('/') %}
+{%- set aki_path_https = ['https:', aki_path_https_elements[1], ':8084/', aki_afterport]|join %}
+{%- endif %}
+{%- if pxe_options.deployment_ari_path %}
+{%- set ari_path_https_elements = pxe_options.deployment_ari_path.split(':') %}
+{%- set ari_port_and_path = ari_path_https_elements[2].split('/') %}
+{%- set ari_afterport = ari_port_and_path[1:]|join('/') %}
+{%- set ari_path_https = ['https:', ari_path_https_elements[1], ':8084/', ari_afterport]|join %}
+{%- endif %}
+kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} selinux=0 troubleshoot=0 text {{ pxe_options.pxe_append_params|default("", true) }} BOOTIF=${mac} initrd={{ pxe_options.initrd_filename|default("deploy_ramdisk", true) }} || goto retry
+
+initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto retry
+boot
+
+:retry
+iseq ${i} ${attempts} && goto fail ||
+inc i
+echo No response, retrying in ${i} seconds.
+sleep ${i}
+goto deploy
+
+:fail
+echo Failed to get a response after ${attempts} attempts
+echo Powering off in 30 seconds.
+sleep 30
+poweroff
+
+:boot_anaconda
+imgfree
+kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} text {{ pxe_options.pxe_append_params|default("", true) }} inst.ks={{ pxe_options.ks_cfg_url }} {% if pxe_options.repo_url %}inst.repo={{ pxe_options.repo_url }}{% else %}inst.stage2={{ pxe_options.stage2_url }}{% endif %} initrd=ramdisk || goto boot_anaconda
+initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_anaconda
+boot
+
+:boot_ramdisk
+imgfree
+{%- if pxe_options.boot_iso_url %}
+sanboot {{ pxe_options.boot_iso_url }}
+{%- else %}
+kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} root=/dev/ram0 text {{ pxe_options.pxe_append_params|default("", true) }} {{ pxe_options.ramdisk_opts|default('', true) }} initrd=ramdisk || goto boot_ramdisk
+initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_ramdisk
+boot
+{%- endif %}
+
+{%- if pxe_options.boot_from_volume %}
+
+:boot_iscsi
+imgfree
+{% if pxe_options.username %}set username {{ pxe_options.username }}{% endif %}
+{% if pxe_options.password %}set password {{ pxe_options.password }}{% endif %}
+{% if pxe_options.iscsi_initiator_iqn %}set initiator-iqn {{ pxe_options.iscsi_initiator_iqn }}{% endif %}
+sanhook --drive 0x80 {{ pxe_options.iscsi_boot_url }} || goto fail_iscsi_retry
+{%- if pxe_options.iscsi_volumes %}{% for i, volume in enumerate(pxe_options.iscsi_volumes) %}
+set username {{ volume.username }}
+set password {{ volume.password }}
+{%- set drive_id = 129 + i %}
+sanhook --drive {{ '0x%x' % drive_id }} {{ volume.url }} || goto fail_iscsi_retry
+{%- endfor %}{% endif %}
+{% if pxe_options.iscsi_volumes %}set username {{ pxe_options.username }}{% endif %}
+{% if pxe_options.iscsi_volumes %}set password {{ pxe_options.password }}{% endif %}
+sanboot --no-describe || goto fail_iscsi_retry
+
+:fail_iscsi_retry
+echo Failed to attach iSCSI volume(s), retrying in 10 seconds.
+sleep 10
+goto boot_iscsi
+{%- endif %}
+
+:boot_whole_disk
+sanboot --no-describe || exit 0

ironic-image/ironic-common.sh

@@ -6,6 +6,7 @@ IRONIC_IP="${IRONIC_IP:-}"
 PROVISIONING_INTERFACE="${PROVISIONING_INTERFACE:-}"
 PROVISIONING_IP="${PROVISIONING_IP:-}"
 PROVISIONING_MACS="${PROVISIONING_MACS:-}"
+IPXE_CUSTOM_FIRMWARE_DIR="${IPXE_CUSTOM_FIRMWARE_DIR:-/shared/custom_ipxe_firmware}"
 
 get_provisioning_interface()
 {
@@ -72,7 +73,10 @@ wait_for_interface_or_ip()
 
 render_j2_config()
 {
+    ls $1 # DEBUG
+    python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1"
     python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
+    ls $2 # DEBUG
 }
 
 run_ironic_dbsync()
@@ -86,25 +90,18 @@ run_ironic_dbsync()
         done
     else
         # SQLite does not support some statements. Fortunately, we can just create
-        # the schema in one go instead of going through an upgrade.
+        # the schema in one go if not already created, instead of going through an upgrade
-        ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
+        DB_VERSION="$(ironic-dbsync --config-file /etc/ironic/ironic.conf version)"
+        if [[ "${DB_VERSION}" == "None" ]]; then
+            ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
+        fi
     fi
 }
 
 # Use the special value "unix" for unix sockets
-export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-6388}
+export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-unix}
-export IRONIC_INSPECTOR_PRIVATE_PORT=${IRONIC_INSPECTOR_PRIVATE_PORT:-5049}
 
 export IRONIC_ACCESS_PORT=${IRONIC_ACCESS_PORT:-6385}
 export IRONIC_LISTEN_PORT=${IRONIC_LISTEN_PORT:-$IRONIC_ACCESS_PORT}
 
-export IRONIC_INSPECTOR_ACCESS_PORT=${IRONIC_INSPECTOR_ACCESS_PORT:-5050}
+export IRONIC_ENABLE_DISCOVERY=${IRONIC_ENABLE_DISCOVERY:-${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}}
-export IRONIC_INSPECTOR_LISTEN_PORT=${IRONIC_INSPECTOR_LISTEN_PORT:-$IRONIC_INSPECTOR_ACCESS_PORT}
-
-# If this is false, built-in inspection is used.
-export USE_IRONIC_INSPECTOR=${USE_IRONIC_INSPECTOR:-true}
-export IRONIC_INSPECTOR_ENABLE_DISCOVERY=${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}
-if [[ "${USE_IRONIC_INSPECTOR}" != "true" ]] && [[ "${IRONIC_INSPECTOR_ENABLE_DISCOVERY}" == "true" ]]; then
-    echo "Discovery is only supported with ironic-inspector at this point"
-    exit 1
-fi

ironic-image/ironic-probe.j2

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -eu -o pipefail
+
+curl -sSf {{ env.PROBE_CURL_ARGS }} "{{ env.PROBE_URL }}"
+
+# TODO(dtantsur): when PROBE_KIND==readiness, try the conductor and driver API
+# to make sure the conductor is ready. This requires having access to secrets
+# since these endpoints are authenticated.

ironic-image/ironic.conf.j2

@@ -1,28 +1,22 @@
 [DEFAULT]
-{% if env.AUTH_STRATEGY is defined %}
-auth_strategy = {{ env.AUTH_STRATEGY }}
-{% if env.AUTH_STRATEGY == "http_basic" %}
-http_basic_auth_user_file=/etc/ironic/htpasswd
-{% endif %}
-{% else %}
 auth_strategy = noauth
-{% endif %}
 debug = true
 default_deploy_interface = direct
-default_inspect_interface = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %}
+default_inspect_interface = agent
 default_network_interface = noop
-enabled_bios_interfaces = idrac-wsman,no-bios,redfish,idrac-redfish,irmc,ilo
+enabled_bios_interfaces = no-bios,redfish,idrac-redfish,irmc,ilo
-enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media
+enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media,redfish-https
 enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
+enabled_firmware_interfaces = no-firmware,fake,redfish
 # NOTE(dtantsur): when changing this, make sure to update the driver
 # dependencies in Dockerfile.
 enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,manual-management,ilo,ilo5
-enabled_inspect_interfaces = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %},idrac-wsman,irmc,fake,redfish,ilo
+enabled_inspect_interfaces = agent,irmc,fake,redfish,ilo
-enabled_management_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
+enabled_management_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
-enabled_power_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ilo
+enabled_network_interfaces = noop
-enabled_raid_interfaces = no-raid,irmc,agent,fake,idrac-wsman,redfish,idrac-redfish,ilo5
+enabled_power_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo
-enabled_vendor_interfaces = no-vendor,ipmitool,idrac-wsman,idrac-redfish,redfish,ilo,fake
+enabled_raid_interfaces = no-raid,irmc,agent,fake,redfish,idrac-redfish,ilo5
-enabled_firmware_interfaces = no-firmware,fake,redfish
+enabled_vendor_interfaces = no-vendor,ipmitool,idrac-redfish,redfish,ilo,fake
 {% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
 rpc_transport = json-rpc
 {% else %}
@@ -32,14 +26,7 @@ use_stderr = true
 # NOTE(dtantsur): the default md5 is not compatible with FIPS mode
 hash_ring_algorithm = sha256
 my_ip = {{ env.IRONIC_IP }}
-{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
-# if access is unauthenticated, we bind only to localhost - use that as the
-# host name also, so that the client can find the server
-# If we run both API and conductor in the same pod, use localhost
-host = localhost
-{% else %}
 host = {{ env.IRONIC_CONDUCTOR_HOST }}
-{% endif %}
 
 # If a path to a certificate is defined, use that first for webserver
 {% if env.WEBSERVER_CACERT_FILE %}
@@ -96,7 +83,7 @@ send_sensor_data = {{ env.SEND_SENSOR_DATA }}
 # Power state is checked every 60 seconds and BMC activity should
 # be avoided more often than once every sixty seconds.
 send_sensor_data_interval = 160
-bootloader = {{ env.IRONIC_BOOT_BASE_URL }}/uefi_esp.img
+bootloader = http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/uefi_esp.img
 verify_step_priority_override = management.clear_job_queue:90
 # We don't use this feature, and it creates an additional load on the database
 node_history = False
@@ -125,7 +112,7 @@ default_boot_option = local
 erase_devices_metadata_priority = 10
 erase_devices_priority = 0
 http_root = /shared/html/
-http_url = {{ env.IRONIC_BOOT_BASE_URL }}
+http_url = http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
 fast_track = {{ env.IRONIC_FAST_TRACK }}
 {% if env.IRONIC_BOOT_ISO_SOURCE %}
 ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }}
@@ -143,26 +130,22 @@ external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
 dhcp_provider = none
 
 [inspector]
+# NOTE(dtantsur): we properly configure the "unmanaged" inspection boot (i.e.
+# booting IPA through a separate inspector.ipxe rather than the driver's boot
+# interface), so managed boot is not required.
+require_managed_boot = False
 power_off = {{ false if env.IRONIC_FAST_TRACK == "true" else true }}
 # NOTE(dtantsur): keep inspection arguments synchronized with inspector.ipxe
 # Also keep in mind that only parameters unique for inspection go here.
 # No need to duplicate pxe_append_params/kernel_append_params.
-extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
+extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1
-
-{% if env.USE_IRONIC_INSPECTOR == "true" %}
-endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
-{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
-cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }}
-insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
-{% endif %}
-{% if env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE %}
-callback_endpoint_override = {{ env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE }}
-{% endif %}
-{% else %}
 hooks = $default_hooks,parse-lldp
 add_ports = all
 keep_ports = present
-{% endif %}
+
+[auto_discovery]
+enabled = {{ env.IRONIC_ENABLE_DISCOVERY }}
+driver = ipmi
 
 [ipmi]
 # use_ipmitool_retries transfers the responsibility of retrying to ipmitool
@@ -191,15 +174,9 @@ cipher_suite_versions = 3,17
 # authentication over localhost, using the same credentials as API, to prevent
 # unauthenticated connections from other processes in the same host since the
 # containers are in host networking.
-auth_strategy = {{ env.JSON_RPC_AUTH_STRATEGY }}
+auth_strategy = http_basic
 http_basic_auth_user_file = /etc/ironic/htpasswd-rpc
-{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
-# if access is unauthenticated, we bind only to localhost - use that as the
-# host name also, so that the client can find the server
-host_ip = localhost
-{% else %}
 host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
-{% endif %}
 {% if env.IRONIC_TLS_SETUP == "true" %}
 use_ssl = true
 cafile = {{ env.IRONIC_CACERT_FILE }}
@@ -224,24 +201,27 @@ images_path = /shared/html/tmp
 instance_master_path = /shared/html/master_images
 tftp_master_path = /shared/tftpboot/master_images
 tftp_root = /shared/tftpboot
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
 # This makes networking boot templates generated even for nodes using local
 # boot (the default), ensuring that they boot correctly even if they start
 # netbooting for some reason (e.g. with the noop management interface).
 enable_netboot_fallback = true
 # Enable the fallback path to in-band inspection
 ipxe_fallback_script = inspector.ipxe
+{% if env.IPXE_TLS_SETUP | lower == "true" %}
+ipxe_config_template = /tmp/ipxe_config.template
+{% endif %}
 
 [redfish]
 use_swift = false
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
 
 [ilo]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
 use_web_server_for_images = true
 
 [irmc]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
 
 [service_catalog]
 endpoint_override = {{ env.IRONIC_BASE_URL }}

ironic-image/rundnsmasq

@@ -4,6 +4,8 @@ set -eux
 
 # shellcheck disable=SC1091
 . /bin/ironic-common.sh
+# shellcheck disable=SC1091
+. /bin/tls-common.sh
 
 export HTTP_PORT=${HTTP_PORT:-80}
 DNSMASQ_EXCEPT_INTERFACE=${DNSMASQ_EXCEPT_INTERFACE:-lo}
@@ -19,7 +21,13 @@ mkdir -p /shared/html/images
 mkdir -p /shared/html/pxelinux.cfg
 
 # Copy files to shared mount
-cp /tftpboot/undionly.kpxe /tftpboot/snponly.efi /shared/tftpboot
+if [[ -r "${IPXE_CUSTOM_FIRMWARE_DIR}" ]]; then
+    cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
+        "${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
+        "/shared/tftpboot"
+else
+    cp /tftpboot/undionly.kpxe /tftpboot/snponly.efi /shared/tftpboot
+fi
 
 # Template and write dnsmasq.conf
 # we template via /tmp as sed otherwise creates temp files in /etc directory

ironic-image/runhttpd

@@ -8,10 +8,7 @@
 export HTTP_PORT=${HTTP_PORT:-80}
 export VMEDIA_TLS_PORT=${VMEDIA_TLS_PORT:-8083}
 
-INSPECTOR_ORIG_HTTPD_CONFIG=/etc/httpd/conf.d/inspector-apache.conf.j2
-INSPECTOR_RESULT_HTTPD_CONFIG=/etc/httpd/conf.d/ironic-inspector.conf
 export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
-export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
 
 # In Metal3 context they are called node images in Ironic context they are
 # called user images.
@@ -33,11 +30,7 @@ chmod 0777 /shared/html
 
 IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}"
 
-if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
+INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
-    INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue"
-else
-    INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
-fi
 
 if [[ "$IRONIC_FAST_TRACK" == "true" ]]; then
     INSPECTOR_EXTRA_ARGS+=" ipa-api-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}"
@@ -51,14 +44,6 @@ cp /tmp/uefi_esp.img /shared/html/uefi_esp.img
 # Render the core httpd config
 render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf
 
-if [[ "$USE_IRONIC_INSPECTOR" == "true" ]] && [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then
-    if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "true" ]]; then
-        render_j2_config "$INSPECTOR_ORIG_HTTPD_CONFIG" "$INSPECTOR_RESULT_HTTPD_CONFIG"
-    fi
-else
-    export INSPECTOR_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
-fi
-
 if [[ "$IRONIC_TLS_SETUP" == "true" ]]; then
     if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
         render_j2_config /tmp/httpd-ironic-api.conf.j2 /etc/httpd/conf.d/ironic.conf
@@ -74,12 +59,14 @@ if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
     render_j2_config /etc/httpd-vmedia.conf.j2 /etc/httpd/conf.d/vmedia.conf
 fi
 
-# Set up inotify to kill the container (restart) whenever cert files for ironic inspector change
+# Render httpd TLS configuration for /shared/html
-if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
+if [[ "$IPXE_TLS_SETUP" == "true" ]]; then
-    # shellcheck disable=SC2034
+    mkdir -p /shared/html/custom-ipxe
-    inotifywait -m -e delete_self "${IRONIC_INSPECTOR_CERT_FILE}" | while read -r file event; do
+    chmod 0777 /shared/html/custom-ipxe
-        kill -WINCH $(pgrep httpd)
+    render_j2_config "/etc/httpd-ipxe.conf.j2" "/etc/httpd/conf.d/ipxe.conf"
-    done &
+    cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
+       "${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
+       "/shared/html/custom-ipxe"
 fi
 
 # Set up inotify to kill the container (restart) whenever cert files for ironic api change

ironic-image/runironic

@@ -1,9 +1,7 @@
 #!/usr/bin/bash
 
-# These settings must go before configure-ironic since it has different
+# This setting must go before configure-ironic since it has different defaults.
-# defaults.
 export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
-export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-false}
 
 # shellcheck disable=SC1091
 . /bin/configure-ironic.sh

ironic-image/runlogwatch.sh

@@ -1,20 +1,11 @@
 #!/usr/bin/bash
 
 # Ramdisk logs path
-LOG_DIRS=("/shared/log/ironic/deploy" "/shared/log/ironic-inspector/ramdisk")
+LOG_DIR="/shared/log/ironic/deploy"
 
-while :; do
+inotifywait -m "${LOG_DIR}" -e close_write |
-    for LOG_DIR in "${LOG_DIRS[@]}"; do
+    while read -r path _action file; do
-        if ! ls "${LOG_DIR}"/*.tar.gz 1> /dev/null 2>&1; then
+        echo "************ Contents of ${path}/${file} ramdisk log file bundle **************"
-            continue
+        tar -xOzvvf "${path}/${file}" | sed -e "s/^/${file}: /"
-        fi
+        rm -f "${path}/${file}"
-
-        for fn in "${LOG_DIR}"/*.tar.gz; do
-            echo "************ Contents of $fn ramdisk log file bundle **************"
-            tar -xOzvvf "$fn" | sed -e "s/^/$(basename "$fn"): /"
-            rm -f "$fn"
-        done
     done
-
-    sleep 5
-done

ironic-image/tls-common.sh

@@ -5,24 +5,25 @@ export IRONIC_KEY_FILE=/certs/ironic/tls.key
 export IRONIC_CACERT_FILE=/certs/ca/ironic/tls.crt
 export IRONIC_INSECURE=${IRONIC_INSECURE:-false}
 export IRONIC_SSL_PROTOCOL=${IRONIC_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
+export IPXE_SSL_PROTOCOL=${IPXE_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
 export IRONIC_VMEDIA_SSL_PROTOCOL=${IRONIC_VMEDIA_SSL_PROTOCOL:-"ALL"}
 
-export IRONIC_INSPECTOR_CERT_FILE=/certs/ironic-inspector/tls.crt
-export IRONIC_INSPECTOR_KEY_FILE=/certs/ironic-inspector/tls.key
-export IRONIC_INSPECTOR_CACERT_FILE=/certs/ca/ironic-inspector/tls.crt
-export IRONIC_INSPECTOR_INSECURE=${IRONIC_INSPECTOR_INSECURE:-$IRONIC_INSECURE}
-
 export IRONIC_VMEDIA_CERT_FILE=/certs/vmedia/tls.crt
 export IRONIC_VMEDIA_KEY_FILE=/certs/vmedia/tls.key
 
+export IPXE_CERT_FILE=/certs/ipxe/tls.crt
+export IPXE_KEY_FILE=/certs/ipxe/tls.key
+
 export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPDATED:-"false"}
 
 export MARIADB_CACERT_FILE=/certs/ca/mariadb/tls.crt
 
+export IPXE_TLS_PORT="${IPXE_TLS_PORT:-8084}"
+
 mkdir -p /certs/ironic
-mkdir -p /certs/ironic-inspector
 mkdir -p /certs/ca/ironic
-mkdir -p /certs/ca/ironic-inspector
+mkdir -p /certs/ipxe
+mkdir -p /certs/vmedia
 
 if [[ -f "$IRONIC_CERT_FILE" ]] && [[ ! -f "$IRONIC_KEY_FILE" ]]; then
     echo "Missing TLS Certificate key file $IRONIC_KEY_FILE"
@@ -33,15 +34,6 @@ if [[ ! -f "$IRONIC_CERT_FILE" ]] && [[ -f "$IRONIC_KEY_FILE" ]]; then
     exit 1
 fi
 
-if [[ -f "$IRONIC_INSPECTOR_CERT_FILE" ]] && [[ ! -f "$IRONIC_INSPECTOR_KEY_FILE" ]]; then
-    echo "Missing TLS Certificate key file $IRONIC_INSPECTOR_KEY_FILE"
-    exit 1
-fi
-if [[ ! -f "$IRONIC_INSPECTOR_CERT_FILE" ]] && [[ -f "$IRONIC_INSPECTOR_KEY_FILE" ]]; then
-    echo "Missing TLS Certificate file $IRONIC_INSPECTOR_CERT_FILE"
-    exit 1
-fi
-
 if [[ -f "$IRONIC_VMEDIA_CERT_FILE" ]] && [[ ! -f "$IRONIC_VMEDIA_KEY_FILE" ]]; then
     echo "Missing TLS Certificate key file $IRONIC_VMEDIA_KEY_FILE"
     exit 1
@@ -51,6 +43,15 @@ if [[ ! -f "$IRONIC_VMEDIA_CERT_FILE" ]] && [[ -f "$IRONIC_VMEDIA_KEY_FILE" ]];
     exit 1
 fi
 
+if [[ -f "$IPXE_CERT_FILE" ]] && [[ ! -f "$IPXE_KEY_FILE" ]]; then
+    echo "Missing TLS Certificate key file $IPXE_KEY_FILE"
+    exit 1
+fi
+if [[ ! -f "$IPXE_CERT_FILE" ]] && [[ -f "$IPXE_KEY_FILE" ]]; then
+    echo "Missing TLS Certificate file $IPXE_CERT_FILE"
+    exit 1
+fi
+
 copy_atomic()
 {
     local src="$1"
@@ -75,25 +76,20 @@ else
     export IRONIC_SCHEME="http"
 fi
 
-if [[ -f "$IRONIC_INSPECTOR_CERT_FILE" ]] || [[ -f "$IRONIC_INSPECTOR_CACERT_FILE" ]]; then
-    export IRONIC_INSPECTOR_TLS_SETUP="true"
-    export IRONIC_INSPECTOR_SCHEME="https"
-    if [[ ! -f "$IRONIC_INSPECTOR_CACERT_FILE" ]]; then
-        copy_atomic "$IRONIC_INSPECTOR_CERT_FILE" "$IRONIC_INSPECTOR_CACERT_FILE"
-    fi
-else
-    export IRONIC_INSPECTOR_TLS_SETUP="false"
-    export IRONIC_INSPECTOR_SCHEME="http"
-fi
-
 if [[ -f "$IRONIC_VMEDIA_CERT_FILE" ]]; then
-    export IRONIC_VMEDIA_SCHEME="https"
     export IRONIC_VMEDIA_TLS_SETUP="true"
 else
-    export IRONIC_VMEDIA_SCHEME="http"
     export IRONIC_VMEDIA_TLS_SETUP="false"
 fi
 
+if [[ -f "$IPXE_CERT_FILE" ]]; then
+    export IPXE_SCHEME="https"
+    export IPXE_TLS_SETUP="true"
+else
+    export IPXE_SCHEME="http"
+    export IPXE_TLS_SETUP="false"
+fi
+
 if [[ -f "$MARIADB_CACERT_FILE" ]]; then
     export MARIADB_TLS_ENABLED="true"
 else

ironic-ipa-downloader-image/Dockerfile

@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:2.0.0
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:2.0.0-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.0-%RELEASE%
 #!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -8,7 +8,7 @@ FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
 COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
-RUN zypper --installroot /installroot --non-interactive install --no-recommends openstack-ironic-image-x86_64 python311-devel python311 python311-pip tar gawk git curl xz fakeroot shadow sed cpio; zypper -n clean; rm -rf /var/log/*
+RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 python311-devel python311 python311-pip tar gawk git curl xz fakeroot shadow sed cpio; zypper -n clean; rm -rf /var/log/*
 #RUN zypper --installroot /installroot --non-interactive install --no-recommends sles-release;
 RUN cp /usr/bin/getopt /installroot/
 
@@ -19,13 +19,13 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
 LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="2.0.0"
+LABEL org.opencontainers.image.version="3.0.0"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:2.0.0-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.0-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

ironic-ipa-downloader-image/_service

@@ -3,15 +3,17 @@
   <service mode="buildtime" name="docker_label_helper"/>
   <service name="replace_using_package_version" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="regex">%%openstack-ironic-image-x86_64_version%%</param>
+    <param name="regex">%%ironic-ipa-ramdisk-x86_64_version%%</param>
-    <param name="package">openstack-ironic-image-x86_64</param>
+    <param name="package">ironic-ipa-ramdisk-x86_64</param>
     <param name="parse-version">patch</param>
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

ironic-ipa-ramdisk/_constraints

@@ -0,0 +1,8 @@
+<constraints>
+    <hardware>
+        <processors>4</processors>
+        <disk>
+            <size unit="G">12</size>
+        </disk>
+    </hardware>
+</constraints>

ironic-ipa-ramdisk/config.sh

@@ -0,0 +1,105 @@
+#!/bin/bash
+
+test -f /.kconfig && . /.kconfig
+test -f /.profile && . /.profile
+
+#======================================
+# Greeting...
+#--------------------------------------
+echo "Configure image: [$kiwi_iname]..."
+
+#==========================================
+# setup build day
+#------------------------------------------
+baseSetupBuildDay
+
+#======================================
+# Mount system filesystems
+#--------------------------------------
+#baseMount
+
+#==========================================
+# remove unneded kernel files
+#------------------------------------------
+suseStripKernel
+baseStripLocales en_US.utf-8 C.utf8
+
+#======================================
+# Setup baseproduct link
+#--------------------------------------
+suseSetupProduct
+
+#======================================
+# Add missing gpg keys to rpm
+#--------------------------------------
+suseImportBuildKey
+
+#======================================
+# Activate services
+#--------------------------------------
+baseInsertService openstack-ironic-python-agent
+baseInsertService suse-ironic-image-setup
+baseInsertService suse-network-setup
+baseInsertService sshd
+baseInsertService NetworkManager
+#suseInsertService sshd
+#suseInsertService openstack-ironic-python-agent
+#suseInsertService suse-ironic-image-setup
+
+echo 'DEFAULT_TIMEZONE="UTC"' >> /etc/sysconfig/clock
+baseUpdateSysConfig /etc/sysconfig/clock HWCLOCK "-u"
+baseUpdateSysConfig /etc/sysconfig/clock TIMEZONE UTC
+baseUpdateSysConfig /etc/sysconfig/network/dhcp DHCLIENT_SET_HOSTNAME no
+baseUpdateSysConfig /etc/sysconfig/network/dhcp WRITE_HOSTNAME_TO_HOSTS no
+
+#==========================================
+# generate autologin@ service
+# based on getty@ service
+#------------------------------------------
+#sed 's/^ExecStart=.*/\0 --autologin root/' /usr/lib/systemd/system/getty@.service > /etc/systemd/system/autologin\@.service
+sed -E 's/^(ExecStart=.*\/agetty).*(--noclear.*)/\1 \2 --autologin root/' /usr/lib/systemd/system/getty@.service > /etc/systemd/system/autologin\@.service
+
+#==========================================
+# add fstab entry for tmpfs based /tmp
+#------------------------------------------
+echo 'tmpfs /tmp tmpfs size=3G 0 0' >> /etc/fstab
+
+#==========================================
+# remove package docs and manuals
+#------------------------------------------
+#baseStripDocs
+#baseStripMans
+#baseStripInfos
+
+#======================================
+# only basic version of vim is
+# installed; no syntax highlighting
+#--------------------------------------
+sed -i -e's/^syntax on/" syntax on/' /etc/vimrc
+
+#======================================
+# Remove yast if not in use
+#--------------------------------------
+#suseRemoveYaST
+
+#======================================
+# Remove package manager
+#--------------------------------------
+#suseStripPackager
+
+#rm -f usr/lib/perl5/*/*/auto/Encode/??/??.so # 9MB
+
+#======================================
+# Umount kernel filesystems
+#--------------------------------------
+#baseCleanMount
+
+ln -s /sbin/init /init
+
+#==========================================
+# umount
+#------------------------------------------
+umount /proc >/dev/null 2>&1
+
+exit 0
+

ironic-ipa-ramdisk/ironic-ipa-ramdisk.kiwi

@@ -0,0 +1,173 @@
+<?xml version="1.0" encoding="utf-8"?>
+<image schemaversion="7.4" name="openstack-ironic-image-201">
+    <description type="system">
+        <author>Cloud developers</author>
+        <contact>cloud-devel@suse.de</contact>
+        <specification>kernel and ramdisk image for metal3</specification>
+    </description>
+    <profiles>
+        <profile name="default" description="Booting default profile" import="true"/>
+    </profiles>
+    <preferences>
+        <locale>en_US</locale>
+        <packagemanager>zypper</packagemanager>
+        <rpm-check-signatures>false</rpm-check-signatures>
+        <timezone>UTC</timezone>
+        <version>1.0.0</version> 
+    </preferences>	
+    <preferences profiles="default">
+        <type image="kis" initrd_system="none" compressed="false"/>
+    </preferences>
+
+    <users>
+        <user password="*" home="/root" name="root" groups="root"/>
+    </users>
+
+    <repository alias="build-binaries" type="rpm-md" priority="99">
+      <source path="dir:///.build.binaries"/>
+    </repository>
+
+    <drivers>
+        <file name="crypto/*"/>
+        <file name="drivers/acpi/*"/>
+        <file name="drivers/acpi/dock.ko"/>
+        <file name="drivers/ata/*"/>
+        <file name="drivers/block/brd.ko"/>
+        <file name="drivers/block/cciss.ko"/>
+        <file name="drivers/block/loop.ko"/>
+        <file name="drivers/block/virtio_blk.ko"/>
+        <file name="drivers/cdrom/*"/>
+        <file name="drivers/char/hw_random/virtio-rng.ko"/>
+        <file name="drivers/char/lp.ko"/>
+        <file name="drivers/char/ipmi/*"/>
+        <file name="drivers/firmware/iscsi_ibft.ko"/>
+        <file name="drivers/firmware/edd.ko"/>
+        <file name="drivers/gpu/drm/*"/>
+        <file name="drivers/hid/*"/>
+        <file name="drivers/hv/*"/>
+        <file name="drivers/hwmon/*"/>
+        <file name="drivers/ide/*"/>
+        <file name="drivers/input/keyboard/*"/>
+        <file name="drivers/input/mouse/*"/>
+        <file name="drivers/md/*"/>
+        <file name="drivers/message/fusion/*"/>
+        <file name="drivers/misc/hpilo.ko"/>
+        <file name="drivers/net/*"/>
+        <file name="drivers/parport/*"/>
+        <file name="drivers/scsi/*"/>
+        <file name="drivers/staging/hv/*"/>
+        <file name="drivers/target/*"/>
+        <file name="drivers/thermal/*"/>
+        <file name="drivers/usb/*"/>
+        <file name="drivers/virtio/*"/>
+        <file name="fs/binfmt_aout.ko"/>
+        <file name="fs/binfmt_misc.ko"/>
+        <file name="fs/overlayfs/*"/>
+        <file name="fs/btrfs/*"/>
+        <file name="fs/exportfs/*"/>
+        <file name="fs/ext4/*"/>
+        <file name="fs/fat/*"/>
+        <file name="fs/fuse/*"/>
+        <file name="fs/hfs/*"/>
+        <file name="fs/jbd2/*"/>
+        <file name="fs/nfs/*"/>
+        <file name="fs/mbcache.ko"/>
+        <file name="fs/nls/nls_cp437.ko"/>
+        <file name="fs/nls/nls_iso8859-1.ko"/>
+        <file name="fs/nls/nls_utf8.ko"/>
+        <file name="fs/quota_v1.ko"/>
+        <file name="fs/quota_v2.ko"/>
+        <file name="fs/squashfs/*"/>
+        <file name="fs/udf/*"/>
+        <file name="fs/vfat/*"/>
+        <file name="fs/xfs/*"/>
+        <file name="fs/isofs/*"/>
+        <file name="lib/crc-t10dif.ko"/>
+        <file name="lib/crc16.ko"/>
+        <file name="lib/libcrc32c.ko"/>
+        <file name="lib/zlib_deflate/zlib_deflate.ko"/>
+        <file name="net/packet/*"/>
+    </drivers>
+
+    <packages type="delete">
+        <package name="gpg2"/>
+        <package name="libcairo2"/>
+        <package name="libpango-1_0-0"/>
+        <package name="libX11-6"/>
+        <package name="libXext6"/>
+        <package name="libXft2"/>
+        <package name="libXrender1"/>
+        <package name="libX11-data"/>
+        <package name="libXau6"/>
+        <package name="libxcb-render0"/>
+        <package name="libxcb-shm0"/>
+        <package name="libxcb1"/>
+        <package name="plymouth"/>
+        <package name="plymouth-branding-SLE"/>
+    </packages>
+
+    <packages type="image">
+        <package name="checkmedia"/>
+        <package name="plymouth-branding-SLE"/>
+        <package name="plymouth-dracut"/>
+        <package name="plymouth-theme-bgrt"/>
+        <package name="grub2-branding-SLE"/>
+        <package name="iputils"/>
+        <package name="vim"/>
+        <package name="grub2"/>
+        <package name="grub2-x86_64-efi" arch="x86_64"/>
+        <package name="grub2-i386-pc"/>
+        <package name="syslinux"/>
+        <package name="lvm2"/>
+        <package name="plymouth"/>
+        <package name="fontconfig"/>
+        <package name="fonts-config"/>
+        <package name="openssh"/>
+        <package name="iproute2"/>
+        <package name="which"/>
+        <package name="kernel-firmware"/>
+        <package name="kernel-default"/>
+        <package name="NetworkManager"/>
+        <package name="nm-configurator"/>
+        <package name="timezone"/>
+        <package name="haveged"/>
+        <!-- ironic-python-agent specific -->
+        <package name="openstack-ironic-python-agent"/>
+        <package name="hdparm"/>
+        <package name="qemu-tools"/>
+        <package name="python311-proliantutils" arch="x86_64"/>
+        <package name="lshw"/>
+        <package name="dmidecode" arch="aarch64"/>
+        <package name="dmidecode" arch="x86_64"/>
+        <package name="efibootmgr" arch="aarch64" />
+        <package name="efibootmgr" arch="x86_64" />
+        <package name="gptfdisk"/>
+        <package name="open-iscsi"/>
+        <package name="hwinfo"/>
+        <package name="ipmitool"/>
+        <package name="iputils"/>
+        <package name="lvm2"/>
+        <package name="net-tools"/>
+        <package name="ntp"/>
+        <package name="parted"/>
+        <package name="psmisc"/>
+        <package name="timezone"/>
+        <package name="which"/>
+        <package name="kbd"/>
+    </packages>
+
+    <packages type="kis">
+        <package name="gfxboot-branding-SLE"/>
+        <package name="dracut-kiwi-oem-repart"/>
+        <package name="dracut-kiwi-oem-dump"/>
+    </packages> 
+
+    <packages type="bootstrap">
+        <package name="glibc-locale"/>
+        <package name="udev"/>
+        <package name="filesystem"/>
+        <package name="cracklib-dict-full"/>
+        <package name="ca-certificates"/>
+        <package name="sles-release"/>
+    </packages>
+</image>

ironic-ipa-ramdisk/ironic-ipa-ramdisk.spec

@@ -0,0 +1,167 @@
+#
+# spec file for package openstack-ironic-image
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+# needsrootforbuild
+# needsbinariesforbuild
+
+
+Name:           ironic-ipa-ramdisk
+Version:        3.0.0
+Release:        0
+Summary:        Kernel and ramdisk image for OpenStack Ironic
+License:        SUSE-EULA
+Group:          System/Management
+URL:            https://github.com/SUSE-Cloud/
+Source0:        config.sh
+Source10:       ironic-ipa-ramdisk.kiwi
+Source20:       root.tar.bz2
+
+BuildRequires:  -post-build-checks
+BuildRequires:  bash
+BuildRequires:  kiwi
+BuildRequires:  kiwi-tools
+BuildRequires:  zypper
+BuildArch:      noarch
+
+BuildRequires:  checkmedia
+BuildRequires:  acl
+BuildRequires:  ca-certificates
+BuildRequires:  cracklib-dict-full
+BuildRequires:  cron
+BuildRequires:  dbus-1
+BuildRequires:  elfutils
+BuildRequires:  filesystem
+BuildRequires:  fipscheck
+BuildRequires:  fontconfig
+BuildRequires:  fonts-config
+BuildRequires:  gptfdisk
+BuildRequires:  grub2
+BuildRequires:  grub2-x86_64-efi
+BuildRequires:  haveged
+BuildRequires:  hdparm
+BuildRequires:  hwinfo
+BuildRequires:  ipmitool
+BuildRequires:  iproute2
+BuildRequires:  iputils
+BuildRequires:  kernel-default
+BuildRequires:  kernel-firmware
+BuildRequires:  lvm2
+BuildRequires:  net-tools
+BuildRequires:  ntp
+BuildRequires:  open-iscsi
+BuildRequires:  openssh
+BuildRequires:  openstack-ironic-python-agent
+BuildRequires:  pam-config
+BuildRequires:  parted
+BuildRequires:  patterns-base-minimal_base
+BuildRequires:  pinentry
+BuildRequires:  pkgconfig
+BuildRequires:  Mesa-gallium
+BuildRequires:  plymouth
+BuildRequires:  plymouth-scripts
+BuildRequires:  python311-proliantutils
+BuildRequires:  psmisc
+BuildRequires:  qemu-tools
+BuildRequires:  sg3_utils
+BuildRequires:  sles-release
+BuildRequires:  sudo
+BuildRequires:  suse-build-key
+BuildRequires:  systemd-presets-branding-SLE
+BuildRequires:  timezone
+BuildRequires:  udev
+BuildRequires:  vim
+BuildRequires:  wpa_supplicant
+BuildRequires:  dhcp-client
+BuildRequires:  which
+BuildRequires:  NetworkManager
+BuildRequires:  nm-configurator
+BuildRequires:  logrotate
+BuildRequires:  plymouth-dracut
+BuildRequires:  plymouth-theme-bgrt
+BuildRequires:  dracut-kiwi-oem-dump
+BuildRequires:  dracut-kiwi-oem-repart
+BuildRequires:  gfxboot-branding-SLE
+BuildRequires:  grub2-branding-SLE
+BuildRequires:  open-iscsi
+BuildRequires:  plymouth-branding-SLE
+BuildRequires:  lshw
+BuildRequires:  kbd
+%ifarch aarch64
+BuildRequires:  dmidecode
+BuildRequires:  efibootmgr
+%endif
+%ifarch x86_64
+BuildRequires:  dmidecode
+BuildRequires:  efibootmgr
+BuildRequires:  syslinux
+%endif
+
+%description
+Kernel and ramdisk image for use with Metal3
+
+%package %{_arch}
+Summary:        Kernel and ramdisk image for Metal3
+Group:          System/Management
+Provides:       openstack-ironic-python-agent = %{version}
+Obsoletes:      openstack-ironic-python-agent < %{version}
+
+%description %{_arch}
+Kernel and ramdisk image for use with Metal3
+For %{_arch}
+
+%prep
+mkdir -p /tmp/openstack-ironic-image/build /tmp/openstack-ironic-image/root /tmp/openstack-ironic-image/img
+
+cp -a %{SOURCE0} /tmp/openstack-ironic-image/config.sh
+
+cp -a %{SOURCE10} /tmp/openstack-ironic-image/config.kiwi
+
+tar -xC /tmp/openstack-ironic-image/root -f %{SOURCE20}
+
+%build
+if ! which kiwi; then
+    cat <<EOF >&2
+kiwi not found in \$PATH; most likely this build was missing
+the --userootforbuild option.  If you are invoking osc build
+manually, please use 'make buildlocal' instead.
+EOF
+    exit 1
+fi
+
+kiwi-ng --debug --profile default system build --description /tmp/openstack-ironic-image --target-dir /tmp/openstack-ironic-image/img
+
+%install
+TDIR=`mktemp -d /tmp/openstack-ironic-image.XXXXX`
+cd /tmp/openstack-ironic-image/img/build/image-root 
+find . | cpio --create --format=newc --quiet > $TDIR/initrdtmp
+cd $TDIR
+gzip -9 -f initrdtmp
+INITRDGZ=`ls *.gz | head -1`
+gzip -cd $INITRDGZ | xz --check=crc32 -c9 > initrd.xz
+INITRD=`ls *.xz | head -1`
+
+ls /tmp/openstack-ironic-image/img/openstack-ironic-image*
+KERNEL=`ls /tmp/openstack-ironic-image/img/openstack-ironic-image*default*kernel | head -1`
+
+mkdir -p %{buildroot}/srv/tftpboot/openstack-ironic-image
+install -p -m 644 $KERNEL $INITRD %{buildroot}/srv/tftpboot/openstack-ironic-image/
+
+%files %{_arch}
+%defattr(644,root,root)
+%dir %attr(755, root, root) /srv/tftpboot/openstack-ironic-image
+%attr(644, root, root) /srv/tftpboot/openstack-ironic-image/*
+
+%changelog

kube-rbac-proxy-image/Dockerfile

@@ -0,0 +1,35 @@
+# SPDX-License-Identifier: Apache-2.0
+#!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%
+#!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%-%RELEASE%
+#!BuildVersion: 15.6
+ARG SLE_VERSION
+FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
+
+FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
+COPY --from=micro / /installroot/
+RUN zypper --installroot /installroot --non-interactive install --no-recommends kube-rbac-proxy; zypper -n clean; rm -rf /var/log/*
+
+FROM micro AS final
+# Define labels according to https://en.opensuse.org/Building_derived_containers
+# labelprefix=com.suse.application.kube-rbac-proxy
+LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
+LABEL org.opencontainers.image.title="SLE kube-rbac-proxy Container Image"
+LABEL org.opencontainers.image.description="kube-rbac-proxy based on the SLE Base Container Image."
+LABEL org.opencontainers.image.version="%%kube-rbac-proxy_version%%"
+LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="SUSE LLC"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%-%RELEASE%"
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
+LABEL com.suse.eula="SUSE Combined EULA February 2024"
+LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
+LABEL com.suse.image-type="application"
+LABEL com.suse.release-stage="released"
+# endlabelprefix
+
+COPY --from=base /installroot /
+#Install kube-rbac-proxy
+EXPOSE 8080
+USER 65532:65532
+ENTRYPOINT ["/kube-rbac-proxy"]

kube-rbac-proxy-image/_service

@@ -0,0 +1,19 @@
+<services>
+  <service mode="buildtime" name="kiwi_metainfo_helper"/>
+  <service mode="buildtime" name="docker_label_helper"/>
+  <service name="replace_using_package_version" mode="buildtime">
+    <param name="file">Dockerfile</param>
+    <param name="regex">%%kube-rbac-proxy_version%%</param>
+    <param name="package">kube-rbac-proxy</param>
+    <param name="parse-version">patch</param>
+  </service>
+  <service name="replace_using_env" mode="buildtime">
+    <param name="file">Dockerfile</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
+    <param name="var">IMG_PREFIX</param>
+    <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
+    <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
+  </service>
+</services>

kube-rbac-proxy/_service

@@ -2,7 +2,7 @@
  <service name="obs_scm">
     <param name="url">https://github.com/brancz/kube-rbac-proxy</param>
     <param name="scm">git</param>
-    <param name="revision">v0.18.0</param>
+    <param name="revision">v0.18.1</param>
     <param name="version">_auto_</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
@@ -20,4 +20,4 @@
   <service name="go_modules">
   </service>
   <service mode="buildtime" name="set_version" />
-</services>
+</services>

kube-rbac-proxy/kube-rbac-proxy.spec

@@ -17,14 +17,14 @@
 
 
 Name:           kube-rbac-proxy
-Version:        0.18.0
+Version:        0.18.1
-Release:        0.18.0
+Release:        0.18.1
 Summary:        The kube-rbac-proxy is a small HTTP proxy for a single upstream
 License:        Apache-2.0
 URL:            https://github.com/brancz/kube-rbac-proxy
 Source:         kube-rbac-proxy-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.22
+BuildRequires:  golang(API) = 1.23
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 

metal3-chart/_service

@@ -2,14 +2,14 @@
   <service mode="buildtime" name="kiwi_metainfo_helper"/>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">values.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Chart.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
   </service>
 </services>

metallb-chart/_service

@@ -2,14 +2,14 @@
   <service mode="buildtime" name="kiwi_metainfo_helper"/>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">values.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Chart.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
   </service>
 </services>

metallb-chart/values.yaml

@@ -59,7 +59,7 @@ prometheus:
   # the image to be used for the kuberbacproxy container
   rbacProxy:
     repository: "%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy"
-    tag: "v0.18.0"
+    tag: "0.18.1"
     pullPolicy: IfNotPresent
 
   # Prometheus Operator PodMonitors

metallb-controller-image/Dockerfile

@@ -21,7 +21,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

metallb-controller-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

metallb-speaker-image/Dockerfile

@@ -21,7 +21,7 @@ LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
-LABEL com.suse.supportlevel="l3"
+LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"

metallb-speaker-image/_service

@@ -9,9 +9,11 @@
   </service>
   <service name="replace_using_env" mode="buildtime">
     <param name="file">Dockerfile</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
     <param name="var">IMG_PREFIX</param>
     <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
     <param name="var">IMG_REPO</param>
+    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
+    <param name="var">SUPPORT_LEVEL</param>
   </service>
 </services>

nm-configurator/nmc.spec

@@ -16,7 +16,7 @@
 #
 
 
-Name:           nm-configurator-031
+Name:           nm-configurator
 Version:        0.3.1
 Release:        0
 Summary:        NM Configurator

rancher-turtles-airgap-resources-chart/Chart.yaml

@@ -0,0 +1,10 @@
+#!BuildTag: %%IMG_PREFIX%%rancher-turtles-airgap-resources-chart:0.3.3
+#!BuildTag: %%IMG_PREFIX%%rancher-turtles-airgap-resources-chart:0.3.3-%RELEASE%
+apiVersion: v2
+appVersion: 0.11.0
+description: Rancher Turtles utility chart for airgap scenarios
+home: https://github.com/rancher/turtles/
+icon: https://raw.githubusercontent.com/rancher/turtles/main/logos/capi.svg
+name: rancher-turtles-airgap-resources
+type: application
+version: 0.3.3

rancher-turtles-airgap-resources-chart/README.md

@@ -0,0 +1,26 @@
+# Deploy Rancher Turtles in airgapped scenarios
+
+To simplify deployment of the suse-edge rancher-turtles wrapper chart in airgapped scenarios
+this chart deploys the corresponding ConfigMap resources, as described in the
+[Rancher Turtles Documentation](https://turtles.docs.rancher.com/getting-started/air-gapped-environment)
+
+In addition to installing the chart, it will be necessary to adjust the rancher-turtles chart values:
+
+```
+cluster-api-operator:
+  cluster-api:
+    core:
+      fetchConfig:
+        selector: "{\"matchLabels\": {\"provider-components\": \"core\"}}"
+    rke2:
+      bootstrap:
+        fetchConfig:
+          selector: "{\"matchLabels\": {\"provider-components\": \"rke2-bootstrap\"}}"
+      controlPlane:
+        fetchConfig:
+          selector: "{\"matchLabels\": {\"provider-components\": \"rke2-control-plane\"}}"
+    metal3:
+      infrastructure:
+        fetchConfig:
+          selector: "{\"matchLabels\": {\"provider-components\": \"metal3\"}}"
+```