Upgrade MAAS to v3.2

Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com>
Change-Id: If5fffa59f547d4b19d7c0f086204800e9144d952

.gitignore

@@ -1,3 +1,5 @@
 # Distribution / packaging
 build/
 *.tgz
+charts/deps/
+!charts/deps/.gitkeep

charts/maas/Chart.yaml

@@ -15,7 +15,8 @@
 apiVersion: v1
 description: Chart to run Canonical MaaS
 name: maas
-version: 0.1.5
+version: 0.1.6
+appVersion: 3.2.9
 home: https://docs.ubuntu.com/maas
 sources:
   - https://git.launchpad.net/maas

charts/maas/requirements.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-toolkit
+  repository: file://../deps/helm-toolkit
+  version: 0.2.54
+digest: sha256:ffbfe5c88704dc3f39eaea0b97f2355de43e9667bec2385bd1a0bc5771ff32f3
+generated: "2023-08-11T09:29:34.123882-04:00"

charts/maas/templates/bin/_enable-tls.sh.tpl

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+maas config-tls enable --yes --port 5240 --cacert /etc/maas/ssl/ca.crt /etc/maas/ssl/tls.key /etc/maas/ssl/tls.crt

charts/maas/templates/bin/_import-boot-resources.sh.tpl

@@ -26,15 +26,13 @@ function timer {
 	retry_wait=$1
 	shift
 
-  while [[ ${JOB_TIMEOUT} -gt 0 ]]
-  do
+	while [[ ${JOB_TIMEOUT} -gt 0 ]]; do
 		"$@"
 		rc=$?
-    if [ $rc -eq 0 ]
-    then
+		if [ $rc -eq 0 ]; then
 			return $rc
 		else
-      JOB_TIMEOUT=$(($JOB_TIMEOUT - $retry_wait))
+			JOB_TIMEOUT=$((JOB_TIMEOUT - retry_wait))
 			sleep $retry_wait
 		fi
 	done
@@ -46,8 +44,7 @@ function import_resources {
 	check_for_download
 	rc=$?
 
-  if [ $rc -ne 0 ]
-  then
+	if [ $rc -ne 0 ]; then
 		echo "Starting image import try ${import_tries}..."
 		maas ${ADMIN_USERNAME} boot-resources import
 		sleep 30
@@ -63,14 +60,12 @@ function start_import {
 }
 
 function check_for_download {
-  if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true';
-  then
+	if maas ${ADMIN_USERNAME} boot-resources is-importing | grep -q 'true'; then
 		echo -e '\nBoot resources currently importing\n'
 		return 1
 	else
-    synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq ".[] | select( .type | contains(\"Synced\")) | .name " | grep -c $MAAS_DEFAULT_DISTRO)
-    if [[ $synced_imgs -gt 0 ]]
-    then
+		synced_imgs=$(maas ${ADMIN_USERNAME} boot-resources read | tail -n +1 | jq '.[] | select( .type | contains("Synced")) | .name ' | grep -c $MAAS_DEFAULT_DISTRO)
+		if [[ $synced_imgs -gt 0 ]]; then
 			echo 'Boot resources have completed importing'
 			return 0
 		else
@@ -87,8 +82,7 @@ function check_then_set_single {
 	cur_val=$(maas ${ADMIN_USERNAME} maas get-config name=${option} | tail -1 | tr -d '"')
 	desired_val=$(echo ${value} | tr -d '"')
 
-  if [[ $cur_val != $desired_val ]]
-  then
+	if [[ $cur_val != $desired_val ]]; then
 		echo "Setting MAAS option ${option} to ${desired_val}"
 		maas ${ADMIN_USERNAME} maas set-config name=${option} value=${desired_val}
 		return $?
@@ -114,18 +108,15 @@ function check_for_rack_sync_single {
 	sync_list=""
 
 	rack_list=$(get_active_rack_controllers)
-  for rack_id in ${rack_list}
-  do
+	for rack_id in ${rack_list}; do
 		selected_imgs=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq ".images[] | select( .name | contains(\"${MAAS_DEFAULT_DISTRO}\")) | .name")
 		synced_ctlr=$(maas ${ADMIN_USERNAME} rack-controller list-boot-images ${rack_id} | tail -n +1 | jq '.status == "synced"')
-    if [[ $synced_ctlr == "true" && ! -z ${selected_imgs} ]]
-    then
+		if [[ $synced_ctlr == "true" && -n ${selected_imgs} ]]; then
 			sync_list=$(echo -e "${sync_list}\n${rack_id}" | sort | uniq)
 		else
 			maas ${ADMIN_USERNAME} rack-controller import-boot-images ${rack_id}
 		fi
-    if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$' ) == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]]
-    then
+		if [[ $(echo -e "${rack_list}" | sort | uniq | grep -v '^$') == $(echo -e "${sync_list}" | sort | uniq | grep -v '^$') ]]; then
 			return 0
 		fi
 	done
@@ -161,8 +152,7 @@ function configure_syslog {
 function configure_images {
 	check_for_rack_sync
 
-  if [[ $? -eq 124 ]]
-  then
+	if [[ $? -eq 124 ]]; then
 		echo "Timed out waiting for rack controller sync."
 		return 1
 	fi
@@ -174,15 +164,13 @@ function configure_images {
 }
 
 function configure_boot_sources {
-  if [[ $USE_IMAGE_CACHE == 'true' ]]
-  then
+	if [[ $USE_IMAGE_CACHE == 'true' ]]; then
 		maas ${ADMIN_USERNAME} boot-source update 1 url=http://localhost:8888/maas/images/ephemeral-v3/daily/
 	fi
 
 	selected_releases="$(maas ${ADMIN_USERNAME} boot-source-selections read 1 | jq -r '.[] | .release')"
 
-  if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}"
-  then
+	if ! echo "${selected_releases}" | grep -q "${MAAS_DEFAULT_DISTRO}"; then
 		# Need to start an import to get the availability data
 		maas "$ADMIN_USERNAME" boot-resources import
 		if ! maas ${ADMIN_USERNAME} boot-source-selections create 1 os="${MAAS_DEFAULT_OS}" \
@@ -224,11 +212,14 @@ function configure_extra_settings {
 
 function maas_login {
 	KEY=$(maas-region apikey --username=${ADMIN_USERNAME})
-  if [ -z "$KEY" ]
-  then
+	if [ -z "$KEY" ]; then
 		return 1
 	fi
+	{{- if .Values.conf.maas.tls.enabled }}
+	maas login --cacerts /usr/local/share/ca-certificates/maas-ca.crt ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY
+	{{- else }}
 	maas login ${ADMIN_USERNAME} ${MAAS_ENDPOINT} $KEY
+	{{- end }}
 	return $?
 }
 
@@ -245,8 +236,7 @@ create_extra_commissioning_script
 timer "$RETRY_TIMER" configure_boot_sources
 start_import
 
-if [[ $? -eq 0 ]]
-then
+if [[ $? -eq 0 ]]; then
 	configure_images
 else
 	echo "Image import FAILED!"

charts/maas/templates/bin/_maas-test.sh.tpl

@@ -18,14 +18,12 @@
 set -ex
 
 function check_boot_images {
-    if maas local boot-resources is-importing | grep -q 'true';
-    then
+	if maas local boot-resources is-importing | grep -q 'true'; then
 		echo -e '\nBoot resources currently importing\n'
 		return 1
 	else
 		synced_imgs=$(maas local boot-resources read | tr -d '\n' | grep -oE '{[^}]+}' | grep ubuntu | grep -c Synced)
-        if [[ $synced_imgs -gt 0 ]]
-        then
+		if [[ $synced_imgs -gt 0 ]]; then
 			echo 'Boot resources have completed importing'
 			return 0
 		else
@@ -36,8 +34,7 @@ function check_boot_images {
 
 function check_rack_controllers {
 	rack_cnt=$(maas local rack-controllers read | grep -c hostname)
-    if [[ $rack_cnt -gt 0 ]]
-    then
+	if [[ $rack_cnt -gt 0 ]]; then
 		echo "Found $rack_cnt rack controllers."
 		return 0
 	else
@@ -46,8 +43,7 @@ function check_rack_controllers {
 }
 
 function check_admin_api {
-    if maas local version read;
-    then
+	if maas local version read; then
 		echo 'Admin API is responding'
 		return 0
 	else
@@ -56,38 +52,38 @@ function check_admin_api {
 }
 
 function establish_session {
+	{{- if .Values.conf.maas.tls.enabled }}
+	maas login --cacerts /usr/local/share/ca-certificates/maas-ca.crt local ${MAAS_URL} ${MAAS_API_KEY}
+	{{- else }}
 	maas login local ${MAAS_URL} ${MAAS_API_KEY}
+	{{- end }}
 	return $?
 }
 
 establish_session
 
-if [[ $? -ne 0 ]]
-then
+if [[ $? -ne 0 ]]; then
 	echo "MAAS API login FAILED!"
 	exit 1
 fi
 
 check_boot_images
 
-if [[ $? -eq 1 ]]
-then
+if [[ $? -eq 1 ]]; then
 	echo "Image import test FAILED!"
 	exit 1
 fi
 
 check_rack_controllers
 
-if [[ $? -eq 1 ]]
-then
+if [[ $? -eq 1 ]]; then
 	echo "Rack controller query FAILED!"
 	exit 1
 fi
 
 check_admin_api
 
-if [[ $? -eq 1 ]]
-then
+if [[ $? -eq 1 ]]; then
 	echo "Admin API response FAILED!"
 	exit 1
 fi

charts/maas/templates/certificate-maas-ingress.yaml

@@ -0,0 +1,32 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled .Values.cert_manager.create }}
+{{- $envAll := . }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.secrets.maas_ingress_cert }}
+spec:
+  secretName: {{ .Values.secrets.maas_ingress_cert }}
+  commonName: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+  issuerRef:
+    kind: {{ .Values.cert_manager.issuer.kind }}
+    name: {{ .Values.cert_manager.issuer.name }}
+  dnsNames:
+    - {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{ end }}

charts/maas/templates/certificate-maas.yaml

@@ -0,0 +1,35 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create .Values.cert_manager.enabled }}
+{{- $envAll := . }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.secrets.maas_cert }}
+spec:
+  secretName: {{ .Values.secrets.maas_cert }}
+  commonName: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+  issuerRef:
+    kind: {{ .Values.cert_manager.issuer.kind }}
+    name: {{ .Values.cert_manager.issuer.name }}
+  dnsNames:
+    - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+    - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}
+    - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc
+    - {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}.{{ .Release.Namespace }}.svc.cluster.local
+{{ end }}

charts/maas/templates/configmap-bin.yaml

@@ -49,3 +49,7 @@ data:
 {{ tuple "bin/_maas-vip-configure.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   start-syslog.sh: |
 {{ tuple "bin/_start-syslog.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- if .Values.conf.maas.tls.enabled }}
+  enable-tls.sh: |
+{{ tuple "bin/_enable-tls.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{ end }}

charts/maas/templates/deployment-ingress-errors.yaml

@@ -15,7 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
-{{- if .Values.manifests.rack_statefulset }}
+{{- if and .Values.manifests.maas_ingress .Values.manifests.rack_statefulset }}
 {{- $envAll := . }}
 {{- $labels := tuple $envAll "maas" "ingress-errors" | include "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
 {{- $serviceAccountName := "maas-ingress-errors" }}

charts/maas/templates/ingress-region.yaml

@@ -20,8 +20,17 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: maas-region-api
+  metadata:
+    annotations:
+{{ toYaml .Values.network.region_api.ingress.annotations | indent 8 }}
 spec:
   ingressClassName: {{ .Values.network.region_api.ingress.classes.cluster | quote }}
+{{- if .Values.conf.maas.tls.enabled }}
+  tls:
+    - secretName: maas-region-api-tls
+      hosts:
+        - {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{ end }}
   rules:
     - host: {{ tuple "maas_region" "public" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
       http:

charts/maas/templates/job-enable-tls.yaml

@@ -0,0 +1,79 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.conf.maas.tls.enabled }}
+{{- $envAll := . }}
+{{- $serviceAccountName := "maas-enable-tls" }}
+{{ tuple $envAll "enable_tls" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: maas-enable-tls
+  labels:
+{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+  annotations:
+    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "maas" "enable-tls" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+{{ dict "envAll" $envAll "podName" "maas-enable-tls" "containerNames" (list "init" "maas-enable-tls") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
+    spec:
+{{ dict "envAll" $envAll "application" "enable_tls" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+      serviceAccountName: {{ $serviceAccountName }}
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
+      initContainers:
+{{ tuple $envAll "enable_tls" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: maas-enable-tls
+          image: {{ .Values.images.tags.enable_tls }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.enable_tls | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "enable_tls" "container" "maas_enable_tls" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          command:
+            - /tmp/enable-tls.sh
+          volumeMounts:
+            - name: maas-bin
+              mountPath: /tmp/enable-tls.sh
+              subPath: enable-tls.sh
+              readOnly: true
+            - name: maas-etc
+              mountPath: /etc/maas/regiond.conf
+              subPath: regiond.conf
+              readOnly: true
+            - name: maas-tls
+              mountPath: /etc/maas/ssl
+              readOnly: true
+      volumes:
+        - name: maas-bin
+          configMap:
+            name: maas-bin
+            defaultMode: 0555
+        - name: maas-etc
+          configMap:
+            name: maas-etc
+            defaultMode: 0444
+        - name: maas-tls
+          secret:
+            secretName: {{ .Values.secrets.maas_cert }}
+            defaultMode: 0444
+{{ end }}

charts/maas/templates/job-import.yaml

@@ -116,6 +116,12 @@ spec:
               mountPath: /etc/maas/regiond.conf
               subPath: regiond.conf
               readOnly: true
+{{- if .Values.conf.maas.tls.enabled }}
+            - name: ca-cert
+              mountPath: /usr/local/share/ca-certificates/maas-ca.crt
+              subPath: maas-ca.crt
+              readOnly: true
+{{ end }}
       volumes:
         - name: maas-bin
           configMap:
@@ -125,3 +131,11 @@ spec:
           configMap:
             name: maas-etc
             defaultMode: 0444
+{{- if .Values.conf.maas.tls.enabled }}
+        - name: ca-cert
+          secret:
+            secretName: {{ .Values.secrets.maas_cert }}
+            items:
+              - key: ca.crt
+                path: maas-ca.crt
+{{ end }}

charts/maas/templates/secret-maas-tls.yaml

@@ -0,0 +1,29 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.conf.maas.tls.enabled .Values.conf.maas.tls.create (eq .Values.cert_manager.enabled false) }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.secrets.certificate }}
+type: kubernetes/tls
+data:
+  ca.crt: {{ .Values.conf.maas.tls.ca | b64enc }}
+  tls.crt: {{ .Values.conf.maas.tls.cert | b64enc }}
+  tls.key: {{ .Values.conf.maas.tls.key | b64enc }}
+{{ end }}

charts/maas/templates/service-ingress-headless.yaml

@@ -24,6 +24,10 @@ spec:
   ports:
     - name: http
       port: 80
+{{- if .Values.conf.maas.tls.enabled }}
+    - name: https
+      port: 443
+{{- end }}
   selector:
 {{ tuple . "maas" "ingress" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 ...

charts/maas/templates/statefulset-rack.yaml

@@ -155,6 +155,12 @@ spec:
               mountPath: /etc/bind/named.conf.options
               subPath: named.conf.options
               readOnly: true
+{{- if .Values.conf.maas.tls.enabled }}
+            - name: ca-cert
+              mountPath: /usr/local/share/ca-certificates/maas-ca.crt
+              subPath: maas-ca.crt
+              readOnly: true
+{{ end }}
 {{ if $mounts_maas_rack.volumeMounts }}{{ toYaml $mounts_maas_rack.volumeMounts | indent 12 }}{{ end }}
       volumes:
 {{- if not .Values.conf.maas.cgroups.disable_cgroups_rack }}
@@ -185,6 +191,14 @@ spec:
           configMap:
             name: maas-etc
             defaultMode: 0444
+{{- if .Values.conf.maas.tls.enabled }}
+        - name: ca-cert
+          secret:
+            secretName: {{ .Values.secrets.maas_cert }}
+            items:
+              - key: ca.crt
+                path: maas-ca.crt
+{{ end }}
 {{ if $mounts_maas_rack.volumes }}{{ toYaml $mounts_maas_rack.volumes | indent 8 }}{{ end }}
   volumeClaimTemplates:
     - metadata:

charts/maas/templates/statefulset-region.yaml

@@ -179,6 +179,12 @@ spec:
               mountPath: /etc/default/bind9
               subPath: named
               readOnly: true
+{{- if .Values.conf.maas.tls.enabled }}
+            - name: ca-cert
+              mountPath: /usr/local/share/ca-certificates/maas-ca.crt
+              subPath: maas-ca.crt
+              readOnly: true
+{{ end }}
 {{- if $mounts_maas_region.volumeMounts }}{{ toYaml $mounts_maas_region.volumeMounts | indent 12 }}{{ end }}
       volumes:
 {{- if not .Values.conf.maas.cgroups.disable_cgroups_region }}
@@ -203,6 +209,14 @@ spec:
         - name: maas-region-secret
           secret:
             secretName: {{ .Values.secrets.maas_region.name }}
+{{- if .Values.conf.maas.tls.enabled }}
+        - name: ca-cert
+          secret:
+            secretName: {{ .Values.secrets.maas_cert }}
+            items:
+              - key: ca.crt
+                path: maas-ca.crt
+{{ end }}
 {{- if $mounts_maas_region.volumes }}{{ toYaml $mounts_maas_region.volumes | indent 8 }}{{ end }}
 {{- if .Values.manifests.maas_syslog }}
   volumeClaimTemplates:

charts/maas/templates/tests/test-maas-init.yaml

@@ -38,7 +38,11 @@ spec:
     - name: maas-api-test
       env:
         - name: 'MAAS_URL'
-          value: {{ tuple "maas_region" "internal" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- if empty .Values.conf.maas.url.maas_url }}
+          value: {{ tuple "maas_region" "public" "region_api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- else }}
+          value: {{ .Values.conf.maas.url.maas_url }}
+{{- end }}
         - name: 'MAAS_API_KEY'
           valueFrom:
             secretKeyRef:
@@ -54,10 +58,24 @@ spec:
           mountPath: /tmp/maas-test.sh
           subPath: maas-test.sh
           readOnly: true
+{{- if .Values.conf.maas.tls.enabled }}
+        - name: ca-cert
+          mountPath: /usr/local/share/ca-certificates/maas-ca.crt
+          subPath: maas-ca.crt
+          readOnly: true
+{{ end }}
   volumes:
     - name: maas-bin
       configMap:
         name: maas-bin
         defaultMode: 0555
+{{- if .Values.conf.maas.tls.enabled }}
+    - name: ca-cert
+      secret:
+        secretName: {{ .Values.secrets.maas_cert }}
+        items:
+          - key: ca.crt
+            path: maas-ca.crt
+{{ end }}
 ...
 {{- end }}

charts/maas/values.yaml

@@ -74,6 +74,12 @@ dependencies:
           endpoint: internal
         - service: maas_ingress
           endpoint: monitor
+    enable_tls:
+      jobs:
+        - maas-bootstrap-admin-user
+      services:
+        - service: maas_region
+          endpoint: internal
 
 network_policy:
   maas:
@@ -108,6 +114,7 @@ images:
     ingress_vip: docker.io/busybox:latest
     error_pages: gcr.io/google_containers/ingress-gce-404-server-with-metrics-amd64:v1.6.0
     maas_syslog: quay.io/airshipit/maas-region-controller:latest
+    enable_tls: quay.io/airshipit/maas-region-controller:latest
   pull_policy: IfNotPresent
   local_registry:
     # TODO(portdirect): this chart does not yet support local image cacheing
@@ -263,8 +270,8 @@ conf:
       proxy_server: null
     images:
       default_os: 'ubuntu'
-      default_image: 'bionic'
-      default_kernel: 'ga-18.04'
+      default_image: 'focal'
+      default_kernel: 'ga-20.04'
     credentials:
       secret:
         namespace: maas
@@ -294,6 +301,12 @@ conf:
     # system user for console login/recovery in early phases of deployment
     system_user: 'root'
     system_passwd: 'password'
+    tls:
+      enabled: false
+      create: false
+      ca: ""
+      cert: ""
+      key: ""
   drivers: null
   #### If you populates drivers, it will replace the 3rd party driver
   #### info that comes with MaaS. see structure below if it is needed
@@ -341,6 +354,8 @@ secrets:
     name: maas-region-secret
     value: 3858f62230ac3c915f300c664312c63f
   ssh_key: ssh-private-key
+  maas_cert: maas-region-api-tls
+  maas_ingress_cert: maas-region-api-ingress-tls
 
 pod:
   mandatory_access_control:
@@ -659,7 +674,6 @@ endpoints:
       syslog:
         public: 514
         podport: 514
-
   maas_db:
     auth:
       admin:
@@ -722,3 +736,10 @@ endpoints:
       default: http
     host_fqdn_override:
       default: null
+
+cert_manager:
+  enabled: false
+  create: false
+  issuer:
+    kind: ClusterIssuer
+    name: ca-issuer

images/maas-rack-controller-focal/3.2_allow_query.patch

@@ -1,5 +1,5 @@
 diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
-index d76fcfa9a..d198e90b9 100644
+index d76fcfa..d198e90 100644
 --- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
 +++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
 @@ -13,8 +13,8 @@ empty-zones-enable no;

images/maas-rack-controller-focal/3.2_ipmi_error.patch

@@ -1,5 +1,5 @@
 diff --git a/src/provisioningserver/drivers/power/ipmi.py b/src/provisioningserver/drivers/power/ipmi.py
-index acf284e9d..edcaf9e41 100644
+index 70201e8..26625e2 100644
 --- a/src/provisioningserver/drivers/power/ipmi.py
 +++ b/src/provisioningserver/drivers/power/ipmi.py
 @@ -155,6 +155,13 @@ IPMI_ERRORS = {
@@ -16,7 +16,7 @@ index acf284e9d..edcaf9e41 100644
      "could not find inband device": {
          "message": (
              "An inband device could not be found."
-@@ -283,7 +290,7 @@ class IPMIPowerDriver(PowerDriver):
+@@ -308,7 +315,7 @@ class IPMIPowerDriver(PowerDriver):
          ),
      ]
      ip_extractor = make_ip_extractor("power_address")

images/maas-rack-controller-focal/3.2_nic_filter.patch

@@ -1,8 +1,8 @@
 diff --git a/src/provisioningserver/utils/network.py b/src/provisioningserver/utils/network.py
-index d8c781e38..3d2e6264c 100644
+index 7895227..0f665ad 100644
 --- a/src/provisioningserver/utils/network.py
 +++ b/src/provisioningserver/utils/network.py
-@@ -1129,6 +1129,8 @@ def get_all_interfaces_definition(
+@@ -1128,6 +1128,8 @@ def get_all_interfaces_definition(
          # interfaces for guests. By themselves, they're not useful for MAAS to
          # manage.
          "tunnel",

images/maas-rack-controller-focal/3.2_redfish_retries.patch

@@ -1,8 +1,8 @@
 diff --git a/src/provisioningserver/drivers/power/redfish.py b/src/provisioningserver/drivers/power/redfish.py
-index 334ea2ca8..f38b05b8c 100644
+index 19d9ecd..0075997 100644
 --- a/src/provisioningserver/drivers/power/redfish.py
 +++ b/src/provisioningserver/drivers/power/redfish.py
-@@ -151,6 +151,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase):
+@@ -170,6 +170,7 @@ class RedfishPowerDriver(RedfishPowerDriverBase):
          make_setting_field("node_id", "Node ID", scope=SETTING_SCOPE.NODE),
      ]
      ip_extractor = make_ip_extractor("power_address")

images/maas-rack-controller-focal/3.2_secure_headers.patch

@@ -1,5 +1,5 @@
 diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py
-index 23e3e408e..8e3e5b772 100644
+index 23e3e40..8e3e5b7 100644
 --- a/src/twisted/web/server.py
 +++ b/src/twisted/web/server.py
 @@ -178,7 +178,6 @@ class Request(Copyable, http.Request, components.Componentized):

images/maas-rack-controller-focal/Dockerfile

@@ -18,7 +18,7 @@ ARG no_proxy
 ENV DEBIAN_FRONTEND noninteractive
 ENV container docker
 
-ENV MAAS_VERSION 1:3.0.1-10052-g.82c730c57-0ubuntu1~20.04.1
+ENV MAAS_VERSION 1:3.2.9-12055-g.c3d5597a7-0ubuntu1~20.04.1
 
 RUN apt-get -qq update \
  && apt-get install -y \
@@ -43,7 +43,7 @@ RUN apt-get -qq update \
          -exec rm \{} \; \
  && systemctl set-default multi-user.target \
 # Install maas from the ppa
- && add-apt-repository -yu ppa:maas/3.0 \
+ && add-apt-repository -yu ppa:maas/3.2 \
  && apt-get install -y \
         maas-rack-controller=$MAAS_VERSION \
  && rm -rf /var/lib/apt/lists/*
@@ -56,20 +56,20 @@ COPY scripts/register-rack-controller.service /lib/systemd/system/register-rack-
 RUN systemctl enable register-rack-controller.service
 
 # Patch so that Calico interfaces are ignored
-COPY 3.0_nic_filter.patch /tmp/3.0_nic_filter.patch
-COPY 3.0_secure_headers.patch /tmp/3.0_secure_headers.patch
+COPY 3.2_nic_filter.patch /tmp/3.2_nic_filter.patch
+COPY 3.2_secure_headers.patch /tmp/3.2_secure_headers.patch
 # Patch so maas knows that "BMC error" is retriable
-COPY 3.0_ipmi_error.patch /tmp/3.0_ipmi_error.patch
+COPY 3.2_ipmi_error.patch /tmp/3.2_ipmi_error.patch
 # Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
-COPY 3.0_redfish_retries.patch /tmp/3.0_redfish_retries.patch
+COPY 3.2_redfish_retries.patch /tmp/3.2_redfish_retries.patch
 # Patch to allow any recursion and cache queries
-COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch
+COPY 3.2_allow_query.patch /tmp/3.2_allow_query.patch
 
-RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.0_nic_filter.patch
-RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch
-RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.0_ipmi_error.patch
-RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.0_redfish_retries.patch
-RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.2_nic_filter.patch
+RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.2_secure_headers.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.2_ipmi_error.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.2_redfish_retries.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.2_allow_query.patch
 
 # echo journalctl logs to the container's stdout
 COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service

images/maas-region-controller-focal/3.0_bios_grub_partition.patch

@@ -1,13 +0,0 @@
-diff --git a/src/maasserver/models/partition.py b/src/maasserver/models/partition.py
-index 62895f83b..832b1db4c 100644
---- a/src/maasserver/models/partition.py
-+++ b/src/maasserver/models/partition.py
-@@ -248,7 +248,7 @@ class Partition(CleanSave, TimestampedModel):
-                     return idx + 1
-             elif arch == "ppc64el" and block_device.id == boot_disk.id:
-                 return idx + 2
--            elif arch == "amd64" and bios_boot_method != "uefi":
-+            elif arch == "amd64" and bios_boot_method != "uefi" and block_device.id == boot_disk.id:
-                 if block_device.type == "physical":
-                     # Delay the `type` check because it can cause a query. Only
-                     # physical block devices get the bios_grub partition.

images/maas-region-controller-focal/3.2_allow_query.patch

@@ -1,5 +1,5 @@
 diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
-index d76fcfa9a..d198e90b9 100644
+index d76fcfa..d198e90 100644
 --- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
 +++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
 @@ -13,8 +13,8 @@ empty-zones-enable no;

images/maas-region-controller-focal/3.2_bios_grub_partition.patch

@@ -0,0 +1,12 @@
+diff --git a/src/maasserver/models/partition.py b/src/maasserver/models/partition.py
+index 84a8fba..c62f25f 100644
+--- a/src/maasserver/models/partition.py
++++ b/src/maasserver/models/partition.py
+@@ -211,6 +211,7 @@ class Partition(CleanSave, TimestampedModel):
+                 arch == "amd64"
+                 and bios_boot_method != "uefi"
+                 and block_device.type == "physical"
++                and block_device.id == boot_disk.id
+             )
+             if need_prep_partition or need_bios_grub:
+                 index = 2

images/maas-region-controller-focal/3.2_configure_ipmi_user.patch

@@ -1,8 +1,8 @@
 diff --git a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
-index 42e4c79e4..11df96313 100755
+index 02e900d..411832a 100755
 --- a/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
 +++ b/src/metadataserver/builtin_scripts/commissioning_scripts/bmc_config.py
-@@ -396,6 +396,29 @@ class IPMI(BMCConfig):
+@@ -184,6 +184,29 @@ class IPMIBase(BMCConfig):
          return first_unused
 
      def add_bmc_user(self):
@@ -32,7 +32,7 @@ index 42e4c79e4..11df96313 100755
          if not self.username:
              self.username = "maas"
          user_number = self._pick_user_number(self.username)
-@@ -417,7 +440,7 @@ class IPMI(BMCConfig):
+@@ -205,7 +228,7 @@ class IPMIBase(BMCConfig):
                      if self._bmc_config[user_number].get(key) != value:
                          self._bmc_set(user_number, key, value)
              except Exception:
@@ -41,12 +41,12 @@ index 42e4c79e4..11df96313 100755
              else:
                  self.password = password
                  # Not all user settings are available on all BMC keys, its
-@@ -432,8 +455,6 @@ class IPMI(BMCConfig):
+@@ -220,8 +243,6 @@ class IPMIBase(BMCConfig):
                      "Yes",
                  )
                  return
 -        print("ERROR: Unable to add BMC user!", file=sys.stderr)
 -        sys.exit(1)
 
-     def _config_ipmi_lan_channel_settings(self):
-         """Enable IPMI-over-Lan (Lan_Channel) if it is disabled"""
+     def _bmc_get_config(self, section=None):
+         """Fetch and cache all BMC settings."""

images/maas-region-controller-focal/3.2_kernel_package.patch

@@ -1,16 +1,15 @@
 diff --git a/src/maasserver/preseed.py b/src/maasserver/preseed.py
-index f9ba34a18..a9f41b9c2 100644
+index c692969..c20facf 100644
 --- a/src/maasserver/preseed.py
 +++ b/src/maasserver/preseed.py
-@@ -232,7 +232,27 @@ def compose_curtin_kernel_preseed(node):
-     The BootResourceFile table contains a mapping between hwe kernels and
-     Ubuntu package names. If this mapping is missing we fall back to letting
-     Curtin figure out which kernel should be installed"""
-+
+@@ -250,7 +250,26 @@ def compose_curtin_kernel_preseed(node):
+     if node.get_osystem() == "custom":
+         return []
+
 +    # previous logic to retrieve kpackage parameter
      kpackage = BootResource.objects.get_kpackage_for_node(node)
 +
-+    # determine if this node has kernel parameters applied by drydock
++    # determine if thie node has kernel parameters applied by drydock
 +    # and override kpackage if we discover the right properties
 +    kernel_opt_tag = "%s_kp" % (node.hostname)
 +    if kernel_opt_tag in node.tag_names():

images/maas-region-controller-focal/3.2_partitiontable_does_not_exist.patch

@@ -1,5 +1,5 @@
 diff --git a/src/maasserver/api/partitions.py b/src/maasserver/api/partitions.py
-index 5a413fb3b..6a5ad8b47 100644
+index dd1b431..235c03f 100644
 --- a/src/maasserver/api/partitions.py
 +++ b/src/maasserver/api/partitions.py
 @@ -99,7 +99,7 @@ class PartitionsHandler(OperationsHandler):

images/maas-region-controller-focal/3.2_regex_tags.patch

@@ -1,9 +1,9 @@
 diff --git a/src/maasserver/models/ownerdata.py b/src/maasserver/models/ownerdata.py
-index 5d26041ca..0e208f264 100644
+index 2cbaa9d..14eeb69 100644
 --- a/src/maasserver/models/ownerdata.py
 +++ b/src/maasserver/models/ownerdata.py
-@@ -18,7 +18,7 @@ from django.db.models import (
- from maasserver import DefaultMeta
+@@ -17,7 +17,7 @@ from django.db.models import (
+
  from maasserver.models.cleansave import CleanSave
 
 -DATA_KEY_RE = re.compile(r"[\w.-]+$")
@@ -11,7 +11,7 @@ index 5d26041ca..0e208f264 100644
 
 
  class OwnerDataManager(Manager):
-@@ -33,8 +33,8 @@ class OwnerDataManager(Manager):
+@@ -32,8 +32,8 @@ class OwnerDataManager(Manager):
              if value is None:
                  to_remove.add(key)
              else:

images/maas-region-controller-focal/3.2_region_secret_rotate.patch

@@ -1,5 +1,5 @@
 diff --git a/src/maasserver/security.py b/src/maasserver/security.py
-index a9420e504..61c6f00c6 100644
+index a9420e5..7973120 100644
 --- a/src/maasserver/security.py
 +++ b/src/maasserver/security.py
 @@ -96,11 +96,11 @@ def get_shared_secret_txn():
@@ -18,4 +18,3 @@ index a9420e504..61c6f00c6 100644
 +        Config.objects.set_config("rpc_shared_secret", to_hex(secret))
 
      return secret
- 

images/maas-region-controller-focal/3.2_route.patch

@@ -1,13 +1,17 @@
 diff --git a/src/maasserver/preseed_network.py b/src/maasserver/preseed_network.py
-index 3851424fc..8bfa90e7d 100644
+index 7660feb..dae412d 100644
 --- a/src/maasserver/preseed_network.py
 +++ b/src/maasserver/preseed_network.py
-@@ -309,7 +309,7 @@ class InterfaceConfiguration:
+@@ -308,7 +308,11 @@ class InterfaceConfiguration:
 
      def _get_matching_routes(self, source):
          """Return all route objects matching `source`."""
 -        return {route for route in self.routes if route.source == source}
-+        return {route for route in self.routes if str(route.source.cidr) == str(source.cidr)}
++        return {
++            route
++            for route in self.routes
++            if str(route.source.cidr) == str(source.cidr)
++        }
 
      def _generate_addresses(self, version=1):
          """Generate the various addresses needed for this interface."""

images/maas-region-controller-focal/3.2_secure_headers.patch

@@ -1,5 +1,5 @@
 diff --git a/src/twisted/web/server.py b/src/twisted/web/server.py
-index 23e3e408e..8e3e5b772 100644
+index 23e3e40..8e3e5b7 100644
 --- a/src/twisted/web/server.py
 +++ b/src/twisted/web/server.py
 @@ -178,7 +178,6 @@ class Request(Copyable, http.Request, components.Componentized):

images/maas-region-controller-focal/Dockerfile

@@ -18,7 +18,7 @@ ARG no_proxy
 ENV DEBIAN_FRONTEND noninteractive
 ENV container docker
 
-ENV MAAS_VERSION 1:3.0.1-10052-g.82c730c57-0ubuntu1~20.04.1
+ENV MAAS_VERSION 1:3.2.9-12055-g.c3d5597a7-0ubuntu1~20.04.1
 
 RUN apt-get -qq update \
  && apt-get install -y \
@@ -41,7 +41,7 @@ RUN apt-get -qq update \
          -exec rm \{} \; \
  && systemctl set-default multi-user.target \
 # Install maas from the ppa
- && add-apt-repository -yu ppa:maas/3.0 \
+ && add-apt-repository -yu ppa:maas/3.2 \
  && apt-get install -y \
         maas-region-api=$MAAS_VERSION \
         # tcpdump is required by /usr/lib/maas/beacon-monitor
@@ -52,32 +52,32 @@ RUN apt-get -qq update \
 RUN mkdir -p /opt/maas/ && tar -cvzf /opt/maas/var-lib-maas.tgz /var/lib/maas
 
 # MAAS workarounds
-COPY 3.0_route.patch /tmp/3.0_route.patch
-COPY 3.0_kernel_package.patch /tmp/3.0_kernel_package.patch
-COPY 3.0_bios_grub_partition.patch /tmp/3.0_bios_grub_partition.patch
+COPY 3.2_route.patch /tmp/3.2_route.patch
+COPY 3.2_kernel_package.patch /tmp/3.2_kernel_package.patch
+COPY 3.2_bios_grub_partition.patch /tmp/3.2_bios_grub_partition.patch
 # sh8121att: allow all requests via the proxy to allow it to work
 # behind ingress
-COPY 3.0_proxy_acl.patch /tmp/3.0_proxy_acl.patch
+COPY 3.2_proxy_acl.patch /tmp/3.2_proxy_acl.patch
 # Patch to add retrying to MaaS BMC user setup, and improve exception handling
-COPY 3.0_configure_ipmi_user.patch /tmp/3.0_configure_ipmi_user.patch
-COPY 3.0_secure_headers.patch /tmp/3.0_secure_headers.patch
-COPY 3.0_region_secret_rotate.patch /tmp/3.0_region_secret_rotate.patch
-COPY 3.0_partitiontable_does_not_exist.patch /tmp/3.0_partitiontable_does_not_exist.patch
+COPY 3.2_configure_ipmi_user.patch /tmp/3.2_configure_ipmi_user.patch
+COPY 3.2_secure_headers.patch /tmp/3.2_secure_headers.patch
+COPY 3.2_region_secret_rotate.patch /tmp/3.2_region_secret_rotate.patch
+COPY 3.2_partitiontable_does_not_exist.patch /tmp/3.2_partitiontable_does_not_exist.patch
 # Allow tags with '/' symbols
-COPY 3.0_regex_tags.patch /tmp/3.0_regex_tags.patch
+COPY 3.2_regex_tags.patch /tmp/3.2_regex_tags.patch
 # Patch to allow any recursion and cache queries
-COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch
+COPY 3.2_allow_query.patch /tmp/3.2_allow_query.patch
 
-RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.0_route.patch
-RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.0_kernel_package.patch
-RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/3.0_bios_grub_partition.patch
-RUN cd /usr/lib/python3/dist-packages/maasserver && patch security.py < /tmp/3.0_region_secret_rotate.patch
-RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.0_configure_ipmi_user.patch
-RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.0_proxy_acl.patch
-RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch
-RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.0_partitiontable_does_not_exist.patch
-RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.0_regex_tags.patch
-RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.2_route.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.2_kernel_package.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch partition.py < /tmp/3.2_bios_grub_partition.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver && patch security.py < /tmp/3.2_region_secret_rotate.patch
+RUN cd /usr/lib/python3/dist-packages/metadataserver/builtin_scripts/commissioning_scripts && patch bmc_config.py < /tmp/3.2_configure_ipmi_user.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patch maas-proxy.conf.template < /tmp/3.2_proxy_acl.patch
+RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.2_secure_headers.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.2_partitiontable_does_not_exist.patch
+RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.2_regex_tags.patch
+RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.2_allow_query.patch
 
 # echo journalctl logs to the container's stdout
 COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service