Upgrade MAAS to v3.2

Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
Change-Id: If5fffa59f547d4b19d7c0f086204800e9144d952
This commit is contained in:
Anselme, Schubert (sa246v) 2023-04-03 09:54:18 -04:00 committed by Schubert Anselme
parent 962db46114
commit 14cf53fb7b
37 changed files with 563 additions and 275 deletions

.gitignore vendored

@ -1,3 +1,5 @@
# Distribution / packaging # Distribution / packaging
build/ build/
*.tgz *.tgz
charts/deps/
!charts/deps/.gitkeep


@ -16,6 +16,7 @@ apiVersion: v1
description: Chart to run Canonical MaaS description: Chart to run Canonical MaaS
name: maas name: maas
version: 0.1.5 version: 0.1.5
appVersion: 3.2.7
home: https://docs.ubuntu.com/maas home: https://docs.ubuntu.com/maas
sources: sources:
- https://git.launchpad.net/maas - https://git.launchpad.net/maas


@ -0,0 +1,6 @@
dependencies:
- name: helm-toolkit
repository: file://../deps/helm-toolkit
version: 0.2.54
digest: sha256:ffbfe5c88704dc3f39eaea0b97f2355de43e9667bec2385bd1a0bc5771ff32f3
generated: "2023-08-11T09:29:34.123882-04:00"


@ -0,0 +1,19 @@
#!/bin/bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
maas config-tls enable --yes --port 5240 --cacert /etc/maas/ssl/ca.crt /etc/maas/ssl/tls.key /etc/maas/ssl/tls.crt
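Review bot: The `maas config-tls enable` line assumes all three files under /etc/maas/ssl exist, but the mounted secret (`secrets.maas_cert`) only carries `ca.crt` when the issuer populates it — cert-manager omits that key for issuers that do not return a CA — and a missing file would surface only as an opaque CLI error in the job log. A guard before the call, `for f in ca.crt tls.key tls.crt; do [[ -s "/etc/maas/ssl/$f" ]] || { echo "missing /etc/maas/ssl/$f" >&2; exit 1; }; done`, makes the failure actionable. The port 5240 is also hard-coded here although the chart derives its endpoints from `.Values.endpoints`; since this file is rendered as a `.tpl` via helm-toolkit, the port could be templated instead. `set -e` alone is used; `set -euo pipefail` is the stricter default for a one-command job script.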


@ -23,173 +23,161 @@ JOB_TIMEOUT=${JOB_TIMEOUT:-900}
RETRY_TIMER=${RETRY_TIMER:-30} RETRY_TIMER=${RETRY_TIMER:-30}
function timer { function timer {
retry_wait=$1 retry_wait=$1
shift shift
while [[ ${JOB_TIMEOUT} -gt 0 ]] while [[ ${JOB_TIMEOUT} -gt 0 ]]; do
do "$@"
"$@" rc=$?
rc=$? if [ $rc -eq 0 ]; then
if [ $rc -eq 0 ] return $rc
then else
return $rc JOB_TIMEOUT=$((JOB_TIMEOUT - retry_wait))
else sleep $retry_wait
JOB_TIMEOUT=$(($JOB_TIMEOUT - $retry_wait)) fi
sleep $retry_wait done
fi
done
return 124 return 124
} }
function import_resources { function import_resources {
check_for_download check_for_download
rc=$? rc=$?
if [ $rc -ne 0 ] if [ $rc -ne 0 ]; then
then echo "Starting image import try ${import_tries}..."
echo "Starting image import try ${import_tries}..." maas ${ADMIN_USERNAME} boot-resources import
maas ${ADMIN_USERNAME} boot-resources import sleep 30
sleep 30 check_for_download
check_for_download rc=$?
rc=$? fi
fi
return $rc return $rc
} }
function start_import { function start_import {
timer "$RETRY_TIMER" import_resources timer "$RETRY_TIMER" import_resources
} }
function check_for_download { function check_for_download {
if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true'; if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true'; then
then echo -e '\nBoot resources currently importing\n'
echo -e '\nBoot resources currently importing\n' return 1
return 1 else
else synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq '.[] | select( .type | contains("Synced")) | .name ' | grep -c $MAAS_DEFAULT_DISTRO)
synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq ".[] | select( .type | contains(\"Synced\")) | .name " | grep -c $MAAS_DEFAULT_DISTRO) if [[ $synced_imgs -gt 0 ]]; then
if [[ $synced_imgs -gt 0 ]] echo 'Boot resources have completed importing'
then return 0
echo 'Boot resources have completed importing' else
return 0 echo 'Import failed!'
else return 1
echo 'Import failed!' fi
return 1 fi
fi
fi
} }
function check_then_set_single { function check_then_set_single {
option="$1" option="$1"
value="$2" value="$2"
cur_val=$(maas ${ADMIN_USERNAME} maas get-config name=${option} | tail -1 | tr -d '"') cur_val=$(maas ${ADMIN_USERNAME} maas get-config name=${option} | tail -1 | tr -d '"')
desired_val=$(echo ${value} | tr -d '"') desired_val=$(echo ${value} | tr -d '"')
if [[ $cur_val != $desired_val ]] if [[ $cur_val != $desired_val ]]; then
then echo "Setting MAAS option ${option} to ${desired_val}"
echo "Setting MAAS option ${option} to ${desired_val}" maas ${ADMIN_USERNAME} maas set-config name=${option} value=${desired_val}
maas ${ADMIN_USERNAME} maas set-config name=${option} value=${desired_val} return $?
return $? else
else echo "MAAS option ${option} already set to ${cur_val}"
echo "MAAS option ${option} already set to ${cur_val}" return 0
return 0 fi
fi
} }
function check_then_set { function check_then_set {
option=$1 option=$1
value=$2 value=$2
timer "$RETRY_TIMER" check_then_set_single "$option" "$value" timer "$RETRY_TIMER" check_then_set_single "$option" "$value"
} }
# Get rack controllers reporting a healthy rackd # Get rack controllers reporting a healthy rackd
function get_active_rack_controllers { function get_active_rack_controllers {
maas ${ADMIN_USERNAME} rack-controllers read | jq -r 'map({"system_id":.system_id,"service_set":(.service_set[] | select(.name=="rackd"))}) | map(select(.service_set.status == "running")) | .[] | .system_id' maas ${ADMIN_USERNAME} rack-controllers read | jq -r 'map({"system_id":.system_id,"service_set":(.service_set[] | select(.name=="rackd"))}) | map(select(.service_set.status == "running")) | .[] | .system_id'
} }
function check_for_rack_sync_single { function check_for_rack_sync_single {
sync_list="" sync_list=""
rack_list=$(get_active_rack_controllers) rack_list=$(get_active_rack_controllers)
for rack_id in ${rack_list} for rack_id in ${rack_list}; do
do selected_imgs=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name")
selected_imgs=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name") synced_ctlr=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq '.status == "synced"')
synced_ctlr=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq '.status == "synced"') if [[ $synced_ctlr == "true" && -n ${selected_imgs} ]]; then
if [[ $synced_ctlr == "true" && ! -z ${selected_imgs} ]] sync_list=$(echo -e "${sync_list}\n${rack_id}" | sort | uniq)
then else
sync_list=$(echo -e "${sync_list}\n${rack_id}" | sort | uniq) maas ${ADMIN_USERNAME} rack-controller import-boot-images ${rack_id}
else fi
maas ${ADMIN_USERNAME} rack-controller import-boot-images ${rack_id} if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$') == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]]; then
fi return 0
if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$' ) == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]] fi
then done
return 0
fi
done
return 1 return 1
} }
function check_for_rack_sync { function check_for_rack_sync {
timer "$RETRY_TIMER" check_for_rack_sync_single timer "$RETRY_TIMER" check_for_rack_sync_single
} }
function configure_proxy { function configure_proxy {
check_then_set enable_http_proxy ${MAAS_PROXY_ENABLED} check_then_set enable_http_proxy ${MAAS_PROXY_ENABLED}
check_then_set use_peer_proxy ${MAAS_PEER_PROXY_ENABLED} check_then_set use_peer_proxy ${MAAS_PEER_PROXY_ENABLED}
check_then_set http_proxy ${MAAS_PROXY_SERVER} check_then_set http_proxy ${MAAS_PROXY_SERVER}
check_then_set maas_proxy_port ${MAAS_INTERNAL_PROXY_PORT} check_then_set maas_proxy_port ${MAAS_INTERNAL_PROXY_PORT}
} }
function configure_ntp { function configure_ntp {
check_then_set ntp_servers ${MAAS_NTP_SERVERS} check_then_set ntp_servers ${MAAS_NTP_SERVERS}
check_then_set ntp_external_only ${MAAS_NTP_EXTERNAL_ONLY} check_then_set ntp_external_only ${MAAS_NTP_EXTERNAL_ONLY}
} }
function configure_dns { function configure_dns {
check_then_set dnssec_validation ${MAAS_DNS_DNSSEC_REQUIRED} check_then_set dnssec_validation ${MAAS_DNS_DNSSEC_REQUIRED}
check_then_set upstream_dns ${MAAS_DNS_SERVERS} check_then_set upstream_dns ${MAAS_DNS_SERVERS}
} }
function configure_syslog { function configure_syslog {
check_then_set remote_syslog ${MAAS_REMOTE_SYSLOG} check_then_set remote_syslog ${MAAS_REMOTE_SYSLOG}
} }
function configure_images { function configure_images {
check_for_rack_sync check_for_rack_sync
if [[ $? -eq 124 ]] if [[ $? -eq 124 ]]; then
then echo "Timed out waiting for rack controller sync."
echo "Timed out waiting for rack controller sync." return 1
return 1 fi
fi
check_then_set default_osystem ${MAAS_DEFAULT_OS} check_then_set default_osystem ${MAAS_DEFAULT_OS}
check_then_set commissioning_distro_series ${MAAS_DEFAULT_DISTRO} check_then_set commissioning_distro_series ${MAAS_DEFAULT_DISTRO}
check_then_set default_distro_series ${MAAS_DEFAULT_DISTRO} check_then_set default_distro_series ${MAAS_DEFAULT_DISTRO}
check_then_set default_min_hwe_kernel ${MAAS_DEFAULT_KERNEL} check_then_set default_min_hwe_kernel ${MAAS_DEFAULT_KERNEL}
} }
function configure_boot_sources { function configure_boot_sources {
if [[ $USE_IMAGE_CACHE == 'true' ]] if [[ $USE_IMAGE_CACHE == 'true' ]]; then
then maas ${ADMIN_USERNAME} boot-source update 1 url=http://localhost:8888/maas/images/ephemeral-v3/daily/
maas ${ADMIN_USERNAME} boot-source update 1 url=http://localhost:8888/maas/images/ephemeral-v3/daily/ fi
fi
selected_releases="$(maas ${ADMIN_USERNAME} boot-source-selections read 1 | jq -r '.[] | .release')" selected_releases="$(maas ${ADMIN_USERNAME} boot-source-selections read 1 | jq -r '.[] | .release')"
if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}" if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}"; then
then # Need to start an import to get the availability data
# Need to start an import to get the availability data maas "$ADMIN_USERNAME" boot-resources import
maas "$ADMIN_USERNAME" boot-resources import if ! maas ${ADMIN_USERNAME} boot-source-selections create 1 os="${MAAS_DEFAULT_OS}" \
if ! maas ${ADMIN_USERNAME} boot-source-selections create 1 os="${MAAS_DEFAULT_OS}" \ release="${MAAS_DEFAULT_DISTRO}" arches="amd64" subarches='*' labels='*' | grep -q 'Success'; then
release="${MAAS_DEFAULT_DISTRO}" arches="amd64" subarches='*' labels='*' | grep -q 'Success'; then return 1
return 1 fi
fi fi
fi
} }
function create_extra_commissioning_script { function create_extra_commissioning_script {
@ -215,21 +203,24 @@ EOF
} }
function configure_extra_settings { function configure_extra_settings {
{{- range $k, $v := .Values.conf.maas.extra_settings }} {{- range $k, $v := .Values.conf.maas.extra_settings }}
check_then_set {{$k}} {{$v}} check_then_set {{$k}} {{$v}}
{{- else }} {{- else }}
: No additional MAAS config : No additional MAAS config
{{- end }} {{- end }}
} }
function maas_login { function maas_login {
KEY=$(maas-region apikey --username=${ADMIN_USERNAME}) KEY=$(maas-region apikey --username=${ADMIN_USERNAME})
if [ -z "$KEY" ] if [ -z "$KEY" ]; then
then return 1
return 1 fi
fi {{- if .Values.conf.maas.tls.enabled }}
maas login ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY maas login --cacerts /usr/local/share/ca-certificates/maas-ca.crt ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY
return $? {{- else }}
maas login ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY
{{- end }}
return $?
} }
timer "$RETRY_TIMER" maas_login timer "$RETRY_TIMER" maas_login
@ -245,10 +236,9 @@ create_extra_commissioning_script
timer "$RETRY_TIMER" configure_boot_sources timer "$RETRY_TIMER" configure_boot_sources
start_import start_import
if [[ $? -eq 0 ]] if [[ $? -eq 0 ]]; then
then configure_images
configure_images
else else
echo "Image import FAILED!" echo "Image import FAILED!"
exit 1 exit 1
fi fi
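Review bot: In `maas_login`, the TLS branch hard-codes the CA bundle path `/usr/local/share/ca-certificates/maas-ca.crt`, which is repeated in the test script and in four volume mounts elsewhere in this commit; a single `MAAS_CA_BUNDLE` variable (or a template value) would keep them in step. The branch also depends on `MAAS_ENDPOINT` being an https URL whose host is one of the SANs issued on `secrets.maas_cert` (the short service name and its namespace forms); `MAAS_ENDPOINT` is set outside this hunk, so that is worth confirming and recording with a comment such as `# TLS: MAAS_ENDPOINT must be https and its host must match a SAN of the maas_cert certificate`. Finally, `$KEY` and the other expansions on the `maas login` lines are unquoted, and `[ -z "$KEY" ]` mixes single-bracket tests with the `[[ ]]` form used throughout the rest of the script.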


@ -18,78 +18,74 @@
set -ex set -ex
function check_boot_images { function check_boot_images {
if maas local boot-resources is-importing | grep -q 'true'; if maas local boot-resources is-importing | grep -q 'true'; then
then echo -e '\nBoot resources currently importing\n'
echo -e '\nBoot resources currently importing\n' return 1
return 1 else
else synced_imgs=$(maas local boot-resources read | tr -d '\n' | grep -oE '{[^}]+}' | grep ubuntu | grep -c Synced)
synced_imgs=$(maas local boot-resources read | tr -d '\n' | grep -oE '{[^}]+}' | grep ubuntu | grep -c Synced) if [[ $synced_imgs -gt 0 ]]; then
if [[ $synced_imgs -gt 0 ]] echo 'Boot resources have completed importing'
then return 0
echo 'Boot resources have completed importing' else
return 0 return 1
else fi
return 1 fi
fi
fi
} }
function check_rack_controllers { function check_rack_controllers {
rack_cnt=$(maas local rack-controllers read | grep -c hostname) rack_cnt=$(maas local rack-controllers read | grep -c hostname)
if [[ $rack_cnt -gt 0 ]] if [[ $rack_cnt -gt 0 ]]; then
then echo "Found $rack_cnt rack controllers."
echo "Found $rack_cnt rack controllers." return 0
return 0 else
else return 1
return 1 fi
fi
} }
function check_admin_api { function check_admin_api {
if maas local version read; if maas local version read; then
then echo 'Admin API is responding'
echo 'Admin API is responding' return 0
return 0 else
else return 1
return 1 fi
fi
} }
function establish_session { function establish_session {
maas login local ${MAAS_URL} ${MAAS_API_KEY} {{- if .Values.conf.maas.tls.enabled }}
return $? maas login --cacerts /usr/local/share/ca-certificates/maas-ca.crt local ${MAAS_URL} ${MAAS_API_KEY}
{{- else }}
maas login local ${MAAS_URL} ${MAAS_API_KEY}
{{- end }}
return $?
} }
establish_session establish_session
if [[ $? -ne 0 ]] if [[ $? -ne 0 ]]; then
then echo "MAAS API login FAILED!"
echo "MAAS API login FAILED!" exit 1
exit 1
fi fi
check_boot_images check_boot_images
if [[ $? -eq 1 ]] if [[ $? -eq 1 ]]; then
then echo "Image import test FAILED!"
echo "Image import test FAILED!" exit 1
exit 1
fi fi
check_rack_controllers check_rack_controllers
if [[ $? -eq 1 ]] if [[ $? -eq 1 ]]; then
then echo "Rack controller query FAILED!"
echo "Rack controller query FAILED!" exit 1
exit 1
fi fi
check_admin_api check_admin_api
if [[ $? -eq 1 ]] if [[ $? -eq 1 ]]; then
then echo "Admin API response FAILED!"
echo "Admin API response FAILED!" exit 1
exit 1
fi fi
echo "MAAS Validation SUCCESS!" echo "MAAS Validation SUCCESS!"
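Review bot: `set -ex` at the top of the hunk is still in effect when `establish_session` runs `maas login ... ${MAAS_API_KEY}`, so the xtrace output prints the API key into the test pod log on both the TLS and non-TLS branches. Disabling tracing around that one call — `{ set +x; } 2>/dev/null` before and `set -x` after the `maas login` line — keeps the key out of the log without losing tracing elsewhere. The `${MAAS_URL}` and `${MAAS_API_KEY}` expansions on those lines should also be quoted.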


@ -0,0 +1,32 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled .Values.cert_manager.create }}
{{- $envAll := . }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.secrets.maas_ingress_cert }}
spec:
secretName: {{ .Values.secrets.maas_ingress_cert }}
commonName: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
issuerRef:
kind: {{ .Values.cert_manager.issuer.kind }}
name: {{ .Values.cert_manager.issuer.name }}
dnsNames:
- {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
{{ end }}
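Review bot: The Certificate at the top of the section is gated on `.Values.cert_manager.create` in addition to `.Values.cert_manager.enabled`, whereas the internal Certificate in the next section only requires `cert_manager.enabled`; with the default `create: false` the public-FQDN certificate is never issued while the internal one is. The secret it would write, `secrets.maas_ingress_cert`, is also not referenced by the ingress template in this commit (that template names `maas-region-api-tls`), so even when issued it would not be served. Either gate both Certificates the same way or document in values.yaml what `cert_manager.create` is meant to control. `$envAll` is assigned but unused in this template.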


@ -0,0 +1,35 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled }}
{{- $envAll := . }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.secrets.maas_cert }}
spec:
secretName: {{ .Values.secrets.maas_cert }}
commonName: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
issuerRef:
kind: {{ .Values.cert_manager.issuer.kind }}
name: {{ .Values.cert_manager.issuer.name }}
dnsNames:
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc
- {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc.cluster.local
{{ end }}
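Review bot: The `ca.crt` key of the secret this Certificate produces is projected into every pod's trust store and read by the enable-tls job, but whether cert-manager writes `ca.crt` at all depends on the issuer — it is populated only when the issuer returns a CA — and a secret-key projection without `optional: true` blocks pod startup when the key is absent. A comment on `issuerRef` stating that a CA-returning issuer (such as a CA ClusterIssuer) is required, or marking the projections optional with an explicit failure in the scripts, would save debugging time. The dnsNames here are only the internal short-name forms, so this secret must not be the one served by the public ingress. `$envAll` is assigned but unused in this template.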


@ -49,3 +49,7 @@ data:
{{ tuple "bin/_maas-vip-configure.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_maas-vip-configure.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
start-syslog.sh: | start-syslog.sh: |
{{ tuple "bin/_start-syslog.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "bin/_start-syslog.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- if .Values.conf.maas.tls.enabled }}
enable-tls.sh: |
{{ tuple "bin/_enable-tls.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{ end }}


@ -15,7 +15,7 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/}} */}}
{{- if .Values.manifests.rack_statefulset }} {{- if and .Values.manifests.maas_ingress .Values.manifests.rack_statefulset }}
{{- $envAll := . }} {{- $envAll := . }}
{{- $labels := tuple $envAll "maas" "ingress-errors" | include "helm-toolkit.snippets.kubernetes_metadata_labels" -}} {{- $labels := tuple $envAll "maas" "ingress-errors" | include "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
{{- $serviceAccountName := "maas-ingress-errors" }} {{- $serviceAccountName := "maas-ingress-errors" }}


@ -20,8 +20,17 @@ apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: maas-region-api name: maas-region-api
metadata:
annotations:
{{ toYaml .Values.network.region_api.ingress.annotations | indent 8 }}
spec: spec:
ingressClassName: {{ .Values.network.region_api.ingress.classes.cluster | quote }} ingressClassName: {{ .Values.network.region_api.ingress.classes.cluster | quote }}
{{- if .Values.conf.maas.tls.enabled }}
tls:
- secretName: maas-region-api-tls
hosts:
- {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
{{ end }}
rules: rules:
- host: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} - host: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
http: http:
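Review bot: The TLS block hard-codes `secretName: maas-region-api-tls`, which is the default of `secrets.maas_cert` (the internal certificate whose SANs are the short service names), while the public-FQDN certificate added for the ingress is written to `secrets.maas_ingress_cert` and is never referenced; the ingress would therefore present a certificate that does not match its `host`. Use `- secretName: {{ .Values.secrets.maas_ingress_cert }}` here. Separately, the added `metadata:`/`annotations:` lines follow the existing `metadata:` block that already holds `name: maas-region-api`; indentation is lost in this view, but as rendered this is either a duplicate top-level `metadata` key or a nested `metadata.metadata`, neither of which the API server accepts — the annotations belong under the existing `metadata:` block.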


@ -0,0 +1,79 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.conf.maas.tls.enabled }}
{{- $envAll := . }}
{{- $serviceAccountName := "maas-enable-tls" }}
{{ tuple $envAll "enable_tls" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: maas-enable-tls
labels:
{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
spec:
template:
metadata:
labels:
{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
{{ dict "envAll" $envAll "podName" "maas-enable-tls" "containerNames" (list "init" "maas-enable-tls") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
spec:
{{ dict "envAll" $envAll "application" "enable_tls" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
initContainers:
{{ tuple $envAll "enable_tls" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: maas-enable-tls
image: {{ .Values.images.tags.enable_tls }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.enable_tls | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "enable_tls" "container" "maas_enable_tls" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
command:
- /tmp/enable-tls.sh
volumeMounts:
- name: maas-bin
mountPath: /tmp/enable-tls.sh
subPath: enable-tls.sh
readOnly: true
- name: maas-etc
mountPath: /etc/maas/regiond.conf
subPath: regiond.conf
readOnly: true
- name: maas-tls
mountPath: /etc/maas/ssl
readOnly: true
volumes:
- name: maas-bin
configMap:
name: maas-bin
defaultMode: 0555
- name: maas-etc
configMap:
name: maas-etc
defaultMode: 0444
- name: maas-tls
secret:
secretName: {{ .Values.secrets.maas_cert }}
defaultMode: 0444
{{ end }}
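Review bot: The `maas-tls` secret volume is mounted with `defaultMode: 0444`, which makes the private key `tls.key` readable by every uid inside the job container; `0400` (or `0440` with a matching fsGroup from the pod security context) is sufficient since only the `maas` CLI reads it — which uid that CLI runs as is set by the `enable_tls` security context values, which are not visible here. The job is also one-shot: cert-manager renewals rewrite the secret, but nothing re-runs `maas config-tls enable` or restarts the region pods, so a renewed certificate is not picked up until the next chart upgrade. That limitation deserves a comment in this template or a note next to `conf.maas.tls` in values.yaml.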


@ -116,6 +116,12 @@ spec:
mountPath: /etc/maas/regiond.conf mountPath: /etc/maas/regiond.conf
subPath: regiond.conf subPath: regiond.conf
readOnly: true readOnly: true
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/maas-ca.crt
subPath: maas-ca.crt
readOnly: true
{{ end }}
volumes: volumes:
- name: maas-bin - name: maas-bin
configMap: configMap:
@ -125,3 +131,11 @@ spec:
configMap: configMap:
name: maas-etc name: maas-etc
defaultMode: 0444 defaultMode: 0444
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
secret:
secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: maas-ca.crt
{{ end }}
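Review bot: The `ca-cert` mount uses `subPath: maas-ca.crt`, and Kubernetes does not propagate secret updates into subPath mounts, so a rotated CA in `secrets.maas_cert` only reaches the pod after a restart; the same applies to the identical mounts added in the rack statefulset, region statefulset and test pod sections below. If the CA can be renewed (cert-manager with `tls.enabled`), either mount the projected directory without `subPath` and point `--cacerts` at the file inside it, or add a checksum annotation on the pod template so a changed secret rolls the pods. The closing `{{ end }}` without the dash also leaves a stray blank line in the rendered manifest, unlike the `{{- if` that opens the block.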


@ -0,0 +1,29 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create (eq .Values.cert_manager.enabled false) }}
{{- $envAll := . }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.secrets.certificate }}
type: kubernetes/tls
data:
ca.crt: {{ .Values.conf.maas.tls.ca | b64enc }}
tls.crt: {{ .Values.conf.maas.tls.cert | b64enc }}
tls.key: {{ .Values.conf.maas.tls.key | b64enc }}
{{ end }}
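Review bot: `type: kubernetes/tls` is not the built-in TLS Secret type, which is `kubernetes.io/tls`; the API server stores the value as a custom type without validating that `tls.crt`/`tls.key` are present, and tooling that keys on the built-in type will not treat it as a TLS secret. The name comes from `.Values.secrets.certificate`, but the values hunk in this commit adds only `secrets.maas_cert` and `secrets.maas_ingress_cert`, so unless `certificate` is defined outside the visible hunks the manifest renders with an empty name; it presumably should be `{{ .Values.secrets.maas_cert }}` to match what the pods and the enable-tls job mount. `$envAll` is assigned but unused in this template.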


@ -24,6 +24,10 @@ spec:
ports: ports:
- name: http - name: http
port: 80 port: 80
{{- if .Values.conf.maas.tls.enabled }}
- name: https
port: 443
{{- end }}
selector: selector:
{{ tuple . "maas" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ tuple . "maas" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
... ...


@ -155,6 +155,12 @@ spec:
mountPath: /etc/bind/named.conf.options mountPath: /etc/bind/named.conf.options
subPath: named.conf.options subPath: named.conf.options
readOnly: true readOnly: true
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/maas-ca.crt
subPath: maas-ca.crt
readOnly: true
{{ end }}
{{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
{{- if not .Values.conf.maas.cgroups.disable_cgroups_rack }} {{- if not .Values.conf.maas.cgroups.disable_cgroups_rack }}
@ -185,6 +191,14 @@ spec:
configMap: configMap:
name: maas-etc name: maas-etc
defaultMode: 0444 defaultMode: 0444
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
secret:
secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: maas-ca.crt
{{ end }}
{{ if $mounts_maas_rack.volumes }}{{ toYaml $mounts_maas_rack.volumes | indent 8 }}{{ end }} {{ if $mounts_maas_rack.volumes }}{{ toYaml $mounts_maas_rack.volumes | indent 8 }}{{ end }}
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:


@ -179,6 +179,12 @@ spec:
mountPath: /etc/default/bind9 mountPath: /etc/default/bind9
subPath: named subPath: named
readOnly: true readOnly: true
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/maas-ca.crt
subPath: maas-ca.crt
readOnly: true
{{ end }}
{{- if $mounts_maas_region.volumeMounts }}{{ toYaml $mounts_maas_region.volumeMounts | indent 12 }}{{ end }} {{- if $mounts_maas_region.volumeMounts }}{{ toYaml $mounts_maas_region.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
{{- if not .Values.conf.maas.cgroups.disable_cgroups_region }} {{- if not .Values.conf.maas.cgroups.disable_cgroups_region }}
@ -203,6 +209,14 @@ spec:
- name: maas-region-secret - name: maas-region-secret
secret: secret:
secretName: {{ .Values.secrets.maas_region.name }} secretName: {{ .Values.secrets.maas_region.name }}
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
secret:
secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: maas-ca.crt
{{ end }}
{{- if $mounts_maas_region.volumes }}{{ toYaml $mounts_maas_region.volumes | indent 8 }}{{ end }} {{- if $mounts_maas_region.volumes }}{{ toYaml $mounts_maas_region.volumes | indent 8 }}{{ end }}
{{- if .Values.manifests.maas_syslog }} {{- if .Values.manifests.maas_syslog }}
volumeClaimTemplates: volumeClaimTemplates:


@ -38,7 +38,11 @@ spec:
- name: maas-api-test - name: maas-api-test
env: env:
- name: 'MAAS_URL' - name: 'MAAS_URL'
value: {{ tuple "maas_region" "internal" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }} {{- if empty .Values.conf.maas.url.maas_url }}
value: {{ tuple "maas_region" "public" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
{{- else }}
value: {{ .Values.conf.maas.url.maas_url }}
{{- end }}
- name: 'MAAS_API_KEY' - name: 'MAAS_API_KEY'
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
@ -54,10 +58,24 @@ spec:
mountPath: /tmp/maas-test.sh mountPath: /tmp/maas-test.sh
subPath: maas-test.sh subPath: maas-test.sh
readOnly: true readOnly: true
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
mountPath: /usr/local/share/ca-certificates/maas-ca.crt
subPath: maas-ca.crt
readOnly: true
{{ end }}
volumes: volumes:
- name: maas-bin - name: maas-bin
configMap: configMap:
name: maas-bin name: maas-bin
defaultMode: 0555 defaultMode: 0555
{{- if .Values.conf.maas.tls.enabled }}
- name: ca-cert
secret:
secretName: {{ .Values.secrets.maas_cert }}
items:
- key: ca.crt
path: maas-ca.crt
{{ end }}
... ...
{{- end }} {{- end }}
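Review bot: The override branch emits `value: {{ .Values.conf.maas.url.maas_url }}` unquoted while the computed branch uses `| quote`; a URL is usually a safe plain scalar, but quoting both branches consistently avoids YAML surprises and matches the rest of the env block. Since MAAS_URL now defaults to the public endpoint (through the ingress) and the pod trusts only `ca.crt` from `secrets.maas_cert`, the TLS test passes only if the ingress serves a certificate chained to that same CA — see the ingress section for the secret mismatch. The `ca-cert` mount here has the same subPath-rotation caveat noted on the first job section.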


@ -74,6 +74,12 @@ dependencies:
endpoint: internal endpoint: internal
- service: maas_ingress - service: maas_ingress
endpoint: monitor endpoint: monitor
enable_tls:
jobs:
- maas-bootstrap-admin-user
services:
- service: maas_region
endpoint: internal
network_policy: network_policy:
maas: maas:
@ -108,6 +114,7 @@ images:
ingress_vip: docker.io/busybox:latest ingress_vip: docker.io/busybox:latest
error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0 error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0
maas_syslog: quay.io/airshipit/maas-region-controller:latest maas_syslog: quay.io/airshipit/maas-region-controller:latest
enable_tls: quay.io/airshipit/maas-region-controller:latest
pull_policy: IfNotPresent pull_policy: IfNotPresent
local_registry: local_registry:
# TODO(portdirect): this chart does not yet support local image cacheing # TODO(portdirect): this chart does not yet support local image cacheing
@ -263,8 +270,8 @@ conf:
proxy_server: null proxy_server: null
images: images:
default_os: 'ubuntu' default_os: 'ubuntu'
default_image: 'bionic' default_image: 'focal'
default_kernel: 'ga-18.04' default_kernel: 'ga-20.04'
credentials: credentials:
secret: secret:
namespace: maas namespace: maas
@ -294,6 +301,12 @@ conf:
# system user for console login/recovery in early phases of deployment # system user for console login/recovery in early phases of deployment
system_user: 'root' system_user: 'root'
system_passwd: 'password' system_passwd: 'password'
tls:
enabled: false
create: false
ca: ""
cert: ""
key: ""
drivers: null drivers: null
#### If you populates drivers, it will replace the 3rd party driver #### If you populates drivers, it will replace the 3rd party driver
#### info that comes with MaaS. see structure below if it is needed #### info that comes with MaaS. see structure below if it is needed
@ -341,6 +354,8 @@ secrets:
name: maas-region-secret name: maas-region-secret
value: 3858f62230ac3c915f300c664312c63f value: 3858f62230ac3c915f300c664312c63f
ssh_key: ssh-private-key ssh_key: ssh-private-key
maas_cert: maas-region-api-tls
maas_ingress_cert: maas-region-api-ingress-tls
pod: pod:
mandatory_access_control: mandatory_access_control:
@ -659,7 +674,6 @@ endpoints:
syslog: syslog:
public: 514 public: 514
podport: 514 podport: 514
maas_db: maas_db:
auth: auth:
admin: admin:
@ -722,3 +736,10 @@ endpoints:
default: http default: http
host_fqdn_override: host_fqdn_override:
default: null default: null
cert_manager:
enabled: false
create: false
issuer:
kind: ClusterIssuer
name: ca-issuer
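Review bot: The new templates (two Certificates, the TLS Secret, the enable-tls Job) are gated solely on `conf.maas.tls.enabled` and `cert_manager.*` and get no entries under `manifests:`, unlike the existing templates that check e.g. `.Values.manifests.rack_statefulset`; adding `manifests.certificate_*`, `manifests.secret_tls` and `manifests.job_enable_tls` toggles keeps the chart consistent with its own convention. The `tls.ca`/`tls.cert`/`tls.key` entries hold PEM material as plaintext values, which also lands in the Helm release secret; a comment next to them stating that `create: false` with a pre-provisioned `maas_cert` secret is the preferred path would steer operators. The TLS Secret template references `secrets.certificate`, which this hunk does not define alongside `maas_cert` and `maas_ingress_cert`.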


@ -1,5 +1,5 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index d76fcfa9a..d198e90b9 100644 index d76fcfa..d198e90 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template --- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -13,8 +13,8 @@ empty-zones-enable no; @@ -13,8 +13,8 @@ empty-zones-enable no;


@ -1,5 +1,5 @@
diff --git a/src/provisioningserver/drivers/power/ipmi.py b/src/provisioningserver/drivers/power/ipmi.py diff --git a/src/provisioningserver/drivers/power/ipmi.py b/src/provisioningserver/drivers/power/ipmi.py
index acf284e9d..edcaf9e41 100644 index 70201e8..26625e2 100644
--- a/src/provisioningserver/drivers/power/ipmi.py --- a/src/provisioningserver/drivers/power/ipmi.py
+++ b/src/provisioningserver/drivers/power/ipmi.py +++ b/src/provisioningserver/drivers/power/ipmi.py
@@ -155,6 +155,13 @@ IPMI_ERRORS = { @@ -155,6 +155,13 @@ IPMI_ERRORS = {
@ -16,12 +16,12 @@ index acf284e9d..edcaf9e41 100644
"could not find inband device": { "could not find inband device": {
"message": ( "message": (
"An inband device could not be found." "An inband device could not be found."
@@ -283,7 +290,7 @@ class IPMIPowerDriver(PowerDriver): @@ -308,7 +315,7 @@ class IPMIPowerDriver(PowerDriver):
), ),
] ]
ip_extractor = make_ip_extractor("power_address") ip_extractor = make_ip_extractor("power_address")
- wait_time = (4, 8, 16, 32) - wait_time = (4, 8, 16, 32)
+ wait_time = (4, 4, 8, 8, 16, 16, 32, 32) + wait_time = (4, 4, 8, 8, 16, 16, 32, 32)
def detect_missing_packages(self): def detect_missing_packages(self):
if not shell.has_command_available("ipmipower"): if not shell.has_command_available("ipmipower"):


@ -1,8 +1,8 @@
diff --git a/src/provisioningserver/utils/network.py b/src/provisioningserver/utils/network.py diff --git a/src/provisioningserver/utils/network.py b/src/provisioningserver/utils/network.py
index d8c781e38..3d2e6264c 100644 index 7895227..0f665ad 100644
--- a/src/provisioningserver/utils/network.py --- a/src/provisioningserver/utils/network.py
+++ b/src/provisioningserver/utils/network.py +++ b/src/provisioningserver/utils/network.py
@@ -1129,6 +1129,8 @@ def get_all_interfaces_definition( @@ -1128,6 +1128,8 @@ def get_all_interfaces_definition(
# interfaces for guests. By themselves, they're not useful for MAAS to # interfaces for guests. By themselves, they're not useful for MAAS to
# manage. # manage.
"tunnel", "tunnel",


@ -1,12 +1,12 @@
diff --git a/src/provisioningserver/drivers/power/redfish.py b/src/provisioningserver/drivers/power/redfish.py diff --git a/src/provisioningserver/drivers/power/redfish.py b/src/provisioningserver/drivers/power/redfish.py
index 334ea2ca8..f38b05b8c 100644 index 19d9ecd..0075997 100644
--- a/src/provisioningserver/drivers/power/redfish.py --- a/src/provisioningserver/drivers/power/redfish.py
+++ b/src/provisioningserver/drivers/power/redfish.py +++ b/src/provisioningserver/drivers/power/redfish.py
@@ -151,6 +151,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase): @@ -170,6 +170,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase):
make_setting_field("node_id", "Node ID", scope=SETTING_SCOPE.NODE), make_setting_field("node_id", "Node ID", scope=SETTING_SCOPE.NODE),
] ]
ip_extractor = make_ip_extractor("power_address") ip_extractor = make_ip_extractor("power_address")
+ wait_time = (4, 8, 16, 32) + wait_time = (4, 8, 16, 32)
def detect_missing_packages(self): def detect_missing_packages(self):
# no required packages # no required packages


@ -1,12 +1,12 @@
diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py
index 23e3e408e..8e3e5b772 100644 index 23e3e40..8e3e5b7 100644
--- a/src/twisted/web/server.py --- a/src/twisted/web/server.py
+++ b/src/twisted/web/server.py +++ b/src/twisted/web/server.py
@@ -178,7 +178,6 @@ class Request(Copyable, http.Request, components.Componentized): @@ -178,7 +178,6 @@ class Request(Copyable, http.Request, components.Componentized):
self.site = self.channel.site self.site = self.channel.site
# set various default headers # set various default headers
- self.setHeader(b'server', version) - self.setHeader(b'server', version)
self.setHeader(b'date', http.datetimeToString()) self.setHeader(b'date', http.datetimeToString())
# Resource Identification # Resource Identification


@ -18,7 +18,7 @@ ARG no_proxy
ENV DEBIAN_FRONTEND noninteractive ENV DEBIAN_FRONTEND noninteractive
ENV container docker ENV container docker
ENV MAAS_VERSION 1:3.0.1-10052-g.82c730c57-0ubuntu1~20.04.1 ENV MAAS_VERSION 1:3.2.9-12055-g.c3d5597a7-0ubuntu1~20.04.1
RUN apt-get -qq update \ RUN apt-get -qq update \
&& apt-get install -y \ && apt-get install -y \
@ -43,7 +43,7 @@ RUN apt-get -qq update \
-exec rm \{} \; \ -exec rm \{} \; \
&& systemctl set-default multi-user.target \ && systemctl set-default multi-user.target \
# Install maas from the ppa # Install maas from the ppa
&& add-apt-repository -yu ppa:maas/3.0 \ && add-apt-repository -yu ppa:maas/3.2 \
&& apt-get install -y \ && apt-get install -y \
maas-rack-controller=$MAAS_VERSION \ maas-rack-controller=$MAAS_VERSION \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
@ -56,20 +56,20 @@ COPY scripts/register-rack-controller.service /lib/systemd/system/register-rack-
RUN systemctl enable register-rack-controller.service RUN systemctl enable register-rack-controller.service
# Patch so that Calico interfaces are ignored # Patch so that Calico interfaces are ignored
COPY 3.0_nic_filter.patch /tmp/3.0_nic_filter.patch COPY 3.2_nic_filter.patch /tmp/3.2_nic_filter.patch
COPY 3.0_secure_headers.patch /tmp/3.0_secure_headers.patch COPY 3.2_secure_headers.patch /tmp/3.2_secure_headers.patch
# Patch so maas knows that "BMC error" is retriable # Patch so maas knows that "BMC error" is retriable
COPY 3.0_ipmi_error.patch /tmp/3.0_ipmi_error.patch COPY 3.2_ipmi_error.patch /tmp/3.2_ipmi_error.patch
# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC # Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
COPY 3.0_redfish_retries.patch /tmp/3.0_redfish_retries.patch COPY 3.2_redfish_retries.patch /tmp/3.2_redfish_retries.patch
# Patch to allow any recursion and cache queries # Patch to allow any recursion and cache queries
COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch COPY 3.2_allow_query.patch /tmp/3.2_allow_query.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.0_nic_filter.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.2_nic_filter.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.2_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.0_ipmi_error.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.2_ipmi_error.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.0_redfish_retries.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.2_redfish_retries.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.2_allow_query.patch
# echo journalctl logs to the container's stdout # echo journalctl logs to the container's stdout
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
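Review bot: The five `patch` lines applying the renamed `3.2_*.patch` files run with patch's default fuzz factor, so a hunk whose context only approximately matches after the 3.0 to 3.2 move can be applied at a wrong offset while the build still succeeds; the hunk headers in the 3.2 patches have all shifted (`@@ -283,7` to `@@ -308,7`, `@@ -151,6` to `@@ -170,6`), which is exactly the situation where this happens. Adding `--fuzz=0` makes any inexact match fail the image build, e.g. `RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch --fuzz=0 network.py < /tmp/3.2_nic_filter.patch`, and likewise for the other four lines. The comment `# Patch to allow any recursion and cache queries` is also the only description of a change that, as worded, makes the rack's BIND answer recursive queries from any client that can reach it; I would extend it to `# Patch to allow any recursion and cache queries (named answers every source that can reach the pod; bound exposure with NetworkPolicy)`, checked against the patch body, which this view does not show.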


@ -1,13 +0,0 @@
diff --git a/src/maasserver/models/partition.py b/src/maasserver/models/partition.py
index 62895f83b..832b1db4c 100644
--- a/src/maasserver/models/partition.py
+++ b/src/maasserver/models/partition.py
@@ -248,7 +248,7 @@ class Partition(CleanSave, TimestampedModel):
return idx + 1
elif arch == "ppc64el" and block_device.id == boot_disk.id:
return idx + 2
- elif arch == "amd64" and bios_boot_method != "uefi":
+ elif arch == "amd64" and bios_boot_method != "uefi" and block_device.id == boot_disk.id:
if block_device.type == "physical":
# Delay the `type` check because it can cause a query. Only
# physical block devices get the bios_grub partition.


@ -1,5 +1,5 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index d76fcfa9a..d198e90b9 100644 index d76fcfa..d198e90 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template --- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -13,8 +13,8 @@ empty-zones-enable no; @@ -13,8 +13,8 @@ empty-zones-enable no;


@ -0,0 +1,12 @@
diff --git a/src/maasserver/models/partition.py b/src/maasserver/models/partition.py
index 84a8fba..c62f25f 100644
--- a/src/maasserver/models/partition.py
+++ b/src/maasserver/models/partition.py
@@ -211,6 +211,7 @@ class Partition(CleanSave, TimestampedModel):
arch == "amd64"
and bios_boot_method != "uefi"
and block_device.type == "physical"
+ and block_device.id == boot_disk.id
)
if need_prep_partition or need_bios_grub:
index = 2
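Review bot: The new patch file carries no explanation of why the boot-disk condition is needed, and the reason is not recoverable from the hunk alone, so the next person upgrading MAAS will have to rediscover it. `patch` ignores text before the `diff --git` header, so a one-line rationale can go at the top of the file, e.g. `Only reserve a bios_grub partition on the boot disk for legacy-BIOS amd64; upstream reserves one on every physical disk.`, together with the Launchpad bug or ticket it works around if one exists. The added line also relies on `boot_disk` being bound earlier in the enclosing method of `Partition`, whose start is outside the hunk; the deleted 3.0 patch used `boot_disk.id` in a sibling branch, but the 3.2 context is not visible here, so please confirm the name is still in scope.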


@ -1,10 +1,10 @@
diff --git a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py diff --git a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
index 42e4c79e4..11df96313 100755 index 02e900d..411832a 100755
--- a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py --- a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
+++ b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py +++ b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
@@ -396,6 +396,29 @@ class IPMI(BMCConfig): @@ -184,6 +184,29 @@ class IPMIBase(BMCConfig):
return first_unused return first_unused
def add_bmc_user(self): def add_bmc_user(self):
+ """Create/configure an IPMI user, but with several tries""" + """Create/configure an IPMI user, but with several tries"""
+ attempt = 1 + attempt = 1
@ -32,7 +32,7 @@ index 42e4c79e4..11df96313 100755
if not self.username: if not self.username:
self.username = "maas" self.username = "maas"
user_number = self._pick_user_number(self.username) user_number = self._pick_user_number(self.username)
@@ -417,7 +440,7 @@ class IPMI(BMCConfig): @@ -205,7 +228,7 @@ class IPMIBase(BMCConfig):
if self._bmc_config[user_number].get(key) != value: if self._bmc_config[user_number].get(key) != value:
self._bmc_set(user_number, key, value) self._bmc_set(user_number, key, value)
except Exception: except Exception:
@ -41,12 +41,12 @@ index 42e4c79e4..11df96313 100755
else: else:
self.password = password self.password = password
# Not all user settings are available on all BMC keys, its # Not all user settings are available on all BMC keys, its
@@ -432,8 +455,6 @@ class IPMI(BMCConfig): @@ -220,8 +243,6 @@ class IPMIBase(BMCConfig):
"Yes", "Yes",
) )
return return
- print("ERROR: Unable to add BMC user!", file=sys.stderr) - print("ERROR: Unable to add BMC user!", file=sys.stderr)
- sys.exit(1) - sys.exit(1)
def _config_ipmi_lan_channel_settings(self): def _bmc_get_config(self, section=None):
"""Enable IPMI-over-Lan (Lan_Channel) if it is disabled""" """Fetch and cache all BMC settings."""
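Review bot: On the new side the patch still deletes `print("ERROR: Unable to add BMC user!", file=sys.stderr)` and `sys.exit(1)` at the end of `add_bmc_user`, so if the retry loop added above exhausts its attempts without raising, commissioning continues with no BMC user and nothing on stderr; the loop body is collapsed in this view, so whether it raises cannot be confirmed here. If the silent return is intentional (best-effort BMC enrolment), the docstring should say so, e.g. `"""Create/configure an IPMI user, retrying; gives up silently after the last attempt."""`; otherwise keep the stderr message after the loop so the failure is visible in the commissioning log. Note that in 3.2 the patched class is `IPMIBase` rather than `IPMI`, so any subclass that relied on the original hard exit is affected as well.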


@ -1,16 +1,15 @@
diff --git a/src/maasserver/preseed.py b/src/maasserver/preseed.py diff --git a/src/maasserver/preseed.py b/src/maasserver/preseed.py
index f9ba34a18..a9f41b9c2 100644 index c692969..c20facf 100644
--- a/src/maasserver/preseed.py --- a/src/maasserver/preseed.py
+++ b/src/maasserver/preseed.py +++ b/src/maasserver/preseed.py
@@ -232,7 +232,27 @@ def compose_curtin_kernel_preseed(node): @@ -250,7 +250,26 @@ def compose_curtin_kernel_preseed(node):
The BootResourceFile table contains a mapping between hwe kernels and if node.get_osystem() == "custom":
Ubuntu package names. If this mapping is missing we fall back to letting return []
Curtin figure out which kernel should be installed"""
+
+ # previous logic to retrieve kpackage parameter + # previous logic to retrieve kpackage parameter
kpackage = BootResource.objects.get_kpackage_for_node(node) kpackage = BootResource.objects.get_kpackage_for_node(node)
+ +
+ # determine if this node has kernel parameters applied by drydock + # determine if thie node has kernel parameters applied by drydock
+ # and override kpackage if we discover the right properties + # and override kpackage if we discover the right properties
+ kernel_opt_tag = "%s_kp" % (node.hostname) + kernel_opt_tag = "%s_kp" % (node.hostname)
+ if kernel_opt_tag in node.tag_names(): + if kernel_opt_tag in node.tag_names():
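Review bot: The comment on the new side reads `# determine if thie node has kernel parameters applied by drydock`, a typo the 3.0 version of the patch did not have; it should be `# determine if this node has kernel parameters applied by drydock`. Separately, the 3.2 context shows `if node.get_osystem() == "custom": return []` now sitting above the inserted block, so nodes deploying a custom OS appear never to reach the `<hostname>_kp` tag override; if that is intended, a short comment on the insertion saying the override applies only to non-custom images would save the next upgrader a question. `compose_curtin_kernel_preseed` continues past the end of the hunk.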


@ -1,5 +1,5 @@
diff --git a/src/maasserver/api/partitions.py b/src/maasserver/api/partitions.py diff --git a/src/maasserver/api/partitions.py b/src/maasserver/api/partitions.py
index 5a413fb3b..6a5ad8b47 100644 index dd1b431..235c03f 100644
--- a/src/maasserver/api/partitions.py --- a/src/maasserver/api/partitions.py
+++ b/src/maasserver/api/partitions.py +++ b/src/maasserver/api/partitions.py
@@ -99,7 +99,7 @@ class PartitionsHandler(OperationsHandler): @@ -99,7 +99,7 @@ class PartitionsHandler(OperationsHandler):


@ -1,17 +1,17 @@
diff --git a/src/maasserver/models/ownerdata.py b/src/maasserver/models/ownerdata.py diff --git a/src/maasserver/models/ownerdata.py b/src/maasserver/models/ownerdata.py
index 5d26041ca..0e208f264 100644 index 2cbaa9d..14eeb69 100644
--- a/src/maasserver/models/ownerdata.py --- a/src/maasserver/models/ownerdata.py
+++ b/src/maasserver/models/ownerdata.py +++ b/src/maasserver/models/ownerdata.py
@@ -18,7 +18,7 @@ from django.db.models import ( @@ -17,7 +17,7 @@ from django.db.models import (
from maasserver import DefaultMeta
from maasserver.models.cleansave import CleanSave from maasserver.models.cleansave import CleanSave
-DATA_KEY_RE = re.compile(r"[\w.-]+$") -DATA_KEY_RE = re.compile(r"[\w.-]+$")
+#DATA_KEY_RE = re.compile(r"[\w.-]+$") +#DATA_KEY_RE = re.compile(r"[\w.-]+$")
class OwnerDataManager(Manager): class OwnerDataManager(Manager):
@@ -33,8 +33,8 @@ class OwnerDataManager(Manager): @@ -32,8 +32,8 @@ class OwnerDataManager(Manager):
if value is None: if value is None:
to_remove.add(key) to_remove.add(key)
else: else:
@ -19,6 +19,6 @@ index 5d26041ca..0e208f264 100644
- raise ValueError("Invalid character in key name") - raise ValueError("Invalid character in key name")
+ # if not DATA_KEY_RE.match(key): + # if not DATA_KEY_RE.match(key):
+ # raise ValueError("Invalid character in key name") + # raise ValueError("Invalid character in key name")
self.update_or_create( self.update_or_create(
node=node, key=key, defaults={"value": value} node=node, key=key, defaults={"value": value}
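Review bot: The patch, now carried into 3.2, still removes owner-data key validation wholesale (`DATA_KEY_RE` and the `if not DATA_KEY_RE.match(key): raise ValueError(...)` check are commented out) when the stated goal is only to allow `/` in tag names; keys then reach `update_or_create` with no other check visible in the hunk. Widening the pattern keeps the guard while admitting the slash: `DATA_KEY_RE = re.compile(r"[\w./-]+$")` with the original `if not DATA_KEY_RE.match(key):` / `raise ValueError("Invalid character in key name")` lines left in place. The enclosing method of `OwnerDataManager` starts outside the hunk, so any other validation it performs is not visible here.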


@ -1,5 +1,5 @@
diff --git a/src/maasserver/security.py b/src/maasserver/security.py diff --git a/src/maasserver/security.py b/src/maasserver/security.py
index a9420e504..61c6f00c6 100644 index a9420e5..7973120 100644
--- a/src/maasserver/security.py --- a/src/maasserver/security.py
+++ b/src/maasserver/security.py +++ b/src/maasserver/security.py
@@ -96,11 +96,11 @@ def get_shared_secret_txn(): @@ -96,11 +96,11 @@ def get_shared_secret_txn():
@ -16,6 +16,5 @@ index a9420e504..61c6f00c6 100644
+ # secret and set it in the database (set_config function) + # secret and set it in the database (set_config function)
+ secret = secret_on_fs + secret = secret_on_fs
+ Config.objects.set_config("rpc_shared_secret", to_hex(secret)) + Config.objects.set_config("rpc_shared_secret", to_hex(secret))
return secret return secret


@ -1,13 +1,17 @@
diff --git a/src/maasserver/preseed_network.py b/src/maasserver/preseed_network.py diff --git a/src/maasserver/preseed_network.py b/src/maasserver/preseed_network.py
index 3851424fc..8bfa90e7d 100644 index 7660feb..dae412d 100644
--- a/src/maasserver/preseed_network.py --- a/src/maasserver/preseed_network.py
+++ b/src/maasserver/preseed_network.py +++ b/src/maasserver/preseed_network.py
@@ -309,7 +309,7 @@ class InterfaceConfiguration: @@ -308,7 +308,11 @@ class InterfaceConfiguration:
def _get_matching_routes(self, source): def _get_matching_routes(self, source):
"""Return all route objects matching `source`.""" """Return all route objects matching `source`."""
- return {route for route in self.routes if route.source == source} - return {route for route in self.routes if route.source == source}
+ return {route for route in self.routes if str(route.source.cidr) == str(source.cidr)} + return {
+ route
+ for route in self.routes
+ if str(route.source.cidr) == str(source.cidr)
+ }
def _generate_addresses(self, version=1): def _generate_addresses(self, version=1):
"""Generate the various addresses needed for this interface.""" """Generate the various addresses needed for this interface."""


@ -1,12 +1,12 @@
diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py
index 23e3e408e..8e3e5b772 100644 index 23e3e40..8e3e5b7 100644
--- a/src/twisted/web/server.py --- a/src/twisted/web/server.py
+++ b/src/twisted/web/server.py +++ b/src/twisted/web/server.py
@@ -178,7 +178,6 @@ class Request(Copyable, http.Request, components.Componentized): @@ -178,7 +178,6 @@ class Request(Copyable, http.Request, components.Componentized):
self.site = self.channel.site self.site = self.channel.site
# set various default headers # set various default headers
- self.setHeader(b'server', version) - self.setHeader(b'server', version)
self.setHeader(b'date', http.datetimeToString()) self.setHeader(b'date', http.datetimeToString())
# Resource Identification # Resource Identification


@ -18,7 +18,7 @@ ARG no_proxy
ENV DEBIAN_FRONTEND noninteractive ENV DEBIAN_FRONTEND noninteractive
ENV container docker ENV container docker
ENV MAAS_VERSION 1:3.0.1-10052-g.82c730c57-0ubuntu1~20.04.1 ENV MAAS_VERSION 1:3.2.9-12055-g.c3d5597a7-0ubuntu1~20.04.1
RUN apt-get -qq update \ RUN apt-get -qq update \
&& apt-get install -y \ && apt-get install -y \
@ -41,7 +41,7 @@ RUN apt-get -qq update \
-exec rm \{} \; \ -exec rm \{} \; \
&& systemctl set-default multi-user.target \ && systemctl set-default multi-user.target \
# Install maas from the ppa # Install maas from the ppa
&& add-apt-repository -yu ppa:maas/3.0 \ && add-apt-repository -yu ppa:maas/3.2 \
&& apt-get install -y \ && apt-get install -y \
maas-region-api=$MAAS_VERSION \ maas-region-api=$MAAS_VERSION \
# tcpdump is required by /usr/lib/maas/beacon-monitor # tcpdump is required by /usr/lib/maas/beacon-monitor
@ -52,32 +52,32 @@ RUN apt-get -qq update \
RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
# MAAS workarounds # MAAS workarounds
COPY 3.0_route.patch /tmp/3.0_route.patch COPY 3.2_route.patch /tmp/3.2_route.patch
COPY 3.0_kernel_package.patch /tmp/3.0_kernel_package.patch COPY 3.2_kernel_package.patch /tmp/3.2_kernel_package.patch
COPY 3.0_bios_grub_partition.patch /tmp/3.0_bios_grub_partition.patch COPY 3.2_bios_grub_partition.patch /tmp/3.2_bios_grub_partition.patch
# sh8121att: allow all requests via the proxy to allow it to work # sh8121att: allow all requests via the proxy to allow it to work
# behind ingress # behind ingress
COPY 3.0_proxy_acl.patch /tmp/3.0_proxy_acl.patch COPY 3.2_proxy_acl.patch /tmp/3.2_proxy_acl.patch
# Patch to add retrying to MaaS BMC user setup, and improve exception handling # Patch to add retrying to MaaS BMC user setup, and improve exception handling
COPY 3.0_configure_ipmi_user.patch /tmp/3.0_configure_ipmi_user.patch COPY 3.2_configure_ipmi_user.patch /tmp/3.2_configure_ipmi_user.patch
COPY 3.0_secure_headers.patch /tmp/3.0_secure_headers.patch COPY 3.2_secure_headers.patch /tmp/3.2_secure_headers.patch
COPY 3.0_region_secret_rotate.patch /tmp/3.0_region_secret_rotate.patch COPY 3.2_region_secret_rotate.patch /tmp/3.2_region_secret_rotate.patch
COPY 3.0_partitiontable_does_not_exist.patch /tmp/3.0_partitiontable_does_not_exist.patch COPY 3.2_partitiontable_does_not_exist.patch /tmp/3.2_partitiontable_does_not_exist.patch
# Allow tags with '/' symbols # Allow tags with '/' symbols
COPY 3.0_regex_tags.patch /tmp/3.0_regex_tags.patch COPY 3.2_regex_tags.patch /tmp/3.2_regex_tags.patch
# Patch to allow any recursion and cache queries # Patch to allow any recursion and cache queries
COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch COPY 3.2_allow_query.patch /tmp/3.2_allow_query.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.0_route.patch RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.2_route.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.0_kernel_package.patch RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.2_kernel_package.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/3.0_bios_grub_partition.patch RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/3.2_bios_grub_partition.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch security.py < /tmp/3.0_region_secret_rotate.patch RUN cd /usr/lib/python3/dist-packages/maasserver && patch security.py < /tmp/3.2_region_secret_rotate.patch
RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.0_configure_ipmi_user.patch RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.2_configure_ipmi_user.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.0_proxy_acl.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.2_proxy_acl.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.2_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.0_partitiontable_does_not_exist.patch RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.2_partitiontable_does_not_exist.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.0_regex_tags.patch RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.2_regex_tags.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.2_allow_query.patch
# echo journalctl logs to the container's stdout # echo journalctl logs to the container's stdout
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
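Review bot: The `# MAAS workarounds` comment gives no per-patch description for `3.2_route.patch`, `3.2_kernel_package.patch` and `3.2_bios_grub_partition.patch`, unlike every other patch in this file, and the patch files themselves carry no rationale. From their contents I would add `# 3.2_route.patch: match routes by source CIDR string instead of object equality`, `# 3.2_kernel_package.patch: let a "<hostname>_kp" tag set by drydock override the kernel package` and `# 3.2_bios_grub_partition.patch: reserve a bios_grub partition only on the boot disk`. The `3.2_proxy_acl.patch` comment ("allow all requests via the proxy") deserves an explicit caveat that the squid ACL then accepts any source and that exposure is bounded only by the ingress and network policy, with the exact ACL confirmed against the patch body, which is not shown here. The ten `patch` lines also run with patch's default fuzz; `--fuzz=0` would make a hunk that only approximately matches after the version move fail the build instead of landing at the wrong offset.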