[ATMOSPHERE-386] chore: sync vendor charts (#1767)



Reviewed-by: Mohammed Naser <mnaser@vexxhost.com>
diff --git a/.charts.yml b/.charts.yml
index 75dd2c2..01d122b 100644
--- a/.charts.yml
+++ b/.charts.yml
@@ -86,9 +86,13 @@
     repository:
       url: https://kubernetes.github.io/ingress-nginx
   - name: ironic
-    version: 0.2.14
+    version: 0.2.17
     repository: *openstack_helm_repository
     dependencies: *openstack_helm_dependencies
+    patches:
+      gerrit:
+        review.opendev.org:
+          - 925931
   - name: keycloak
     version: 21.4.1
     repository:
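Review bot: The new `patches.gerrit` entry under `ironic` identifies the upstream change only by its number, `925931`, with no patchset or commit hash next to it. If the sync tooling resolves that number to the latest patchset (not visible here, so this is an assumption), a later upload to the Gerrit change would alter the vendored chart without any edit to this file. Recording the reviewed revision would make the sync reproducible and auditable; at minimum add a comment such as `# 925931 patchset <N>: <summary of the change>` above the list item.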
diff --git a/charts/ironic/Chart.yaml b/charts/ironic/Chart.yaml
index 9a1a847..d5a1192 100644
--- a/charts/ironic/Chart.yaml
+++ b/charts/ironic/Chart.yaml
@@ -9,4 +9,4 @@
 sources:
 - https://opendev.org/openstack/ironic
 - https://opendev.org/openstack/openstack-helm
-version: 0.2.14
+version: 0.2.17
diff --git a/charts/ironic/templates/bin/_ironic-conductor-http-init.sh.tpl b/charts/ironic/templates/bin/_ironic-conductor-http-init.sh.tpl
deleted file mode 100644
index 7acce1a..0000000
--- a/charts/ironic/templates/bin/_ironic-conductor-http-init.sh.tpl
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/bash
-
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-set -ex
-
-if [ "x" == "x${PROVISIONER_INTERFACE}" ]; then
-  echo "Provisioner interface is not set"
-  exit 1
-fi
-
-function net_pxe_addr {
- ip addr | awk "/inet / && /${PROVISIONER_INTERFACE}/{print \$2; exit }"
-}
-function net_pxe_ip {
- echo $(net_pxe_addr) | awk -F '/' '{ print $1; exit }'
-}
-PXE_IP=$(net_pxe_ip)
-
-if [ "x" == "x${PXE_IP}" ]; then
-  echo "Could not find IP for pxe to bind to"
-  exit 1
-fi
-
-sed "s|OSH_PXE_IP|${PXE_IP}|g" /etc/nginx/nginx.conf > /tmp/pod-shared/nginx.conf
diff --git a/charts/ironic/templates/bin/_ironic-conductor-http.sh.tpl b/charts/ironic/templates/bin/_ironic-conductor-http.sh.tpl
deleted file mode 100644
index 6a97b41..0000000
--- a/charts/ironic/templates/bin/_ironic-conductor-http.sh.tpl
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-set -ex
-
-mkdir -p /var/lib/openstack-helm/httpboot
-cp -v /tmp/pod-shared/nginx.conf /etc/nginx/nginx.conf
-exec nginx -g 'daemon off;'
diff --git a/charts/ironic/templates/bin/_ironic-conductor-pxe-init.sh.tpl b/charts/ironic/templates/bin/_ironic-conductor-pxe-init.sh.tpl
deleted file mode 100644
index c70a2f0..0000000
--- a/charts/ironic/templates/bin/_ironic-conductor-pxe-init.sh.tpl
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/bin/bash
-
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-set -ex
-
-. /etc/os-release
-HOST_OS=${HOST_OS:="${ID}"}
-FILEPATH=${FILEPATH:-/usr/lib/ipxe}
-
-if [ "x$ID" == "xubuntu" ]; then
-  #NOTE(portdirect): this works around a limitation in Kolla images
-  if ! dpkg -l ipxe; then
-    apt-get update
-    apt-get install ipxe -y
-  fi
-
-  FILEPATH=/usr/lib/ipxe
-
-elif [ "x$ID" == "xcentos" ]; then
-
-  if ! yum list installed ipxe-bootimgs >/dev/null 2>&1; then
-    yum update --nogpgcheck -y
-    yum install ipxe-bootimgs syslinux-tftpboot --nogpgcheck -y
-  fi
-
-  FILEPATH=/usr/share/ipxe
-
-fi
-
-mkdir -p /var/lib/openstack-helm/tftpboot
-mkdir -p /var/lib/openstack-helm/tftpboot/master_images
-
-for FILE in undionly.kpxe ipxe.efi pxelinux.0 snponly.efi; do
-  if [ -f /usr/lib/ipxe/$FILE ]; then
-    cp -v /usr/lib/ipxe/$FILE /var/lib/openstack-helm/tftpboot
-  fi
-
-  # ipxe and pxe support for CentOS
-  if [ "x$ID" == "xcentos" ]; then
-    if [ -f /var/lib/tftpboot/$FILE ]; then
-      cp -v /var/lib/tftpboot/$FILE /var/lib/openstack-helm/tftpboot
-    fi
-    if [ -f /usr/share/ipxe/$FILE ]; then
-      cp -v /usr/share/ipxe/$FILE /var/lib/openstack-helm/tftpboot
-    fi
-  fi
-done
diff --git a/charts/ironic/templates/bin/_ironic-conductor-pxe.sh.tpl b/charts/ironic/templates/bin/_ironic-conductor-pxe.sh.tpl
deleted file mode 100644
index 19451ab..0000000
--- a/charts/ironic/templates/bin/_ironic-conductor-pxe.sh.tpl
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/bash
-
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-set -ex
-function net_pxe_addr {
- ip addr | awk "/inet / && /${PROVISIONER_INTERFACE}/{print \$2; exit }"
-}
-function net_pxe_ip {
- echo $(net_pxe_addr) | awk -F '/' '{ print $1; exit }'
-}
-PXE_IP=$(net_pxe_ip)
-
-if [ "x" == "x${PXE_IP}" ]; then
-  echo "Could not find IP for pxe to bind to"
-  exit 1
-fi
-
-ln -s /var/lib/openstack-helm/tftpboot /tftpboot
-exec /usr/sbin/in.tftpd \
-  --verbose \
-  --foreground \
-  --user root \
-  --address ${PXE_IP}:69 \
-  --map-file /tftp-map-file /tftpboot
diff --git a/charts/ironic/templates/configmap-bin.yaml b/charts/ironic/templates/configmap-bin.yaml
index e2c6de2..9666803 100644
--- a/charts/ironic/templates/configmap-bin.yaml
+++ b/charts/ironic/templates/configmap-bin.yaml
@@ -52,14 +52,14 @@
 {{ tuple "bin/_ironic-conductor.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   ironic-conductor-init.sh: |
 {{ tuple "bin/_ironic-conductor-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-  ironic-conductor-pxe.sh: |
-{{ tuple "bin/_ironic-conductor-pxe.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-  ironic-conductor-pxe-init.sh: |
-{{ tuple "bin/_ironic-conductor-pxe-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-  ironic-conductor-http.sh: |
-{{ tuple "bin/_ironic-conductor-http.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-  ironic-conductor-http-init.sh: |
-{{ tuple "bin/_ironic-conductor-http-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- if .Values.conductor.pxe.enabled }}
+{{ include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conductor.pxe.script "key" "ironic-conductor-pxe.sh") | indent 2 }}
+{{ include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conductor.pxe.init_script "key" "ironic-conductor-pxe-init.sh") | indent 2 }}
+{{ end }}
+{{- if .Values.conductor.http.enabled }}
+{{ include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conductor.http.script "key" "ironic-conductor-http.sh") | indent 2 }}
+{{ include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conductor.http.init_script "key" "ironic-conductor-http-init.sh") | indent 2 }}
+{{ end }}
   rabbit-init.sh: |
 {{- include "helm-toolkit.scripts.rabbit_init" . | indent 4 }}
 {{- end }}
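Review bot: The four conductor scripts are now read from `.Values.conductor.pxe.*` and `.Values.conductor.http.*` and rendered through `values_template_renderer`, but nothing here checks that a script is set when its `enabled` flag is true. An override that enables PXE or HTTP while blanking the script would presumably produce an empty or missing ConfigMap key, and the failure would only surface when the container starts. Wrapping the value makes the render fail early, e.g. `"template" (required "conductor.pxe.script must be set when conductor.pxe.enabled is true" .Values.conductor.pxe.script)`. Because these scripts run in a pod with `runAsUser: 0` (see the statefulset section of this commit), values overrides for this chart now carry executable content and deserve the same review as template changes. The enclosing `if`/`end` block starts outside the hunk.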
diff --git a/charts/ironic/templates/configmap-etc.yaml b/charts/ironic/templates/configmap-etc.yaml
index 395a2a4..8b25336 100644
--- a/charts/ironic/templates/configmap-etc.yaml
+++ b/charts/ironic/templates/configmap-etc.yaml
@@ -47,6 +47,32 @@
 {{- $_ := set .Values.conf.ironic.keystone_authtoken "memcache_secret_key" ( default ( randAlphaNum 64 ) .Values.endpoints.oslo_cache.auth.memcache_secret_key ) -}}
 {{- end -}}
 
+{{- if .Values.conf.ironic.service_user.send_service_user_token -}}
+
+{{- if empty .Values.conf.ironic.service_user.auth_url -}}
+{{- $_ := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.ironic.service_user "auth_url" -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.region_name -}}
+{{- $_ := set .Values.conf.ironic.service_user "region_name" .Values.endpoints.identity.auth.ironic.region_name -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.project_name -}}
+{{- $_ := set .Values.conf.ironic.service_user "project_name" .Values.endpoints.identity.auth.ironic.project_name -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.project_domain_name -}}
+{{- $_ := set .Values.conf.ironic.service_user "project_domain_name" .Values.endpoints.identity.auth.ironic.project_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.user_domain_name -}}
+{{- $_ := set .Values.conf.ironic.service_user "user_domain_name" .Values.endpoints.identity.auth.ironic.user_domain_name -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.username -}}
+{{- $_ := set .Values.conf.ironic.service_user "username" .Values.endpoints.identity.auth.ironic.username -}}
+{{- end -}}
+{{- if empty .Values.conf.ironic.service_user.password -}}
+{{- $_ := set .Values.conf.ironic.service_user "password" .Values.endpoints.identity.auth.ironic.password -}}
+{{- end -}}
+
+{{- end -}}
+
 {{- if empty .Values.conf.ironic.database.connection -}}
 {{- $_ := tuple "oslo_db" "internal" "ironic" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup"| set .Values.conf.ironic.database "connection" -}}
 {{- end -}}
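Review bot: When `send_service_user_token` is set, the empty `service_user` fields are filled from `.Values.endpoints.identity.auth.ironic`, including `password`, so the service token is issued to the same `ironic` account and its password is written into the rendered `conf.ironic` data. Two things are worth confirming because they sit outside this hunk: that the object this template emits is a Secret rather than a plain ConfigMap, and that the `ironic` user holds the role named by `service_token_roles` (the only role change visible in this commit is on the `glance` entry). A short template comment above the block would record the intent, for example `{{/* service_user falls back to the ironic identity credentials; that user needs the service role */}}`.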
diff --git a/charts/ironic/templates/statefulset-conductor.yaml b/charts/ironic/templates/statefulset-conductor.yaml
index 43be977..bcf6238 100644
--- a/charts/ironic/templates/statefulset-conductor.yaml
+++ b/charts/ironic/templates/statefulset-conductor.yaml
@@ -54,11 +54,16 @@
 {{ end }}
       securityContext:
         runAsUser: 0
+{{ if .Values.pod.useHostNetwork.conductor }}
       hostNetwork: True
-      hostIPC: True
       dnsPolicy: ClusterFirstWithHostNet
+{{ end }}
+{{ if .Values.pod.useHostIPC.conductor }}
+      hostIPC: True
+{{ end }}
       initContainers:
 {{ tuple $envAll "conductor" $mounts_ironic_conductor_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{- if $envAll.Values.conductor.pxe.enabled }}
         - name: ironic-conductor-pxe-init
 {{ tuple $envAll "ironic_pxe_init" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
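Review bot: `hostNetwork` and `hostIPC` become switchable here, but the pod-level `runAsUser: 0` is untouched and both new toggles default to `true` in values.yaml, so the default conductor pod still runs as root in the node's network and IPC namespaces. Nothing in the commit says why host IPC is needed, so a comment next to the new value would help operators decide, for example `# conductor shares the node IPC namespace when true; disable if not required`. As a style point, the two new blocks use `{{ if ... }}` / `{{ end }}` without whitespace trimming, while the other conditionals added in this file use `{{- if ... }}` / `{{- end }}`; the untrimmed form leaves blank lines in the rendered pod spec. The pod spec continues outside the hunk.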
@@ -73,6 +78,7 @@
               readOnly: true
             - name: pod-data
               mountPath: /var/lib/openstack-helm
+{{- end }}
         - name: ironic-conductor-init
 {{ tuple $envAll "ironic_conductor" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@@ -90,6 +96,7 @@
               readOnly: true
             - name: pod-shared
               mountPath: /tmp/pod-shared
+{{- if $envAll.Values.conductor.http.enabled }}
         - name: ironic-conductor-http-init
 {{ tuple $envAll "ironic_conductor" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@@ -111,6 +118,7 @@
               readOnly: true
             - name: pod-shared
               mountPath: /tmp/pod-shared
+{{- end }}
 {{- if and (.Values.bootstrap.object_store.enabled) (.Values.bootstrap.object_store.openstack.enabled) }}
         - name: ironic-retrive-swift-config
 {{ tuple $envAll "ironic_retrive_swift_config" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -198,6 +206,7 @@
             - name: pod-data
               mountPath: /var/lib/openstack-helm
 {{ if $mounts_ironic_conductor.volumeMounts }}{{ toYaml $mounts_ironic_conductor.volumeMounts | indent 12 }}{{ end }}
+{{- if $envAll.Values.conductor.pxe.enabled }}
         - name: ironic-conductor-pxe
 {{ tuple $envAll "ironic_pxe" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@@ -221,6 +230,8 @@
               readOnly: true
             - name: pod-data
               mountPath: /var/lib/openstack-helm
+{{- end }}
+{{- if $envAll.Values.conductor.http.enabled }}
         - name: ironic-conductor-http
 {{ tuple $envAll "ironic_pxe_http" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
@@ -239,6 +250,7 @@
             - name: pod-data
               mountPath: /var/lib/openstack-helm
 {{ if $mounts_ironic_conductor.volumeMounts }}{{ toYaml $mounts_ironic_conductor.volumeMounts | indent 12 }}{{ end }}
+{{- end }}
       volumes:
         - name: pod-tmp
           emptyDir: {}
diff --git a/charts/ironic/values.yaml b/charts/ironic/values.yaml
index 07f5c0a..a94bc3f 100644
--- a/charts/ironic/values.yaml
+++ b/charts/ironic/values.yaml
@@ -50,7 +50,7 @@
     ironic_pxe: docker.io/openstackhelm/ironic:2024.1-ubuntu_jammy
     ironic_pxe_init: docker.io/openstackhelm/ironic:2024.1-ubuntu_jammy
     ironic_pxe_http: docker.io/nginx:1.13.3
-    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+    dep_check: quay.io/airshipit/kubernetes-entrypoint:latest-ubuntu_focal
     image_repo_sync: docker.io/docker:17.07.0
   pull_policy: "IfNotPresent"
   local_registry:
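Review bot: The `dep_check` image moves from the fixed tag `v1.0.0` to the floating tag `latest-ubuntu_focal`, so the init container's content can change upstream without any change to this chart. With `pull_policy: "IfNotPresent"` on the line below, nodes that pulled at different times can also run different builds under the same tag. Pinning to a digest keeps the dependency check reproducible, e.g. `dep_check: quay.io/airshipit/kubernetes-entrypoint@sha256:<digest of the reviewed image>`.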
@@ -119,6 +119,8 @@
     inspector:
       auth_type: password
     keystone_authtoken:
+      service_token_roles: service
+      service_token_roles_required: true
       auth_type: password
       auth_version: v3
     neutron:
@@ -136,6 +138,9 @@
       ipxe_enabled: true
     service_catalog:
       auth_type: password
+    service_user:
+      auth_type: password
+      send_service_user_token: true
     swift:
       auth_url: null
     oslo_policy:
@@ -201,6 +206,79 @@
       format: "%(message)s"
       datefmt: "%Y-%m-%d %H:%M:%S"
 
+conductor:
+  http:
+    enabled: true
+    init_script: |
+      #!/bin/bash
+      set -ex
+      if [ "x" == "x${PROVISIONER_INTERFACE}" ]; then
+        echo "Provisioner interface is not set"
+        exit 1
+      fi
+
+      function net_pxe_addr {
+       ip addr | awk "/inet / && /${PROVISIONER_INTERFACE}/{print \$2; exit }"
+      }
+      function net_pxe_ip {
+       echo $(net_pxe_addr) | awk -F '/' '{ print $1; exit }'
+      }
+      PXE_IP=$(net_pxe_ip)
+
+      if [ "x" == "x${PXE_IP}" ]; then
+        echo "Could not find IP for pxe to bind to"
+        exit 1
+      fi
+
+      sed "s|OSH_PXE_IP|${PXE_IP}|g" /etc/nginx/nginx.conf > /tmp/pod-shared/nginx.conf
+    script: |
+      #!/bin/bash
+      set -ex
+      mkdir -p /var/lib/openstack-helm/httpboot
+      cp -v /tmp/pod-shared/nginx.conf /etc/nginx/nginx.conf
+      exec nginx -g 'daemon off;'
+  pxe:
+    enabled: true
+    init_script: |
+      #!/bin/bash
+      set -ex
+      # default to Ubuntu path
+      FILEPATH=${FILEPATH:-/usr/lib/ipxe}
+
+      mkdir -p /var/lib/openstack-helm/tftpboot
+      mkdir -p /var/lib/openstack-helm/tftpboot/master_images
+
+      for FILE in undionly.kpxe ipxe.efi pxelinux.0 snponly.efi; do
+        # copy in default file
+        if [ -f $FILEPATH/$FILE ]; then
+          cp -v $FILEPATH/$FILE /var/lib/openstack-helm/tftpboot
+        fi
+
+      done
+    script: |
+      #!/bin/bash
+      set -ex
+      function net_pxe_addr {
+       ip addr | awk "/inet / && /${PROVISIONER_INTERFACE}/{print \$2; exit }"
+      }
+      function net_pxe_ip {
+       echo $(net_pxe_addr) | awk -F '/' '{ print $1; exit }'
+      }
+      PXE_IP=$(net_pxe_ip)
+
+      if [ "x" == "x${PXE_IP}" ]; then
+        echo "Could not find IP for pxe to bind to"
+        exit 1
+      fi
+
+      ln -s /var/lib/openstack-helm/tftpboot /tftpboot
+      exec /usr/sbin/in.tftpd \
+        --verbose \
+        --foreground \
+        --user root \
+        --address ${PXE_IP}:69 \
+        --map-file /tftp-map-file /tftpboot
+
 network:
   pxe:
     device: ironic-pxe
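Review bot: In `conductor.http.init_script` and `conductor.pxe.script`, `net_pxe_addr` splices `${PROVISIONER_INTERFACE}` into an awk regular expression that is matched against every `inet` line of `ip addr`, so a name such as `eth1` also matches `eth10`, and any regex metacharacter in the variable changes the pattern. Asking `ip` for the device directly avoids both: `ip -o -4 addr show dev "${PROVISIONER_INTERFACE}" | awk '{print $4; exit}'`. The resulting address is then used unquoted in `--address ${PXE_IP}:69` and in the `sed` replacement, so quoting it (`--address "${PXE_IP}:69"`) is worth doing at the same time. `in.tftpd` is also started with `--user root`, which keeps the TFTP daemon privileged on what is by default the host network; an unprivileged account would be safer if the image provides one.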
@@ -398,7 +476,7 @@
         user_domain_name: default
         project_domain_name: default
       glance:
-        role: admin
+        role: admin,service
         region_name: RegionOne
         username: glance
         password: password
@@ -703,6 +781,10 @@
         limits:
           memory: "1024Mi"
           cpu: "2000m"
+  useHostNetwork:
+    conductor: true
+  useHostIPC:
+    conductor: true
 
 network_policy:
   ironic:
diff --git a/charts/libvirt/templates/daemonset-libvirt.yaml b/charts/libvirt/templates/daemonset-libvirt.yaml
index 34aebed..325f061 100644
--- a/charts/libvirt/templates/daemonset-libvirt.yaml
+++ b/charts/libvirt/templates/daemonset-libvirt.yaml
@@ -281,6 +281,8 @@
 {{ tuple $envAll "libvirt_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.libvirt_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "libvirt" "container" "libvirt_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+          args:
+            - "--libvirt.nova"
           ports:
             - name: metrics
               protocol: TCP
@@ -299,8 +301,6 @@
               {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
               mountPropagation: Bidirectional
               {{- end }}
-          args:
-            - "--libvirt.nova"
         {{- end }}
       volumes:
         - name: etc-pki-qemu
diff --git a/charts/patches/libvirt/0002-enable-nova-metadata-parser.patch b/charts/patches/libvirt/0002-enable-nova-metadata-parser.patch
new file mode 100644
index 0000000..7a66aff
--- /dev/null
+++ b/charts/patches/libvirt/0002-enable-nova-metadata-parser.patch
@@ -0,0 +1,13 @@
+diff --git a/libvirt/templates/daemonset-libvirt.yaml b/libvirt/templates/daemonset-libvirt.yaml
+index 4a0b128..f8686d1 100644
+--- a/libvirt/templates/daemonset-libvirt.yaml
++++ b/libvirt/templates/daemonset-libvirt.yaml
+@@ -281,6 +281,8 @@
+ {{ tuple $envAll "libvirt_exporter" | include "helm-toolkit.snippets.image" | indent 10 }}
+ {{ tuple $envAll $envAll.Values.pod.resources.libvirt_exporter | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+ {{ dict "envAll" $envAll "application" "libvirt" "container" "libvirt_exporter" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
++          args:
++            - "--libvirt.nova"
+           ports:
+             - name: metrics
+               protocol: TCP