Add read_host_secret builtin and inject network_data at every lifecycle phase

 - New `read_host_secret(field)` starlark builtin that resolves BMH
   spec secret fields (`userData`, `networkData`, `metaData`,
   `preprovisioningNetworkData`) on demand from any entry point via
   `KubeHostSecretResolver` backed by `SecretManager.ObtainSecret`.

 - New `resolve_ironic_network_data()` starlark helper that fetches
   IPA network config (preprov secret first, `Spec.NetworkData`
   fallback) and ensures `network_id` is present on each network
   entry (required by Ironic schema, omitted by CAPM3).

 - Ironic `node.network_data` is now synced at six lifecycle points:
   `create_node`, `build_register_patch`, `prepare`, `provision`,
   `deprovision`, and `delete`.

Signed-off-by: s3rj1k <evasive.gyron@gmail.com>

Author: s3rj1k

main.go

@@ -343,7 +343,15 @@ func main() {
 		provisionerFactory = &demo.Demo{}
 	} else if starlarkScript != "" {
 		ctrl.Log.Info("using starlark provisioner", "script", starlarkScript)
-		provisionerFactory, err = starlarkprov.NewProvisionerFactory(starlarkScript)
+		secretResolver := &starlarkprov.KubeHostSecretResolver{
+			Client: mgr.GetClient(),
+			SecretManager: secretutils.NewSecretManager(
+				ctrl.Log.WithName("starlark-secret-resolver"),
+				mgr.GetClient(),
+				mgr.GetAPIReader(),
+			),
+		}
+		provisionerFactory, err = starlarkprov.NewProvisionerFactory(starlarkScript, secretResolver)
 		if err != nil {
 			setupLog.Error(err, "cannot start starlark provisioner")
 			os.Exit(1)

pkg/provisioner/starlark/scripts/efi-vmedia.star

@@ -343,6 +343,21 @@ def parse_bmc_address(bmc_addr):
         "redfish_system_id": system_id,
     }
 
+def resolve_ironic_network_data():
+    """Resolve Ironic node.network_data for IPA ramdisk: preprov secret first, then Spec.NetworkData."""
+    nd_raw = read_host_secret("preprovisioningNetworkData")
+    if not nd_raw:
+        nd_raw = read_host_secret("networkData")
+    if not nd_raw:
+        return None
+    nd = yaml_decode(nd_raw)
+
+    # Ironic schema requires network_id on each network entry; CAPM3 omits it.
+    for net in nd.get("networks", []):
+        if "network_id" not in net:
+            net["network_id"] = net.get("id", "")
+    return nd
+
 def create_node(bmc_addr, bmc_user, bmc_password, boot_mac, data):
     """Creates a new node in Ironic via POST /v1/nodes."""
     bmc = parse_bmc_address(bmc_addr)
@@ -373,9 +388,9 @@ def create_node(bmc_addr, bmc_user, bmc_password, boot_mac, data):
             "cpu_arch": cpu_arch,
         },
     }
-    nd_raw = data.get("PreprovisioningNetworkData", "")
-    if nd_raw:
-        body["network_data"] = yaml_decode(nd_raw)
+    nd = resolve_ironic_network_data()
+    if nd:
+        body["network_data"] = nd
     node, status = http_post("/v1/nodes", body)
     if status == 409:
         return None, status
@@ -432,11 +447,9 @@ def build_register_patch(node, data, _creds_changed):
         ops.append(patch_op("add", "/driver_info/deploy_ramdisk", DEPLOY_RAMDISK_URL))
 
     # Network data for IPA (so it can reach Ironic callback endpoint)
-    nd_raw = data.get("PreprovisioningNetworkData", "")
-    if nd_raw:
-        nd = yaml_decode(nd_raw)
-        if nd != node.get("network_data"):
-            ops.append(patch_op("add", "/network_data", nd))
+    nd = resolve_ironic_network_data()
+    if nd and nd != node.get("network_data"):
+        ops.append(patch_op("add", "/network_data", nd))
 
     return ops
 
@@ -759,9 +772,18 @@ def adopt(host, data, restart_on_failure):
     return {}
 
 def prepare(host, data, _unprepared, _restart_on_failure):
-    """Reject RAID; prepare itself is not implemented."""
+    """Reject RAID; sync network_data on the Ironic node for cleaning boots."""
     require_redfish_virtualmedia(host)
     require_no_raid(data)
+
+    prov_id = host[HOST_PROVISIONER_ID]
+    if prov_id:
+        nd = resolve_ironic_network_data()
+        if nd:
+            node, status = http_get("/v1/nodes/" + prov_id, ignore_statuses = [404])
+            if status == 200 and node and nd != node.get("network_data"):
+                http_patch("/v1/nodes/" + prov_id, [patch_op("add", "/network_data", nd)])
+
     return {"started": False}
 
 def service(host, _data, _unprepared, _restart_on_failure):
@@ -778,6 +800,11 @@ def provision(host, data, force_reboot):
     if status != 200 or not node:
         return {"dirty": True, "error": "provision: cannot get node"}
 
+    # Sync network_data so the deploy ramdisk boots with network config.
+    nd = resolve_ironic_network_data()
+    if nd and nd != node.get("network_data"):
+        http_patch("/v1/nodes/" + prov_id, [patch_op("add", "/network_data", nd)])
+
     state = node.get("provision_state", "")
 
     if state == MANAGEABLE:
@@ -926,6 +953,11 @@ def deprovision(host, restart_on_failure, automated_cleaning_mode):
     if status != 200 or not node:
         return {"dirty": True, "error": "deprovision: cannot get node"}
 
+    # Sync network_data so the cleaning ramdisk boots with network config.
+    nd = resolve_ironic_network_data()
+    if nd and nd != node.get("network_data"):
+        http_patch("/v1/nodes/" + prov_id, [patch_op("add", "/network_data", nd)])
+
     state = node.get("provision_state", "")
 
     # Sync automated_clean setting
@@ -980,6 +1012,11 @@ def delete(host):
     if status != 200 or not node:
         return {"dirty": True, "error": "delete: cannot get node"}
 
+    # Sync network_data so any cleaning triggered by delete has network config.
+    nd = resolve_ironic_network_data()
+    if nd and nd != node.get("network_data"):
+        http_patch("/v1/nodes/" + prov_id, [patch_op("add", "/network_data", nd)])
+
     state = node.get("provision_state", "")
 
     if state == VERIFYING:

pkg/provisioner/starlark/secretresolver.go

@@ -0,0 +1,86 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package starlark
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	metal3api "github.com/metal3-io/baremetal-operator/apis/metal3.io/v1alpha1"
+	"github.com/metal3-io/baremetal-operator/pkg/secretutils"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// KubeHostSecretResolver fetches BMH spec secret fields on demand via client.Get + SecretManager.
+type KubeHostSecretResolver struct {
+	Client        client.Client
+	SecretManager secretutils.SecretManager
+}
+
+// ReadHostSecret resolves a BMH spec secret field to its string content; "" when unset.
+func (r *KubeHostSecretResolver) ReadHostSecret(ctx context.Context, namespace, name, field string) (string, error) {
+	host := &metal3api.BareMetalHost{}
+	if err := r.Client.Get(ctx, types.NamespacedName{Namespace: namespace, Name: name}, host); err != nil {
+		return "", fmt.Errorf("get BareMetalHost: %w", err)
+	}
+
+	var ref *corev1.SecretReference
+	var dataKey string
+
+	switch strings.ToLower(field) {
+	case "userdata":
+		ref, dataKey = host.Spec.UserData, "userData"
+	case "networkdata":
+		ref, dataKey = host.Spec.NetworkData, "networkData"
+	case "metadata":
+		ref, dataKey = host.Spec.MetaData, "metaData"
+	case "preprovisioningnetworkdata":
+		if host.Spec.PreprovisioningNetworkDataName != "" {
+			ref = &corev1.SecretReference{Name: host.Spec.PreprovisioningNetworkDataName}
+		}
+		dataKey = "networkData"
+	default:
+		return "", fmt.Errorf("unknown field %q", field)
+	}
+
+	if ref == nil {
+		return "", nil
+	}
+
+	ns := ref.Namespace
+	if ns == "" {
+		ns = namespace
+	}
+	if ns != namespace {
+		return "", fmt.Errorf("%s secret must be in BMH namespace %s", dataKey, namespace)
+	}
+
+	sec, err := r.SecretManager.ObtainSecret(ctx, types.NamespacedName{Name: ref.Name, Namespace: ns})
+	if err != nil {
+		return "", err
+	}
+
+	if v, ok := sec.Data[dataKey]; ok {
+		return string(v), nil
+	}
+	if v, ok := sec.Data["value"]; ok {
+		return string(v), nil
+	}
+	return "", nil
+}

pkg/provisioner/starlark/starlark.go

@@ -42,21 +42,23 @@ var log = logf.Log.WithName("provisioner").WithName("starlark")
 
 // Frozen script globals shared across per-host provisioner instances.
 type starlarkProvisionerFactory struct {
-	globals    starlark.StringDict
-	scriptPath string
-	log        logr.Logger
+	globals        starlark.StringDict
+	scriptPath     string
+	log            logr.Logger
+	secretResolver starlib.HostSecretResolver
 }
 
 // Per-host state shared by every provisioner.Provisioner method (defined in provisioner.go).
 type starlarkProvisioner struct {
-	globals   starlark.StringDict
-	publisher provisioner.EventPublisher
-	hostData  provisioner.HostData
-	log       logr.Logger
+	globals        starlark.StringDict
+	publisher      provisioner.EventPublisher
+	hostData       provisioner.HostData
+	log            logr.Logger
+	secretResolver starlib.HostSecretResolver
 }
 
 // NewProvisionerFactory loads the Starlark script and validates that every required function is callable.
-func NewProvisionerFactory(scriptPath string) (provisioner.Factory, error) {
+func NewProvisionerFactory(scriptPath string, secretResolver starlib.HostSecretResolver) (provisioner.Factory, error) {
 	globals, err := starscript.LoadScript(scriptPath, starlib.Builtins())
 	if err != nil {
 		return nil, fmt.Errorf("starlark provisioner: %w", err)
@@ -67,9 +69,10 @@ func NewProvisionerFactory(scriptPath string) (provisioner.Factory, error) {
 	}
 
 	return &starlarkProvisionerFactory{
-		globals:    globals,
-		scriptPath: scriptPath,
-		log:        log,
+		globals:        globals,
+		scriptPath:     scriptPath,
+		log:            log,
+		secretResolver: secretResolver,
 	}, nil
 }
 
@@ -80,10 +83,11 @@ func (f *starlarkProvisionerFactory) NewProvisioner(
 	publisher provisioner.EventPublisher,
 ) (provisioner.Provisioner, error) {
 	return &starlarkProvisioner{
-		globals:   f.globals,
-		hostData:  hostData,
-		log:       f.log.WithValues("host", hostData.ObjectMeta.Name),
-		publisher: publisher,
+		globals:        f.globals,
+		hostData:       hostData,
+		log:            f.log.WithValues("host", hostData.ObjectMeta.Name),
+		publisher:      publisher,
+		secretResolver: f.secretResolver,
 	}, nil
 }
 
@@ -94,6 +98,11 @@ func (p *starlarkProvisioner) CallScriptWithPublisher(ctx context.Context, name
 		thread.SetLocal(starlib.PublisherThreadLocal, p.publisher)
 	}
 	thread.SetLocal(starlib.LoggerThreadLocal, p.log)
+	if p.secretResolver != nil {
+		thread.SetLocal(starlib.SecretResolverThreadLocal, p.secretResolver)
+	}
+	thread.SetLocal(starlib.HostNamespaceThreadLocal, p.hostData.ObjectMeta.Namespace)
+	thread.SetLocal(starlib.HostNameThreadLocal, p.hostData.ObjectMeta.Name)
 
 	// Per-call ctx so the watcher goroutine exits whenever the call returns.
 	callCtx, cancel := context.WithCancel(ctx)

pkg/provisioner/starlark/starlib/builtins.go

@@ -59,6 +59,7 @@ func Builtins() starlark.StringDict {
 		"read_file":        starlark.NewBuiltin("read_file", builtinReadFile),
 		"yaml_decode":      starlark.NewBuiltin("yaml_decode", builtinYAMLDecode),
 		"yaml_encode":      starlark.NewBuiltin("yaml_encode", builtinYAMLEncode),
+		"read_host_secret": starlark.NewBuiltin("read_host_secret", builtinReadHostSecret),
 	}
 }
 

pkg/provisioner/starlark/starlib/secret.go

@@ -0,0 +1,66 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package starlib
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"go.starlark.net/starlark"
+)
+
+// HostSecretResolver resolves a named BMH spec secret field to its string content; "" when unset.
+type HostSecretResolver interface {
+	ReadHostSecret(ctx context.Context, namespace, name, field string) (string, error)
+}
+
+// Starlark read_host_secret(field): resolve a BMH secret ref to its string content.
+func builtinReadHostSecret(thread *starlark.Thread, _ *starlark.Builtin, args starlark.Tuple, _ []starlark.Tuple) (starlark.Value, error) {
+	var field starlark.String
+	if err := starlark.UnpackPositionalArgs("read_host_secret", args, nil, 1, &field); err != nil {
+		return starlark.None, err
+	}
+
+	switch strings.ToLower(string(field)) {
+	case "userdata", "networkdata", "metadata", "preprovisioningnetworkdata":
+	default:
+		return starlark.None, fmt.Errorf("read_host_secret: unknown field %q (want userData/networkData/metaData/preprovisioningNetworkData)", string(field))
+	}
+
+	resolver, ok := thread.Local(SecretResolverThreadLocal).(HostSecretResolver)
+	if !ok || resolver == nil {
+		return starlark.None, fmt.Errorf("read_host_secret: no HostSecretResolver configured (factory constructed without one?)")
+	}
+
+	ns, _ := thread.Local(HostNamespaceThreadLocal).(string)
+	name, _ := thread.Local(HostNameThreadLocal).(string)
+	if ns == "" || name == "" {
+		return starlark.None, fmt.Errorf("read_host_secret: BMH coordinates not set on thread")
+	}
+
+	ctx, _ := thread.Local(CtxThreadLocal).(context.Context)
+	if ctx == nil {
+		ctx = context.Background()
+	}
+
+	s, err := resolver.ReadHostSecret(ctx, ns, name, string(field))
+	if err != nil {
+		return starlark.None, fmt.Errorf("read_host_secret(%s): %w", string(field), err)
+	}
+
+	return starlark.String(s), nil
+}

pkg/provisioner/starlark/starlib/threadlocal.go

@@ -23,4 +23,10 @@ const (
 	CtxThreadLocal = "metal3-context"
 	// Carries the per-host logr.Logger for log_info/log_debug/log_error.
 	LoggerThreadLocal = "metal3-logger"
+	// Carries the HostSecretResolver for read_host_secret.
+	SecretResolverThreadLocal = "metal3-host-secret-resolver"
+	// Carries the BMH namespace string (coordinates for read_host_secret).
+	HostNamespaceThreadLocal = "metal3-host-namespace"
+	// Carries the BMH name string (coordinates for read_host_secret).
+	HostNameThreadLocal = "metal3-host-name"
 )