Update metal3 packages

suse-edge · Oct 19, 2023 · b12c9e1 · b12c9e1
1 parent 3074290
commit b12c9e1
Show file tree

Hide file tree

Showing 19 changed files with 496 additions and 406 deletions.
diff --git a/assets/metal3/metal3-0.2.0.tgz b/assets/metal3/metal3-0.2.0.tgz
diff --git a/index.yaml b/index.yaml
@@ -55,7 +55,7 @@ entries:
   metal3:
   - apiVersion: v2
     appVersion: 1.16.0
-    created: "2023-10-19T13:53:26.130642135+03:00"
+    created: "2023-10-19T15:31:51.464427+03:00"
     dependencies:
     - alias: metal3-baremetal-operator
       name: baremetal-operator
@@ -75,7 +75,7 @@ entries:
       repository: file://./charts/media
       version: 0.2.0
     description: A Helm chart that installs all of the dependencies needed for Metal3
-    digest: fba6593b9c9cf4ec79338930a00af6c0d4c59db7946f8357a1d547bdd25a61dc
+    digest: 56429cf06e4b37915e916084105f03ddf3e188d135b57468721ab45094490547
     icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
     name: metal3
     type: application

diff --git a/packages/baremetal-operator/charts/crds/customresource-baremetalhosts.yaml b/packages/baremetal-operator/charts/crds/customresource-baremetalhosts.yaml
@@ -5,6 +5,8 @@ metadata:
   annotations:
     cert-manager.io/inject-ca-from: baremetal-operator-system/baremetal-operator-serving-cert
     controller-gen.kubebuilder.io/version: v0.12.1
+  labels:
+    clusterctl.cluster.x-k8s.io: ""
   name: baremetalhosts.metal3.io
 spec:
   group: metal3.io

diff --git a/packages/baremetal-operator/charts/crds/customresource-bmceventsubscriptions.yaml b/packages/baremetal-operator/charts/crds/customresource-bmceventsubscriptions.yaml
@@ -4,6 +4,8 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.1
+  labels:
+    clusterctl.cluster.x-k8s.io: ""
   name: bmceventsubscriptions.metal3.io
 spec:
   group: metal3.io

diff --git a/packages/baremetal-operator/charts/crds/customresource-firmwareschemas.yaml b/packages/baremetal-operator/charts/crds/customresource-firmwareschemas.yaml
@@ -4,6 +4,8 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.1
+  labels:
+    clusterctl.cluster.x-k8s.io: ""
   name: firmwareschemas.metal3.io
 spec:
   group: metal3.io

diff --git a/packages/baremetal-operator/charts/crds/customresource-hardwaredata.yaml b/packages/baremetal-operator/charts/crds/customresource-hardwaredata.yaml
@@ -4,6 +4,8 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.1
+  labels:
+    clusterctl.cluster.x-k8s.io: ""
   name: hardwaredata.metal3.io
 spec:
   group: metal3.io

diff --git a/packages/baremetal-operator/charts/crds/customresource-hostfirmwaresettings.yaml b/packages/baremetal-operator/charts/crds/customresource-hostfirmwaresettings.yaml
@@ -4,6 +4,8 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.1
+  labels:
+    clusterctl.cluster.x-k8s.io: ""
   name: hostfirmwaresettings.metal3.io
 spec:
   group: metal3.io

diff --git a/packages/baremetal-operator/charts/crds/customresource-preprovisioningimages.yaml b/packages/baremetal-operator/charts/crds/customresource-preprovisioningimages.yaml
@@ -4,6 +4,8 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.1
+  labels:
+    clusterctl.cluster.x-k8s.io: ""
   name: preprovisioningimages.metal3.io
 spec:
   group: metal3.io

diff --git a/packages/baremetal-operator/charts/templates/configmap-ironic.yaml b/packages/baremetal-operator/charts/templates/configmap-ironic.yaml
@@ -14,15 +14,9 @@ data:
   CACHEURL: "http://{{ $ironicCacheHost }}/images"
   DEPLOY_KERNEL_URL: "http://{{ $ironicBootHost }}/images/ironic-python-agent.kernel"
   DEPLOY_RAMDISK_URL: "http://{{ $ironicBootHost }}/images/ironic-python-agent.initramfs"
-  HTTP_PORT: {{ .httpPort | quote }}
   IRONIC_ENDPOINT: "http://{{ $ironicApiHost }}/v1/"
   IRONIC_INSPECTOR_ENDPOINT: "http://{{ $ironicInspectorHost }}/v1/"
-  DHCP_RANGE: {{ .Values.global.dhcpRange }}
-  PROVISIONING_INTERFACE: {{ .Values.global.provisioningInterface }}
-  PROVISIONING_IP: {{ .Values.global.provisioningIP }}
-  IRONIC_FAST_TRACK: "true"
   RESTART_CONTAINER_CERTIFICATE_UPDATED: "false"
-  IRONIC_INSECURE: "true"
 kind: ConfigMap
 metadata:
   name: baremetal-operator-ironic

diff --git a/packages/baremetal-operator/charts/templates/deployment.yaml b/packages/baremetal-operator/charts/templates/deployment.yaml
@@ -38,6 +38,8 @@ spec:
             name: {{ include "baremetal-operator.fullname" . }}-ironic
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
         livenessProbe:
           failureThreshold: 10
           httpGet:
@@ -61,8 +63,6 @@ spec:
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 2
-        securityContext:
-          allowPrivilegeEscalation: false
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert

diff --git a/packages/baremetal-operator/charts/values.yaml b/packages/baremetal-operator/charts/values.yaml
@@ -47,7 +47,8 @@ podAnnotations: {}
 podSecurityContext: {}
   # fsGroup: 2000
 
-securityContext: {}
+securityContext: 
+  allowPrivilegeEscalation: false
   # capabilities:
   #   drop:
   #   - ALL

diff --git a/packages/ironic/charts/templates/_helpers.tpl b/packages/ironic/charts/templates/_helpers.tpl
@@ -60,3 +60,190 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Shared directory volumeMount
+*/}}
+{{- define "ironic.sharedVolumeMount" -}}
+- mountPath: /shared
+  name: ironic-data-volume
+{{- end }}
+
+
+{{/*
+Get certificate volumeMounts
+*/}}
+{{- define "ironic.certVolumeMounts" -}}
+- mountPath: /certs/ironic/tls.crt
+  name: ironic-certs
+  subPath: tls.crt
+- mountPath: /certs/ironic/tls.key
+  name: ironic-certs
+  subPath: tls.key
+- mountPath: /certs/ironic-inspector/tls.crt
+  name: ironic-insp-certs
+  subPath: tls.crt
+- mountPath: /certs/ironic-inspector/tls.key
+  name: ironic-insp-certs
+  subPath: tls.key
+- mountPath: /certs/ca/ironic/tls.crt
+  name: ironic-cacerts
+  subPath: tls.crt
+- mountPath: /certs/ca/ironic-inspector/tls.crt
+  name: ironic-insp-cacerts
+  subPath: tls.crt
+{{- end }}
+
+
+{{/*
+Get secret volumeMounts
+*/}}
+{{- define "ironic.secretVolMounts" -}}
+- name: ironic-certs
+  mountPath: "/certs/ironic"
+  readOnly: true
+- name: ironic-insp-certs
+  mountPath: "/certs/ironic-inspector"
+  readOnly: true
+- name: vmedia-certs
+  mountPath: "/certs/vmedia"
+  readOnly: true
+- name: vmedia-ca-certs
+  mountPath: "/certs/ca/vmedia"
+  readOnly: true
+{{- end }}
+
+{{/*
+Get cacert volumeMounts
+*/}}
+{{- define "ironic.cacertVolumeMounts" -}}
+- mountPath: /etc/pki/trust/anchors/ca.crt
+  name: ironic-trustca
+  subPath: tls.cacert
+- mountPath: /shared/html/tstcerts/ca.crt
+  name: ironicipa-trustca
+  subPath: tls.cacert
+{{- end }}
+
+{{/*
+Get trust cert volumeMounts
+*/}}
+{{- define "ironic.trustVolMounts" -}}
+- name: ironic-trustcerts
+  mountPath: "/etc/pki/trust/anchors"
+  readOnly: true
+- name: ironicipa-trustcerts
+  mountPath: "/shared/html/tstcerts"
+  readOnly: true
+{{- end }}
+
+{{/*
+Get letsEncrypt volumeMounts
+*/}}
+{{- define "ironic.letsEncryptVolMounts" -}}
+- mountPath: /etc/pki/trust/anchors/ca.crt
+  name: ironic-le-trustca
+  subPath: tls.lecacert
+- mountPath: /shared/html/tstcerts/ca.crt
+  name: ironicipa-le-trustca
+  subPath: tls.lecacert
+{{- end }}
+
+
+{{/*
+Get ironic volumes
+*/}}
+{{- define "ironic.volumes" -}}
+{{- if .Values.global.enable_ironic }}
+- name: ironic-data-volume
+  persistentVolumeClaim:
+    claimName: ironic-shared-volume
+{{- end }}
+{{- if .Values.global.enable_ironic }}
+{{- if .Values.global.enable_tls }}
+{{- if eq .Values.ingress.tlsSource "secrets" }}
+- name: ironic-trustca
+  configMap:
+    defaultMode: 493
+    name: ironic-certs
+- name: ironicipa-trustca
+  configMap:
+    defaultMode: 493
+    name: ironic-certs    
+{{- end }}
+{{- if (eq .Values.ingress.tlsSource "self") }}
+- name: ironic-trustcerts
+  secret:
+    secretName: ironic-cacert
+- name: ironicipa-trustcerts
+  secret:
+    secretName: ironic-cacert    
+{{- end }}
+{{- if (eq .Values.ingress.tlsSource "letsEncrypt") }}
+- name: ironic-le-trustca
+  configMap:
+    defaultMode: 493
+    name: ironic-certs
+- name: ironicipa-le-trustca
+  configMap:
+    defaultMode: 493
+    name: ironic-certs
+{{- end }}    
+{{- end }}
+{{- if and ($.Values.global.enable_tls) (eq .Values.ingress.tlsSource "secrets") (eq .Values.tls "ironic") }}
+- name: ironic-certs
+  configMap:
+    defaultMode: 493
+    name: ironic-certs
+- name: ironic-insp-certs
+  configMap:
+    defaultMode: 493
+    name: ironic-certs
+- name: ironic-cacerts
+  configMap:
+    defaultMode: 493
+    name: ironic-certs
+- name: ironic-insp-cacerts
+  configMap:
+    defaultMode: 493
+    name: ironic-certs
+{{- end }}
+{{- if and ($.Values.global.enable_tls) (or (eq .Values.ingress.tlsSource "self") (eq .Values.ingress.tlsSource "letsEncrypt")) (eq .Values.tls "ironic") }}
+- name: ironic-certs
+  secret:
+    secretName: ironic-cacert
+- name: ironic-insp-certs
+  secret:
+    secretName: ironic-cacert
+- name: vmedia-certs
+  secret:
+    secretName: ironic-cacert    
+- name: vmedia-ca-certs
+  secret:
+    secretName: ironic-cacert    
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Get ironic tls volumeMounts
+*/}}
+{{- define "ironic.tlsVolumeMounts" -}}
+{{- if (eq .Values.ingress.tlsSource "secrets") }}
+  {{- include "ironic.cacertVolumeMounts" . }}
+{{- end }}
+{{- if (eq .Values.ingress.tlsSource "self") }}
+  {{- include "ironic.trustVolMounts" . }}
+{{- end }}
+{{- if (eq .Values.ingress.tlsSource "letsEncrypt") }}
+  {{- include "ironic.letsEncryptVolMounts" . }}
+{{- end }}
+{{- end }}
+{{- if and ($.Values.global.enable_tls) (eq .Values.tls "ironic") }}
+{{- if (eq .Values.ingress.tlsSource "secrets") }}
+  {{- include "ironic.certVolumeMounts" . }}
+{{- end }}
+{{- if or (eq .Values.ingress.tlsSource "self") (eq .Values.ingress.tlsSource "letsEncrypt") }}
+  {{- include "ironic.secretVolMounts" . }}
+{{- end }}
+{{- end }}
diff --git a/packages/ironic/charts/templates/configmap.yaml b/packages/ironic/charts/templates/configmap.yaml
@@ -73,4 +73,8 @@ data:
   IRONIC_KERNEL_PARAMS: console=ttyS0
   IPA_INSECURE: "1"
   {{- end }}
-  DATABASE_HOST: {{ .Values.global.database_clusterIP }}
+  {{- if .Values.databaseHost }}
+  DATABASE_HOST: {{ .Values.databaseHost }}
+  {{- else }}
+  DATABASE_HOST: {{ .Values.global.databaseServiceName }}.{{ .Release.Namespace }}.svc.cluster.local
+  {{- end }}