From 08a2b2b75654c112fd731b501484a594422a0294 Mon Sep 17 00:00:00 2001 From: Miguel Angel Nieto Jimenez Date: Wed, 18 Feb 2026 16:25:39 +0100 Subject: [PATCH 1/2] [multiple] Co-locate provisionserver with metal3 to prevent DHCP failures II When metal3-dnsmasq pod restarts during a node's DHCP lease renewal on the provisioning network (172.23.0.0/24), NetworkManager fails to renew and sets ipv4.method=disabled. NMState operator then preserves this disabled state, causing permanent loss of provisioning network connectivity on that node. The issue occurs when OpenStackProvisionServer and metal3 pods run on different nodes. If metal3 restarts while a node is attempting DHCP renewal, the temporary unavailability of metal3-dnsmasq causes the renewal to fail. Solution: Automatically detect the node running metal3 pod (via k8s-app=metal3 label) and configure provisionServerNodeSelector in baremetalSetTemplate to schedule OpenStackProvisionServer on the same node. This ensures provisioning network connectivity is maintained because metal3-static-ip-manager maintains a static IP (172.23.0.3) on the metal3 node regardless of dnsmasq restarts. 
Signed-off-by: Miguel Angel Nieto Jimenez Co-Authored-By: Claude Sonnet 4.5 --- playbooks/06-deploy-architecture.yml | 37 +++++++++++++++ .../common/edpm-nodeset-values/values.yaml.j2 | 22 +++++++++ .../edpm-nodeset-values/values.yaml.j2 | 22 +++++++++ .../edpm-nodeset2-values/values.yaml.j2 | 22 +++++++++ .../edpm-nodeset-values/values.yaml.j2 | 31 +++++++++++++ .../edpm-nodeset-values/values.yaml.j2 | 22 +++++++++ .../edpm-nodeset2-values/values.yaml.j2 | 22 +++++++++ .../edpm-nodeset-values/values.yaml.j2 | 22 +++++++++ .../edpm-nodeset2-values/values.yaml.j2 | 22 +++++++++ .../edpm-nodeset-values/values.yaml.j2 | 14 ++++++ .../edpm-nodeset-values/values.yaml.j2 | 31 +++++++++++++ .../edpm-nodeset2-values/values.yaml.j2 | 22 +++++++++ .../edpm-nodeset-values/values.yaml.j2 | 31 +++++++++++++ .../edpm-nodeset2-values/values.yaml.j2 | 22 +++++++++ .../edpm-nodeset-values/values.yaml.j2 | 31 +++++++++++++ .../edpm-nodeset-values/values.yaml.j2 | 31 +++++++++++++ .../edpm-nodeset-values/values.yaml.j2 | 31 +++++++++++++ .../edpm-nodeset-values/values.yaml.j2 | 22 +++++++++ .../sriov/edpm-nodeset-values/values.yaml.j2 | 31 +++++++++++++ .../edpm-nodeset-values/values.yaml.j2 | 22 +++++++++ .../edpm-nodeset-values/values.yaml.j2 | 22 +++++++++ .../edpm-nodeset2-values/values.yaml.j2 | 22 +++++++++ roles/kustomize_deploy/tasks/execute_step.yml | 45 +++++++++++++++++++ 23 files changed, 599 insertions(+) diff --git a/playbooks/06-deploy-architecture.yml b/playbooks/06-deploy-architecture.yml index 38e2907b8b..711acaff7c 100644 --- a/playbooks/06-deploy-architecture.yml +++ b/playbooks/06-deploy-architecture.yml 
@@ -163,6 +163,43 @@ msg: >- Error detected. Check debugging output above. + - name: Extract registry credentials from OpenShift pull-secret + tags: + - always + when: + - cifmw_sync_pullsecret_credentials | default(true) | bool + block: + - name: Extract credentials for each configured registry + loop: "{{ cifmw_reproducer_registry_list | default(['registry.stage.redhat.io']) }}" + loop_control: + loop_var: registry + ansible.builtin.include_role: + name: edpm_pullsecret_sync + vars: + cifmw_edpm_pullsecret_sync_registry: "{{ registry }}" + cifmw_edpm_pullsecret_sync_fact_name: "cifmw_reproducer_registry_{{ registry | replace('.', '_') | replace('-', '_') }}_creds" + + - name: Build registry credentials dictionary for templates + ansible.builtin.set_fact: + cifmw_ci_gen_kustomize_values_registry_logins: >- + {%- set result = {} -%} + {%- for registry in (cifmw_reproducer_registry_list | default(['registry.stage.redhat.io'])) -%} + {%- set fact_name = 'cifmw_reproducer_registry_' + (registry | replace('.', '_') | replace('-', '_')) + '_creds_dict' -%} + {%- if vars[fact_name] is defined -%} + {%- set _ = result.update({registry: vars[fact_name]}) -%} + {%- endif -%} + {%- endfor -%} + {{ result }} + + - name: Log extracted registry credentials + ansible.builtin.debug: + msg: "Registry credentials extracted for: {{ cifmw_ci_gen_kustomize_values_registry_logins.keys() | list }}" + + rescue: + - name: Log pull-secret extraction failure + ansible.builtin.debug: + msg: "Failed to extract credentials from pull-secret, templates will not include registry credentials" + - name: Set cifmw_architecture_automation_file if not set before when: cifmw_architecture_automation_file is not defined ansible.builtin.set_fact: diff --git a/roles/ci_gen_kustomize_values/templates/common/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/common/edpm-nodeset-values/values.yaml.j2 index b0110b530b..ee84958f1c 100644 
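Review bot: The added `Build registry credentials dictionary for templates` task stores pull-secret credentials with `ansible.builtin.set_fact` but carries no `no_log`, so a run at `-v` or higher prints the resulting `ansible_facts`, passwords included, to the job log. Add `no_log: true` to that task. Whether the included `edpm_pullsecret_sync` role protects its own output is not visible in this hunk. The commit message describes only the metal3 co-location and says nothing about this credential handling, which deserves its own description. The task list this block is inserted into starts and continues outside the hunk.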
--- a/roles/ci_gen_kustomize_values/templates/common/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/common/edpm-nodeset-values/values.yaml.j2 @@ -43,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset-values/values.yaml.j2 index d9f1b61b65..14d17d2059 100644 --- a/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset-values/values.yaml.j2 
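Review bot: In the added `edpm_container_registry_logins` block, `{{ username }}: {{ password }}` writes the credential as a plain YAML scalar. A password or token that contains `: ` or ` #`, starts with `{`, `*` or `&`, or looks like a number or boolean will therefore fail to parse or be silently retyped. Render both sides quoted, for example `{{ username | to_json }}: {{ password | to_json }}`. The rendered values file then holds the registry password in clear text, so it should be kept out of collected CI artifacts; whether it is cannot be seen from this patch. The same lines are added to every other `edpm-nodeset*-values/values.yaml.j2` template touched by this commit.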
@@ -37,6 +37,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset2-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset2-values/values.yaml.j2 index f3316b92ff..71d498339c 100644 --- a/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset2-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset2-values/values.yaml.j2 
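Review bot: The added `edpm_bootstrap_command` line writes `/root/.config/containers/policy.json` with `insecureAcceptAnything` as the default, and `cifmw_ci_gen_kustomize_values_add_policy_json | default(true)` makes that happen unless a job opts out. A per-user policy.json is read instead of `/etc/containers/policy.json`, so any signature requirement configured system-wide stops applying to image pulls made by root on the EDPM node. Either default the switch to `false`, or state the intent next to the line with a template comment such as `{# CI only: replaces root's image signature policy on the EDPM node #}`. The same line is added to every `edpm-nodeset*-values` template in this patch, starting with the `common` one, and the nova04delta template appends it to an existing bootstrap script.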
@@ -39,6 +39,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/nfv-ovs-dpdk-sriov-hci/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nfv-ovs-dpdk-sriov-hci/edpm-nodeset-values/values.yaml.j2 index 369dae6a2b..b83136aa25 100644 --- a/roles/ci_gen_kustomize_values/templates/nfv-ovs-dpdk-sriov-hci/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/nfv-ovs-dpdk-sriov-hci/edpm-nodeset-values/values.yaml.j2 
@@ -4,6 +4,7 @@ {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %} {% set _original_nodes = _original_nodeset.nodes | default({}) %} {% set _original_services = _original_nodeset['services'] | default([]) %} +{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %} {% for _inst in cifmw_baremetal_hosts.keys() %} {% set _ = instances_names.append(_inst) %} {% endfor %} @@ -29,6 +30,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: 
@@ -43,3 +66,11 @@ data: - "{{ svc }}" {% endfor %} {% endif %} +{% if cifmw_kustomize_deploy_metal3_node is defined %} + baremetalSetTemplate: +{% for key, value in _original_baremetal_template.items() %} + {{ key }}: {{ value }} +{% endfor %} + provisionServerNodeSelector: + kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}" +{% endif %} diff --git a/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset-values/values.yaml.j2 index cc79a738ad..289b109282 100644 --- a/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset-values/values.yaml.j2 @@ -43,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in nodeset_one_instances %} edpm-{{ instance }}: 
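Review bot: The added loop `{% for key, value in _original_baremetal_template.items() %}` re-emits the original `baremetalSetTemplate` as `{{ key }}: {{ value }}`, which prints nested mappings and lists as Python repr and a null as the string `None`. It also emits `provisionServerNodeSelector` twice when the original already defines it, and most YAML parsers silently keep the last duplicate. Skip that key and serialise the values: `{% for key, value in _original_baremetal_template.items() if key != 'provisionServerNodeSelector' %}` with `{{ key }}: {{ value | to_json }}`. The same block is added to the ovs-dpdk, ovs-dpdk-sriov, ovs-dpdk-sriov-ipv6, ovs-dpdk-sriov-2nodesets and ovs-dpdk-sriov-ipv6-2nodesets `edpm-nodeset-values` templates.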
diff --git a/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset2-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset2-values/values.yaml.j2 index 3c62a0657c..50d00f237c 100644 --- a/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset2-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset2-values/values.yaml.j2 @@ -43,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in nodeset_two_instances %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset-values/values.yaml.j2 index 8667d91d0b..8390b9b9a3 100644 --- a/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset-values/values.yaml.j2 
+++ b/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset-values/values.yaml.j2 @@ -43,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in nodeset_one_instances %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset2-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset2-values/values.yaml.j2 index 3f9a75153b..45a9b52d1f 100644 --- a/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset2-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset2-values/values.yaml.j2 
@@ -43,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in nodeset_two_instances %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/nova04delta/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/nova04delta/edpm-nodeset-values/values.yaml.j2 index 4987ed49d7..0119df58d6 100644 --- a/roles/ci_gen_kustomize_values/templates/nova04delta/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/nova04delta/edpm-nodeset-values/values.yaml.j2 
@@ -38,12 +38,26 @@ data: # see https://access.redhat.com/solutions/253273 dnf -y install conntrack-tools +{% if cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool %} + + # Container policy.json + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} {% if cifmw_ci_gen_kustomize_values_sshd_ranges | default([]) | length > 0 %} edpm_sshd_allowed_ranges: {% for range in cifmw_ci_gen_kustomize_values_sshd_ranges %} - "{{ range }}" {% endfor %} {% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} {% if cifmw_baremetal_hosts | default({}) | length > 0 %} # source roles/deploy_bmh/template/bmh.yml.j2, but it patches kustomize built outputs diff --git a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset-values/values.yaml.j2 index 6ae842b92b..312b54ce86 100644 --- a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset-values/values.yaml.j2 
@@ -4,6 +4,7 @@ {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %} {% set _original_nodes = _original_nodeset.nodes | default({}) %} {% set _original_services = _original_nodeset['services'] | default([]) %} +{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %} {% if cifmw_baremetal_hosts | default([]) | length > 0 %} {% for _inst in cifmw_baremetal_hosts.keys() %} {% if (('label' in cifmw_baremetal_hosts[_inst]) and @@ -42,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: 
@@ -56,3 +79,11 @@ data: - "{{ svc }}" {% endfor %} {% endif %} +{% if cifmw_kustomize_deploy_metal3_node is defined %} + baremetalSetTemplate: +{% for key, value in _original_baremetal_template.items() %} + {{ key }}: {{ value }} +{% endfor %} + provisionServerNodeSelector: + kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}" +{% endif %} diff --git a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset2-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset2-values/values.yaml.j2 index 6e2109bc50..3c50efe7b0 100644 --- a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset2-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-2nodesets/edpm-nodeset2-values/values.yaml.j2 
@@ -42,6 +42,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset-values/values.yaml.j2 index 62ec8dad00..de3eed84d6 100644 --- a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset-values/values.yaml.j2 
@@ -4,6 +4,7 @@ {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %} {% set _original_nodes = _original_nodeset.nodes | default({}) %} {% set _original_services = _original_nodeset['services'] | default([]) %} +{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %} {% if cifmw_baremetal_hosts | default([]) | length > 0 %} {% for _inst in cifmw_baremetal_hosts.keys() %} {% if (('label' in cifmw_baremetal_hosts[_inst]) and @@ -42,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: 
@@ -56,3 +79,11 @@ data: - "{{ svc }}" {% endfor %} {% endif %} +{% if cifmw_kustomize_deploy_metal3_node is defined %} + baremetalSetTemplate: +{% for key, value in _original_baremetal_template.items() %} + {{ key }}: {{ value }} +{% endfor %} + provisionServerNodeSelector: + kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}" +{% endif %} diff --git a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset2-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset2-values/values.yaml.j2 index 80103686c3..031a00d8fc 100644 --- a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset2-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6-2nodesets/edpm-nodeset2-values/values.yaml.j2 
@@ -42,6 +42,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6/edpm-nodeset-values/values.yaml.j2 index cf1e9ce624..4cb0ea8df5 100644 --- a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov-ipv6/edpm-nodeset-values/values.yaml.j2 
@@ -4,6 +4,7 @@ {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %} {% set _original_nodes = _original_nodeset.nodes | default({}) %} {% set _original_services = _original_nodeset['services'] | default([]) %} +{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %} {% for _inst in cifmw_baremetal_hosts.keys() %} {% set _ = instances_names.append(_inst) %} {% endfor %} @@ -29,6 +30,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: 
@@ -43,3 +66,11 @@ data: - "{{ svc }}" {% endfor %} {% endif %} +{% if cifmw_kustomize_deploy_metal3_node is defined %} + baremetalSetTemplate: +{% for key, value in _original_baremetal_template.items() %} + {{ key }}: {{ value }} +{% endfor %} + provisionServerNodeSelector: + kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}" +{% endif %} diff --git a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov/edpm-nodeset-values/values.yaml.j2 index 7d92c69d87..b3fdb1756b 100644 --- a/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/ovs-dpdk-sriov/edpm-nodeset-values/values.yaml.j2 @@ -4,6 +4,7 @@ {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %} {% set _original_nodes = _original_nodeset.nodes | default({}) %} {% set _original_services = _original_nodeset['services'] | default([]) %} +{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %} {% for _inst in cifmw_baremetal_hosts.keys() %} {% set _ = instances_names.append(_inst) %} {% endfor %} 
@@ -29,6 +30,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: @@ -43,3 +66,11 @@ data: - "{{ svc }}" {% endfor %} {% endif %} +{% if cifmw_kustomize_deploy_metal3_node is defined %} + baremetalSetTemplate: +{% for key, value in _original_baremetal_template.items() %} + {{ key }}: {{ value }} +{% endfor %} + provisionServerNodeSelector: + kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}" +{% endif %} diff --git a/roles/ci_gen_kustomize_values/templates/ovs-dpdk/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/ovs-dpdk/edpm-nodeset-values/values.yaml.j2 index 3d4fb5cc4d..27aeb0f9ba 100644 --- a/roles/ci_gen_kustomize_values/templates/ovs-dpdk/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/ovs-dpdk/edpm-nodeset-values/values.yaml.j2 
@@ -4,6 +4,7 @@ {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %} {% set _original_nodes = _original_nodeset.nodes | default({}) %} {% set _original_services = _original_nodeset['services'] | default([]) %} +{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %} {% for _inst in cifmw_baremetal_hosts.keys() %} {% set _ = instances_names.append(_inst) %} {% endfor %} @@ -29,6 +30,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: 
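Review bot: In the `@@ -29,6 +30,28 @@` hunk, `{{ username }}: {{ password }}` renders registry credentials as unquoted plain scalars. A password that contains `: ` or ` #`, starts with a YAML indicator, or is all digits would then be truncated, re-typed or break parsing of the generated values file. Quoting both sides through the JSON filter avoids that: `{{ username | to_json }}: {{ password | to_json }}`. The rendered file then holds clear-text registry credentials, so its mode and any log or artifact collection of it deserve a check; the task that writes it is not part of this hunk. The same lines appear in every other `edpm_container_registry_logins` block this patch adds.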
@@ -42,3 +65,11 @@ data: - "{{ svc }}" {% endfor %} {% endif %} +{% if cifmw_kustomize_deploy_metal3_node is defined %} + baremetalSetTemplate: +{% for key, value in _original_baremetal_template.items() %} + {{ key }}: {{ value }} +{% endfor %} + provisionServerNodeSelector: + kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}" +{% endif %} diff --git a/roles/ci_gen_kustomize_values/templates/shiftstack/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/shiftstack/edpm-nodeset-values/values.yaml.j2 index 69a2739190..afabb93fc4 100644 --- a/roles/ci_gen_kustomize_values/templates/shiftstack/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/shiftstack/edpm-nodeset-values/values.yaml.j2 @@ -69,6 +69,28 @@ data: {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: 
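Review bot: In the shiftstack hunk (`@@ -69,6 +69,28 @@`), `{{ _original_bootstrap }}` is substituted as raw text under `edpm_bootstrap_command: |`, so only the first line of a multi-line original command gets the block's indentation. The remaining lines would fall outside the scalar and either fail to parse or be read as sibling keys. Piping through the indent filter with the block's column keeps the whole command inside the scalar, for example `{{ _original_bootstrap | indent(<block indent>) }}`; the exact width is not recoverable from this view. The guard `'policy.json' not in _original_bootstrap` is a plain substring test, so any mention of that file name in the original command, even in a comment, suppresses the appended line; a short template comment saying so would help. The other nodeset templates in this patch add the same lines.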
diff --git a/roles/ci_gen_kustomize_values/templates/sriov/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/sriov/edpm-nodeset-values/values.yaml.j2 index 8139a2dc1d..23bb0b9a29 100644 --- a/roles/ci_gen_kustomize_values/templates/sriov/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/sriov/edpm-nodeset-values/values.yaml.j2 @@ -4,6 +4,7 @@ {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %} {% set _original_nodes = _original_nodeset.nodes | default({}) %} {% set _original_services = _original_nodeset['services'] | default([]) %} +{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %} {% for _inst in cifmw_baremetal_hosts.keys() %} {% set _ = instances_names.append(_inst) %} {% endfor %} 
@@ -29,6 +30,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: @@ -42,3 +65,11 @@ data: - "{{ svc }}" {% endfor %} {% endif %} +{% if cifmw_kustomize_deploy_metal3_node is defined %} + baremetalSetTemplate: +{% for key, value in _original_baremetal_template.items() %} + {{ key }}: {{ value }} +{% endfor %} + provisionServerNodeSelector: + kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}" +{% endif %} diff --git a/roles/ci_gen_kustomize_values/templates/uni02beta/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/uni02beta/edpm-nodeset-values/values.yaml.j2 index 6022ff2323..5f87f9641e 100644 --- a/roles/ci_gen_kustomize_values/templates/uni02beta/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/uni02beta/edpm-nodeset-values/values.yaml.j2 
@@ -43,6 +43,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in instances_names %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset-values/values.yaml.j2 index 69105034d4..92089e3113 100644 --- a/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset-values/values.yaml.j2 
@@ -39,6 +39,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in nodeset_one_instances %} edpm-{{ instance }}: diff --git a/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset2-values/values.yaml.j2 b/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset2-values/values.yaml.j2 index 9f3360974c..061146d045 100644 --- a/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset2-values/values.yaml.j2 +++ b/roles/ci_gen_kustomize_values/templates/uni05epsilon/edpm-nodeset2-values/values.yaml.j2 
@@ -39,6 +39,28 @@ data: - "{{ range }}" {% endfor %} {% endif %} +{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %} +{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %} +{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %} +{% if _needs_policy_json or _original_bootstrap %} + edpm_bootstrap_command: | +{% if _original_bootstrap %} + {{ _original_bootstrap }} + +{% endif %} +{% if _needs_policy_json %} + mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json +{% endif %} +{% endif %} +{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %} + edpm_container_registry_logins: +{% for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %} + {{ registry }}: +{% for username, password in creds.items() %} + {{ username }}: {{ password }} +{% endfor %} +{% endfor %} +{% endif %} nodes: {% for instance in nodeset_two_instances %} edpm-{{ instance }}: diff --git a/roles/kustomize_deploy/tasks/execute_step.yml b/roles/kustomize_deploy/tasks/execute_step.yml index 76bd5b82bf..96ebb36707 100644 --- a/roles/kustomize_deploy/tasks/execute_step.yml +++ b/roles/kustomize_deploy/tasks/execute_step.yml 
@@ -126,6 +126,51 @@ ansible.builtin.include_role: name: run_hook + - name: Debug stage information for metal3 detection + ansible.builtin.debug: + msg: + - "Stage path: {{ stage.path }}" + - "Stage path defined: {{ stage.path is defined }}" + - "Matches pattern: {{ stage.path is match('.*/edpm/nodeset.*') if stage.path is defined else false }}" + + - name: Detect metal3 pod node for baremetal nodeset provisioning + when: + - stage.path is defined + - stage.path is match('.*/edpm/nodeset.*') + block: + - name: Debug - Entering metal3 detection block + ansible.builtin.debug: + msg: "INSIDE metal3 detection block for stage: {{ stage.path }}" + + - name: Get metal3 pod information + kubernetes.core.k8s_info: + kubeconfig: "{{ cifmw_openshift_kubeconfig }}" + kind: Pod + namespace: openshift-machine-api + label_selectors: + - k8s-app=metal3 + register: _cifmw_kustomize_deploy_metal3_pod_info + + - name: Set metal3 node for provisionserver nodeSelector + ansible.builtin.set_fact: + cifmw_kustomize_deploy_metal3_node: "{{ _cifmw_kustomize_deploy_metal3_pod_info.resources[0].spec.nodeName }}" + cacheable: true + when: + - _cifmw_kustomize_deploy_metal3_pod_info.resources is defined + - _cifmw_kustomize_deploy_metal3_pod_info.resources | length > 0 + + - name: Log metal3 node location + ansible.builtin.debug: + msg: "Metal3 pod is running on {{ cifmw_kustomize_deploy_metal3_node }}, provisionserver will be co-located there" + when: cifmw_kustomize_deploy_metal3_node is defined + + - name: Debug - metal3 pod info result + ansible.builtin.debug: + msg: + - "Resources found: {{ _cifmw_kustomize_deploy_metal3_pod_info.resources | default([]) | length }}" + - "Variable set: {{ cifmw_kustomize_deploy_metal3_node is defined }}" + - "Variable value: {{ cifmw_kustomize_deploy_metal3_node | default('NOT_SET') }}" + - name: "Generate values.yaml for {{ stage.path }}" when: - _val.src_file is defined From 942fd36c6a5f820a8e9143e11b3ca790869716a0 Mon Sep 17 00:00:00 2001 
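Review bot: `_cifmw_kustomize_deploy_metal3_pod_info.resources[0].spec.nodeName` is read from whichever pod the label query returns first. A Pending pod has no `nodeName`, so the `set_fact` can fail, and a pod that is being replaced can pin the provision server to the node metal3 is leaving. Restricting the lookup to running pods with `field_selectors: ["status.phase=Running"]` on the `k8s_info` task and adding `- _cifmw_kustomize_deploy_metal3_pod_info.resources[0].spec.nodeName is defined` to the `when` list would cover both cases. `cacheable: true` also keeps the value in the fact cache, so a later run that finds no pod may reuse a stale node name; unless that is intended I would drop it. The three `Debug` tasks look like troubleshooting output and could be removed or gated on verbosity before merge. The surrounding task list continues outside this hunk.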
From: Miguel Angel Nieto Jimenez Date: Tue, 10 Mar 2026 15:44:53 +0100 Subject: [PATCH 2/2] [multiple] Add cifmw_registry_pullsecret role for credential extraction Extracts registry credentials from OpenShift pull-secret during EDPM deployment. Runs after edpm_prepare, before EDPM nodesets are created. New role updates cifmw_registry_token variable and optionally writes credentials to file. Only executes when cifmw_registry_pullsecret_enabled is true (opt-in, backwards compatible). Configuration: - cifmw_registry_pullsecret_enabled: Enable extraction (default: false) - cifmw_registry_pullsecret_registry_url: Registry URL to extract for Modified roles/cifmw_setup/tasks/deploy_edpm.yml to integrate role. Signed-off-by: Miguel Angel Nieto Jimenez Co-Authored-By: Claude Sonnet 4.5 --- roles/cifmw_registry_pullsecret/README.md | 43 ++++++ .../defaults/main.yml | 27 ++++ roles/cifmw_registry_pullsecret/meta/main.yml | 35 +++++ .../cifmw_registry_pullsecret/tasks/main.yml | 130 ++++++++++++++++++ .../cifmw_setup/tasks/deploy_architecture.yml | 7 + 5 files changed, 242 insertions(+) create mode 100644 roles/cifmw_registry_pullsecret/README.md create mode 100644 roles/cifmw_registry_pullsecret/defaults/main.yml create mode 100644 roles/cifmw_registry_pullsecret/meta/main.yml create mode 100644 roles/cifmw_registry_pullsecret/tasks/main.yml diff --git a/roles/cifmw_registry_pullsecret/README.md b/roles/cifmw_registry_pullsecret/README.md new file mode 100644 index 0000000000..d4819ff695 --- /dev/null +++ b/roles/cifmw_registry_pullsecret/README.md 
@@ -0,0 +1,43 @@ +# cifmw_registry_pullsecret + +Extract registry credentials from OpenShift pull-secret and update the registry token used for EDPM deployment. + +## Privilege escalation + +None required. + +## Parameters + +* `cifmw_registry_pullsecret_enabled`: (Boolean) Enable/disable pull-secret credential extraction. Default: `false` +* `cifmw_registry_pullsecret_registry_url`: (String) Registry URL to extract credentials for. Example: `` +* `cifmw_registry_pullsecret_update_file`: (Boolean) Whether to update the registry token file. Default: `true` +* `cifmw_registry_pullsecret_dest_file`: (String) Destination file for registry token credentials. Default: `{{ ansible_user_dir }}/secrets/registry_token_creds.yaml` + +## Usage + +This role is designed to be called during EDPM deployment, after OpenShift is deployed but before EDPM nodesets are created. + +It extracts credentials from the OpenShift pull-secret in the `openshift-config` namespace and updates the `cifmw_registry_token` variable and optionally the registry token file. + +### Example configuration which can be used in the zuul jobs + +```yaml +vars: + cifmw_registry_pullsecret_enabled: true + cifmw_registry_pullsecret_registry_url: +``` + +### Integration point + +This role is automatically called by `cifmw_setup/tasks/deploy_architecture.yml` when `cifmw_registry_pullsecret_enabled` is `true`. + +## Requirements + +* OpenShift cluster must be deployed and accessible +* `kubernetes.core.k8s_info` module must be available +* Pull-secret must exist in `openshift-config/pull-secret` +* The specified registry URL must be present in the pull-secret + +## Error handling + +If extraction fails for any reason (OpenShift not accessible, registry not in pull-secret, etc.), the role will log a warning and continue, keeping the existing credentials from pre-run. 
diff --git a/roles/cifmw_registry_pullsecret/defaults/main.yml b/roles/cifmw_registry_pullsecret/defaults/main.yml new file mode 100644 index 0000000000..744ee660cb --- /dev/null +++ b/roles/cifmw_registry_pullsecret/defaults/main.yml @@ -0,0 +1,27 @@ +--- +# Copyright Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# Enable/disable pull-secret credential extraction +cifmw_registry_pullsecret_enabled: false + +# Registry URL to extract credentials for +# cifmw_registry_pullsecret_registry_url: registry.stage.redhat.io + +# Whether to update the registry token file with extracted credentials +cifmw_registry_pullsecret_update_file: true + +# Destination file for registry token credentials +cifmw_registry_pullsecret_dest_file: "{{ ansible_user_dir }}/secrets/registry_token_creds.yaml" diff --git a/roles/cifmw_registry_pullsecret/meta/main.yml b/roles/cifmw_registry_pullsecret/meta/main.yml new file mode 100644 index 0000000000..c0536be5f4 --- /dev/null +++ b/roles/cifmw_registry_pullsecret/meta/main.yml 
@@ -0,0 +1,35 @@ +--- +# Copyright Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +galaxy_info: + author: CI Framework + description: Extract registry credentials from OpenShift pull-secret + company: Red Hat + license: Apache-2.0 + min_ansible_version: "2.15" + platforms: + - name: CentOS + versions: + - stream9 + - name: Fedora + versions: + - 39 + - 40 + - name: RedHat + versions: + - "9" + +dependencies: [] diff --git a/roles/cifmw_registry_pullsecret/tasks/main.yml b/roles/cifmw_registry_pullsecret/tasks/main.yml new file mode 100644 index 0000000000..a450444048 --- /dev/null +++ b/roles/cifmw_registry_pullsecret/tasks/main.yml 
@@ -0,0 +1,130 @@ +--- +# Copyright Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +- name: Extract registry credentials from OpenShift pull-secret + when: + - cifmw_registry_pullsecret_enabled | default(false) | bool + - cifmw_registry_pullsecret_registry_url is defined + block: + - name: Get OpenShift pull-secret + no_log: true + kubernetes.core.k8s_info: + kubeconfig: "{{ cifmw_openshift_kubeconfig | default(omit) }}" + api_key: "{{ cifmw_openshift_token | default(omit) }}" + context: "{{ cifmw_openshift_context | default(omit) }}" + api_version: v1 + kind: Secret + name: pull-secret + namespace: openshift-config + register: _pullsecret_info + + - name: Validate pull-secret was retrieved + ansible.builtin.assert: + that: + - _pullsecret_info.resources is defined + - _pullsecret_info.resources | length > 0 + fail_msg: "Could not retrieve pull-secret from OpenShift" + + - name: Parse pull-secret content + no_log: true + ansible.builtin.set_fact: + _dockerconfig: "{{ _pullsecret_info.resources[0].data['.dockerconfigjson'] | b64decode | from_json }}" + + - name: Validate registry exists in pull-secret + ansible.builtin.assert: + that: + - _dockerconfig.auths is defined + - cifmw_registry_pullsecret_registry_url in _dockerconfig.auths + fail_msg: "Registry {{ cifmw_registry_pullsecret_registry_url }} not found in pull-secret" + + - name: Extract and decode registry auth + no_log: true + ansible.builtin.set_fact: + 
_registry_auth_decoded: "{{ _dockerconfig.auths[cifmw_registry_pullsecret_registry_url].auth | b64decode }}" + + - name: Parse username and password + no_log: true + ansible.builtin.set_fact: + _pullsecret_username: "{{ _registry_auth_decoded.split(':')[0] }}" + _pullsecret_password: "{{ _registry_auth_decoded.split(':')[1] }}" + + - name: Update cifmw_registry_token with pull-secret credentials + no_log: true + ansible.builtin.set_fact: + cifmw_registry_token: + name: "pullsecret_extracted" + description: "Extracted from OpenShift pull-secret" + created: "{{ ansible_date_time.iso8601 }}" + credentials: + username: "{{ _pullsecret_username }}" + password: "{{ _pullsecret_password }}" + + - name: Update cifmw_registry_token_credentials for EDPM deployment + no_log: true + ansible.builtin.set_fact: + cifmw_registry_token_credentials: + - key: "{{ _pullsecret_username }}" + value: "{{ _pullsecret_password }}" + + - name: Update architecture kustomize registry credentials for all stages + when: cifmw_architecture_user_kustomize_90_registry_mirror_login is defined + no_log: true + vars: + _new_logins: + registry.redhat.io: + "{{ cifmw_registry_token.credentials.username }}": "{{ cifmw_registry_token.credentials.password }}" + registry.stage.redhat.io: + "{{ cifmw_registry_token.credentials.username }}": "{{ cifmw_registry_token.credentials.password }}" + _stage_update: + data: + nodeset: + ansible: + ansibleVars: + edpm_container_registry_logins: "{{ _new_logins }}" + ansible.builtin.set_fact: + cifmw_architecture_user_kustomize_90_registry_mirror_login: >- + {{ + cifmw_architecture_user_kustomize_90_registry_mirror_login | + dict2items | + map('combine', {'value': _stage_update}, recursive=true) | + items2dict + }} + + - name: Ensure destination directory exists + when: cifmw_registry_pullsecret_update_file | bool + ansible.builtin.file: + path: "{{ cifmw_registry_pullsecret_dest_file | dirname }}" + state: directory + mode: "0755" + + - name: Update registry token 
file with pull-secret credentials + when: cifmw_registry_pullsecret_update_file | bool + vars: + _file_content: + cifmw_registry_token: "{{ cifmw_registry_token }}" + ansible.builtin.copy: + content: "{{ _file_content | to_nice_yaml }}" + dest: "{{ cifmw_registry_pullsecret_dest_file }}" + mode: "0644" + + - name: Display success + ansible.builtin.debug: + msg: "Updated registry credentials for {{ cifmw_registry_pullsecret_registry_url }} from OpenShift pull-secret (user: {{ _pullsecret_username }})" + + rescue: + - name: Pull-secret extraction failed + ansible.builtin.debug: + msg: "Could not extract credentials from pull-secret. Keeping existing credentials." diff --git a/roles/cifmw_setup/tasks/deploy_architecture.yml b/roles/cifmw_setup/tasks/deploy_architecture.yml index 3a11b4dbd6..74a0ff27bc 100644 --- a/roles/cifmw_setup/tasks/deploy_architecture.yml +++ b/roles/cifmw_setup/tasks/deploy_architecture.yml @@ -228,6 +228,13 @@ - storage - edpm_bootstrap +- name: Update registry credentials from OpenShift pull-secret + when: cifmw_registry_pullsecret_enabled | default(false) | bool + ansible.builtin.include_role: + name: cifmw_registry_pullsecret + tags: + - edpm_bootstrap + - name: Execute deployment steps tags: - edpm_deploy
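Review bot: In `roles/cifmw_registry_pullsecret/tasks/main.yml` the token file is written with `mode: "0644"` into a directory created with `mode: "0755"`, and the `copy` task is the only credential-handling task without `no_log`. The extracted registry username and password are therefore readable by every local user and can appear in verbose or diff output. I would use `mode: "0600"` for the file, `mode: "0700"` for the directory and add `no_log: true` to the copy task. `_registry_auth_decoded.split(':')[1]` drops everything after a second colon, so a password containing `:` is silently truncated; `split(':', 1)[1]` keeps it whole. `_new_logins` also applies the extracted credentials to both `registry.redhat.io` and `registry.stage.redhat.io` regardless of `cifmw_registry_pullsecret_registry_url`, which looks wider than intended and should be confirmed.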