Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.22
Component/s: Bare Metal Hardware Provisioning / baremetal-operator
Labels:
None

Activity Type:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:
None
Release Blocker:
Rejected
Sprint:
Metal Platform 283
sprint_count:
1

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

    When ProvisioningNetwork=Disabled or VirtualMediaViaExternalNetwork=true, the Ironic API on port 6385 is not properly exposed via a Kubernetes service. The metal3-state service adds port 6385, but the service selector (baremetal.openshift.io/cluster-baremetal-operator: metal3-state) only matches metal3 pods that listen on port 6388, not 6385. This results in service endpoints that don't route to any listening backend, causing connection failures when clients try to access Ironic via the service.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

    1.
    2.
    3.

Actual results:

Expected results:

Port 6385 should be accessible via Kubernetes service and route to pods that actually listen on that port. Clients should be able to reach the Ironic API via metal3-state.openshift-machine-api.svc:6385

Proposed fix

func newIronicProxyService(info *ProvisioningInfo) *corev1.Service {    return &corev1.Service{        ObjectMeta: metav1.ObjectMeta{            Name:      ironicProxyService,            Namespace: info.Namespace,            Labels: map[string]string{                cboLabelName: ironicProxyService,            },        },        Spec: corev1.ServiceSpec{            ClusterIP: corev1.ClusterIPNone, // Headless service            Selector: map[string]string{                cboLabelName: ironicProxyService,            },            Ports: []corev1.ServicePort{                {                    Name: "ironic-api",                    Port: int32(baremetalIronicPort),                },            },        },    }}

      // Ensure the headless service for ironic-proxy    ironicProxySvc := newIronicProxyService(info)    err = controllerutil.SetControllerReference(info.ProvConfig, ironicProxySvc, info.Scheme)    if err != nil {        err = fmt.Errorf("unable to set controllerReference on ironic-proxy service: %w", err)        return    }    _, svcUpdated, err := resourceapply.ApplyService(context.Background(),        info.Client.CoreV1(), info.EventRecorder, ironicProxySvc)    if err != nil {        err = fmt.Errorf("unable to apply ironic-proxy service: %w", err)        return    }    if svcUpdated {        updated = true    }

Detected in component readiness by mkowalsk@redhat.com

[sig-network][Feature:commatrix][apigroup:config.openshift.io][Serial] should validate the communication matrix ports match the node's listening ports [Suite:openshift/conformance/serial]

See the sippy test details for additional context.

Assignee:: Riccardo Pittau

Reporter:: amal abu gosh

Need Info From:: None

Contributors:: None

QA Contact:: Jad Haj Yahya

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2026/01/09 3:01 PM

Updated:: 2026/01/14 3:41 PM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates