Add cifmw_registry_pullsecret role for credential extraction #3754

Open
mnietoji wants to merge 2 commits into openstack-k8s-operators:main from mnietoji:edpm_pullsecret_sync

@mnietoji
Contributor

Extracts registry credentials from OpenShift pull-secret during EDPM deployment.

Runs after edpm_prepare, before EDPM nodesets are created. Updates cifmw_registry_token variable and optionally writes credentials to file.

Configuration:

  • cifmw_registry_pullsecret_enabled: Enable extraction (default: false)
  • cifmw_registry_pullsecret_registry_url: Registry URL to extract for

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
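
The extraction this PR describes, shown at the data level as an added example (not the role's code, which is Ansible): it decodes a pull-secret's standard `.dockerconfigjson` payload, selects one registry's `auth` entry, and writes it to an owner-only file. The function names, the output file format, the sample credentials and `registry.example.com` are assumptions made for illustration.

```python
import base64
import json
import os
import stat
import tempfile

REGISTRY = "registry.example.com"  # constructed placeholder registry


def make_sample_secret():
    """Constructed stand-in for the `.data` map of an OpenShift pull-secret."""
    auth = base64.b64encode(b"ci-user:pa:ss").decode()
    cfg = json.dumps({"auths": {REGISTRY: {"auth": auth}}}).encode()
    return {".dockerconfigjson": base64.b64encode(cfg).decode()}


def extract_registry_auth(secret_data, registry):
    """Return (username, password) for one registry, or raise KeyError."""
    cfg = json.loads(base64.b64decode(secret_data[".dockerconfigjson"]))
    entry = cfg.get("auths", {}).get(registry)
    if not entry or "auth" not in entry:
        raise KeyError(f"pull-secret has no auth entry for {registry}")
    decoded = base64.b64decode(entry["auth"]).decode("utf-8")
    # Split on the first ':' only: passwords and tokens may contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("auth value is not in user:password form")
    return user, password


def write_token_file(path, user, password):
    """Write credentials readable by the owner only (hypothetical file format)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o600)  # also tighten a pre-existing, wider-mode file
        json.dump({"username": user, "password": password}, fh)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    user, password = extract_registry_auth(make_sample_secret(), REGISTRY)
    with tempfile.TemporaryDirectory() as tmp:
        mode = write_token_file(os.path.join(tmp, "token.json"), user, password)
    print(user, oct(mode))  # never print the password itself
```
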

@openshift-ci
Contributor

openshift-ci bot commented Mar 10, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign danpawlik for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mnietoji mnietoji force-pushed the edpm_pullsecret_sync branch 3 times, most recently from a206f08 to 7438f4b Compare March 10, 2026 15:13
…ures II

When metal3-dnsmasq pod restarts during a node's DHCP lease renewal on the
provisioning network (172.23.0.0/24), NetworkManager fails to renew and sets
ipv4.method=disabled. NMState operator then preserves this disabled state,
causing permanent loss of provisioning network connectivity on that node.

The issue occurs when OpenStackProvisionServer and metal3 pods run on
different nodes. If metal3 restarts while a node is attempting DHCP renewal,
the temporary unavailability of metal3-dnsmasq causes the renewal to fail.

Solution:
Automatically detect the node running metal3 pod (via k8s-app=metal3 label)
and configure provisionServerNodeSelector in baremetalSetTemplate to schedule
OpenStackProvisionServer on the same node. This ensures provisioning network
connectivity is maintained because metal3-static-ip-manager maintains a static
IP (172.23.0.3) on the metal3 node regardless of dnsmasq restarts.

Signed-off-by: Miguel Angel Nieto Jimenez <mnietoji@redhat.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@mnietoji mnietoji force-pushed the edpm_pullsecret_sync branch 2 times, most recently from 9424f79 to 401ed23 Compare March 10, 2026 15:15

It extracts credentials from the OpenShift pull-secret in the `openshift-config` namespace and updates the `cifmw_registry_token` variable and optionally the registry token file.

### Example configuration in ci-framework-jobs
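
Review bot: The README sentence "updates the `cifmw_registry_token` variable and optionally the registry token file" does not say which variable turns the file write on or where that file is written. Since the file holds registry credentials, name the controlling variable here and document the file's path and the permissions it is created with.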

Please just "Example configuration which can be used in the zuul jobs"

```yaml
vars:
cifmw_registry_pullsecret_enabled: true
cifmw_registry_pullsecret_registry_url: registry.stage.redhat.io

please make it generic and not use a specific registry as example

---
#
# NOTE: Playbook migrated to: roles/cifmw_setup/tasks/deploy_architecture.yml
# DO NOT EDIT THIS PLAYBOOK. IT WILL BE REMOVED IN NEAR FUTURE.

change in this file can be skipped, as it is mentioned in L4.

@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/3065905edb6646c483c1561923a4af89

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 14m 46s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 19m 10s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 31m 15s
✔️ cifmw-crc-podified-edpm-baremetal-minor-update SUCCESS in 1h 50m 56s
cifmw-pod-zuul-files FAILURE in 4m 45s
✔️ adoption-standalone-to-crc-ceph-provider SUCCESS in 3h 01m 04s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 9m 10s
✔️ cifmw-pod-k8s-snippets-source SUCCESS in 5m 12s
✔️ cifmw-pod-pre-commit SUCCESS in 8m 36s
✔️ cifmw-architecture-validate-hci SUCCESS in 4m 05s
✔️ cifmw-molecule-ci_gen_kustomize_values SUCCESS in 5m 51s
✔️ cifmw-molecule-cifmw_setup SUCCESS in 2m 02s
✔️ cifmw-molecule-kustomize_deploy SUCCESS in 4m 10s

@mnietoji mnietoji force-pushed the edpm_pullsecret_sync branch 6 times, most recently from 44f85e5 to c598c95 Compare March 11, 2026 00:32
@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/5672d047a97549cb897d3bfe373c0d7f

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 16m 10s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 25m 27s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 29m 32s
✔️ cifmw-crc-podified-edpm-baremetal-minor-update SUCCESS in 2h 04m 00s
cifmw-pod-zuul-files FAILURE in 5m 25s
✔️ adoption-standalone-to-crc-ceph-provider SUCCESS in 3h 01m 41s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 8m 44s
✔️ cifmw-pod-k8s-snippets-source SUCCESS in 5m 04s
✔️ cifmw-pod-pre-commit SUCCESS in 9m 04s
✔️ cifmw-architecture-validate-hci SUCCESS in 3m 53s
✔️ cifmw-molecule-ci_gen_kustomize_values SUCCESS in 5m 39s
✔️ cifmw-molecule-cifmw_setup SUCCESS in 2m 00s
✔️ cifmw-molecule-kustomize_deploy SUCCESS in 4m 17s

@mnietoji mnietoji force-pushed the edpm_pullsecret_sync branch 3 times, most recently from 12e085d to fd82ae9 Compare March 11, 2026 08:36
Extracts registry credentials from OpenShift pull-secret during EDPM
deployment. Runs after edpm_prepare, before EDPM nodesets are created.

New role updates cifmw_registry_token variable and optionally writes
credentials to file. Only executes when cifmw_registry_pullsecret_enabled
is true (opt-in, backwards compatible).

Configuration:
- cifmw_registry_pullsecret_enabled: Enable extraction (default: false)
- cifmw_registry_pullsecret_registry_url: Registry URL to extract for

Modified roles/cifmw_setup/tasks/deploy_edpm.yml to integrate role.

Signed-off-by: Miguel Angel Nieto Jimenez <mnietoji@redhat.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@mnietoji mnietoji force-pushed the edpm_pullsecret_sync branch from fd82ae9 to 942fd36 Compare March 11, 2026 08:56
@softwarefactory-project-zuul

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/23864d530c7e4edf83c9d001b7966586

✔️ openstack-k8s-operators-content-provider SUCCESS in 3h 09m 11s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 22m 58s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 27m 22s
✔️ cifmw-crc-podified-edpm-baremetal-minor-update SUCCESS in 1h 48m 43s
cifmw-pod-zuul-files FAILURE in 4m 42s
✔️ adoption-standalone-to-crc-ceph-provider SUCCESS in 2h 56m 41s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 10m 33s
✔️ cifmw-pod-k8s-snippets-source SUCCESS in 4m 52s
✔️ cifmw-pod-pre-commit SUCCESS in 8m 43s
✔️ cifmw-architecture-validate-hci SUCCESS in 3m 49s
✔️ cifmw-molecule-ci_gen_kustomize_values SUCCESS in 5m 32s
✔️ cifmw-molecule-cifmw_setup SUCCESS in 2m 06s
✔️ cifmw-molecule-kustomize_deploy SUCCESS in 4m 28s
