diff --git a/partition/roles/metal-bmc/README.md b/partition/roles/metal-bmc/README.md
index 7b31a7389..fbe14590c 100644
--- a/partition/roles/metal-bmc/README.md
+++ b/partition/roles/metal-bmc/README.md
@@ -8,24 +8,25 @@ This role uses variables from [partition-defaults](/partition). So, make sure yo
 You can look up all the default values of this role [here](defaults/main.yaml).
-| Name | Mandatory | Description |
-| ------------------------------ | --------- | ---------------------------------------------------------------------------------------------- |
-| metal_bmc_image_name | yes | Image version of the metal-bmc |
-| metal_bmc_image_tag | yes | Image tag of the metal-bmc |
-| metal_bmc_superuser | yes | Name of the BMC superuser |
-| metal_bmc_superuser_pwd | yes | Password of the BMC superuser |
-| metal_bmc_nsqd_addr | yes | The address to the nsqd that metal-bmc uses for discovering the NSQ of the metal control plane |
-| metal_bmc_nsq_log_level | | The metal-core log level used on NSQ communication |
-| metal_bmc_nsq_tls_enabled | | Enables tls encryption on NSQ traffic |
-| metal_bmc_nsq_cert_dir | | Defines the path of the NSQ certificates |
-| metal_bmc_nsqd_ca_cert | | The CA certificate that signed the NSQ client cert |
-| metal_bmc_nsqd_client_cert | | The NSQ client certificate |
-| metal_bmc_nsqd_client_cert_key | | The NSQ client certificate key |
-| metal_bmc_console_port | | The port where to listen for incoming metal-console connections |
-| metal_bmc_console_ca_cert | yes | The CA certificate for the metal-console port as a string |
-| metal_bmc_console_cert | yes | The certificate for metal-console port as a string |
-| metal_bmc_console_key | yes | The key for the metal-console port as a string |
-| metal_bmc_console_cert_owner | | user of the created certificate files |
-| metal_bmc_console_cert_group | | group of the created certificate files |
-| metal_bmc_ignore_macs | | when fetching bmc reports from the dhcp lease file, the given macs are ignored |
-| metal_bmc_allowed_cidrs | | when fetching bmc reports from the dhcp lease file, ips in the given cidrs are ignored |
+| Name | Mandatory | Description |
+| ---------------------------------- | --------- | ---------------------------------------------------------------------------------------------- |
+| metal_bmc_image_name | yes | Image version of the metal-bmc |
+| metal_bmc_image_tag | yes | Image tag of the metal-bmc |
+| metal_bmc_superuser | yes | Name of the BMC superuser |
+| metal_bmc_superuser_pwd | yes | Password of the BMC superuser |
+| metal_bmc_nsqd_addr | yes | The address to the nsqd that metal-bmc uses for discovering the NSQ of the metal control plane |
+| metal_bmc_nsq_log_level | | The metal-core log level used on NSQ communication |
+| metal_bmc_nsq_tls_enabled | | Enables tls encryption on NSQ traffic |
+| metal_bmc_nsq_cert_dir | | Defines the path of the NSQ certificates |
+| metal_bmc_nsqd_ca_cert | | The CA certificate that signed the NSQ client cert |
+| metal_bmc_nsqd_client_cert | | The NSQ client certificate |
+| metal_bmc_nsqd_client_cert_key | | The NSQ client certificate key |
+| metal_bmc_console_port | | The port where to listen for incoming metal-console connections |
+| metal_bmc_console_ca_cert | yes | The CA certificate for the metal-console port as a string |
+| metal_bmc_console_cert | yes | The certificate for metal-console port as a string |
+| metal_bmc_console_key | yes | The key for the metal-console port as a string |
+| metal_bmc_console_cert_owner | | user of the created certificate files |
+| metal_bmc_console_cert_group | | group of the created certificate files |
+| metal_bmc_ignore_macs | | when fetching bmc reports from the dhcp lease file, the given macs are ignored |
+| metal_bmc_allowed_cidrs | | when fetching bmc reports from the dhcp lease file, ips in the given cidrs are ignored |
+| metal_bmc_additional_volume_mounts | | Volumes to mount into the metal-bmc, besides the default ones |
diff --git a/partition/roles/metal-bmc/defaults/main/main.yaml b/partition/roles/metal-bmc/defaults/main/main.yaml
index 13606d6f9..ca15c4a59 100755
--- a/partition/roles/metal-bmc/defaults/main/main.yaml
+++ b/partition/roles/metal-bmc/defaults/main/main.yaml
@@ -20,3 +20,5 @@ metal_bmc_console_cert_dir: /certs/console
 metal_bmc_console_ca_cert:
 metal_bmc_console_cert:
 metal_bmc_console_key:
+
+metal_bmc_additional_volume_mounts: []
diff --git a/partition/roles/metal-bmc/tasks/main.yaml b/partition/roles/metal-bmc/tasks/main.yaml
index e32da2a63..ec4295da5 100755
--- a/partition/roles/metal-bmc/tasks/main.yaml
+++ b/partition/roles/metal-bmc/tasks/main.yaml
@@ -81,10 +81,7 @@
 systemd_docker_ports:
 - host_port: "{{ metal_bmc_console_port }}"
 target_port: "{{ metal_bmc_console_port }}"
- systemd_docker_volumes:
- - /var/lib/dhcp:/var/lib/dhcp:ro
- - /certs/nsq:/certs/nsq:ro
- - /certs/console:/certs/console:ro
+ systemd_docker_volumes: "{{ lookup('template', 'metal-bmc-volumes.j2') | from_yaml }}"
 systemd_service_environment:
 TZ: "{{ metal_partition_timezone }}"
 METAL_BMC_LEASE_FILE: /var/lib/dhcp/dhcpd.leases
@@ -104,4 +101,4 @@
 METAL_BMC_CONSOLE_PORT: "{{ metal_bmc_console_port }}"
 METAL_BMC_CONSOLE_CA_CERT_FILE: "{{metal_bmc_console_cert_dir }}/ca.pem"
 METAL_BMC_CONSOLE_CERT_FILE: "{{metal_bmc_console_cert_dir }}/cert.pem"
- METAL_BMC_CONSOLE_KEY_FILE: "{{metal_bmc_console_cert_dir }}/key.pem"
+ METAL_BMC_CONSOLE_KEY_FILE: "{{metal_bmc_console_cert_dir }}/key.pem"
diff --git a/partition/roles/metal-bmc/templates/metal-bmc-volumes.j2 b/partition/roles/metal-bmc/templates/metal-bmc-volumes.j2
new file mode 100644
index 000000000..370a367c5
--- /dev/null
+++ b/partition/roles/metal-bmc/templates/metal-bmc-volumes.j2
@@ -0,0 +1,6 @@
+- /var/lib/dhcp:/var/lib/dhcp:ro
+- /certs/nsq:/certs/nsq:ro
+- /certs/console:/certs/console:ro
+{% for volume_mount in metal_bmc_additional_volume_mounts %}
+- {{ volume_mount }}
+{% endfor %}
\ No newline at end of file
diff --git a/partition/roles/metal-core/README.md b/partition/roles/metal-core/README.md
index 130d0701e..2bc21c32b 100644
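Review bot: The new `systemd_docker_volumes` line renders the mount list to text and re-parses it with `from_yaml`, so an entry of `metal_bmc_additional_volume_mounts` that YAML treats specially (a `: ` or ` #` inside the value, a leading `*`, `&`, `[` or `{`) is mis-parsed or fails the parse instead of being passed through as the string the operator wrote. Since the three fixed mounts are constants, plain list concatenation keeps everything as data and needs no template: `systemd_docker_volumes: "{{ ['/var/lib/dhcp:/var/lib/dhcp:ro', '/certs/nsq:/certs/nsq:ro', '/certs/console:/certs/console:ro'] + metal_bmc_additional_volume_mounts }}"`. If the template is kept for parity with metal-core-volumes.j2, the same caveat applies to the pixiecore tasks hunk further down. The enclosing task starts before this hunk.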
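Review bot: `- {{ volume_mount }}` emits each additional mount as an unquoted plain scalar, unlike the quoted `- "{{ metal_core_grpc_cert_dir }}:/certs/grpc:ro"` line that metal-core-volumes.j2 already uses; rendering it as `- {{ volume_mount | to_json }}` produces a valid double-quoted YAML string for any value, including ones containing `: `, ` #` or a leading indicator character. The same unquoted loop item is appended in metal-core-volumes.j2 and in the new pixie-volumes.j2 in this diff. Because every entry becomes a host bind mount into the container, a header comment stating the expected form would help the next operator: `{# one docker bind-mount spec per entry, host_path:container_path[:ro]; appended after the role's fixed mounts #}`. All three templates also end without a trailing newline.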
--- a/partition/roles/metal-core/README.md
+++ b/partition/roles/metal-core/README.md
@@ -32,3 +32,4 @@ You can look up all the default values of this role [here](defaults/main/main.ya
 | metal_core_interfaces_tpl_file | | The golang template file to use for rendering `/etc/network/interfaces`. If this is left blank the default template shipped with metal-core will be used. |
 | metal_core_frr_tpl_file | | The golang template file to use for rendering `/etc/frr/frr.conf`. If this is left blank the default template shipped with metal-core will be used. |
 | metal_core_pxe_vlan_id | | The VLAN ID for the PXE machines. Defaults to `4000`. |
+| metal_core_additional_volume_mounts | | Volumes to mount into the metal-core, besides the default ones |
diff --git a/partition/roles/metal-core/defaults/main/main.yaml b/partition/roles/metal-core/defaults/main/main.yaml
index fb5a1ee47..8218e8935 100644
--- a/partition/roles/metal-core/defaults/main/main.yaml
+++ b/partition/roles/metal-core/defaults/main/main.yaml
@@ -15,6 +15,7 @@ metal_core_grpc_client_key: "{{ metal_partition_metal_api_grpc_client_key }}"
 metal_core_additional_bridge_vids: []
 metal_core_additional_bridge_ports: []
+metal_core_additional_volume_mounts: []
 metal_core_consider_hosts_file_resolution: false
diff --git a/partition/roles/metal-core/templates/metal-core-volumes.j2 b/partition/roles/metal-core/templates/metal-core-volumes.j2
index aafc717fb..3f94614e6 100644
--- a/partition/roles/metal-core/templates/metal-core-volumes.j2
+++ b/partition/roles/metal-core/templates/metal-core-volumes.j2
@@ -12,3 +12,6 @@
 - /etc/nsswitch.conf:/etc/nsswitch.conf
 {% endif %}
 - "{{ metal_core_grpc_cert_dir }}:/certs/grpc:ro"
+{% for volume_mount in metal_core_additional_volume_mounts %}
+- {{ volume_mount }}
+{% endfor %}
\ No newline at end of file
diff --git a/partition/roles/pixiecore/README.md b/partition/roles/pixiecore/README.md
index 8f57ef3ad..57bca4e6b 100644
--- a/partition/roles/pixiecore/README.md
+++ b/partition/roles/pixiecore/README.md
@@ -5,7 +5,7 @@ Deploys pixiecore in a systemd-managed Docker container.
 ## Variables
 | Name | Mandatory | Description |
-|---------------------------------------------|-----------|---------------------------------------------------------------------------------------------------------------|
+| ------------------------------------------- | --------- | ------------------------------------------------------------------------------------------------------------- |
 | pixiecore_image_name | yes | Image version of the pixiecore |
 | pixiecore_image_tag | yes | Image tag of the pixiecore |
 | pixiecore_debug | | Enable debugging |
@@ -26,3 +26,4 @@ Deploys pixiecore in a systemd-managed Docker container.
 | pixiecore_metal_hammer_logging_cert | | set metal-hammer to send logs to a remote endpoint and authenticate with this cert for mtls auth |
 | pixiecore_metal_hammer_logging_key | | set metal-hammer to send logs to a remote endpoint and authenticate with this key for mtls auth |
 | pixiecore_metal_hammer_logging_tls_insecure | | set metal-hammer to send logs to a remote endpoint without verifying the tls certificate for mtls auth |
+| pixiecore_additional_volume_mounts | | Volumes to mount into the pixiecore, besides the default ones |
diff --git a/partition/roles/pixiecore/defaults/main/main.yaml b/partition/roles/pixiecore/defaults/main/main.yaml
index 6ef53e8c4..dfd4f0d62 100644
--- a/partition/roles/pixiecore/defaults/main/main.yaml
+++ b/partition/roles/pixiecore/defaults/main/main.yaml
@@ -19,3 +19,5 @@ pixiecore_metal_hammer_logging_password:
 pixiecore_metal_hammer_logging_cert:
 pixiecore_metal_hammer_logging_key:
 pixiecore_metal_hammer_logging_tls_insecure: false
+
+pixiecore_additional_volume_mounts: []
diff --git a/partition/roles/pixiecore/tasks/main.yaml b/partition/roles/pixiecore/tasks/main.yaml
index 1b59497ee..48868895a 100644
--- a/partition/roles/pixiecore/tasks/main.yaml
+++ b/partition/roles/pixiecore/tasks/main.yaml
@@ -66,8 +66,7 @@
 systemd_docker_cpu_quota: 10000
 systemd_docker_memory: 256m
 systemd_docker_dns: "{{ pixiecore_dns_servers }}"
- systemd_docker_volumes:
- - "{{ pixiecore_grpc_cert_dir }}:/certs/grpc:ro"
+ systemd_docker_volumes: "{{ lookup('template', 'pixie-volumes.j2') | from_yaml }}"
 # Because Pixiecore needs to listen for DHCP traffic,
 # it has to run with access to the host's networking stack.
 # Both Rkt and Docker do this with the --net=host commandline flag.
diff --git a/partition/roles/pixiecore/templates/pixie-volumes.j2 b/partition/roles/pixiecore/templates/pixie-volumes.j2
new file mode 100644
index 000000000..d1d6ce55c
--- /dev/null
+++ b/partition/roles/pixiecore/templates/pixie-volumes.j2
@@ -0,0 +1,4 @@
+- "{{ pixiecore_grpc_cert_dir }}:/certs/grpc:ro"
+{% for volume_mount in pixiecore_additional_volume_mounts %}
+- {{ volume_mount }}
+{% endfor %}
\ No newline at end of file
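Review bot: The template is referenced as `pixie-volumes.j2` while the sibling roles in this diff name theirs after the role (`metal-bmc-volumes.j2`, `metal-core-volumes.j2`); naming it `pixiecore-volumes.j2` here and in the new-file header below keeps the convention, e.g. `systemd_docker_volumes: "{{ lookup('template', 'pixiecore-volumes.j2') | from_yaml }}"`. Since this role has only one fixed mount, the text-then-`from_yaml` round trip could also be dropped entirely with `systemd_docker_volumes: "{{ [pixiecore_grpc_cert_dir ~ ':/certs/grpc:ro'] + pixiecore_additional_volume_mounts }}"`, which sidesteps the quoting caveat raised on the metal-bmc tasks hunk. The enclosing task starts before this hunk.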