stackhpc · seunghun1ee · Jun 11, 2025 · May 14, 2025 · May 14, 2025 · May 14, 2025
@@ -7,11 +7,10 @@ name: All in one
 on:
   workflow_call:
     inputs:
-      runner:
-        required: false
+      runner_env:
+        description: Which cloud to run on?
         type: string
-        description: 'Runner name'
-        default: 'arc-skc-aio-runner'
+        default: SMS Lab
       kayobe_image:
         description: Kayobe container image
         type: string
@@ -40,18 +39,6 @@ on:
         description: Default network interface name
         type: string
         default: ens3
-      vm_flavor:
-        description: Flavor for the all-in-one VM
-        type: string
-        default: en1.medium
-      vm_network:
-        description: Network for the all-in-one VM
-        type: string
-        default: stackhpc-ci
-      vm_subnet:
-        description: Subnet for the all-in-one VM
-        type: string
-        default: stackhpc-ci
       OS_CLOUD:
         description: Name of cloud in clouds.yaml
         type: string
@@ -87,11 +74,18 @@ on:
         required: true
 
 jobs:
+  runner-selection:
+    uses: ./.github/workflows/runner-selector.yml
+    with:
+      runner_env: ${{ inputs.upgrade == true && 'Leafcloud' || inputs.runner_env }}
   # NOTE: Runner needs unzip and nodejs packages.
   all-in-one:
     name: All in one
     if: ${{ inputs.if && !cancelled() }}
-    runs-on: ${{ inputs.runner }}
+    environment: ${{ inputs.upgrade == true && 'Leafcloud' || inputs.runner_env }}
+    runs-on: ${{ needs.runner-selection.outputs.runner_name_aio }}
+    needs:
+      - runner-selection
     permissions: {}
     env:
       KAYOBE_ENVIRONMENT: ci-aio
@@ -170,9 +164,9 @@ jobs:
           aio_vm_interface = "${{ env.VM_INTERFACE }}"
           aio_vm_name = "${{ env.VM_NAME }}"
           aio_vm_image = "${{ env.VM_IMAGE }}"
-          aio_vm_flavor = "${{ env.VM_FLAVOR }}"
-          aio_vm_network = "${{ env.VM_NETWORK }}"
-          aio_vm_subnet = "${{ env.VM_SUBNET }}"
+          aio_vm_flavor = "${{ vars.HOST_IMAGE_BUILD_FLAVOR }}"
+          aio_vm_network = "${{ vars.HOST_IMAGE_BUILD_NETWORK }}"
+          aio_vm_subnet = "${{ vars.HOST_IMAGE_BUILD_SUBNET }}"
           aio_vm_volume_size = "${{ env.VM_VOLUME_SIZE }}"
           aio_vm_tags = ${{ env.VM_TAGS }}
           EOF
@@ -181,9 +175,6 @@ jobs:
           SSH_USERNAME: "${{ inputs.ssh_username }}"
           VM_NAME: "skc-ci-aio-${{ inputs.neutron_plugin }}-${{ github.run_id }}"
           VM_IMAGE: ${{ steps.image_name.outputs.image_name }}
-          VM_FLAVOR: ${{ inputs.vm_flavor }}
-          VM_NETWORK: ${{ inputs.vm_network }}
-          VM_SUBNET: ${{ inputs.vm_subnet }}
           VM_INTERFACE: ${{ inputs.vm_interface }}
           VM_VOLUME_SIZE: ${{ inputs.upgrade && '65' || '50' }}
           VM_TAGS: '["skc-ci-aio", "PR=${{ github.event.number }}"]'
@@ -192,7 +183,7 @@ jobs:
         run: terraform plan
         working-directory: ${{ github.workspace }}/terraform/aio
         env:
-          OS_CLOUD: ${{ inputs.OS_CLOUD }}
+          OS_CLOUD: ${{ vars.OS_CLOUD }}
           OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
           OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
 
@@ -213,7 +204,7 @@ jobs:
           exit 1
         working-directory: ${{ github.workspace }}/terraform/aio
         env:
-          OS_CLOUD: ${{ inputs.OS_CLOUD }}
+          OS_CLOUD: ${{ vars.OS_CLOUD }}
           OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
           OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
 
@@ -471,7 +462,7 @@ jobs:
         run: terraform destroy -auto-approve
         working-directory: ${{ github.workspace }}/terraform/aio
         env:
-          OS_CLOUD: ${{ inputs.OS_CLOUD }}
+          OS_CLOUD: ${{ vars.OS_CLOUD }}
           OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
           OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
         if: always()
@@ -14,6 +14,7 @@ on:
 
 jobs:
   propose_github_release_updates:
+    if: github.repository == 'stackhpc/stackhpc-kayobe-config'
     runs-on: ubuntu-22.04
     strategy:
       matrix:

@@ -0,0 +1,38 @@
+---
+name: Upstream Sync
+'on':
+  schedule:
+    - cron: "15 8 * * 1"
+  workflow_dispatch:
+permissions:
+  contents: write
+  pull-requests: write
+jobs:
+  synchronise-2023-1:
+    if: github.repository == 'stackhpc/stackhpc-kayobe-config'
+    name: Synchronise 2023.1
+    uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main
+    with:
+      release_series: 2023.1
+      upstream: openstack/kayobe-config
+  synchronise-2024-1:
+    if: github.repository == 'stackhpc/stackhpc-kayobe-config'
+    name: Synchronise 2024.1
+    uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main
+    with:
+      release_series: 2024.1
+      upstream: openstack/kayobe-config
+  synchronise-2025-1:
+    if: github.repository == 'stackhpc/stackhpc-kayobe-config'
+    name: Synchronise 2025.1
+    uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main
+    with:
+      release_series: 2025.1
+      upstream: openstack/kayobe-config
+  synchronise-master:
+    if: github.repository == 'stackhpc/stackhpc-kayobe-config'
+    name: Synchronise master
+    uses: stackhpc/.github/.github/workflows/upstream-sync.yml@main
+    with:
+      release_series: master
+      upstream: openstack/kayobe-config
@@ -11,7 +11,7 @@ StackHPC provides prebuilt Ironic Python Agent (IPA) images in Release Train
 through Ark.
 
 These images are built in CI using a GitHub workflow and are configured in this
-repository. See  :kayobe-doc: `Kayobe documentation
+repository. See :kayobe-doc:`Kayobe documentation
 <configuration/reference/ironic-python-agent.html>` for more details on IPA.
 
 Release Train IPA images are used by Bifrost and Overcloud Ironic by default in

@@ -169,12 +169,18 @@ for the exporter.
 If you are deploying in a cloud with internal TLS, you may be required
 to provide a CA certificate for the OpenStack Capacity exporter if your
 certificate is not signed by a trusted CA. For example, to use a CA certificate
-named ``vault.crt`` that is also added to the Kolla containers:
+named ``vault.crt`` or ``openbao.crt`` that is also added to the Kolla containers:
 
 .. code-block:: yaml
 
     stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/vault.crt"
 
+or
+
+.. code-block:: yaml
+
+    stackhpc_os_capacity_openstack_cacert: "{{ kayobe_env_config_path }}/kolla/certificates/ca/openbao.crt"
+
 Alternatively, to disable certificate verification for the OpenStack Capacity
 exporter:
 

@@ -52,16 +52,29 @@ The Pulp container is deployed on the seed by default, but may be disabled by
 setting ``seed_pulp_container_enabled`` to ``false`` in
 ``etc/kayobe/seed.yml``.
 
-The URL and credentials of the local Pulp server are configured in
-``etc/kayobe/pulp.yml`` via ``pulp_url``, ``pulp_username`` and
-``pulp_password``. In most cases, the default values should be sufficient.
-An admin password must be generated and set as the value of a
-``secrets_pulp_password`` variable, typically in an Ansible Vault encrypted
-``etc/kayobe/secrets.yml`` file. This password will be automatically set on
-Pulp startup.
-
-If a proxy is required to access the Internet from the seed, ``pulp_proxy_url``
-may be used.
+The URL for the local Pulp server is configured by ``pulp_url`` within
+``etc/kayobe/pulp.yml``.
+
+The Pulp service can be configured with two sets of credentials; one for
+administrator operations and another read-only for overcloud hosts
+to use.
+The administrator credentials can be configured ``pulp_username``,
+``pulp_password``
+The basic user account credentials can be configured with ``pulp_stack_username``
+and ``pulp_stack_password``.
+Both sets of credentials can be found within ``etc/kayobe/pulp.yml``.
+
+Both the ``pulp_password`` and ``pulp_stack_password`` are intended to be
+configured via their ``secrets_*`` counterparts, i.e.
+``secrets_pulp_password`` and ``secrets_pulp_stack_password``. These variables
+are expected to be set in an Ansible Vault encrypted
+``etc/kayobe/secrets.yml`` file.
+
+Passwords can be generated using ``OpenSSL``
+
+.. code-block:: console
+
+  openssl rand -base64 32
 
 Host images are not synchronised to the local Pulp server, since they should
 only be pulled to the seed node once. More information on host images can be

@@ -68,6 +68,7 @@
         # Kolla Ansible's merge_configs module does not like the leading tabs in ceph.conf.
         content: |
           {{ cephadm_ceph_conf.stdout | regex_replace('\t') }}
+          {{ kolla_ceph_conf_append if kolla_ceph_conf_append is defined }}
         dest: "{{ kayobe_env_config_path }}/kolla/config/{{ kolla_service_to_conf_dir[item.0.name] }}/ceph.conf"
       loop: "{{ query('subelements', kolla_ceph_services | selectattr('required'), 'keys') }}"
       loop_control:

@@ -8,6 +8,7 @@
   tasks:
     - name: Check version
       when: stackhpc_enable_kayobe_check
+      check_mode: false
       block:
         - name: Get package info
           community.general.pip_package_info:

@@ -6,6 +6,7 @@
   tasks:
     - name: Check version
       when: stackhpc_enable_kolla_ansible_check
+      check_mode: false
       block:
         - name: Get current Kolla-Ansible tag
           ansible.builtin.command:

@@ -21,7 +21,12 @@
   gather_facts: true
   hosts: controllers
   vars:
-    openbao_bind_address: "{{ internal_net_name | net_ip }}"
+    openbao_bind_addr: "{{ internal_net_name | net_ip }}"
+    # This is the IP address of the first controller and therefore the leader within
+    # OpenBao. This could be replaced with the VIP address of the internal network if
+    # HAProxy has been configured to load balance the OpenBao API.
+    openbao_raft_leaders:
+      - "{{ internal_net_name | net_ip(inventory_hostname=groups['controllers'][0]) }}"
   tasks:
     - name: Set a fact about the virtualenv on the remote system
       ansible.builtin.set_fact:
@@ -46,7 +51,7 @@
 
     - name: Template out TLS key and cert
       ansible.builtin.copy:
-        # Within the OpenBao container these uids & gids map to the vault user
+        # Within the OpenBao container these uids & gids map to the openbao user
         src: "{{ kayobe_env_config_path }}/openbao/{{ item }}"
         dest: /opt/kayobe/openbao/{{ item }}
         owner: 100
@@ -55,6 +60,7 @@
       loop:
         - "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.crt"
         - "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.key"
+        - "OS-TLS-INT.crt"
       become: true
 
     - name: Apply OpenBao role
@@ -71,6 +77,7 @@
         openbao_docker_tag: "{{ overcloud_openbao_docker_tag }}"
         openbao_tls_cert: "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.crt"
         openbao_tls_key: "{% if kolla_internal_fqdn != kolla_internal_vip_address %}{{ kolla_internal_fqdn }}{% else %}overcloud{% endif %}.key"
+        openbao_tls_ca: "OS-TLS-INT.crt"
         copy_self_signed_ca: true
         openbao_api_addr: https://{{ internal_net_name | net_ip }}:8200
         openbao_write_keys_file: true
@@ -91,6 +98,28 @@
         vault_unseal_keys: "{{ openbao_keys.keys_base64 }}"
       environment:
         https_proxy: ""
+      run_once: true
+
+      # As the first instance is now unsealed the other instances will now need some
+      # time to connect before we can proceed.
+    - name: Wait for OpenBao Raft peers to connect
+      ansible.builtin.wait_for:
+        timeout: 30
+      delegate_to: localhost
+
+      # Raft peers take few seconds before they report an unsealed state therefore
+      # we must wait.
+    - name: Unseal OpenBao
+      ansible.builtin.import_role:
+        name: stackhpc.hashicorp.vault_unseal
+      vars:
+        vault_api_addr: https://{{ internal_net_name | net_ip }}:8200
+        vault_unseal_token: "{{ openbao_keys.root_token }}"
+        vault_unseal_ca_cert: "{{ '/etc/pki/tls/certs/ca-bundle.crt' if ansible_facts.os_family == 'RedHat' else '/usr/local/share/ca-certificates/OS-TLS-ROOT.crt' }}"
+        vault_unseal_keys: "{{ openbao_keys.keys_base64 }}"
+        vault_unseal_timeout: 10
+      environment:
+        https_proxy: ""
 
 - name: Configure PKI
   any_errors_fatal: true

@@ -4,8 +4,8 @@
   gather_facts: true
   hosts: seed
   vars:
-    openbao_bind_address: "{{ ansible_facts['lo'].ipv4.address }}"
-    openbao_api_addr: "http://{{ openbao_bind_address }}:8200"
+    openbao_bind_addr: "{{ ansible_facts['lo'].ipv4.address }}"
+    openbao_api_addr: "http://{{ openbao_bind_addr }}:8200"
   tasks:
     - name: Set a fact about the virtualenv on the remote system
       ansible.builtin.set_fact:

@@ -11,7 +11,7 @@
     vfio_pci_ids: |-
       {% set gpu_list = [] %}
       {% set output = [] %}
-      {% for gpu_group in gpu_group_map | dict2items | default([]) %}
+      {% for gpu_group in (gpu_group_map | default({})) | dict2items %}
       {% if gpu_group.key in group_names %}
       {% set _ = gpu_list.append(gpu_group.value) %}
       {% endif %}

@@ -7,18 +7,15 @@
     # password in the get_url task of this playbook
     stackhpc_overcloud_host_image_url_no_auth: "{{ stackhpc_release_pulp_content_url }}/kayobe-images/\
       {{ openstack_release }}/{{ os_distribution }}/{{ os_release }}/\
-      {{ 'ofed/' if stackhpc_overcloud_host_image_is_ofed else '' }}\
       {{ stackhpc_overcloud_host_image_version }}/\
-      overcloud-{{ os_distribution }}-{{ os_release }}\
-      {{ '-ofed' if stackhpc_overcloud_host_image_is_ofed else '' }}.qcow2"
+      overcloud-{{ os_distribution }}-{{ os_release }}.qcow2"
   tasks:
     - name: Print image information
       ansible.builtin.debug:
         msg: |
           OS Distribution: {{ os_distribution }}
           OS Release: {{ os_release }}
           Image tag: {{ stackhpc_overcloud_host_image_version }}
-          OFED: {{ stackhpc_overcloud_host_image_is_ofed }}
 
     # TODO: Add checksum support
     - name: Download image artifact

@@ -9,7 +9,7 @@ collections:
   - name: stackhpc.pulp
     version: 0.5.5
   - name: stackhpc.hashicorp
-    version: 2.6.1
+    version: 2.7.1
   - name: stackhpc.kayobe_workflows
     version: 1.1.0
 roles:

@@ -15,10 +15,8 @@
 
     - name: Ensure Python 3, venv, and pip are installed
       ansible.builtin.package:
-        name:
-          - python3
-          - python3-venv
-          - python3-pip
+        name: >
+          {{ ['python3', 'python3-pip'] + (['python3-venv'] if ansible_facts['distribution'] == 'Ubuntu' else []) }}
         state: present
       become: true
 

@@ -133,3 +133,6 @@ kolla_ceph_manila_required: "{{ kolla_enable_manila | bool }}"
 
 # Whether to generate Ceph configuration for Nova.
 kolla_ceph_nova_required: "{{ kolla_enable_nova | bool }}"
+
+# A (multiline) string to append to all Ceph configuration files.
+#kolla_ceph_conf_append:
@@ -28,6 +28,18 @@
     - stackhpc_pulp_sync_for_local_container_build | bool
     - pulp_settings.changed
 
+- name: Ensure Pulp stack user exists
+  ansible.builtin.include_role:
+    name: stackhpc.pulp.pulp_user
+  vars:
+    pulp_users:
+      - username: "{{ pulp_stack_username }}"
+        password: "{{ pulp_stack_password }}"
+        is_staff: false
+  when:
+    - pulp_stack_username is defined and pulp_stack_username | length > 0
+    - pulp_stack_password is defined and pulp_stack_password | length > 0
+
 - name: Login to docker registry
   docker_login:
     registry_url: "{{ kolla_docker_registry or omit }}"