refactoring configmap to filepath

Author: asergeant01

Dockerfile

@@ -39,6 +39,7 @@ FROM gcr.io/distroless/static:nonroot AS manager
 LABEL source_repository="https://github.com/ironcore-dev/metal-operator"
 WORKDIR /
 COPY --from=manager-builder /workspace/manager .
+COPY config/manager/ignition-template.yaml /etc/metal-operator/ignition-template.yaml
 USER 65532:65532
 
 ENTRYPOINT ["/manager"]

cmd/manager/main.go

@@ -19,14 +19,11 @@ import (
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
@@ -79,8 +76,7 @@ func main() { // nolint: gocyclo
 		webhookPort                        int
 		enforceFirstBoot                   bool
 		enforcePowerOff                    bool
-		ignitionConfigMapName              string
-		ignitionConfigMapKey               string
+		ignitionConfigPath                 string
 		serverResyncInterval               time.Duration
 		maintenanceResyncInterval          time.Duration
 		powerPollingInterval               time.Duration
@@ -119,10 +115,8 @@ func main() { // nolint: gocyclo
 		"Defines the duration which the bmc waits before reconciling again when bmc has been reset.")
 	flag.DurationVar(&maintenanceResyncInterval, "maintenance-resync-interval", 2*time.Minute,
 		"Defines the interval at which the CRD performing maintenance is polled during server maintenance task.")
-	flag.StringVar(&ignitionConfigMapName, "ignition-configmap-name", "",
-		"Name of the ConfigMap containing the ignition template. If empty, uses hardcoded template.")
-	flag.StringVar(&ignitionConfigMapKey, "ignition-configmap-key", "ignition-template.yaml",
-		"Key in the ConfigMap containing the ignition template.")
+	flag.StringVar(&ignitionConfigPath, "ignition-config-path", "/etc/metal-operator/ignition-template.yaml",
+		"Path to the ignition template file.")
 	flag.StringVar(&registryURL, "registry-url", "", "The URL of the registry.")
 	flag.StringVar(&registryProtocol, "registry-protocol", "http", "The protocol to use for the registry.")
 	flag.IntVar(&registryPort, "registry-port", 10000, "The port to use for the registry.")
@@ -289,20 +283,8 @@ func main() { // nolint: gocyclo
 		})
 	}
 
-	// Configure cache to watch ConfigMaps only in the manager namespace
-	cacheOptions := cache.Options{
-		ByObject: map[client.Object]cache.ByObject{
-			&corev1.ConfigMap{}: {
-				Namespaces: map[string]cache.Config{
-					managerNamespace: {},
-				},
-			},
-		},
-	}
-
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                 scheme,
-		Cache:                  cacheOptions,
 		Metrics:                metricsServerOptions,
 		WebhookServer:          webhookServer,
 		HealthProbeBindAddress: probeAddr,
@@ -369,8 +351,7 @@ func main() { // nolint: gocyclo
 		EnforceFirstBoot:        enforceFirstBoot,
 		EnforcePowerOff:         enforcePowerOff,
 		MaxConcurrentReconciles: serverMaxConcurrentReconciles,
-		IgnitionConfigMapName:   ignitionConfigMapName,
-		IgnitionConfigMapKey:    ignitionConfigMapKey,
+		IgnitionConfigPath:      ignitionConfigPath,
 		BMCOptions: bmc.Options{
 			BasicAuth:               true,
 			PowerPollingInterval:    powerPollingInterval,

config/manager/ignition-template.yaml

@@ -0,0 +1,44 @@
+variant: fcos
+version: "1.3.0"
+systemd:
+  units:
+    - name: docker-install.service
+      enabled: true
+      contents: |-
+        [Unit]
+        Description=Install Docker
+        Before=metalprobe.service
+        [Service]
+        Restart=on-failure
+        RestartSec=20
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=/usr/bin/apt-get update
+        ExecStart=/usr/bin/apt-get install docker.io docker-cli -y
+        [Install]
+        WantedBy=multi-user.target
+    - name: docker.service
+      enabled: true
+    - name: metalprobe.service
+      enabled: true
+      contents: |-
+        [Unit]
+        Description=Run My Docker Container
+        [Service]
+        Restart=on-failure
+        RestartSec=20
+        ExecStartPre=-/usr/bin/docker stop metalprobe
+        ExecStartPre=-/usr/bin/docker rm metalprobe
+        ExecStartPre=/usr/bin/docker pull {{.Image}}
+        ExecStart=/usr/bin/docker run --network host --privileged --name metalprobe {{.Image}} {{.Flags}}
+        ExecStop=/usr/bin/docker stop metalprobe
+        [Install]
+        WantedBy=multi-user.target
+storage:
+  files: []
+passwd:
+  users:
+    - name: metal
+      password_hash: {{.PasswordHash}}
+      groups: [ "wheel" ]
+      ssh_authorized_keys: [ {{.SSHPublicKey}} ]

config/rbac/role.yaml

@@ -4,14 +4,6 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - ""
   resources:

dist/chart/IGNITION-CUSTOMIZATION.md

@@ -1,10 +1,10 @@
 # Metal Operator Helm Chart - Ignition Template Customization
 
-This Helm chart allows you to optionally override the default hardcoded Ignition template used by the metal-operator for bare metal server provisioning.
+This Helm chart allows you to optionally override the default Ignition template used by the metal-operator for bare metal server provisioning.
 
 ## Overview
 
-The metal-operator uses [Ignition](https://coreos.github.io/ignition/) templates to configure bare metal servers during their first boot. By default, it uses a hardcoded template. You can optionally enable ConfigMap-based template customization to meet your specific requirements.
+The metal-operator uses [Ignition](https://coreos.github.io/ignition/) templates to configure bare metal servers during their first boot. The operator includes a default template file baked into the container at `/etc/metal-operator/ignition-template.yaml`. You can optionally override this template by mounting a ConfigMap at the same location.
 
 ## Configuration
 
@@ -14,15 +14,14 @@ The ignition configuration is controlled by the `ignition` section in `values.ya
 
 ```yaml
 ignition:
-  enable: false                         # Enable/disable ignition ConfigMap override (default: false)
-  configMapName: "ignition-template"    # Name suffix for the ConfigMap
-  configMapKey: "ignition-template.yaml"  # Key in the ConfigMap containing the template
-  template: |                           # The actual Ignition template content (only used when enable: true)
+  override: false       # Enable/disable ignition ConfigMap override (default: false)
+  template: |           # The actual Ignition template content (only used when override: true)
     # Your custom Ignition template here
 ```
 
-**Default Behavior**: When `ignition.enable: false` (default), the operator uses its built-in hardcoded template.
-**Override Behavior**: When `ignition.enable: true`, the operator uses the ConfigMap template and falls back to hardcoded if ConfigMap is unavailable.
+**Default Behavior**: When `ignition.override: false` (default), the operator uses the template file baked into the container image at `/etc/metal-operator/ignition-template.yaml`.
+
+**Override Behavior**: When `ignition.override: true`, a ConfigMap is created and mounted to `/etc/metal-operator/ignition-template.yaml`, replacing the default template file.
 
 ### Template Variables
 
@@ -37,7 +36,7 @@ Your custom template must include these template variables for proper operation:
 
 ```yaml
 ignition:
-  enable: true
+  override: true
   template: |
     variant: fcos
     version: "1.3.0"
@@ -64,19 +63,19 @@ ignition:
 
 ## Deployment
 
-### Using Default Hardcoded Template (Recommended)
+### Using Default Template (Recommended)
 
 ```bash
 helm install my-metal-operator ./
 ```
 
-This uses the built-in hardcoded template. No ConfigMap is created, and the operator works immediately.
+This uses the template file baked into the container image. No ConfigMap is created, and the operator works immediately with the default configuration.
 
 ### Using Custom Template Override
 
 1. Enable ignition customization:
 ```bash
-helm install my-metal-operator ./ --set ignition.enable=true
+helm install my-metal-operator ./ --set ignition.override=true
 ```
 
 2. Or create a custom values file:
@@ -159,16 +158,22 @@ passwd:
 
 ## Troubleshooting
 
-### ConfigMap Not Found
+### Template File Not Found
+
+If you see errors about template file not being found:
 
-If you see errors about ConfigMap not being found:
+1. Verify the default file exists in the container:
+```bash
+kubectl exec -n <namespace> deployment/metal-operator-controller-manager -- ls -la /etc/metal-operator/
+```
 
-1. Verify the ConfigMap was created:
+2. If using ConfigMap override, verify it was created and mounted:
 ```bash
 kubectl get configmap -n <namespace>
+kubectl describe deployment -n <namespace> metal-operator-controller-manager
 ```
 
-2. Check the manager logs:
+3. Check the manager logs:
 ```bash
 kubectl logs -n <namespace> deployment/metal-operator-controller-manager
 ```
@@ -180,12 +185,17 @@ If ignition generation fails due to template syntax:
 1. Validate your template syntax offline
 2. Check that all required template variables are included
 3. Verify the Ignition format is valid
+4. If using a custom template, ensure the ConfigMap is properly mounted
 
-### Permission Issues
+### Volume Mount Issues
 
-If the controller cannot read the ConfigMap:
-1. Verify RBAC permissions include ConfigMap access
-2. Check that the ConfigMap is in the correct namespace
+If the ConfigMap override is not working:
+1. Verify the ConfigMap is mounted correctly:
+```bash
+kubectl describe pod -n <namespace> -l control-plane=controller-manager
+```
+2. Check that `ignition.override: true` is set in values
+3. Verify RBAC permissions include ConfigMap access
 
 ## Examples
 

dist/chart/templates/configmap/ignition-template.yaml

@@ -1,8 +1,8 @@
-{{- if .Values.ignition.enable }}
+{{- if .Values.ignition.override }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "chart.name" . }}-{{ .Values.ignition.configMapName }}
+  name: {{ include "chart.name" . }}-ignition-template
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "chart.labels" . | nindent 4 }}
@@ -12,6 +12,6 @@ data:
   # {{.Flags}} - The flags to pass to the metalprobe container, this includes --registry-url and --server-uuid
   # {{.SSHPublicKey}} - The SSH public key for the 'metal' user
   # {{.PasswordHash}} - The password hash for the 'metal' user
-  {{ .Values.ignition.configMapKey }}: |
+  ignition-template.yaml: |
 {{ .Values.ignition.template | indent 4 }}
 {{- end }}

dist/chart/templates/manager/manager.yaml

@@ -34,11 +34,6 @@ spec:
         {{- range .Values.controllerManager.manager.args }}
         - {{ . }}
         {{- end }}
-        {{- if .Values.ignition.enable }}
-        - "--manager-namespace={{ .Release.Namespace }}"
-        - "--ignition-configmap-name={{ include "chart.name" . }}-{{ .Values.ignition.configMapName }}"
-        - "--ignition-configmap-key={{ .Values.ignition.configMapKey }}"
-        {{- end }}
         command:
         - /manager
         image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag }}
@@ -66,6 +61,11 @@ spec:
         volumeMounts:
         - mountPath: /etc/macdb/
           name: macdb
+        {{- if .Values.ignition.override }}
+        - name: ignition-template
+          mountPath: /etc/metal-operator
+          readOnly: true
+        {{- end }}
         {{- if and .Values.webhook.enable .Values.certmanager.enable }}
         - name: webhook-cert
           mountPath: /tmp/k8s-webhook-server/serving-certs
@@ -92,6 +92,11 @@ spec:
       - name: macdb
         secret:
           secretName: macdb
+      {{- if .Values.ignition.override }}
+      - name: ignition-template
+        configMap:
+          name: {{ include "chart.name" . }}-ignition-template
+      {{- end }}
       {{- if and .Values.webhook.enable .Values.certmanager.enable }}
       - name: webhook-cert
         secret:

dist/chart/templates/rbac/configmap_role.yaml

@@ -7,14 +7,6 @@ metadata:
     {{- include "chart.labels" . | nindent 4 }}
   name: metal-operator-manager-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - ""
   resources: