added macro to set support level l3

2024-11-07 15:57:22 +02:00
123 changed files with 1047 additions and 3740 deletions
--- a/.obs/delete_package.py
+++ b/.obs/delete_package.py
@@ -21,7 +21,7 @@ def delete_package_from_workflow(name: str):
 def delete_package_from_project(name: str):
-    p = subprocess.run(["osc", "rdelete", PROJECT, name, "-m \"Deleted via delete_package.py\"" ], stdout=subprocess.PIPE)
+    p = subprocess.run(["osc", "rdelete", PROJECT, name], stdout=subprocess.PIPE)
    print(p.stdout)
    print(p.stderr)
    p.check_returncode()
--- a/.obs/workflows.yml
+++ b/.obs/workflows.yml
@@ -66,6 +66,14 @@ staging_build:
      source_package: frr-k8s
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: cluster-api
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: cluster-api-operator
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: kubectl
      source_project: isv:SUSE:Edge:Factory
@@ -74,6 +82,10 @@ staging_build:
      source_package: upgrade-controller
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: cluster-api-provider-rke2
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: nm-configurator
      source_project: isv:SUSE:Edge:Factory
@@ -110,6 +122,10 @@ staging_build:
      source_package: cdi-chart
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: cluster-api-controller-image
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: cluster-api-provider-metal3-image
      source_project: isv:SUSE:Edge:Factory
@@ -118,6 +134,10 @@ staging_build:
      source_package: metallb-chart
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: cluster-api-operator-image
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: sriov-crd-chart
      source_project: isv:SUSE:Edge:Factory
@@ -134,6 +154,10 @@ staging_build:
      source_package: ironic-ipa-downloader-image
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: cluster-api-provider-rke2-controlplane-image
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: upgrade-controller-image
      source_project: isv:SUSE:Edge:Factory
@@ -146,6 +170,10 @@ staging_build:
      source_package: baremetal-operator-image
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: cluster-api-provider-rke2-bootstrap-image
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: sriov-network-operator-chart
      source_project: isv:SUSE:Edge:Factory
@@ -166,47 +194,3 @@ staging_build:
      source_package: ironic-image
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: cri-tools
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: crudini
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: fakeroot
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: ipcalc
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: autoconf
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: rancher-turtles-airgap-resources-chart
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: rancher-turtles-chart
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: kube-rbac-proxy-image
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: ironic-ipa-ramdisk
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: kubevirt-dashboard-extension-chart
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
  - branch_package:
      source_package: kiwi-builder-image
      source_project: isv:SUSE:Edge:Factory
      target_project: isv:SUSE:Edge:Factory:Staging
--- a/README.md
+++ b/README.md
@@ -13,26 +13,3 @@ Then run the `.obs/add_package.py` script to create the package in the OBS proje
 This script is using the `osc` command behind the scenes, so ensure you have it installed and correctly configured, as well as you have the correct permissions to create a new package in the project.
 You will then get asked to push your changes.
 ## Testing a fork or a development branch
 You can create a project in your home space in OBS, use the same prjconf as the one of "isv:SUSE:Edge:Factory", and copy the repositories part of the metadata (adjust self references).
 Then add a scmsync stanza to your metadata like this (adjust repository path and branch):
 ```xml
 <scmsync>https://src.opensuse.org/suse-edge/Factory#main</scmsync>
 ```
 ## Cutting a release version branch
 1. Do the appropriate git branch command
 2. Change the project path in `.obs/common.py` file (e.g. from `isv:SUSE:Edge:Factory` to `isv:SUSE:Edge:3.2`)
 3. Change the branch reference in `.obs/common.py` file (e.g. from `main` to `3.2`)
 4. Edit the `.obs/workflows.yml` file to change the references to the correct projects
 5. Commit those changes to the new branch and push the new branch
 6. Create the base and to-test projects (e.g. `isv:SUSE:Edge:3.2` and `isv:SUSE:Edge:3.2:ToTest`), use the `isv:SUSE:Edge:Factory` projects as example for metadata part
 7. Use the prjconf of Factory in all those projects
 8. Run the `.obs/sync_packages.py` script to create all the packages in the base project
 9. Go take a few cups of coffee/tea/mate/... while waiting for OBS to build everything
 10. Once built do an `osc release` of the project for it to be copied over in the `ToTest` section
 11. Hand over to QA to test whatever is in `ToTest`. (You can continue to work on the base branch if needed meanwhile)
--- a/akri-dashboard-extension-chart/Chart.yaml
+++ b/akri-dashboard-extension-chart/Chart.yaml
@@ -1,5 +1,5 @@
-#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:1.2.0
+#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:1.1.0
-#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:1.2.0-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%akri-dashboard-extension-chart:1.1.0-%RELEASE%
 annotations:
  catalog.cattle.io/certified: rancher
  catalog.cattle.io/display-name: Akri
@@ -7,14 +7,14 @@ annotations:
  catalog.cattle.io/namespace: cattle-ui-plugin-system
  catalog.cattle.io/os: linux
  catalog.cattle.io/permits-os: linux, windows
-  catalog.cattle.io/rancher-version: '>= 2.10.0-0'
+  catalog.cattle.io/rancher-version: '>= v2.9.0'
  catalog.cattle.io/scope: management
  catalog.cattle.io/ui-component: plugins
-  catalog.cattle.io/ui-extensions-version: '>= 3.0.0'
+  catalog.cattle.io/ui-extensions-version: '>= 2.0.1'
 apiVersion: v2
-appVersion: 1.2.0
+appVersion: 1.1.0
 description: 'SUSE Edge: Akri extension for Rancher Dashboard'
 icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/akri/icon/color/akri-icon-color.svg
 name: akri-dashboard-extension
 type: application
-version: 1.2.0
+version: 1.1.0
--- a/akri-dashboard-extension-chart/templates/_helpers.tpl
+++ b/akri-dashboard-extension-chart/templates/_helpers.tpl
@@ -60,4 +60,4 @@ Pkg annotations
 {{ $key }}: {{ $value | quote }}
 {{- end }}
 {{- end }}
-{{- end }}
+{{- end }}
--- a/akri-dashboard-extension-chart/templates/cr.yaml
+++ b/akri-dashboard-extension-chart/templates/cr.yaml
@@ -8,7 +8,7 @@ spec:
  plugin:
    name: {{ include "extension-server.fullname" . }}
    version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
-    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/1.2.0
+    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/akri-dashboard-extension/1.1.0
    noCache: {{ .Values.plugin.noCache }}
    noAuth: {{ .Values.plugin.noAuth }}
-    metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}
+    metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}
--- a/akri-dashboard-extension-chart/values.yaml
+++ b/akri-dashboard-extension-chart/values.yaml
@@ -7,6 +7,6 @@ plugin:
  noAuth: false
  metadata:
    catalog.cattle.io/display-name: Akri
-    catalog.cattle.io/rancher-version: ">= 2.10.0-0"
+    catalog.cattle.io/rancher-version: ">= v2.9.0"
-    catalog.cattle.io/ui-extensions-version: ">= 3.0.0"
+    catalog.cattle.io/ui-extensions-version: ">= 2.0.1"
    catalog.cattle.io/kube-version: ">= v1.26.0-0"
--- a/baremetal-operator/_service
+++ b/baremetal-operator/_service
@@ -2,7 +2,7 @@
 <service name="obs_scm">
    <param name="url">https://github.com/metal3-io/baremetal-operator</param>
    <param name="scm">git</param>
-    <param name="revision">v0.8.0</param>
+    <param name="revision">v0.6.1</param>
    <param name="version">_auto_</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
--- a/baremetal-operator/baremetal-operator.spec
+++ b/baremetal-operator/baremetal-operator.spec
@@ -17,14 +17,14 @@
 Name:           baremetal-operator
-Version:        0.8.0
+Version:        0.6.1
-Release:        0.8.0
+Release:        0.6.1
 Summary:        Implements a Kubernetes API for managing bare metal hosts
 License:        Apache-2.0
 URL:            https://github.com/metal3-io/baremetal-operator
 Source:         baremetal-operator-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.22
+BuildRequires:  golang(API) = 1.21
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
--- a/cluster-api-controller-image/Dockerfile
+++ b/cluster-api-controller-image/Dockerfile
@@ -1,25 +1,26 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%
+#!BuildTag: %%IMG_PREFIX%%cluster-api-controller:v%%cluster-api_version%%
-#!BuildTag: %%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%cluster-api-controller:%%cluster-api_version%%
 #!BuildTag: %%IMG_PREFIX%%cluster-api-controller:%%cluster-api_version%%-%RELEASE%
 #!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
 COPY --from=micro / /installroot/
-RUN zypper --installroot /installroot --non-interactive install --no-recommends kube-rbac-proxy; zypper -n clean; rm -rf /var/log/*
+RUN zypper --installroot /installroot --non-interactive install --no-recommends cluster-api shadow; zypper -n clean; rm -rf /var/log/*
 FROM micro AS final
 # Define labels according to https://en.opensuse.org/Building_derived_containers
-# labelprefix=com.suse.application.kube-rbac-proxy
+# labelprefix=com.suse.application.cluster-api
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
-LABEL org.opencontainers.image.title="SLE kube-rbac-proxy Container Image"
+LABEL org.opencontainers.image.title="SLE cluster-api Container Image"
-LABEL org.opencontainers.image.description="kube-rbac-proxy based on the SLE Base Container Image."
+LABEL org.opencontainers.image.description="cluster-api based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="%%kube-rbac-proxy_version%%"
+LABEL org.opencontainers.image.version="%%cluster-api_version%%"
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy:%%kube-rbac-proxy_version%%-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api:%%cluster-api_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -29,7 +30,7 @@ LABEL com.suse.release-stage="released"
 # endlabelprefix
 COPY --from=base /installroot /
-#Install kube-rbac-proxy
+RUN mv /usr/bin/cluster-api-controller /manager
-EXPOSE 8080
+# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
-USER 65532:65532
+USER 65532
-ENTRYPOINT ["/kube-rbac-proxy"]
+ENTRYPOINT [ "/manager" ]
--- a/cluster-api-controller-image/_service
+++ b/cluster-api-controller-image/_service
@@ -3,8 +3,8 @@
  <service mode="buildtime" name="docker_label_helper"/>
  <service name="replace_using_package_version" mode="buildtime">
    <param name="file">Dockerfile</param>
-    <param name="regex">%%kube-rbac-proxy_version%%</param>
+    <param name="regex">%%cluster-api_version%%</param>
-    <param name="package">kube-rbac-proxy</param>
+    <param name="package">cluster-api</param>
    <param name="parse-version">patch</param>
  </service>
  <service name="replace_using_env" mode="buildtime">
--- a/cluster-api-operator-image/Dockerfile
+++ b/cluster-api-operator-image/Dockerfile
@@ -0,0 +1,35 @@
 # SPDX-License-Identifier: Apache-2.0
 #!BuildTag: %%IMG_PREFIX%%cluster-api-operator:%%cluster-api-operator_version%%
 #!BuildTag: %%IMG_PREFIX%%cluster-api-operator:%%cluster-api-operator_version%%-%RELEASE%
 #!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
 COPY --from=micro / /installroot/
 RUN zypper --installroot /installroot --non-interactive install --no-recommends cluster-api-operator shadow; zypper -n clean; rm -rf /var/log/*
 FROM micro AS final
 # Define labels according to https://en.opensuse.org/Building_derived_containers
 # labelprefix=com.suse.application.cluster-api-operator
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE cluster-api-operator Container Image"
 LABEL org.opencontainers.image.description="cluster-api-operator based on the SLE Base Container Image."
 LABEL org.opencontainers.image.version="%%cluster-api-operator_version%%"
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-operator:%%cluster-api-operator_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"
 LABEL com.suse.release-stage="released"
 # endlabelprefix
 COPY --from=base /installroot /
 RUN mv /usr/bin/cluster-api-operator-controller /manager
 # Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
 USER 65532
 ENTRYPOINT [ "/manager" ]
--- a/cluster-api-operator-image/_service
+++ b/cluster-api-operator-image/_service
@@ -1,11 +1,11 @@
 <services>
  <service mode="buildtime" name="kiwi_metainfo_helper"/>
-  <service name="replace_using_env" mode="buildtime">
+  <service mode="buildtime" name="docker_label_helper"/>
-    <param name="file">README</param>
+  <service name="replace_using_package_version" mode="buildtime">
-    <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
+    <param name="file">Dockerfile</param>
-    <param name="var">IMG_REPO</param>
+    <param name="regex">%%cluster-api-operator_version%%</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
+    <param name="package">cluster-api-operator</param>
-    <param name="var">IMG_PREFIX</param>
+    <param name="parse-version">patch</param>
  </service>
  <service name="replace_using_env" mode="buildtime">
    <param name="file">Dockerfile</param>
--- a/cluster-api-operator/_service
+++ b/cluster-api-operator/_service
@@ -0,0 +1,23 @@
 <services>
 <service name="obs_scm">
    <param name="url">https://github.com/kubernetes-sigs/cluster-api-operator</param>
    <param name="scm">git</param>
    <param name="revision">v0.12.0</param>
    <param name="version">_auto_</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
    <param name="changesauthor">steven.hardy@suse.com</param>
    <param name="match-tag">v*</param>
    <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
    <param name="without-version">yes</param>
    <param name="versionrewrite-replacement">\1</param>
  </service>
  <service mode="buildtime" name="tar" />
  <service mode="buildtime" name="recompress">
    <param name="file">*.tar</param>
    <param name="compression">gz</param>
  </service>
  <service name="go_modules">
  </service>
  <service mode="buildtime" name="set_version" />
 </services>
--- a/cluster-api-operator/cluster-api-operator.spec
+++ b/cluster-api-operator/cluster-api-operator.spec
@@ -0,0 +1,52 @@
 #
 # spec file for package cluster-api-operator
 #
 # Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
 # upon. The license for this file, and modifications and additions to the
 # file, is the same license as for the pristine package itself (unless the
 # license for the pristine package is not an Open Source License, in which
 # case the license is the MIT License). An "Open Source License" is a
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 Name:           cluster-api-operator
 Version:        0.12.0
 Release:        0
 Summary:        Cluster API Core Controller
 License:        Apache-2.0
 URL:            https://github.com/kubernetes-sigs/cluster-api-operator
 Source:         cluster-api-operator-%{version}.tar.gz
 Source1:        vendor.tar.gz
 BuildRequires:  golang(API) = 1.21
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 %description
 Cluster API operator
 %prep
 %autosetup -a1 -n cluster-api-operator-%{version}
 %build
 go build \
   -mod=vendor \
   -buildmode=pie \
   -o cluster-api-operator cmd/main.go
 %install
 install -D -m0755 cluster-api-operator %{buildroot}%{_bindir}/cluster-api-operator-controller
 %files
 %license LICENSE
 %doc README.md
 %{_bindir}/cluster-api-operator-controller
 %changelog
--- a/cluster-api-provider-metal3/_service
+++ b/cluster-api-provider-metal3/_service
@@ -2,7 +2,7 @@
 <service name="obs_scm">
    <param name="url">https://github.com/metal3-io/cluster-api-provider-metal3</param>
    <param name="scm">git</param>
-    <param name="revision">v1.7.2</param>
+    <param name="revision">v1.8.2</param>
    <param name="version">_auto_</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
--- a/cluster-api-provider-metal3/cluster-api-provider-metal3.spec
+++ b/cluster-api-provider-metal3/cluster-api-provider-metal3.spec
@@ -17,14 +17,14 @@
 Name:           cluster-api-provider-metal3
-Version:        1.7.2
+Version:        1.8.2
 Release:        0
 Summary:        Cluster API Infrastructure Provider for Metal3
 License:        Apache-2.0
 URL:            https://github.com/metal3-io/cluster-api-provider-metal3
 Source:         cluster-api-provider-metal3-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.22
+BuildRequires:  golang(API) = 1.21
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
--- a/cluster-api-provider-rke2-bootstrap-image/Dockerfile
+++ b/cluster-api-provider-rke2-bootstrap-image/Dockerfile
@@ -0,0 +1,36 @@
 # SPDX-License-Identifier: Apache-2.0
 #!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-bootstrap:v%%cluster-api-provider-rke2_version%%
 #!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-bootstrap:%%cluster-api-provider-rke2_version%%
 #!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-bootstrap:%%cluster-api-provider-rke2_version%%-%RELEASE%
 #!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
 COPY --from=micro / /installroot/
 RUN zypper --installroot /installroot --non-interactive install --no-recommends cluster-api-provider-rke2-bootstrap shadow; zypper -n clean; rm -rf /var/log/*
 FROM micro AS final
 # Define labels according to https://en.opensuse.org/Building_derived_containers
 # labelprefix=com.suse.application.cluster-api-provider-rke2
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE cluster-api-provider-rke2 Container Image"
 LABEL org.opencontainers.image.description="cluster-api-provider-rke2 based on the SLE Base Container Image."
 LABEL org.opencontainers.image.version="%%cluster-api-provider-rke2_version%%"
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-provider-rke2-bootstrap:%%cluster-api-provider-rke2_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"
 LABEL com.suse.release-stage="released"
 # endlabelprefix
 COPY --from=base /installroot /
 RUN mv /usr/bin/rke2-bootstrap-manager /manager
 # Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
 USER 65532
 ENTRYPOINT [ "/manager" ]
--- a/cluster-api-provider-rke2-bootstrap-image/_service
+++ b/cluster-api-provider-rke2-bootstrap-image/_service
@@ -0,0 +1,19 @@
 <services>
  <service mode="buildtime" name="kiwi_metainfo_helper"/>
  <service mode="buildtime" name="docker_label_helper"/>
  <service name="replace_using_package_version" mode="buildtime">
    <param name="file">Dockerfile</param>
    <param name="regex">%%cluster-api-provider-rke2_version%%</param>
    <param name="package">cluster-api-provider-rke2-bootstrap</param>
    <param name="parse-version">patch</param>
  </service>
  <service name="replace_using_env" mode="buildtime">
    <param name="file">Dockerfile</param>
    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
    <param name="var">IMG_PREFIX</param>
    <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
    <param name="var">IMG_REPO</param>
    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
    <param name="var">SUPPORT_LEVEL</param>
  </service>
 </services>
--- a/cluster-api-provider-rke2-controlplane-image/Dockerfile
+++ b/cluster-api-provider-rke2-controlplane-image/Dockerfile
@@ -0,0 +1,36 @@
 # SPDX-License-Identifier: Apache-2.0
 #!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-controlplane:v%%cluster-api-provider-rke2_version%%
 #!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-controlplane:%%cluster-api-provider-rke2_version%%
 #!BuildTag: %%IMG_PREFIX%%cluster-api-provider-rke2-controlplane:%%cluster-api-provider-rke2_version%%-%RELEASE%
 #!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
 COPY --from=micro / /installroot/
 RUN zypper --installroot /installroot --non-interactive install --no-recommends cluster-api-provider-rke2-control-plane shadow; zypper -n clean; rm -rf /var/log/*
 FROM micro AS final
 # Define labels according to https://en.opensuse.org/Building_derived_containers
 # labelprefix=com.suse.application.cluster-api-provider-rke2
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE cluster-api-provider-rke2 Container Image"
 LABEL org.opencontainers.image.description="cluster-api-provider-rke2 based on the SLE Base Container Image."
 LABEL org.opencontainers.image.version="%%cluster-api-provider-rke2_version%%"
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%cluster-api-provider-rke2-controlplane:%%cluster-api-provider-rke2_version%%-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"
 LABEL com.suse.release-stage="released"
 # endlabelprefix
 COPY --from=base /installroot /
 RUN mv /usr/bin/rke2-control-plane-manager /manager
 # Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
 USER 65532
 ENTRYPOINT [ "/manager" ]
--- a/cluster-api-provider-rke2-controlplane-image/_service
+++ b/cluster-api-provider-rke2-controlplane-image/_service
@@ -0,0 +1,19 @@
 <services>
  <service mode="buildtime" name="kiwi_metainfo_helper"/>
  <service mode="buildtime" name="docker_label_helper"/>
  <service name="replace_using_package_version" mode="buildtime">
    <param name="file">Dockerfile</param>
    <param name="regex">%%cluster-api-provider-rke2_version%%</param>
    <param name="package">cluster-api-provider-rke2-control-plane</param>
    <param name="parse-version">patch</param>
  </service>
  <service name="replace_using_env" mode="buildtime">
    <param name="file">Dockerfile</param>
    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
    <param name="var">IMG_PREFIX</param>
    <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
    <param name="var">IMG_REPO</param>
    <param name="eval">SUPPORT_LEVEL=$(rpm --macros=/root/.rpmmacros -E %support_level)</param>
    <param name="var">SUPPORT_LEVEL</param>
  </service>
 </services>
--- a/cluster-api-provider-rke2/_service
+++ b/cluster-api-provider-rke2/_service
@@ -0,0 +1,23 @@
 <services>
 <service name="obs_scm">
    <param name="url">https://github.com/rancher-sandbox/cluster-api-provider-rke2</param>
    <param name="scm">git</param>
    <param name="revision">v0.8.0</param>
    <param name="version">_auto_</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
    <param name="changesauthor">steven.hardy@suse.com</param>
    <param name="match-tag">v*</param>
    <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
    <param name="without-version">yes</param>
    <param name="versionrewrite-replacement">\1</param>
  </service>
  <service mode="buildtime" name="tar" />
  <service mode="buildtime" name="recompress">
    <param name="file">*.tar</param>
    <param name="compression">gz</param>
  </service>
   <service name="go_modules">
  </service>
  <service mode="buildtime" name="set_version" />
 </services>
--- a/cluster-api-provider-rke2/cluster-api-provider-rke2.spec
+++ b/cluster-api-provider-rke2/cluster-api-provider-rke2.spec
@@ -0,0 +1,61 @@
 #
 # spec file for package cluster-api-provider-rke2
 #
 # Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
 # upon. The license for this file, and modifications and additions to the
 # file, is the same license as for the pristine package itself (unless the
 # license for the pristine package is not an Open Source License, in which
 # case the license is the MIT License). An "Open Source License" is a
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 Name:           cluster-api-provider-rke2
 Version:        0.8.0
 Release:        0
 Summary:        Cluster API provider for RKE2
 License:        Apache-2.0
 URL:            https://github.com/rancher-sandbox/cluster-api-provider-rke2
 Source:         cluster-api-provider-rke2-%{version}.tar.gz
 Source1:        vendor.tar.gz
 BuildRequires:  golang(API) = 1.21
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 %description
 Cluster API provider for RKE2
 %package bootstrap
 Summary: Cluster API bootstrap controller for RKE2
 %description bootstrap
 Cluster API bootstrap controller for RKE2
 %package control-plane
 Summary: Cluster API control-plane controller for RKE2
 %description control-plane
 Cluster API control-plane controller for RKE2
 %prep
 %autosetup -a1 -n cluster-api-provider-rke2-%{version}
 %build
 make managers
 %install
 install -D -m0755 bin/rke2-bootstrap-manager %{buildroot}%{_bindir}/rke2-bootstrap-manager
 install -D -m0755 bin/rke2-control-plane-manager %{buildroot}%{_bindir}/rke2-control-plane-manager
 %files bootstrap
 %{_bindir}/rke2-bootstrap-manager
 %files control-plane
 %{_bindir}/rke2-control-plane-manager
 %changelog
--- a/cluster-api/_service
+++ b/cluster-api/_service
@@ -0,0 +1,23 @@
 <services>
 <service name="obs_scm">
    <param name="url">https://github.com/kubernetes-sigs/cluster-api</param>
    <param name="scm">git</param>
    <param name="revision">v1.8.4</param>
    <param name="version">_auto_</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
    <param name="changesauthor">steven.hardy@suse.com</param>
    <param name="match-tag">v*</param>
    <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
    <param name="without-version">yes</param>
    <param name="versionrewrite-replacement">\1</param>
  </service>
  <service mode="buildtime" name="tar" />
  <service mode="buildtime" name="recompress">
    <param name="file">*.tar</param>
    <param name="compression">gz</param>
  </service>
  <service name="go_modules">
  </service>
  <service mode="buildtime" name="set_version" />
 </services>
--- a/cluster-api/cluster-api.spec
+++ b/cluster-api/cluster-api.spec
@@ -0,0 +1,51 @@
 #
 # spec file for package cluster-api
 #
 # Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
 # upon. The license for this file, and modifications and additions to the
 # file, is the same license as for the pristine package itself (unless the
 # license for the pristine package is not an Open Source License, in which
 # case the license is the MIT License). An "Open Source License" is a
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 Name:           cluster-api
 Version:        1.8.4
 Release:        0
 Summary:        Cluster API Core Controller
 License:        Apache-2.0
 URL:            https://github.com/kubernetes-sigs/cluster-api
 Source:         cluster-api-%{version}.tar.gz
 Source1:        vendor.tar.gz
 BuildRequires:  golang(API) = 1.21
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
 %description
 Cluster API core controller
 %prep
 %autosetup -a1 -n cluster-api-%{version}
 %build
 go build \
   -mod=vendor \
   -buildmode=pie \
 %install
 install -D -m0755 cluster-api %{buildroot}%{_bindir}/cluster-api-controller
 %files
 %license LICENSE
 %doc README.md
 %{_bindir}/cluster-api-controller
 %changelog
--- a/ip-address-manager/_service
+++ b/ip-address-manager/_service
@@ -2,7 +2,7 @@
 <service name="obs_scm">
    <param name="url">https://github.com/metal3-io/ip-address-manager</param>
    <param name="scm">git</param>
-    <param name="revision">v1.7.2</param>
+    <param name="revision">v1.8.1</param>
    <param name="version">_auto_</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
--- a/ip-address-manager/ip-address-manager.spec
+++ b/ip-address-manager/ip-address-manager.spec
@@ -17,14 +17,14 @@
 Name:           ip-address-manager
-Version:        1.7.2
+Version:        1.8.1
 Release:        0
 Summary:        Metal3 IPAM controller
 License:        Apache-2.0
 URL:            https://github.com/metal3-io/ip-address-manager
 Source:         ip-address-manager-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.22
+BuildRequires:  golang(API) = 1.21
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
--- a/ironic-image/Dockerfile
+++ b/ironic-image/Dockerfile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.0
+#!BuildTag: %%IMG_PREFIX%%ironic:24.1.2.0
-#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.0-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic:24.1.2.0-%RELEASE%
 #!BuildVersion: 15.6
 ARG SLE_VERSION
@@ -16,12 +16,7 @@ RUN /bin/prepare-efi.sh
 COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
-RUN zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp syslinux ipxe-bootimgs crudini openstack-ironic
+RUN zypper --installroot /installroot --non-interactive install --no-recommends python311-devel python311 python311-pip python-dracclient python311-sushy-oem-idrac python311-proliantutils python311-sushy python3-ironicclient git curl sles-release tar gzip vim gawk dnsmasq dosfstools apache2 apache2-mod_wsgi inotify-tools ipcalc ipmitool iproute2 procps qemu-tools sqlite3 util-linux xorriso tftp syslinux ipxe-bootimgs python311-sushy-tools crudini openstack-ironic openstack-ironic-inspector-api
 # DATABASE
 RUN mkdir -p /installroot/var/lib/ironic && \
  /installroot/usr/bin/sqlite3 /installroot/var/lib/ironic/ironic.sqlite "pragma journal_mode=wal" && \
  zypper --installroot /installroot --non-interactive remove sqlite3
 FROM micro AS final
 MAINTAINER SUSE LLC (https://www.suse.com/)
@@ -31,8 +26,8 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba
 LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opencontainers.image.version="26.1.2.0"
+LABEL org.opencontainers.image.version="24.1.2.0"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:26.1.2.0-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:24.1.2.0-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
@@ -53,8 +48,8 @@ RUN echo 'alias mkisofs="xorriso -as mkisofs"' >> ~/.bashrc
 COPY mkisofs_wrapper /usr/bin/mkisofs
 RUN set -euo pipefail; chmod +x /usr/bin/mkisofs
-COPY auth-common.sh configure-ironic.sh ironic-common.sh rundnsmasq runhttpd runironic runlogwatch.sh tls-common.sh configure-nonroot.sh ironic-probe.j2 /bin/
+COPY auth-common.sh configure-ironic.sh ironic-common.sh rundnsmasq runhttpd runironic runironic-api runironic-conductor runironic-exporter runironic-inspector runlogwatch.sh tls-common.sh configure-nonroot.sh /bin/
-RUN set -euo pipefail; chmod +x /bin/auth-common.sh; chmod +x /bin/configure-ironic.sh; chmod +x /bin/ironic-common.sh; chmod +x /bin/rundnsmasq; chmod +x /bin/runhttpd; chmod +x /bin/runironic; chmod +x /bin/runlogwatch.sh; chmod +x /bin/tls-common.sh; chmod +x /bin/configure-nonroot.sh;
+RUN set -euo pipefail; chmod +x /bin/auth-common.sh; chmod +x /bin/configure-ironic.sh; chmod +x /bin/ironic-common.sh; chmod +x /bin/rundnsmasq; chmod +x /bin/runhttpd; chmod +x /bin/runironic; chmod +x /bin/runironic-api; chmod +x /bin/runironic-conductor; chmod +x /bin/runironic-exporter; chmod +x /bin/runironic-inspector; chmod +x /bin/runlogwatch.sh; chmod +x /bin/tls-common.sh; chmod +x /bin/configure-nonroot.sh;
 RUN mkdir -p /tftpboot
 RUN mkdir -p $GRUB_DIR
@@ -68,7 +63,7 @@ RUN cp /usr/share/ipxe/ipxe-x86_64.efi /tftpboot/ipxe.efi
 COPY --from=base /tmp/esp.img /tmp/uefi_esp.img
 COPY ironic.conf.j2 /etc/ironic/
-COPY inspector.ipxe.j2 httpd-ironic-api.conf.j2 ipxe_config.template /tmp/
+COPY inspector.ipxe.j2 httpd-ironic-api.conf.j2 /tmp/
 COPY network-data-schema-empty.json /etc/ironic/
 # DNSMASQ
@@ -78,7 +73,14 @@ COPY dnsmasq.conf.j2 /etc/
 COPY httpd.conf.j2 /etc/httpd/conf/
 COPY httpd-modules.conf /etc/httpd/conf.modules.d/
 COPY apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
-COPY apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
+
 # IRONIC-INSPECTOR #
 RUN mkdir -p /var/lib/ironic /var/lib/ironic-inspector && \
  sqlite3 /var/lib/ironic/ironic.db "pragma journal_mode=wal" && \
  sqlite3 /var/lib/ironic-inspector/ironic-inspector.db "pragma journal_mode=wal"
 COPY ironic-inspector.conf.j2 /etc/ironic-inspector/
 COPY inspector-apache.conf.j2 /etc/httpd/conf.d/
 # Workaround
 # Removing the 010-ironic.conf file that comes with the package 
--- a/ironic-image/apache2-ipxe.conf.j2
+++ b/ironic-image/apache2-ipxe.conf.j2
@@ -1,35 +0,0 @@
 Listen {{ env.IPXE_TLS_PORT }}
 <VirtualHost *:{{ env.IPXE_TLS_PORT }}>
    ErrorLog /dev/stderr
    LogLevel debug
    CustomLog /dev/stdout combined
    SSLEngine on
    SSLProtocol {{ env.IPXE_SSL_PROTOCOL }}
    SSLCertificateFile {{ env.IPXE_CERT_FILE }}
    SSLCertificateKeyFile {{ env.IPXE_KEY_FILE }}
    <Directory "/shared/html">
        Order Allow,Deny
        Allow from all
    </Directory>
    <Directory "/shared/html/(redfish|ilo|images)/">
        Order Deny,Allow
        Deny from all
    </Directory>
 </VirtualHost>
 <Location ~ "^/grub.*/">
    SSLRequireSSL
 </Location>
 <Location ~ "^/pxelinux.cfg/">
    SSLRequireSSL
 </Location>
 <Location ~ "^/.*\.conf/">
    SSLRequireSSL
 </Location>
 <Location ~ "^/(([0-9]|[a-z]).*-){4}([0-9]|[a-z]).*/">
    SSLRequireSSL
 </Location>
--- a/ironic-image/apache2-vmedia.conf.j2
+++ b/ironic-image/apache2-vmedia.conf.j2
@@ -9,18 +9,16 @@ Listen {{ env.VMEDIA_TLS_PORT }}
    SSLProtocol {{ env.IRONIC_VMEDIA_SSL_PROTOCOL }}
    SSLCertificateFile {{ env.IRONIC_VMEDIA_CERT_FILE }}
    SSLCertificateKeyFile {{ env.IRONIC_VMEDIA_KEY_FILE }}
    <Directory "/shared">
        AllowOverride None
        Require all granted
    </Directory>
-    <Directory ~ "/shared/html">
+    <Directory "/shared/html">
-         Order deny,allow
+        Options Indexes FollowSymLinks
-         deny from all
+        AllowOverride None
-    </Directory>
+        Require all granted
    <Directory ~ "/shared/html/(redfish|ilo)/">
         Order allow,deny
         allow from all
    </Directory>
    <Directory ~ "/shared/html/images/">
         Order allow,deny
         allow from all
    </Directory>
 </VirtualHost>
--- a/ironic-image/auth-common.sh
+++ b/ironic-image/auth-common.sh
@@ -2,39 +2,36 @@
 set -euxo pipefail
 export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
 export INSPECTOR_HTPASSWD=${INSPECTOR_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
 export IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}"
 export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
-
+export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
 # Backward compatibility
 if [[ "${IRONIC_DEPLOYMENT:-}" == "Conductor" ]]; then
    export IRONIC_EXPOSE_JSON_RPC=true
 else
    export IRONIC_EXPOSE_JSON_RPC="${IRONIC_EXPOSE_JSON_RPC:-false}"
 fi
 IRONIC_HTPASSWD_FILE=/etc/ironic/htpasswd
-if [[ -f "/auth/ironic/htpasswd" ]]; then
+INSPECTOR_HTPASSWD_FILE=/etc/ironic-inspector/htpasswd
    IRONIC_HTPASSWD=$(</auth/ironic/htpasswd)
 fi
 export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
 configure_client_basic_auth()
 {
    local auth_config_file="/auth/$1/auth-config"
    local dest="${2:-/etc/ironic/ironic.conf}"
    if [[ -f "${auth_config_file}" ]]; then
-        # Merge configurations in the "auth" directory into the default ironic configuration file
+        # Merge configurations in the "auth" directory into the default ironic configuration file because there is no way to choose the configuration file
        # when running the api as a WSGI app.
        crudini --merge "${dest}" < "${auth_config_file}"
    fi
 }
 configure_json_rpc_auth()
 {
-    if [[ "${IRONIC_EXPOSE_JSON_RPC}" == "true" ]]; then
+    export JSON_RPC_AUTH_STRATEGY="noauth"
-        if [[ -z "${IRONIC_HTPASSWD}" ]]; then
+    if [[ -n "${IRONIC_HTPASSWD}" ]]; then
-            echo "FATAL: enabling JSON RPC requires authentication"
+        if [[ "${IRONIC_DEPLOYMENT}" == "Conductor" ]]; then
-            exit 1
+            export JSON_RPC_AUTH_STRATEGY="http_basic"
            printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
        else
            printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
        fi
        printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
    fi
 }
@@ -51,9 +48,24 @@ configure_ironic_auth()
    fi
 }
 configure_inspector_auth()
 {
    local config=/etc/ironic-inspector/ironic-inspector.conf
    if [[ -n "${INSPECTOR_HTPASSWD}" ]]; then
        printf "%s\n" "${INSPECTOR_HTPASSWD}" > "${INSPECTOR_HTPASSWD_FILE}"
        if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "false" ]]; then
            crudini --set "${config}" DEFAULT auth_strategy http_basic
            crudini --set "${config}" DEFAULT http_basic_auth_user_file "${INSPECTOR_HTPASSWD_FILE}"
        fi
    fi
 }
 write_htpasswd_files()
 {
    if [[ -n "${IRONIC_HTPASSWD:-}" ]]; then
        printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
    fi
    if [[ -n "${INSPECTOR_HTPASSWD:-}" ]]; then
        printf "%s\n" "${INSPECTOR_HTPASSWD}" > "${INSPECTOR_HTPASSWD_FILE}"
    fi
 }
--- a/ironic-image/configure-ironic.sh
+++ b/ironic-image/configure-ironic.sh
@@ -2,13 +2,14 @@
 set -euxo pipefail
 IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}"
 IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}"
 # Define the VLAN interfaces to be included in introspection report, e.g.
 #   all - all VLANs on all interfaces using LLDP information
 #   <interface> - all VLANs on a particular interface using LLDP information
 #   <interface.vlan> - a particular VLAN on an interface, not relying on LLDP
-export IRONIC_ENABLE_VLAN_INTERFACES=${IRONIC_ENABLE_VLAN_INTERFACES:-${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}}
+export IRONIC_INSPECTOR_VLAN_INTERFACES=${IRONIC_INSPECTOR_VLAN_INTERFACES:-all}
 # shellcheck disable=SC1091
 . /bin/tls-common.sh
@@ -19,17 +20,13 @@ export IRONIC_ENABLE_VLAN_INTERFACES=${IRONIC_ENABLE_VLAN_INTERFACES:-${IRONIC_I
 export HTTP_PORT=${HTTP_PORT:-80}
-export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true}
+MARIADB_PASSWORD=${MARIADB_PASSWORD}
-
+MARIADB_DATABASE=${MARIADB_DATABASE:-ironic}
-if [[ "$IRONIC_USE_MARIADB" == "true" ]]; then
+MARIADB_USER=${MARIADB_USER:-ironic}
-    MARIADB_PASSWORD=${MARIADB_PASSWORD}
+MARIADB_HOST=${MARIADB_HOST:-127.0.0.1}
-    MARIADB_DATABASE=${MARIADB_DATABASE:-ironic}
+export MARIADB_CONNECTION="mysql+pymysql://${MARIADB_USER}:${MARIADB_PASSWORD}@${MARIADB_HOST}/${MARIADB_DATABASE}?charset=utf8"
-    MARIADB_USER=${MARIADB_USER:-ironic}
+if [[ "$MARIADB_TLS_ENABLED" == "true" ]]; then
-    MARIADB_HOST=${MARIADB_HOST:-127.0.0.1}
+    export MARIADB_CONNECTION="${MARIADB_CONNECTION}&ssl=on&ssl_ca=${MARIADB_CACERT_FILE}"
    export MARIADB_CONNECTION="mysql+pymysql://${MARIADB_USER}:${MARIADB_PASSWORD}@${MARIADB_HOST}/${MARIADB_DATABASE}?charset=utf8"
    if [[ "$MARIADB_TLS_ENABLED" == "true" ]]; then
        export MARIADB_CONNECTION="${MARIADB_CONNECTION}&ssl=on&ssl_ca=${MARIADB_CACERT_FILE}"
    fi
 fi
 # TODO(dtantsur): remove the explicit default once we get
@@ -40,6 +37,9 @@ if [[ "$NUMPROC" -lt 4 ]]; then
 fi
 export NUMWORKERS=${NUMWORKERS:-$NUMPROC}
 export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true}
 export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-true}
 # Whether to enable fast_track provisioning or not
 export IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true}
@@ -58,14 +58,16 @@ wait_for_interface_or_ip
 export IRONIC_CONDUCTOR_HOST=${IRONIC_CONDUCTOR_HOST:-${IRONIC_URL_HOST}}
 export IRONIC_BASE_URL=${IRONIC_BASE_URL:-"${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"}
 export IRONIC_INSPECTOR_BASE_URL=${IRONIC_INSPECTOR_BASE_URL:-"${IRONIC_INSPECTOR_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_INSPECTOR_ACCESS_PORT}"}
 if [[ -n "$IRONIC_EXTERNAL_IP" ]]; then
-    export IRONIC_EXTERNAL_CALLBACK_URL=${IRONIC_EXTERNAL_CALLBACK_URL:-"${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"}
+    export IRONIC_EXTERNAL_CALLBACK_URL="${IRONIC_SCHEME}://${IRONIC_EXTERNAL_IP}:${IRONIC_ACCESS_PORT}"
    if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
-        export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"https://${IRONIC_EXTERNAL_IP}:${VMEDIA_TLS_PORT}"}
+        export IRONIC_EXTERNAL_HTTP_URL="https://${IRONIC_EXTERNAL_IP}:${VMEDIA_TLS_PORT}"
    else
-        export IRONIC_EXTERNAL_HTTP_URL=${IRONIC_EXTERNAL_HTTP_URL:-"http://${IRONIC_EXTERNAL_IP}:${HTTP_PORT}"}
+        export IRONIC_EXTERNAL_HTTP_URL="http://${IRONIC_EXTERNAL_IP}:${HTTP_PORT}"
    fi
    export IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE="https://${IRONIC_EXTERNAL_IP}:${IRONIC_INSPECTOR_ACCESS_PORT}"
 fi
 IMAGE_CACHE_PREFIX=/shared/html/images/ironic-python-agent
@@ -88,32 +90,13 @@ mkdir -p /shared/ironic_prometheus_exporter
 configure_json_rpc_auth
 if [[ -f /proc/sys/crypto/fips_enabled ]]; then
    ENABLE_FIPS_IPA=$(cat /proc/sys/crypto/fips_enabled)
    export ENABLE_FIPS_IPA
 fi
 # The original ironic.conf is empty, and can be found in ironic.conf_orig
 render_j2_config /etc/ironic/ironic.conf.j2 /etc/ironic/ironic.conf
 if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
    configure_client_basic_auth ironic-inspector
 fi
 configure_client_basic_auth ironic-rpc
 # Make sure ironic traffic bypasses any proxies
 export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
 PROBE_CURL_ARGS=
 if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
    if [[ "${IRONIC_PRIVATE_PORT}" == "unix" ]]; then
        PROBE_URL="http://127.0.0.1:6385"
        PROBE_CURL_ARGS="--unix-socket /shared/ironic.sock"
    else
        PROBE_URL="http://127.0.0.1:${IRONIC_PRIVATE_PORT}"
    fi
 else
        PROBE_URL="${IRONIC_BASE_URL}"
 fi
 export PROBE_CURL_ARGS
 export PROBE_URL
 PROBE_KIND=readiness render_j2_config /bin/ironic-probe.j2 /bin/ironic-readiness
 PROBE_KIND=liveness render_j2_config /bin/ironic-probe.j2 /bin/ironic-liveness
--- a/ironic-image/configure-nonroot.sh
+++ b/ironic-image/configure-nonroot.sh
@@ -10,12 +10,12 @@ useradd -r -g ${NONROOT_GID} \
           -d /var/lib/ironic \
           -s /sbin/nologin \
           ${USER}
-
+           
 # create ironic's http_root directory
 mkdir -p /shared/html
 chown "${NONROOT_UID}":"${NONROOT_GID}" /shared/html
-# we'll bind mount shared ca and ironic certificate dirs here
+# we'll bind mount shared ca and ironic/inspector certificate dirs here
 # that need to have correct ownership as the entire ironic in BMO
 # deployment shares a single fsGroup in manifest's securityContext
 mkdir -p /certs/ca
@@ -26,15 +26,17 @@ chmod 2775 /certs{,/ca}
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/apache2
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /run
-# ironic and httpd related changes
+# ironic, inspector and httpd related changes
 mkdir -p /etc/httpd/conf.d
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/ironic /etc/httpd /etc/httpd
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/ironic-inspector
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/log
-chmod 2775 /etc/ironic /etc/httpd/conf /etc/httpd/conf.d
+chmod 2775 /etc/ironic /etc/ironic-inspector /etc/httpd/conf /etc/httpd/conf.d
-chmod 664 /etc/ironic/* /etc/httpd/conf/* /etc/httpd/conf.d/*
+chmod 664 /etc/ironic/* /etc/ironic-inspector/* /etc/httpd/conf/* /etc/httpd/conf.d/*
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ironic
-chmod 664 /var/lib/ironic/ironic.sqlite
+chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ironic-inspector
 chmod 2775 /var/lib/ironic /var/lib/ironic-inspector
 chmod 664 /var/lib/ironic/ironic.db /var/lib/ironic-inspector/ironic-inspector.db
 # dnsmasq, and the capabilities required to run it as non-root user
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /etc/dnsmasq.conf /var/lib/dnsmasq
@@ -46,8 +48,3 @@ chmod 664 /etc/dnsmasq.conf /var/lib/dnsmasq/dnsmasq.leases
 touch /var/lib/ca-certificates/ca-bundle.pem.new
 chown -R "${NONROOT_UID}":"${NONROOT_GID}" /var/lib/ca-certificates/
 chmod -R +w /var/lib/ca-certificates/
 # probes that are created before start
 touch /bin/ironic-{readi,live}ness
 chown root:"${NONROOT_GID}" /bin/ironic-{readi,live}ness
 chmod 775 /bin/ironic-{readi,live}ness
--- a/ironic-image/dnsmasq.conf.j2
+++ b/ironic-image/dnsmasq.conf.j2
@@ -29,23 +29,13 @@ dhcp-option=option{% if ":" in env["DNS_IP"] %}6{% endif %}:dns-server,{{ env["D
 # IPv4 Configuration:
 dhcp-match=ipxe,175
 # Client is already running iPXE; move to next stage of chainloading
 {%- if env.IPXE_TLS_SETUP == "true"  %}
 # iPXE with (U)EFI
 dhcp-boot=tag:efi,tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/snponly.efi
 # iPXE with BIOS
 dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/custom-ipxe/undionly.kpxe
 {% else %}
 dhcp-boot=tag:ipxe,http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/boot.ipxe
 {% endif %}
 # Note: Need to test EFI booting
 dhcp-match=set:efi,option:client-arch,7
 dhcp-match=set:efi,option:client-arch,9
 dhcp-match=set:efi,option:client-arch,11
-# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader do the same also if iPXE ROM boots but TLS is enabled
+# Client is PXE booting over EFI without iPXE ROM; send EFI version of iPXE chainloader
 {%- if env.IPXE_TLS_SETUP == "true"  %}
 dhcp-boot=tag:efi,tag:ipxe,snponly.efi
 {% endif %}
 dhcp-boot=tag:efi,tag:!ipxe,snponly.efi
 # Client is running PXE over BIOS; send BIOS version of iPXE chainloader
--- a/ironic-image/httpd-ironic-api.conf.j2
+++ b/ironic-image/httpd-ironic-api.conf.j2
@@ -19,6 +19,8 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
 <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}>
 {% endif %}
    {% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}
    {% if env.IRONIC_PRIVATE_PORT == "unix" %}
    ProxyPass "/"  "unix:/shared/ironic.sock|http://127.0.0.1/"
    ProxyPassReverse "/"  "unix:/shared/ironic.sock|http://127.0.0.1/"
@@ -27,8 +29,14 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
    ProxyPassReverse "/"  "http://127.0.0.1:{{ env.IRONIC_PRIVATE_PORT }}/"
    {% endif %}
    {% else %}
    WSGIDaemonProcess ironic user=ironic group=ironic threads=10 display-name=%{GROUP}
    WSGIScriptAlias / /usr/bin/ironic-api-wsgi
    {% endif %}
    SetEnv APACHE_RUN_USER ironic-suse
    SetEnv APACHE_RUN_GROUP ironic-suse
    WSGIProcessGroup ironic-suse
    ErrorLog /dev/stderr
    LogLevel debug
@@ -41,6 +49,7 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
    SSLCertificateKeyFile {{ env.IRONIC_KEY_FILE }}
 {% endif %}
    {% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}
    <Location />
         {% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
            AuthType Basic
@@ -49,6 +58,22 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
            Require valid-user
         {% endif %}
    </Location>
    {% else %}
    <Directory /usr/bin >
        WSGIProcessGroup ironic
        WSGIApplicationGroup %{GLOBAL}
        AllowOverride None
        {% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
        AuthType Basic
        AuthName "Restricted WSGI area"
        AuthUserFile "/etc/ironic/htpasswd"
        Require valid-user
        {% else %}
        Require all granted
        {% endif %}
    </Directory>
    {% endif %}
    <Location ~ "^/(v1/?)?$" >
        Require all granted
--- a/ironic-image/httpd-modules.conf
+++ b/ironic-image/httpd-modules.conf
@@ -5,6 +5,7 @@ LoadModule dir_module /usr/lib64/apache2/mod_dir.so
 LoadModule authz_core_module /usr/lib64/apache2/mod_authz_core.so
 #LoadModule unixd_module modules/mod_unixd.so
 #LoadModule mpm_event_module modules/mod_mpm_event.so
 LoadModule wsgi_module /usr/lib64/apache2/mod_wsgi.so
 LoadModule ssl_module /usr/lib64/apache2/mod_ssl.so
 LoadModule env_module /usr/lib64/apache2/mod_env.so
 LoadModule proxy_module /usr/lib64/apache2/mod_proxy.so
--- a/ironic-image/httpd.conf.j2
+++ b/ironic-image/httpd.conf.j2
@@ -1,6 +1,6 @@
 ServerRoot "/etc/httpd"
 {%- if env.LISTEN_ALL_INTERFACES | lower == "true" %}
-Listen {{ env.HTTP_PORT }}
+Listen [::]:{{ env.HTTP_PORT }}
 {% else %}
 Listen {{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
 {% endif %}
--- a/ironic-image/inspector.ipxe.j2
+++ b/ironic-image/inspector.ipxe.j2
@@ -5,6 +5,6 @@ echo In inspector.ipxe
 imgfree
 # NOTE(dtantsur): keep inspection kernel params in [mdns]params in
 # ironic-inspector-image and configuration in configure-ironic.sh
-kernel --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
+kernel --timeout 60000 http://{{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot
-initrd --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.initramfs || goto retry_boot
+initrd --timeout 60000 http://{{ env.IRONIC_IP }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.initramfs || goto retry_boot
 boot
--- a/ironic-image/ipxe_config.template
+++ b/ironic-image/ipxe_config.template
@@ -1,81 +0,0 @@
 #!ipxe
 set attempts:int32 10
 set i:int32 0
 goto deploy
 :deploy
 imgfree
 {%- if pxe_options.deployment_aki_path %}
 {%- set aki_path_https_elements = pxe_options.deployment_aki_path.split(':') %}
 {%- set aki_port_and_path = aki_path_https_elements[2].split('/') %}
 {%- set aki_afterport = aki_port_and_path[1:]|join('/') %}
 {%- set aki_path_https = ['https:', aki_path_https_elements[1], ':8084/', aki_afterport]|join %}
 {%- endif %}
 {%- if pxe_options.deployment_ari_path %}
 {%- set ari_path_https_elements = pxe_options.deployment_ari_path.split(':') %}
 {%- set ari_port_and_path = ari_path_https_elements[2].split('/') %}
 {%- set ari_afterport = ari_port_and_path[1:]|join('/') %}
 {%- set ari_path_https = ['https:', ari_path_https_elements[1], ':8084/', ari_afterport]|join %}
 {%- endif %}
 kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} selinux=0 troubleshoot=0 text {{ pxe_options.pxe_append_params|default("", true) }} BOOTIF=${mac} initrd={{ pxe_options.initrd_filename|default("deploy_ramdisk", true) }} || goto retry
 initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto retry
 boot
 :retry
 iseq ${i} ${attempts} && goto fail ||
 inc i
 echo No response, retrying in ${i} seconds.
 sleep ${i}
 goto deploy
 :fail
 echo Failed to get a response after ${attempts} attempts
 echo Powering off in 30 seconds.
 sleep 30
 poweroff
 :boot_anaconda
 imgfree
 kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} text {{ pxe_options.pxe_append_params|default("", true) }} inst.ks={{ pxe_options.ks_cfg_url }} {% if pxe_options.repo_url %}inst.repo={{ pxe_options.repo_url }}{% else %}inst.stage2={{ pxe_options.stage2_url }}{% endif %} initrd=ramdisk || goto boot_anaconda
 initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_anaconda
 boot
 :boot_ramdisk
 imgfree
 {%- if pxe_options.boot_iso_url %}
 sanboot {{ pxe_options.boot_iso_url }}
 {%- else %}
 kernel {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ aki_path_https }} root=/dev/ram0 text {{ pxe_options.pxe_append_params|default("", true) }} {{ pxe_options.ramdisk_opts|default('', true) }} initrd=ramdisk || goto boot_ramdisk
 initrd {% if pxe_options.ipxe_timeout > 0 %}--timeout {{ pxe_options.ipxe_timeout }} {% endif %}{{ ari_path_https }} || goto boot_ramdisk
 boot
 {%- endif %}
 {%- if pxe_options.boot_from_volume %}
 :boot_iscsi
 imgfree
 {% if pxe_options.username %}set username {{ pxe_options.username }}{% endif %}
 {% if pxe_options.password %}set password {{ pxe_options.password }}{% endif %}
 {% if pxe_options.iscsi_initiator_iqn %}set initiator-iqn {{ pxe_options.iscsi_initiator_iqn }}{% endif %}
 sanhook --drive 0x80 {{ pxe_options.iscsi_boot_url }} || goto fail_iscsi_retry
 {%- if pxe_options.iscsi_volumes %}{% for i, volume in enumerate(pxe_options.iscsi_volumes) %}
 set username {{ volume.username }}
 set password {{ volume.password }}
 {%- set drive_id = 129 + i %}
 sanhook --drive {{ '0x%x' % drive_id }} {{ volume.url }} || goto fail_iscsi_retry
 {%- endfor %}{% endif %}
 {% if pxe_options.iscsi_volumes %}set username {{ pxe_options.username }}{% endif %}
 {% if pxe_options.iscsi_volumes %}set password {{ pxe_options.password }}{% endif %}
 sanboot --no-describe || goto fail_iscsi_retry
 :fail_iscsi_retry
 echo Failed to attach iSCSI volume(s), retrying in 10 seconds.
 sleep 10
 goto boot_iscsi
 {%- endif %}
 :boot_whole_disk
 sanboot --no-describe || exit 0
--- a/ironic-image/ironic-common.sh
+++ b/ironic-image/ironic-common.sh
@@ -6,7 +6,6 @@ IRONIC_IP="${IRONIC_IP:-}"
 PROVISIONING_INTERFACE="${PROVISIONING_INTERFACE:-}"
 PROVISIONING_IP="${PROVISIONING_IP:-}"
 PROVISIONING_MACS="${PROVISIONING_MACS:-}"
 IPXE_CUSTOM_FIRMWARE_DIR="${IPXE_CUSTOM_FIRMWARE_DIR:-/shared/custom_ipxe_firmware}"
 get_provisioning_interface()
 {
@@ -73,10 +72,7 @@ wait_for_interface_or_ip()
 render_j2_config()
 {
    ls $1 # DEBUG
    python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1"
    python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$1" > "$2"
    ls $2 # DEBUG
 }
 run_ironic_dbsync()
@@ -90,18 +86,25 @@ run_ironic_dbsync()
        done
    else
        # SQLite does not support some statements. Fortunately, we can just create
-        # the schema in one go if not already created, instead of going through an upgrade
+        # the schema in one go instead of going through an upgrade.
-        DB_VERSION="$(ironic-dbsync --config-file /etc/ironic/ironic.conf version)"
+        ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
        if [[ "${DB_VERSION}" == "None" ]]; then
            ironic-dbsync --config-file /etc/ironic/ironic.conf create_schema
        fi
    fi
 }
 # Use the special value "unix" for unix sockets
-export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-unix}
+export IRONIC_PRIVATE_PORT=${IRONIC_PRIVATE_PORT:-6388}
 export IRONIC_INSPECTOR_PRIVATE_PORT=${IRONIC_INSPECTOR_PRIVATE_PORT:-5049}
 export IRONIC_ACCESS_PORT=${IRONIC_ACCESS_PORT:-6385}
 export IRONIC_LISTEN_PORT=${IRONIC_LISTEN_PORT:-$IRONIC_ACCESS_PORT}
-export IRONIC_ENABLE_DISCOVERY=${IRONIC_ENABLE_DISCOVERY:-${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}}
+export IRONIC_INSPECTOR_ACCESS_PORT=${IRONIC_INSPECTOR_ACCESS_PORT:-5050}
 export IRONIC_INSPECTOR_LISTEN_PORT=${IRONIC_INSPECTOR_LISTEN_PORT:-$IRONIC_INSPECTOR_ACCESS_PORT}
 # If this is false, built-in inspection is used.
 export USE_IRONIC_INSPECTOR=${USE_IRONIC_INSPECTOR:-true}
 export IRONIC_INSPECTOR_ENABLE_DISCOVERY=${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}
 if [[ "${USE_IRONIC_INSPECTOR}" != "true" ]] && [[ "${IRONIC_INSPECTOR_ENABLE_DISCOVERY}" == "true" ]]; then
    echo "Discovery is only supported with ironic-inspector at this point"
    exit 1
 fi
--- a/ironic-image/ironic-probe.j2
+++ b/ironic-image/ironic-probe.j2
@@ -1,9 +0,0 @@
 #!/bin/bash
 set -eu -o pipefail
 curl -sSf {{ env.PROBE_CURL_ARGS }} "{{ env.PROBE_URL }}"
 # TODO(dtantsur): when PROBE_KIND==readiness, try the conductor and driver API
 # to make sure the conductor is ready. This requires having access to secrets
 # since these endpoints are authenticated.
--- a/ironic-image/ironic.conf.j2
+++ b/ironic-image/ironic.conf.j2
@@ -1,22 +1,28 @@
 [DEFAULT]
 {% if env.AUTH_STRATEGY is defined %}
 auth_strategy = {{ env.AUTH_STRATEGY }}
 {% if env.AUTH_STRATEGY == "http_basic" %}
 http_basic_auth_user_file=/etc/ironic/htpasswd
 {% endif %}
 {% else %}
 auth_strategy = noauth
 {% endif %}
 debug = true
 default_deploy_interface = direct
-default_inspect_interface = agent
+default_inspect_interface = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %}
 default_network_interface = noop
-enabled_bios_interfaces = no-bios,redfish,idrac-redfish,irmc,ilo
+enabled_bios_interfaces = idrac-wsman,no-bios,redfish,idrac-redfish,irmc,ilo
-enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media,redfish-https
+enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media
 enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
 enabled_firmware_interfaces = no-firmware,fake,redfish
 # NOTE(dtantsur): when changing this, make sure to update the driver
 # dependencies in Dockerfile.
 enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,manual-management,ilo,ilo5
-enabled_inspect_interfaces = agent,irmc,fake,redfish,ilo
+enabled_inspect_interfaces = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %},idrac-wsman,irmc,fake,redfish,ilo
-enabled_management_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
+enabled_management_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ilo,ilo5,noop
-enabled_network_interfaces = noop
+enabled_power_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ilo
-enabled_power_interfaces = ipmitool,irmc,fake,redfish,idrac-redfish,ilo
+enabled_raid_interfaces = no-raid,irmc,agent,fake,idrac-wsman,redfish,idrac-redfish,ilo5
-enabled_raid_interfaces = no-raid,irmc,agent,fake,redfish,idrac-redfish,ilo5
+enabled_vendor_interfaces = no-vendor,ipmitool,idrac-wsman,idrac-redfish,redfish,ilo,fake
-enabled_vendor_interfaces = no-vendor,ipmitool,idrac-redfish,redfish,ilo,fake
+enabled_firmware_interfaces = no-firmware,fake,redfish
 {% if env.IRONIC_EXPOSE_JSON_RPC | lower == "true" %}
 rpc_transport = json-rpc
 {% else %}
@@ -26,7 +32,14 @@ use_stderr = true
 # NOTE(dtantsur): the default md5 is not compatible with FIPS mode
 hash_ring_algorithm = sha256
 my_ip = {{ env.IRONIC_IP }}
 {% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
 # if access is unauthenticated, we bind only to localhost - use that as the
 # host name also, so that the client can find the server
 # If we run both API and conductor in the same pod, use localhost
 host = localhost
 {% else %}
 host = {{ env.IRONIC_CONDUCTOR_HOST }}
 {% endif %}
 # If a path to a certificate is defined, use that first for webserver
 {% if env.WEBSERVER_CACERT_FILE %}
@@ -83,7 +96,7 @@ send_sensor_data = {{ env.SEND_SENSOR_DATA }}
 # Power state is checked every 60 seconds and BMC activity should
 # be avoided more often than once every sixty seconds.
 send_sensor_data_interval = 160
-bootloader = http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/uefi_esp.img
+bootloader = {{ env.IRONIC_BOOT_BASE_URL }}/uefi_esp.img
 verify_step_priority_override = management.clear_job_queue:90
 # We don't use this feature, and it creates an additional load on the database
 node_history = False
@@ -112,7 +125,7 @@ default_boot_option = local
 erase_devices_metadata_priority = 10
 erase_devices_priority = 0
 http_root = /shared/html/
-http_url = http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}
+http_url = {{ env.IRONIC_BOOT_BASE_URL }}
 fast_track = {{ env.IRONIC_FAST_TRACK }}
 {% if env.IRONIC_BOOT_ISO_SOURCE %}
 ramdisk_image_download_source = {{ env.IRONIC_BOOT_ISO_SOURCE }}
@@ -130,22 +143,26 @@ external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
 dhcp_provider = none
 [inspector]
 # NOTE(dtantsur): we properly configure the "unmanaged" inspection boot (i.e.
 # booting IPA through a separate inspector.ipxe rather than the driver's boot
 # interface), so managed boot is not required.
 require_managed_boot = False
 power_off = {{ false if env.IRONIC_FAST_TRACK == "true" else true }}
 # NOTE(dtantsur): keep inspection arguments synchronized with inspector.ipxe
 # Also keep in mind that only parameters unique for inspection go here.
 # No need to duplicate pxe_append_params/kernel_append_params.
-extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1
+extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
 {% if env.USE_IRONIC_INSPECTOR == "true" %}
 endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
 {% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
 cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }}
 insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
 {% endif %}
 {% if env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE %}
 callback_endpoint_override = {{ env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE }}
 {% endif %}
 {% else %}
 hooks = $default_hooks,parse-lldp
 add_ports = all
 keep_ports = present
-
+{% endif %}
 [auto_discovery]
 enabled = {{ env.IRONIC_ENABLE_DISCOVERY }}
 driver = ipmi
 [ipmi]
 # use_ipmitool_retries transfers the responsibility of retrying to ipmitool
@@ -174,9 +191,15 @@ cipher_suite_versions = 3,17
 # authentication over localhost, using the same credentials as API, to prevent
 # unauthenticated connections from other processes in the same host since the
 # containers are in host networking.
-auth_strategy = http_basic
+auth_strategy = {{ env.JSON_RPC_AUTH_STRATEGY }}
 http_basic_auth_user_file = /etc/ironic/htpasswd-rpc
 {% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
 # if access is unauthenticated, we bind only to localhost - use that as the
 # host name also, so that the client can find the server
 host_ip = localhost
 {% else %}
 host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
 {% endif %}
 {% if env.IRONIC_TLS_SETUP == "true" %}
 use_ssl = true
 cafile = {{ env.IRONIC_CACERT_FILE }}
@@ -201,27 +224,24 @@ images_path = /shared/html/tmp
 instance_master_path = /shared/html/master_images
 tftp_master_path = /shared/tftpboot/master_images
 tftp_root = /shared/tftpboot
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 # This makes networking boot templates generated even for nodes using local
 # boot (the default), ensuring that they boot correctly even if they start
 # netbooting for some reason (e.g. with the noop management interface).
 enable_netboot_fallback = true
 # Enable the fallback path to in-band inspection
 ipxe_fallback_script = inspector.ipxe
 {% if env.IPXE_TLS_SETUP | lower == "true" %}
 ipxe_config_template = /tmp/ipxe_config.template
 {% endif %}
 [redfish]
 use_swift = false
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 [ilo]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 use_web_server_for_images = true
 [irmc]
-kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.ENABLE_FIPS_IPA %}fips={{ env.ENABLE_FIPS_IPA|trim }}{% endif %} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes net.ifnames={{ '0' if env.PREDICTABLE_NIC_NAMES == 'false' else '1' }}
+kernel_append_params = nofb nomodeset vga=normal ipa-insecure={{ env.IPA_INSECURE }} {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} systemd.journald.forward_to_console=yes
 [service_catalog]
 endpoint_override = {{ env.IRONIC_BASE_URL }}
--- a/ironic-image/rundnsmasq
+++ b/ironic-image/rundnsmasq
@@ -4,8 +4,6 @@ set -eux
 # shellcheck disable=SC1091
 . /bin/ironic-common.sh
 # shellcheck disable=SC1091
 . /bin/tls-common.sh
 export HTTP_PORT=${HTTP_PORT:-80}
 DNSMASQ_EXCEPT_INTERFACE=${DNSMASQ_EXCEPT_INTERFACE:-lo}
@@ -21,13 +19,7 @@ mkdir -p /shared/html/images
 mkdir -p /shared/html/pxelinux.cfg
 # Copy files to shared mount
-if [[ -r "${IPXE_CUSTOM_FIRMWARE_DIR}" ]]; then
+cp /tftpboot/undionly.kpxe /tftpboot/snponly.efi /shared/tftpboot
    cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
        "${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
        "/shared/tftpboot"
 else
    cp /tftpboot/undionly.kpxe /tftpboot/snponly.efi /shared/tftpboot
 fi
 # Template and write dnsmasq.conf
 # we template via /tmp as sed otherwise creates temp files in /etc directory
--- a/ironic-image/runhttpd
+++ b/ironic-image/runhttpd
@@ -8,7 +8,10 @@
 export HTTP_PORT=${HTTP_PORT:-80}
 export VMEDIA_TLS_PORT=${VMEDIA_TLS_PORT:-8083}
 INSPECTOR_ORIG_HTTPD_CONFIG=/etc/httpd/conf.d/inspector-apache.conf.j2
 INSPECTOR_RESULT_HTTPD_CONFIG=/etc/httpd/conf.d/ironic-inspector.conf
 export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
 export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
 # In Metal3 context they are called node images in Ironic context they are
 # called user images.
@@ -30,7 +33,11 @@ chmod 0777 /shared/html
 IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}"
-INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
+if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
    INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue"
 else
    INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
 fi
 if [[ "$IRONIC_FAST_TRACK" == "true" ]]; then
    INSPECTOR_EXTRA_ARGS+=" ipa-api-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}"
@@ -44,6 +51,14 @@ cp /tmp/uefi_esp.img /shared/html/uefi_esp.img
 # Render the core httpd config
 render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf
 if [[ "$USE_IRONIC_INSPECTOR" == "true" ]] && [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then
    if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "true" ]]; then
        render_j2_config "$INSPECTOR_ORIG_HTTPD_CONFIG" "$INSPECTOR_RESULT_HTTPD_CONFIG"
    fi
 else
    export INSPECTOR_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
 fi
 if [[ "$IRONIC_TLS_SETUP" == "true" ]]; then
    if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
        render_j2_config /tmp/httpd-ironic-api.conf.j2 /etc/httpd/conf.d/ironic.conf
@@ -59,14 +74,12 @@ if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
    render_j2_config /etc/httpd-vmedia.conf.j2 /etc/httpd/conf.d/vmedia.conf
 fi
-# Render httpd TLS configuration for /shared/html
+# Set up inotify to kill the container (restart) whenever cert files for ironic inspector change
-if [[ "$IPXE_TLS_SETUP" == "true" ]]; then
+if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
-    mkdir -p /shared/html/custom-ipxe
+    # shellcheck disable=SC2034
-    chmod 0777 /shared/html/custom-ipxe
+    inotifywait -m -e delete_self "${IRONIC_INSPECTOR_CERT_FILE}" | while read -r file event; do
-    render_j2_config "/etc/httpd-ipxe.conf.j2" "/etc/httpd/conf.d/ipxe.conf"
+        kill -WINCH $(pgrep httpd)
-    cp "${IPXE_CUSTOM_FIRMWARE_DIR}/undionly.kpxe" \
+    done &
       "${IPXE_CUSTOM_FIRMWARE_DIR}/snponly.efi" \
       "/shared/html/custom-ipxe"
 fi
 # Set up inotify to kill the container (restart) whenever cert files for ironic api change
--- a/ironic-image/runironic
+++ b/ironic-image/runironic
@@ -1,7 +1,9 @@
 #!/usr/bin/bash
-# This setting must go before configure-ironic since it has different defaults.
+# These settings must go before configure-ironic since it has different
 # defaults.
 export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
 export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-false}
 # shellcheck disable=SC1091
 . /bin/configure-ironic.sh
--- a/ironic-image/runlogwatch.sh
+++ b/ironic-image/runlogwatch.sh
@@ -1,11 +1,20 @@
 #!/usr/bin/bash
 # Ramdisk logs path
-LOG_DIR="/shared/log/ironic/deploy"
+LOG_DIRS=("/shared/log/ironic/deploy" "/shared/log/ironic-inspector/ramdisk")
-inotifywait -m "${LOG_DIR}" -e close_write |
+while :; do
-    while read -r path _action file; do
+    for LOG_DIR in "${LOG_DIRS[@]}"; do
-        echo "************ Contents of ${path}/${file} ramdisk log file bundle **************"
+        if ! ls "${LOG_DIR}"/*.tar.gz 1> /dev/null 2>&1; then
-        tar -xOzvvf "${path}/${file}" | sed -e "s/^/${file}: /"
+            continue
-        rm -f "${path}/${file}"
+        fi
        for fn in "${LOG_DIR}"/*.tar.gz; do
            echo "************ Contents of $fn ramdisk log file bundle **************"
            tar -xOzvvf "$fn" | sed -e "s/^/$(basename "$fn"): /"
            rm -f "$fn"
        done
    done
    sleep 5
 done
--- a/ironic-image/tls-common.sh
+++ b/ironic-image/tls-common.sh
@@ -5,25 +5,24 @@ export IRONIC_KEY_FILE=/certs/ironic/tls.key
 export IRONIC_CACERT_FILE=/certs/ca/ironic/tls.crt
 export IRONIC_INSECURE=${IRONIC_INSECURE:-false}
 export IRONIC_SSL_PROTOCOL=${IRONIC_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
 export IPXE_SSL_PROTOCOL=${IPXE_SSL_PROTOCOL:-"-ALL +TLSv1.2 +TLSv1.3"}
 export IRONIC_VMEDIA_SSL_PROTOCOL=${IRONIC_VMEDIA_SSL_PROTOCOL:-"ALL"}
 export IRONIC_INSPECTOR_CERT_FILE=/certs/ironic-inspector/tls.crt
 export IRONIC_INSPECTOR_KEY_FILE=/certs/ironic-inspector/tls.key
 export IRONIC_INSPECTOR_CACERT_FILE=/certs/ca/ironic-inspector/tls.crt
 export IRONIC_INSPECTOR_INSECURE=${IRONIC_INSPECTOR_INSECURE:-$IRONIC_INSECURE}
 export IRONIC_VMEDIA_CERT_FILE=/certs/vmedia/tls.crt
 export IRONIC_VMEDIA_KEY_FILE=/certs/vmedia/tls.key
 export IPXE_CERT_FILE=/certs/ipxe/tls.crt
 export IPXE_KEY_FILE=/certs/ipxe/tls.key
 export RESTART_CONTAINER_CERTIFICATE_UPDATED=${RESTART_CONTAINER_CERTIFICATE_UPDATED:-"false"}
 export MARIADB_CACERT_FILE=/certs/ca/mariadb/tls.crt
 export IPXE_TLS_PORT="${IPXE_TLS_PORT:-8084}"
 mkdir -p /certs/ironic
 mkdir -p /certs/ironic-inspector
 mkdir -p /certs/ca/ironic
-mkdir -p /certs/ipxe
+mkdir -p /certs/ca/ironic-inspector
 mkdir -p /certs/vmedia
 if [[ -f "$IRONIC_CERT_FILE" ]] && [[ ! -f "$IRONIC_KEY_FILE" ]]; then
    echo "Missing TLS Certificate key file $IRONIC_KEY_FILE"
@@ -34,6 +33,15 @@ if [[ ! -f "$IRONIC_CERT_FILE" ]] && [[ -f "$IRONIC_KEY_FILE" ]]; then
    exit 1
 fi
 if [[ -f "$IRONIC_INSPECTOR_CERT_FILE" ]] && [[ ! -f "$IRONIC_INSPECTOR_KEY_FILE" ]]; then
    echo "Missing TLS Certificate key file $IRONIC_INSPECTOR_KEY_FILE"
    exit 1
 fi
 if [[ ! -f "$IRONIC_INSPECTOR_CERT_FILE" ]] && [[ -f "$IRONIC_INSPECTOR_KEY_FILE" ]]; then
    echo "Missing TLS Certificate file $IRONIC_INSPECTOR_CERT_FILE"
    exit 1
 fi
 if [[ -f "$IRONIC_VMEDIA_CERT_FILE" ]] && [[ ! -f "$IRONIC_VMEDIA_KEY_FILE" ]]; then
    echo "Missing TLS Certificate key file $IRONIC_VMEDIA_KEY_FILE"
    exit 1
@@ -43,15 +51,6 @@ if [[ ! -f "$IRONIC_VMEDIA_CERT_FILE" ]] && [[ -f "$IRONIC_VMEDIA_KEY_FILE" ]];
    exit 1
 fi
 if [[ -f "$IPXE_CERT_FILE" ]] && [[ ! -f "$IPXE_KEY_FILE" ]]; then
    echo "Missing TLS Certificate key file $IPXE_KEY_FILE"
    exit 1
 fi
 if [[ ! -f "$IPXE_CERT_FILE" ]] && [[ -f "$IPXE_KEY_FILE" ]]; then
    echo "Missing TLS Certificate file $IPXE_CERT_FILE"
    exit 1
 fi
 copy_atomic()
 {
    local src="$1"
@@ -76,18 +75,23 @@ else
    export IRONIC_SCHEME="http"
 fi
-if [[ -f "$IRONIC_VMEDIA_CERT_FILE" ]]; then
+if [[ -f "$IRONIC_INSPECTOR_CERT_FILE" ]] || [[ -f "$IRONIC_INSPECTOR_CACERT_FILE" ]]; then
-    export IRONIC_VMEDIA_TLS_SETUP="true"
+    export IRONIC_INSPECTOR_TLS_SETUP="true"
    export IRONIC_INSPECTOR_SCHEME="https"
    if [[ ! -f "$IRONIC_INSPECTOR_CACERT_FILE" ]]; then
        copy_atomic "$IRONIC_INSPECTOR_CERT_FILE" "$IRONIC_INSPECTOR_CACERT_FILE"
    fi
 else
-    export IRONIC_VMEDIA_TLS_SETUP="false"
+    export IRONIC_INSPECTOR_TLS_SETUP="false"
    export IRONIC_INSPECTOR_SCHEME="http"
 fi
-if [[ -f "$IPXE_CERT_FILE" ]]; then
+if [[ -f "$IRONIC_VMEDIA_CERT_FILE" ]]; then
-    export IPXE_SCHEME="https"
+    export IRONIC_VMEDIA_SCHEME="https"
-    export IPXE_TLS_SETUP="true"
+    export IRONIC_VMEDIA_TLS_SETUP="true"
 else
-    export IPXE_SCHEME="http"
+    export IRONIC_VMEDIA_SCHEME="http"
-    export IPXE_TLS_SETUP="false"
+    export IRONIC_VMEDIA_TLS_SETUP="false"
 fi
 if [[ -f "$MARIADB_CACERT_FILE" ]]; then
--- a/ironic-ipa-downloader-image/Dockerfile
+++ b/ironic-ipa-downloader-image/Dockerfile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.0
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:2.0.0
-#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.0-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:2.0.0-%RELEASE%
 #!BuildVersion: 15.6
 ARG SLE_VERSION
 FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
@@ -8,7 +8,7 @@ FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
 FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
 COPY --from=micro / /installroot/
 RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf
-RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 python311-devel python311 python311-pip tar gawk git curl xz fakeroot shadow sed cpio; zypper -n clean; rm -rf /var/log/*
+RUN zypper --installroot /installroot --non-interactive install --no-recommends openstack-ironic-image-x86_64 python311-devel python311 python311-pip tar gawk git curl xz fakeroot shadow sed cpio; zypper -n clean; rm -rf /var/log/*
 #RUN zypper --installroot /installroot --non-interactive install --no-recommends sles-release;
 RUN cp /usr/bin/getopt /installroot/
@@ -19,11 +19,11 @@ FROM micro AS final
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image"
 LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image."
-LABEL org.opencontainers.image.version="3.0.0"
+LABEL org.opencontainers.image.version="2.0.0"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
-LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.0-%RELEASE%"
+LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:2.0.0-%RELEASE%"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
--- a/ironic-ipa-downloader-image/_service
+++ b/ironic-ipa-downloader-image/_service
@@ -3,8 +3,8 @@
  <service mode="buildtime" name="docker_label_helper"/>
  <service name="replace_using_package_version" mode="buildtime">
    <param name="file">Dockerfile</param>
-    <param name="regex">%%ironic-ipa-ramdisk-x86_64_version%%</param>
+    <param name="regex">%%openstack-ironic-image-x86_64_version%%</param>
-    <param name="package">ironic-ipa-ramdisk-x86_64</param>
+    <param name="package">openstack-ironic-image-x86_64</param>
    <param name="parse-version">patch</param>
  </service>
  <service name="replace_using_env" mode="buildtime">
--- a/ironic-ipa-ramdisk/root.tar.bz2
+++ b/ironic-ipa-ramdisk/root.tar.bz2
--- a/kiwi-builder-image/Dockerfile
+++ b/kiwi-builder-image/Dockerfile
@@ -1,38 +0,0 @@
 #!BuildTag: kiwi-builder:10.1
 FROM registry.suse.com/bci/kiwi:10.1.10
 MAINTAINER SUSE LLC (https://www.suse.com/)
 # Define labels according to https://en.opensuse.org/Building_derived_containers
 # labelprefix=com.suse.application.akri
 LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
 LABEL org.opencontainers.image.title="SLE Kiwi Builder Container Image"
 LABEL org.opencontainers.image.description="kiwi-builder based on the SLE Base Container Image."
 LABEL org.opencontainers.image.version="%PACKAGE_VERSION%"
 LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/"
 LABEL org.opencontainers.image.created="%BUILDTIME%"
 LABEL org.opencontainers.image.vendor="SUSE LLC"
 LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%kiwi-builder:10.1"
 LABEL org.openbuildservice.disturl="%DISTURL%"
 LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%"
 LABEL com.suse.eula="SUSE Combined EULA February 2024"
 LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
 LABEL com.suse.image-type="application"
 LABEL com.suse.release-stage="released"
 # endlabelprefix
 # Install required packages for Kiwi to function as expected
 # Should be provided via https://github.com/SUSE/BCI-dockerfile-generator/pull/1770
 # RUN zypper in -y gawk && zypper clean -a
 # Configure Kiwi to use kpartx
 RUN echo -e "mapper:\n  - part_mapper: kpartx" > /etc/kiwi.yml
 # Copy build script into image and make it executable
 ADD build-image.sh /usr/bin/build-image
 RUN chmod a+x /usr/bin/build-image
 # Make a directory for the standard SL Micro Kiwi definition and config file and copy them in
 RUN mkdir -p /micro-sdk/defs
 ADD SL-Micro.kiwi /micro-sdk/defs
 ADD SL-Micro.kiwi.4096 /micro-sdk/defs
 ADD config.sh /micro-sdk/defs
--- a/kiwi-builder-image/README
+++ b/kiwi-builder-image/README
@@ -1,51 +0,0 @@
 ###########################
 Kiwi SDK Image Instructions
 ###########################
 Please ensure that you're running this on a registered SLE Micro 6.0 system, and make sure that SELinux is disabled:
 # setenforce 0
 Next, download the podman image:
 # podman pull %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10
 Make a local output directory (where the images will reside):
 # mkdir output
 Then, to build a standard "Default" image, run the following in podman:
 # podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10 build-image
 To build a SelfInstall ISO, you can add additional flags, for example:
 # podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10 build-image -p Default-SelfInstall
 To build an image with a RealTime kernel, e.g. a RAW disk image ("Default"), use the following:
 # podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10 build-image -p Base-RT
 To build an image that supports a large block/sectorsize (4096), use the "-b" flag, for example:
 # podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10 build-image -p Default-SelfInstall -b
 # mkdir mydefs/
 # cp /path/to/SL-Micro.kiwi mydefs/
 # cp /path/to/config.sh mydefs/
 # podman run --privileged -v /etc/zypp/repos.d:/micro-sdk/repos/ -v ./output:/tmp/output -v ./mydefs/:/micro-sdk/defs/ -it %%IMG_REPO%%/%%IMG_PREFIXkiwi-builder:10 build-image
 All output will be in the local $(pwd)/output directory, for example:
 # ls -1 output/
 SLE-Micro.x86_64-6.0.changes
 SLE-Micro.x86_64-6.0.packages
 SLE-Micro.x86_64-6.0.raw
 SLE-Micro.x86_64-6.0.verified
 build
 kiwi.result
 kiwi.result.json
 Note, if you want to rebuild the image, you'll need to empty the output directory, or Kiwi will error due to existing output files:
 # rm -rf output/*
--- a/kiwi-builder-image/SL-Micro.kiwi
+++ b/kiwi-builder-image/SL-Micro.kiwi
@@ -1,777 +0,0 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- OBS-Profiles: @BUILD_FLAVOR@ -->
 <!-- OBS-Milestone: %current_milestone -->
 <!-- OBS-BcntSyncTag: SL-Micro -->
 <image schemaversion="7.5" name="SL-Micro" displayname="SL Micro">
    <description type="system">
        <author>SUSE</author>
        <contact>crc@suse.com</contact>
        <specification>SL Micro</specification>
    </description>
    <profiles>
        <!-- Profiles used as dependencies of actual image profiles -->
        <!-- Flavors -->
        <profile name="full" description="SL Micro as KVM and Container host"/>
        <profile name="container-host" description="SL Micro as Container host"/>
        <profile name="ecs_anywhere" description="Amazon ECS Anywhere support"/>
        <!-- Platforms - support profiles -->
        <profile name="bootloader" description="Bootloader files for x86_64 and aarch64"/>
        <profile name="self_install" description="Self Installing ISO media"/>
        <!-- Platforms -->
        <profile name="x86" description="Raw disk for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-vmware" description="Raw disk for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-encrypted" description="Raw disk for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-self_install" description="Raw disk for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64-self_install" description="Raw disk for aarch64" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-legacy" description="Raw disk for x86_64 - legacy boot" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-rt" description="Raw disk for x86_64 with RT kernel - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-rt-encrypted" description="Raw disk for x86_64 with RT kernel - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-rt-self_install" description="Raw disk for x86_64 with RT kernel - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="rpi" description="Raw disk for Raspberry Pi" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-qcow" description="qcow2 for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
 	<profile name="aarch64-qcow" description="qcow2 for aarch64 - uEFI" arch="aarch64">
 	  <requires profile="bootloader"/>
 	</profile>
        <profile name="s390-kvm" description="Raw disk for s390 - DASD" arch="s390x">
            <requires profile="bootloader"/>
        </profile>
        <profile name="s390-dasd" description="Raw disk for s390 - DASD" arch="s390x">
            <requires profile="bootloader"/>
        </profile>
        <profile name="s390-fba" description="Raw disk for s390 - DASD" arch="s390x">
            <requires profile="bootloader"/>
        </profile>
        <!-- Images (flavor + platform) -->
        <profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
            <requires profile="full"/>
            <requires profile="x86"/>
        </profile>
        <profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86"/>
        </profile>
        <profile name="Default-VMware" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
            <requires profile="full"/>
            <requires profile="x86-vmware"/>
        </profile>
        <profile name="Base-VMware" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
 	    <requires profile="x86-vmware"/>
        </profile>
        <profile name="Default-encrypted" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
            <requires profile="full"/>
            <requires profile="x86-encrypted"/>
        </profile>
        <profile name="Base-encrypted" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-encrypted"/>
        </profile>
        <profile name="Base-RT-encrypted" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-rt-encrypted"/>
        </profile>
        <profile name="Default-SelfInstall" description="SL Micro with Podman and KVM as raw image with uEFI boot - SelfInstall" arch="x86_64">
            <requires profile="full"/>
            <requires profile="x86-self_install"/>
            <requires profile="self_install"/>
        </profile>
        <profile name="Base-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-self_install"/>
            <requires profile="self_install"/>
        </profile>
        <profile name="Default-SelfInstall" description="SL Micro with Podman and KVM as raw image with uEFI boot - SelfInstall" arch="aarch64">
            <requires profile="full"/>
            <requires profile="aarch64-self_install"/>
            <requires profile="self_install"/>
        </profile>
        <profile name="Base-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64-self_install"/>
            <requires profile="self_install"/>
        </profile>
        <profile name="ECS-Anywhere" description="SL Micro with Podman and ECS Anywhere packagesas raw image with uEFI boot" arch="x86_64">
            <requires profile="full"/>
            <requires profile="ecs_anywhere"/>
            <requires profile="x86"/>
        </profile>
        <profile name="ECS-Anywhere-SelfInstall" description="SL Micro with Podman and ECS Anywhere packages as raw image with uEFI boot - SelfInstall" arch="x86_64">
            <requires profile="full"/>
            <requires profile="ecs_anywhere"/>
            <requires profile="x86-self_install"/>
            <requires profile="self_install"/>
        </profile>
        <profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="aarch64">
            <requires profile="full"/>
            <requires profile="rpi"/>
        </profile>
        <profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="rpi"/>
        </profile>
        <profile name="Base-RT" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-rt"/>
        </profile>
        <profile name="Base-RT-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-rt-self_install"/>
            <requires profile="self_install"/>
        </profile>
        <profile name="Default-qcow" description="SL Micro with Podman and KVM as raw image for KVM on System z" arch="s390x">
            <requires profile="full"/>
            <requires profile="s390-kvm"/>
        </profile>
        <profile name="Base-qcow" description="SL Micro with Podman as raw image for KVM on System z" arch="s390x">
            <requires profile="container-host"/>
            <requires profile="s390-kvm"/>
        </profile>
        <profile name="Default-dasd" description="SL Micro with Podman and KVM as raw image for KVM on System z" arch="s390x">
            <requires profile="full"/>
            <requires profile="s390-dasd"/>
        </profile>
        <profile name="Base-dasd" description="SL Micro with Podman as raw image for KVM on System z" arch="s390x">
            <requires profile="container-host"/>
            <requires profile="s390-dasd"/>
        </profile>
        <profile name="Default-fba" description="SL Micro with Podman and KVM as raw image for KVM on System z" arch="s390x">
            <requires profile="full"/>
            <requires profile="s390-fba"/>
        </profile>
        <profile name="Base-fba" description="SL Micro with Podman as raw image for KVM on System z" arch="s390x">
            <requires profile="container-host"/>
            <requires profile="s390-fba"/>
        </profile>
        <profile name="Default-legacy" description="SL Micro with Podman as raw image with legacy boot" arch="x86_64">
            <requires profile="full"/>
            <requires profile="x86-legacy"/>
        </profile>
        <profile name="Default-qcow" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
            <requires profile="full"/>
            <requires profile="x86-qcow"/>
        </profile>
        <profile name="Base-qcow" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-qcow"/>
        </profile>
 	<profile name="Default-qcow" description="SL Micro with Podman and KMV as raw image with uEFI boot" arch="aarch64">
 	    <requires profile="full"/>
 	    <requires profile="aarch64-qcow"/>
        </profile>
 	<profile name="Base-qcow" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
 	    <requires profile="container-host"/>
 	    <requires profile="aarch64-qcow"/>
        </profile>
    </profiles>
    <preferences profiles="x86-encrypted,x86-rt-encrypted">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            initrd_system="dracut"
            filesystem="btrfs"
            firmware="uefi"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
            luks_version="luks2"
            luks="1234"
 	    luks_randomize="false"
 	    luks_pbkdf="pbkdf2"
        >
            <luksformat>
                <option name="--cipher" value="aes"/>
            </luksformat>
            <bootloader name="grub2" console="gfxterm" use_disk_password="true" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/i386-pc"/>
                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">4</size>
        </type>
    </preferences>
    <preferences profiles="x86,x86-rt">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            initrd_system="dracut"
            filesystem="btrfs"
            firmware="uefi"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
        >
    	    <bootloader name="grub2" console="gfxterm" timeout="3"/>
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/i386-pc"/>
                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
        </type>
    </preferences>
    <preferences profiles="x86-self_install,x86-rt-self_install">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            initrd_system="dracut"
            installiso="true"
            filesystem="btrfs"
            installboot="install"
            install_continue_on_timeout="false"
            firmware="uefi"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/i386-pc"/>
                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
        </type>
    </preferences>
    <preferences profiles="rpi">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            initrd_system="dracut"
            installiso="true"
            filesystem="btrfs"
            installboot="install"
            install_continue_on_timeout="false"
            fsmountoptions="noatime"
            firmware="uefi"
            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
            bootpartition="false"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            efipartsize="128"     
            editbootinstall="editbootinstall_rpi.sh"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="false"
            disk_start_sector="4096"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
        </type>
    </preferences>
    <preferences profiles="aarch64-self_install">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            initrd_system="dracut"
            installiso="true"
            filesystem="btrfs"
            installboot="install"
            install_continue_on_timeout="false"
            firmware="uefi"
            efipartsize="128"     
 	    kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
            disk_start_sector="4096"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
        </type>
    </preferences>
    <preferences profiles="s390-kvm">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            filesystem="btrfs"
            bootpartition="true"
            bootpartsize="300"
            bootfilesystem="ext2"
        initrd_system="dracut"
        format="qcow2"
            kernelcmdline="hvc_iucv=8 TERM=dumb security=selinux selinux=1 quiet"
        devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
    >
            <bootloader name="grub2_s390x_emu" timeout="3" />
              <systemdisk>
                  <volume name="home"/>
                  <volume name="root"/>
                  <volume name="opt"/>
                  <volume name="srv"/>
          <volume name="boot/grub2/s390x-emu" mountpoint="boot/grub2/s390x-emu"/>
                  <volume name="boot/writable"/>
                  <volume name="usr/local"/>
                  <volume name="var" copy_on_write="false"/>
               </systemdisk>
           <size unit="G">32</size>
      </type>
    </preferences>
    <preferences profiles="s390-dasd">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
          image="oem"
          filesystem="btrfs"
          bootpartition="true"
          bootpartsize="300"
          bootfilesystem="ext2"
          initrd_system="dracut"
          kernelcmdline="hvc_iucv=8 TERM=dumb security=selinux selinux=1 quiet"
          devicepersistency="by-uuid"
          target_blocksize="4096"
          btrfs_root_is_snapshot="true"
          btrfs_root_is_readonly_snapshot="true"
          btrfs_quota_groups="true"
      >
            <bootloader name="grub2_s390x_emu" console="serial" timeout="3" targettype="CDL" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/s390x-emu" mountpoint="boot/grub2/s390x-emu"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">5</size>
      </type>
    </preferences>
    <preferences profiles="s390-fba">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
          image="oem"
          filesystem="btrfs"
          bootpartition="true"
          bootpartsize="300"
          bootfilesystem="ext2"
          initrd_system="dracut"
          kernelcmdline="hvc_iucv=8 TERM=dumb security=selinux selinux=1 quiet"
          devicepersistency="by-uuid"
          btrfs_root_is_snapshot="true"
          btrfs_root_is_readonly_snapshot="true"
          btrfs_quota_groups="true"
        >
            <bootloader name="grub2_s390x_emu" console="serial" timeout="3" targettype="FBA"/>
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/s390x-emu" mountpoint="boot/grub2/s390x-emu"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">5</size>
        </type>
    </preferences>
    <preferences profiles="x86-vmware">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            filesystem="btrfs"
            format="vmdk"
            firmware="uefi"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
        >
            <bootloader name="grub2" console="gfxterm" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/i386-pc"/>
                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">24</size>
            <machine memory="1024" HWversion="10" guestOS="suse-64"/>
        </type>
    </preferences>
    <preferences profiles="x86-qcow">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            format="qcow2"
            filesystem="btrfs"
            firmware="uefi"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=qemu"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/i386-pc"/>
                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">32</size>
        </type>
    </preferences>
    <preferences profiles="aarch64-qcow">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
 	<locale>en_US</locale>
        <type
            image="oem"
            format="qcow2"
            filesystem="btrfs"
            firmware="uefi"
            efipartsize="128"     
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=qemu"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
        >
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                <volume name="boot/writable"/>
 		<volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">20</size>
        </type>
    </preferences>
   <repository type="rpm-md" >
        <source path='obsrepositories:/'/>
    </repository>
    <packages type="image" profiles="full">
        <namedCollection name="base_transactional"/>
        <package name="patterns-base-transactional"/>
        <namedCollection name="salt_minion"/>
 	<package name="patterns-base-salt_minion"/>
        <namedCollection name="kvm_host"/>
 	<package name="patterns-base-kvm_host"/>
 	<package name="lzop"/>
        <namedCollection name="container_runtime_podman"/>
        <package name="patterns-container-runtime_podman"/> 
        <namedCollection name="cockpit"/>
        <package name="patterns-base-cockpit"/>
        <namedCollection name="selinux"/>
        <package name="patterns-base-selinux"/>
        <package name="suseconnect-ng"/>
        <package name="SL-Micro-release"/>
        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
        <package name="systemd-default-settings-branding-SLE-Micro"/>
        <package name="firewalld"/>
        <package name="wpa_supplicant" arch="x86_64,aarch64"/>
 	<package name="libpwquality-tools"/>
        <!-- <package name="k3s-install"/> -->
    </packages>
    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted">
        <!-- full disk encryption stuff -->
        <package name="device-mapper"/>
        <package name="cryptsetup"/>
        <package name="system-user-tss"/>
        <package name="libtss2-fapi1"/>
        <package name="libtss2-tcti-device0"/>
        <package name="tpm2.0-tools"/>
        <package name="tpm2-0-tss"/>
        <package name="fde-firstboot"/>
    </packages>
    <packages type="image" profiles="container-host">
        <namedCollection name="base_transactional"/>
        <package name="patterns-base-transactional"/>
        <namedCollection name="container_runtime_podman"/>
        <package name="patterns-container-runtime_podman"/> 
        <namedCollection name="cockpit"/>
        <package name="patterns-base-cockpit"/>
        <namedCollection name="selinux"/>
        <package name="patterns-base-selinux"/>
        <package name="suseconnect-ng"/>
        <package name="SL-Micro-release"/>
        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
        <package name="systemd-default-settings-branding-SLE-Micro"/>
        <package name="firewalld"/>
 	<package name="libpwquality-tools"/>
    </packages>
    <packages type="image" profiles="ecs_anywhere">
        <package name="amazon-ssm-agent"/>
        <package name="amazon-ecs-init"/>
        <package name="aws-cli"/>
        <package name="docker"/>
    </packages>
    <!-- Ignition / Combustion everywhere, cloud-init only in selected images
    <packages type="image" profiles="aarch64-self_install,rpi,s390-dasd,s390-fba,s390-kvm,x86,x86-encrypted,x86-legacy,x86-rt,x86-rt-encrypted,x86-rt-self_install,x86-self_install"> -->
    <packages type="image">
        <package name="ignition"/>
        <package name="combustion &gt;= 1.2"/> <!-- New firstboot mechanism -->
 	<package name="jeos-firstboot"/>
    </packages>
    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow">
        <package name="cloud-init"/>
        <package name="cloud-init-config-suse"/>
    </packages>
    <packages type="image">
        <namedCollection name="base_transactional"/>
        <package name="patterns-base-transactional"/>
        <namedCollection name="hardware"/>
        <package name="patterns-base-hardware"/>
        <package name="grub2"/>
        <package name="glibc-locale-base"/>
        <package name="ca-certificates"/>
 	<package name="SL-Micro-release"/>
        <package name="systemd-default-settings-branding-SLE-Micro"/>
        <package name="firewalld"/>
 	<package name="NetworkManager-tui"/>
        <package name="growpart-generator"/>
        <package name="suse-build-key"/>
        <!-- for debugging -->
        <package name="less"/>
        <package name="vim-small"/>
        <namedCollection name="micro_defaults"/>
        <package name="patterns-micro-defaults"/>
        <package name="NetworkManager"/>
        <package name="NetworkManager-branding-SLE"/>
 	<package name="ModemManager"/>
 	<!-- FIXME does not build without control file which is obsolete 
 	<package name="live-add-yast-repos"/> -->
 	<package name="parted"/> <!-- seems missing to deploy the image -->
    </packages>
    <packages type="image" profiles="bootloader">
        <package name="grub2-i386-pc" arch="x86_64"/>
        <package name="grub2-x86_64-efi" arch="x86_64"/>
        <package name="grub2-arm64-efi" arch="aarch64"/>
        <package name="grub2-s390x-emu" arch="s390x"/>
        <package name="grub2-branding-SLE" bootinclude="true" arch="x86_64,aarch64"/>
        <package name="grub2-snapper-plugin"/>
        <package name="shim" arch="x86_64,aarch64"/>
 	<package name="mokutil" arch="x86_64,aarch64"/>
 	<!-- obsoleted by kiwi-settings
 	    <package name="kpartx" arch="s390x"/>--> <!-- previous releases picked it always, now kiwi picks partx instead -->
    </packages>
    <!-- rpi kernel-default-base does not provide all necessary drivers -->
    <packages type="image" profiles="x86,x86-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64-qcow,s390-kvm,s390-dasd,s390-fba">
        <package name="kernel-default"/>
        <package name="kernel-firmware-all"/>
    </packages>
    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted">
        <package name="kernel-rt"/>
 	<package name="kernel-firmware-all"/>
 	<!-- FIXME intentionally removed from ALP code stream 
 	<package name="cpuset"/> -->
    </packages>
    <!-- makes the image build, but also include kernel-default
    <packages type="image" profiles="x86-rt-encrypted">
        <package name="kernel-default-extra"/>
    </packages> -->
    <packages type="image" profiles="s390-kvm,s390-dasd,s390-fba">
        <package name="dracut-kiwi-oem-repart"/>
        <package name="blog"/>
    </packages>
    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64-qcow,rpi,aarch64-self_install">
        <package name="dracut-kiwi-oem-repart"/>
        <package name="dracut-kiwi-oem-dump"/>
    </packages>
    <packages type="image" profiles="rpi,aarch64-self_install">
        <package name="raspberrypi-firmware" arch="aarch64"/>
        <package name="raspberrypi-firmware-config" arch="aarch64"/>
        <package name="raspberrypi-firmware-dt" arch="aarch64"/>
        <package name="u-boot-rpiarm64" arch="aarch64"/>
        <package name="dracut-kiwi-oem-repart"/>
        <package name="bcm43xx-firmware"/>
        <package name="kernel-firmware-all"/><!-- Fix choice between kernel-firmware and kernel-firmware-all -->
        <package name="wireless-regdb"/>
        <package name="wireless-tools"/>
        <package name="wpa_supplicant"/>
        <package name="grub2-arm64-efi"/>
        <!-- kernel-default-base does not have all required drivers -->
        <package name="kernel-default"/>
    </packages>
    <packages type="bootstrap">
        <package name="coreutils"/>
        <package name="filesystem"/>
        <package name="ca-certificates"/>
        <package name="ca-certificates-mozilla"/>
    </packages>
    <!-- bsc#1221936 -->
    <packages type="image" profiles="x86-vmware">
        <package name="open-vm-tools"/>
    </packages>
    <!-- bsc#1221727-->
    <packages type="image" profiles="x86-qcow,aarch64-qcow">
        <package name="qemu-guest-agent"/>
    </packages>
 </image>
--- a/kiwi-builder-image/SL-Micro.kiwi.4096
+++ b/kiwi-builder-image/SL-Micro.kiwi.4096
@@ -1,784 +0,0 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- OBS-Profiles: @BUILD_FLAVOR@ -->
 <!-- OBS-Milestone: %current_milestone -->
 <!-- OBS-BcntSyncTag: SL-Micro -->
 <image schemaversion="7.5" name="SL-Micro" displayname="SL Micro">
    <description type="system">
        <author>SUSE</author>
        <contact>crc@suse.com</contact>
        <specification>SL Micro</specification>
    </description>
    <profiles>
        <!-- Profiles used as dependencies of actual image profiles -->
        <!-- Flavors -->
        <profile name="full" description="SL Micro as KVM and Container host"/>
        <profile name="container-host" description="SL Micro as Container host"/>
        <profile name="ecs_anywhere" description="Amazon ECS Anywhere support"/>
        <!-- Platforms - support profiles -->
        <profile name="bootloader" description="Bootloader files for x86_64 and aarch64"/>
        <profile name="self_install" description="Self Installing ISO media"/>
        <!-- Platforms -->
        <profile name="x86" description="Raw disk for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-vmware" description="Raw disk for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-encrypted" description="Raw disk for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-self_install" description="Raw disk for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="aarch64-self_install" description="Raw disk for aarch64" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-legacy" description="Raw disk for x86_64 - legacy boot" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-rt" description="Raw disk for x86_64 with RT kernel - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-rt-encrypted" description="Raw disk for x86_64 with RT kernel - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-rt-self_install" description="Raw disk for x86_64 with RT kernel - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="rpi" description="Raw disk for Raspberry Pi" arch="aarch64">
            <requires profile="bootloader"/>
        </profile>
        <profile name="x86-qcow" description="qcow2 for x86_64 - uEFI" arch="x86_64">
            <requires profile="bootloader"/>
        </profile>
 	<profile name="aarch64-qcow" description="qcow2 for aarch64 - uEFI" arch="aarch64">
 	  <requires profile="bootloader"/>
 	</profile>
        <profile name="s390-kvm" description="Raw disk for s390 - DASD" arch="s390x">
            <requires profile="bootloader"/>
        </profile>
        <profile name="s390-dasd" description="Raw disk for s390 - DASD" arch="s390x">
            <requires profile="bootloader"/>
        </profile>
        <profile name="s390-fba" description="Raw disk for s390 - DASD" arch="s390x">
            <requires profile="bootloader"/>
        </profile>
        <!-- Images (flavor + platform) -->
        <profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
            <requires profile="full"/>
            <requires profile="x86"/>
        </profile>
        <profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86"/>
        </profile>
        <profile name="Default-VMware" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
            <requires profile="full"/>
            <requires profile="x86-vmware"/>
        </profile>
        <profile name="Base-VMware" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
 	    <requires profile="x86-vmware"/>
        </profile>
        <profile name="Default-encrypted" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
            <requires profile="full"/>
            <requires profile="x86-encrypted"/>
        </profile>
        <profile name="Base-encrypted" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-encrypted"/>
        </profile>
        <profile name="Base-RT-encrypted" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-rt-encrypted"/>
        </profile>
        <profile name="Default-SelfInstall" description="SL Micro with Podman and KVM as raw image with uEFI boot - SelfInstall" arch="x86_64">
            <requires profile="full"/>
            <requires profile="x86-self_install"/>
            <requires profile="self_install"/>
        </profile>
        <profile name="Base-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-self_install"/>
            <requires profile="self_install"/>
        </profile>
        <profile name="Default-SelfInstall" description="SL Micro with Podman and KVM as raw image with uEFI boot - SelfInstall" arch="aarch64">
            <requires profile="full"/>
            <requires profile="aarch64-self_install"/>
            <requires profile="self_install"/>
        </profile>
        <profile name="Base-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="aarch64-self_install"/>
            <requires profile="self_install"/>
        </profile>
        <profile name="ECS-Anywhere" description="SL Micro with Podman and ECS Anywhere packagesas raw image with uEFI boot" arch="x86_64">
            <requires profile="full"/>
            <requires profile="ecs_anywhere"/>
            <requires profile="x86"/>
        </profile>
        <profile name="ECS-Anywhere-SelfInstall" description="SL Micro with Podman and ECS Anywhere packages as raw image with uEFI boot - SelfInstall" arch="x86_64">
            <requires profile="full"/>
            <requires profile="ecs_anywhere"/>
            <requires profile="x86-self_install"/>
            <requires profile="self_install"/>
        </profile>
        <profile name="Default" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="aarch64">
            <requires profile="full"/>
            <requires profile="rpi"/>
        </profile>
        <profile name="Base" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
            <requires profile="container-host"/>
            <requires profile="rpi"/>
        </profile>
        <profile name="Base-RT" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-rt"/>
        </profile>
        <profile name="Base-RT-SelfInstall" description="SL Micro with Podman as raw image with uEFI boot - SelfInstall" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-rt-self_install"/>
            <requires profile="self_install"/>
        </profile>
        <profile name="Default-qcow" description="SL Micro with Podman and KVM as raw image for KVM on System z" arch="s390x">
            <requires profile="full"/>
            <requires profile="s390-kvm"/>
        </profile>
        <profile name="Base-qcow" description="SL Micro with Podman as raw image for KVM on System z" arch="s390x">
            <requires profile="container-host"/>
            <requires profile="s390-kvm"/>
        </profile>
        <profile name="Default-dasd" description="SL Micro with Podman and KVM as raw image for KVM on System z" arch="s390x">
            <requires profile="full"/>
            <requires profile="s390-dasd"/>
        </profile>
        <profile name="Base-dasd" description="SL Micro with Podman as raw image for KVM on System z" arch="s390x">
            <requires profile="container-host"/>
            <requires profile="s390-dasd"/>
        </profile>
        <profile name="Default-fba" description="SL Micro with Podman and KVM as raw image for KVM on System z" arch="s390x">
            <requires profile="full"/>
            <requires profile="s390-fba"/>
        </profile>
        <profile name="Base-fba" description="SL Micro with Podman as raw image for KVM on System z" arch="s390x">
            <requires profile="container-host"/>
            <requires profile="s390-fba"/>
        </profile>
        <profile name="Default-legacy" description="SL Micro with Podman as raw image with legacy boot" arch="x86_64">
            <requires profile="full"/>
            <requires profile="x86-legacy"/>
        </profile>
        <profile name="Default-qcow" description="SL Micro with Podman and KVM as raw image with uEFI boot" arch="x86_64">
            <requires profile="full"/>
            <requires profile="x86-qcow"/>
        </profile>
        <profile name="Base-qcow" description="SL Micro with Podman as raw image with uEFI boot" arch="x86_64">
            <requires profile="container-host"/>
            <requires profile="x86-qcow"/>
        </profile>
 	<profile name="Default-qcow" description="SL Micro with Podman and KMV as raw image with uEFI boot" arch="aarch64">
 	    <requires profile="full"/>
 	    <requires profile="aarch64-qcow"/>
        </profile>
 	<profile name="Base-qcow" description="SL Micro with Podman as raw image with uEFI boot" arch="aarch64">
 	    <requires profile="container-host"/>
 	    <requires profile="aarch64-qcow"/>
        </profile>
    </profiles>
    <preferences profiles="x86-encrypted,x86-rt-encrypted">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            initrd_system="dracut"
            filesystem="btrfs"
            firmware="uefi"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
            luks_version="luks2"
            luks="1234"
 	    luks_randomize="false"
 	    luks_pbkdf="pbkdf2"
            target_blocksize="4096"
            efipartsize="200"
        >
            <luksformat>
                <option name="--cipher" value="aes"/>
            </luksformat>
            <bootloader name="grub2" console="gfxterm" use_disk_password="true" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/i386-pc"/>
                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">4</size>
        </type>
    </preferences>
    <preferences profiles="x86,x86-rt">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            initrd_system="dracut"
            filesystem="btrfs"
            firmware="uefi"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
            target_blocksize="4096"
            efipartsize="200"
        >
    	    <bootloader name="grub2" console="gfxterm" timeout="3"/>
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/i386-pc"/>
                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
        </type>
    </preferences>
    <preferences profiles="x86-self_install,x86-rt-self_install">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            initrd_system="dracut"
            installiso="true"
            filesystem="btrfs"
            installboot="install"
            install_continue_on_timeout="false"
            firmware="uefi"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
            target_blocksize="4096"
            efipartsize="200"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/i386-pc"/>
                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
        </type>
    </preferences>
    <preferences profiles="rpi">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            initrd_system="dracut"
            installiso="true"
            filesystem="btrfs"
            installboot="install"
            install_continue_on_timeout="false"
            fsmountoptions="noatime"
            firmware="uefi"
            kernelcmdline="console=ttyS0,115200n8 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
            bootpartition="false"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            efipartsize="128"
            editbootinstall="editbootinstall_rpi.sh"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="false"
            disk_start_sector="4096"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
        </type>
    </preferences>
    <preferences profiles="aarch64-self_install">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            initrd_system="dracut"
            installiso="true"
            filesystem="btrfs"
            installboot="install"
            install_continue_on_timeout="false"
            firmware="uefi"
            efipartsize="128"
 	    kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
            disk_start_sector="4096"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
        </type>
    </preferences>
    <preferences profiles="s390-kvm">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            filesystem="btrfs"
            bootpartition="true"
            bootpartsize="300"
            bootfilesystem="ext2"
        initrd_system="dracut"
        format="qcow2"
            kernelcmdline="hvc_iucv=8 TERM=dumb security=selinux selinux=1 quiet"
        devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
    >
            <bootloader name="grub2_s390x_emu" timeout="3" />
              <systemdisk>
                  <volume name="home"/>
                  <volume name="root"/>
                  <volume name="opt"/>
                  <volume name="srv"/>
          <volume name="boot/grub2/s390x-emu" mountpoint="boot/grub2/s390x-emu"/>
                  <volume name="boot/writable"/>
                  <volume name="usr/local"/>
                  <volume name="var" copy_on_write="false"/>
               </systemdisk>
           <size unit="G">32</size>
      </type>
    </preferences>
    <preferences profiles="s390-dasd">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
          image="oem"
          filesystem="btrfs"
          bootpartition="true"
          bootpartsize="300"
          bootfilesystem="ext2"
          initrd_system="dracut"
          kernelcmdline="hvc_iucv=8 TERM=dumb security=selinux selinux=1 quiet"
          devicepersistency="by-uuid"
          target_blocksize="4096"
          btrfs_root_is_snapshot="true"
          btrfs_root_is_readonly_snapshot="true"
          btrfs_quota_groups="true"
      >
            <bootloader name="grub2_s390x_emu" console="serial" timeout="3" targettype="CDL" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/s390x-emu" mountpoint="boot/grub2/s390x-emu"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">5</size>
      </type>
    </preferences>
    <preferences profiles="s390-fba">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
          image="oem"
          filesystem="btrfs"
          bootpartition="true"
          bootpartsize="300"
          bootfilesystem="ext2"
          initrd_system="dracut"
          kernelcmdline="hvc_iucv=8 TERM=dumb security=selinux selinux=1 quiet"
          devicepersistency="by-uuid"
          btrfs_root_is_snapshot="true"
          btrfs_root_is_readonly_snapshot="true"
          btrfs_quota_groups="true"
        >
            <bootloader name="grub2_s390x_emu" console="serial" timeout="3" targettype="FBA"/>
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/s390x-emu" mountpoint="boot/grub2/s390x-emu"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">5</size>
        </type>
    </preferences>
    <preferences profiles="x86-vmware">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            filesystem="btrfs"
            format="vmdk"
            firmware="uefi"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
        >
            <bootloader name="grub2" console="gfxterm" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/i386-pc"/>
                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">24</size>
            <machine memory="1024" HWversion="10" guestOS="suse-64"/>
        </type>
    </preferences>
    <preferences profiles="x86-qcow">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
        <locale>en_US</locale>
        <type
            image="oem"
            format="qcow2"
            filesystem="btrfs"
            firmware="uefi"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=qemu"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
            target_blocksize="4096"
            efipartsize="200"
        >
            <bootloader name="grub2" console="gfxterm" timeout="3" />
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
                <!-- on tmpfs jsc#SMO-2                <volume name="tmp"/> -->
                <volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/i386-pc"/>
                <volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
                <volume name="boot/writable"/>
                <volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">32</size>
        </type>
    </preferences>
    <preferences profiles="aarch64-qcow">
        <version>6.0</version>
        <packagemanager>zypper</packagemanager>
        <bootsplash-theme>SLE</bootsplash-theme>
        <bootloader-theme>SLE</bootloader-theme>
        <rpm-excludedocs>true</rpm-excludedocs>
 	<locale>en_US</locale>
        <type
            image="oem"
            format="qcow2"
            filesystem="btrfs"
            firmware="uefi"
            efipartsize="128"
            kernelcmdline="console=ttyS0,115200 console=tty0 security=selinux selinux=1 quiet net.ifnames=0 ignition.platform.id=qemu"
            bootpartition="false"
            bootkernel="custom"
            devicepersistency="by-uuid"
            btrfs_root_is_snapshot="true"
            btrfs_root_is_readonly_snapshot="true"
            btrfs_quota_groups="true"
        >
            <systemdisk>
                <volume name="home"/>
                <volume name="root"/>
 		<volume name="opt"/>
                <volume name="srv"/>
                <volume name="boot/grub2/arm64-efi" mountpoint="boot/grub2/arm64-efi"/>
                <volume name="boot/writable"/>
 		<volume name="usr/local"/>
                <volume name="var" copy_on_write="false"/>
            </systemdisk>
            <size unit="G">20</size>
        </type>
    </preferences>
   <repository type="rpm-md" >
        <source path='obsrepositories:/'/>
    </repository>
    <packages type="image" profiles="full">
        <namedCollection name="base_transactional"/>
        <package name="patterns-base-transactional"/>
        <namedCollection name="salt_minion"/>
 	<package name="patterns-base-salt_minion"/>
        <namedCollection name="kvm_host"/>
 	<package name="patterns-base-kvm_host"/>
 	<package name="lzop"/>
        <namedCollection name="container_runtime_podman"/>
        <package name="patterns-container-runtime_podman"/>
        <namedCollection name="cockpit"/>
        <package name="patterns-base-cockpit"/>
        <namedCollection name="selinux"/>
        <package name="patterns-base-selinux"/>
        <package name="suseconnect-ng"/>
        <package name="SL-Micro-release"/>
        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
        <package name="systemd-default-settings-branding-SLE-Micro"/>
        <package name="firewalld"/>
        <package name="wpa_supplicant" arch="x86_64,aarch64"/>
 	<package name="libpwquality-tools"/>
    </packages>
    <packages type="image" profiles="x86-encrypted,x86-rt-encrypted">
        <!-- full disk encryption stuff -->
        <package name="device-mapper"/>
        <package name="cryptsetup"/>
        <package name="system-user-tss"/>
        <package name="libtss2-fapi1"/>
        <package name="libtss2-tcti-device0"/>
        <package name="tpm2.0-tools"/>
        <package name="tpm2-0-tss"/>
        <package name="fde-firstboot"/>
    </packages>
    <packages type="image" profiles="container-host">
        <namedCollection name="base_transactional"/>
        <package name="patterns-base-transactional"/>
        <namedCollection name="container_runtime_podman"/>
        <package name="patterns-container-runtime_podman"/>
        <namedCollection name="cockpit"/>
        <package name="patterns-base-cockpit"/>
        <namedCollection name="selinux"/>
        <package name="patterns-base-selinux"/>
        <package name="suseconnect-ng"/>
        <package name="SL-Micro-release"/>
        <package name="grub2-branding-SLE" arch="x86_64,aarch64"/>
        <package name="systemd-default-settings-branding-SLE-Micro"/>
        <package name="firewalld"/>
 	<package name="libpwquality-tools"/>
    </packages>
    <packages type="image" profiles="ecs_anywhere">
        <package name="amazon-ssm-agent"/>
        <package name="amazon-ecs-init"/>
        <package name="aws-cli"/>
        <package name="docker"/>
    </packages>
    <!-- Ignition / Combustion everywhere, cloud-init only in selected images
    <packages type="image" profiles="aarch64-self_install,rpi,s390-dasd,s390-fba,s390-kvm,x86,x86-encrypted,x86-legacy,x86-rt,x86-rt-encrypted,x86-rt-self_install,x86-self_install"> -->
    <packages type="image">
        <package name="ignition"/>
        <package name="combustion &gt;= 1.2"/> <!-- New firstboot mechanism -->
 	<package name="jeos-firstboot"/>
    </packages>
    <packages type="image" profiles="x86-qcow,x86-vmware,aarch64-qcow">
        <package name="cloud-init"/>
        <package name="cloud-init-config-suse"/>
    </packages>
    <packages type="image">
        <namedCollection name="base_transactional"/>
        <package name="patterns-base-transactional"/>
        <namedCollection name="hardware"/>
        <package name="patterns-base-hardware"/>
        <package name="grub2"/>
        <package name="glibc-locale-base"/>
        <package name="ca-certificates"/>
 	<package name="SL-Micro-release"/>
        <package name="systemd-default-settings-branding-SLE-Micro"/>
        <package name="firewalld"/>
 	<package name="NetworkManager-tui"/>
        <package name="growpart-generator"/>
        <package name="suse-build-key"/>
        <!-- for debugging -->
        <package name="less"/>
        <package name="vim-small"/>
        <namedCollection name="micro_defaults"/>
        <package name="patterns-micro-defaults"/>
        <package name="NetworkManager"/>
        <package name="NetworkManager-branding-SLE"/>
 	<package name="ModemManager"/>
 	<!-- FIXME does not build without control file which is obsolete
 	<package name="live-add-yast-repos"/> -->
 	<package name="parted"/> <!-- seems missing to deploy the image -->
    </packages>
    <packages type="image" profiles="bootloader">
        <package name="grub2-i386-pc" arch="x86_64"/>
        <package name="grub2-x86_64-efi" arch="x86_64"/>
        <package name="grub2-arm64-efi" arch="aarch64"/>
        <package name="grub2-s390x-emu" arch="s390x"/>
        <package name="grub2-branding-SLE" bootinclude="true" arch="x86_64,aarch64"/>
        <package name="grub2-snapper-plugin"/>
        <package name="shim" arch="x86_64,aarch64"/>
 	<package name="mokutil" arch="x86_64,aarch64"/>
 	<!-- obsoleted by kiwi-settings
 	    <package name="kpartx" arch="s390x"/>--> <!-- previous releases picked it always, now kiwi picks partx instead -->
    </packages>
    <!-- rpi kernel-default-base does not provide all necessary drivers -->
    <packages type="image" profiles="x86,x86-encrypted,x86-legacy,x86-self_install,x86-vmware,x86-qcow,aarch64-qcow,s390-kvm,s390-dasd,s390-fba">
        <package name="kernel-default"/>
        <package name="kernel-firmware-all"/>
    </packages>
    <packages type="image" profiles="x86-rt,x86-rt-self_install,x86-rt-encrypted">
        <package name="kernel-rt"/>
 	<package name="kernel-firmware-all"/>
 	<!-- FIXME intentionally removed from ALP code stream
 	<package name="cpuset"/> -->
    </packages>
    <!-- makes the image build, but also include kernel-default
    <packages type="image" profiles="x86-rt-encrypted">
        <package name="kernel-default-extra"/>
    </packages> -->
    <packages type="image" profiles="s390-kvm,s390-dasd,s390-fba">
        <package name="dracut-kiwi-oem-repart"/>
        <package name="blog"/>
    </packages>
    <packages type="image" profiles="x86,x86-encrypted,x86-rt-encrypted,x86-self_install,x86-legacy,x86-vmware,x86-rt,x86-rt-self_install,x86-qcow,aarch64-qcow,rpi,aarch64-self_install">
        <package name="dracut-kiwi-oem-repart"/>
        <package name="dracut-kiwi-oem-dump"/>
    </packages>
    <packages type="image" profiles="rpi,aarch64-self_install">
        <package name="raspberrypi-firmware" arch="aarch64"/>
        <package name="raspberrypi-firmware-config" arch="aarch64"/>
        <package name="raspberrypi-firmware-dt" arch="aarch64"/>
        <package name="u-boot-rpiarm64" arch="aarch64"/>
        <package name="dracut-kiwi-oem-repart"/>
        <package name="bcm43xx-firmware"/>
        <package name="kernel-firmware-all"/><!-- Fix choice between kernel-firmware and kernel-firmware-all -->
        <package name="wireless-regdb"/>
        <package name="wireless-tools"/>
        <package name="wpa_supplicant"/>
        <package name="grub2-arm64-efi"/>
        <!-- kernel-default-base does not have all required drivers -->
        <package name="kernel-default"/>
    </packages>
    <packages type="bootstrap">
        <package name="coreutils"/>
        <package name="filesystem"/>
        <package name="ca-certificates"/>
        <package name="ca-certificates-mozilla"/>
    </packages>
    <!-- bsc#1221936 -->
    <packages type="image" profiles="x86-vmware">
        <package name="open-vm-tools"/>
    </packages>
    <!-- bsc#1221727-->
    <packages type="image" profiles="x86-qcow,aarch64-qcow">
        <package name="qemu-guest-agent"/>
    </packages>
 </image>
--- a/kiwi-builder-image/build-image.sh
+++ b/kiwi-builder-image/build-image.sh
@@ -1,91 +0,0 @@
 #!/usr/bin/env bash
 # Copyright (c) 2024 SUSE LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
 # in the Software without restriction, including without limitation the rights
 # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 # copies of the Software, and to permit persons to whom the Software is
 # furnished to do so, subject to the following conditions:
 #
 # The above copyright notice and this permission notice shall be included in
 # all copies or substantial portions of the Software.
 #
 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
 #
 # Set image build defaults, blocksize is an empty string
 PROFILE="Default"
 LARGEBLOCK=false
 # Print usage
 usage(){
 	cat <<-EOF
 	==============================
 	SLE Micro 6.0 Kiwi SDK Builder
 	==============================
 	Usage: ${0} [-p <profile>] [-b]
 	Profile Options (-p):
 	* Default: RAW Disk Image with kernel-default
 	* Default-SelfInstall: SelfInstall ISO with kernel-default
 	* Base-RT: RAW Disk Image with kernel-rt
 	* Base-RT-SelfInstall: SelfInstall ISO with kernel-rt
 	4096 Blocksize (-b): If specified, use a 4096 blocksize (rather than 512) when generating the image.
 	NOTE: If both options are omitted, the "Default" profile with a standard "512" blocksize is used.
 	EOF
 }
 # Grab CLI options and handle
 while getopts 'p:bh' OPTION; do
 	case "${OPTION}" in
 		p)
 			PROFILE="${OPTARG}"
 			;;
 		b)
 			LARGEBLOCK=true
 			;;
 		?)
 			usage && exit 2
 			;;
 	esac
 done
 # To avoid wasting time, perform the loop creation test first, and exit with a warning to re-run.
 # This only happens when the container hasn't been ran on the host before, and is avoided by mounting /dev/ into the image.
 qemu-img create /tmp/output/test.img 1M
 if LOOP=$(losetup -f --show /tmp/output/test.img); then
  rm -f /tmp/output/test.img
  losetup -d $LOOP
 else
  echo -e "\nERROR: Early loop device test failed, please retry the container run."
  exit 1
 fi
 # Grab local SLE Micro repos and create a list to use as part of the image build
 REPOS=`for i in $(cat /micro-sdk/repos/*.repo | awk '/baseurl/ {split($0,string,"="); print string[2]}'); do echo -n "--add-repo $i "; done`
 if $LARGEBLOCK; then
  mv /micro-sdk/defs/SL-Micro.kiwi.4096 /micro-sdk/defs/SL-Micro.kiwi
 fi
 # Build the image
 kiwi-ng --debug --profile $PROFILE system build \
    --description /micro-sdk/defs --target-dir /tmp/output --ignore-repos-used-for-build $REPOS
 # Print output
 RESULT=$?
 if [ $RESULT -eq 0 ]; then
  echo -e "\n\nINFO: Image build successful, generated images are available in the 'output' directory."
 else
  echo -e "\n\nERROR: Failed to build the image, please see above logs."
 fi
--- a/kiwi-builder-image/config.sh
+++ b/kiwi-builder-image/config.sh
@@ -1,317 +0,0 @@
 #!/bin/bash
 # Copyright (c) 2023 SUSE LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
 # in the Software without restriction, including without limitation the rights
 # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 # copies of the Software, and to permit persons to whom the Software is
 # furnished to do so, subject to the following conditions:
 # 
 # The above copyright notice and this permission notice shall be included in
 # all copies or substantial portions of the Software.
 # 
 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
 # 
 #======================================
 # Functions...
 #--------------------------------------
 test -f /.kconfig && . /.kconfig
 test -f /.profile && . /.profile
 set -euxo pipefail
 mkdir /var/lib/misc/reconfig_system
 #======================================
 # Greeting...
 #--------------------------------------
 echo "Configure image: [$kiwi_iname]-[$kiwi_profiles]..."
 #======================================
 # This is a workaround - someone,
 # somewhere needs to load the xts crypto
 # module, otherwise luksOpen will fail while
 # creating the image.
 #--------------------------------------
 modprobe xts || true
 #======================================
 # add missing fonts
 #--------------------------------------
 CONSOLE_FONT="eurlatgr.psfu"
 #======================================
 # prepare for setting root pw, timezone
 #--------------------------------------
 echo ** "reset machine settings"
 sed -i 's/^root:[^:]*:/root:*:/' /etc/shadow
 rm /etc/machine-id
 rm /var/lib/zypp/AnonymousUniqueId
 #======================================
 # Setup baseproduct link
 #--------------------------------------
 suseSetupProduct
 #======================================
 # Specify default runlevel
 #--------------------------------------
 baseSetRunlevel 3
 #======================================
 # Add missing gpg keys to rpm
 #--------------------------------------
 suseImportBuildKey
 #======================================
 # If SELinux is installed, configure it like transactional-update setup-selinux
 #--------------------------------------
 if [[ -e /etc/selinux/config ]]; then
 	# Check if we don't have selinux already enabled.
 	grep ^GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub | grep -q security=selinux || \
 	    sed -i -e 's|\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)"|\1 security=selinux selinux=1"|g' "/etc/default/grub"
 	# Adjust selinux config
 	sed -i -e 's|^SELINUX=.*|SELINUX=enforcing|g' \
 	    -e 's|^SELINUXTYPE=.*|SELINUXTYPE=targeted|g' \
 	    "/etc/selinux/config"
 	# Move an /.autorelabel file from initial installation to writeable location
 	test -f /.autorelabel && mv /.autorelabel /etc/selinux/.autorelabel
 fi
 ##======================================
 ## Enable DHCP on eth0
 ##--------------------------------------
 #cat >/etc/sysconfig/network/ifcfg-eth0 <<EOF
 #BOOTPROTO='dhcp'
 #MTU=''
 #REMOTE_IPADDR=''
 #STARTMODE='auto'
 #ETHTOOL_OPTIONS=''
 #USERCONTROL='no'
 #EOF
 systemctl enable NetworkManager
 systemctl enable ModemManager
 #======================================
 # Enable cloud-init
 #--------------------------------------
 suseInsertService cloud-init-local
 suseInsertService cloud-init
 suseInsertService cloud-config
 suseInsertService cloud-final
 # Enable chrony
 suseInsertService chronyd
 #======================================
 # Sysconfig Update
 #--------------------------------------
 echo '** Update sysconfig entries...'
 echo FONT="$CONSOLE_FONT" >> /etc/vconsole.conf
 # fix security level (boo#1171174)
 sed -e '/^PERMISSION_SECURITY=s/easy/paranoid/' /etc/sysconfig/security
 chkstat --set --system
 #======================================
 # SSL Certificates Configuration
 #--------------------------------------
 echo '** Rehashing SSL Certificates...'
 update-ca-certificates
 #======================================
 # Import trusted rpm keys
 #--------------------------------------
 for i in /usr/lib/rpm/gnupg/keys/gpg-pubkey*asc; do
    # importing can fail if it already exists
    rpm --import $i || true
 done
 # Temporary workaround for bsc#1212187
 echo "techpreview.ZYPP_MEDIANETWORK=1" >> /etc/zypp/zypp.conf
 #======================================
 # Enable kubelet if installed
 #--------------------------------------
 if [ -e /usr/lib/systemd/system/kubelet.service ]; then
 	suseInsertService kubelet
 fi
 # Adjust zypp conf
 # https://github.com/openSUSE/libzypp/issues/212
 # in yast that's done in packager/cfa/zypp_conf.rb
 sed -i 's/.*solver.onlyRequires.*/solver.onlyRequires = true/g' /etc/zypp/zypp.conf
 sed -i 's/.*rpm.install.excludedocs.*/rpm.install.excludedocs = yes/g' /etc/zypp/zypp.conf
 sed -i 's/^multiversion =.*/multiversion =/g' /etc/zypp/zypp.conf
 #=====================================
 # Configure snapper
 #-------------------------------------
 if [ "${kiwi_btrfs_root_is_snapshot-false}" = 'true' ]; then
        echo "creating initial snapper config ..."
        cp /usr/share/snapper/config-templates/default /etc/snapper/configs/root
        baseUpdateSysConfig /etc/sysconfig/snapper SNAPPER_CONFIGS root
 	# Adjust parameters
 	sed -i'' 's/^TIMELINE_CREATE=.*$/TIMELINE_CREATE="no"/g' /etc/snapper/configs/root
 	sed -i'' 's/^NUMBER_LIMIT=.*$/NUMBER_LIMIT="2-10"/g' /etc/snapper/configs/root
 	sed -i'' 's/^NUMBER_LIMIT_IMPORTANT=.*$/NUMBER_LIMIT_IMPORTANT="4-10"/g' /etc/snapper/configs/root
 fi
 # Enable jeos-firstboot if installed, disabled by combustion/ignition
 if rpm -q --whatprovides jeos-firstboot >/dev/null; then
        mkdir -p /var/lib/YaST2
        touch /var/lib/YaST2/reconfig_system
        systemctl enable jeos-firstboot.service
 fi
 # Enable cloud-init if installed
 if rpm -q --whatprovides cloud-init >/dev/null; then
 	systemctl enable cloud-init
 	systemctl enable cloud-init-local
 fi
 # The %post script can't edit /etc/fstab sys due to https://github.com/OSInside/kiwi/issues/945
 # so use the kiwi custom hack
 cat >/etc/fstab.script <<"EOF"
 #!/bin/sh
 set -eux
 /usr/sbin/setup-fstab-for-overlayfs
 # If /var is on a different partition than /...
 if [ "$(findmnt -snT / -o SOURCE)" != "$(findmnt -snT /var -o SOURCE)" ]; then
 	# ... set options for autoexpanding /var
 	gawk -i inplace '$2 == "/var" { $4 = $4",x-growpart.grow,x-systemd.growfs" } { print $0 }' /etc/fstab
 fi
 EOF
 chmod a+x /etc/fstab.script
 # To make x-systemd.growfs work from inside the initrd
 cat >/etc/dracut.conf.d/50-microos-growfs.conf <<"EOF"
 install_items+=" /usr/lib/systemd/systemd-growfs "
 EOF
 #======================================
 # Add repos from control.xml
 #--------------------------------------
 if [ -x /usr/sbin/add-yast-repos ]; then
 	add-yast-repos
 	zypper --non-interactive rm -u live-add-yast-repos
 fi
 #======================================
 # Configure SelfInstall specifics
 #--------------------------------------
 if [[ "$kiwi_profiles" == *"SelfInstall"* ]]; then
 	cat > /etc/systemd/system/selfinstallbootloader.service <<-EOF
 	[Unit]
 	Description=
 	After=systemd-machine-id-commit.service
 	Before=jeos-firstboot.service
 	[Service]
 	Type=oneshot
 	ExecStart=rm /etc/systemd/system/selfinstallbootloader.service
 	ExecStart=rm /etc/systemd/system/default.target.wants/selfinstallbootloader.service
 	ExecStart=/sbin/transactional-update bootloader
 	ExecStart=/sbin/transactional-update apply
 	[Install]
 	WantedBy=default.target
 	EOF
 	ln -s /etc/systemd/system/selfinstallbootloader.service /etc/systemd/system/default.target.wants/selfinstallbootloader.service
 fi
 #======================================
 # Boot TimeOut Configuration for iSCSI
 #--------------------------------------
 cat > /etc/systemd/system/iscsi-init-delay.service <<-EOF
 [Unit]
 # Workaround for boo#1198457 delay gen-initiatorname after local-fs
 Description=One time delay for the iscsid.service
 ConditionPathExists=!/etc/iscsi/initiatorname.iscsi
 ConditionPathExists=/sbin/iscsi-gen-initiatorname
 DefaultDependencies=no
 RequiresMountsFor=/etc/iscsi
 After=local-fs.target
 Before=iscsi-init.service
 [Install]
 WantedBy=default.target
 [Service]
 Type=oneshot
 RemainAfterExit=no
 ExecStart=/sbin/iscsi-gen-initiatorname
 EOF
 ln -s /etc/systemd/system/iscsi-init-delay.service /etc/systemd/system/default.target.wants/iscsi-init-delay.service
 #======================================
 # Configure Pine64 specifics
 #--------------------------------------
 if [[ "$kiwi_profiles" == *"Pine64" ]]; then
    echo 'add_drivers+=" fixed sunxi-mmc axp20x-regulator axp20x-rsb "' > /etc/dracut.conf.d/sunxi_modules.conf
 fi
 #======================================
 # Configure Raspberry Pi specifics
 #--------------------------------------
 if [[ "$kiwi_profiles" == *"RaspberryPi"* ]]; then
 	# Add necessary kernel modules to initrd (will disappear with bsc#1084272)
 	echo 'add_drivers+=" bcm2835_dma dwc2 "' > /etc/dracut.conf.d/raspberrypi_modules.conf
 	# Add necessary kernel modules to initrd (will disappear with boo#1162669)
 	echo 'add_drivers+=" pcie-brcmstb "' >> /etc/dracut.conf.d/raspberrypi_modules.conf
 	# Work around network issues
  	cat > /etc/modprobe.d/50-rpi3.conf <<-EOF
 		# Prevent too many page allocations (bsc#1012449)
 		options smsc95xx turbo_mode=N
 	EOF
 	cat > /usr/lib/sysctl.d/50-rpi3.conf <<-EOF
 		# Avoid running out of DMA pages for smsc95xx (bsc#1012449)
 		vm.min_free_kbytes = 2048
 	EOF
 fi
 #======================================
 # Configure Vagrant specifics
 #--------------------------------------
 if [[ "$kiwi_profiles" == *"Vagrant"* ]]; then
        # create vagrant user
        useradd vagrant
        # allow password-less sudo
        echo "vagrant ALL=(ALL)NOPASSWD:ALL" > /etc/sudoers.d/vagrant
        # add vagrant's insecure key
        mkdir -p /home/vagrant/.ssh
        chmod 0700 /home/vagrant/.ssh
        cat > /home/vagrant/.ssh/authorized_keys << EOF
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key
 EOF
        chmod 0600 /home/vagrant/.ssh/authorized_keys
        chown -R vagrant /home/vagrant
 fi
 #======================================
 # cloud-init specific settings
 #--------------------------------------
 # We do not want cloud-init to run in an environment when there is no data
 # source found. bsc#1222113
 if [[ "$kiwi_profiles" =~ ^(x86-qcow|x86-vmware|aarch64-qcow)$ ]]; then
    echo "policy: search,found=all,maybe=disabled,notfound=disabled" > /etc/cloud/ds-identify.cfg
 fi
 exit 0
--- a/kube-rbac-proxy/_service
+++ b/kube-rbac-proxy/_service
@@ -2,7 +2,7 @@
 <service name="obs_scm">
    <param name="url">https://github.com/brancz/kube-rbac-proxy</param>
    <param name="scm">git</param>
-    <param name="revision">v0.18.1</param>
+    <param name="revision">v0.18.0</param>
    <param name="version">_auto_</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="changesgenerate">enable</param>
@@ -20,4 +20,4 @@
  <service name="go_modules">
  </service>
  <service mode="buildtime" name="set_version" />
-</services>
+</services>
--- a/kube-rbac-proxy/kube-rbac-proxy.spec
+++ b/kube-rbac-proxy/kube-rbac-proxy.spec
@@ -17,14 +17,14 @@
 Name:           kube-rbac-proxy
-Version:        0.18.1
+Version:        0.18.0
-Release:        0.18.1
+Release:        0.18.0
 Summary:        The kube-rbac-proxy is a small HTTP proxy for a single upstream
 License:        Apache-2.0
 URL:            https://github.com/brancz/kube-rbac-proxy
 Source:         kube-rbac-proxy-%{version}.tar.gz
 Source1:        vendor.tar.gz
-BuildRequires:  golang(API) = 1.23
+BuildRequires:  golang(API) = 1.22
 ExcludeArch:    s390
 ExcludeArch:    %{ix86}
--- a/kubevirt-dashboard-extension-chart/Chart.yaml
+++ b/kubevirt-dashboard-extension-chart/Chart.yaml
@@ -1,20 +0,0 @@
 #!BuildTag: %%IMG_PREFIX%%kubevirt-dashboard-extension-chart:1.2.0
 #!BuildTag: %%IMG_PREFIX%%kubevirt-dashboard-extension-chart:1.2.0-%RELEASE%
 annotations:
  catalog.cattle.io/certified: rancher
  catalog.cattle.io/display-name: KubeVirt
  catalog.cattle.io/kube-version: '>= v1.26.0-0'
  catalog.cattle.io/namespace: cattle-ui-plugin-system
  catalog.cattle.io/os: linux
  catalog.cattle.io/permits-os: linux, windows
  catalog.cattle.io/rancher-version: '>= 2.10.0-0'
  catalog.cattle.io/scope: management
  catalog.cattle.io/ui-component: plugins
  catalog.cattle.io/ui-extensions-version: '>= 3.0.0'
 apiVersion: v2
 appVersion: 1.2.0
 description: 'SUSE Edge: KubeVirt extension for Rancher Dashboard'
 icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/kubevirt/icon/color/kubevirt-icon-color.svg
 name: kubevirt-dashboard-extension
 type: application
 version: 1.2.0
--- a/kubevirt-dashboard-extension-chart/README.md
+++ b/kubevirt-dashboard-extension-chart/README.md
@@ -1,6 +0,0 @@
 # SUSE Edge: KubeVirt extension for Rancher Dashboard
 An Edge focused extension for Rancher Dashboard allowing to monitor and interact virtual machine based workloads.
 For more information on SUSE Edge see https://suse-edge.github.io/ \
 For more information on Kubevirt see https://kubevirt.io/
--- a/kubevirt-dashboard-extension-chart/_service
+++ b/kubevirt-dashboard-extension-chart/_service
@@ -1,15 +0,0 @@
 <services>
  <service mode="buildtime" name="kiwi_metainfo_helper"/>
  <service name="replace_using_env" mode="buildtime">
    <param name="file">values.yaml</param>
    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
    <param name="var">IMG_PREFIX</param>
    <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
    <param name="var">IMG_REPO</param>
  </service>
  <service name="replace_using_env" mode="buildtime">
    <param name="file">Chart.yaml</param>
    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
    <param name="var">IMG_PREFIX</param>
  </service>
 </services>
--- a/kubevirt-dashboard-extension-chart/templates/_helpers.tpl
+++ b/kubevirt-dashboard-extension-chart/templates/_helpers.tpl
@@ -1,63 +0,0 @@
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "extension-server.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "extension-server.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- $name := default .Chart.Name .Values.nameOverride }}
 {{- if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{- end }}
 {{- end }}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "extension-server.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Common labels
 */}}
 {{- define "extension-server.labels" -}}
 helm.sh/chart: {{ include "extension-server.chart" . }}
 {{ include "extension-server.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "extension-server.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "extension-server.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 {{/*
 Pkg annotations
 */}}
 {{- define "extension-server.pluginMetadata" -}}
 {{- with .Values.plugin.metadata }}
 {{- range $key, $value := . }}
 {{ $key }}: {{ $value | quote }}
 {{- end }}
 {{- end }}
 {{- end }}
--- a/kubevirt-dashboard-extension-chart/templates/cr.yaml
+++ b/kubevirt-dashboard-extension-chart/templates/cr.yaml
@@ -1,14 +0,0 @@
 apiVersion: catalog.cattle.io/v1
 kind: UIPlugin
 metadata:
  name: {{ include "extension-server.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels: {{ include "extension-server.labels" . | nindent 4 }}
 spec:
  plugin:
    name: {{ include "extension-server.fullname" . }}
    version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }}
    endpoint: https://raw.githubusercontent.com/suse-edge/dashboard-extensions/gh-pages/extensions/kubevirt-dashboard-extension/1.2.0
    noCache: {{ .Values.plugin.noCache }}
    noAuth: {{ .Values.plugin.noAuth }}
    metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }}
--- a/kubevirt-dashboard-extension-chart/values.yaml
+++ b/kubevirt-dashboard-extension-chart/values.yaml
@@ -1,12 +0,0 @@
 nameOverride: ""
 fullnameOverride: ""
 plugin:
  enabled: true
  versionOverride: ""
  noCache: false
  noAuth: false
  metadata:
    catalog.cattle.io/display-name: KubeVirt
    catalog.cattle.io/rancher-version: ">= 2.10.0-0"
    catalog.cattle.io/ui-extensions-version: ">= 3.0.0"
    catalog.cattle.io/kube-version: ">= v1.26.0-0"
--- a/metal3-chart/Chart.yaml
+++ b/metal3-chart/Chart.yaml
@@ -1,18 +1,17 @@
-#!BuildTag: %%IMG_PREFIX%%metal3-chart:302.0.0_up0.9.0
+#!BuildTag: %%IMG_PREFIX%%metal3-chart:0.8.1
-#!BuildTag: %%IMG_PREFIX%%metal3-chart:302.0.0_up0.9.0-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%metal3-chart:0.8.1-%RELEASE%
 apiVersion: v2
-appVersion: 0.9.0
+appVersion: 1.16.0
 dependencies:
 - alias: metal3-baremetal-operator
  name: baremetal-operator
  repository: file://./charts/baremetal-operator
-  version: 0.6.0
+  version: 0.5.0
 - alias: metal3-ironic
  name: ironic
  repository: file://./charts/ironic
-  version: 0.8.0
+  version: 0.7.0
 - alias: metal3-mariadb
  condition: global.enable_mariadb
  name: mariadb
  repository: file://./charts/mariadb
  version: 0.5.4
@@ -20,9 +19,9 @@ dependencies:
  condition: global.enable_metal3_media_server
  name: media
  repository: file://./charts/media
-  version: 0.6.0
+  version: 0.5.0
 description: A Helm chart that installs all of the dependencies needed for Metal3
 icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
 name: metal3
 type: application
-version: 302.0.0+up0.9.0
+version: 0.8.1
--- a/metal3-chart/charts/baremetal-operator/Chart.yaml
+++ b/metal3-chart/charts/baremetal-operator/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 0.8.0
+appVersion: 0.6.1
 description: A Helm chart for baremetal-operator, used by Metal3
 name: baremetal-operator
 type: application
-version: 0.6.0
+version: 0.5.0
--- a/metal3-chart/charts/baremetal-operator/crds/customresource-baremetalhosts.yaml
+++ b/metal3-chart/charts/baremetal-operator/crds/customresource-baremetalhosts.yaml
@@ -39,6 +39,11 @@ spec:
      name: BMC
      priority: 1
      type: string
    - description: The type of hardware detected
      jsonPath: .status.hardwareProfile
      name: Hardware_Profile
      priority: 1
      type: string
    - description: Whether the host is online or not
      jsonPath: .spec.online
      name: Online
@@ -735,7 +740,6 @@ spec:
                type: object
              hardwareProfile:
                description: The name of the profile matching the hardware details.
                  Hardware profiles are deprecated and should not be relied on.
                type: string
              lastUpdated:
                description: LastUpdated identifies when this status was last observed.
@@ -1132,6 +1136,7 @@ spec:
            required:
            - errorCount
            - errorMessage
            - hardwareProfile
            - operationalStatus
            - poweredOn
            - provisioning
--- a/metal3-chart/charts/baremetal-operator/templates/configmap-ironic.yaml
+++ b/metal3-chart/charts/baremetal-operator/templates/configmap-ironic.yaml
@@ -3,12 +3,14 @@
  {{- $protocol := ternary "https" "http" $enableTLS }}
  {{- $ironicIP := .Values.global.ironicIP | default "" }}
  {{- $ironicApiHost := print $ironicIP ":6385" }}
  {{- $ironicInspectorHost := print $ironicIP ":5050" }}
  {{- $ironicBootHost := print $ironicIP ":6180" }}
  {{- $ironicCacheHost := print $ironicIP ":6180" }}
 apiVersion: v1
 data:
  IRONIC_ENDPOINT: "{{ $protocol }}://{{ $ironicApiHost }}/v1/"
  IRONIC_INSPECTOR_ENDPOINT: "{{ $protocol }}://{{ $ironicInspectorHost }}/v1/"
  RESTART_CONTAINER_CERTIFICATE_UPDATED: "false"
  # Switch VMedia to HTTP if enable_vmedia_tls is false
  {{- if and $enableTLS $enableVMediaTLS }}
--- a/metal3-chart/charts/baremetal-operator/templates/deployment.yaml
+++ b/metal3-chart/charts/baremetal-operator/templates/deployment.yaml
@@ -78,6 +78,14 @@ spec:
          mountPath: "/opt/metal3/auth/ironic/password"
          subPath: password
          readOnly: true
        - name: ironic-inspector-basic-auth
          mountPath: "/opt/metal3/auth/ironic-inspector/username"
          subPath: username
          readOnly: true
        - name: ironic-inspector-basic-auth
          mountPath: "/opt/metal3/auth/ironic-inspector/password"
          subPath: password
          readOnly: true
        {{- end }}
        {{- if .Values.global.enable_tls }}
        - name: cacert
@@ -108,6 +116,9 @@ spec:
      - name: ironic-basic-auth
        secret:
          secretName: ironic-basic-auth
      - name: ironic-inspector-basic-auth
        secret:
          secretName: ironic-inspector-basic-auth
      {{- end }}
      {{- if .Values.global.enable_tls }}
      - name: cacert
--- a/metal3-chart/charts/baremetal-operator/values.yaml
+++ b/metal3-chart/charts/baremetal-operator/values.yaml
@@ -28,11 +28,11 @@ images:
  baremetalOperator:
    repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/baremetal-operator
    pullPolicy: IfNotPresent
-    tag: "0.8.0"
+    tag: "0.6.1"
  rbacProxy:
    repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/kube-rbac-proxy
    pullPolicy: IfNotPresent
-    tag: "0.18.1"
+    tag: "v0.14.2"
 imagePullSecrets: []
 nameOverride: "manger"
--- a/metal3-chart/charts/ironic/Chart.yaml
+++ b/metal3-chart/charts/ironic/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 26.1.2
+appVersion: 24.1.2
 description: A Helm chart for Ironic, used by Metal3
 name: ironic
 type: application
-version: 0.8.0
+version: 0.7.0
--- a/metal3-chart/charts/ironic/templates/_helpers.tpl
+++ b/metal3-chart/charts/ironic/templates/_helpers.tpl
@@ -77,6 +77,9 @@ Get ironic CA volumeMounts
 - name: cert-ironic-ca
  mountPath: "/certs/ca/ironic"
  readOnly: true
 - name: cert-ironic-inspector-ca
  mountPath: "/certs/ca/ironic-inspector"
  readOnly: true
 {{- if .Values.global.enable_vmedia_tls }}
 - name: cert-ironic-vmedia-ca
  mountPath: "/certs/ca/vmedia"
--- a/metal3-chart/charts/ironic/templates/certificates.yaml
+++ b/metal3-chart/charts/ironic/templates/certificates.yaml
@@ -25,6 +25,19 @@ spec:
    kind: Issuer
    name: ca-issuer
  secretName: ironic-cert
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: ironic-inspector-cert
 spec:
  commonName: ironic-inspector-cert
  ipAddresses:
  - {{ .Values.global.ironicIP }}
  issuerRef:
    kind: Issuer
    name: ca-issuer
  secretName: ironic-inspector-cert
 {{- if .Values.global.enable_vmedia_tls }}
 ---
 apiVersion: cert-manager.io/v1
--- a/metal3-chart/charts/ironic/templates/configmap.yaml
+++ b/metal3-chart/charts/ironic/templates/configmap.yaml
@@ -10,6 +10,7 @@ data:
  {{- $protocol := ternary "https" "http" $enableTLS }}
  {{- $ironicIP := .Values.global.ironicIP | default "" }}
  {{- $ironicApiHost := print $ironicIP ":6385" }}
  {{- $ironicInspectorHost := print $ironicIP ":5050" }}
  {{- $ironicBootHost := print $ironicIP ":6180" }}
  {{- $ironicCacheHost := print $ironicIP ":6180" }}
@@ -24,11 +25,15 @@ data:
  {{- end }}
  HTTP_PORT: "6180"
  PREDICTABLE_NIC_NAMES: "{{ .Values.global.predictableNicNames }}"
-  USE_IRONIC_INSPECTOR: "false"
+  USE_IRONIC_INSPECTOR: "true"
  IRONIC_API_BASE_URL: {{ $protocol }}://{{ $ironicApiHost }}
  IRONIC_API_HOST: {{ $ironicApiHost }}
  IRONIC_API_HTTPD_SERVER_NAME: {{ $ironicApiHost }}
  IRONIC_ENDPOINT: {{ $protocol }}://{{ $ironicApiHost }}/v1/
  IRONIC_INSPECTOR_BASE_URL: {{ $protocol }}://{{ $ironicInspectorHost }}
  IRONIC_INSPECTOR_ENDPOINT: {{ $protocol }}://{{ $ironicInspectorHost }}/v1/
  IRONIC_INSPECTOR_HOST: {{ $ironicInspectorHost }}
  IRONIC_INSPECTOR_HTTPD_SERVER_NAME: {{ $ironicInspectorHost }}
  # Switch VMedia to HTTP if enable_vmedia_tls is false
  {{- if and $enableTLS $enableVMediaTLS }}
    {{- $ironicBootHost = print $ironicIP ":" .Values.global.vmediaTLSPort }}
@@ -50,9 +55,11 @@ data:
  {{- if .Values.global.provisioningIP }}
  PROVISIONING_IP: {{ .Values.global.provisioningIP }}
  {{- end }}
  IRONIC_INSPECTOR_VLAN_INTERFACES: all
  IRONIC_ILO_USE_SWIFT: "false"
  IRONIC_ILO_USE_WEB_SERVER_FOR_IMAGES: "true"
  IRONIC_FAST_TRACK: "true"
  IRONIC_USE_MARIADB: "true"
  LISTEN_ALL_INTERFACES: "true"
  {{- if .Values.global.ironicIP }}
  IRONIC_IP: {{ .Values.global.ironicIP }}
@@ -62,6 +69,7 @@ data:
  IRONIC_KERNEL_PARAMS: {{ .Values.global.ironicKernelParams }} tls.enabled=true
  IPA_INSECURE: "0"
  IRONIC_REVERSE_PROXY_SETUP: "true"
  INSPECTOR_REVERSE_PROXY_SETUP: "true"
  {{- if  ( .Values.global.enable_vmedia_tls ) }}
  VMEDIA_TLS_PORT: "{{ .Values.global.vmediaTLSPort }}"
  {{- end }}
@@ -73,10 +81,6 @@ data:
  {{- end }}
  {{- if  ( .Values.global.enable_basicAuth ) }}
  AUTH_STRATEGY: "http_basic"
  INSPECTOR_AUTH_STRATEGY: "http_basic"
  {{- end }}
  {{- if .Values.global.enable_mariadb }}
  MARIADB_HOST: {{ .Values.global.databaseServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
  IRONIC_USE_MARIADB: "true"
  {{- else }}
  IRONIC_USE_MARIADB: "false"
  {{- end }}
--- a/metal3-chart/charts/ironic/templates/deployment.yaml
+++ b/metal3-chart/charts/ironic/templates/deployment.yaml
@@ -41,7 +41,10 @@ spec:
            name: ironic-bmo
        livenessProbe:
          exec:
-            command: ["sh", "-c", "curl -sSfk https://127.0.0.1:6385"]
+            command:
            - /bin/sh
            - -c
            - curl {{ if and .Values.global.enable_tls .Values.global.enable_vmedia_tls }}-sSfk https://127.0.0.1:{{ .Values.global.vmediaTLSPort }}/boot.ipxe {{ else }}-sSf http://127.0.0.1:6180/boot.ipxe{{ end }}
          failureThreshold: 10
          initialDelaySeconds: 30
          periodSeconds: 30
@@ -59,7 +62,10 @@ spec:
        {{- end }}
        readinessProbe:
          exec:
-            command: ["sh", "-c", "curl -sSfk https://127.0.0.1:6385"]
+            command:
            - /bin/sh
            - -c
            - curl {{ if and .Values.global.enable_tls .Values.global.enable_vmedia_tls }}-sSfk https://127.0.0.1:{{ .Values.global.vmediaTLSPort }}/boot.ipxe {{ else }}-sSf http://127.0.0.1:6180/boot.ipxe{{ end }}
          failureThreshold: 10
          initialDelaySeconds: 30
          periodSeconds: 30
@@ -72,6 +78,9 @@ spec:
          - name: cert-ironic
            mountPath: "/certs/ironic"
            readOnly: true
          - name: cert-ironic-inspector
            mountPath: "/certs/ironic-inspector"
            readOnly: true
          {{- if .Values.global.enable_vmedia_tls }}
          - name: cert-ironic-vmedia
            mountPath: "/certs/vmedia"
@@ -81,6 +90,73 @@ spec:
            name: cert-ironic-ca
            readOnly: true
        {{- end }}
      - name: ironic-inspector
        image: {{ .Values.images.ironic.repository }}:{{ .Values.images.ironic.tag }}
        imagePullPolicy: {{ .Values.images.ironic.pullPolicy }}
        securityContext:
          {{- toYaml .Values.securityContext | nindent 10 }}
        command:
        - /bin/runironic-inspector
        envFrom:
        - configMapRef:
            name: ironic-bmo
        env:
        {{- if .Values.global.enable_basicAuth }}
        - name: INSPECTOR_HTPASSWD
          valueFrom:
            secretKeyRef:
              name: ironic-inspector-basic-auth
              key: htpasswd
        {{- end }}
        - name: MARIADB_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: ironic-mariadb
        livenessProbe:
          exec:
            command:
            - /bin/sh
            - -c
            - curl -sSf http://127.0.0.1:{{ if .Values.global.enable_tls }}5049{{ else }}5050{{ end }}
          failureThreshold: 10
          initialDelaySeconds: 30
          periodSeconds: 30
          successThreshold: 1
          timeoutSeconds: 10
        ports:
        - containerPort: 5050
          name: inspector
          protocol: TCP
        readinessProbe:
          exec:
            command:
            - /bin/sh
            - -c
            - curl -sSf http://127.0.0.1:{{ if .Values.global.enable_tls }}5049{{ else }}5050{{ end }}
          failureThreshold: 10
          initialDelaySeconds: 30
          periodSeconds: 30
          successThreshold: 1
          timeoutSeconds: 10
        volumeMounts:
          {{- include "ironic.sharedVolumeMount" . | nindent 10 }}
        {{- if .Values.global.enable_basicAuth }}
          - mountPath: "/auth/ironic/auth-config"
            name: ironic-basic-auth
            subPath: auth-config
            readOnly: true
          - mountPath: "/auth/ironic-inspector/auth-config"
            name: ironic-inspector-basic-auth
            subPath: auth-config
            readOnly: true
        {{- end }}
        {{- if .Values.global.enable_tls }}
          {{- include "ironic.CAVolumeMounts" . | nindent 10 }}
          - name: cert-ironic-inspector
            mountPath: "/certs/ironic-inspector"
            readOnly: true
        {{- end }}
      - name: ironic-log-watch
        image: {{ .Values.images.ironic.repository }}:{{ .Values.images.ironic.tag }}
        imagePullPolicy: {{ .Values.images.ironic.pullPolicy }}
@@ -108,33 +184,37 @@ spec:
              name: ironic-basic-auth
              key: htpasswd
        {{- end }}
        {{- if .Values.global.enable_mariadb }}
        - name: MARIADB_PASSWORD
          valueFrom:
            secretKeyRef:
              key: password
              name: ironic-mariadb
        {{- end }}
        livenessProbe:
          exec:
-            command: ["/bin/ironic-liveness"]
+            command:
            - /bin/sh
            - -c
            - curl -sSf http://127.0.0.1:{{ if .Values.global.enable_tls }}6388{{ else }}6385{{ end }}
          failureThreshold: 10
          initialDelaySeconds: 30
          periodSeconds: 30
          timeoutSeconds: 10
          successThreshold: 1
-          failureThreshold: 10
+          timeoutSeconds: 10
        ports:
        - containerPort: 6385
          name: api
          protocol: TCP
        readinessProbe:
          exec:
-            command: ["/bin/ironic-readiness"]
+            command:
            - /bin/sh
            - -c
            - curl -sSf http://127.0.0.1:{{ if .Values.global.enable_tls }}6388{{ else }}6385{{ end }}
          failureThreshold: 10
          initialDelaySeconds: 30
          periodSeconds: 30
          timeoutSeconds: 10
          successThreshold: 1
-          failureThreshold: 10
+          timeoutSeconds: 10
        volumeMounts:
          {{- include "ironic.sharedVolumeMount" . | nindent 10 }}
          {{- if .Values.global.enable_basicAuth }}
@@ -142,6 +222,10 @@ spec:
            name: ironic-basic-auth
            subPath: auth-config
            readOnly: true
          - mountPath: "/auth/ironic-inspector/auth-config"
            name: ironic-inspector-basic-auth
            subPath: auth-config
            readOnly: true
          {{- end }}
          {{- if .Values.global.enable_tls }}
          {{- include "ironic.CAVolumeMounts" . | nindent 10 }}
@@ -224,16 +308,15 @@ spec:
        {{- end }}
      volumes:
      - name: ironic-data-volume
      {{- if .Values.persistence.ironic.size }}
        persistentVolumeClaim:
          claimName: ironic-shared-volume
      {{- else }}
        emptyDir: {}
      {{- end }}
      {{- if .Values.global.enable_basicAuth }}
      - name: ironic-basic-auth
        secret:
          secretName: ironic-basic-auth
      - name: ironic-inspector-basic-auth
        secret:
          secretName: ironic-inspector-basic-auth
      {{- if .Values.global.enable_tls }}
      - name: trusted-certs
        projected:
@@ -250,6 +333,12 @@ spec:
      - name: cert-ironic
        secret:
          secretName: ironic-cert
      - name: cert-ironic-inspector-ca
        secret:
          secretName: ironic-cacert
      - name: cert-ironic-inspector
        secret:
          secretName: ironic-inspector-cert
      {{- if .Values.global.enable_vmedia_tls }}
      - name: cert-ironic-vmedia-ca
        secret:
--- a/metal3-chart/charts/ironic/templates/pvc.yaml
+++ b/metal3-chart/charts/ironic/templates/pvc.yaml
@@ -1,4 +1,3 @@
 {{- if .Values.persistence.ironic.size }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -23,4 +22,3 @@ spec:
  storageClassName: {{ .Values.persistence.ironic.storageClass }}
  {{- end }}
  volumeMode: Filesystem
 {{- end }}
--- a/metal3-chart/charts/ironic/templates/secrets-basic-auth.yaml
+++ b/metal3-chart/charts/ironic/templates/secrets-basic-auth.yaml
@@ -29,5 +29,34 @@ data:
  htpasswd: {{ b64enc (htpasswd $ironicUsername $ironicPassword) }}
  auth-config: |
  {{- printf "[ironic]\nauth_type=http_basic\nusername: %s\npassword: %s" $ironicUsername $ironicPassword | b64enc | nindent 4 }}
 ---
 {{- $ironicInspectorUsername := "" -}}
 {{- $ironicInspectorPassword := "" -}}
 {{- $inspectorSecretName := "ironic-inspector-basic-auth" -}}
 # Check if the secret is deployed and has a password
 {{- $oldInspectorSecret := lookup "v1" "Secret" .Release.Namespace $inspectorSecretName }}
 {{- if and $oldInspectorSecret (index $oldInspectorSecret.data "username") (index $oldInspectorSecret.data "password") }}
 {{- $ironicInspectorUsername = b64dec (index $oldInspectorSecret.data "username" | toString) -}}
 {{- $ironicInspectorPassword = b64dec (index $oldInspectorSecret.data "password" | toString) -}}
 # If not, check if a username and password are provided in values.yaml
 {{- else if and (.Values.global.auth.ironicInspectorUsername) (.Values.global.auth.ironicInspectorPassword) }}
 {{- $ironicInspectorUsername = .Values.global.auth.ironicInspectorUsername -}}
 {{- $ironicInspectorPassword = .Values.global.auth.ironicInspectorPassword -}}
 {{- else }}
 # If no username and password are provided in values.yaml, generate new ones
 {{- $ironicInspectorUsername = "ironic" -}}
 {{- $ironicInspectorPassword = (randAlphaNum 20) -}}
 {{- end }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ $inspectorSecretName }}
 type: Opaque
 data:
  username: {{ $ironicInspectorUsername | b64enc }}
  password: {{ $ironicInspectorPassword | b64enc }}
  htpasswd: {{ b64enc (htpasswd $ironicInspectorUsername  $ironicInspectorPassword) }}
  auth-config: |
  {{- printf "[inspector]\nauth_type=http_basic\nusername: %s\npassword: %s" $ironicInspectorUsername $ironicInspectorPassword | b64enc | nindent 4 }}
 {{- end }}
--- a/metal3-chart/charts/ironic/values.yaml
+++ b/metal3-chart/charts/ironic/values.yaml
@@ -56,11 +56,11 @@ images:
  ironic:
    repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
    pullPolicy: IfNotPresent
-    tag: 26.1.2.0
+    tag: 24.1.2.0
  ironicIPADownloader:
    repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic-ipa-downloader
    pullPolicy: IfNotPresent
-    tag: 3.0.0
+    tag: 2.0.0
 nameOverride: ""
 fullnameOverride: ""
@@ -102,6 +102,10 @@ service:
    port: 6185
    protocol: TCP
    targetPort: 6185
  - name: inspector
    port: 5050
    protocol: TCP
    targetPort: 5050
  - name: api
    port: 6385
    protocol: TCP
@@ -140,9 +144,8 @@ persistence:
    # storageClass for the ironic shared volume
    # Ensure the storageClass is defined
    storageClass: ""
-    # size of the ironic shared volume e.g "1Gi"
+    # size of the ironic shared volume
-    # When unset persistent storage is disabled and emptyDir is enabled
+    size: "1Gi"
    size: ""
    # accessMode of the ironic shared volume PVC
    # If empty defaults to ReadWriteOnce when replicaCount=1 otherwise ReadWriteMany
    accessMode: ""
--- a/metal3-chart/charts/media/Chart.yaml
+++ b/metal3-chart/charts/media/Chart.yaml
@@ -3,4 +3,4 @@ appVersion: 1.16.0
 description: A Helm chart for Media, used by Metal3
 name: media
 type: application
-version: 0.6.0
+version: 0.5.0
--- a/metal3-chart/charts/media/values.yaml
+++ b/metal3-chart/charts/media/values.yaml
@@ -24,7 +24,7 @@ replicaCount: 1
 image:
  repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic
  pullPolicy: IfNotPresent
-  tag: 26.1.2.0
+  tag: 24.1.2.0
 imagePullSecrets: []
 nameOverride: ""
--- a/metal3-chart/values.yaml
+++ b/metal3-chart/values.yaml
@@ -6,9 +6,6 @@ global:
  # IP on which the Ironic services will be exposed
  ironicIP: ""
  # whether to enable mariadb (default is sqlite)
  enable_mariadb: false
  # whether to enable media server.
  enable_metal3_media_server: false
@@ -31,6 +28,8 @@ global:
  auth:
    ironicUsername: ""
    ironicPassword: ""
    ironicInspectorUsername: ""
    ironicInspectorPassword: ""
  # whether to have additional trusted CA
  # NOTE: If enabled, a secret with name tls-ca-additional should be deployed
@@ -126,4 +125,6 @@ metal3-baremetal-operator:
      repository: "%%IMG_REPO%%/%%IMG_PREFIX%%baremetal-operator"
    rbacProxy:
      repository: "%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy"
      tag: "v0.18.0"
--- a/metallb-chart/values.yaml
+++ b/metallb-chart/values.yaml
@@ -59,7 +59,7 @@ prometheus:
  # the image to be used for the kuberbacproxy container
  rbacProxy:
    repository: "%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy"
-    tag: "0.18.1"
+    tag: "v0.18.0"
    pullPolicy: IfNotPresent
  # Prometheus Operator PodMonitors
--- a/openstack-ironic-image/_constraints
+++ b/openstack-ironic-image/_constraints
--- a/openstack-ironic-image/config.sh
+++ b/openstack-ironic-image/config.sh
--- a/openstack-ironic-image/openstack-ironic-image.kiwi
+++ b/openstack-ironic-image/openstack-ironic-image.kiwi
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<image schemaversion="7.4" name="openstack-ironic-image-201">
+<image schemaversion="7.4" name="openstack-ironic-image">
    <description type="system">
        <author>Cloud developers</author>
        <contact>cloud-devel@suse.de</contact>
--- a/openstack-ironic-image/openstack-ironic-image.spec
+++ b/openstack-ironic-image/openstack-ironic-image.spec
@@ -18,15 +18,15 @@
 # needsbinariesforbuild
-Name:           ironic-ipa-ramdisk
+Name:           openstack-ironic-image
-Version:        3.0.0
+Version:        2.0.0
 Release:        0
 Summary:        Kernel and ramdisk image for OpenStack Ironic
 License:        SUSE-EULA
 Group:          System/Management
 URL:            https://github.com/SUSE-Cloud/
 Source0:        config.sh
-Source10:       ironic-ipa-ramdisk.kiwi
+Source10:       openstack-ironic-image.kiwi
 Source20:       root.tar.bz2
 BuildRequires:  -post-build-checks
--- a/openstack-ironic-image/root.tar.bz2
+++ b/openstack-ironic-image/root.tar.bz2
--- a/rancher-turtles-airgap-resources-chart/Chart.yaml
+++ b/rancher-turtles-airgap-resources-chart/Chart.yaml
@@ -1,10 +1,10 @@
-#!BuildTag: %%IMG_PREFIX%%rancher-turtles-airgap-resources-chart:302.0.0_up0.13.0
+#!BuildTag: %%IMG_PREFIX%%rancher-turtles-airgap-resources-chart:0.3.3
-#!BuildTag: %%IMG_PREFIX%%rancher-turtles-airgap-resources-chart:302.0.0_up0.13.0
+#!BuildTag: %%IMG_PREFIX%%rancher-turtles-airgap-resources-chart:0.3.3-%RELEASE%
 apiVersion: v2
-appVersion: 0.13.0
+appVersion: 0.11.0
 description: Rancher Turtles utility chart for airgap scenarios
 home: https://github.com/rancher/turtles/
 icon: https://raw.githubusercontent.com/rancher/turtles/main/logos/capi.svg
 name: rancher-turtles-airgap-resources
 type: application
-version: 302.0.0+up0.13.0
+version: 0.3.3
--- a/rancher-turtles-airgap-resources-chart/_service
+++ b/rancher-turtles-airgap-resources-chart/_service
@@ -2,7 +2,7 @@
  <service mode="buildtime" name="kiwi_metainfo_helper"/>
  <service name="replace_using_env" mode="buildtime">
    <param name="file">Chart.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
    <param name="var">IMG_PREFIX</param>
  </service>
 </services>
--- a/rancher-turtles-airgap-resources-chart/templates/airgap-cm-core.yaml
+++ b/rancher-turtles-airgap-resources-chart/templates/airgap-cm-core.yaml
--- a/rancher-turtles-airgap-resources-chart/templates/airgap-cm-metal3.yaml
+++ b/rancher-turtles-airgap-resources-chart/templates/airgap-cm-metal3.yaml
@@ -3647,7 +3647,7 @@ data:
            envFrom:
            - configMapRef:
                name: capm3-capm3fasttrack-configmap
-            image: quay.io/metal3-io/cluster-api-provider-metal3:v1.7.2
+            image: quay.io/metal3-io/cluster-api-provider-metal3:v1.7.1
            imagePullPolicy: IfNotPresent
            livenessProbe:
              httpGet:
@@ -3731,7 +3731,7 @@ data:
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
-            image: quay.io/metal3-io/ip-address-manager:v1.7.2
+            image: quay.io/metal3-io/ip-address-manager:v1.7.1
            imagePullPolicy: IfNotPresent
            livenessProbe:
              httpGet:
@@ -4384,7 +4384,7 @@ data:
 kind: ConfigMap
 metadata:
  creationTimestamp: null
-  name: v1.7.2
+  name: v1.7.1
  namespace: capm3-system
  labels:
    provider-components: metal3
--- a/rancher-turtles-airgap-resources-chart/templates/airgap-cm-rke2-bootstrap.yaml
+++ b/rancher-turtles-airgap-resources-chart/templates/airgap-cm-rke2-bootstrap.yaml
@@ -868,11 +868,6 @@ data:
                              type: string
                            type: array
                        type: object
                      podSecurityAdmissionConfigFile:
                        description: |-
                          PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
                          spec.Files field.
                        type: string
                      protectKernelDefaults:
                        description: |-
                          ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.
@@ -2055,11 +2050,6 @@ data:
                                      type: string
                                    type: array
                                type: object
                              podSecurityAdmissionConfigFile:
                                description: |-
                                  PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
                                  spec.Files field.
                                type: string
                              protectKernelDefaults:
                                description: |-
                                  ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.
@@ -2545,7 +2535,7 @@ data:
            - --insecure-diagnostics=${CAPRKE2_INSECURE_DIAGNOSTICS:=false}
            command:
            - /manager
-            image: ghcr.io/rancher/cluster-api-provider-rke2-bootstrap:v0.8.0
+            image: ghcr.io/rancher/cluster-api-provider-rke2-bootstrap:v0.7.1
            imagePullPolicy: IfNotPresent
            livenessProbe:
              httpGet:
@@ -2752,13 +2742,10 @@ data:
      - major: 0
        minor: 7
        contract: v1beta1
      - major: 0
        minor: 8
        contract: v1beta1
 kind: ConfigMap
 metadata:
  creationTimestamp: null
-  name: v0.8.0
+  name: v0.7.1
  namespace: rke2-bootstrap-system
  labels:
    provider-components: rke2-bootstrap
--- a/rancher-turtles-airgap-resources-chart/templates/airgap-cm-rke2-control-plane.yaml
+++ b/rancher-turtles-airgap-resources-chart/templates/airgap-cm-rke2-control-plane.yaml
@@ -1513,11 +1513,6 @@ data:
                              type: string
                            type: array
                        type: object
                      podSecurityAdmissionConfigFile:
                        description: |-
                          PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
                          spec.Files field.
                        type: string
                      protectKernelDefaults:
                        description: |-
                          ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.
@@ -2931,11 +2926,6 @@ data:
                                      type: string
                                    type: array
                                type: object
                              podSecurityAdmissionConfigFile:
                                description: |-
                                  PodSecurityPolicyConfigFile contains the path to the PodSecurityPolicy configuration file. The file can be passed through
                                  spec.Files field.
                                type: string
                              protectKernelDefaults:
                                description: |-
                                  ProtectKernelDefaults defines Kernel tuning behavior. If true, error if kernel tunables are different than kubelet defaults.
@@ -4295,7 +4285,7 @@ data:
              valueFrom:
                fieldRef:
                  fieldPath: metadata.uid
-            image: ghcr.io/rancher/cluster-api-provider-rke2-controlplane:v0.8.0
+            image: ghcr.io/rancher/cluster-api-provider-rke2-controlplane:v0.7.1
            imagePullPolicy: IfNotPresent
            livenessProbe:
              httpGet:
@@ -4509,13 +4499,10 @@ data:
      - major: 0
        minor: 7
        contract: v1beta1
      - major: 0
        minor: 8
        contract: v1beta1
 kind: ConfigMap
 metadata:
  creationTimestamp: null
-  name: v0.8.0
+  name: v0.7.1
  namespace: rke2-control-plane-system
  labels:
    provider-components: rke2-control-plane
--- a/rancher-turtles-chart/Chart.lock
+++ b/rancher-turtles-chart/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: cluster-api-operator
  repository: https://kubernetes-sigs.github.io/cluster-api-operator
-  version: 0.14.0
+  version: 0.12.0
-digest: sha256:9e9e851dbab3212c279efec06bcf0da147228ea1590470f3a8cbbb5806a250d4
+digest: sha256:c167c074ca89ef7a520ec18a5afd380b9edaee513810aa3ac0e0bda51db9c526
-generated: "2024-10-28T11:44:34.392387979Z"
+generated: "2024-08-22T14:23:18.589443298Z"
--- a/rancher-turtles-chart/Chart.yaml
+++ b/rancher-turtles-chart/Chart.yaml
@@ -1,5 +1,5 @@
-#!BuildTag: %%IMG_PREFIX%%rancher-turtles-chart:302.0.0_up0.13.0
+#!BuildTag: %%IMG_PREFIX%%rancher-turtles-chart:0.3.3
-#!BuildTag: %%IMG_PREFIX%%rancher-turtles-chart:302.0.0_up0.13.0-%RELEASE%
+#!BuildTag: %%IMG_PREFIX%%rancher-turtles-chart:0.3.3-%RELEASE%
 annotations:
  catalog.cattle.io/certified: rancher
  catalog.cattle.io/display-name: Rancher Turtles - the Cluster API Extension
@@ -12,12 +12,12 @@ annotations:
  catalog.cattle.io/scope: management
  catalog.cattle.io/type: cluster-tool
 apiVersion: v2
-appVersion: 0.13.0
+appVersion: 0.11.0
 dependencies:
 - condition: cluster-api-operator.enabled
  name: cluster-api-operator
  repository: file://./charts/cluster-api-operator
-  version: 0.14.0
+  version: 0.12.0
 description: Rancher Turtles is an extension to Rancher that brings full Cluster API
  integration to Rancher.
 home: https://github.com/rancher/turtles/
@@ -29,4 +29,4 @@ keywords:
 - provisioning
 name: rancher-turtles
 type: application
-version: 302.0.0+up0.13.0
+version: 0.3.3+up0.11.0
--- a/rancher-turtles-chart/RELEASE_NOTES.md
+++ b/rancher-turtles-chart/RELEASE_NOTES.md
@@ -1,4 +1,6 @@
-gh: To use GitHub CLI in a GitHub Actions workflow, set the GH_TOKEN environment variable. Example:
+## Changes since test/v0.11.0
-  env:
+---
-    GH_TOKEN: ${{ github.token }}
+## :chart_with_upwards_trend: Overview
-: exit status 4
+
 _Thanks to all our contributors!_ 😊
--- a/rancher-turtles-chart/_service
+++ b/rancher-turtles-chart/_service
@@ -2,14 +2,14 @@
  <service mode="buildtime" name="kiwi_metainfo_helper"/>
  <service name="replace_using_env" mode="buildtime">
    <param name="file">values.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
    <param name="var">IMG_PREFIX</param>
    <param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
    <param name="var">IMG_REPO</param>
  </service>
  <service name="replace_using_env" mode="buildtime">
    <param name="file">Chart.yaml</param>
-    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
+    <param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %img_prefix)</param>
    <param name="var">IMG_PREFIX</param>
  </service>
 </services>
--- a/rancher-turtles-chart/charts/cluster-api-operator/Chart.yaml
+++ b/rancher-turtles-chart/charts/cluster-api-operator/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 0.14.0
+appVersion: 0.12.0
 description: Cluster API Operator
 name: cluster-api-operator
 type: application
-version: 0.14.0
+version: 0.12.0
--- a/rancher-turtles-chart/charts/cluster-api-operator/templates/addon.yaml
+++ b/rancher-turtles-chart/charts/cluster-api-operator/templates/addon.yaml
@@ -26,7 +26,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
  annotations:
-    "helm.sh/hook": "post-install,post-upgrade"
+    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "1"
    "argocd.argoproj.io/sync-wave": "1"
  name: {{ $addonNamespace }}
@@ -37,7 +37,7 @@ metadata:
  name: {{ $addonName }}
  namespace: {{ $addonNamespace }}
  annotations:
-    "helm.sh/hook": "post-install,post-upgrade"
+    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "2"
    "argocd.argoproj.io/sync-wave": "2"
 {{- if or $addonVersion $.Values.secretName }}
--- a/rancher-turtles-chart/charts/cluster-api-operator/templates/bootstrap.yaml
+++ b/rancher-turtles-chart/charts/cluster-api-operator/templates/bootstrap.yaml
@@ -26,7 +26,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
  annotations:
-    "helm.sh/hook": "post-install,post-upgrade"
+    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "1"
  name: {{ $bootstrapNamespace }}
 ---
@@ -36,7 +36,7 @@ metadata:
  name: {{ $bootstrapName }}
  namespace: {{ $bootstrapNamespace }}
  annotations:
-    "helm.sh/hook": "post-install,post-upgrade"
+    "helm.sh/hook": "post-install"
    "helm.sh/hook-weight": "2"
 {{- if or $bootstrapVersion $.Values.configSecret.name }}
 spec:
--- a/Show More
+++ b/Show More