Merge "Fix ingress_disable_gui handling for region_api"

.zuul.yaml

@@ -200,7 +200,7 @@
       - "^images/.*"
     vars:
       publish: true
-      distro: ubuntu_jammy
+      distro: ubuntu_noble
       tags:
         dynamic:
           branch: true

charts/maas/templates/ingress-region.yaml

@@ -35,6 +35,27 @@ spec:
       http:
         paths:
 {{- if .Values.conf.maas.ingress_disable_gui }}
+          - path: /MAAS/version
+            pathType: Exact
+            backend:
+              service:
+                name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+                port:
+                  name: region-api
+          - path: /MAAS
+            pathType: Exact
+            backend:
+              service:
+                name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+                port:
+                  name: region-api
+          - path: /MAAS/
+            pathType: Exact
+            backend:
+              service:
+                name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+                port:
+                  name: region-api
           - path: /MAAS/api
             pathType: Prefix
             backend:
@@ -63,6 +84,13 @@ spec:
                 name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
                 port:
                   name: region-api
+          - path: /MAAS/ws
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ tuple "maas_region" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+                port:
+                  name: region-api
 {{- else if (and .Values.conf.maas.ingress_disable_gui .Values.conf.maas.tls.enabled) }}
           - path: /MAAS/api
             pathType: Prefix

charts/maas/values.yaml

@@ -439,6 +439,7 @@ pod:
             add:
               - "DAC_READ_SEARCH"
               - "NET_ADMIN"
+              - "NET_BIND_SERVICE"
               - "SYS_ADMIN"
               - "SYS_PTRACE"
               - "SYS_RESOURCE"
@@ -455,6 +456,7 @@ pod:
             add:
               - "SYS_ADMIN"
               - "NET_ADMIN"
+              - "NET_BIND_SERVICE"
               - "SYS_PTRACE"
               - "SYS_TIME"
               - "SYS_RESOURCE"

images/maas-rack-controller-noble/Dockerfile

@@ -34,6 +34,7 @@ RUN apt-get -qq update \
         sudo \
         systemd \
         ca-certificates \
+        chrony \
 # Don't start any optional services except for the few we need.
 # (specifically, don't start avahi-daemon, isc-dhcp-server, or libvirtd)
  && find /etc/systemd/system \

images/maas-region-controller-noble/Dockerfile

@@ -33,6 +33,7 @@ RUN apt-get -qq update \
         cron \
         ca-certificates \
         bind9-dnsutils \
+        chrony \
 # Don't start any optional services except for the few we need.
 # (specifically, don't start avahi-daemon)
  && find /etc/systemd/system \

images/maas-region-controller-noble/override.chrony.conf

@@ -1,3 +1,16 @@
 [Service]
-ExecStartPre=-mkdir -p /var/log/chrony
-ExecStartPre=-chown root /var/run/chrony
+# Run chrony as the package user on Noble
+User=_chrony
+Group=avahi
+
+# Let systemd create writable runtime dir for that user
+RuntimeDirectory=chrony
+RuntimeDirectoryMode=0777
+RuntimeDirectoryPreserve=yes
+
+# Defensive: ensure dir exists with correct owner (no-op if already created)
+ExecStartPre=-/usr/bin/install -d -o _chrony -g avahi -m 0777 /run/chrony
+
+# Caps needed inside container (matches your pod securityContext)
+CapabilityBoundingSet=CAP_SYS_TIME CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_SYS_TIME CAP_NET_BIND_SERVICE