Make metal3 helm chart compatible with the Sylva project

charts/metal3/0.2.0/charts/baremetal-operator/crds/customresource-baremetalhosts.yaml

@@ -5,6 +5,8 @@ metadata:
   annotations:
     cert-manager.io/inject-ca-from: baremetal-operator-system/baremetal-operator-serving-cert
     controller-gen.kubebuilder.io/version: v0.12.1
+  labels:
+    clusterctl.cluster.x-k8s.io: ""
   name: baremetalhosts.metal3.io
 spec:
   group: metal3.io

charts/metal3/0.2.0/charts/baremetal-operator/crds/customresource-bmceventsubscriptions.yaml

@@ -4,6 +4,8 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.1
+  labels:
+    clusterctl.cluster.x-k8s.io: ""
   name: bmceventsubscriptions.metal3.io
 spec:
   group: metal3.io

charts/metal3/0.2.0/charts/baremetal-operator/crds/customresource-firmwareschemas.yaml

@@ -4,6 +4,8 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.1
+  labels:
+    clusterctl.cluster.x-k8s.io: ""
   name: firmwareschemas.metal3.io
 spec:
   group: metal3.io

charts/metal3/0.2.0/charts/baremetal-operator/crds/customresource-hardwaredata.yaml

@@ -4,6 +4,8 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.1
+  labels:
+    clusterctl.cluster.x-k8s.io: ""
   name: hardwaredata.metal3.io
 spec:
   group: metal3.io

charts/metal3/0.2.0/charts/baremetal-operator/crds/customresource-hostfirmwaresettings.yaml

@@ -4,6 +4,8 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.1
+  labels:
+    clusterctl.cluster.x-k8s.io: ""
   name: hostfirmwaresettings.metal3.io
 spec:
   group: metal3.io

charts/metal3/0.2.0/charts/baremetal-operator/crds/customresource-preprovisioningimages.yaml

@@ -4,6 +4,8 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.12.1
+  labels:
+    clusterctl.cluster.x-k8s.io: ""
   name: preprovisioningimages.metal3.io
 spec:
   group: metal3.io

charts/metal3/0.2.0/charts/baremetal-operator/templates/configmap-ironic.yaml

@@ -14,15 +14,9 @@ data:
   CACHEURL: "http://{{ $ironicCacheHost }}/images"
   DEPLOY_KERNEL_URL: "http://{{ $ironicBootHost }}/images/ironic-python-agent.kernel"
   DEPLOY_RAMDISK_URL: "http://{{ $ironicBootHost }}/images/ironic-python-agent.initramfs"
-  HTTP_PORT: {{ .httpPort | quote }}
   IRONIC_ENDPOINT: "http://{{ $ironicApiHost }}/v1/"
   IRONIC_INSPECTOR_ENDPOINT: "http://{{ $ironicInspectorHost }}/v1/"
-  DHCP_RANGE: {{ .Values.global.dhcpRange }}
-  PROVISIONING_INTERFACE: {{ .Values.global.provisioningInterface }}
-  PROVISIONING_IP: {{ .Values.global.provisioningIP }}
-  IRONIC_FAST_TRACK: "true"
   RESTART_CONTAINER_CERTIFICATE_UPDATED: "false"
-  IRONIC_INSECURE: "true"
 kind: ConfigMap
 metadata:
   name: baremetal-operator-ironic

charts/metal3/0.2.0/charts/baremetal-operator/templates/deployment.yaml

@@ -38,6 +38,8 @@ spec:
             name: {{ include "baremetal-operator.fullname" . }}-ironic
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
         livenessProbe:
           failureThreshold: 10
           httpGet:
@@ -61,8 +63,6 @@ spec:
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 2
-        securityContext:
-          allowPrivilegeEscalation: false
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert

charts/metal3/0.2.0/charts/baremetal-operator/values.yaml

@@ -47,7 +47,8 @@ podAnnotations: {}
 podSecurityContext: {}
   # fsGroup: 2000
 
-securityContext: {}
+securityContext: 
+  allowPrivilegeEscalation: false
   # capabilities:
   #   drop:
   #   - ALL

charts/metal3/0.2.0/charts/ironic/templates/_helpers.tpl

@@ -60,3 +60,190 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Shared directory volumeMount
+*/}}
+{{- define "ironic.sharedVolumeMount" -}}
+- mountPath: /shared
+  name: ironic-data-volume
+{{- end }}
+
+
+{{/*
+Get certificate volumeMounts
+*/}}
+{{- define "ironic.certVolumeMounts" -}}
+- mountPath: /certs/ironic/tls.crt
+  name: ironic-certs
+  subPath: tls.crt
+- mountPath: /certs/ironic/tls.key
+  name: ironic-certs
+  subPath: tls.key
+- mountPath: /certs/ironic-inspector/tls.crt
+  name: ironic-insp-certs
+  subPath: tls.crt
+- mountPath: /certs/ironic-inspector/tls.key
+  name: ironic-insp-certs
+  subPath: tls.key
+- mountPath: /certs/ca/ironic/tls.crt
+  name: ironic-cacerts
+  subPath: tls.crt
+- mountPath: /certs/ca/ironic-inspector/tls.crt
+  name: ironic-insp-cacerts
+  subPath: tls.crt
+{{- end }}
+
+
+{{/*
+Get secret volumeMounts
+*/}}
+{{- define "ironic.secretVolMounts" -}}
+- name: ironic-certs
+  mountPath: "/certs/ironic"
+  readOnly: true
+- name: ironic-insp-certs
+  mountPath: "/certs/ironic-inspector"
+  readOnly: true
+- name: vmedia-certs
+  mountPath: "/certs/vmedia"
+  readOnly: true
+- name: vmedia-ca-certs
+  mountPath: "/certs/ca/vmedia"
+  readOnly: true
+{{- end }}
+
+{{/*
+Get cacert volumeMounts
+*/}}
+{{- define "ironic.cacertVolumeMounts" -}}
+- mountPath: /etc/pki/trust/anchors/ca.crt
+  name: ironic-trustca
+  subPath: tls.cacert
+- mountPath: /shared/html/tstcerts/ca.crt
+  name: ironicipa-trustca
+  subPath: tls.cacert
+{{- end }}
+
+{{/*
+Get trust cert volumeMounts
+*/}}
+{{- define "ironic.trustVolMounts" -}}
+- name: ironic-trustcerts
+  mountPath: "/etc/pki/trust/anchors"
+  readOnly: true
+- name: ironicipa-trustcerts
+  mountPath: "/shared/html/tstcerts"
+  readOnly: true
+{{- end }}
+
+{{/*
+Get letsEncrypt volumeMounts
+*/}}
+{{- define "ironic.letsEncryptVolMounts" -}}
+- mountPath: /etc/pki/trust/anchors/ca.crt
+  name: ironic-le-trustca
+  subPath: tls.lecacert
+- mountPath: /shared/html/tstcerts/ca.crt
+  name: ironicipa-le-trustca
+  subPath: tls.lecacert
+{{- end }}
+
+
+{{/*
+Get ironic volumes
+*/}}
+{{- define "ironic.volumes" -}}
+{{- if .Values.global.enable_ironic }}
+- name: ironic-data-volume
+  persistentVolumeClaim:
+    claimName: ironic-shared-volume
+{{- end }}
+{{- if .Values.global.enable_ironic }}
+{{- if .Values.global.enable_tls }}
+{{- if eq .Values.ingress.tlsSource "secrets" }}
+- name: ironic-trustca
+  configMap:
+    defaultMode: 493
+    name: ironic-certs
+- name: ironicipa-trustca
+  configMap:
+    defaultMode: 493
+    name: ironic-certs    
+{{- end }}
+{{- if (eq .Values.ingress.tlsSource "self") }}
+- name: ironic-trustcerts
+  secret:
+    secretName: ironic-cacert
+- name: ironicipa-trustcerts
+  secret:
+    secretName: ironic-cacert    
+{{- end }}
+{{- if (eq .Values.ingress.tlsSource "letsEncrypt") }}
+- name: ironic-le-trustca
+  configMap:
+    defaultMode: 493
+    name: ironic-certs
+- name: ironicipa-le-trustca
+  configMap:
+    defaultMode: 493
+    name: ironic-certs
+{{- end }}    
+{{- end }}
+{{- if and ($.Values.global.enable_tls) (eq .Values.ingress.tlsSource "secrets") (eq .Values.tls "ironic") }}
+- name: ironic-certs
+  configMap:
+    defaultMode: 493
+    name: ironic-certs
+- name: ironic-insp-certs
+  configMap:
+    defaultMode: 493
+    name: ironic-certs
+- name: ironic-cacerts
+  configMap:
+    defaultMode: 493
+    name: ironic-certs
+- name: ironic-insp-cacerts
+  configMap:
+    defaultMode: 493
+    name: ironic-certs
+{{- end }}
+{{- if and ($.Values.global.enable_tls) (or (eq .Values.ingress.tlsSource "self") (eq .Values.ingress.tlsSource "letsEncrypt")) (eq .Values.tls "ironic") }}
+- name: ironic-certs
+  secret:
+    secretName: ironic-cacert
+- name: ironic-insp-certs
+  secret:
+    secretName: ironic-cacert
+- name: vmedia-certs
+  secret:
+    secretName: ironic-cacert    
+- name: vmedia-ca-certs
+  secret:
+    secretName: ironic-cacert    
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Get ironic tls volumeMounts
+*/}}
+{{- define "ironic.tlsVolumeMounts" -}}
+{{- if (eq .Values.ingress.tlsSource "secrets") }}
+  {{- include "ironic.cacertVolumeMounts" . }}
+{{- end }}
+{{- if (eq .Values.ingress.tlsSource "self") }}
+  {{- include "ironic.trustVolMounts" . }}
+{{- end }}
+{{- if (eq .Values.ingress.tlsSource "letsEncrypt") }}
+  {{- include "ironic.letsEncryptVolMounts" . }}
+{{- end }}
+{{- end }}
+{{- if and ($.Values.global.enable_tls) (eq .Values.tls "ironic") }}
+{{- if (eq .Values.ingress.tlsSource "secrets") }}
+  {{- include "ironic.certVolumeMounts" . }}
+{{- end }}
+{{- if or (eq .Values.ingress.tlsSource "self") (eq .Values.ingress.tlsSource "letsEncrypt") }}
+  {{- include "ironic.secretVolMounts" . }}
+{{- end }}
+{{- end }}

charts/metal3/0.2.0/charts/ironic/templates/configmap.yaml

@@ -73,4 +73,4 @@ data:
   IRONIC_KERNEL_PARAMS: console=ttyS0
   IPA_INSECURE: "1"
   {{- end }}
-  DATABASE_HOST: {{ .Values.global.database_clusterIP }}
+  DATABASE_HOST: {{ .Values.global.databaseServiceName }}.{{ .Release.Namespace }}.svc.cluster.local