Add default deployment values

Add default values (in defaults/deployment.yaml) for:
 - disconnected: true
 - diskEncryption: false
 - ocMirrorLogLevel: info
 - pullSecretPath: "{{ workingDir }}/config/pull-secret.json"

The variables have been removed from config/global.example.yaml
but the defaults values can be overridden in config/global.yaml.

Author: eurijon

config/global.example.yaml

@@ -77,31 +77,31 @@ blockStorageBackend: lvms
 #     "kind": "ConfigMap", "data": ..}]'
 
 # ============================================================================
-# OpenShift Configuration
+# OpenShift Deployment Configuration (optional)
+# All settings below have defaults. Uncomment only to override.
 # ============================================================================
-# Disconnected mode
-disconnected: true
+# Disconnected mode (default: true, set to false for connected deployments)
+# disconnected: false
 
-# Encrypt installation partition with TPM v2
-diskEncryption: false
+# Encrypt installation partition with TPM v2 (default: false, set to true to enable)
+# diskEncryption: true
 
-# SSH public key path for cluster nodes
-sshPubPath: "YOUR_SSH_PUB_KEY_PATH"
-
-# Variables for oc-mirror
-ocMirrorLogLevel: debug
+# Log level for oc-mirror (default: info, options: trace, debug, info, error)
+# ocMirrorLogLevel: debug
 
-# Additional NTP sources for cluster nodes (optional)
+# Additional NTP sources for cluster nodes (no additional servers by default)
 # defaultNtpServers:
 #  - YOUR_NTP_SERVER_1
 #  - YOUR_NTP_SERVER_2
 
 # ============================================================================
-# Pull Secret Configuration
+# Pull Secret and SSH Public Key Configuration
 # ============================================================================
 # Obtain from: https://console.redhat.com/openshift/install/pull-secret
 pullSecret: '{"auths":{"YOUR_PULL_SECRET"}}'
-pullSecretPath: "{{ workingDir }}/config/pull-secret.json"
+
+# SSH public key path for cluster nodes
+sshPubPath: "YOUR_SSH_PUB_KEY_PATH"
 
 # ============================================================================
 # Cluster Hosts Configuration (Agent Hosts)

defaults/deployment.yaml

@@ -0,0 +1,12 @@
+---
+# Default deployment mode. Override in config/global.yaml to deploy in connected mode.
+disconnected: true
+
+# Default disk encryption setting. Override in config/global.yaml to enable TPM v2 encryption.
+diskEncryption: false
+
+# Default oc-mirror log level. Override in config/global.yaml for more verbosity.
+ocMirrorLogLevel: info
+
+# Default pull secret path. Override in config/global.yaml if stored elsewhere.
+pullSecretPath: "{{ workingDir }}/config/pull-secret.json"

docs/CONFIGURATION_REFERENCE.md

@@ -748,13 +748,15 @@ pullSecret: |
 
 #### `pullSecretPath`
 
-**Description**: Path to pull secret file (alternative to inline `pullSecret`).
+**Description**: Path to pull secret JSON file. Defaults to `{{ workingDir }}/config/pull-secret.json`. Override in `config/global.yaml` if your pull secret is stored elsewhere.
 
 **Type**: String (file path)
 
+**Default**: `{{ workingDir }}/config/pull-secret.json`
+
 **Example**:
 ```yaml
-pullSecretPath: "{{ workingDir }}/config/pull-secret.json"
+pullSecretPath: "{{ workingDir }}/.config/pull-secret.json"
 ```
 
 ## Storage Configuration
@@ -1144,11 +1146,18 @@ defaultPrefix: 24
 rendezvousIP: 192.168.2.24
 lzBmcIP: 100.64.1.10
 
-# OpenShift Configuration
-disconnected: true
-diskEncryption: false
+# OpenShift Deployment Configuration (optional — uncomment only to override defaults)
+# disconnected: false  # Default: true (set to false for connected deployments)
+# diskEncryption: true  # Default: false (set to true to enable TPM v2 encryption)
+# ocMirrorLogLevel: debug  # Default: info
+# defaultNtpServers:  # No additional servers by default
+#  - YOUR_NTP_SERVER_1
+#  - YOUR_NTP_SERVER_2
+
+# Pull Secret and SSH Public Key
+pullSecret: '{"auths":{"cloud.openshift.com":{...},"quay.io":{...}}}'
+# pullSecretPath: "{{ workingDir }}/config/pull-secret.json"  # Default
 sshPubPath: "{{ workingDir }}/.ssh/id_rsa.pub"
-ocMirrorLogLevel: debug
 
 # Storage Backend
 blockStorageBackend: lvms
@@ -1187,9 +1196,6 @@ quayBackendRGWConfiguration:
   bucket_name: quay-bucket-name
   hostname: ocs-storagecluster-cephobjectstore-openshift-storage.apps.store.enclave-test.nodns.in
 
-# Pull Secret
-pullSecret: '{"auths":{"cloud.openshift.com":{...},"quay.io":{...}}}'
-pullSecretPath: "{{ workingDir }}/config/pull-secret.json"
 ```
 
 ### `config/certificates.yaml`

playbooks/common/load-vars.yaml

@@ -1,5 +1,8 @@
 ---
 
+- name: Include deployment defaults
+  ansible.builtin.include_vars: ../../defaults/deployment.yaml
+
 - name: Include global deployment vars
   ansible.builtin.include_vars: "{{ vars_file | default('../../config/global.yaml') }}"
 

playbooks/tasks/configure_ocp_abi.yaml

@@ -13,13 +13,6 @@
     backend: cryptography
     private_key_format: ssh
 
-- name: Copy pull secret to config directory for Ironic (connected mode)
-  when: not (disconnected | default(true))
-  ansible.builtin.copy:
-    src: "{{ pullSecretPath }}"
-    dest: "{{ workingDir }}/config/pull-secret.json"
-    remote_src: true
-
 - name: Extract openshift-install binary
   ansible.builtin.command: |
     {{ workingDir }}/bin/oc adm release extract --registry-config={{ pullSecretPath }} --command=openshift-install --to {{ workingDir }}/bin/

playbooks/tasks/deploy_bmo.yaml

@@ -3,7 +3,7 @@
 
 - name: Get baremetal-operator image from OpenShift release
   ansible.builtin.command: >
-    {{ workingDir }}/bin/oc adm release info --registry-config={{ workingDir }}/config/pull-secret.json --image-for baremetal-operator
+    {{ workingDir }}/bin/oc adm release info --registry-config={{ pullSecretPath }} --image-for baremetal-operator
     quay.io/openshift-release-dev/ocp-release:{{ mgmt_openshift_version }}-x86_64
   register: r_baremetal_operator_image
   changed_when: false
@@ -38,7 +38,7 @@
   containers.podman.podman_container:
     name: baremetal-operator
     image: "{{ metal3_baremetal_operator_image }}"
-    authfile: "{{ workingDir }}/config/pull-secret.json"
+    authfile: "{{ pullSecretPath }}"
     user: "65532:65532"
     cap_drop:
       - ALL

playbooks/tasks/deploy_ironic.yaml

@@ -3,7 +3,7 @@
 
 - name: Get ironic image from OpenShift release
   ansible.builtin.command: >
-    {{ workingDir }}/bin/oc adm release info --registry-config={{ workingDir }}/config/pull-secret.json --image-for ironic
+    {{ workingDir }}/bin/oc adm release info --registry-config={{ pullSecretPath }} --image-for ironic
     quay.io/openshift-release-dev/ocp-release:{{ mgmt_openshift_version }}-x86_64
   register: r_ironic_image
   changed_when: false
@@ -111,7 +111,7 @@
     name: ironic
     pod: metal3-ironic
     image: "{{ metal3_ironic_image }}"
-    authfile: "{{ workingDir }}/config/pull-secret.json"
+    authfile: "{{ pullSecretPath }}"
     restart_policy: always
     user: "1002:1003"
     cap_drop:
@@ -131,7 +131,7 @@
     name: httpd
     pod: metal3-ironic
     image: "{{ metal3_ironic_image }}"
-    authfile: "{{ workingDir }}/config/pull-secret.json"
+    authfile: "{{ pullSecretPath }}"
     restart_policy: always
     user: "1002:1003"
     cap_drop:

playbooks/tasks/deploy_metal3_stack.yaml

@@ -3,7 +3,7 @@
 
 - name: Get ironic image from OpenShift release
   ansible.builtin.command: >
-    {{ workingDir }}/bin/oc adm release info --registry-config={{ workingDir }}/config/pull-secret.json --image-for ironic
+    {{ workingDir }}/bin/oc adm release info --registry-config={{ pullSecretPath }} --image-for ironic
     quay.io/openshift-release-dev/ocp-release:{{ mgmt_openshift_version }}-x86_64
   register: r_ironic_image
   changed_when: false
@@ -66,7 +66,7 @@
     name: ironic
     pod: metal3-ironic
     image: "{{ metal3_ironic_image }}"
-    authfile: "{{ workingDir }}/config/pull-secret.json"
+    authfile: "{{ pullSecretPath }}"
     restart_policy: always
     user: "1002:1003"
     cap_drop:
@@ -97,7 +97,7 @@
     name: httpd
     pod: metal3-ironic
     image: "{{ metal3_ironic_image }}"
-    authfile: "{{ workingDir }}/config/pull-secret.json"
+    authfile: "{{ pullSecretPath }}"
     restart_policy: always
     user: "1002:1003"
     cap_drop:

playbooks/tasks/mirror_registry.yaml

@@ -13,7 +13,6 @@
         {{ workingDir }}/bin/mirror-registry  install --quayHostname "{{ quayHostname }}" --quayRoot {{ workingDir }}/data --initPassword "{{ quayPassword }}" --initUser "{{ quayUser }}"
       register: r_mirror_registry
 
-
 - name: Generate pull secret for internal mirror
   ansible.builtin.set_fact:
     pullSecretInternal: '{"auths":{"{{ quayHostname }}:8443":{"auth":"{{ (quayUser + ":" + quayPassword) | ansible.builtin.b64encode }}"}}}'
@@ -25,7 +24,7 @@
 - name: Create pull-secret file with the combination
   ansible.builtin.copy:
     content: "{{ pullSecretNew }}"
-    dest: "{{ workingDir }}/config/pull-secret.json"
+    dest: "{{ pullSecretPath }}"
 
 - name: Create pull-secret internal file with the combination
   ansible.builtin.copy:
@@ -42,7 +41,7 @@
 
 - name: Start oc-mirror process
   ansible.builtin.shell: |
-    {{ workingDir }}/bin/oc-mirror --v2 --log-level {{ ocMirrorLogLevel }} --authfile {{ workingDir }}/config/pull-secret.json -c {{ workingDir }}/config/imagesetconfiguration.yaml --workspace file://{{ workingDir }}/config/oc-mirror-workspace docker://{{ quayHostname }}:8443 --dest-tls-verify=false --parallel-images 10 --parallel-layers 10 --retry-times 10 --retry-delay 0 > {{ workingDir }}/logs/oc-mirror.progress.$(date +%s).log 2>&1
+    {{ workingDir }}/bin/oc-mirror --v2 --log-level {{ ocMirrorLogLevel }} --authfile "{{ pullSecretPath }}" -c {{ workingDir }}/config/imagesetconfiguration.yaml --workspace file://{{ workingDir }}/config/oc-mirror-workspace docker://{{ quayHostname }}:8443 --dest-tls-verify=false --parallel-images 10 --parallel-layers 10 --retry-times 10 --retry-delay 0 > {{ workingDir }}/logs/oc-mirror.progress.$(date +%s).log 2>&1
   retries: 5
   delay: 10
   register: r_oc_mirror

playbooks/tasks/schema_validation.yaml

@@ -1,3 +1,9 @@
+- name: validate defaults/deployment.yaml schema
+  ansible.utils.validate:
+    data: "{{ lookup('ansible.builtin.file', '../../defaults/deployment.yaml') | from_yaml | to_json }}"
+    criteria: "{{ lookup('ansible.builtin.file', '../../schemas/deployment.yaml') | from_yaml | to_json }}"
+    engine: ansible.utils.jsonschema
+
 - name: validate defaults/catalogs.yaml schema
   ansible.utils.validate:
     data: "{{ lookup('ansible.builtin.file', '../../defaults/catalogs.yaml') | from_yaml | to_json }}"