feat(infra): automate UM760 provisioning link mode

compute/incusos/Justfile

@@ -30,6 +30,66 @@ apply host="um760":
 delete host="um760":
     @proto run cue -- export . -e kubernetesYAML --out text -t host={{host}} | kubectl delete --ignore-not-found=true -f -
 
+# Report the UM760 link mode, bridge membership, listener ownership, and Tinkerbell state.
+um760-status:
+    #!/usr/bin/env bash
+    set -euo pipefail
+    link_mode="../../network/vyos/scripts/um760_link_mode.py"
+    ssh_key="${VYOS_SSH_KEY:-$HOME/.ssh/vyos-gateway}"
+    ssh_target="${VYOS_USER:-vyos}@${VYOS_HOST:-10.0.0.2}"
+    ssh_base=(ssh -i "$ssh_key" -o BatchMode=yes -o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new "$ssh_target")
+    kubectl="sudo podman exec bootstrap-k0s k0s kubectl"
+
+    python3 "$link_mode" status
+    echo
+    "${ssh_base[@]}" "$kubectl -n tinkerbell get deployment,pod,workflow,hardware,template -o wide"
+
+# Preflight the bootstrap stack and move the UM760-facing link to untagged LAB_PROV.
+um760-provision host="um760":
+    #!/usr/bin/env bash
+    set -euo pipefail
+    link_mode="../../network/vyos/scripts/um760_link_mode.py"
+    ssh_key="${VYOS_SSH_KEY:-$HOME/.ssh/vyos-gateway}"
+    ssh_target="${VYOS_USER:-vyos}@${VYOS_HOST:-10.0.0.2}"
+    ssh_base=(ssh -i "$ssh_key" -o BatchMode=yes -o ConnectTimeout=10 -o StrictHostKeyChecking=accept-new "$ssh_target")
+    kubectl="sudo podman exec bootstrap-k0s k0s kubectl"
+    artifact_url="$(proto run cue -- export . -e imageBuildConfig.image.artifactURL --out text -t host={{host}})"
+
+    "${ssh_base[@]}" "$kubectl -n tinkerbell rollout status deployment/tinkerbell --timeout=120s"
+    "${ssh_base[@]}" "$kubectl -n tinkerbell rollout status deployment/hookos --timeout=120s"
+
+    workflow_state="$("${ssh_base[@]}" "$kubectl -n tinkerbell get workflow incusos-operation-{{host}} -o jsonpath='{.status.state}'")"
+    case "$workflow_state" in
+      PENDING|RUNNING) ;;
+      *)
+        echo "workflow incusos-operation-{{host}} is not ready to provision: state=$workflow_state" >&2
+        exit 1
+        ;;
+    esac
+
+    "${ssh_base[@]}" "curl -fsSI --max-time 10 '$artifact_url' >/dev/null"
+    python3 "$link_mode" provision
+    echo
+    status_output="$(python3 "$link_mode" status)"
+    printf '%s\n' "$status_output"
+    grep -Eq '^br20 members:.*eth2' <<<"$status_output"
+    ! grep -Eq '^br10 members:.*eth2\.10' <<<"$status_output"
+
+# Restore the UM760-facing link to tagged LAB_MGMT and report current reachability evidence.
+um760-mgmt:
+    #!/usr/bin/env bash
+    set -euo pipefail
+    link_mode="../../network/vyos/scripts/um760_link_mode.py"
+    python3 "$link_mode" mgmt
+    echo
+    status_output="$(python3 "$link_mode" status)"
+    printf '%s\n' "$status_output"
+    grep -Eq '^br10 members:.*eth2\.10' <<<"$status_output"
+    ! grep -Eq '^br20 members:.*eth2(,|$)' <<<"$status_output"
+    if ! grep -qi '38:05:25:34:25:d0' <<<"$status_output"; then
+      echo "UM760 MAC is not observed yet; it may still be off, booting, or not using LAB_MGMT." >&2
+    fi
+
 # Remove disposable local build state.
 clean:
     @rm -rf .state

network/vyos/ansible/templates/bootstrap-k0s.env.j2

@@ -1,5 +1,6 @@
 TINKERBELL_PUBLIC_IP={{ bootstrap_k0s_provisioning_ip }}
 TINKERBELL_ARTIFACTS_FILE_SERVER={{ bootstrap_k0s_artifacts_file_server }}
+TINKERBELL_DHCP_BIND_ADDR={{ bootstrap_k0s_dhcp_bind_addr }}
 TINKERBELL_DHCP_BIND_INTERFACE={{ bootstrap_k0s_dhcp_bind_interface }}
 TINKERBELL_TRUSTED_PROXIES={{ bootstrap_k0s_trusted_proxies }}
 K0S_POD_CIDR={{ bootstrap_k0s_pod_cidr }}

network/vyos/ansible/vars/bootstrap_k0s.yml

@@ -1,8 +1,9 @@
 ---
-bootstrap_k0s_image: ghcr.io/gilmanlab/platform/bootstrap-k0s:0.2.1
+bootstrap_k0s_image: ghcr.io/gilmanlab/platform/bootstrap-k0s:0.2.2
 bootstrap_k0s_provisioning_ip: 10.10.20.1
 bootstrap_k0s_artifacts_file_server: http://10.10.20.1:7173
-bootstrap_k0s_dhcp_bind_interface: eth1.20
+bootstrap_k0s_dhcp_bind_addr: 10.10.20.1
+bootstrap_k0s_dhcp_bind_interface: br20
 bootstrap_k0s_pod_cidr: 10.244.0.0/16
 bootstrap_k0s_service_cidr: 10.96.0.0/12
 bootstrap_k0s_trusted_proxies: 10.244.0.0/16,10.96.0.0/12

network/vyos/configs/gateway.conf

@@ -24,8 +24,9 @@
  *
  * Bridge Architecture:
  *   br10 - Bridges eth1.10 (switch trunk) and eth2.10 (UM760 direct connect)
- *          This allows the UM760 to participate in VLAN 10 via eth2
- *          while other devices access VLAN 10 via the switch trunk
+ *          for steady-state UM760 management/platform access.
+ *   br20 - Bridges eth1.20 (switch trunk) and, temporarily, physical eth2
+ *          while provisioning the UM760 via untagged PXE/Tinkerbell.
  */
 
 firewall {
@@ -446,6 +447,17 @@ interfaces {
             }
         }
     }
+    /* Bridge for VLAN 20 - Tinkerbell provisioning anchor.
+     * eth1.20 is permanent; physical eth2 is added only during UM760 PXE.
+     */
+    bridge br20 {
+        address 10.10.20.1/24
+        description "LAB_PROV - Provisioning (PXE)"
+        member {
+            interface eth1.20 {
+            }
+        }
+    }
     ethernet eth0 {
         address 10.0.0.2/30
         description "WAN - Transit to Home (CCR2004)"
@@ -456,8 +468,7 @@ interfaces {
             description "LAB_MGMT - Bridge member (br10)"
         }
         vif 20 {
-            address 10.10.20.1/24
-            description "LAB_PROV - Provisioning (PXE)"
+            description "LAB_PROV - Bridge member (br20)"
         }
         vif 40 {
             address 10.10.40.1/24
@@ -551,6 +562,8 @@ protocols {
 }
 service {
     dhcp-server {
+        listen-address 10.10.10.1
+        listen-address 10.10.70.1
         dynamic-dns-update {
             enable
             conflict-resolution enable

network/vyos/moon.yml

@@ -32,10 +32,20 @@ tasks:
       cache: false
       runInCI: true
 
+  check-scripts:
+    command: 'python3 -m py_compile scripts/um760_link_mode.py'
+    toolchains: 'system'
+    inputs:
+      - 'scripts/um760_link_mode.py'
+    options:
+      cache: false
+      runInCI: true
+
   check:
     deps:
       - 'check-init'
       - 'check-playbook'
+      - 'check-scripts'
     command: 'true'
     toolchains: 'system'
     inputs: []