[multiple] Co-locate provisionserver with metal3 to prevent DHCP failures II

When metal3-dnsmasq pod restarts during a node's DHCP lease renewal on the
provisioning network (172.23.0.0/24), NetworkManager fails to renew and sets
ipv4.method=disabled. NMState operator then preserves this disabled state,
causing permanent loss of provisioning network connectivity on that node.

The issue occurs when OpenStackProvisionServer and metal3 pods run on
different nodes. If metal3 restarts while a node is attempting DHCP renewal,
the temporary unavailability of metal3-dnsmasq causes the renewal to fail.

Solution:
Automatically detect the node running metal3 pod (via k8s-app=metal3 label)
and configure provisionServerNodeSelector in baremetalSetTemplate to schedule
OpenStackProvisionServer on the same node. This ensures provisioning network
connectivity is maintained because metal3-static-ip-manager maintains a static
IP (172.23.0.3) on the metal3 node regardless of dnsmasq restarts.

Signed-off-by: Miguel Angel Nieto Jimenez <mnietoji@redhat.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: mnietoji

playbooks/06-deploy-architecture.yml

@@ -163,6 +163,43 @@
                 msg: >-
                   Error detected. Check debugging output above.
 
+    - name: Extract registry credentials from OpenShift pull-secret
+      tags:
+        - always
+      when:
+        - cifmw_sync_pullsecret_credentials | default(true) | bool
+      block:
+        - name: Extract credentials for each configured registry
+          loop: "{{ cifmw_reproducer_registry_list | default(['registry.stage.redhat.io']) }}"
+          loop_control:
+            loop_var: registry
+          ansible.builtin.include_role:
+            name: edpm_pullsecret_sync
+          vars:
+            cifmw_edpm_pullsecret_sync_registry: "{{ registry }}"
+            cifmw_edpm_pullsecret_sync_fact_name: "cifmw_reproducer_registry_{{ registry | replace('.', '_') | replace('-', '_') }}_creds"
+
+        - name: Build registry credentials dictionary for templates
+          ansible.builtin.set_fact:
+            cifmw_ci_gen_kustomize_values_registry_logins: >-
+              {%- set result = {} -%}
+              {%- for registry in (cifmw_reproducer_registry_list | default(['registry.stage.redhat.io'])) -%}
+                {%- set fact_name = 'cifmw_reproducer_registry_' + (registry | replace('.', '_') | replace('-', '_')) + '_creds_dict' -%}
+                {%- if vars[fact_name] is defined -%}
+                  {%- set _ = result.update({registry: vars[fact_name]}) -%}
+                {%- endif -%}
+              {%- endfor -%}
+              {{ result }}
+
+        - name: Log extracted registry credentials
+          ansible.builtin.debug:
+            msg: "Registry credentials extracted for: {{ cifmw_ci_gen_kustomize_values_registry_logins.keys() | list }}"
+
+      rescue:
+        - name: Log pull-secret extraction failure
+          ansible.builtin.debug:
+            msg: "Failed to extract credentials from pull-secret, templates will not include registry credentials"
+
     - name: Set cifmw_architecture_automation_file if not set before
       when: cifmw_architecture_automation_file is not defined
       ansible.builtin.set_fact:

roles/ci_gen_kustomize_values/templates/common/edpm-nodeset-values/values.yaml.j2

@@ -43,6 +43,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in instances_names                                                     %}
       edpm-{{ instance }}:

roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset-values/values.yaml.j2

@@ -37,6 +37,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in instances_names                                                     %}
       edpm-{{ instance }}:

roles/ci_gen_kustomize_values/templates/multi-namespace/edpm-nodeset2-values/values.yaml.j2

@@ -39,6 +39,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                               %}
 {% endif                                                                                  %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in instances_names                                                        %}
       edpm-{{ instance }}:

roles/ci_gen_kustomize_values/templates/nfv-ovs-dpdk-sriov-hci/edpm-nodeset-values/values.yaml.j2

@@ -4,6 +4,7 @@
 {% set _original_nodeset = (original_content.data | default({})).nodeset | default({}) %}
 {% set _original_nodes = _original_nodeset.nodes | default({})                         %}
 {% set _original_services = _original_nodeset['services'] | default([])                %}
+{% set _original_baremetal_template = (original_content.data | default({})).baremetalSetTemplate | default({}) %}
 {% for _inst in cifmw_baremetal_hosts.keys()                                           %}
 {%   set _ = instances_names.append(_inst)                                             %}
 {% endfor                                                                              %}
@@ -29,6 +30,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in instances_names                                                     %}
       edpm-{{ instance }}:
@@ -43,3 +66,11 @@ data:
       - "{{ svc }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% if cifmw_kustomize_deploy_metal3_node is defined                                    %}
+  baremetalSetTemplate:
+{%   for key, value in _original_baremetal_template.items()                            %}
+    {{ key }}: {{ value }}
+{%   endfor                                                                            %}
+    provisionServerNodeSelector:
+      kubernetes.io/hostname: "{{ cifmw_kustomize_deploy_metal3_node }}"
+{% endif                                                                               %}

roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset-values/values.yaml.j2

@@ -43,6 +43,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in nodeset_one_instances                                               %}
       edpm-{{ instance }}:

roles/ci_gen_kustomize_values/templates/nova-three-cells/edpm-nodeset2-values/values.yaml.j2

@@ -43,6 +43,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in nodeset_two_instances                                               %}
       edpm-{{ instance }}:

roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset-values/values.yaml.j2

@@ -43,6 +43,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in nodeset_one_instances                                               %}
       edpm-{{ instance }}:

roles/ci_gen_kustomize_values/templates/nova02beta/edpm-nodeset2-values/values.yaml.j2

@@ -43,6 +43,28 @@ data:
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% set _original_ansible_vars = (_original_nodeset.ansible | default({})).ansibleVars | default({}) %}
+{% set _original_bootstrap = _original_ansible_vars.edpm_bootstrap_command | default('') %}
+{% set _needs_policy_json = cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool and 'policy.json' not in _original_bootstrap %}
+{% if _needs_policy_json or _original_bootstrap %}
+        edpm_bootstrap_command: |
+{%   if _original_bootstrap %}
+          {{ _original_bootstrap }}
+
+{%   endif %}
+{%   if _needs_policy_json %}
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{%   endif %}
+{% endif %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
     nodes:
 {% for instance in nodeset_two_instances                                               %}
       edpm-{{ instance }}:

roles/ci_gen_kustomize_values/templates/nova04delta/edpm-nodeset-values/values.yaml.j2

@@ -38,12 +38,26 @@ data:
 
           # see https://access.redhat.com/solutions/253273
           dnf -y install conntrack-tools
+{% if cifmw_ci_gen_kustomize_values_add_policy_json | default(true) | bool %}
+
+          # Container policy.json
+          mkdir -p /root/.config/containers/ && echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /root/.config/containers/policy.json
+{% endif %}
 {% if cifmw_ci_gen_kustomize_values_sshd_ranges | default([]) | length > 0             %}
         edpm_sshd_allowed_ranges:
 {%   for range in cifmw_ci_gen_kustomize_values_sshd_ranges                            %}
           - "{{ range }}"
 {%   endfor                                                                            %}
 {% endif                                                                               %}
+{% if cifmw_ci_gen_kustomize_values_registry_logins is defined and cifmw_ci_gen_kustomize_values_registry_logins | length > 0 %}
+        edpm_container_registry_logins:
+{%   for registry, creds in cifmw_ci_gen_kustomize_values_registry_logins.items() %}
+          {{ registry }}:
+{%     for username, password in creds.items() %}
+            {{ username }}: {{ password }}
+{%     endfor %}
+{%   endfor %}
+{% endif %}
 
 {% if cifmw_baremetal_hosts | default({}) | length > 0                                 %}
   # source roles/deploy_bmh/template/bmh.yml.j2, but it patches kustomize built outputs