metal-stack · majst01 · Jul 16, 2025 · Jul 16, 2025 · Jul 16, 2025 · Jul 16, 2025
@@ -64,7 +64,6 @@ Introducing a partition-local cache for machine images brings the following adva
 | image_cache_sync_max_images_per_name                                   |           | Maximum amount of images to cache for an image variant                                                                    |
 | image_cache_sync_min_images_per_name                                   |           | Minimum amount of images to keep of an image variant                                                                      |
 | image_cache_sync_metal_api_endpoint                                    | yes       | Endpoint of the metal-api                                                                                                 |
-| image_cache_sync_metal_api_view_hmac                                   | yes       | HMAC of the metal-api (requires view access)                                                                              |
 | image_cache_sync_schedule                                              |           | Cron sync schedule                                                                                                        |
 | image_cache_sync_excludes                                              |           | URL paths to exclude from the sync                                                                                        |
 | image_cache_sync_host_path                                             |           | Root path of where to store the images                                                                                    |

@@ -32,7 +32,7 @@ image_cache_sync_max_images_per_name: -1
 image_cache_sync_min_images_per_name: 4
 image_cache_sync_expiration_grace_period: 0
 image_cache_sync_metal_api_endpoint: "{{ metal_partition_metal_api_protocol }}://{{ metal_partition_metal_api_addr }}:{{ metal_partition_metal_api_port }}{{ metal_partition_metal_api_basepath }}"
-image_cache_sync_metal_api_view_hmac:
+image_cache_sync_token_expiration: 8h
 image_cache_sync_schedule: "*/10 * * * *"
 image_cache_sync_host_path: /metal-image-cache-sync
 image_cache_sync_port: 9001

@@ -13,5 +13,6 @@ galaxy_info:
         - all
 
 dependencies:
+  - role: metal-ansible-modules
   - role: metal-roles/common/roles/defaults
   - role: metal-roles/partition/roles/defaults
@@ -1,4 +1,19 @@
 ---
+- name: ensure cache directory
+  ansible.builtin.file:
+    path: "{{ image_cache_sync_host_path }}"
+    state: directory
+    mode: '0755'
+
+- name: store token in credentials file
+  ansible.builtin.copy:
+    content: "{{ _token.secret }}"
+    dest: "{{ image_cache_sync_host_path }}/metal-apiserver-token"
+    owner: root
+    group: root
+    mode: '0644'
+  when: '"secret" in _token'
+
 - name: deploy image-sync service
   include_role:
     name: ansible-common/roles/systemd-docker-service
@@ -12,8 +27,8 @@
       METAL_IMAGE_CACHE_SYNC_MAX_CACHE_SIZE: "{{ image_cache_sync_max_cache_size }}"
       METAL_IMAGE_CACHE_SYNC_MAX_IMAGES_PER_NAME: "{{ image_cache_sync_max_images_per_name }}"
       METAL_IMAGE_CACHE_SYNC_MIN_IMAGES_PER_NAME: "{{ image_cache_sync_min_images_per_name }}"
-      METAL_IMAGE_CACHE_SYNC_METAL_API_ENDPOINT: "{{ image_cache_sync_metal_api_endpoint }}"
-      METAL_IMAGE_CACHE_SYNC_METAL_API_HMAC: "{{ image_cache_sync_metal_api_view_hmac }}"
+      METAL_IMAGE_CACHE_SYNC_METAL_APISERVER_URL: "{{ image_cache_sync_metal_apiserver_url }}"
+      METAL_IMAGE_CACHE_SYNC_METAL_APISERVER_TOKEN_PATH: "/var/lib/metal-image-cache-sync/metal-apiserver-token"
       METAL_IMAGE_CACHE_SYNC_SCHEDULE: "{{ image_cache_sync_schedule }}"
       METAL_IMAGE_CACHE_SYNC_EXCLUDES: "{{ image_cache_sync_excludes | join(',') }}"
       METAL_IMAGE_CACHE_SYNC_EXPIRATION_GRACE_PERIOD: "{{ image_cache_sync_expiration_grace_period }}"

@@ -2,6 +2,13 @@
 - name: Gather release versions
   setup_yaml:
 
+- name: Check metal-deployment-token has run
+  assert:
+    fail_msg: "this role requires the metal-deployment-token role to be run before execution, check role documentation"
+    quiet: yes
+    that:
+      - "'metal_deployment_admin_token' in hostvars['localhost']"
+
 - name: Check mandatory variables for this role are set
   assert:
     fail_msg: "not all mandatory variables given, check role documentation"
@@ -13,8 +20,11 @@
       - image_cache_haproxy_image_name is defined
       - image_cache_sync_image_tag is defined
       - image_cache_sync_image_name is defined
-      - image_cache_sync_metal_api_endpoint is not none
-      - image_cache_sync_metal_api_view_hmac is not none
+      - image_cache_sync_metal_apiserver_url is not none
+      - image_cache_sync_metal_apiserver_token is not none
+
+- name: Create tokens
+  import_tasks: token.yaml
 
 - name: Setup CoreDNS
   import_tasks: coredns.yaml

@@ -0,0 +1,27 @@
+---
+- name: create api tokens for metal-image-cache-sync
+  block:
+
+    - name: create image-cache tenant
+      metal_v2_admin_tenant:
+        name: metal-image-cache-sync-{{ metal_partition_id }}-{{ inventory_hostname }}
+        description: tenant used by the metal-image-cache-sync service in the metal-stack partitions
+      register: _tenant
+
+    - name: create image-cache api token
+      metal_v2_admin_token:
+        user: "{{ _tenant.id }}"
+        description: "metal-image-cache-sync token {{ inventory_hostname }} in partition {{ metal_partition_id }}"
+        expires: "{{ image_cache_sync_token_expiration }}"
+        permissions:
+          - subject: "*"
+            methods:
+              - /metalstack.api.v2.ImageService/List
+              - /metalstack.api.v2.PartitionService/List
+              - /metalstack.api.v2.TokenService/Refresh
+      register: _token
+
+  delegate_to: localhost
+  environment:
+    METALCTLV2_API_URL: "{{ image_cache_sync_metal_apiserver_url }}"
+    METALCTLV2_API_TOKEN: "{{ hostvars['localhost'].metal_deployment_admin_token }}"