Hostnetworkless ironic with nodeports

Signed-off-by: Mohammed Boukhalfa <[email protected]>

02_configure_host.sh

@@ -310,7 +310,8 @@ mkdir -p "${M3PATH}"
 # of the path
 detect_mismatch "${BMO_LOCAL_IMAGE:-}" "${BMOPATH}"
 clone_repo "${BMOREPO}" "${BMOBRANCH}" "${BMOPATH}" "${BMOCOMMIT}"
-
+# edit cloned bmo to run ironic without hostnetwork access
+cp -f ironic.yaml "${BMOPATH}/ironic-deployment/base/ironic.yaml"
 detect_mismatch "${CAPM3_LOCAL_IMAGE:-}" "${CAPM3PATH}"
 clone_repo "${CAPM3REPO}" "${CAPM3BRANCH}" "${CAPM3PATH}" "${CAPM3COMMIT}"
 

03_launch_mgmt_cluster.sh

@@ -16,7 +16,7 @@ export REPO_IMAGE_PREFIX="quay.io"
 
 declare -a BMO_IRONIC_ARGS
 # -k is for keepalived
-BMO_IRONIC_ARGS=(-k)
+BMO_IRONIC_ARGS=()
 if [ "${IRONIC_TLS_SETUP}" == "true" ]; then
   BMO_IRONIC_ARGS+=("-t")
 fi
@@ -138,7 +138,7 @@ function update_images(){
 #
 function launch_ironic() {
   pushd "${BMOPATH}"
-
+  _INTERFACE="eth0"
   inspector_default=$(grep USE_IRONIC_INSPECTOR "${BMOPATH}/ironic-deployment/default/ironic_bmo_configmap.env" || true)
 
     # Update Configmap parameters with correct urls
@@ -147,9 +147,7 @@ function launch_ironic() {
     # called PROVISIONER_IP and CIDR in dev-env
     cat << EOF | sudo tee "${IRONIC_DATA_DIR}/ironic_bmo_configmap.env"
 HTTP_PORT=${HTTP_PORT}
-PROVISIONING_IP=${CLUSTER_BARE_METAL_PROVISIONER_IP}
-PROVISIONING_CIDR=${BARE_METAL_PROVISIONER_CIDR}
-PROVISIONING_INTERFACE=${BARE_METAL_PROVISIONER_INTERFACE}
+PROVISIONING_INTERFACE=${_INTERFACE}
 DHCP_RANGE=${CLUSTER_DHCP_RANGE}
 DEPLOY_KERNEL_URL=${DEPLOY_KERNEL_URL}
 DEPLOY_RAMDISK_URL=${DEPLOY_RAMDISK_URL}
@@ -159,6 +157,9 @@ CACHEURL=http://${BARE_METAL_PROVISIONER_URL_HOST}/images
 RESTART_CONTAINER_CERTIFICATE_UPDATED="${RESTART_CONTAINER_CERTIFICATE_UPDATED}"
 IRONIC_RAMDISK_SSH_KEY=${SSH_PUB_KEY_CONTENT}
 IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
+IRONIC_EXTERNAL_IP=172.22.0.2
+IRONIC_EXTERNAL_CALLBACK_URL=https://172.22.0.2:30085
+IRONIC_BASE_URL=https://172.22.0.2:30085
 ${inspector_default}
 IPA_BASEURI=${IPA_BASEURI}
 IPA_BRANCH=${IPA_BRANCH}
@@ -182,7 +183,7 @@ EOF
   fi
 
   # Copy the generated configmap for ironic deployment
-  cp "${IRONIC_DATA_DIR}/ironic_bmo_configmap.env"  "${BMOPATH}/ironic-deployment/components/keepalived/ironic_bmo_configmap.env"
+  cp "${IRONIC_DATA_DIR}/ironic_bmo_configmap.env"  "${BMOPATH}/ironic-deployment/default/ironic_bmo_configmap.env"
 
   # Update manifests to use the correct images.
   # Note: Even though the manifests are not used for local deployment we need
@@ -470,6 +471,7 @@ function start_management_cluster () {
       sudo su -l -c "minikube ssh sudo ip link set $BARE_METAL_PROVISIONER_INTERFACE up" "${USER}"
       sudo su -l -c "minikube ssh sudo brctl addif $BARE_METAL_PROVISIONER_INTERFACE eth2" "${USER}"
       sudo su -l -c "minikube ssh sudo ip addr add $INITIAL_BARE_METAL_PROVISIONER_BRIDGE_IP/$BARE_METAL_PROVISIONER_CIDR dev $BARE_METAL_PROVISIONER_INTERFACE" "${USER}"
+      minikube ssh sudo ip addr add 172.22.0.2/24 dev ironicendpoint
     fi
   fi
 }

config_example.sh

@@ -79,7 +79,7 @@
 #
 # Force deletion of the BMO and CAPM3 repositories before cloning them again
 #
-#export FORCE_REPO_UPDATE="${FORCE_REPO_UPDATE:-false}"
+export FORCE_REPO_UPDATE=false
 
 #
 # Run a local baremetal operator instead of deploying in Kubernetes
@@ -113,8 +113,11 @@
 # Set the driver. The default value is 'mixed' (alternate nodes between ipmi
 # and redfish). Can also be set explicitly to ipmi/redfish/redfish-virtualmedia.
 #
-#export BMC_DRIVER="mixed"
-
+export BMC_DRIVER="redfish-virtualmedia"
+# Ports
+export HTTP_PORT="${HTTP_PORT:-30080}"
+export IRONIC_INSPECTOR_PORT="${IRONIC_INSPECTOR_PORT:-30050}"
+export IRONIC_API_PORT="${IRONIC_API_PORT:-30085}"
 #
 # Set libvirt firmware and BMC bootMode
 # Choose "legacy" (bios), "UEFI", or "UEFISecureBoot"
@@ -179,7 +182,7 @@
 #export CLUSTER_APIENDPOINT_IP="192.168.111.249"
 
 # Cluster provisioning Interface
-#export BARE_METAL_PROVISIONER_INTERFACE="ironicendpoint"
+# export BARE_METAL_PROVISIONER_INTERFACE="eth0"
 
 # POD CIDR
 #export POD_CIDR=${POD_CIDR:-"192.168.0.0/18"}

ironic.yaml

@@ -0,0 +1,112 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ironic
+spec:
+  replicas: 1
+  minReadySeconds: 10
+  strategy:
+    # We cannot run Ironic with more than one replica at a time. The recreate
+    # strategy makes sure that the old pod is gone before a new is started.
+    type: Recreate
+  selector:
+    matchLabels:
+      name: ironic
+  template:
+    metadata:
+      labels:
+        name: ironic
+    spec:
+      containers:
+      - name: ironic
+        image: quay.io/metal3-io/ironic
+        imagePullPolicy: Always
+        command:
+        - /bin/runironic
+        volumeMounts:
+        - mountPath: /shared
+          name: ironic-data-volume
+        envFrom:
+        - configMapRef:
+            name: ironic-bmo-configmap
+        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
+          runAsUser: 0 # ironic
+          runAsGroup: 0 # ironic
+      - name: ironic-log-watch
+        image: quay.io/metal3-io/ironic
+        imagePullPolicy: Always
+        command:
+        - /bin/runlogwatch.sh
+        volumeMounts:
+        - mountPath: /shared
+          name: ironic-data-volume
+        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
+          runAsUser: 0 # ironic
+          runAsGroup: 0 # ironic
+      - name: ironic-httpd
+        image: quay.io/metal3-io/ironic
+        imagePullPolicy: Always
+        command:
+        - /bin/runhttpd
+        volumeMounts:
+        - mountPath: /shared
+          name: ironic-data-volume
+        envFrom:
+        - configMapRef:
+            name: ironic-bmo-configmap
+        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
+          runAsUser: 0 # ironic
+          runAsGroup: 0 # ironic
+      initContainers:
+      - name: ironic-ipa-downloader
+        image: quay.io/metal3-io/ironic-ipa-downloader
+        imagePullPolicy: Always
+        command:
+        - /usr/local/bin/get-resource.sh
+        envFrom:
+        - configMapRef:
+            name: ironic-bmo-configmap
+        volumeMounts:
+        - mountPath: /shared
+          name: ironic-data-volume
+        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
+          runAsUser: 0 # ironic
+          runAsGroup: 0 # ironic
+      volumes:
+      - name: ironic-data-volume
+        emptyDir: {}
+      securityContext:
+        runAsNonRoot: false
+        seccompProfile:
+          type: RuntimeDefault
+        fsGroup: 0
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: expose-ironic-to-provisioning-network
+spec:
+  type: NodePort
+  selector:
+    name: ironic
+  ports:
+    - name: ironic
+      port: 6385
+      targetPort: 6385
+      nodePort: 30085
+    - name: inspector
+      port: 5050
+      targetPort: 5050
+      nodePort: 30050
+    - name: httpd
+      port: 30080
+      targetPort: 30080
+      nodePort: 30080

lib/common.sh

@@ -303,7 +303,7 @@ export IRONIC_TLS_SETUP=${IRONIC_TLS_SETUP:-"true"}
 export IRONIC_BASIC_AUTH=${IRONIC_BASIC_AUTH:-"true"}
 export IPA_DOWNLOADER_IMAGE=${IPA_DOWNLOADER_IMAGE:-"${CONTAINER_REGISTRY}/metal3-io/ironic-ipa-downloader"}
 export IRONIC_IMAGE=${IRONIC_IMAGE:-"${CONTAINER_REGISTRY}/metal3-io/ironic:${IRONIC_TAG}"}
-export IRONIC_CLIENT_IMAGE=${IRONIC_CLIENT_IMAGE:-"${CONTAINER_REGISTRY}/metal3-io/ironic-client"}
+export IRONIC_CLIENT_IMAGE=${IRONIC_CLIENT_IMAGE:-"${CONTAINER_REGISTRY}/metal3-io/ironic-client:main_20240124_4de85c1"}
 export IRONIC_DATA_DIR="$WORKING_DIR/ironic"
 export IRONIC_IMAGE_DIR="$IRONIC_DATA_DIR/html/images"
 export IRONIC_NAMESPACE="${IRONIC_NAMESPACE:-baremetal-operator-system}"

tests/roles/run_tests/tasks/move.yml

@@ -64,7 +64,10 @@
       state: absent
       namespace: "{{ IRONIC_NAMESPACE }}"
     when: EPHEMERAL_CLUSTER == "minikube"
-
+
+  - name: delete ironic ip 
+    shell: "minikube ssh sudo ip addr del 172.22.0.2/24 dev ironicendpoint"
+
   - name: Label baremetalhost CRD to pivot.
     shell: "kubectl label --overwrite crds baremetalhosts.metal3.io {{ item }}"
     with_items:
@@ -122,6 +125,8 @@
     args:
       chdir: "{{ BMOPATH }}"
 
+  - name: add ironic ip 
+    shell: "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no [email protected] sudo ip addr add 172.22.0.2/24 dev ironicendpoint"
   # Install Ironic
   - name: Install Ironic
     shell: "{{ BMOPATH }}/tools/deploy.sh -i {{ BMO_IRONIC_ARGS }}"

tests/roles/run_tests/tasks/move_back.yml

@@ -9,6 +9,10 @@
       namespace: "{{ IRONIC_NAMESPACE }}"
       kubeconfig: "/tmp/kubeconfig-{{ CLUSTER_NAME }}.yaml"
 
+  - name: delete ironic ip 
+    shell: "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no [email protected] sudo ip addr del 172.22.0.2/24 dev ironicendpoint"
+  - name: add ironic ip 
+    shell: "minikube ssh sudo ip addr add 172.22.0.2/24 dev ironicendpoint"
   # Install BMO in Source cluster
   - name: Install Baremetal Operator in Source cluster
     shell: "{{ BMOPATH }}/tools/deploy.sh -b  {{ BMO_IRONIC_ARGS }}"

tests/roles/run_tests/vars/main.yml

@@ -94,7 +94,7 @@ IPAM_INSECURE_DIAGNOSTICS: "true"
 
 # Args to pass to the deploy.sh script when deploying Ironic and BMO
 # [k]eepalived [t]ls [n]o basic auth or [m]ariadb
-BMO_IRONIC_ARGS: "-k {{ (IRONIC_TLS_SETUP == 'true') | ternary('-t', '') }} {{ (IRONIC_BASIC_AUTH == 'true') | ternary('', '-n') }} {{ (IRONIC_USE_MARIADB == 'true') | ternary('-m', '') }}"
+BMO_IRONIC_ARGS: "{{ (IRONIC_TLS_SETUP == 'true') | ternary('-t', '') }} {{ (IRONIC_BASIC_AUTH == 'true') | ternary('', '-n') }} {{ (IRONIC_USE_MARIADB == 'true') | ternary('-m', '') }}"
 
 provision_cluster_actions:
 - "ci_test_provision"