Merge branch 'main' of github.com:openstack-k8s-operators/data-plane-adoption into ldap-adoption

Author: afaranha

docs_user/modules/con_adoption-limitations.adoc

@@ -11,7 +11,7 @@ Technology Preview::
 The following features are Technology Previews and have not been tested within the context of the {rhos_long_noacro} adoption:
 +
 * NFS Ganesha back end for {rhos_component_storage_file_first_ref}
-* iSCSI and FC-based drivers for {block_storage_first_ref}
+* FC-based drivers for {block_storage_first_ref}
 * {block_storage} back end for the {image_service_first_ref}
 +
 The following {compute_service_first_ref} features are Technology Previews:

docs_user/modules/con_adoption-prerequisites.adoc

@@ -20,20 +20,6 @@ endif::[]
 ** link:{defaultOCPURL}/nodes/overview-of-nodes[Overview of nodes]
 ** link:{defaultOCPURL}/nodes/index#nodes-scheduler-node-selectors-about_nodes-scheduler-node-selectors[About node selectors]
 ** link:{defaultOCPURL}/machine_configuration/index[Machine configuration overview]
-* Make sure to set the correct {rhos_acro} project namespace in which to run commands.
-ifeval::["{build_variant}" == "ospdo"]
-* In director Operator adoption, the source {rhos_prev_long} {rhos_prev_ver} namespace is `openstack`. In order to successfully adopt the {OpenStackShort} {rhos_prev_ver} environment, the destination {rhos_acro} {rhos_curr_ver} namespace must be different, for example, `rhoso`.
-endif::[]
-+
-[source, shell]
-----
-ifeval::["{build_variant}" == "ospdo"]
-$ oc project rhoso
-endif::[]
-ifeval::["{build_variant}" != "ospdo"]
-$ oc project openstack
-endif::[]
-----
 * Familiarize yourself with mapping RHOSO versions to OpenStack Operators and OpenStackVersion custom resources (CRs). For more information, see the Red Hat Knowledgebase article link:https://access.redhat.com/articles/7125383[How RHOSO versions map to OpenStack Operators and OpenStackVersion CRs].
 
 Back-up information::
@@ -47,21 +33,33 @@ Back-up information::
 Compute::
 +
 * Upgrade your Compute nodes to Red Hat Enterprise Linux {rhel_prev_ver}. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_openstack_platform/17.1/html-single/framework_for_upgrades_16.2_to_17.1/index#upgrading-compute-nodes_upgrading-the-compute-node-operating-system[Upgrading all Compute nodes to RHEL 9.2] in _Framework for upgrades (16.2 to 17.1)_.
-* Perform a minor update to the latest {OpenStackShort} version. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_openstack_platform/17.1/html/performing_a_minor_update_of_red_hat_openstack_platform/index[Performing a minor update of Red Hat OpenStack Platform].
-* Install the `systemd-container` package on your Compute hosts. For more information, see xref:installing-the-systemd-container-package-on-compute-hosts_{context}[Installing the `systemd-container` package on Compute hosts].
+* On your Compute hosts, the `systemd-container` package must be installed and the `systemd-machined` service must be running. For more information about how to verify that the package is installed and that the service is running, see xref:installing-the-systemd-container-package-on-compute-hosts_{context}[Installing the `systemd-container` package on Compute hosts].
 
 ML2/OVS::
 +
 * If you use the Modular Layer 2 plug-in with Open vSwitch mechanism driver (ML2/OVS), migrate it to the Modular Layer 2 plug-in with Open Virtual Networking (ML2/OVN) mechanism driver. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_openstack_platform/17.1/html/migrating_to_the_ovn_mechanism_driver/index[Migrating to the OVN mechanism driver].
 
 Tools::
 +
-* Install the `oc` command line tool on your workstation.
-* Install the `podman` command line tool on your workstation.
+* The oc and podman command line tools are installed on your workstation.
+* Make sure to set the correct {rhos_acro} project namespace in which to run commands.
+ifeval::["{build_variant}" == "ospdo"]
+* In director Operator adoption, the source {rhos_prev_long} {rhos_prev_ver} namespace is `openstack`. In order to successfully adopt the {OpenStackShort} {rhos_prev_ver} environment, the destination {rhos_acro} {rhos_curr_ver} namespace must be different, for example, `rhoso`.
+endif::[]
++
+[source, shell]
+----
+ifeval::["{build_variant}" == "ospdo"]
+$ oc project rhoso
+endif::[]
+ifeval::["{build_variant}" != "ospdo"]
+$ oc project openstack
+endif::[]
+----
 
 {OpenStackShort} {rhos_prev_ver} release::
 +
-* The {OpenStackShort} {rhos_prev_ver} cloud is updated to the latest minor version of the {rhos_prev_ver} release.
+* The {OpenStackShort} {rhos_prev_ver} cloud is updated to the 17.1.4 release or later. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_openstack_platform/17.1/html/performing_a_minor_update_of_red_hat_openstack_platform/index[Performing a minor update of Red Hat OpenStack Platform].
 
 {OpenStackShort} {rhos_prev_ver} hosts::
 +

docs_user/modules/con_identity-service-authentication.adoc

@@ -4,12 +4,15 @@
 = {identity_service} authentication
 
 [role="_abstract"]
-If you have custom policies enabled, contact Red Hat Support before adopting a {OpenStackPreviousInstaller} OpenStack deployment. You must complete the following steps for adoption:
+If you have custom policies enabled, complete the following steps for adoption:
 
 . Remove custom policies.
 . Run the adoption.
 . Re-add custom policies by using the new SRBAC syntax.
 
+[IMPORTANT]
+Red Hat does not support customized roles or policies. Syntax errors or misapplied authorization can negatively impact security or usability. If you need customized roles or policies in your production environment, contact Red Hat support for a support exception before you begin the adoption.
+
 After you adopt a {OpenStackPreviousInstaller}-based OpenStack deployment to a {rhos_long_noacro} deployment, the {identity_service} performs user authentication and authorization by using Secure RBAC (SRBAC). If SRBAC is already enabled, then there is no change to how you perform operations. If SRBAC is disabled, then adopting a {OpenStackPreviousInstaller}-based OpenStack deployment might change how you perform operations due to changes in API access policies.
 
 For more information on SRBAC, see link:{defaultURL}/performing_security_operations/assembly_srbac-in-rhoso_performing-security-services#assembly_srbac-in-rhoso_performing-security-services[Secure role based access control in Red Hat OpenStack Services on OpenShift] in _Performing security operations_.

docs_user/modules/proc_adopting-the-block-storage-service.adoc

@@ -168,9 +168,8 @@ Ensure that you use the same configuration group name for the driver that you us
 ====
 +
 . Configure the NetApp NFS Block Storage volume service:
-.. Create secrets that include sensitive information such as hostnames, passwords, and usernames to access the third-party NetApp NFS storage. You can find the credentials in the `cinder.conf` file that was generated from the {OpenStackPreviousInstaller} deployment.
+.. Create a secret that includes sensitive information such as hostnames, passwords, and usernames to access the third-party NetApp NFS storage. You can find the credentials in the `cinder.conf` file that was generated from the {OpenStackPreviousInstaller} deployment:
 +
-[source,yaml]
 ----
 $ oc apply -f - <<EOF
 apiVersion: v1
@@ -198,7 +197,9 @@ EOF
 $ oc patch openstackcontrolplane openstack --type=merge --patch-file=<cinder_netappNFS.patch>
 ----
 +
-* The following example shows a `cinder_netappNFS.patch` file that configures a NetApp NFS Block Storage volume service:
+* Replace `<cinder_netappNFS.patch>` with the name of the patch file for your NetApp NFS Block Storage volume back end.
++
+The following example shows a `cinder_netappNFS.patch` file that configures a NetApp NFS Block Storage volume service:
 +
 [source,yaml]
 ----
@@ -224,6 +225,59 @@ spec:
           customServiceConfigSecrets:
           - cinder-volume-ontap-secrets
 ----
++
+. Configure the NetApp iSCSI Block Storage volume service:
+.. Create a secret that includes sensitive information such as hostnames, passwords, and usernames to access the third-party NetApp iSCSI storage. You can find the credentials in the `cinder.conf` file that was generated from the {OpenStackPreviousInstaller} deployment:
++
+----
+$ oc apply -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    service: cinder
+    component: cinder-volume
+  name: cinder-volume-ontap-secrets
+type: Opaque
+stringData:
+  ontap-cinder-secrets: |
+    [tripleo_netapp]
+    netapp_server_hostname = netapp_host
+    netapp_login = netapp_username
+    netapp_password = netapp_password
+    netapp_vserver = netapp_vserver
+    netapp_pool_name_search_pattern=(netapp_poolpattern)
+EOF
+----
+. Patch the `OpenStackControlPlane` custom resource (CR) to deploy the NetApp iSCSI Block Storage volume back end:
++
+----
+$ oc patch openstackcontrolplane openstack --type=merge --patch-file=<cinder_netappISCSI.patch>
+----
++
+* Replace `<cinder_netappISCSI.patch>` with the name of the patch file for your NetApp iSCSI Block Storage volume back end.
++
+The following example shows a `cinder_netappISCSI.patch` file that configures a NetApp iSCSI Block Storage volume service:
++
+----
+spec:
+  cinder:
+    enabled: true
+    template:
+      cinderVolumes:
+        ontap-iscsi:
+          networkAttachments:
+            - storage
+          customServiceConfig: |
+            [tripleo_netapp]
+            volume_backend_name=ontap-iscsi
+            volume_driver=cinder.volume.drivers.netapp.common.NetAppDriver
+            netapp_storage_protocol=iscsi
+            netapp_storage_family=ontap_cluster
+            consistencygroup_support=True
+          customServiceConfigSecrets:
+            - cinder-volume-ontap-secrets
+----
 . Check if all the services are up and running:
 +
 ----

docs_user/modules/proc_installing-the-systemd-container-package-on-compute-hosts.adoc

@@ -4,11 +4,60 @@
 = Installing the `systemd-container` package on Compute hosts
 
 [role="_abstract"]
-Before you adopt the {rhos_long} data plane, you must install the `systemd-container` package on all the hypervisors on your Compute hosts. This procedure must be performed on one Compute host at a time.
+Before you adopt the {rhos_long} data plane, you must verify that the `systemd-container` package is installed and that `systemd-machined` is running on all the Compute hosts. You must install the `systemd-container` package on each Compute host that does not have this package.
 
 .Procedure
 
-. If your Compute host is running a virtual machine, live migrate the virtual machine from the host. For more information about live migration, see link:https://docs.redhat.com/en/documentation/red_hat_openstack_platform/17.1/html/performing_a_minor_update_of_red_hat_openstack_platform/assembly_rebooting-the-overcloud_keeping-updated#proc_rebooting-compute-nodes_rebooting-the-overcloud[Rebooting Compute nodes] in _Performing a minor update of Red Hat OpenStack Platform_.
+. Log in to the Compute node host as a user with the appropriate permissions.
+
+. List the instances that are running on the host:
++
+----
+$ sudo machinectl list
+----
++
+Sample output::
++
+----
+MACHINE                  CLASS SERVICE      OS VERSION ADDRESSES
+qemu-1-instance-000000b9 vm    libvirt-qemu -  -       -
+qemu-2-instance-000000c2 vm    libvirt-qemu -  -       -
+
+2 machines listed.
+----
+
+. Verify that the `systemd-machined` service is running:
++
+----
+$ sudo systemctl status systemd-machined.service
+----
++
+Sample output::
++
+----
+systemd-machined.service - Virtual Machine and Container Registration Service
+     Loaded: loaded (/usr/lib/systemd/system/systemd-machined.service; static)
+     Active: active (running) since Mon 2025-06-16 11:42:07 EDT; 2min 48s ago
+       Docs: man:systemd-machined.service(8)
+             man:org.freedesktop.machine1(5)
+   Main PID: 136614 (systemd-machine)
+     Status: "Processing requests..."
+      Tasks: 1 (limit: 838860)
+     Memory: 1.4M
+        CPU: 33ms
+     CGroup: /system.slice/systemd-machined.service
+             └─136614 /usr/lib/systemd/systemd-machined
+
+Jun 16 11:42:07 computehost001 systemd[1]: Starting Virtual Machine and Container Registration Service...
+Jun 16 11:42:07 computehost001 systemd[1]: Started Virtual Machine and Container Registration Service.
+Jun 16 11:43:44 computehost001 systemd-machined[136614]: New machine qemu-1-instance-000000b9.
+Jun 16 11:43:51 computehost001 systemd-machined[136614]: New machine qemu-2-instance-000000c2.
+----
++
+[IMPORTANT]
+If the `systemd-machined` service is running, skip the rest of this procedure. Ensure that you verify that the `systemd-machined` service is running each Compute node host in the cluster.
+
+. If the `systemd-machined` service is not running, before you can install the `systemd-container` package, live migrate all virtual machines from the host. For more information about live migration, see link:https://docs.redhat.com/en/documentation/red_hat_openstack_platform/17.1/html/performing_a_minor_update_of_red_hat_openstack_platform/assembly_rebooting-the-overcloud_keeping-updated#proc_rebooting-compute-nodes_rebooting-the-overcloud[Rebooting Compute nodes] in _Performing a minor update of Red Hat OpenStack Platform_.
 
 . Install the `systemd-container` on the host:
 ** If you upgraded your environment from an earlier version of {rhos_prev_long}, reboot the Compute host to automatically install the `systemd-container`.
@@ -20,4 +69,4 @@ $ sudo dnf -y install systemd-container
 [NOTE]
 If your Compute host is not running a virtual machine, you can install the `systemd-container` automatically or manually.
 
-. Repeat this procedure on each hypervisor one by one.
+. Repeat this procedure on each Compute host in the cluster where the `systemd-machined` service is not running.

docs_user/modules/proc_retrieving-topology-specific-service-configuration.adoc

@@ -35,9 +35,7 @@ $ for CELL in $(echo $CELLS); do
 >    TRIPLEO_PASSWORDS[$CELL]="$PASSWORD_FILE"
 > done
 ifeval::["{build_variant}" == "ospdo"]
-$ for CELL in $(echo $CELLS); do
->     oc get secret tripleo-passwords -o json | jq -r '.data["tripleo-overcloud-passwords.yaml"]' | base64 -d >"${TRIPLEO_PASSWORDS[$CELL]}"
-> done
+$ oc get secret tripleo-passwords -o json | jq -r '.data["tripleo-overcloud-passwords.yaml"]' | base64 -d >"${TRIPLEO_PASSWORDS[$CELLS]}"
 endif::[]
 $ declare -A SOURCE_DB_ROOT_PASSWORD
 $ for CELL in $(echo $CELLS); do

scenarios/uni02beta.yaml

@@ -38,7 +38,7 @@ stacks:
       - "--override-ansible-cfg /home/zuul/ansible_config.cfg"
       - "--templates /usr/share/openstack-tripleo-heat-templates"
       - "--libvirt-type qemu"
-      - "--timeout 90"
+      - "--timeout 120"
       - "--overcloud-ssh-user zuul"
       - "--deployed-server"
       - "--validation-warnings-fatal"

scenarios/uni04delta-ipv6.yaml

@@ -59,6 +59,8 @@ stacks:
       - "/usr/share/openstack-tripleo-heat-templates/environments/low-memory-usage.yaml"
       - "/usr/share/openstack-tripleo-heat-templates/environments/debug.yaml"
       - "/usr/share/openstack-tripleo-heat-templates/environments/enable-legacy-telemetry.yaml"
+      - "/usr/share/openstack-tripleo-heat-templates/environments/services/ironic-overcloud.yaml"
+      - "/usr/share/openstack-tripleo-heat-templates/environments/services/ironic-inspector.yaml"
       - "/usr/share/openstack-tripleo-heat-templates/environments/services/barbican.yaml"
       - "/usr/share/openstack-tripleo-heat-templates/environments/barbican-backend-simple-crypto.yaml"
     network_data_file: "uni04delta-ipv6/network_data.yaml.j2"
@@ -68,3 +70,15 @@ stacks:
     stack_nodes:
       - osp-computes
       - osp-controllers
+    post_oc_run:
+      - name: Ironic post overcloud deploy
+        type: playbook
+        source: adoption_ironic_post_oc.yml
+        extra_vars:
+          _subnet_ip_version: 6
+          _subnet_ipv6_address_mode: dhcpv6-stateful
+          _subnet_ipv6_ra_mode: dhcpv6-stateful
+          _subnet_range: 2620:cf:cf:ffff::0/64
+          _subnet_gateway: 2620:cf:cf:ffff::1
+          _subnet_alloc_pool_start: 2620:cf:cf:ffff::300
+          _subnet_alloc_pool_end: 2620:cf:cf:ffff::399

scenarios/uni04delta-ipv6/config_download.yaml

@@ -10,6 +10,7 @@ resource_registry:
   OS::TripleO::Controller::Ports::InternalApiPort: /usr/share/openstack-tripleo-heat-templates/network/ports/deployed_internal_api.yaml
   OS::TripleO::Controller::Ports::StoragePort: /usr/share/openstack-tripleo-heat-templates/network/ports/deployed_storage.yaml
   OS::TripleO::Controller::Ports::TenantPort: /usr/share/openstack-tripleo-heat-templates/network/ports/deployed_tenant.yaml
+  OS::TripleO::Controller::Ports::IronicPort: /usr/share/openstack-tripleo-heat-templates/network/ports/deployed_ironic.yaml
   OS::TripleO::Services::CeilometerAgentCentral: /usr/share/openstack-tripleo-heat-templates/deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml
   OS::TripleO::Services::CeilometerAgentNotification: /usr/share/openstack-tripleo-heat-templates/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml
   OS::TripleO::Services::CeilometerAgentIpmi: /usr/share/openstack-tripleo-heat-templates/deployment/ceilometer/ceilometer-agent-ipmi-container-puppet.yaml
@@ -88,5 +89,25 @@ parameter_defaults:
         host_routes: []
         name: ctlplane-subnet
         ip_version: 6
+  NeutronFlatNetworks:
+    - datacentre
+    - ironic
+  ControllerParameters:
+    NeutronBridgeMappings:
+      - datacentre:br-ex
+      - ironic:br-baremetal
   NeutronBridgeMappings:
     - datacentre:br-ex
+  IronicInspectorInterface: br-baremetal
+  IronicInspectorSubnets:
+    osp-controller-uni04delta-ipv6-0:
+      - ip_range: 2620:cf:cf:ffff::210,2620:cf:cf:ffff::219
+    osp-controller-uni04delta-ipv6-1:
+      - ip_range: 2620:cf:cf:ffff::220,2620:cf:cf:ffff::229
+    osp-controller-uni04delta-ipv6-2:
+      - ip_range: 2620:cf:cf:ffff::230,2620:cf:cf:ffff::239
+  ServiceNetMap:
+    IronicApiNetwork: ironic
+    IronicNetwork: ironic
+    IronicInspectorNetwork: ironic
+  IronicCleaningDiskErase: metadata

scenarios/uni04delta-ipv6/network_data.yaml.j2

@@ -59,7 +59,7 @@
   subnets:
     ironic_subnet:
       ipv6_subnet: 2620:cf:cf:ffff::/64
-      ipv6_allocation_pools: [{'start': '2620:cf:cf:ffff::30', 'end': '2620:cf:cf:ffff::70'}]
+      ipv6_allocation_pools: [{'start': '2620:cf:cf:ffff::100', 'end': '2620:cf:cf:ffff::250'}]
 
 - name: StorageMgmt
   mtu: 1500