diff --git a/metal3-chart/charts/baremetal-operator/templates/_helpers.tpl b/metal3-chart/charts/baremetal-operator/templates/_helpers.tpl index 08dc581..209fcc3 100644 --- a/metal3-chart/charts/baremetal-operator/templates/_helpers.tpl +++ b/metal3-chart/charts/baremetal-operator/templates/_helpers.tpl @@ -61,3 +61,19 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} + +{{/* +Create the URL to use for connecting to the Ironic servers (e.g. API, cache) +*/}} +{{- define "baremetal-operator.ironicHttpHost" -}} +{{- $ironicIP := include "metal3.provisioningIP" . -}} +{{- with .Values.global }} +{{- if .provisioningHostname }} +{{- .provisioningHostname }} +{{- else if regexMatch ".*:.*" $ironicIP}} +{{- print "[" $ironicIP "]" }} +{{- else }} +{{- $ironicIP }} +{{- end }} +{{- end }} +{{- end }} diff --git a/metal3-chart/charts/baremetal-operator/templates/configmap-ironic.yaml b/metal3-chart/charts/baremetal-operator/templates/configmap-ironic.yaml index 0e44f23..e27a359 100644 --- a/metal3-chart/charts/baremetal-operator/templates/configmap-ironic.yaml +++ b/metal3-chart/charts/baremetal-operator/templates/configmap-ironic.yaml @@ -1,10 +1,10 @@ {{- $enableTLS := .Values.global.enable_tls }} {{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }} {{- $protocol := ternary "https" "http" $enableTLS }} - {{- $ironicIP := .Values.global.ironicIP | default "" }} - {{- $ironicApiHost := print $ironicIP ":6385" }} - {{- $ironicBootHost := print $ironicIP ":6180" }} - {{- $ironicCacheHost := print $ironicIP ":6180" }} + {{- $ironicHost := include "baremetal-operator.ironicHttpHost" . | required "Missing host information for BMO to connect to Ironic" }} + {{- $ironicApiHost := print $ironicHost ":6385" }} + {{- $ironicBootHost := print $ironicHost ":6180" }} + {{- $ironicCacheHost := print $ironicHost ":6180" }} {{- $deployArch := .Values.global.deployArchitecture }} apiVersion: v1 
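Review bot: The IPv6 test `regexMatch ".*:.*" $ironicIP` in `baremetal-operator.ironicHttpHost` brackets any value that contains a colon, so an address supplied already bracketed, or with a port appended, is wrapped again and yields a malformed host in `IRONIC_ENDPOINT`. The same test is repeated in `ironic.externalHttpHost` and `ironic.probeCommand` in charts/ironic/templates/_helpers.tpl, so one shared helper would keep the three in step. A guard such as `{{- else if and (contains ":" $ironicIP) (not (hasPrefix "[" $ironicIP)) }}` avoids the double wrap. `provisioningHostname` is emitted with no format check at all, so a stray scheme or path in that value ends up inside the URL.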
@@ -12,8 +12,8 @@ data: IRONIC_ENDPOINT: "{{ $protocol }}://{{ $ironicApiHost }}/v1/" # Switch VMedia to HTTP if enable_vmedia_tls is false {{- if and $enableTLS $enableVMediaTLS }} - {{- $ironicBootHost = print $ironicIP ":" .Values.global.vmediaTLSPort }} - {{- $ironicCacheHost = print $ironicIP ":" .Values.global.vmediaTLSPort }} + {{- $ironicBootHost = print $ironicHost ":" .Values.global.vmediaTLSPort }} + {{- $ironicCacheHost = print $ironicHost ":" .Values.global.vmediaTLSPort }} {{- $protocol = "https" }} RESTART_CONTAINER_CERTIFICATE_UPDATED: "true" {{- else }} diff --git a/metal3-chart/charts/baremetal-operator/templates/metrics_service.yaml b/metal3-chart/charts/baremetal-operator/templates/metrics_service.yaml index 64f39a6..c7d2ce6 100644 --- a/metal3-chart/charts/baremetal-operator/templates/metrics_service.yaml +++ b/metal3-chart/charts/baremetal-operator/templates/metrics_service.yaml @@ -6,6 +6,7 @@ metadata: control-plane: controller-manager name: {{ include "baremetal-operator.fullname" . }}-controller-manager-metrics-service spec: + ipFamilyPolicy: PreferDualStack ports: - name: https port: 8443 diff --git a/metal3-chart/charts/baremetal-operator/templates/service-webhook.yaml b/metal3-chart/charts/baremetal-operator/templates/service-webhook.yaml index 67fea7f..76834cf 100644 --- a/metal3-chart/charts/baremetal-operator/templates/service-webhook.yaml +++ b/metal3-chart/charts/baremetal-operator/templates/service-webhook.yaml @@ -5,6 +5,7 @@ metadata: {{- include "baremetal-operator.labels" . | nindent 4 }} name: {{ include "baremetal-operator.fullname" . }}-webhook-service spec: + ipFamilyPolicy: PreferDualStack ports: - port: 443 targetPort: 9443 diff --git a/metal3-chart/charts/ironic/templates/_helpers.tpl b/metal3-chart/charts/ironic/templates/_helpers.tpl index 0d1ab97..e5d022f 100644 --- a/metal3-chart/charts/ironic/templates/_helpers.tpl +++ b/metal3-chart/charts/ironic/templates/_helpers.tpl 
@@ -83,3 +83,46 @@ Get ironic CA volumeMounts readOnly: true {{- end }} {{- end }} + +{{/* +Get the formatted "External" hostname or IP address +*/}} +{{- define "ironic.externalHttpHost" }} +{{- with .Values.global }} +{{- if regexMatch ".*:.*" .externalHttpHost }} +{{- print "[" .externalHttpHost "]" }} +{{- else }} +{{- .externalHttpHost }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Get the command to use for Liveness and Readiness probes +*/}} +{{- define "ironic.probeCommand" }} +{{- $host := "127.0.0.1" }} +{{- if eq .Values.listenOnAll false }} +{{- $host = coalesce .Values.global.ironicIP .Values.global.provisioningIP .Values.global.provisioningHostname }} +{{- if regexMatch ".*:.*" $host }} +{{- $host = print "[" $host "]" }} +{{- end }} +{{- end }} +{{- print "curl -sSfk https://" $host ":6385" }} +{{- end }} + +{{/* +Create the subjectAltNames section to be set on the Certificate +*/}} +{{- define "ironic.subjectAltNames" -}} +{{- with .Values.global }} +{{- if .provisioningHostname }} +dnsNames: +- {{ .provisioningHostname }} +{{- end -}} +{{- if or .ironicIP .provisioningIP }} +ipAddresses: + - {{ coalesce .ironicIP .provisioningIP }} +{{- end }} +{{- end }} +{{- end }} diff --git a/metal3-chart/charts/ironic/templates/certificates.yaml b/metal3-chart/charts/ironic/templates/certificates.yaml index e78d329..be35844 100644 --- a/metal3-chart/charts/ironic/templates/certificates.yaml +++ b/metal3-chart/charts/ironic/templates/certificates.yaml @@ -6,8 +6,7 @@ metadata: spec: commonName: ironic-ca isCA: true - ipAddresses: - - {{ .Values.global.ironicIP }} + {{- include "ironic.subjectAltNames" . | indent 2 }} issuerRef: kind: Issuer name: selfsigned-issuer @@ -19,8 +18,7 @@ metadata: name: ironic-cert spec: commonName: ironic-cert - ipAddresses: - - {{ .Values.global.ironicIP }} + {{- include "ironic.subjectAltNames" . | indent 2 }} issuerRef: kind: Issuer name: ca-issuer 
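Review bot: In `ironic.probeCommand` the `coalesce` over `ironicIP`, `provisioningIP` and `provisioningHostname` has no fallback, so with `listenOnAll: false` and none of the three set the render either fails inside `regexMatch` with an unhelpful type error or produces a probe against `https://:6385`. Wrapping the lookup as `{{- $host = required "listenOnAll=false requires ironicIP, provisioningIP or provisioningHostname" (coalesce .Values.global.ironicIP .Values.global.provisioningIP .Values.global.provisioningHostname) }}` gives a clear install-time failure instead. The probe also keeps `-k` while now targeting a non-loopback name; since this commit adds matching SANs to the certificate, verifying against the Ironic CA is probably feasible here and worth considering.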
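Review bot: `ironic.subjectAltNames` covers `provisioningHostname`, `ironicIP` and `provisioningIP` but not `global.externalHttpHost`, which configmap.yaml publishes in `IRONIC_EXTERNAL_HTTP_URL` and which may be served over https. Clients that reach Ironic through that name would fail certificate verification, which in practice pushes people towards disabling verification. Consider adding the external host to `dnsNames` or `ipAddresses` according to its form. When none of the values is set the helper emits no SAN at all, leaving only `commonName`. The same include is used in the ironic-cert hunk below and the ironic-vmedia-cert hunk after it.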
@@ -33,8 +31,7 @@ metadata: name: ironic-vmedia-cert spec: commonName: ironic-vmedia-cert - ipAddresses: - - {{ .Values.global.ironicIP }} + {{- include "ironic.subjectAltNames" . | indent 2 }} issuerRef: kind: Issuer name: ca-issuer diff --git a/metal3-chart/charts/ironic/templates/configmap.yaml b/metal3-chart/charts/ironic/templates/configmap.yaml index ba43d20..260e4c0 100644 --- a/metal3-chart/charts/ironic/templates/configmap.yaml +++ b/metal3-chart/charts/ironic/templates/configmap.yaml @@ -8,13 +8,9 @@ data: {{- $enableTLS := .Values.global.enable_tls }} {{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }} {{- $protocol := ternary "https" "http" $enableTLS }} - {{- $ironicIP := .Values.global.ironicIP | default "" }} - {{- $ironicBootHost := print $ironicIP ":6180" }} - {{- $ironicCacheHost := print $ironicIP ":6180" }} {{- $deployArch := .Values.global.deployArchitecture }} {{- if ( .Values.global.enable_dnsmasq ) }} - DNSMASQ_BOOT_SERVER_ADDRESS: {{ $ironicBootHost }} DNSMASQ_DNS_SERVER_ADDRESS: {{ .Values.global.dnsmasqDNSServer }} DNSMASQ_DEFAULT_ROUTER: {{ .Values.global.dnsmasqDefaultRouter }} DHCP_RANGE: {{ .Values.global.dhcpRange }} 
@@ -26,27 +22,25 @@ data: PREDICTABLE_NIC_NAMES: "{{ .Values.global.predictableNicNames }}" # Switch VMedia to HTTP if enable_vmedia_tls is false {{- if and $enableTLS $enableVMediaTLS }} - {{- $ironicBootHost = print $ironicIP ":" .Values.global.vmediaTLSPort }} - {{- $ironicCacheHost = print $ironicIP ":" .Values.global.vmediaTLSPort }} {{- $protocol = "https" }} {{- else }} {{- $protocol = "http" }} {{- end }} - IRONIC_EXTERNAL_HTTP_URL: {{ $protocol }}://{{ $ironicCacheHost }} + {{- if .Values.global.externalHttpHost }} + IRONIC_EXTERNAL_HTTP_URL: {{ $protocol }}://{{ include "ironic.externalHttpHost" . }}:6385 + {{- end }} DEPLOY_ARCHITECTURE: {{ $deployArch }} - IRONIC_BOOT_BASE_URL: {{ $protocol }}://{{ $ironicBootHost }} ENABLE_PXE_BOOT: "{{ .Values.global.enable_pxe_boot }}" {{- if .Values.global.provisioningInterface }} PROVISIONING_INTERFACE: {{ .Values.global.provisioningInterface }} {{- end }} - {{- if .Values.global.provisioningIP }} - PROVISIONING_IP: {{ .Values.global.provisioningIP }} + {{- if or .Values.global.ironicIP .Values.global.provisioningIP }} + PROVISIONING_IP: {{ include "metal3.provisioningIP" . }} + {{- else if .Values.global.provisioningHostname }} + IRONIC_URL_HOSTNAME: {{ .Values.global.provisioningHostname }} {{- end }} IRONIC_FAST_TRACK: "true" - LISTEN_ALL_INTERFACES: "true" - {{- if .Values.global.ironicIP }} - IRONIC_IP: {{ .Values.global.ironicIP }} - {{- end }} + LISTEN_ALL_INTERFACES: "{{ .Values.listenOnAll }}" {{- if ( .Values.global.enable_tls ) }} RESTART_CONTAINER_CERTIFICATE_UPDATED: "true" IRONIC_KERNEL_PARAMS: {{ .Values.global.ironicKernelParams }} tls.enabled=true diff --git a/metal3-chart/charts/ironic/templates/deployment.yaml b/metal3-chart/charts/ironic/templates/deployment.yaml index 56ca391..5204253 100644 --- a/metal3-chart/charts/ironic/templates/deployment.yaml +++ b/metal3-chart/charts/ironic/templates/deployment.yaml 
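Review bot: `IRONIC_EXTERNAL_HTTP_URL` now pairs `$protocol`, which this block derives from `enable_vmedia_tls`, with the fixed port 6385, whereas the removed line paired it with 6180 or `vmediaTLSPort`. 6385 is the port the BMO configmap uses for `IRONIC_ENDPOINT` under `enable_tls`, so with `enable_tls: true` and `enable_vmedia_tls: false` this appears to advertise plain http towards a TLS listener. Please confirm which listener the external URL is meant to reach and derive scheme and port from the same setting. The new values (`PROVISIONING_IP`, `IRONIC_URL_HOSTNAME`, the URL itself) are rendered unquoted; piping them through `quote` keeps IPv6 literals and unusual hostnames as strings. The `data:` block starts outside this hunk.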
@@ -42,7 +42,7 @@ spec: name: ironic livenessProbe: exec: - command: ["sh", "-c", "curl -sSfk https://127.0.0.1:6385"] + command: ["sh", "-c", "{{ include "ironic.probeCommand" . }}"] failureThreshold: 10 initialDelaySeconds: 30 periodSeconds: 30 @@ -60,7 +60,7 @@ spec: {{- end }} readinessProbe: exec: - command: ["sh", "-c", "curl -sSfk https://127.0.0.1:6385"] + command: ["sh", "-c", "{{ include "ironic.probeCommand" . }}"] failureThreshold: 10 initialDelaySeconds: 30 periodSeconds: 30 diff --git a/metal3-chart/charts/ironic/templates/service.yaml b/metal3-chart/charts/ironic/templates/service.yaml index f3f0b51..cbe8c25 100644 --- a/metal3-chart/charts/ironic/templates/service.yaml +++ b/metal3-chart/charts/ironic/templates/service.yaml @@ -10,6 +10,7 @@ metadata: {{- end }} spec: type: {{ .Values.service.type }} + ipFamilyPolicy: PreferDualStack ports: {{- $enableTLS := .Values.global.enable_tls }} {{- $enableVMediaTLS := .Values.global.enable_vmedia_tls }} diff --git a/metal3-chart/charts/ironic/values.yaml b/metal3-chart/charts/ironic/values.yaml index c0e5d62..81ea464 100644 --- a/metal3-chart/charts/ironic/values.yaml +++ b/metal3-chart/charts/ironic/values.yaml @@ -32,6 +32,12 @@ global: # IP Address assigned to network interface on provisioning network provisioningIP: "" + # Fully Qualified Domain Name used by Ironic for both binding (to the + # associated IPv4 and/or IPv6 addresses) and exposing the API, dnsmask and + # media, also used by BMO. Note, this is the only way to enable a fully + # working dual-stack configuration. + provisioningHostname: "" + # Whether the NIC names should be predictable or not predictableNicNames: "true" @@ -52,6 +58,8 @@ global: replicaCount: 1 +listenOnAll: true + images: ironic: repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic diff --git a/metal3-chart/charts/mariadb/templates/service.yaml b/metal3-chart/charts/mariadb/templates/service.yaml index 5d0d75d..9a60115 100644 
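Review bot: The probe command is now built from chart values, spliced into `"{{ include "ironic.probeCommand" . }}"` inside a flow sequence and then handed to `sh -c`, so a host value containing a double quote, a space or a shell metacharacter changes either the rendered YAML or the command that runs in the container. The values are operator-supplied, so this is hardening rather than an exposed input, but the exec form needs no shell at all. Have the helper return only the URL and render `command: ["curl", "-sSfk", {{ include "<url-helper>" . | quote }}]`, where `<url-helper>` is a placeholder for that helper's name. This applies to both the livenessProbe and the readinessProbe hunk.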
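Review bot: `listenOnAll: true` is added to charts/ironic/values.yaml without a comment, although it feeds `LISTEN_ALL_INTERFACES` in configmap.yaml and switches the liveness and readiness probes from 127.0.0.1 to the provisioning address. A comment such as `# Listen on all interfaces; when false, one of ironicIP, provisioningIP or provisioningHostname must be set and is used for the probes` would make the exposure trade-off visible to whoever edits the file. What `false` binds to exactly is presumably decided by the Ironic image, so the wording should be checked against it.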
--- a/metal3-chart/charts/mariadb/templates/service.yaml +++ b/metal3-chart/charts/mariadb/templates/service.yaml @@ -5,10 +5,11 @@ metadata: labels: {{- include "mariadb.labels" . | nindent 4 }} spec: + ipFamilyPolicy: PreferDualStack type: {{ .Values.service.type }} selector: {{- include "mariadb.selectorLabels" . | nindent 4 }} ports: {{- with .Values.service.ports }} {{- toYaml . | nindent 2 }} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/metal3-chart/charts/media/templates/service.yaml b/metal3-chart/charts/media/templates/service.yaml index 93598e5..dd0c5ac 100644 --- a/metal3-chart/charts/media/templates/service.yaml +++ b/metal3-chart/charts/media/templates/service.yaml @@ -5,6 +5,7 @@ metadata: labels: {{- include "media.labels" . | nindent 4 }} spec: + ipFamilyPolicy: PreferDualStack type: {{ .Values.service.type }} ports: - port: {{ .Values.service.port }} diff --git a/metal3-chart/templates/_helpers.tpl b/metal3-chart/templates/_helpers.tpl index 67024dd..caaef3d 100644 --- a/metal3-chart/templates/_helpers.tpl +++ b/metal3-chart/templates/_helpers.tpl @@ -60,3 +60,18 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} + +{{/* +Produce the correct IP or hostname for Ironic provisioning +*/}} +{{- define "metal3.provisioningIP" -}} +{{- with .Values.global }} +{{- if and .provisioningHostname (or .provisioningIP .ironicIP) }} +{{ fail "Please provide either provisioningHostname or provisioningIP (note: ironic IP is deprecated)" }} +{{- end }} +{{- if and .provisioningIP .ironicIP }} +{{ fail "Please provide either ironicIP or provisioningIP (note: ironicIP is deprecated)" }} +{{- end }} +{{- coalesce .ironicIP .provisioningIP }} +{{- end }} +{{- end }} diff --git a/metal3-chart/values.yaml b/metal3-chart/values.yaml index 2d24c8a..d9f62a0 100644 --- a/metal3-chart/values.yaml +++ b/metal3-chart/values.yaml 
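Review bot: The comment on `metal3.provisioningIP` says it produces "the correct IP or hostname", but the body returns only `coalesce .ironicIP .provisioningIP` and renders empty when just `provisioningHostname` is set. I would reword it to `Validate that provisioningHostname, provisioningIP and the deprecated ironicIP are not combined, then return the provisioning IP (empty if only a hostname is configured)`. The two `fail` messages also spell the deprecated key differently ("ironic IP" and "ironicIP"); using `ironicIP` in both helps users who search their values file for it.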
@@ -60,6 +60,15 @@ global: # IP Address assigned to network interface on provisioning network provisioningIP: "" + # Fully Qualified Domain Name used by Ironic for both binding (to the + # associated IPv4 and/or IPv6 addresses) and exposing the API, dnsmask and + # media, also used by BMO. Note, this is the only way to enable a fully + # working dual-stack configuration. + provisioningHostname: "" + + # Hostname or IP for accessing the Ironic API server from a non-provisioning network + externalHttpHost: "" + # Name for the MariaDB service databaseServiceName: metal3-mariadb
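Review bot: The new `provisioningHostname` comment does not say that the key cannot be combined with `provisioningIP` or `ironicIP`, which `metal3.provisioningIP` enforces with `fail`; a line such as `# Mutually exclusive with provisioningIP and ironicIP.` would save users a failed render. "dnsmask" should read "dnsmasq". The `externalHttpHost` comment could add that IPv6 literals are given without brackets, since `ironic.externalHttpHost` adds them. The same hostname comment appears in charts/ironic/values.yaml.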