From df71afd59e7b2189b4b6b37ac964fa557a74323f Mon Sep 17 00:00:00 2001
From: Sergiy Markin
Date: Fri, 17 Oct 2025 00:53:22 +0000
Subject: [PATCH] Fix ingress_disable_gui handling for region_api

When ingress_disable_gui is set to true, the /MAAS/ws path was not being routed to the region_api service, which is necessary for MAAS CLI and other non-GUI interactions. This change adds the required path routing to ensure that the /MAAS/ws endpoint is correctly directed to the region_api service. Also include a minor fix or noble images publishing.

Change-Id: I76bcc2513dc1d6f42c1fbac53535d7ed34328ca7
Signed-off-by: Sergiy Markin
---
 .zuul.yaml | 2 +-
 charts/maas/templates/ingress-region.yaml | 28 +++++++++++++++++++
 charts/maas/values.yaml | 2 ++
 images/maas-rack-controller-noble/Dockerfile | 1 +
 .../maas-region-controller-noble/Dockerfile | 1 +
 .../override.chrony.conf | 17 +++++++++--
 6 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/.zuul.yaml b/.zuul.yaml
index bf16258..e1b2a14 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -200,7 +200,7 @@
 - "^images/.*"
 vars:
 publish: true
- distro: ubuntu_jammy
+ distro: ubuntu_noble
 tags:
 dynamic:
 branch: true
diff --git a/charts/maas/templates/ingress-region.yaml b/charts/maas/templates/ingress-region.yaml
index 57ef220..c548948 100644
--- a/charts/maas/templates/ingress-region.yaml
+++ b/charts/maas/templates/ingress-region.yaml
@@ -35,6 +35,27 @@ spec:
 http:
 paths:
 {{- if .Values.conf.maas.ingress_disable_gui }}
+ - path: /MAAS/version
+ pathType: Exact
+ backend:
+ service:
+ name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ port:
+ name: region-api
+ - path: /MAAS
+ pathType: Exact
+ backend:
+ service:
+ name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ port:
+ name: region-api
+ - path: /MAAS/
+ pathType: Exact
+ backend:
+ service:
+ name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ port:
+ name: region-api
 - path: /MAAS/api
 pathType: Prefix
 backend:
@@ -63,6 +84,13 @@ spec:
 name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 port:
 name: region-api
+ - path: /MAAS/ws
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ port:
+ name: region-api
 {{- else if (and .Values.conf.maas.ingress_disable_gui .Values.conf.maas.tls.enabled) }}
 - path: /MAAS/api
 pathType: Prefix
diff --git a/charts/maas/values.yaml b/charts/maas/values.yaml
index d85c502..617e3df 100644
--- a/charts/maas/values.yaml
+++ b/charts/maas/values.yaml
@@ -437,6 +437,7 @@ pod:
 add:
 - "DAC_READ_SEARCH"
 - "NET_ADMIN"
+ - "NET_BIND_SERVICE"
 - "SYS_ADMIN"
 - "SYS_PTRACE"
 - "SYS_RESOURCE"
@@ -453,6 +454,7 @@ pod:
 add:
 - "SYS_ADMIN"
 - "NET_ADMIN"
+ - "NET_BIND_SERVICE"
 - "SYS_PTRACE"
 - "SYS_TIME"
 - "SYS_RESOURCE"
diff --git a/images/maas-rack-controller-noble/Dockerfile b/images/maas-rack-controller-noble/Dockerfile
index 86ae3fe..fb2a648 100644
--- a/images/maas-rack-controller-noble/Dockerfile
+++ b/images/maas-rack-controller-noble/Dockerfile
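Review bot: The three `Exact` rules added under `{{- if .Values.conf.maas.ingress_disable_gui }}` in charts/maas/templates/ingress-region.yaml (`/MAAS/version`, `/MAAS` and `/MAAS/`) are not covered by the commit description, which explains only `/MAAS/ws`. This branch is the allow-list of what stays reachable once the GUI is disabled, so each new entry should carry a template comment naming the consumer, for example `{{- /* /MAAS, /MAAS/, /MAAS/version: needed by <client>; no UI assets are served from these */}}`. The three rules repeat an identical backend block, so a `range` over a list of exact paths would keep the allow-list in one place and easier to audit. The `paths:` list begins and continues outside this hunk.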
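Review bot: In the second hunk of ingress-region.yaml the new `/MAAS/ws` rule lands directly before `{{- else if (and .Values.conf.maas.ingress_disable_gui .Values.conf.maas.tls.enabled) }}`, a branch that can never render because the preceding `if` already matches whenever `ingress_disable_gui` is true. If the TLS case needs its own routing, the more specific test has to come first (`{{- if (and ... ingress_disable_gui ... tls.enabled) }}` followed by `{{- else if ... ingress_disable_gui }}`); otherwise the dead branch should be removed so the two path lists cannot drift apart. Separately, `/MAAS/ws` is exposed as a `Prefix` match while the GUI is meant to be off, so a short comment naming the non-GUI client that needs it would let a later reviewer judge whether the whole prefix must stay open. The body of the `else if` branch continues outside the hunk.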
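Review bot: `NET_BIND_SERVICE` is added to the capability `add:` list in the values.yaml hunk at -437 with nothing saying which process needs it, and the identical line is added to the list in the hunk at -453. Both lists already grant `SYS_ADMIN` and `NET_ADMIN`, so the increment is small, but a one-line comment such as `# NET_BIND_SERVICE: chronyd runs as a non-root user and binds a privileged port` (presumably the reason, given the chrony unit override in this commit) would tie the grant to its consumer and show when it can be dropped. Which containers these two lists belong to is outside the hunks.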
@@ -34,6 +34,7 @@ RUN apt-get -qq update \
 sudo \
 systemd \
 ca-certificates \
+ chrony \
 # Don't start any optional services except for the few we need.
 # (specifically, don't start avahi-daemon, isc-dhcp-server, or libvirtd)
 && find /etc/systemd/system \
diff --git a/images/maas-region-controller-noble/Dockerfile b/images/maas-region-controller-noble/Dockerfile
index 9a98617..198c80f 100644
--- a/images/maas-region-controller-noble/Dockerfile
+++ b/images/maas-region-controller-noble/Dockerfile
@@ -33,6 +33,7 @@ RUN apt-get -qq update \
 cron \
 ca-certificates \
 bind9-dnsutils \
+ chrony \
 # Don't start any optional services except for the few we need.
 # (specifically, don't start avahi-daemon)
 && find /etc/systemd/system \
diff --git a/images/maas-region-controller-noble/override.chrony.conf b/images/maas-region-controller-noble/override.chrony.conf
index 6f3cd41..53f0a43 100644
--- a/images/maas-region-controller-noble/override.chrony.conf
+++ b/images/maas-region-controller-noble/override.chrony.conf
@@ -1,3 +1,16 @@
 [Service]
-ExecStartPre=-mkdir -p /var/log/chrony
-ExecStartPre=-chown root /var/run/chrony
+# Run chrony as the package user on Noble
+User=_chrony
+Group=avahi
+
+# Let systemd create writable runtime dir for that user
+RuntimeDirectory=chrony
+RuntimeDirectoryMode=0777
+RuntimeDirectoryPreserve=yes
+
+# Defensive: ensure dir exists with correct owner (no-op if already created)
+ExecStartPre=-/usr/bin/install -d -o _chrony -g avahi -m 0777 /run/chrony
+
+# Caps needed inside container (matches your pod securityContext)
+CapabilityBoundingSet=CAP_SYS_TIME CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_SYS_TIME CAP_NET_BIND_SERVICE
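Review bot: In override.chrony.conf, `RuntimeDirectoryMode=0777` and the matching `install ... -m 0777 /run/chrony` leave the directory holding chronyd's runtime files writable by every user in the container, and `Group=avahi` runs the daemon under an unrelated service's group although the comment says "package user". Prefer the package's own group and a private directory: `Group=_chrony` and `RuntimeDirectoryMode=0750`. With `RuntimeDirectory=chrony` systemd already creates `/run/chrony` owned by the unit's `User=`/`Group=`, and `ExecStartPre` itself runs as `_chrony`, so the `install -d` line is redundant and can be dropped. If `avahi` or `0777` is a deliberate workaround, the comment should state what fails without it.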