- Bug
- Resolution: Unresolved
- Minor
- None
- 4.16, 4.17, 4.18
- Low
- None
- False
If the provisioning network is disabled in the baremetal platform section of the install-config, we use the external network only to provision (using virtualmedia).
Currently, we only open firewall ports allowing IPA to connect to ironic for IPv4, regardless of the cluster network stack (which could be IPv6-primary, or even IPv6-only).
There is a way to work around this: set the bootstrapProvisioningIP address to an IPv6 address. Any address added to this field becomes effectively a second bootstrapExternalStaticIP as it is applied to the external network interface (since there is no provisioning network). It is the address family of this address that is used to determine whether to open firewall ports for IPv4 or IPv6.
The URLs provided to IPA to contact ironic use the primary API VIP if the BMC address is IPv4, and the IPv6 API VIP if the BMC address is IPv6. The former is incorrect, because it erroneously assumes that IPv4 is always primary in a dual-stack network. We should also open the firewall for both address families at least in a dual-stack cluster, and at least for IPv6 in an IPv6-only cluster.
The address family of the IP of the provisioning interface probably shouldn't come into it when deciding which firewall ports to open, since IPA is actually using the API VIP (on the external network) to contact ironic.
See https://issues.redhat.com/browse/OCPBUGS-36869?focusedId=25524488&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-25524488 for some more history.
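The mismatch described above can be checked mechanically. The following Go sketch is an added example, not the installer's code: it models the two decisions as this report describes them and flags configurations where IPA is told to call ironic over an address family the bootstrap firewall has not opened. All function names are hypothetical, the addresses are constructed from documentation ranges, and the BMC address is reduced to its host IP.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Added illustration: every function name here is hypothetical, not installer code.
func isV6(a netip.Addr) bool { return a.Unmap().Is6() }

// firewallOpensV6 models the reported behaviour: the family of
// bootstrapProvisioningIP picks the firewall family; unset or invalid means IPv4.
func firewallOpensV6(bootstrapProvisioningIP string) bool {
	a, err := netip.ParseAddr(bootstrapProvisioningIP)
	return err == nil && isV6(a)
}

// callbackUsesV6 models the reported URL choice: an IPv4 BMC gets the primary
// (first) API VIP, an IPv6 BMC gets the IPv6 API VIP.
func callbackUsesV6(bmc netip.Addr, apiVIPs []netip.Addr) (bool, error) {
	if !isV6(bmc) && len(apiVIPs) > 0 {
		return isV6(apiVIPs[0]), nil
	}
	for _, vip := range apiVIPs {
		if isV6(vip) {
			return true, nil
		}
	}
	return false, errors.New("no API VIP usable for this BMC address")
}

// CallbackBlocked reports whether IPA would be told to reach ironic over an
// address family the bootstrap firewall has not opened.
func CallbackBlocked(provIP, bmc string, apiVIPs ...string) (bool, error) {
	addrs := make([]netip.Addr, 0, len(apiVIPs)+1)
	for _, s := range append([]string{bmc}, apiVIPs...) {
		a, err := netip.ParseAddr(s)
		if err != nil {
			return false, err
		}
		addrs = append(addrs, a)
	}
	v6, err := callbackUsesV6(addrs[0], addrs[1:])
	return err == nil && v6 != firewallOpensV6(provIP), err
}

// Constructed case: IPv6-primary dual-stack, IPv4 BMC, no bootstrapProvisioningIP.
func main() { fmt.Println(CallbackBlocked("", "192.0.2.10", "2001:db8::5", "192.0.2.5")) }
```

In this model an IPv6-primary dual-stack cluster and an IPv6-only cluster are both reported as blocked until bootstrapProvisioningIP is given an IPv6 address, which matches the workaround in the description.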
- relates to
- OCPBUGS-36869 IPI Baremetal - BootstrapVM interface restart impacts pulling image and causes ironic service to fail
- Verified