Filter out AI zones when discovering zones in the region. AI zones
do not have quota for general compute resources, so we should not provision
nodes there by default.
** While the regional support is valid, we will not be using this in openshift. Regional support
requires that each api have its own endpoint. Only one api is associated with an endpoint, and managing
this access will be difficult and unnessary at this time.
The agent-ui service was previously updated to 'Type=notify' to improve startup ordering and reliability.
However, the lack of container monitor '--sdnotify=conmon' flag, resulted in UI URL to be not displayed on the TUI.
Without this flag, agent-ui systemd waits for a readiness signal which never comes and the service remains in 'activating' state.
This causes the TUI availability check to fail, making the user only see "Waiting for services" instead of UI URL
( even though the UI is already avaialble via the usual URL)
This commit adds the missing flag, ensuring the notification handshake between the container running UI and the agent-ui systemd completes successfully and unblocking the TUI. This commit also fixes the stale dependency in agent-register-infraenv related to agent-ui systemd naming.
Control plane machines were intermittently being created in different
availability zones than specified in their machine specs. This occurred
because the zone list returned from FilterZonesBasedOnInstanceType used
a set's UnsortedList() func, which has a non-deterministic order.
When CAPI and MAPI manifest generation independently called this func,
they could receive zones in different orders, causing a mismatch in
machine zone placements between CAPI and MAPI manifests.
This commit ensures that we sort the zone slices before further
processing.
The changes done here will update the RHCOS 4.21 bootimage metadata and
address the following issues:
OCPBUGS-61669: [4.21] coreos-boot-disk link not working with multipath on early boot
OCPBUGS-65669: Cannot use auto-forward kargs (like ip=) with coreos-installer (iso|pxe) customize
OCPBUGS-65684: Ignition fails with crypto/ecdh: invalid random source in FIPS 140-only mode
OCPBUGS-68354: Using multipath on the sysroot will fail to boot if less than 2 paths are present
This change was generated using:
plume cosa2stream \
--target data/data/coreos/rhcos.json \
--distro rhcos \
--no-signatures \
--name rhel-9.6 \
--url https://rhcos.mirror.openshift.com/art/storage/prod/streams \
x86_64=9.6.20251212-1 \
aarch64=9.6.20251212-1 \
s390x=9.6.20251212-1 \
ppc64le=9.6.20251212-1
Signed-off-by: Tiago Bueno <tiago.bueno@gmail.com>
** Ensure that the feature is backwards compatible for original XPN cases. The new field
firewallRulesManagement is an explicit setting of whether the user has the firewall rules
or not. In old versions this did not exist but XPN installs did not need firewall rules.
Now we will default to checking permissions when no field value is provided. If the rules
do not exist, the rules management is set to unmanaged.
A change to CAPZ[0], creates an SSH rule if one is not specified in
the cluster spec. Prior to this commit, we had been creating the
SSH rule with installer SDK hooks, which is still somewhat necessary
to add the inbound NAT rules, because we are not yet using CAPZ
to provision a public load balancer.
But we can use CAPZ to just create the rule, which will stop CAPZ
from preventing a redundant SSH rule which we were leaking during
bootstrap destroy.
This change will also result in creating an SSH rule for private clusters
which is fine, and something we do on other providers.
0: https://github.com/kubernetes-sigs/cluster-api-provider-azure/pull/5525
hive does not know the rhcos image value and will pass an empty
string for azure machines. In this case, we can leave the image
empty so that it will use the default from MAPI.
Remove the interactive disconnected workflow type. The appliance
embeds registries.conf and CA certificates directly in the system ignition
for bootstrap, eliminating the need for a separate workflow type.
Key changes:
Command-line interface:
- Remove --interactive flag from unconfigured-ignition command
- Remove ContextWrapper and workflow context management
Workflow handling:
- Simplify to always use AgentWorkflowTypeInstall for unconfigured ignition
- Remove AgentWorkflowTypeInstallInteractiveDisconnected constant
- Remove workflow type switching logic in UnconfiguredIgnition
- Remove workflow dependency from UnconfiguredIgnition asset
Mirror configuration:
- Remove RegistriesConf and CaBundle dependencies from UnconfiguredIgnition
- Remove addMirrorData() call (appliance provides this)
- Remove early returns for interactive workflow in mirror assets
Testing:
- Remove interactive-disconnected-workflow test case
- Remove with-mirror-configs test case from unconfigured ignition tests
- Update default dependencies in test helpers
Rationale:
The OVE appliance provides a more robust solution for disconnected
installations by embedding all necessary configuration (registries,
certificates, UI) directly in the appliance image. This approach:
- Eliminates workflow type complexity
- Decouples installer and appliance repositories
- Simplifies the codebase by removing conditional logic
- Aligns with the architecture where MCO manages post-bootstrap config
After first node reboot, the Machine Config Operator manages registry
configuration and trust bundles via IDMS/IDMT resources.
Commit message text generated by: Claude AI <noreply@anthropic.com>
Added cleanup for bootstrap VM FIP in the insatller as part of the
PostDestroyer to streamline FIP creation and deletion to be done by the
installer avoiding orphan FIPs.
Fixes the issue of bootstrap machine logs cannot be collected when installation fails because
the bootstrap VM uses the master security group, which doesn't allow SSH
access from the installation source address. This prevents gathering
diagnostic information needed to troubleshoot failed installations.
- Created dedicated bootstrap security group with SSH access from anywhere
- Tagged with `openshiftRole=bootstrap` for lifecycle management
- Enables SSH access to bootstrap VM for log collection on failure
- Implement PostDestroyer for openstack bootstrap vm
