[WIP] PoC Hostnetworkless Ironic with VirtualMedia Using MetalLB LoadBalancer

02_configure_host.sh

@@ -310,7 +310,8 @@ mkdir -p "${M3PATH}"
 # of the path
 detect_mismatch "${BMO_LOCAL_IMAGE:-}" "${BMOPATH}"
 clone_repo "${BMOREPO}" "${BMOBRANCH}" "${BMOPATH}" "${BMOCOMMIT}"
-
+# edit cloned bmo to run ironic without hostnetwork access
+cp -f ironic.yaml "${BMOPATH}/ironic-deployment/base/ironic.yaml"
 detect_mismatch "${CAPM3_LOCAL_IMAGE:-}" "${CAPM3PATH}"
 clone_repo "${CAPM3REPO}" "${CAPM3BRANCH}" "${CAPM3PATH}" "${CAPM3COMMIT}"
 

03_launch_mgmt_cluster.sh

@@ -16,7 +16,7 @@ export REPO_IMAGE_PREFIX="quay.io"
 
 declare -a BMO_IRONIC_ARGS
 # -k is for keepalived
-BMO_IRONIC_ARGS=(-k)
+BMO_IRONIC_ARGS=()
 if [ "${IRONIC_TLS_SETUP}" == "true" ]; then
   BMO_IRONIC_ARGS+=("-t")
 fi
@@ -137,7 +137,28 @@ function update_images(){
 # Launch Ironic locally for Kind and Tilt, in cluster for Minikube
 #
 function launch_ironic() {
+METALLB_IP=172.22.0.2
+
+minikube addons enable metallb
+sleep 10
+
+# Patch MetalLB config with updated IP address range
+kubectl apply -f - -n metallb-system << EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config
+  namespace: metallb-system
+data:
+  config: |
+    address-pools:
+    - name: default
+      protocol: layer2
+      addresses:
+      - ${METALLB_IP}-${METALLB_IP}
+EOF
   pushd "${BMOPATH}"
+  _INTERFACE="eth0"
 
   inspector_default=$(grep USE_IRONIC_INSPECTOR "${BMOPATH}/ironic-deployment/default/ironic_bmo_configmap.env" || true)
 
@@ -147,9 +168,7 @@ function launch_ironic() {
     # called PROVISIONER_IP and CIDR in dev-env
     cat << EOF | sudo tee "${IRONIC_DATA_DIR}/ironic_bmo_configmap.env"
 HTTP_PORT=${HTTP_PORT}
-PROVISIONING_IP=${CLUSTER_BARE_METAL_PROVISIONER_IP}
-PROVISIONING_CIDR=${BARE_METAL_PROVISIONER_CIDR}
-PROVISIONING_INTERFACE=${BARE_METAL_PROVISIONER_INTERFACE}
+PROVISIONING_INTERFACE=${_INTERFACE}
 DHCP_RANGE=${CLUSTER_DHCP_RANGE}
 DEPLOY_KERNEL_URL=${DEPLOY_KERNEL_URL}
 DEPLOY_RAMDISK_URL=${DEPLOY_RAMDISK_URL}
@@ -159,6 +178,9 @@ CACHEURL=http://${BARE_METAL_PROVISIONER_URL_HOST}/images
 RESTART_CONTAINER_CERTIFICATE_UPDATED="${RESTART_CONTAINER_CERTIFICATE_UPDATED}"
 IRONIC_RAMDISK_SSH_KEY=${SSH_PUB_KEY_CONTENT}
 IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
+IRONIC_EXTERNAL_IP=172.22.0.2
+IRONIC_EXTERNAL_CALLBACK_URL=https://172.22.0.2:6385
+IRONIC_BASE_URL=https://172.22.0.2:6385
 ${inspector_default}
 IPA_BASEURI=${IPA_BASEURI}
 IPA_BRANCH=${IPA_BRANCH}
@@ -182,7 +204,7 @@ EOF
   fi
 
   # Copy the generated configmap for ironic deployment
-  cp "${IRONIC_DATA_DIR}/ironic_bmo_configmap.env"  "${BMOPATH}/ironic-deployment/components/keepalived/ironic_bmo_configmap.env"
+  cp "${IRONIC_DATA_DIR}/ironic_bmo_configmap.env"  "${BMOPATH}/ironic-deployment/default/ironic_bmo_configmap.env"
 
   # Update manifests to use the correct images.
   # Note: Even though the manifests are not used for local deployment we need
@@ -217,6 +239,28 @@ EOF
     "${BMOPATH}/tools/deploy.sh" -i "${BMO_IRONIC_ARGS[@]}"
   fi
   popd
+kubectl apply -f - -n baremetal-operator-system << EOF
+apiVersion: v1
+kind: Service
+metadata:
+  name: ironic
+  annotations:
+    metallb.universe.tf/loadBalancerIPs: 172.22.0.2
+spec:
+  ports:
+    - name: ironic
+      port: 6385
+      targetPort: 6385
+    - name: inspector
+      port: 5050
+      targetPort: 5050
+    - name: httpd
+      port: 6180
+      targetPort: 6180
+  selector:
+    name: ironic
+  type: LoadBalancer
+EOF
 }
 
 # ------------

config_example.sh

@@ -79,7 +79,7 @@
 #
 # Force deletion of the BMO and CAPM3 repositories before cloning them again
 #
-#export FORCE_REPO_UPDATE="${FORCE_REPO_UPDATE:-false}"
+export FORCE_REPO_UPDATE=false
 
 #
 # Run a local baremetal operator instead of deploying in Kubernetes
@@ -113,7 +113,7 @@
 # Set the driver. The default value is 'mixed' (alternate nodes between ipmi
 # and redfish). Can also be set explicitly to ipmi/redfish/redfish-virtualmedia.
 #
-#export BMC_DRIVER="mixed"
+export BMC_DRIVER="redfish-virtualmedia"
 
 #
 # Set libvirt firmware and BMC bootMode

ironic.yaml

@@ -0,0 +1,90 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ironic
+spec:
+  replicas: 1
+  minReadySeconds: 10
+  strategy:
+    # We cannot run Ironic with more than one replica at a time. The recreate
+    # strategy makes sure that the old pod is gone before a new is started.
+    type: Recreate
+  selector:
+    matchLabels:
+      name: ironic
+  template:
+    metadata:
+      labels:
+        name: ironic
+    spec:
+      containers:
+      - name: ironic
+        image: quay.io/metal3-io/ironic
+        imagePullPolicy: Always
+        command:
+        - /bin/runironic
+        volumeMounts:
+        - mountPath: /shared
+          name: ironic-data-volume
+        envFrom:
+        - configMapRef:
+            name: ironic-bmo-configmap
+        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
+          runAsUser: 0 # ironic
+          runAsGroup: 0 # ironic
+      - name: ironic-log-watch
+        image: quay.io/metal3-io/ironic
+        imagePullPolicy: Always
+        command:
+        - /bin/runlogwatch.sh
+        volumeMounts:
+        - mountPath: /shared
+          name: ironic-data-volume
+        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
+          runAsUser: 0 # ironic
+          runAsGroup: 0 # ironic
+      - name: ironic-httpd
+        image: quay.io/metal3-io/ironic
+        imagePullPolicy: Always
+        command:
+        - /bin/runhttpd
+        volumeMounts:
+        - mountPath: /shared
+          name: ironic-data-volume
+        envFrom:
+        - configMapRef:
+            name: ironic-bmo-configmap
+        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
+          runAsUser: 0 # ironic
+          runAsGroup: 0 # ironic
+      initContainers:
+      - name: ironic-ipa-downloader
+        image: quay.io/metal3-io/ironic-ipa-downloader
+        imagePullPolicy: Always
+        command:
+        - /usr/local/bin/get-resource.sh
+        envFrom:
+        - configMapRef:
+            name: ironic-bmo-configmap
+        volumeMounts:
+        - mountPath: /shared
+          name: ironic-data-volume
+        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
+          runAsUser: 0 # ironic
+          runAsGroup: 0 # ironic
+      volumes:
+      - name: ironic-data-volume
+        emptyDir: {}
+      securityContext:
+        runAsNonRoot: false
+        seccompProfile:
+          type: RuntimeDefault
+        fsGroup: 0

tests/roles/run_tests/tasks/move.yml

@@ -132,6 +132,88 @@
     args:
       chdir: "{{ BMOPATH }}"
 
+  # Download and apply MetalLB manifest
+  - name: Download metrics-server manifest to the cluster.
+    ansible.builtin.get_url:
+      url: https://raw.githubusercontent.com/metallb/metallb/v0.14.5/config/manifests/metallb-native.yaml
+      dest: ~/metallb-native.yaml
+      mode: '0664'
+
+  - name: Apply MetalLB manifest to the cluster.
+    kubernetes.core.k8s:
+      state: present
+      src: ~/metallb-native.yaml
+      kubeconfig: "/tmp/kubeconfig-{{ CLUSTER_NAME }}.yaml"
+
+  # Check for MetalLB pods on the target cluster
+  - name: Check if MetalLB  pods in running state
+    kubernetes.core.k8s_info:
+      kind: pods
+      namespace: metallb-system
+      kubeconfig: "/tmp/kubeconfig-{{ CLUSTER_NAME }}.yaml"
+      field_selectors:
+        - status.phase!=Running
+    register: target_running_pods
+    retries: 20
+    delay: 20
+    until: (target_running_pods is succeeded) and
+           (target_running_pods.resources | length == 0)
+  - name: Pause for 1 minutes to avoid failure with the next steps
+    ansible.builtin.pause:
+      minutes: 1
+  - name: Create the IPAddressPool
+    kubernetes.core.k8s:
+      state: present
+      kubeconfig: "/tmp/kubeconfig-{{ CLUSTER_NAME }}.yaml"
+      definition:
+        apiVersion: metallb.io/v1beta1
+        kind: IPAddressPool
+        metadata:
+          name: ironic-pool
+          namespace: metallb-system
+        spec:
+          addresses:
+          - 172.22.0.2-172.22.0.2
+  - name: Create the L2Advertisement
+    kubernetes.core.k8s:
+      state: present
+      kubeconfig: "/tmp/kubeconfig-{{ CLUSTER_NAME }}.yaml"
+      definition:
+        apiVersion: metallb.io/v1beta1
+        kind: L2Advertisement
+        metadata:
+          name: ironic
+          namespace: metallb-system
+        spec:
+          ipAddressPools:
+          - ironic-pool
+  - name: Create the loadbalancer service
+    kubernetes.core.k8s:
+      state: present
+      kubeconfig: "/tmp/kubeconfig-{{ CLUSTER_NAME }}.yaml"
+      definition:
+        apiVersion: v1
+        kind: Service
+        metadata:
+          name: ironic
+          namespace: baremetal-operator-system
+          annotations:
+            metallb.universe.tf/loadBalancerIPs: 172.22.0.2
+        spec:
+          ports:
+            - name: ironic
+              port: 6385
+              targetPort: 6385
+            - name: inspector
+              port: 5050
+              targetPort: 5050
+            - name: httpd
+              port: 6180
+              targetPort: 6180
+          selector:
+            name: ironic
+          type: LoadBalancer
+
   - name: Label baremetalhost CRD in target cluster to pivot back.
     shell: "kubectl --kubeconfig /tmp/kubeconfig-{{ CLUSTER_NAME }}.yaml label crds baremetalhosts.metal3.io {{ item }} --overwrite "
     with_items:

tests/roles/run_tests/vars/main.yml

@@ -94,7 +94,7 @@ IPAM_INSECURE_DIAGNOSTICS: "true"
 
 # Args to pass to the deploy.sh script when deploying Ironic and BMO
 # [k]eepalived [t]ls [n]o basic auth or [m]ariadb
-BMO_IRONIC_ARGS: "-k {{ (IRONIC_TLS_SETUP == 'true') | ternary('-t', '') }} {{ (IRONIC_BASIC_AUTH == 'true') | ternary('', '-n') }} {{ (IRONIC_USE_MARIADB == 'true') | ternary('-m', '') }}"
+BMO_IRONIC_ARGS: "{{ (IRONIC_TLS_SETUP == 'true') | ternary('-t', '') }} {{ (IRONIC_BASIC_AUTH == 'true') | ternary('', '-n') }} {{ (IRONIC_USE_MARIADB == 'true') | ternary('-m', '') }}"
 
 provision_cluster_actions:
 - "ci_test_provision"