Upgrade MAAS to v3.2

Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
Change-Id: If5fffa59f547d4b19d7c0f086204800e9144d952
Anselme, Schubert (sa246v) 2023-04-03 09:54:18 -04:00 committed by Schubert Anselme
parent 962db46114
commit 14cf53fb7b
37 changed files with 563 additions and 275 deletions

2
.gitignore vendored

@ -1,3 +1,5 @@
# Distribution / packaging
build/
*.tgz
charts/deps/
!charts/deps/.gitkeep


@ -16,6 +16,7 @@ apiVersion: v1
description: Chart to run Canonical MaaS
name: maas
version: 0.1.5
appVersion: 3.2.7
home: https://docs.ubuntu.com/maas
sources:
- https://git.launchpad.net/maas


@ -0,0 +1,6 @@
dependencies:
- name: helm-toolkit
repository: file://../deps/helm-toolkit
version: 0.2.54
digest: sha256:ffbfe5c88704dc3f39eaea0b97f2355de43e9667bec2385bd1a0bc5771ff32f3
generated: "2023-08-11T09:29:34.123882-04:00"


@ -0,0 +1,19 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
maas config-tls enable --yes --port 5240 --cacert /etc/maas/ssl/ca.crt /etc/maas/ssl/tls.key /etc/maas/ssl/tls.crt
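Review bot: `--port 5240` puts the TLS listener on the port MAAS normally serves plain HTTP on, whereas the `config-tls` default is, as far as I know, 5443; it is worth confirming that rack and client traffic still reaches the region API after this runs, and recording the reason for the choice in a comment. The three file paths only exist because the enable-tls Job mounts the certificate secret at `/etc/maas/ssl`, so a line such as `# key, cert and CA come from the maas-tls secret mounted by the maas-enable-tls job` above the command would make that dependency visible.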


@ -23,173 +23,161 @@ JOB_TIMEOUT=${JOB_TIMEOUT:-900}
RETRY_TIMER=${RETRY_TIMER:-30}
function timer {
retry_wait=$1
shift
retry_wait=$1
shift
while [[ ${JOB_TIMEOUT} -gt 0 ]]
do
"$@"
rc=$?
if [ $rc -eq 0 ]
then
return $rc
else
JOB_TIMEOUT=$(($JOB_TIMEOUT - $retry_wait))
sleep $retry_wait
fi
done
while [[ ${JOB_TIMEOUT} -gt 0 ]]; do
"$@"
rc=$?
if [ $rc -eq 0 ]; then
return $rc
else
JOB_TIMEOUT=$((JOB_TIMEOUT - retry_wait))
sleep $retry_wait
fi
done
return 124
return 124
}
function import_resources {
check_for_download
rc=$?
check_for_download
rc=$?
if [ $rc -ne 0 ]
then
echo "Starting image import try ${import_tries}..."
maas ${ADMIN_USERNAME} boot-resources import
sleep 30
check_for_download
rc=$?
fi
if [ $rc -ne 0 ]; then
echo "Starting image import try ${import_tries}..."
maas ${ADMIN_USERNAME} boot-resources import
sleep 30
check_for_download
rc=$?
fi
return $rc
return $rc
}
function start_import {
timer "$RETRY_TIMER" import_resources
timer "$RETRY_TIMER" import_resources
}
function check_for_download {
if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true';
then
echo -e '\nBoot resources currently importing\n'
return 1
else
synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq ".[] | select( .type | contains(\"Synced\")) | .name " | grep -c $MAAS_DEFAULT_DISTRO)
if [[ $synced_imgs -gt 0 ]]
then
echo 'Boot resources have completed importing'
return 0
else
echo 'Import failed!'
return 1
fi
fi
if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true'; then
echo -e '\nBoot resources currently importing\n'
return 1
else
synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq '.[] | select( .type | contains("Synced")) | .name ' | grep -c $MAAS_DEFAULT_DISTRO)
if [[ $synced_imgs -gt 0 ]]; then
echo 'Boot resources have completed importing'
return 0
else
echo 'Import failed!'
return 1
fi
fi
}
function check_then_set_single {
option="$1"
value="$2"
option="$1"
value="$2"
cur_val=$(maas ${ADMIN_USERNAME} maas get-config name=${option} | tail -1 | tr -d '"')
desired_val=$(echo ${value} | tr -d '"')
cur_val=$(maas ${ADMIN_USERNAME} maas get-config name=${option} | tail -1 | tr -d '"')
desired_val=$(echo ${value} | tr -d '"')
if [[ $cur_val != $desired_val ]]
then
echo "Setting MAAS option ${option} to ${desired_val}"
maas ${ADMIN_USERNAME} maas set-config name=${option} value=${desired_val}
return $?
else
echo "MAAS option ${option} already set to ${cur_val}"
return 0
fi
if [[ $cur_val != $desired_val ]]; then
echo "Setting MAAS option ${option} to ${desired_val}"
maas ${ADMIN_USERNAME} maas set-config name=${option} value=${desired_val}
return $?
else
echo "MAAS option ${option} already set to ${cur_val}"
return 0
fi
}
function check_then_set {
option=$1
value=$2
option=$1
value=$2
timer "$RETRY_TIMER" check_then_set_single "$option" "$value"
timer "$RETRY_TIMER" check_then_set_single "$option" "$value"
}
# Get rack controllers reporting a healthy rackd
function get_active_rack_controllers {
maas ${ADMIN_USERNAME} rack-controllers read | jq -r 'map({"system_id":.system_id,"service_set":(.service_set[] | select(.name=="rackd"))}) | map(select(.service_set.status == "running")) | .[] | .system_id'
maas ${ADMIN_USERNAME} rack-controllers read | jq -r 'map({"system_id":.system_id,"service_set":(.service_set[] | select(.name=="rackd"))}) | map(select(.service_set.status == "running")) | .[] | .system_id'
}
function check_for_rack_sync_single {
sync_list=""
sync_list=""
rack_list=$(get_active_rack_controllers)
for rack_id in ${rack_list}
do
selected_imgs=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name")
synced_ctlr=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq '.status == "synced"')
if [[ $synced_ctlr == "true" && ! -z ${selected_imgs} ]]
then
sync_list=$(echo -e "${sync_list}\n${rack_id}" | sort | uniq)
else
maas ${ADMIN_USERNAME} rack-controller import-boot-images ${rack_id}
fi
if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$' ) == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]]
then
return 0
fi
done
rack_list=$(get_active_rack_controllers)
for rack_id in ${rack_list}; do
selected_imgs=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name")
synced_ctlr=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq '.status == "synced"')
if [[ $synced_ctlr == "true" && -n ${selected_imgs} ]]; then
sync_list=$(echo -e "${sync_list}\n${rack_id}" | sort | uniq)
else
maas ${ADMIN_USERNAME} rack-controller import-boot-images ${rack_id}
fi
if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$') == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]]; then
return 0
fi
done
return 1
return 1
}
function check_for_rack_sync {
timer "$RETRY_TIMER" check_for_rack_sync_single
timer "$RETRY_TIMER" check_for_rack_sync_single
}
function configure_proxy {
check_then_set enable_http_proxy ${MAAS_PROXY_ENABLED}
check_then_set use_peer_proxy ${MAAS_PEER_PROXY_ENABLED}
check_then_set http_proxy ${MAAS_PROXY_SERVER}
check_then_set maas_proxy_port ${MAAS_INTERNAL_PROXY_PORT}
check_then_set enable_http_proxy ${MAAS_PROXY_ENABLED}
check_then_set use_peer_proxy ${MAAS_PEER_PROXY_ENABLED}
check_then_set http_proxy ${MAAS_PROXY_SERVER}
check_then_set maas_proxy_port ${MAAS_INTERNAL_PROXY_PORT}
}
function configure_ntp {
check_then_set ntp_servers ${MAAS_NTP_SERVERS}
check_then_set ntp_external_only ${MAAS_NTP_EXTERNAL_ONLY}
check_then_set ntp_servers ${MAAS_NTP_SERVERS}
check_then_set ntp_external_only ${MAAS_NTP_EXTERNAL_ONLY}
}
function configure_dns {
check_then_set dnssec_validation ${MAAS_DNS_DNSSEC_REQUIRED}
check_then_set upstream_dns ${MAAS_DNS_SERVERS}
check_then_set dnssec_validation ${MAAS_DNS_DNSSEC_REQUIRED}
check_then_set upstream_dns ${MAAS_DNS_SERVERS}
}
function configure_syslog {
check_then_set remote_syslog ${MAAS_REMOTE_SYSLOG}
check_then_set remote_syslog ${MAAS_REMOTE_SYSLOG}
}
function configure_images {
check_for_rack_sync
check_for_rack_sync
if [[ $? -eq 124 ]]
then
echo "Timed out waiting for rack controller sync."
return 1
fi
if [[ $? -eq 124 ]]; then
echo "Timed out waiting for rack controller sync."
return 1
fi
check_then_set default_osystem ${MAAS_DEFAULT_OS}
check_then_set commissioning_distro_series ${MAAS_DEFAULT_DISTRO}
check_then_set default_distro_series ${MAAS_DEFAULT_DISTRO}
check_then_set default_min_hwe_kernel ${MAAS_DEFAULT_KERNEL}
check_then_set default_osystem ${MAAS_DEFAULT_OS}
check_then_set commissioning_distro_series ${MAAS_DEFAULT_DISTRO}
check_then_set default_distro_series ${MAAS_DEFAULT_DISTRO}
check_then_set default_min_hwe_kernel ${MAAS_DEFAULT_KERNEL}
}
function configure_boot_sources {
if [[ $USE_IMAGE_CACHE == 'true' ]]
then
maas ${ADMIN_USERNAME} boot-source update 1 url=http://localhost:8888/maas/images/ephemeral-v3/daily/
fi
if [[ $USE_IMAGE_CACHE == 'true' ]]; then
maas ${ADMIN_USERNAME} boot-source update 1 url=http://localhost:8888/maas/images/ephemeral-v3/daily/
fi
selected_releases="$(maas ${ADMIN_USERNAME} boot-source-selections read 1 | jq -r '.[] | .release')"
selected_releases="$(maas ${ADMIN_USERNAME} boot-source-selections read 1 | jq -r '.[] | .release')"
if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}"
then
# Need to start an import to get the availability data
maas "$ADMIN_USERNAME" boot-resources import
if ! maas ${ADMIN_USERNAME} boot-source-selections create 1 os="${MAAS_DEFAULT_OS}" \
release="${MAAS_DEFAULT_DISTRO}" arches="amd64" subarches='*' labels='*' | grep -q 'Success'; then
return 1
fi
fi
if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}"; then
# Need to start an import to get the availability data
maas "$ADMIN_USERNAME" boot-resources import
if ! maas ${ADMIN_USERNAME} boot-source-selections create 1 os="${MAAS_DEFAULT_OS}" \
release="${MAAS_DEFAULT_DISTRO}" arches="amd64" subarches='*' labels='*' | grep -q 'Success'; then
return 1
fi
fi
}
function create_extra_commissioning_script {
@ -215,21 +203,24 @@ EOF
}
function configure_extra_settings {
{{- range $k, $v := .Values.conf.maas.extra_settings }}
check_then_set {{$k}} {{$v}}
{{- else }}
: No additional MAAS config
{{- end }}
{{- range $k, $v := .Values.conf.maas.extra_settings }}
check_then_set {{$k}} {{$v}}
{{- else }}
: No additional MAAS config
{{- end }}
}
function maas_login {
KEY=$(maas-region apikey --username=${ADMIN_USERNAME})
if [ -z "$KEY" ]
then
return 1
fi
maas login ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY
return $?
KEY=$(maas-region apikey --username=${ADMIN_USERNAME})
if [ -z "$KEY" ]; then
return 1
fi
{{- if .Values.conf.maas.tls.enabled }}
maas login --cacerts /usr/local/share/ca-certificates/maas-ca.crt ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY
{{- else }}
maas login ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY
{{- end }}
return $?
}
timer "$RETRY_TIMER" maas_login
@ -245,10 +236,9 @@ create_extra_commissioning_script
timer "$RETRY_TIMER" configure_boot_sources
start_import
if [[ $? -eq 0 ]]
then
configure_images
if [[ $? -eq 0 ]]; then
configure_images
else
echo "Image import FAILED!"
exit 1
echo "Image import FAILED!"
exit 1
fi
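Review bot: Both branches of `maas_login` pass the admin API key as a positional argument (`... ${MAAS_ENDPOINT} $KEY`), so the key is visible in the container's process list and in any command trace; `establish_session` in the test script does the same with `${MAAS_API_KEY}`. `maas login` reads the credentials from stdin when the argument is `-`, so the TLS branch could be `printf '%s\n' "$KEY" | maas login --cacerts /usr/local/share/ca-certificates/maas-ca.crt "${ADMIN_USERNAME}" "${MAAS_ENDPOINT}" -`, and the plain branch likewise. Quoting the expansions at the same time avoids word splitting on the username and endpoint.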


@ -18,78 +18,74 @@
set -ex
function check_boot_images {
if maas local boot-resources is-importing | grep -q 'true';
then
echo -e '\nBoot resources currently importing\n'
return 1
else
synced_imgs=$(maas local boot-resources read | tr -d '\n' | grep -oE '{[^}]+}' | grep ubuntu | grep -c Synced)
if [[ $synced_imgs -gt 0 ]]
then
echo 'Boot resources have completed importing'
return 0
else
return 1
fi
fi
if maas local boot-resources is-importing | grep -q 'true'; then
echo -e '\nBoot resources currently importing\n'
return 1
else
synced_imgs=$(maas local boot-resources read | tr -d '\n' | grep -oE '{[^}]+}' | grep ubuntu | grep -c Synced)
if [[ $synced_imgs -gt 0 ]]; then
echo 'Boot resources have completed importing'
return 0
else
return 1
fi
fi
}
function check_rack_controllers {
rack_cnt=$(maas local rack-controllers read | grep -c hostname)
if [[ $rack_cnt -gt 0 ]]
then
echo "Found $rack_cnt rack controllers."
return 0
else
return 1
fi
rack_cnt=$(maas local rack-controllers read | grep -c hostname)
if [[ $rack_cnt -gt 0 ]]; then
echo "Found $rack_cnt rack controllers."
return 0
else
return 1
fi
}
function check_admin_api {
if maas local version read;
then
echo 'Admin API is responding'
return 0
else
return 1
fi
if maas local version read; then
echo 'Admin API is responding'
return 0
else
return 1
fi
}
function establish_session {
maas login local ${MAAS_URL} ${MAAS_API_KEY}
return $?
{{- if .Values.conf.maas.tls.enabled }}
maas login --cacerts /usr/local/share/ca-certificates/maas-ca.crt local ${MAAS_URL} ${MAAS_API_KEY}
{{- else }}
maas login local ${MAAS_URL} ${MAAS_API_KEY}
{{- end }}
return $?
}
establish_session
if [[ $? -ne 0 ]]
then
echo "MAAS API login FAILED!"
exit 1
if [[ $? -ne 0 ]]; then
echo "MAAS API login FAILED!"
exit 1
fi
check_boot_images
if [[ $? -eq 1 ]]
then
echo "Image import test FAILED!"
exit 1
if [[ $? -eq 1 ]]; then
echo "Image import test FAILED!"
exit 1
fi
check_rack_controllers
if [[ $? -eq 1 ]]
then
echo "Rack controller query FAILED!"
exit 1
if [[ $? -eq 1 ]]; then
echo "Rack controller query FAILED!"
exit 1
fi
check_admin_api
if [[ $? -eq 1 ]]
then
echo "Admin API response FAILED!"
exit 1
if [[ $? -eq 1 ]]; then
echo "Admin API response FAILED!"
exit 1
fi
echo "MAAS Validation SUCCESS!"
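Review bot: The script runs under `set -ex`, so the xtrace line for `maas login ... ${MAAS_API_KEY}` in `establish_session` writes the expanded API key to stderr, which normally ends up in the test pod's log. Switching tracing off around the login (`set +x` before the call, `set -x` after it) or dropping `-x` keeps the key out of the log. Separately, with `set -e` active the `if [[ $? -ne 0 ]]` and `if [[ $? -eq 1 ]]` blocks never run on failure because the script exits at the failing call; `if ! establish_session; then` expresses the intended handling and keeps the failure messages reachable.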


@ -0,0 +1,32 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled .Values.cert_manager.create }}
{{- $envAll := . }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.secrets.maas_ingress_cert }}
spec:
secretName: {{ .Values.secrets.maas_ingress_cert }}
commonName: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
issuerRef:
kind: {{ .Values.cert_manager.issuer.kind }}
name: {{ .Values.cert_manager.issuer.name }}
dnsNames:
- {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
{{ end }}


@ -0,0 +1,35 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled }}
{{- $envAll := . }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.secrets.maas_cert }}
spec:
secretName: {{ .Values.secrets.maas_cert }}
commonName: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
issuerRef:
kind: {{ .Values.cert_manager.issuer.kind }}
name: {{ .Values.cert_manager.issuer.name }}
dnsNames:
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc.cluster.local
{{ end }}


@ -49,3 +49,7 @@ data:
{{ tuple "bin/_maas-vip-configure.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
start-syslog.sh: |
{{ tuple "bin/_start-syslog.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- if .Values.conf.maas.tls.enabled }}
enable-tls.sh: |
{{ tuple "bin/_enable-tls.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{ end }}


@ -15,7 +15,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.rack_statefulset }}
{{- if and .Values.manifests.maas_ingress .Values.manifests.rack_statefulset }}
{{- $envAll := . }}
{{- $labels := tuple $envAll "maas" "ingress-errors" | include "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
{{- $serviceAccountName := "maas-ingress-errors" }}


@ -20,8 +20,17 @@ apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: maas-region-api
metadata:
annotations:
{{ toYaml .Values.network.region_api.ingress.annotations | indent 8 }}
spec:
ingressClassName: {{ .Values.network.region_api.ingress.classes.cluster | quote }}
{{- if .Values.conf.maas.tls.enabled }}
tls:
- secretName: maas-region-api-tls
hosts:
- {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
{{ end }}
rules:
- host: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
http:
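Review bot: The `tls` block hard-codes `secretName: maas-region-api-tls`, which is the default of `secrets.maas_cert` (the internal certificate, issued for the short service names), while the ingress Certificate template writes its FQDN certificate to `.Values.secrets.maas_ingress_cert`. As written the ingress would present a certificate that does not cover the public host, and the ingress certificate secret is never referenced; `- secretName: {{ .Values.secrets.maas_ingress_cert }}` looks like what was intended. The rendered section also shows a second `metadata:` key directly above `annotations:`; the annotations probably belong under the existing `metadata:` next to `name`, since a duplicate mapping key is either rejected or silently overrides the first one.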


@ -0,0 +1,79 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.conf.maas.tls.enabled }}
{{- $envAll := . }}
{{- $serviceAccountName := "maas-enable-tls" }}
{{ tuple $envAll "enable_tls" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: maas-enable-tls
labels:
{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
spec:
template:
metadata:
labels:
{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "maas-enable-tls" "containerNames" (list "init" "maas-enable-tls") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "enable_tls" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
initContainers:
{{ tuple $envAll "enable_tls" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: maas-enable-tls
image: {{ .Values.images.tags.enable_tls }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.enable_tls | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "enable_tls" "container" "maas_enable_tls" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/enable-tls.sh
volumeMounts:
- name: maas-bin
mountPath: /tmp/enable-tls.sh
subPath: enable-tls.sh
readOnly: true
- name: maas-etc
mountPath: /etc/maas/regiond.conf
subPath: regiond.conf
readOnly: true
- name: maas-tls
mountPath: /etc/maas/ssl
readOnly: true
volumes:
- name: maas-bin
configMap:
name: maas-bin
defaultMode: 0555
- name: maas-etc
configMap:
name: maas-etc
defaultMode: 0444
- name: maas-tls
secret:
secretName: {{ .Values.secrets.maas_cert }}
defaultMode: 0444
{{ end }}
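Review bot: The `maas-tls` volume mounts the whole certificate secret with `defaultMode: 0444`, which makes `tls.key` readable by every user inside the container. The job only needs to read the key as the user the container runs as, so `defaultMode: 0400` is enough, or `0440` combined with an `fsGroup` if the security context that comes from values (not visible here) runs the container as a non-root user.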


@ -116,6 +116,12 @@ spec:
mountPath: /etc/maas/regiond.conf
subPath: regiond.conf
readOnly: true
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/maas-ca.crt
subPath: maas-ca.crt
readOnly: true
{{ end }}
volumes:
- name: maas-bin
configMap:
@ -125,3 +131,11 @@ spec:
configMap:
name: maas-etc
defaultMode: 0444
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
secret:
secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: maas-ca.crt
{{ end }}
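Review bot: The CA is mounted as a single file through `subPath: maas-ca.crt`, and Kubernetes does not refresh subPath mounts when the secret changes, so a re-issued CA in `.Values.secrets.maas_cert` is not picked up until the pod is recreated; the same mount is added to the rack and region statefulsets and to the API test pod. If rotation matters, mount the secret as a directory under its own path and point `--cacerts` at the file inside it, or state in a comment that the pods must be restarted after the CA changes. Because the volume selects `key: ca.crt` explicitly, the mount also fails when the secret has no such key, which is worth a comment for issuers that do not populate it.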


@ -0,0 +1,29 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create (eq .Values.cert_manager.enabled false) }}
{{- $envAll := . }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.secrets.certificate }}
type: kubernetes/tls
data:
ca.crt: {{ .Values.conf.maas.tls.ca | b64enc }}
tls.crt: {{ .Values.conf.maas.tls.cert | b64enc }}
tls.key: {{ .Values.conf.maas.tls.key | b64enc }}
{{ end }}
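Review bot: `type: kubernetes/tls` is not the built-in TLS secret type; the API server only recognises and validates `kubernetes.io/tls`, so this should be `type: kubernetes.io/tls`. The name is also taken from `.Values.secrets.certificate`, while the pods and the enable-tls job mount `.Values.secrets.maas_cert`, and the values changes visible in this commit add only `maas_cert` and `maas_ingress_cert`; unless `secrets.certificate` is defined elsewhere, the manually supplied certificate is created under a name nothing mounts. `name: {{ .Values.secrets.maas_cert }}` would line it up with its consumers.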


@ -24,6 +24,10 @@ spec:
ports:
- name: http
port: 80
{{- if .Values.conf.maas.tls.enabled }}
- name: https
port: 443
{{- end }}
selector:
{{ tuple . "maas" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
...


@ -155,6 +155,12 @@ spec:
mountPath: /etc/bind/named.conf.options
subPath: named.conf.options
readOnly: true
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/maas-ca.crt
subPath: maas-ca.crt
readOnly: true
{{ end }}
{{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }}
volumes:
{{- if not .Values.conf.maas.cgroups.disable_cgroups_rack }}
@ -185,6 +191,14 @@ spec:
configMap:
name: maas-etc
defaultMode: 0444
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
secret:
secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: maas-ca.crt
{{ end }}
{{ if $mounts_maas_rack.volumes }}{{ toYaml $mounts_maas_rack.volumes | indent 8 }}{{ end }}
volumeClaimTemplates:
- metadata:


@ -179,6 +179,12 @@ spec:
mountPath: /etc/default/bind9
subPath: named
readOnly: true
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/maas-ca.crt
subPath: maas-ca.crt
readOnly: true
{{ end }}
{{- if $mounts_maas_region.volumeMounts }}{{ toYaml $mounts_maas_region.volumeMounts | indent 12 }}{{ end }}
volumes:
{{- if not .Values.conf.maas.cgroups.disable_cgroups_region }}
@ -203,6 +209,14 @@ spec:
- name: maas-region-secret
secret:
secretName: {{ .Values.secrets.maas_region.name }}
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
secret:
secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: maas-ca.crt
{{ end }}
{{- if $mounts_maas_region.volumes }}{{ toYaml $mounts_maas_region.volumes | indent 8 }}{{ end }}
{{- if .Values.manifests.maas_syslog }}
volumeClaimTemplates:


@ -38,7 +38,11 @@ spec:
- name: maas-api-test
env:
- name: 'MAAS_URL'
value: {{ tuple "maas_region" "internal" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
{{- if empty .Values.conf.maas.url.maas_url }}
value: {{ tuple "maas_region" "public" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
{{- else }}
value: {{ .Values.conf.maas.url.maas_url }}
{{- end }}
- name: 'MAAS_API_KEY'
valueFrom:
secretKeyRef:
@ -54,10 +58,24 @@ spec:
mountPath: /tmp/maas-test.sh
subPath: maas-test.sh
readOnly: true
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/maas-ca.crt
subPath: maas-ca.crt
readOnly: true
{{ end }}
volumes:
- name: maas-bin
configMap:
name: maas-bin
defaultMode: 0555
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
secret:
secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: maas-ca.crt
{{ end }}
...
{{- end }}
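Review bot: The override branch renders `value: {{ .Values.conf.maas.url.maas_url }}` unquoted, while the lookup branch pipes its result through `quote`; `value: {{ .Values.conf.maas.url.maas_url | quote }}` keeps both branches consistent and stops YAML from reinterpreting an unusual value. Because this URL is where the test script sends the API key, it may also be worth failing the render when `conf.maas.tls.enabled` is true and the URL does not start with `https://`, since the `--cacerts` option presumably has no effect on a plain-HTTP endpoint.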


@ -74,6 +74,12 @@ dependencies:
endpoint: internal
- service: maas_ingress
endpoint: monitor
enable_tls:
jobs:
- maas-bootstrap-admin-user
services:
- service: maas_region
endpoint: internal
network_policy:
maas:
@ -108,6 +114,7 @@ images:
ingress_vip: docker.io/busybox:latest
error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0
maas_syslog: quay.io/airshipit/maas-region-controller:latest
enable_tls: quay.io/airshipit/maas-region-controller:latest
pull_policy: IfNotPresent
local_registry:
# TODO(portdirect): this chart does not yet support local image cacheing
@ -263,8 +270,8 @@ conf:
proxy_server: null
images:
default_os: 'ubuntu'
default_image: 'bionic'
default_kernel: 'ga-18.04'
default_image: 'focal'
default_kernel: 'ga-20.04'
credentials:
secret:
namespace: maas
@ -294,6 +301,12 @@ conf:
# system user for console login/recovery in early phases of deployment
system_user: 'root'
system_passwd: 'password'
tls:
enabled: false
create: false
ca: ""
cert: ""
key: ""
drivers: null
#### If you populates drivers, it will replace the 3rd party driver
#### info that comes with MaaS. see structure below if it is needed
@ -341,6 +354,8 @@ secrets:
name: maas-region-secret
value: 3858f62230ac3c915f300c664312c63f
ssh_key: ssh-private-key
maas_cert: maas-region-api-tls
maas_ingress_cert: maas-region-api-ingress-tls
pod:
mandatory_access_control:
@ -659,7 +674,6 @@ endpoints:
syslog:
public: 514
podport: 514
maas_db:
auth:
admin:
@ -722,3 +736,10 @@ endpoints:
default: http
host_fqdn_override:
default: null
cert_manager:
enabled: false
create: false
issuer:
kind: ClusterIssuer
name: ca-issuer
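Review bot: The new `conf.maas.tls` block takes the private key as a chart value (`key: ""`), so a supplied key is kept with the release's stored values as well as in the generated Secret; a comment above the block should say that `ca`, `cert` and `key` are PEM strings used only when `create` is true and `cert_manager.enabled` is false, and that cert-manager or a pre-created secret is preferable outside test setups. The interplay of `tls.enabled`, `tls.create`, `cert_manager.enabled` and `cert_manager.create` is not documented in the visible values, and the two Certificate templates gate on different subsets of them. The new `enable_tls` image also follows the existing `:latest` tags with `pull_policy: IfNotPresent`, so the job that handles the key runs whatever image a node happens to have cached; a version tag or digest would make that reproducible.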


@ -1,5 +1,5 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index d76fcfa9a..d198e90b9 100644
index d76fcfa..d198e90 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -13,8 +13,8 @@ empty-zones-enable no;


@ -1,5 +1,5 @@
diff --git a/src/provisioningserver/drivers/power/ipmi.py b/src/provisioningserver/drivers/power/ipmi.py
index acf284e9d..edcaf9e41 100644
index 70201e8..26625e2 100644
--- a/src/provisioningserver/drivers/power/ipmi.py
+++ b/src/provisioningserver/drivers/power/ipmi.py
@@ -155,6 +155,13 @@ IPMI_ERRORS = {
@ -16,12 +16,12 @@ index acf284e9d..edcaf9e41 100644
"could not find inband device": {
"message": (
"An inband device could not be found."
@@ -283,7 +290,7 @@ class IPMIPowerDriver(PowerDriver):
@@ -308,7 +315,7 @@ class IPMIPowerDriver(PowerDriver):
),
]
ip_extractor = make_ip_extractor("power_address")
- wait_time = (4, 8, 16, 32)
+ wait_time = (4, 4, 8, 8, 16, 16, 32, 32)
def detect_missing_packages(self):
if not shell.has_command_available("ipmipower"):


@ -1,8 +1,8 @@
diff --git a/src/provisioningserver/utils/network.py b/src/provisioningserver/utils/network.py
index d8c781e38..3d2e6264c 100644
index 7895227..0f665ad 100644
--- a/src/provisioningserver/utils/network.py
+++ b/src/provisioningserver/utils/network.py
@@ -1129,6 +1129,8 @@ def get_all_interfaces_definition(
@@ -1128,6 +1128,8 @@ def get_all_interfaces_definition(
# interfaces for guests. By themselves, they're not useful for MAAS to
# manage.
"tunnel",


@ -1,12 +1,12 @@
diff --git a/src/provisioningserver/drivers/power/redfish.py b/src/provisioningserver/drivers/power/redfish.py
index 334ea2ca8..f38b05b8c 100644
index 19d9ecd..0075997 100644
--- a/src/provisioningserver/drivers/power/redfish.py
+++ b/src/provisioningserver/drivers/power/redfish.py
@@ -151,6 +151,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase):
@@ -170,6 +170,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase):
make_setting_field("node_id", "Node ID", scope=SETTING_SCOPE.NODE),
]
ip_extractor = make_ip_extractor("power_address")
+ wait_time = (4, 8, 16, 32)
def detect_missing_packages(self):
# no required packages


@ -1,12 +1,12 @@
diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py
index 23e3e408e..8e3e5b772 100644
index 23e3e40..8e3e5b7 100644
--- a/src/twisted/web/server.py
+++ b/src/twisted/web/server.py
@@ -178,7 +178,6 @@ class Request(Copyable, http.Request, components.Componentized):
self.site = self.channel.site
# set various default headers
- self.setHeader(b'server', version)
self.setHeader(b'date', http.datetimeToString())
# Resource Identification


@ -18,7 +18,7 @@ ARG no_proxy
ENV DEBIAN_FRONTEND noninteractive
ENV container docker
ENV MAAS_VERSION 1:3.0.1-10052-g.82c730c57-0ubuntu1~20.04.1
ENV MAAS_VERSION 1:3.2.9-12055-g.c3d5597a7-0ubuntu1~20.04.1
RUN apt-get -qq update \
&& apt-get install -y \
@ -43,7 +43,7 @@ RUN apt-get -qq update \
-exec rm \{} \; \
&& systemctl set-default multi-user.target \
# Install maas from the ppa
&& add-apt-repository -yu ppa:maas/3.0 \
&& add-apt-repository -yu ppa:maas/3.2 \
&& apt-get install -y \
maas-rack-controller=$MAAS_VERSION \
&& rm -rf /var/lib/apt/lists/*
@ -56,20 +56,20 @@ COPY scripts/register-rack-controller.service /lib/systemd/system/register-rack-
RUN systemctl enable register-rack-controller.service
# Patch so that Calico interfaces are ignored
COPY 3.0_nic_filter.patch /tmp/3.0_nic_filter.patch
COPY 3.0_secure_headers.patch /tmp/3.0_secure_headers.patch
COPY 3.2_nic_filter.patch /tmp/3.2_nic_filter.patch
COPY 3.2_secure_headers.patch /tmp/3.2_secure_headers.patch
# Patch so maas knows that "BMC error" is retriable
COPY 3.0_ipmi_error.patch /tmp/3.0_ipmi_error.patch
COPY 3.2_ipmi_error.patch /tmp/3.2_ipmi_error.patch
# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
COPY 3.0_redfish_retries.patch /tmp/3.0_redfish_retries.patch
COPY 3.2_redfish_retries.patch /tmp/3.2_redfish_retries.patch
# Patch to allow any recursion and cache queries
COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch
COPY 3.2_allow_query.patch /tmp/3.2_allow_query.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.0_nic_filter.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.0_ipmi_error.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.0_redfish_retries.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.2_nic_filter.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.2_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.2_ipmi_error.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.2_redfish_retries.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.2_allow_query.patch
# echo journalctl logs to the container's stdout
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service


@ -1,13 +0,0 @@
diff --git a/src/maasserver/models/partition.py b/src/maasserver/models/partition.py
index 62895f83b..832b1db4c 100644
--- a/src/maasserver/models/partition.py
+++ b/src/maasserver/models/partition.py
@@ -248,7 +248,7 @@ class Partition(CleanSave, TimestampedModel):
return idx + 1
elif arch == "ppc64el" and block_device.id == boot_disk.id:
return idx + 2
- elif arch == "amd64" and bios_boot_method != "uefi":
+ elif arch == "amd64" and bios_boot_method != "uefi" and block_device.id == boot_disk.id:
if block_device.type == "physical":
# Delay the `type` check because it can cause a query. Only
# physical block devices get the bios_grub partition.


@ -1,5 +1,5 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index d76fcfa9a..d198e90b9 100644
index d76fcfa..d198e90 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -13,8 +13,8 @@ empty-zones-enable no;


@ -0,0 +1,12 @@
diff --git a/src/maasserver/models/partition.py b/src/maasserver/models/partition.py
index 84a8fba..c62f25f 100644
--- a/src/maasserver/models/partition.py
+++ b/src/maasserver/models/partition.py
@@ -211,6 +211,7 @@ class Partition(CleanSave, TimestampedModel):
arch == "amd64"
and bios_boot_method != "uefi"
and block_device.type == "physical"
+ and block_device.id == boot_disk.id
)
if need_prep_partition or need_bios_grub:
index = 2


@ -1,10 +1,10 @@
diff --git a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
index 42e4c79e4..11df96313 100755
index 02e900d..411832a 100755
--- a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
+++ b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
@@ -396,6 +396,29 @@ class IPMI(BMCConfig):
@@ -184,6 +184,29 @@ class IPMIBase(BMCConfig):
return first_unused
def add_bmc_user(self):
+ """Create/configure an IPMI user, but with several tries"""
+ attempt = 1
@ -32,7 +32,7 @@ index 42e4c79e4..11df96313 100755
if not self.username:
self.username = "maas"
user_number = self._pick_user_number(self.username)
@@ -417,7 +440,7 @@ class IPMI(BMCConfig):
@@ -205,7 +228,7 @@ class IPMIBase(BMCConfig):
if self._bmc_config[user_number].get(key) != value:
self._bmc_set(user_number, key, value)
except Exception:
@ -41,12 +41,12 @@ index 42e4c79e4..11df96313 100755
else:
self.password = password
# Not all user settings are available on all BMC keys, its
@@ -432,8 +455,6 @@ class IPMI(BMCConfig):
@@ -220,8 +243,6 @@ class IPMIBase(BMCConfig):
"Yes",
)
return
- print("ERROR: Unable to add BMC user!", file=sys.stderr)
- sys.exit(1)
def _config_ipmi_lan_channel_settings(self):
"""Enable IPMI-over-Lan (Lan_Channel) if it is disabled"""
def _bmc_get_config(self, section=None):
"""Fetch and cache all BMC settings."""


@ -1,16 +1,15 @@
diff --git a/src/maasserver/preseed.py b/src/maasserver/preseed.py
index f9ba34a18..a9f41b9c2 100644
index c692969..c20facf 100644
--- a/src/maasserver/preseed.py
+++ b/src/maasserver/preseed.py
@@ -232,7 +232,27 @@ def compose_curtin_kernel_preseed(node):
The BootResourceFile table contains a mapping between hwe kernels and
Ubuntu package names. If this mapping is missing we fall back to letting
Curtin figure out which kernel should be installed"""
+
@@ -250,7 +250,26 @@ def compose_curtin_kernel_preseed(node):
if node.get_osystem() == "custom":
return []
+ # previous logic to retrieve kpackage parameter
kpackage = BootResource.objects.get_kpackage_for_node(node)
+
+ # determine if this node has kernel parameters applied by drydock
+ # determine if thie node has kernel parameters applied by drydock
+ # and override kpackage if we discover the right properties
+ kernel_opt_tag = "%s_kp" % (node.hostname)
+ if kernel_opt_tag in node.tag_names():
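Review bot: The comment carried into the 3.2 patch reads `# determine if thie node has kernel parameters applied by drydock`, where the line printed just before it has `this`; assuming the second of the two printed lines is the new side, the typo is being introduced by this commit and should be corrected in the patch file. The rest of compose_curtin_kernel_preseed, including what happens once `kernel_opt_tag` is found in `node.tag_names()`, is outside the visible hunk.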


@ -1,5 +1,5 @@
diff --git a/src/maasserver/api/partitions.py b/src/maasserver/api/partitions.py
index 5a413fb3b..6a5ad8b47 100644
index dd1b431..235c03f 100644
--- a/src/maasserver/api/partitions.py
+++ b/src/maasserver/api/partitions.py
@@ -99,7 +99,7 @@ class PartitionsHandler(OperationsHandler):


@ -1,17 +1,17 @@
diff --git a/src/maasserver/models/ownerdata.py b/src/maasserver/models/ownerdata.py
index 5d26041ca..0e208f264 100644
index 2cbaa9d..14eeb69 100644
--- a/src/maasserver/models/ownerdata.py
+++ b/src/maasserver/models/ownerdata.py
@@ -18,7 +18,7 @@ from django.db.models import (
from maasserver import DefaultMeta
@@ -17,7 +17,7 @@ from django.db.models import (
from maasserver.models.cleansave import CleanSave
-DATA_KEY_RE = re.compile(r"[\w.-]+$")
+#DATA_KEY_RE = re.compile(r"[\w.-]+$")
class OwnerDataManager(Manager):
@@ -33,8 +33,8 @@ class OwnerDataManager(Manager):
@@ -32,8 +32,8 @@ class OwnerDataManager(Manager):
if value is None:
to_remove.add(key)
else:
@ -19,6 +19,6 @@ index 5d26041ca..0e208f264 100644
- raise ValueError("Invalid character in key name")
+ # if not DATA_KEY_RE.match(key):
+ # raise ValueError("Invalid character in key name")
self.update_or_create(
node=node, key=key, defaults={"value": value}
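Review bot: Commenting out `DATA_KEY_RE` and its `match` check removes all validation of owner-data key names, which is broader than the stated purpose of this patch in the Dockerfile ("Allow tags with '/' symbols"). Widening the character class keeps the check active while permitting the slash: `DATA_KEY_RE = re.compile(r"[\w./-]+$")`, with the original `if not DATA_KEY_RE.match(key): raise ValueError("Invalid character in key name")` left in place. With the check disabled, any string the caller supplies is accepted as a key, including whitespace and control characters that the original pattern rejected. The enclosing OwnerDataManager method starts outside the hunk.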


@ -1,5 +1,5 @@
diff --git a/src/maasserver/security.py b/src/maasserver/security.py
index a9420e504..61c6f00c6 100644
index a9420e5..7973120 100644
--- a/src/maasserver/security.py
+++ b/src/maasserver/security.py
@@ -96,11 +96,11 @@ def get_shared_secret_txn():
@ -16,6 +16,5 @@ index a9420e504..61c6f00c6 100644
+ # secret and set it in the database (set_config function)
+ secret = secret_on_fs
+ Config.objects.set_config("rpc_shared_secret", to_hex(secret))
return secret
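Review bot: The added lines replace the database `rpc_shared_secret` with the on-disk value (`secret = secret_on_fs`, then `Config.objects.set_config("rpc_shared_secret", to_hex(secret))`) without recording that a rotation took place. Because this makes the filesystem copy authoritative, a change to that file changes the secret the region uses with no trace in the logs; a log entry immediately before the `set_config` call, naming the event but never the secret value, would give operators an audit point. The condition guarding these lines and the rest of get_shared_secret_txn are outside the visible hunk, so this assumes no logging happens there.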


@ -1,13 +1,17 @@
diff --git a/src/maasserver/preseed_network.py b/src/maasserver/preseed_network.py
index 3851424fc..8bfa90e7d 100644
index 7660feb..dae412d 100644
--- a/src/maasserver/preseed_network.py
+++ b/src/maasserver/preseed_network.py
@@ -309,7 +309,7 @@ class InterfaceConfiguration:
@@ -308,7 +308,11 @@ class InterfaceConfiguration:
def _get_matching_routes(self, source):
"""Return all route objects matching `source`."""
- return {route for route in self.routes if route.source == source}
+ return {route for route in self.routes if str(route.source.cidr) == str(source.cidr)}
+ return {
+ route
+ for route in self.routes
+ if str(route.source.cidr) == str(source.cidr)
+ }
def _generate_addresses(self, version=1):
"""Generate the various addresses needed for this interface."""


@ -1,12 +1,12 @@
diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py
index 23e3e408e..8e3e5b772 100644
index 23e3e40..8e3e5b7 100644
--- a/src/twisted/web/server.py
+++ b/src/twisted/web/server.py
@@ -178,7 +178,6 @@ class Request(Copyable, http.Request, components.Componentized):
self.site = self.channel.site
# set various default headers
- self.setHeader(b'server', version)
self.setHeader(b'date', http.datetimeToString())
# Resource Identification


@ -18,7 +18,7 @@ ARG no_proxy
ENV DEBIAN_FRONTEND noninteractive
ENV container docker
ENV MAAS_VERSION 1:3.0.1-10052-g.82c730c57-0ubuntu1~20.04.1
ENV MAAS_VERSION 1:3.2.9-12055-g.c3d5597a7-0ubuntu1~20.04.1
RUN apt-get -qq update \
&& apt-get install -y \
@ -41,7 +41,7 @@ RUN apt-get -qq update \
-exec rm \{} \; \
&& systemctl set-default multi-user.target \
# Install maas from the ppa
&& add-apt-repository -yu ppa:maas/3.0 \
&& add-apt-repository -yu ppa:maas/3.2 \
&& apt-get install -y \
maas-region-api=$MAAS_VERSION \
# tcpdump is required by /usr/lib/maas/beacon-monitor
@ -52,32 +52,32 @@ RUN apt-get -qq update \
RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
# MAAS workarounds
COPY 3.0_route.patch /tmp/3.0_route.patch
COPY 3.0_kernel_package.patch /tmp/3.0_kernel_package.patch
COPY 3.0_bios_grub_partition.patch /tmp/3.0_bios_grub_partition.patch
COPY 3.2_route.patch /tmp/3.2_route.patch
COPY 3.2_kernel_package.patch /tmp/3.2_kernel_package.patch
COPY 3.2_bios_grub_partition.patch /tmp/3.2_bios_grub_partition.patch
# sh8121att: allow all requests via the proxy to allow it to work
# behind ingress
COPY 3.0_proxy_acl.patch /tmp/3.0_proxy_acl.patch
COPY 3.2_proxy_acl.patch /tmp/3.2_proxy_acl.patch
# Patch to add retrying to MaaS BMC user setup, and improve exception handling
COPY 3.0_configure_ipmi_user.patch /tmp/3.0_configure_ipmi_user.patch
COPY 3.0_secure_headers.patch /tmp/3.0_secure_headers.patch
COPY 3.0_region_secret_rotate.patch /tmp/3.0_region_secret_rotate.patch
COPY 3.0_partitiontable_does_not_exist.patch /tmp/3.0_partitiontable_does_not_exist.patch
COPY 3.2_configure_ipmi_user.patch /tmp/3.2_configure_ipmi_user.patch
COPY 3.2_secure_headers.patch /tmp/3.2_secure_headers.patch
COPY 3.2_region_secret_rotate.patch /tmp/3.2_region_secret_rotate.patch
COPY 3.2_partitiontable_does_not_exist.patch /tmp/3.2_partitiontable_does_not_exist.patch
# Allow tags with '/' symbols
COPY 3.0_regex_tags.patch /tmp/3.0_regex_tags.patch
COPY 3.2_regex_tags.patch /tmp/3.2_regex_tags.patch
# Patch to allow any recursion and cache queries
COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch
COPY 3.2_allow_query.patch /tmp/3.2_allow_query.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.0_route.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.0_kernel_package.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/3.0_bios_grub_partition.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch security.py < /tmp/3.0_region_secret_rotate.patch
RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.0_configure_ipmi_user.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.0_proxy_acl.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.0_partitiontable_does_not_exist.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.0_regex_tags.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.2_route.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.2_kernel_package.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/3.2_bios_grub_partition.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch security.py < /tmp/3.2_region_secret_rotate.patch
RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.2_configure_ipmi_user.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.2_proxy_acl.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.2_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.2_partitiontable_does_not_exist.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.2_regex_tags.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.2_allow_query.patch
# echo journalctl logs to the container's stdout
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
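Review bot: `3.2_proxy_acl.patch` and `3.2_allow_query.patch` are carried forward to 3.2 under comments saying they allow all requests via the proxy and allow any recursion and cache queries, but nothing in the last hunk of this Dockerfile states the network assumption that makes that acceptable. If the patches do what the comments describe, the MAAS proxy and DNS resolver will answer any client that can reach them, so exposure is controlled only by whatever sits in front of the container. I would extend the comments to record that, for example `# Patch to allow any recursion and cache queries; DNS must only be reachable from provisioning networks`, and the same applies to the allow_query lines in the other Dockerfile section earlier on the page. The patch contents are not shown in full here, so the behaviour is inferred from the comments.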