Add additional volume mounts for metal-bmc metal-core and pixiecore (#…
simcod authored Aug 12, 2024
1 parent 7c97d93 commit 1697442
Showing 11 changed files with 46 additions and 29 deletions.
43 changes: 22 additions & 21 deletions partition/roles/metal-bmc/README.md
@@ -8,24 +8,25 @@ This role uses variables from [partition-defaults](/partition). So, make sure yo

You can look up all the default values of this role [here](defaults/main.yaml).

| Name | Mandatory | Description |
| ------------------------------ | --------- | ---------------------------------------------------------------------------------------------- |
| metal_bmc_image_name | yes | Image version of the metal-bmc |
| metal_bmc_image_tag | yes | Image tag of the metal-bmc |
| metal_bmc_superuser | yes | Name of the BMC superuser |
| metal_bmc_superuser_pwd | yes | Password of the BMC superuser |
| metal_bmc_nsqd_addr | yes | The address to the nsqd that metal-bmc uses for discovering the NSQ of the metal control plane |
| metal_bmc_nsq_log_level | | The metal-core log level used on NSQ communication |
| metal_bmc_nsq_tls_enabled | | Enables tls encryption on NSQ traffic |
| metal_bmc_nsq_cert_dir | | Defines the path of the NSQ certificates |
| metal_bmc_nsqd_ca_cert | | The CA certificate that signed the NSQ client cert |
| metal_bmc_nsqd_client_cert | | The NSQ client certificate |
| metal_bmc_nsqd_client_cert_key | | The NSQ client certificate key |
| metal_bmc_console_port | | The port where to listen for incoming metal-console connections |
| metal_bmc_console_ca_cert | yes | The CA certificate for the metal-console port as a string |
| metal_bmc_console_cert | yes | The certificate for metal-console port as a string |
| metal_bmc_console_key | yes | The key for the metal-console port as a string |
| metal_bmc_console_cert_owner | | user of the created certificate files |
| metal_bmc_console_cert_group | | group of the created certificate files |
| metal_bmc_ignore_macs | | when fetching bmc reports from the dhcp lease file, the given macs are ignored |
| metal_bmc_allowed_cidrs | | when fetching bmc reports from the dhcp lease file, ips in the given cidrs are ignored |
| Name | Mandatory | Description |
| ---------------------------------- | --------- | ---------------------------------------------------------------------------------------------- |
| metal_bmc_image_name | yes | Image version of the metal-bmc |
| metal_bmc_image_tag | yes | Image tag of the metal-bmc |
| metal_bmc_superuser | yes | Name of the BMC superuser |
| metal_bmc_superuser_pwd | yes | Password of the BMC superuser |
| metal_bmc_nsqd_addr | yes | The address to the nsqd that metal-bmc uses for discovering the NSQ of the metal control plane |
| metal_bmc_nsq_log_level | | The metal-core log level used on NSQ communication |
| metal_bmc_nsq_tls_enabled | | Enables tls encryption on NSQ traffic |
| metal_bmc_nsq_cert_dir | | Defines the path of the NSQ certificates |
| metal_bmc_nsqd_ca_cert | | The CA certificate that signed the NSQ client cert |
| metal_bmc_nsqd_client_cert | | The NSQ client certificate |
| metal_bmc_nsqd_client_cert_key | | The NSQ client certificate key |
| metal_bmc_console_port | | The port where to listen for incoming metal-console connections |
| metal_bmc_console_ca_cert | yes | The CA certificate for the metal-console port as a string |
| metal_bmc_console_cert | yes | The certificate for metal-console port as a string |
| metal_bmc_console_key | yes | The key for the metal-console port as a string |
| metal_bmc_console_cert_owner | | user of the created certificate files |
| metal_bmc_console_cert_group | | group of the created certificate files |
| metal_bmc_ignore_macs | | when fetching bmc reports from the dhcp lease file, the given macs are ignored |
| metal_bmc_allowed_cidrs | | when fetching bmc reports from the dhcp lease file, ips in the given cidrs are ignored |
| metal_bmc_additional_volume_mounts | | Volumes to mount into the metal-bmc, besides the default ones |
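Review bot: the new `metal_bmc_additional_volume_mounts` row does not say what an entry looks like, and this variable is the one knob in the role that can expose arbitrary host paths to the container, so the description should state the expected form and the security expectation. Suggested wording: "List of Docker bind-mount strings (`host_path:container_path[:options]`, e.g. `/opt/foo:/opt/foo:ro`) mounted in addition to the role's default read-only mounts of `/var/lib/dhcp`, `/certs/nsq` and `/certs/console`; use `:ro` unless the container must write to the path". That matters here because the same container is configured with `metal_bmc_superuser` and `metal_bmc_superuser_pwd`, so a read-write mount of a sensitive host path is reachable from a process that already holds BMC credentials. Two smaller points in the same hunk: realigning all 21 existing rows to fit the longer name turns a one-line documentation change into a 43-line diff (markdown renders the table without the padding), and the context line above the table links to `defaults/main.yaml` while the defaults file changed in this commit is `defaults/main/main.yaml`, so the link target should be fixed while the README is being touched.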
2 changes: 2 additions & 0 deletions partition/roles/metal-bmc/defaults/main/main.yaml
@@ -20,3 +20,5 @@ metal_bmc_console_cert_dir: /certs/console
metal_bmc_console_ca_cert:
metal_bmc_console_cert:
metal_bmc_console_key:

metal_bmc_additional_volume_mounts: []
7 changes: 2 additions & 5 deletions partition/roles/metal-bmc/tasks/main.yaml
@@ -81,10 +81,7 @@
systemd_docker_ports:
- host_port: "{{ metal_bmc_console_port }}"
target_port: "{{ metal_bmc_console_port }}"
systemd_docker_volumes:
- /var/lib/dhcp:/var/lib/dhcp:ro
- /certs/nsq:/certs/nsq:ro
- /certs/console:/certs/console:ro
systemd_docker_volumes: "{{ lookup('template', 'metal-bmc-volumes.j2') | from_yaml }}"
systemd_service_environment:
TZ: "{{ metal_partition_timezone }}"
METAL_BMC_LEASE_FILE: /var/lib/dhcp/dhcpd.leases
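Review bot: `lookup('template', 'metal-bmc-volumes.j2') | from_yaml` makes the volume list depend on the rendered text being valid YAML, and the template emits each additional entry unquoted, so an operator-supplied mount string containing YAML-significant characters (a `: `, or a leading `*`, `&` or `#`) fails to parse or silently changes meaning at deploy time. The template is not needed for this: the same result with no round trip through YAML is a list concatenation, e.g.
`systemd_docker_volumes: "{{ ['/var/lib/dhcp:/var/lib/dhcp:ro', '/certs/nsq:/certs/nsq:ro', '/certs/console:/certs/console:ro'] + metal_bmc_additional_volume_mounts }}"`
If the template is kept, render each item as `- "{{ volume_mount }}"` instead. Either way, an `assert` before this task such as `that: metal_bmc_additional_volume_mounts is not string and metal_bmc_additional_volume_mounts is iterable` gives a clearer failure than a YAML parse error raised from inside the lookup when someone sets the variable to a single string.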
@@ -104,4 +101,4 @@
METAL_BMC_CONSOLE_PORT: "{{ metal_bmc_console_port }}"
METAL_BMC_CONSOLE_CA_CERT_FILE: "{{metal_bmc_console_cert_dir }}/ca.pem"
METAL_BMC_CONSOLE_CERT_FILE: "{{metal_bmc_console_cert_dir }}/cert.pem"
METAL_BMC_CONSOLE_KEY_FILE: "{{metal_bmc_console_cert_dir }}/key.pem"
METAL_BMC_CONSOLE_KEY_FILE: "{{metal_bmc_console_cert_dir }}/key.pem"
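Review bot: this hunk only adds the missing newline at end of file, which is fine. While here, the three context lines use `{{metal_bmc_console_cert_dir }}` with no space after the opening braces, which is inconsistent with the spacing used everywhere else in this task; `{{ metal_bmc_console_cert_dir }}` on all three lines would be the tidy fix.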
6 changes: 6 additions & 0 deletions partition/roles/metal-bmc/templates/metal-bmc-volumes.j2
@@ -0,0 +1,6 @@
- /var/lib/dhcp:/var/lib/dhcp:ro
- /certs/nsq:/certs/nsq:ro
- /certs/console:/certs/console:ro
{% for volume_mount in metal_bmc_additional_volume_mounts %}
- {{ volume_mount }}
{% endfor %}
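Review bot: the loop body `- {{ volume_mount }}` is emitted unquoted, so the YAML that the task's `from_yaml` parses is only as safe as the operator's input; quote it as `- "{{ volume_mount }}"` so all three roles in this commit produce the same output for the same input. Two further points: the certificate mounts are hard-coded as `/certs/nsq` and `/certs/console` while the task hands `{{ metal_bmc_console_cert_dir }}` (defaulting to `/certs/console`) to the container as the console certificate directory and the README documents `metal_bmc_nsq_cert_dir` for the NSQ certificates, so overriding either variable moves the paths the environment points at without moving the mount; `"{{ metal_bmc_console_cert_dir }}:{{ metal_bmc_console_cert_dir }}:ro"` would keep mount and environment in step. And because the role cannot tell whether an additional mount is meant to be writable, either append `:ro` in the loop with an explicit opt-out, or state in the README that entries without `:ro` are mounted read-write into the container that holds the BMC superuser credentials.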
1 change: 1 addition & 0 deletions partition/roles/metal-core/README.md
@@ -32,3 +32,4 @@ You can look up all the default values of this role [here](defaults/main/main.ya
| metal_core_interfaces_tpl_file | | The golang template file to use for rendering `/etc/network/interfaces`. If this is left blank the default template shipped with metal-core will be used. |
| metal_core_frr_tpl_file | | The golang template file to use for rendering `/etc/frr/frr.conf`. If this is left blank the default template shipped with metal-core will be used. |
| metal_core_pxe_vlan_id | | The VLAN ID for the PXE machines. Defaults to `4000`. |
| metal_core_additional_volume_mounts | | Volumes to mount into the metal-core, besides the default ones |
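Review bot: same documentation gap as in the metal-bmc README in this commit: the description should state the expected entry format (`host_path:container_path[:options]`) and recommend `:ro` for anything the container does not need to write. Also, the new name is wider than the first column of the existing rows, so the pipes no longer line up; rendering is unaffected, but if the metal-bmc table was realigned in this same commit for exactly that reason, the two READMEs should be treated the same way.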
1 change: 1 addition & 0 deletions partition/roles/metal-core/defaults/main/main.yaml
@@ -15,6 +15,7 @@ metal_core_grpc_client_key: "{{ metal_partition_metal_api_grpc_client_key }}"

metal_core_additional_bridge_vids: []
metal_core_additional_bridge_ports: []
metal_core_additional_volume_mounts: []

metal_core_consider_hosts_file_resolution: false

3 changes: 3 additions & 0 deletions partition/roles/metal-core/templates/metal-core-volumes.j2
@@ -12,3 +12,6 @@
- /etc/nsswitch.conf:/etc/nsswitch.conf
{% endif %}
- "{{ metal_core_grpc_cert_dir }}:/certs/grpc:ro"
{% for volume_mount in metal_core_additional_volume_mounts %}
- {{ volume_mount }}
{% endfor %}
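Review bot: as with the new metal-bmc template, quote the loop item (`- "{{ volume_mount }}"`) so operator-supplied strings cannot break the YAML that the task later parses with `from_yaml`; the existing `"{{ metal_core_grpc_cert_dir }}:/certs/grpc:ro"` line in this same file already follows that convention, so the loop should match it. Unrelated to the addition but visible in the context: `/etc/nsswitch.conf:/etc/nsswitch.conf` is the only mount here without `:ro`; unless metal-core writes to that file, `:ro` belongs there too.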
3 changes: 2 additions & 1 deletion partition/roles/pixiecore/README.md
@@ -5,7 +5,7 @@ Deploys pixiecore in a systemd-managed Docker container.
## Variables

| Name | Mandatory | Description |
|---------------------------------------------|-----------|---------------------------------------------------------------------------------------------------------------|
| ------------------------------------------- | --------- | ------------------------------------------------------------------------------------------------------------- |
| pixiecore_image_name | yes | Image version of the pixiecore |
| pixiecore_image_tag | yes | Image tag of the pixiecore |
| pixiecore_debug | | Enable debugging |
@@ -26,3 +26,4 @@ Deploys pixiecore in a systemd-managed Docker container.
| pixiecore_metal_hammer_logging_cert | | set metal-hammer to send logs to a remote endpoint and authenticate with this cert for mtls auth |
| pixiecore_metal_hammer_logging_key | | set metal-hammer to send logs to a remote endpoint and authenticate with this key for mtls auth |
| pixiecore_metal_hammer_logging_tls_insecure | | set metal-hammer to send logs to a remote endpoint without verifying the tls certificate for mtls auth |
| pixiecore_additional_volume_mounts | | Volumes to mount into the pixiecore, besides the default ones |
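Review bot: same as the other two READMEs in this commit: document the entry format (`host_path:container_path[:options]`) and recommend `:ro`. pixiecore is the most sensitive of the three places to add host mounts, because, per the comment in its `tasks/main.yaml`, it has to run with access to the host's networking stack to listen for DHCP traffic; anything bind-mounted here is exposed inside a container that is already network-privileged, so the README should say so rather than leave it to the operator to infer.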
2 changes: 2 additions & 0 deletions partition/roles/pixiecore/defaults/main/main.yaml
@@ -19,3 +19,5 @@ pixiecore_metal_hammer_logging_password:
pixiecore_metal_hammer_logging_cert:
pixiecore_metal_hammer_logging_key:
pixiecore_metal_hammer_logging_tls_insecure: false

pixiecore_additional_volume_mounts: []
3 changes: 1 addition & 2 deletions partition/roles/pixiecore/tasks/main.yaml
@@ -66,8 +66,7 @@
systemd_docker_cpu_quota: 10000
systemd_docker_memory: 256m
systemd_docker_dns: "{{ pixiecore_dns_servers }}"
systemd_docker_volumes:
- "{{ pixiecore_grpc_cert_dir }}:/certs/grpc:ro"
systemd_docker_volumes: "{{ lookup('template', 'pixie-volumes.j2') | from_yaml }}"
# Because Pixiecore needs to listen for DHCP traffic,
# it has to run with access to the host's networking stack.
# Both Rkt and Docker do this with the --net=host commandline flag.
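Review bot: the template is named `pixie-volumes.j2` while the other two roles in this commit use `<role>-volumes.j2` (`metal-bmc-volumes.j2`, `metal-core-volumes.j2`); `pixiecore-volumes.j2` would keep the naming consistent. The `lookup('template', ...) | from_yaml` concern raised on the metal-bmc task applies here as well: a plain list concatenation,
`systemd_docker_volumes: "{{ [pixiecore_grpc_cert_dir ~ ':/certs/grpc:ro'] + pixiecore_additional_volume_mounts }}"`
avoids the YAML round trip and the template file entirely, and fails loudly if the variable is not a list.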
4 changes: 4 additions & 0 deletions partition/roles/pixiecore/templates/pixie-volumes.j2
@@ -0,0 +1,4 @@
- "{{ pixiecore_grpc_cert_dir }}:/certs/grpc:ro"
{% for volume_mount in pixiecore_additional_volume_mounts %}
- {{ volume_mount }}
{% endfor %}
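Review bot: the default entry on the first line is quoted but the loop item is not; quote both (`- "{{ volume_mount }}"`) so an additional entry containing `: ` or a leading special character does not break the `from_yaml` in the task, and so this template behaves identically to the metal-bmc and metal-core ones.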