Add control plane deployment

K8s control plane is deployed by KubeadmControlPlane controller. This
controller creates CAPI machines and infrastructure objects
(Metal3Machine). Metal3Machine objects are created based on a template
which contins host selector label. Control plane label is assigned to a
particular BareMetalHots object defined inside of the shared
kustomization.

Relates-To: #149
Closes: #221
Change-Id: I3be1750aacf9736ece2944045c036f405e404561

manifests/function/baremetal-operator/config-file/ironic.conf

@@ -55,3 +55,5 @@ tftp_root = /shared/tftpboot
 uefi_pxe_config_template = $pybasedir/drivers/modules/ipxe_config.template
 [redfish]
 use_swift = false
+[service_catalog]
+endpoint_override = http://$(PROVISIONING_IP):6385

manifests/function/k8scontrol/cluster.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: cluster.x-k8s.io/v1alpha3
+kind: Cluster
+metadata:
+  name: target-cluster
+spec:
+  clusterNetwork:
+    services:
+      cidrBlocks: ["10.96.0.0/12"]
+    pods:
+      cidrBlocks: ["192.168.0.0/18"]
+    serviceDomain: "cluster.local"
+  infrastructureRef:
+    apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
+    kind: Metal3Cluster
+    name: target-cluster
+  controlPlaneRef:
+    kind: KubeadmControlPlane
+    apiVersion: controlplane.cluster.x-k8s.io/v1alpha3
+    name: cluster-controlplane
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
+kind: Metal3Cluster
+metadata:
+  name: target-cluster
+spec:
+  controlPlaneEndpoint:
+    host: 10.23.25.102
+    port: 6443
+  noCloudProvider: true

manifests/function/k8scontrol/controlplane.yaml

@@ -0,0 +1,52 @@
+kind: KubeadmControlPlane
+apiVersion: controlplane.cluster.x-k8s.io/v1alpha3
+metadata:
+  name: cluster-controlplane
+spec:
+  replicas: 1
+  version: v1.17.0
+  infrastructureTemplate:
+    kind: Metal3MachineTemplate
+    apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
+    name: cluster-controlplane
+  kubeadmConfigSpec:
+    preKubeadmCommands:
+      - wget -O "/usr/bin/konfigadm" https://github.com/flanksource/konfigadm/releases/download/v0.5.3/konfigadm && chmod +x "/usr/bin/konfigadm"
+      - konfigadm apply --config=/konfigadm.yml
+    initConfiguration:
+      nodeRegistration:
+        name: '{{ ds.meta_data.local_hostname }}'
+        kubeletExtraArgs:
+          node-labels: 'metal3.io/uuid={{ ds.meta_data.uuid }}'
+    joinConfiguration:
+      controlPlane: {}
+      nodeRegistration:
+        name: '{{ ds.meta_data.local_hostname }}'
+        kubeletExtraArgs:
+          node-labels: 'metal3.io/uuid={{ ds.meta_data.uuid }}'
+    postKubeadmCommands:
+      - kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f https://docs.projectcalico.org/v3.9/manifests/calico.yaml
+    files:
+      - path: /konfigadm.yml
+        owner: root:root
+        permissions: "0640"
+        content: |
+          kubernetes:
+            version: 1.17.3
+          container_runtime:
+            type: docker
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
+kind: Metal3MachineTemplate
+metadata:
+  name: cluster-controlplane
+spec:
+  template:
+    spec:
+      image:
+        # NOTE (dukov) this should be overridden on lower levels
+        url: https://cloud-images.ubuntu.com/xenial/current/xenial-server-cloudimg-amd64-disk1.img
+        checksum: 4a6909d1480ac30d676accd7b37ec711
+      hostSelector:
+        matchLabels:
+          airshipit.org/k8s-role: controlplane-host

manifests/function/k8scontrol/kustomization.yaml

@@ -0,0 +1,3 @@
+resources:
+  - cluster.yaml
+  - controlplane.yaml

manifests/site/test-site/ephemeral/controlplane/control-machine-template-patch.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha3
+kind: Metal3MachineTemplate
+metadata:
+  name: cluster-controlplane
+spec:
+  template:
+    spec:
+      image:
+        url: http://10.23.24.1:8099/target-image.qcow2
+        checksum: http://10.23.24.1:8099/target-image.qcow2.md5sum

manifests/site/test-site/ephemeral/controlplane/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # TODO (dukov) It's recocommended to upload BareMetalHost objects separately
+  # otherwise nodes will hang in 'registering' state for quite a long time
+  - nodes
+  - ../../../../function/k8scontrol
+patchesStrategicMerge:
+  - control-machine-template-patch.yaml

manifests/site/test-site/ephemeral/controlplane/nodes/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../shared/baremetalhost/node01
+commonLabels:
+  airshipit.org/k8s-role: controlplane-host

manifests/site/test-site/shared/baremetalhost/node01/baremetalhost.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: metal3.io/v1alpha1
+kind: BareMetalHost
+metadata:
+  name: node01
+spec:
+  bmc:
+    address: redfish+http://10.23.25.1:8000/redfish/v1/Systems/air-target-1
+    credentialsName: node01-bmc
+  online: false
+  bootMACAddress: 52:54:00:b6:ed:31
+  networkData:
+    name: node01-netdata
+    namespace: default

manifests/site/test-site/shared/baremetalhost/node01/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - baremetalhost.yaml
+
+generatorOptions:
+  disableNameSuffixHash: true
+
+secretGenerator:
+  - name: node01-netdata
+    files:
+      - networkData
+  - name: node01-bmc
+    literals:
+      - username=root
+      - password=r00tme

manifests/site/test-site/shared/baremetalhost/node01/networkData

@@ -0,0 +1,31 @@
+links:
+- id: oam0
+  name: oam0
+  type: phy
+  ethernet_mac_address: 52:54:00:9b:27:4c
+  mtu: "1500"
+- id: pxe0
+  name: pxe0
+  type: phy
+  ethernet_mac_address: 52:54:00:b6:ed:31
+  mtu: "1500"
+networks:
+- id: private-ipv4
+  type: ipv4
+  link: oam0
+  ip_address: 10.23.25.102
+  netmask: 255.255.255.0
+  routes:
+    - network: 0.0.0.0
+      netmask: 0.0.0.0
+      gateway: 10.23.25.1
+- id: private-ipv4
+  type: ipv4
+  link: pxe0
+  ip_address: 10.23.24.102
+  netmask: 255.255.255.0
+services:
+- address: 8.8.8.8
+  type: dns
+- address: 8.8.4.4
+  type: dns

playbooks/airship-airshipctl-build-gate.yaml

@@ -15,14 +15,27 @@
     LIBVIRT_DEFAULT_URI: qemu:///system
 
   tasks:
-    - name: read ip map
+    - name: set default vars
+      set_fact:
+        var_files_default:
+          - airship-ipam.yaml
+          - test-config.yaml
+
+    - name: read test variables
       include_vars:
-        file: vars/airship-ipam.yaml
+        file: "vars/{{ var_file }}"
+      with_items: "{{ var_files | default(var_files_default) }}"
+      loop_control:
+        loop_var: var_file
 
     - name: docker install
       include_role:
         name: docker-install
 
+    - name: install kustomize
+      include_role:
+        name: install-kustomize
+
     - name: make sure serve directory exists
       file:
         dest: "{{ serve_dir }}"
@@ -31,6 +44,60 @@
         owner: "{{ ansible_user }}"
       become: yes
 
+    - name: get BareMetalHost from model
+      block:
+        - name: clone document model
+          command: git clone -q {{ airship_config_primary_repo_url }} {{ remote_work_dir }}/airshipctl
+          when: remote_work_dir is defined
+        - name: get BareMetalHost objects
+          shell: |
+            set -e
+            kustomize build {{ airship_config_manifest_directory }}/{{ airship_config_site_path }}/ephemeral/controlplane |
+            kustomize config grep  "kind=BareMetalHost"
+          register: bmh_command
+          failed_when: "bmh_command.stdout == ''"
+          environment:
+            KUSTOMIZE_ENABLE_ALPHA_COMMANDS: "true"
+        - set_fact:
+            bmh: "{{ bmh_command.stdout | from_yaml_all | list }}"
+        - name: get network configuration for BareMetalHost objects
+          shell: |
+            set -e
+            kustomize build {{ airship_config_manifest_directory }}/{{ airship_config_site_path }}/ephemeral/controlplane |
+            kustomize config grep  "metadata.name={{ item.spec.networkData.name }}"
+          register: netdata_command
+          failed_when: "bmh_command.stdout == ''"
+          environment:
+            KUSTOMIZE_ENABLE_ALPHA_COMMANDS: "true"
+          with_items: "{{ bmh }}"
+        - name: get links from network data per BareMetalHost object
+          set_fact:
+            links: |
+              {{
+                netdata_command.results |
+                  map(attribute='stdout')| map('from_yaml') |
+                  map(attribute='data.networkData') | map('b64decode') | map('from_yaml') |
+                  map(attribute='links') | list
+              }}
+        - name: define list of VM mac addresses
+          set_fact:
+            vm_nic: "{{ dict(['nat_mac', 'provision_mac'] | zip([nat_mac_list[0], item.spec.bootMACAddress])) }}"
+          vars:
+            nat_mac_list: |
+              {{
+                links[idx] |
+                  rejectattr('ethernet_mac_address', 'undefined') |
+                  selectattr('ethernet_mac_address', '!=', item.spec.bootMACAddress) |
+                  map(attribute='ethernet_mac_address') | list
+              }}
+          failed_when: nat_mac_list | length == 0
+          loop: "{{ bmh }}"
+          loop_control:
+            index_var: idx
+          register: vm_nic_fact
+        - set_fact:
+            target_vm_nics: "{{ vm_nic_fact.results | map(attribute='ansible_facts.vm_nic') | list }}"
+
     - name: deploy-gate
       include_role:
         name: airship-libvirt-gate
@@ -44,19 +111,21 @@
             name: "default"
         airship_gate_flavors:
           medium:
-            target_vm_memory_mb: 1024
-            target_vm_vcpus: 1
+            target_vm_memory_mb: 4096
+            target_vm_vcpus: 2
             ephemeral_vm_memory_mb: 6124
             ephemeral_vm_vcpus: 4
             ephemeral_disk_size: 20G
             target_disk_size: 10G
             disk_format: qcow2
             target_vms_count: 1
+            target_vm_nics: "{{ target_vm_nics }}"
         airship_gate_file_exchanger:
-          servername: "loacalhost"
+          servername: "localhost"
           ip:
           - "127.0.0.1"
           - "::1"
+          - "{{ airship_gate_ipam.provision_network.bridge_ip }}"
           http_port: "{{ serve_port }}"
           path: "{{ serve_dir }}"
           user:
@@ -74,4 +143,3 @@
               - writers
             default:
               all: granted
-

playbooks/airship-airshipctl-test-runner.yaml

@@ -24,6 +24,7 @@
           - airshipctl-deploy-ephemeral-node
           - airshipctl-cluster-init-ephemeral
           - airshipctl-phase-apply-initinfra
+          - airshipctl-phase-controlplane
         var_files_default:
           - local-dev.yaml
           - airship-ipam.yaml

playbooks/vars/test-config.yaml

@@ -12,9 +12,11 @@
 
 airship_config_action: generate
 airship_config_iso_gen_target_path: "{{ serve_dir }}"
+airship_config_primary_repo_url: "https://review.opendev.org/airship/airshipctl"
 airship_config_manifest_directory: "{{ remote_work_dir | default(zuul.project.src_dir) | default(local_src_dir) }}"
 airship_config_ephemeral_ip: "{{ airship_gate_ipam.nat_network.ephemeral_ip }}"
 airship_config_iso_builder_docker_image: "quay.io/airshipit/isogen:latest-debian_stable"
+airship_config_site_path: manifests/site/test-site
 airship_config_ca_data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNU1USXlOakE0TWpneU5Gb1hEVEk1TVRJeU16QTRNamd5TkZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTTFSClM0d3lnajNpU0JBZjlCR0JUS1p5VTFwYmdDaGQ2WTdJektaZWRoakM2K3k1ZEJpWm81ZUx6Z2tEc2gzOC9YQ1MKenFPS2V5cE5RcDN5QVlLdmJKSHg3ODZxSFZZNjg1ZDVYVDNaOHNyVVRzVDR5WmNzZHAzV3lHdDM0eXYzNi9BSQoxK1NlUFErdU5JemN6bzNEdWhXR0ZoQjk3VjZwRitFUTBlVWN5bk05c2hkL3AwWVFzWDR1ZlhxaENENVpzZnZUCnBka3UvTWkyWnVGUldUUUtNeGpqczV3Z2RBWnBsNnN0L2ZkbmZwd1Q5cC9WTjRuaXJnMEsxOURTSFFJTHVrU2MKb013bXNBeDJrZmxITWhPazg5S3FpMEloL2cyczRFYTRvWURZemt0Y2JRZ24wd0lqZ2dmdnVzM3pRbEczN2lwYQo4cVRzS2VmVGdkUjhnZkJDNUZNQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJek9BL00xWmRGUElzd2VoWjFuemJ0VFNURG4KRHMyVnhSV0VnclFFYzNSYmV3a1NkbTlBS3MwVGR0ZHdEbnBEL2tRYkNyS2xEeFF3RWg3NFZNSFZYYkFadDdsVwpCSm90T21xdXgxYThKYklDRTljR0FHRzFvS0g5R29jWERZY0JzOTA3ckxIdStpVzFnL0xVdG5hN1dSampqZnBLCnFGelFmOGdJUHZIM09BZ3B1RVVncUx5QU8ya0VnelZwTjZwQVJxSnZVRks2TUQ0YzFmMnlxWGxwNXhrN2dFSnIKUzQ4WmF6d0RmWUVmV3Jrdld1YWdvZ1M2SktvbjVEZ0Z1ZHhINXM2Snl6R3lPVnZ0eG1TY2FvOHNxaCs3UXkybgoyLzFVcU5ZK0hlN0x4d04rYkhwYkIxNUtIMTU5ZHNuS3BRbjRORG1jSTZrVnJ3MDVJMUg5ZGRBbGF0bz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
 airship_config_client_cert_data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQwRENDQXJnQ0ZFdFBveEZYSjVrVFNWTXQ0OVlqcHBQL3hCYnlNQTBHQ1NxR1NJYjNEUUVCQ3dVQU1CVXgKRXpBUkJnTlZCQU1UQ210MVltVnlibVYwWlhNd0hoY05NakF3TVRJME1Ua3hOVEV3V2hjTk1qa3hNakF5TVRreApOVEV3V2pBME1Sa3dGd1lEVlFRRERCQnJkV0psY201bGRHVnpMV0ZrYldsdU1SY3dGUVlEVlFRS0RBNXplWE4wClpXMDZiV0Z6ZEdWeWN6Q0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQU1iaFhUUmsKVjZiZXdsUjBhZlpBdTBGYWVsOXRtRThaSFEvaGtaSHhuTjc2bDZUUFltcGJvaDRvRjNGMFFqbzROS1o5NVRuWgo0OWNoV240eFJiZVlPU25EcDBpV0Qzd0pXUlZ5aVFvVUFyYTlNcHVPNkVFU1FpbFVGNXNxc0VXUVdVMjBETStBCkdxK1k0Z2c3eDJ1Q0hTdk1GUmkrNEw5RWlXR2xnRDIvb1hXUm5NWEswNExQajZPb3Vkb2Zid2RmT3J6dTBPVkUKUzR0eGtuS1BCY1BUU3YxMWVaWVhja0JEVjNPbExENEZ3dTB3NTcwcnczNzAraEpYdlZxd3Zjb2RjZjZEL1BXWQowamlnd2ppeUJuZ2dXYW04UVFjd1Nud3o0d05sV3hKOVMyWUJFb1ptdWxVUlFaWVk5ZXRBcEpBdFMzTjlUNlQ2ClovSlJRdEdhZDJmTldTYkxEck5qdU1OTGhBYWRMQnhJUHpBNXZWWk5aalJkdEMwU25pMlFUMTVpSFp4d1RxcjQKakRQQ0pYRXU3KytxcWpQVldUaUZLK3JqcVNhS1pqVWZVaUpHQkJWcm5RZkJENHNtRnNkTjB5cm9tYTZOYzRMNQpKS21RV1NHdmd1aG0zbW5sYjFRaVRZanVyZFJQRFNmdmwrQ0NHbnA1QkkvZ1pwMkF1SHMvNUpKVTJlc1ZvL0xsCkVPdHdSOXdXd3dXcTAvZjhXS3R4bVRrMTUyOUp2dFBGQXQweW1CVjhQbHZlYnVwYmJqeW5pL2xWbTJOYmV6dWUKeCtlMEpNbGtWWnFmYkRSS243SjZZSnJHWW1CUFV0QldoSVkzb1pJVTFEUXI4SUlIbkdmYlZoWlR5ME1IMkFCQQp1dlVQcUtSVk80UGkxRTF4OEE2eWVPeVRDcnB4L0pBazVyR2RBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFECmdnRUJBSWNFM1BxZHZDTVBIMnJzMXJESk9ESHY3QWk4S01PVXZPRi90RjlqR2EvSFBJbkh3RlVFNEltbldQeDYKVUdBMlE1bjFsRDFGQlU0T0M4eElZc3VvS1VQVHk1T0t6SVNMNEZnL0lEcG54STlrTXlmNStMR043aG8rblJmawpCZkpJblVYb0tERW1neHZzSWFGd1h6bGtSTDJzL1lKYUZRRzE1Uis1YzFyckJmd2dJOFA5Tkd6aEM1cXhnSmovCm04K3hPMGhXUmJIYklrQ21NekRib2pCSWhaL00rb3VYR1doei9TakpodXhZTVBnek5MZkFGcy9PMTVaSjd3YXcKZ3ZoSGc3L2E5UzRvUCtEYytPa3VrMkV1MUZjL0E5WHpWMzc5aWhNWW5ub3RQMldWeFZ3b0ZZQUg0NUdQcDZsUApCQmwyNnkxc2JMbjl6aGZYUUJIMVpFN0EwZVE9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
 airship_config_client_key_data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0VBeHVGZE5HUlhwdDdDVkhScDlrQzdRVnA2WDIyWVR4a2REK0dSa2ZHYzN2cVhwTTlpCmFsdWlIaWdYY1hSQ09qZzBwbjNsT2RuajF5RmFmakZGdDVnNUtjT25TSllQZkFsWkZYS0pDaFFDdHIweW00N28KUVJKQ0tWUVhteXF3UlpCWlRiUU16NEFhcjVqaUNEdkhhNElkSzh3VkdMN2d2MFNKWWFXQVBiK2hkWkdjeGNyVApncytQbzZpNTJoOXZCMTg2dk83UTVVUkxpM0dTY284Rnc5TksvWFY1bGhkeVFFTlhjNlVzUGdYQzdURG52U3ZECmZ2VDZFbGU5V3JDOXloMXgvb1A4OVpqU09LRENPTElHZUNCWnFieEJCekJLZkRQakEyVmJFbjFMWmdFU2htYTYKVlJGQmxoajE2MENra0MxTGMzMVBwUHBuOGxGQzBacDNaODFaSnNzT3MyTzR3MHVFQnAwc0hFZy9NRG05VmsxbQpORjIwTFJLZUxaQlBYbUlkbkhCT3F2aU1NOElsY1M3djc2cXFNOVZaT0lVcjZ1T3BKb3BtTlI5U0lrWUVGV3VkCkI4RVBpeVlXeDAzVEt1aVpybzF6Z3Zra3FaQlpJYStDNkdiZWFlVnZWQ0pOaU82dDFFOE5KKytYNElJYWVua0UKaitCbW5ZQzRlei9ra2xUWjZ4V2o4dVVRNjNCSDNCYkRCYXJUOS94WXEzR1pPVFhuYjBtKzA4VUMzVEtZRlh3KwpXOTV1Nmx0dVBLZUwrVldiWTF0N081N0g1N1FreVdSVm1wOXNORXFmc25wZ21zWmlZRTlTMEZhRWhqZWhraFRVCk5DdndnZ2VjWjl0V0ZsUExRd2ZZQUVDNjlRK29wRlU3ZytMVVRYSHdEcko0N0pNS3VuSDhrQ1Rtc1owQ0F3RUEKQVFLQ0FnQUJ2U1N3ZVpRZW5HSDhsUXY4SURMQzdvU1ZZd0xxNWlCUDdEdjJsN00wYStKNWlXcWwzV2s4ZEVOSQpOYWtDazAwNmkyMCtwVDROdW5mdEZJYzBoTHN6TjBlMkpjRzY1dVlGZnZ2ZHY3RUtZZnNZU3hhU3d4TWJBMlkxCmNCa2NjcGVsUzBhMVpieFYvck16T1RxVUlRNGFQTzJPU3RUeU55b3dWVjhhcXh0QlNPV2pBUlA2VjlBOHNSUDIKNlVGeVFnM2thdjRla3d0S0M5TW85MEVvcGlkSXNnYy9IYk5kQm5tMFJDUnY0bU1DNmVPTXp0NGx0UVNldG0rcwpaRkUwZkM5cjkwRjE4RUVlUjZHTEYxdGhIMzlKTWFFcjYrc3F6TlZXU1VPVGxNN2M5SE55QTJIcnJudnhVUVNOCmF3SkZWSEFOY1hJSjBqcW9icmR6MTdMbGtIRVFGczNLdjRlcDR3REJKMlF0eisxdUFvY1JoV3ZSaWJxWEQ3THgKVmpPdGRyT1h3ZFQxY2ZrKzZRc1RMWUFKR3ptdDdsY1M2QjNnYzJHWmNJWGwyNVlqTUQ1ZVhpa1dEc3hYWmt1UAorb3MzVGhxeGZIS25ITmxtYk9SSVpDMW92Q1NkSTRWZVpzalk0MUs5K0dNaXdXSk1kektpRkp3NlR2blRSUldTCkxod2EzUTlBVmMvTEg0SC9PbU9qWDc0QTNZSWwrRDFVUHd3VzAvMmw4S3BNM0VWZ21XalJMV1ZIRnBNTGJNSlcKZVZKd3dKUmF3bWZLdHZ6bU9KRHlhTXJJblhqTDMvSE1EaWtwU3JhRzFyTnc1SUozOXJZdEFIUUQ1L1VuZlRkSApLNXVjakVucTdPdDMyR1ozcHJvRTU1ZGFBY0hQbktuOGpYZ1ZKTUQyOWh5cEZvL2ZRUUtDQVFFQStBbjRoSDFFCm9GK3FlcWlvYXR3N2cwaVdQUDNCeklxOEZWbWtsRlZBYVF5U28wU2QxWFBybmErR0RFQVd0cHlsVjF5ZkZkR2oKSHc4YXU5NnpUZnRuNWZCRkQxWG1NTkNZeTcrM293V3ArK1NwYUMvMTYzN1dvb3lLRjBjVFNvcWEzZEVuRUtSSwp4TGF2a0lFUTI3OXRBNFVUK0dVK3pTb0NPUFBNNE1JS3poR0FDczZ1anRySzFNcXpwK0JhYldzRlBuN2J1bStVCkRHSFIrNCtab2tBL1Q2N2luYlRxZUwwVzJCNjRMckFURHpZL3Y4NlRGbW1aallEaHRKR1JIWVZUOU9XSXR0RVkKNnZtUDN0a1dOTWt0R2w4bTFiQ0FHQ1JlcGtycUhxWXNMWG5GQ2ZZSFFtOXNpaGgvM3JFVjZ1MUYxZCt0U3JFMgprU1ZVOHhVWDUwbHFNUUtDQVFFQXpVTjZaS0lRNldkT09FR3ZyMExRL1hVczI0bUczN3lGMjhJUDJEcWFBWWVzCnJza2xTdjdlSU9TZWV3MW1CRHVCRkl2bkZvcTVsRlA3cXhWcEIyWjNNSGlDMVNaclZSZjlQTjdCNGFzcmNyMCsKdDB2S0NXWFFIaTVQQXhucXdYb2E2N0Q1bnkwdnlvV0lVUXAyZEZMdkIwQmp0b3MvajJFaHpJZk5WMm1UOW15bgpWQXZOWEdtZnc4SVJCL1diMGkzQ3c0Wityb1l1dTJkRHo2UUwzUFVvN1hLS3ljZzR1UzU1eksvcWZPc09lYm5mCnpsd3ZqbGxNSitmVFFHNzMrQnpINE5IWGs2akZZQzU4eXBrdXd0cmJmYk1pSkZOWThyV1ptL01Nd1VDWlZDQ3kKeUlxQ3FHQVB6b2kyU05zSEtaTlJqN3ZZQ3dQQVd6TzFidjFGcC9hM0xRS0NBUUVBeG0zTGw4cFROVzF6QjgrWApkRzJkV3FpZU1FcmRXRklBcDUvZ1R4NW9lZUdxQ2QxaDJ4cHlldUtwZlhGaitsRVU0Ty9qQU9TRjk5bndqQzFjCkNsMit2Ni9ZdjZ6N2l6L0ZqUEpoNlpRbGFiT0RaeXMvTkZkelEvVGtvRHluRFRJWE5LOFc3blJRc0ZCcDRWT3YKZGUwTlBBeWhiazBvMFo3eXlqY1lSeEpVN0lnSmhCdldmOGcvRGI3ZnZNUjU4eUR6d0F4aW9pS1RNTmlzMFBBUAplMEtrbzQySUU1eGhHNWhDQjBHRUhTMlZBYzFuY0gzRkk5LzFETVAzVEtwTGltOVlQQW5JdG1CTzYrUWNtYTNYCjJ3QzZDV2ZudkhvSDc4aGd3KzRZbjg1V2QwYjhQN3pJRC9qdHZ3aGNlMzMxeDh4cjJ1Nm5ScUxBd1pzNCs0SjcKYmZkSWNRS0NBUUFDL2JlNzNheTNhZnoyenVZN2ZKTEZEcjhQbCtweU9qSU5LTC9JVzlwQXFYUjN1NUNpamlJNApnbnhZdUxKQzM0Y2JBSXJtaGpEOEcxa3dmZ2hneGpwNFoxa290LzJhYU5ZVTIvNGhScmhFWE1PY01pdUloWVpKCjJrem1jNnM3RklkdDVjOU5aWUFyeUZSYk1mYlY3UnQwbEppZllWb1V3Y3FYUzJkUG5jYzlNUW9qTEdUYXN1TlUKRy9EWmw5ZWtjV3hFSXlLWGNuY2QzZnhiK3p6OUJFbUxaRDduZjlacnhHU2IrZmhGeDdzWFJRRWc1YkQvdHdkbwpFWFcvbTU1YmJEZnhhNzFqZG5NaDJxdVEzRGlWT0ZFNGZMTERxcjlDRWlsaDMySFJNeHJJNGcwWTVRUFFaazMwCnFZTldmbktWUllOTHYrWC9DeGZ6ZkVacGpxRkVPRkVsQW9JQkFRQ0t6R2JGdmx6d1BaUmh4czd2VXYxOXlIUXAKQzFmR3gwb0tpRDFSNWZwWVBrT0VRQWVudEFKRHNyYVRsNy9rSDY5V09VbUQ1T3gxbWpyRFB0a1M4WnhXYlJXeApGYjJLK3JxYzRtcGFacGROV09OTkszK3RNZmsrb0FRcWUySU1JV253NUhmbVpjNE1QY0t0bkZQYlJTTkF0aktwCkQ2aG9oL3BXMmdjRFA0cVpNWVZvRW04MVZYZEZDUGhOYitNYnUvU3gyaFB4U0dXYTVGaTczeEtwWWp5M3BISlQKWFoyY2lHN0VNQ3NKZW9HS2FRdmNCY1kvNGlSRGFoV0hWcmlsSVhJQXJQdXdmVUIybzZCZFR0allHeU5sZ2NmeApxWEt4aXBTaEE2VlNienVnR3pkdEdNeEUyekRHVEkxOXFSQy96OUNEREM1ZTJTQUZqbEJUV0QyUHJjcU4KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K

roles/airship-libvirt-gate/defaults/main.yaml

@@ -35,6 +35,7 @@ airship_gate_redfish_noauth:
   ip:
   - "127.0.0.1"
   - "::1"
+  - "{{ airship_gate_ipam.nat_network.bridge_ip }}"
   http_port: 8000
 
 airship_gate_redfish_auth:
@@ -42,6 +43,7 @@ airship_gate_redfish_auth:
   ip:
   - "127.0.0.1"
   - "::1"
+  - "{{ airship_gate_ipam.nat_network.bridge_ip }}"
   https_port: 8443
   user:
   - username: "username"
@@ -52,6 +54,7 @@ airship_gate_file_exchanger:
   ip:
     - "127.0.0.1"
     - "::1"
+    - "{{ airship_gate_ipam.nat_network.bridge_ip }}"
   http_port: 8100
   path: "/srv"
   user:

roles/airship-libvirt-gate/tasks/build-infra.yaml

@@ -70,18 +70,26 @@
     name: libvirt-domain
   vars:
     libvirt_domain:
+      enable_vnc: true
+      console_log_enabled: true
       state: shutdown
       name: "{{ airship_gate_names.target_vm_prefix }}-{{ vm_index }}"
       memory_mb: "{{ chosen_flavor.target_vm_memory_mb }}"
       vcpus: "{{ chosen_flavor.target_vm_vcpus }}"
+      controllers:
+        - "sata"
       volumes:
         - name: "{{ airship_gate_names.target_volume_prefix }}-{{ vm_index }}"
           device: "disk"
+          target: sda
+          bus: sata
           format: "{{ chosen_flavor.disk_format }}"
           pool: "{{ airship_gate_names.pool }}"
       interfaces:
         - network: "{{ airship_gate_names.nat_network }}"
+          mac: "{{ chosen_flavor.target_vm_nics[vm_index|int - 1].nat_mac | default('')}}"
         - network: "{{ airship_gate_names.provision_network }}"
+          mac: "{{ chosen_flavor.target_vm_nics[vm_index|int - 1].provision_mac | default('')}}"
   loop_control:
     loop_var: vm_index
   with_sequence: "start=1 end={{ chosen_flavor.target_vms_count }}"
@@ -130,6 +138,7 @@
     name: apache-file-exchanger
   vars:
     file_exchanger_name: airship_gate_file_exchanger
+    file_exchanger_ip: "{{ airship_gate_file_exchanger.ip }}"
     file_exchanger_http_port: "{{ airship_gate_file_exchanger.http_port | default(0) }}"
     file_exchanger_https_port: "{{ airship_gate_file_exchanger.https_port | default(0) }}"
     file_exchanger_path: "{{ airship_gate_file_exchanger.path }}"

roles/airshipctl-phase-controlplane/defaults/main.yaml

@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+sushy_host: "{{ airship_gate_ipam.nat_network.bridge_ip | default(ansible_default_ipv4.address) }}"
+sushy_port: 8000
+target_image_dir: "{{ serve_dir | default('/srv/iso') }}"
+airship_site_name: "{{ 'airshipctl/' if remote_work_dir is defined else '' }}{{ airship_config_site_path | default('manifests/site/test-site') }}"
+ephemeral_domain_name: air-ephemeral
+target_image_url: "https://cloud-images.ubuntu.com/xenial/current/xenial-server-cloudimg-amd64-disk1.img"

roles/airshipctl-phase-controlplane/tasks/main.yaml

@@ -0,0 +1,79 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# TODO (dukov) this is needed dute to sushy tools inserts cdrom image to
+# all vms. This can be removed once sushy tool is fixed
+- name: ensure all cdrom images are ejected
+  shell: |-
+    set -x
+    for vm in $(virsh list --all --name |grep -v {{ ephemeral_domain_name }})
+    do
+        virsh domblklist $vm |
+            awk 'NF==2 {print $1}' |
+            grep -v Target |
+            xargs -I{} virsh change-media $vm {} --eject || :
+    done
+  become: yes
+
+- name: download target image
+  shell: |
+    set -e
+    DOWNLOAD="200"
+    if [ -e {{ target_image_dir }}/target-image.qcow2 ]
+    then
+        MTIME=$(date -d @$(stat -c %Y {{ target_image_dir }}/target-image.qcow2) +"%a, %d %b %Y %T %Z")
+        DOWNLOAD=$(curl -sSLI \
+            --write-out '%{http_code}' \
+            -H "If-Modified-Since: ${MTIME}" \
+            {{ target_image_url }} | tail -1)
+    fi
+    if [ "${DOWNLOAD}" != "304" ]
+    then
+        curl -sSLo {{ target_image_dir }}/target-image.qcow2 {{ target_image_url }}
+    fi
+    md5sum /srv/iso/target-image.qcow2 | cut -d ' ' -f 1 > {{ target_image_dir }}/target-image.qcow2.md5sum
+
+- name: create target k8s cluster resources
+  command: >-
+    airshipctl phase apply controlplane
+
+- name: get kubeconfig from secret
+  command: >-
+    kubectl \
+    --kubeconfig {{ airshipctl_config_dir_default | default(ansible_env.HOME) }}/.airship/kubeconfig \
+    get secret target-cluster-kubeconfig -o jsonpath='{.data.value}'
+  register: kubeconfig
+  failed_when: "kubeconfig.stdout == ''"
+  retries: 6
+  delay: 10
+  until: kubeconfig.rc == 0
+
+- name: create kubeconfig
+  copy:
+    content: "{{ kubeconfig.stdout | b64decode }}"
+    dest: /tmp/targetkubeconfig
+
+- name: check kubectl version
+  command: >-
+    timeout 20 kubectl --kubeconfig /tmp/targetkubeconfig version
+  register: airship_kubecofig_version
+  retries: 30
+  delay: 60
+  until: airship_kubecofig_version.rc == 0
+
+- name: check nodes status
+  command: kubectl --kubeconfig /tmp/targetkubeconfig wait node --for=condition=Ready --all --timeout 900s
+
+- name: get cluster state
+  command: >-
+    kubectl --kubeconfig {{ airshipctl_config_dir_default | default(ansible_env.HOME) }}/.airship/kubeconfig \
+    get cluster

roles/airshipctl-test-configs/defaults/main.yaml

@@ -20,7 +20,7 @@ airship_config_iso_builder_docker_image: quay.io/airshipit/isogen:latest-debian_
 airship_config_iso_port: 8099
 airship_config_iso_serve_host: localhost
 airship_config_iso_name: debian-custom.iso
-airship_site_name: manifests/site/test-site
+airship_site_name: "{{ airship_config_site_path | default('manifests/site/test-site') }}"
 remote_type: redfish
 remote_insecure: true
 remote_proxy: false

roles/apache-file-exchanger/tasks/main.yaml

@@ -78,6 +78,17 @@
     - name: Enable file-exchanger virtual host
       command: "a2ensite {{ file_exchanger_name }}"
 
+    - name: Insert a accept rule for non-SSL port
+      iptables:
+        chain: INPUT
+        protocol: tcp
+        destination_port: "{{ file_exchanger_http_port }}"
+        destination: "{{ item }}"
+        jump: ACCEPT
+        action: insert
+      with_items: "{{ file_exchanger_ip }}"
+      when: "item | ipv4"
+
   - name: Create file-exchanger HTTPS virtual host config
     when: file_exchanger_https_port is defined and file_exchanger_https_port != "0"
     block:
@@ -110,6 +121,17 @@
     - name: Enable file-exchanger virtual host
       command: "a2ensite {{ file_exchanger_name }}-ssl"
 
+    - name: Insert a accept rule for SSL port
+      iptables:
+        chain: INPUT
+        protocol: tcp
+        destination_port: "{{ file_exchanger_https_port }}"
+        destination: "{{ item }}"
+        jump: ACCEPT
+        action: insert
+      with_items: "{{ file_exchanger_ip }}"
+      when: "item | ipv4"
+
   - name: Restart Apache to apply all changes
     include_role:
       name: apache-server

roles/apache-wsgi-sushy-emulator/tasks/backend.yaml

@@ -32,8 +32,9 @@
 
   - name: Install sushy-tools
     pip:
-      name: sushy-tools
-      version: 0.9.0
+      # TODO (dukov) Replace this with upstream sushy-tools once
+      # https://storyboard.openstack.org/#!/story/2007689 has fixed
+      name: git+https://github.com/dukov/sushy-tools.git@0.9.1
       executable: pip3
 
   - name: Create a used wsgi will run with

roles/apache-wsgi-sushy-emulator/tasks/frontend.yaml

@@ -45,6 +45,17 @@
     - name: Enable sushy-emulator virtual host
       command: "a2ensite {{ sushy_emulator_frontend_name }}"
 
+    - name: Insert a accept rule for non-SSL port
+      iptables:
+        chain: INPUT
+        protocol: tcp
+        destination_port: "{{ sushy_emulator_frontend_http_port }}"
+        destination: "{{ item }}"
+        jump: ACCEPT
+        action: insert
+      with_items: "{{ sushy_emulator_frontend_ip }}"
+      when: "item | ipv4"
+
   - name: Create sushy-emulator HTTPS virtual host config
     when: sushy_emulator_frontend_https_port is defined
     block:
@@ -77,6 +88,17 @@
     - name: Enable sushy-emulator virtual host
       command: "a2ensite {{ sushy_emulator_frontend_name }}-ssl"
 
+    - name: Insert a accept rule for SSL port
+      iptables:
+        chain: INPUT
+        protocol: tcp
+        destination_port: "{{ sushy_emulator_frontend_https_port }}"
+        destination: "{{ item }}"
+        jump: ACCEPT
+        action: insert
+      with_items: "{{ sushy_emulator_frontend_ip }}"
+      when: "item | ipv4"
+
   - name: Restart Apache to apply all changes
     include_role:
       name: apache-server

roles/gather-system-logs/tasks/main.yaml

@@ -26,6 +26,9 @@
           mount > {{ logs_dir }}/system/mount.txt
           docker images > {{ logs_dir }}/system/docker-images.txt
           ps aux --sort=-%mem > {{ logs_dir }}/system/ps.txt
+          netstat -plantu > {{ logs_dir }}/system/netstat.txt
+          iptables -vxnL > {{ logs_dir }}/system/iptables_filter.txt
+          iptables -t nat -vxnL > {{ logs_dir }}/system/iptables_nat.txt
   args:
     executable: /bin/bash
   ignore_errors: True

roles/install-kustomize/defaults/main.yml

@@ -0,0 +1,17 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kustomize_version: v3.5.5
+kustomize_download_url: "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/{{ kustomize_version }}/kustomize_{{ kustomize_version }}_linux_amd64.tar.gz"
+proxy:
+  http:
+  noproxy:

roles/install-kustomize/tasks/main.yaml

@@ -0,0 +1,24 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: install kustomize binary
+  shell: |
+    set -e
+    curl -sSL {{ kustomize_download_url }} | tar -C /tmp -xzf -
+    install /tmp/kustomize /usr/local/bin
+  become: yes
+  args:
+    warn: false
+  environment:
+    http_proxy: "{{ proxy.http }}"
+    https_proxy: "{{ proxy.http }}"
+    no_proxy: "{{ proxy.noproxy }}"

roles/libvirt-domain/defaults/main.yaml

@@ -135,10 +135,15 @@ libvirt_domain_template_default: |
       {% if volume.target is undefined %}
       <target dev='vd{{ 'abcdefghijklmnopqrstuvwxyz'[loop.index - 1] }}'/>
       {% else %}
-      <target dev='{{ volume.target }}' />
+      <target dev='{{ volume.target }}' bus='{{ volume.bus if volume.bus is defined else 'virtio' }}'/>
       {% endif %}
       </disk>
       {% endfor %}
+      {% for controller in controllers | default([]) %}
+      <controller type='{{ controller }}'>
+      <address type='pci'/>
+      </controller>
+      {% endfor %}
       {% for interface in interfaces %}
       {% if interface.type is defined and interface.type == 'direct' %}
       <interface type='direct'>
@@ -150,7 +155,7 @@ libvirt_domain_template_default: |
       <interface type='network'>
       <source network='{{ interface.network }}'/>
       {% endif %}
-      {% if interface.mac is defined %}
+      {% if interface.mac | default("") != "" %}
       <mac address='{{ interface.mac }}'/>
       {% endif %}
       {# if the network configuration is invalid this can still appear in the xml #}

roles/libvirt-domain/templates/domain.xml.j2

@@ -41,10 +41,15 @@
       {% if volume.target is undefined %}
       <target dev='vd{{ 'abcdefghijklmnopqrstuvwxyz'[loop.index - 1] }}'/>
       {% else %}
-      <target dev='{{ volume.target }}' />
+      <target dev='{{ volume.target }}' bus='{{ volume.bus if volume.bus is defined else 'virtio' }}'/>
       {% endif %}
     </disk>
 {% endfor %}
+{% if sata_controller %}
+    <controller type='sata'>
+      <address type='pci'/>
+    </controller>
+{% endif %}
 {% for interface in interfaces %}
 {% if interface.type is defined and interface.type == 'direct' %}
     <interface type='direct'>
@@ -56,7 +61,7 @@
     <interface type='network'>
       <source network='{{ interface.network }}'/>
 {% endif %}
-      {% if interface.mac is defined %}
+      {% if interface.mac | default("") != "" %}
       <mac address='{{ interface.mac }}'/>
       {% endif %}
       {# if the network configuration is invalid this can still appear in the xml #}

tools/gate/30_phase_controlplane.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+set -xe
+
+TMP_DIR=${TMP_DIR:-"$(dirname $(mktemp -u))"}
+ANSIBLE_HOSTS=${ANSIBLE_HOSTS:-"${TMP_DIR}/ansible_hosts"}
+PLAYBOOK_CONFIG=${PLAYBOOK_CONFIG:-"${TMP_DIR}/config.yaml"}
+
+sudo ansible-playbook -i "$ANSIBLE_HOSTS" \
+        playbooks/airship-airshipctl-test-runner.yaml \
+        -e @tools/gate/config_phase_controlplane.yaml \
+        -e @"$PLAYBOOK_CONFIG"

tools/gate/config_phase_controlplane.yaml

@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+test_roles:
+  - airshipctl-phase-controlplane

zuul.d/jobs.yaml

@@ -96,6 +96,7 @@
         - airshipctl-deploy-ephemeral-node
         - airshipctl-phase-apply-initinfra
         - airshipctl-cluster-init-ephemeral
+        - airshipctl-phase-controlplane
       serve_dir: /srv/iso
       serve_port: 8099
 
@@ -121,6 +122,7 @@
         - airshipctl-deploy-ephemeral-node
         - airshipctl-phase-apply-initinfra
         - airshipctl-cluster-init-ephemeral
+        - airshipctl-phase-controlplane
       serve_dir: /srv/iso
       serve_port: 8099
     voting: false