mirror of
https://opendev.org/openstack/ironic.git
synced 2026-01-11 19:57:20 +00:00
28168c4168
A new ``ironic.console.container`` provider is added called ``kubernetes`` which allows Ironic conductor to manage console containers as Kubernetes pods. The kubernetes resources are defined in the template file configured by ``[vnc]kubernetes_container_template`` and the default template creates one secret to store the app info, and one pod to run the console container. It is expected that Ironic conductor is deployed inside the kubernetes cluster. The associated service account will need roles and bindings which allow it to manage the required resources (with the default template this will be secrets and pods). This provider holds the assumption that ironic-novnc will be deployed in the same kubernetes cluster, and so can connect to the VNC servers via the pod's ``status.hostIP``. Assisted-By: gemini Change-Id: Ib91f7d7c15be51d68ebf886e44efaf191a14437b Signed-off-by: Steve Baker <sbaker@redhat.com>
171 lines
7 KiB
Python
171 lines
7 KiB
Python
# Copyright 2025 Red Hat, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import os
|
|
|
|
from oslo_config import cfg
|
|
from oslo_config import types
|
|
|
|
|
|
opts = [
|
|
cfg.BoolOpt(
|
|
'enabled',
|
|
default=False,
|
|
help='Enable VNC related features. '
|
|
'Guests will get created with graphical devices to support '
|
|
'this. Clients (for example Horizon) can then establish a '
|
|
'VNC connection to the guest.'),
|
|
cfg.HostAddressOpt(
|
|
'host_ip',
|
|
default='0.0.0.0',
|
|
help='The IP address or hostname on which ironic-novncproxy '
|
|
'listens.'),
|
|
cfg.PortOpt(
|
|
'port',
|
|
default=6090,
|
|
help='The TCP port on which ironic-novncproxy listens.'),
|
|
cfg.StrOpt(
|
|
'public_url',
|
|
mutable=True,
|
|
help='Public URL to use when building the links to the noVNC client '
|
|
'browser page '
|
|
'(for example, "http://127.0.0.1:6090/vnc_auto.html"). '
|
|
'If the API is operating behind a proxy, you '
|
|
'will want to change this to represent the proxy\'s URL.'),
|
|
cfg.BoolOpt(
|
|
'enable_ssl',
|
|
default=False,
|
|
help='Enable the integrated stand-alone noVNC to service '
|
|
'requests via HTTPS instead of HTTP. If there is a '
|
|
'front-end service performing HTTPS offloading from '
|
|
'the service, this option should be False; note, you '
|
|
'will want to configure [vnc]public_endpoint option '
|
|
'to set URLs in responses to the SSL terminated one.'),
|
|
cfg.StrOpt(
|
|
'novnc_web',
|
|
default='/usr/share/novnc',
|
|
help='Path to directory with content which will be served by a web '
|
|
'server.'),
|
|
cfg.StrOpt(
|
|
'novnc_record',
|
|
help='Filename that will be used for storing websocket frames '
|
|
'received and sent by a VNC proxy service running on this host. '
|
|
'If this is not set, no recording will be done.'),
|
|
cfg.ListOpt(
|
|
'novnc_auth_schemes',
|
|
item_type=types.String(choices=(
|
|
('none', 'Allow connection without authentication'),
|
|
)),
|
|
default=['none'],
|
|
help='The allowed authentication schemes to use with proxied '
|
|
'VNC connections'),
|
|
cfg.BoolOpt(
|
|
'read_only',
|
|
default=False,
|
|
help='When True, keyboard and mouse events will not be passed '
|
|
'to the console.'
|
|
),
|
|
cfg.IntOpt(
|
|
'token_timeout',
|
|
default=600,
|
|
min=10,
|
|
help='The lifetime of a console auth token (in seconds).'),
|
|
cfg.IntOpt(
|
|
'expire_console_session_interval',
|
|
default=120,
|
|
min=1,
|
|
help='Interval (in seconds) between periodic checks to determine '
|
|
'whether active console sessions have expired and need to be '
|
|
'closed.'),
|
|
cfg.StrOpt(
|
|
'container_provider',
|
|
default='fake',
|
|
help='Console container provider which manages the containers that '
|
|
'expose a VNC service to ironic-novncproxy or nova-novncproxy. '
|
|
'Each container runs an X11 session and a browser showing the '
|
|
'actual BMC console. '
|
|
'"systemd" manages containers as systemd units via podman '
|
|
'Quadlet support. The default is "fake" which returns an '
|
|
'unusable VNC host and port. This needs to be changed if enabled '
|
|
'is True. '
|
|
'"kubernetes" manages containers as pods using template driven '
|
|
'resource creation.'),
|
|
cfg.StrOpt(
|
|
'console_image',
|
|
mutable=True,
|
|
help='Container image reference for the "systemd" and '
|
|
'"kubernetes" console container '
|
|
'provider, and any other out-of-tree provider which requires a '
|
|
'configurable image reference.'),
|
|
cfg.StrOpt(
|
|
'systemd_container_template',
|
|
default=os.path.join(
|
|
'$pybasedir',
|
|
'console/container/ironic-console.container.template'),
|
|
mutable=True,
|
|
help='For the systemd provider, path to the template for defining a '
|
|
'console container. The default template requires that '
|
|
'"console_image" be set.'),
|
|
cfg.StrOpt(
|
|
'systemd_container_publish_port',
|
|
default='$my_ip::5900',
|
|
help='Equivalent to the podman run --port argument for the '
|
|
'mapping of VNC port 5900 to the host. An IP address is '
|
|
'required to bind to, defaulting to $my_ip. The VNC port '
|
|
'exposed on the host will be a randomly allocated high port. '
|
|
'These containers expose VNC servers which must be accessible '
|
|
'by ironic-novncproxy and/or nova-novncproxy. The VNC servers '
|
|
'have no authentication or encryption so they also should not '
|
|
'be exposed to public access. Additionally, the containers '
|
|
'need to be able to access BMC management endpoints. '),
|
|
cfg.StrOpt(
|
|
'kubernetes_container_template',
|
|
default=os.path.join(
|
|
'$pybasedir',
|
|
'console/container/ironic-console-pod.yaml.template'),
|
|
mutable=True,
|
|
help='For the kubernetes provider, path to the template for defining '
|
|
'the console resources. The default template creates one Secret '
|
|
'to store the app info, and one Pod to run a console '
|
|
'container. A custom template must include namespace metadata, '
|
|
'and must define labels which can be used as a delete-all '
|
|
'selector.'),
|
|
cfg.IntOpt('kubernetes_pod_timeout',
|
|
default=120,
|
|
help='For the kubernetes provider, the time (in seconds) to '
|
|
'wait for the console pod to start.'),
|
|
cfg.StrOpt(
|
|
'ssl_cert_file',
|
|
help="Certificate file to use when starting the server securely."),
|
|
cfg.StrOpt(
|
|
'ssl_key_file',
|
|
help="Private key file to use when starting the server securely."),
|
|
cfg.StrOpt(
|
|
'ssl_minimum_version',
|
|
help="The minimum SSL version to use."),
|
|
cfg.StrOpt(
|
|
'ssl_ciphers',
|
|
help="Sets the list of available ciphers. value should be a "
|
|
"string in the OpenSSL cipher list format."),
|
|
cfg.IntOpt(
|
|
'wait_for_ready_timeout',
|
|
default=10,
|
|
min=1,
|
|
help='Maximum number of seconds to wait for a console container '
|
|
'to be ready to accept VNC connections after starting.'),
|
|
]
|
|
|
|
|
|
def register_opts(conf):
|
|
conf.register_opts(opts, group='vnc')
|