Integrate with IrSO for getting Ironic details

dtantsur · dtantsur · commit 0dc47881af08 · 2025-10-15T11:41:31.000+02:00
Add a way for BMO to use an existing IrSO Ironic object to get Ironic
service details instead of user-provided environment variables. Two new
environment variables are added IRONIC_NAME (the name of the Ironic
object) and IRONIC_NAMESPACE (defaulting to POD_NAMESPACE).

Now that DEPLOY_KERNEL/RAMDISK variables are also optional, this change
will allow us to provide a single installation manifest for BMO that
assumes a presence of Ironic object called "ironic" in the BMO's
namespace. This is not a part of this PR and will be proposed later.

The Ironic object is fetched on every reconciliation, and its Ready
condition is checked before proceeding. On a failure, the reconciliation
is retried (similarly to how errors accessing Ironic are handled).

Note that IrSO does not yet support providing a CA for TLS settings.
The certificate is used as a CA instead.

Assisted-By: Claude Code (commercial license)
Signed-off-by: Dmitry Tantsur &lt;dtantsur@protonmail.com&gt;
diff --git a/config/base/rbac/role.yaml b/config/base/rbac/role.yaml
@@ -25,6 +25,14 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - ironic.metal3.io
+  resources:
+  - ironics
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - metal3.io
   resources:
diff --git a/config/render/capm3.yaml b/config/render/capm3.yaml
@@ -2396,6 +2396,14 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - ironic.metal3.io
+  resources:
+  - ironics
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - metal3.io
   resources:
diff --git a/go.mod b/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/gophercloud/gophercloud/v2 v2.8.0
 	github.com/metal3-io/baremetal-operator/apis v0.5.1
 	github.com/metal3-io/baremetal-operator/pkg/hardwareutils v0.5.1
+	github.com/metal3-io/ironic-standalone-operator/api v0.6.0
 	github.com/onsi/gomega v1.38.2
 	github.com/prometheus/client_golang v1.23.2
 	github.com/stretchr/testify v1.11.1
diff --git a/go.sum b/go.sum
@@ -94,6 +94,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/metal3-io/ironic-standalone-operator/api v0.6.0 h1:u2BDGpGdJqzzZAr4pL4LywKcxfjHXPQNxuJ47ej/6Cc=
+github.com/metal3-io/ironic-standalone-operator/api v0.6.0/go.mod h1:V2uX3UR0gK0J8IvF8msNRcdWKviZRrvDCCFMF0uVPQY=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
diff --git a/internal/controller/metal3.io/baremetalhost_controller.go b/internal/controller/metal3.io/baremetalhost_controller.go
@@ -106,6 +106,9 @@ func (info *reconcileInfo) publishEvent(reason, message string) {
 // Allow for updating hostupdatepolicies
 // +kubebuilder:rbac:groups=metal3.io,resources=hostupdatepolicies,verbs=get;list;watch;update
 
+// Allow reading Ironic resources
+// +kubebuilder:rbac:groups=ironic.metal3.io,resources=ironics,verbs=get;list;watch
+
 // Reconcile handles changes to BareMetalHost resources.
 func (r *BareMetalHostReconciler) Reconcile(ctx context.Context, request ctrl.Request) (result ctrl.Result, err error) {
 	reconcileCounters.With(hostMetricLabels(request)).Inc()
diff --git a/main.go b/main.go
@@ -35,13 +35,15 @@ import (
 	"github.com/metal3-io/baremetal-operator/pkg/provisioner/ironic"
 	"github.com/metal3-io/baremetal-operator/pkg/secretutils"
 	"github.com/metal3-io/baremetal-operator/pkg/version"
+	ironicv1alpha1 "github.com/metal3-io/ironic-standalone-operator/api/v1alpha1"
 	"go.uber.org/zap/zapcore"
 	k8sruntime "k8s.io/apimachinery/pkg/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	cliflag "k8s.io/component-base/cli/flag"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
@@ -75,6 +77,7 @@ func init() {
 	_ = clientgoscheme.AddToScheme(scheme)
 
 	_ = metal3api.AddToScheme(scheme)
+	_ = ironicv1alpha1.AddToScheme(scheme)
 }
 
 func printVersion() {
@@ -215,6 +218,24 @@ func main() {
 		setupLog.Info("Manager set up with cluster scope")
 	}
 
+	// Setup cache options
+	var byObject map[client.Object]cache.ByObject
+
+	ironicName := os.Getenv("IRONIC_NAME")
+	ironicNamespace := os.Getenv("IRONIC_NAMESPACE")
+	if ironicNamespace == "" {
+		ironicNamespace = leaderElectionNamespace
+	}
+	if ironicName != "" && ironicNamespace != "" {
+		byObject = map[client.Object]cache.ByObject{
+			&ironicv1alpha1.Ironic{}: {
+				Namespaces: map[string]cache.Config{
+					ironicNamespace: {},
+				},
+			},
+		}
+	}
+
 	ctrlOpts := ctrl.Options{
 		Scheme: scheme,
 		Metrics: metricsserver.Options{
@@ -233,7 +254,7 @@ func main() {
 		LeaderElectionReleaseOnCancel: true,
 		HealthProbeBindAddress:        healthAddr,
 		Cache: cache.Options{
-			ByObject:          secretutils.AddSecretSelector(nil),
+			ByObject:          secretutils.AddSecretSelector(byObject),
 			DefaultNamespaces: watchNamespaces,
 		},
 	}
@@ -288,7 +309,13 @@ func main() {
 		provisionerFactory = &demo.Demo{}
 	} else {
 		provLog := zap.New(zap.UseFlagOptions(&logOpts)).WithName("provisioner")
-		provisionerFactory, err = ironic.NewProvisionerFactory(provLog, preprovImgEnable)
+		// Check if we should use Ironic CR integration
+		if ironicName != "" && ironicNamespace != "" {
+			provisionerFactory, err = ironic.NewProvisionerFactoryWithClient(provLog, preprovImgEnable,
+				mgr.GetClient(), mgr.GetAPIReader(), ironicName, ironicNamespace)
+		} else {
+			provisionerFactory, err = ironic.NewProvisionerFactory(provLog, preprovImgEnable)
+		}
 		if err != nil {
 			setupLog.Error(err, "cannot start ironic provisioner")
 			os.Exit(1)
diff --git a/pkg/provisioner/ironic/factory.go b/pkg/provisioner/ironic/factory.go
@@ -13,6 +13,12 @@ import (
 	"github.com/gophercloud/gophercloud/v2"
 	"github.com/metal3-io/baremetal-operator/pkg/provisioner"
 	"github.com/metal3-io/baremetal-operator/pkg/provisioner/ironic/clients"
+	"github.com/metal3-io/baremetal-operator/pkg/secretutils"
+	ironicv1alpha1 "github.com/metal3-io/ironic-standalone-operator/api/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 type ironicProvisionerFactory struct {
@@ -22,6 +28,14 @@ type ironicProvisionerFactory struct {
 	// Keep pointers to ironic client configured with the global
 	// auth settings to reuse the connection between reconcilers.
 	clientIronic *gophercloud.ServiceClient
+
+	// Kubernetes client for reading Ironic CR
+	k8sClient client.Client
+	apiReader client.Reader
+
+	// Ironic CR configuration
+	ironicName      string
+	ironicNamespace string
 }
 
 func NewProvisionerFactory(logger logr.Logger, havePreprovImgBuilder bool) (provisioner.Factory, error) {
@@ -33,13 +47,42 @@ func NewProvisionerFactory(logger logr.Logger, havePreprovImgBuilder bool) (prov
 	return factory, err
 }
 
+func NewProvisionerFactoryWithClient(logger logr.Logger, havePreprovImgBuilder bool, k8sClient client.Client, apiReader client.Reader, ironicName, ironicNamespace string) (provisioner.Factory, error) {
+	factory := ironicProvisionerFactory{
+		log:             logger.WithName("ironic"),
+		k8sClient:       k8sClient,
+		apiReader:       apiReader,
+		ironicName:      ironicName,
+		ironicNamespace: ironicNamespace,
+	}
+
+	err := factory.init(havePreprovImgBuilder)
+	return factory, err
+}
+
 func (f *ironicProvisionerFactory) init(havePreprovImgBuilder bool) error {
-	ironicAuth, err := clients.LoadAuth()
+	var err error
+	f.config, err = loadConfigFromEnv(havePreprovImgBuilder)
 	if err != nil {
 		return err
 	}
 
-	f.config, err = loadConfigFromEnv(havePreprovImgBuilder)
+	if f.ironicName != "" && f.ironicNamespace != "" {
+		f.log.Info("will use Ironic resource configuration",
+			"ironicName", f.ironicName,
+			"ironicNamespace", f.ironicNamespace,
+			"deployKernelURL", f.config.deployKernelURL,
+			"deployRamdiskURL", f.config.deployRamdiskURL,
+			"deployISOURL", f.config.deployISOURL,
+			"liveISOForcePersistentBootDevice", f.config.liveISOForcePersistentBootDevice,
+		)
+		// NOTE(dtantsur): the Ironic object will be loaded from the client cache on each reconciliation, so exiting here.
+		return nil
+	}
+
+	f.log.V(1).Info("will use environment variables configuration")
+	// For environment variable mode, validate configuration early and create a static client
+	ironicAuth, err := clients.LoadAuth()
 	if err != nil {
 		return err
 	}
@@ -51,7 +94,7 @@ func (f *ironicProvisionerFactory) init(havePreprovImgBuilder bool) error {
 
 	tlsConf := loadTLSConfigFromEnv()
 
-	f.log.Info("ironic settings",
+	f.log.Info("ironic settings from environment variables",
 		"endpoint", ironicEndpoint,
 		"ironicAuthType", ironicAuth.Type,
 		"deployKernelURL", f.config.deployKernelURL,
@@ -65,8 +108,7 @@ func (f *ironicProvisionerFactory) init(havePreprovImgBuilder bool) error {
 		"SkipClientSANVerify", tlsConf.SkipClientSANVerify,
 	)
 
-	f.clientIronic, err = clients.IronicClient(
-		ironicEndpoint, ironicAuth, tlsConf)
+	f.clientIronic, err = clients.IronicClient(ironicEndpoint, ironicAuth, tlsConf)
 	if err != nil {
 		return err
 	}
@@ -77,6 +119,31 @@ func (f *ironicProvisionerFactory) init(havePreprovImgBuilder bool) error {
 func (f ironicProvisionerFactory) ironicProvisioner(ctx context.Context, hostData provisioner.HostData, publisher provisioner.EventPublisher) (*ironicProvisioner, error) {
 	provisionerLogger := f.log.WithValues("host", ironicNodeName(hostData.ObjectMeta))
 
+	var ironicClient *gophercloud.ServiceClient
+
+	// Check if we should use Ironic CR configuration (fetch fresh config on each provisioner creation)
+	if f.ironicName != "" && f.ironicNamespace != "" && f.k8sClient != nil {
+		ironicEndpoint, ironicAuth, tlsConf, err := f.loadConfigFromIronicCR(ctx)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load configuration from Ironic resource %s/%s: %w", f.ironicNamespace, f.ironicName, err)
+		}
+
+		provisionerLogger.Info("ironic settings from Ironic resource",
+			"ironicName", f.ironicName,
+			"ironicNamespace", f.ironicNamespace,
+			"endpoint", ironicEndpoint,
+			"CACertFile", tlsConf.TrustedCAFile,
+		)
+
+		ironicClient, err = clients.IronicClient(ironicEndpoint, ironicAuth, tlsConf)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create a client from Ironic resource %s/%s: %w", f.ironicNamespace, f.ironicName, err)
+		}
+	} else {
+		// Use the pre-configured client from environment variables
+		ironicClient = f.clientIronic
+	}
+
 	p := &ironicProvisioner{
 		config:                  f.config,
 		objectMeta:              hostData.ObjectMeta,
@@ -85,7 +152,7 @@ func (f ironicProvisionerFactory) ironicProvisioner(ctx context.Context, hostDat
 		bmcAddress:              hostData.BMCAddress,
 		disableCertVerification: hostData.DisableCertificateVerification,
 		bootMACAddress:          hostData.BootMACAddress,
-		client:                  f.clientIronic,
+		client:                  ironicClient,
 		log:                     provisionerLogger,
 		debugLog:                provisionerLogger.V(1),
 		publisher:               publisher,
@@ -192,3 +259,120 @@ func loadTLSConfigFromEnv() clients.TLSConfig {
 		SkipClientSANVerify:   skipClientSANVerify,
 	}
 }
+
+func ironicUnreadyReason(ironic *ironicv1alpha1.Ironic) string {
+	cond := meta.FindStatusCondition(ironic.Status.Conditions, string(ironicv1alpha1.IronicStatusReady))
+	if cond == nil || cond.ObservedGeneration != ironic.Generation {
+		return "reconciliation hasn't started yet"
+	}
+	if cond.Status != metav1.ConditionTrue {
+		return cond.Message
+	}
+	return ""
+}
+
+func (f *ironicProvisionerFactory) loadConfigFromIronicCR(ctx context.Context) (endpoint string, auth clients.AuthConfig, tlsConfig clients.TLSConfig, err error) {
+	sm := secretutils.NewSecretManager(ctx, f.log, f.k8sClient, f.apiReader)
+
+	// Get the Ironic CR
+	ironicCR := &ironicv1alpha1.Ironic{}
+	key := types.NamespacedName{
+		Name:      f.ironicName,
+		Namespace: f.ironicNamespace,
+	}
+
+	err = f.k8sClient.Get(ctx, key, ironicCR)
+	if err != nil {
+		return "", clients.AuthConfig{}, clients.TLSConfig{}, fmt.Errorf("failed to get Ironic resource %s/%s: %w", f.ironicNamespace, f.ironicName, err)
+	}
+
+	// Check if the Ironic CR is ready
+	if unreadyReason := ironicUnreadyReason(ironicCR); unreadyReason != "" {
+		return "", clients.AuthConfig{}, clients.TLSConfig{}, fmt.Errorf("ironic resource %s/%s is not ready: %s", f.ironicNamespace, f.ironicName, unreadyReason)
+	}
+
+	endpoint = fmt.Sprintf("http://%s.%s.svc", f.ironicName, f.ironicNamespace)
+
+	// Handle TLS
+	if ironicCR.Spec.TLS.CertificateName != "" {
+		endpoint = fmt.Sprintf("https://%s.%s.svc", f.ironicName, f.ironicNamespace)
+		tlsConfig, err = f.loadTLSConfigFromIronicCR(&sm, ironicCR)
+		if err != nil {
+			return "", clients.AuthConfig{}, clients.TLSConfig{}, err
+		}
+	}
+
+	// Handle authentication
+	auth, err = f.loadAuthConfigFromIronicCR(&sm, ironicCR)
+	if err != nil {
+		return "", clients.AuthConfig{}, clients.TLSConfig{}, err
+	}
+
+	return endpoint, auth, tlsConfig, nil
+}
+
+func (f *ironicProvisionerFactory) loadAuthConfigFromIronicCR(sm *secretutils.SecretManager, ironicCR *ironicv1alpha1.Ironic) (clients.AuthConfig, error) {
+	key := types.NamespacedName{
+		Name:      ironicCR.Spec.APICredentialsName,
+		Namespace: ironicCR.Namespace,
+	}
+
+	secret, err := sm.ObtainSecret(key)
+	if err != nil {
+		return clients.AuthConfig{}, fmt.Errorf("failed to get auth secret %s/%s: %w", key.Namespace, key.Name, err)
+	}
+
+	username, usernameExists := secret.Data["username"]
+	password, passwordExists := secret.Data["password"]
+
+	if !usernameExists || !passwordExists {
+		return clients.AuthConfig{}, fmt.Errorf("auth secret %s/%s must contain 'username' and 'password' keys", key.Namespace, key.Name)
+	}
+
+	return clients.AuthConfig{
+		Type:     clients.HTTPBasicAuth,
+		Username: string(username),
+		Password: string(password),
+	}, nil
+}
+
+func (f *ironicProvisionerFactory) loadTLSConfigFromIronicCR(sm *secretutils.SecretManager, ironicCR *ironicv1alpha1.Ironic) (clients.TLSConfig, error) {
+	// Allow client TLS configuration from the environment
+	tlsConfig := loadTLSConfigFromEnv()
+
+	key := types.NamespacedName{
+		Name:      ironicCR.Spec.TLS.CertificateName,
+		Namespace: ironicCR.Namespace,
+	}
+
+	secret, err := sm.ObtainSecret(key)
+	if err != nil {
+		return clients.TLSConfig{}, fmt.Errorf("failed to get TLS secret %s/%s: %w", ironicCR.Namespace, ironicCR.Spec.TLS.CertificateName, err)
+	}
+
+	caCert := secret.Data["tls.crt"]
+	if caCert != nil {
+		caFile, err := writeTempFile("ironic-ca-", caCert)
+		if err != nil {
+			return clients.TLSConfig{}, fmt.Errorf("failed to write CA certificate: %w", err)
+		}
+		tlsConfig.TrustedCAFile = caFile
+	}
+
+	return tlsConfig, nil
+}
+
+func writeTempFile(prefix string, data []byte) (string, error) {
+	tmpFile, err := os.CreateTemp("", prefix)
+	if err != nil {
+		return "", err
+	}
+	defer tmpFile.Close()
+
+	_, err = tmpFile.Write(data)
+	if err != nil {
+		return "", err
+	}
+
+	return tmpFile.Name(), nil
+}
