Fix review findings and restrict ODF to disconnected mode

- Pass shell variables to inline Python via os.environ instead of
  string interpolation to prevent injection risks
- Redact credentials from setup_ceph.sh stdout output
- Use if/else for prometheus module enable instead of unconditional
  success after || true
- Quote quayBackendRGWConfiguration values in odf.sh for YAML safety
- Add language identifiers to fenced code blocks in ODF_CEPH_CI.md
- Fix generate_enclave_vars.sh summary to reflect ODF/RadosGWStorage
  when storage plugin is odf
- Download cephadm from official download.ceph.com with GitHub fallback
- Remove connected ODF job (ODF only runs in disconnected mode)
- When ODF is selected, skip LVMS disconnected to avoid parallel runs
- Reduce master VM extra disk to 60G for ODF (storage is on LZ)

Author: eliorerz

.github/workflows/e2e-deployment.yml

@@ -60,6 +60,7 @@ jobs:
     outputs:
       should_run: ${{ steps.decision.outputs.should_run }}
       storage_plugins: ${{ steps.decision.outputs.storage_plugins }}
+      storage_plugins_connected: ${{ steps.decision.outputs.storage_plugins_connected }}
 
     steps:
       - name: Checkout code
@@ -101,31 +102,41 @@ jobs:
         run: |
           # Determine whether to run and which storage plugins to test.
           # storage_plugins is a JSON array consumed by the job matrix.
+          # ODF only runs in disconnected mode. Connected always uses lvms.
           if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
             echo "should_run=true" >> $GITHUB_OUTPUT
             PLUGIN="${{ inputs.storage-plugin || 'lvms' }}"
             echo "storage_plugins=[\"${PLUGIN}\"]" >> $GITHUB_OUTPUT
+            if [[ "$PLUGIN" == "odf" ]]; then
+              echo "storage_plugins_connected=[\"lvms\"]" >> $GITHUB_OUTPUT
+            else
+              echo "storage_plugins_connected=[\"${PLUGIN}\"]" >> $GITHUB_OUTPUT
+            fi
             echo "Manual trigger - E2E will run (${PLUGIN})" | tee -a $GITHUB_STEP_SUMMARY
           elif [[ "${{ github.event_name }}" == "schedule" ]]; then
             echo "should_run=true" >> $GITHUB_OUTPUT
             echo "storage_plugins=[\"lvms\"]" >> $GITHUB_OUTPUT
+            echo "storage_plugins_connected=[\"lvms\"]" >> $GITHUB_OUTPUT
             echo "Scheduled trigger - E2E will run" | tee -a $GITHUB_STEP_SUMMARY
           elif [[ "${{ github.event_name }}" == "merge_group" ]]; then
             echo "should_run=true" >> $GITHUB_OUTPUT
             echo "storage_plugins=[\"lvms\"]" >> $GITHUB_OUTPUT
+            echo "storage_plugins_connected=[\"lvms\"]" >> $GITHUB_OUTPUT
             echo "Merge queue - E2E will run" | tee -a $GITHUB_STEP_SUMMARY
           elif [[ "${{ steps.filter.outputs.e2e }}" == "true" ]]; then
             echo "should_run=true" >> $GITHUB_OUTPUT
+            echo "storage_plugins_connected=[\"lvms\"]" >> $GITHUB_OUTPUT
             if [[ "${{ steps.filter.outputs.odf }}" == "true" ]]; then
-              echo "storage_plugins=[\"lvms\",\"odf\"]" >> $GITHUB_OUTPUT
-              echo "E2E-relevant files changed (including ODF) - both LVMS and ODF will run" | tee -a $GITHUB_STEP_SUMMARY
+              echo "storage_plugins=[\"odf\"]" >> $GITHUB_OUTPUT
+              echo "E2E-relevant files changed (including ODF) - ODF disconnected will run" | tee -a $GITHUB_STEP_SUMMARY
             else
               echo "storage_plugins=[\"lvms\"]" >> $GITHUB_OUTPUT
               echo "E2E-relevant files changed - E2E will run" | tee -a $GITHUB_STEP_SUMMARY
             fi
           else
             echo "should_run=false" >> $GITHUB_OUTPUT
             echo "storage_plugins=[\"lvms\"]" >> $GITHUB_OUTPUT
+            echo "storage_plugins_connected=[\"lvms\"]" >> $GITHUB_OUTPUT
             echo "Only documentation/config files changed - E2E will be skipped" | tee -a $GITHUB_STEP_SUMMARY
             echo "To run E2E anyway, use manual workflow_dispatch" | tee -a $GITHUB_STEP_SUMMARY
           fi
@@ -145,7 +156,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        storage-plugin: ${{ fromJSON(needs.check-e2e-needed.outputs.storage_plugins) }}
+        storage-plugin: ${{ fromJSON(needs.check-e2e-needed.outputs.storage_plugins_connected) }}
 
     concurrency:
       group: enclave-ci-connected-${{ matrix.storage-plugin }}-${{ github.run_id }}
@@ -552,7 +563,7 @@ jobs:
     if: >-
       needs.check-e2e-needed.outputs.should_run == 'true' &&
       (github.event_name != 'workflow_dispatch' || inputs.run-disconnected == true)
-    runs-on: [self-hosted, enclave-large]
+    runs-on: ${{ matrix.storage-plugin == 'odf' && fromJSON('["self-hosted", "enclave-large", "odf"]') || fromJSON('["self-hosted", "enclave-large"]') }}
     timeout-minutes: ${{ github.event_name == 'schedule' && 600 || 360 }}
 
     strategy:

.github/workflows/e2e-odf-schedule.yml

@@ -23,8 +23,8 @@ jobs:
         run: |
           gh workflow run e2e-deployment.yml \
             --ref "${{ github.ref }}" \
-            -f run-connected=true \
+            -f run-connected=false \
             -f run-disconnected=true \
             -f storage-plugin=odf \
             -R "${{ github.repository }}"
-          echo "Dispatched E2E Deployment with ODF storage plugin" | tee -a $GITHUB_STEP_SUMMARY
+          echo "Dispatched E2E Disconnected with ODF storage plugin" | tee -a $GITHUB_STEP_SUMMARY

.github/workflows/slash-command.yml

@@ -100,7 +100,6 @@ jobs:
           | `/test tarball` | Build and push tarball | pr-validation |
           | `/test infra` | Infrastructure verification | enclave-small |
           | `/test e2e-connected` | Dispatch E2E (connected only) | enclave-large |
-          | `/test e2e-connected-odf` | Dispatch E2E connected with ODF storage | enclave-large |
           | `/test e2e-disconnected` | Dispatch E2E (disconnected only) | enclave-large |
           | `/test e2e-disconnected-odf` | Dispatch E2E disconnected with ODF storage | enclave-large |
           | `/test cleanup` | Run cleanup workflow | enclave-small |
@@ -211,13 +210,6 @@ jobs:
                 -f run-disconnected=false
               track_result "E2E Connected" $?
               ;;
-            e2e-connected-odf)
-              dispatch_workflow e2e-deployment.yml \
-                -f run-connected=true \
-                -f run-disconnected=false \
-                -f storage-plugin=odf
-              track_result "E2E Connected ODF" $?
-              ;;
             e2e-disconnected)
               dispatch_workflow e2e-deployment.yml \
                 -f run-connected=false \
@@ -339,7 +331,6 @@ jobs:
               tarball)              echo "build-push-tarball.yml" ;;
               infra)                echo "infra-verify.yml" ;;
               e2e-connected)        echo "e2e-deployment.yml" ;;
-              e2e-connected-odf)    echo "e2e-deployment.yml" ;;
               e2e-disconnected)     echo "e2e-deployment.yml" ;;
               e2e-disconnected-odf) echo "e2e-deployment.yml" ;;
               cleanup)              echo "cleanup.yml" ;;

docs/ODF_CEPH_CI.md

@@ -6,7 +6,7 @@ This document describes the containerized Ceph cluster used to provide external
 
 ODF in external mode connects to a pre-existing Ceph cluster rather than deploying its own. For CI, we run a single-node Ceph cluster on the Landing Zone VM using cephadm. All Ceph daemons run as podman containers on the LZ, which shares the same libvirt network as the OpenShift nodes.
 
-```
+```text
 CI Runner Machine (runs: [self-hosted, enclave-large])
 ├── libvirt VMs
 │   ├── Landing Zone VM (192.168.X.2)
@@ -32,7 +32,7 @@ CI Runner Machine (runs: [self-hosted, enclave-large])
 
 Cephadm filters out raw loop devices, so each OSD uses an LVM stack:
 
-```
+```text
 Sparse file (20GB)          Loop device          LVM
 osd-0.img  ──────────>  /dev/loop0  ──────>  ceph-vg0/ceph-lv0  ──> OSD.0
 osd-1.img  ──────────>  /dev/loop1  ──────>  ceph-vg1/ceph-lv1  ──> OSD.1
@@ -69,15 +69,15 @@ osd-2.img  ──────────>  /dev/loop2  ──────>  cep
 
 Ceph runs on the Landing Zone VM, which is on the same libvirt cluster network as the OpenShift master nodes. All communication is direct:
 
-```
+```text
 Master node (192.168.X.10) -> Landing Zone (192.168.X.2:9283/7480) -- same L2 network
 ```
 
 No firewall configuration is needed. No gateway routing. No SDN workarounds.
 
 ## How ODF Config Flows to the Cluster
 
-```
+```text
 setup_ceph.sh runs on LZ (via SSH from CI runner)
   ↓ writes files to ~/ceph-config/
   ├── odf_external_config.json
@@ -104,7 +104,7 @@ The `ODF_EXTERNAL_CONFIG` and `QUAY_BACKEND_RGW_CONFIG` environment variables ar
 
 ### Runner Labels
 
-ODF runs use the same runner labels as LVMS: `[self-hosted, enclave-large]`. No special `odf` runner label is required since Ceph is deployed dynamically on the Landing Zone.
+ODF runs use the runner labels `[self-hosted, enclave-large, odf]`. The `odf` label ensures ODF jobs are routed to runners with sufficient disk space for Ceph loopback OSDs.
 
 ### Ceph Setup Step
 
@@ -121,7 +121,6 @@ This step is conditional on `STORAGE_PLUGIN == 'odf'` and is skipped for LVMS ru
 
 | Command | Description |
 |---------|-------------|
-| `/test e2e-connected-odf` | Connected mode E2E with ODF storage |
 | `/test e2e-disconnected-odf` | Disconnected mode E2E with ODF storage |
 
 ## Setup

scripts/deployment/deploy_cluster.sh

@@ -192,8 +192,10 @@ if [ -n "${ENABLED_PLUGINS:-}" ]; then
 fi
 
 # Load ODF external config and Quay RGW config (from env vars or LZ files)
-source "${ENCLAVE_DIR}/scripts/lib/odf.sh"
-append_odf_extra_vars
+if [ "${STORAGE_PLUGIN:-}" = "odf" ]; then
+    source "${ENCLAVE_DIR}/scripts/lib/odf.sh"
+    append_odf_extra_vars
+fi
 
 # Create the extra vars file on Landing Zone
 ssh_exec "mkdir -p $LZ_ENCLAVE_DIR/config"

scripts/deployment/deploy_phase.sh

@@ -124,8 +124,10 @@ if [ "${ENCLAVE_MIRROR_DRY_RUN:-}" = "true" ]; then
 fi
 
 # Load ODF external config and Quay RGW config (from env vars or LZ files)
-source "${ENCLAVE_DIR}/scripts/lib/odf.sh"
-append_odf_extra_vars
+if [ "${STORAGE_PLUGIN:-}" = "odf" ]; then
+    source "${ENCLAVE_DIR}/scripts/lib/odf.sh"
+    append_odf_extra_vars
+fi
 
 # Create the extra vars file on Landing Zone
 # shellcheck disable=SC2087,SC2086  # We want client-side expansion of $EXTRA_VARS_CONTENT

scripts/deployment/deploy_plugin.sh

@@ -132,8 +132,10 @@ if [ -n "${ENABLED_PLUGINS:-}" ]; then
 fi
 
 # Load ODF external config and Quay RGW config (from env vars or LZ files)
-source "${ENCLAVE_DIR}/scripts/lib/odf.sh"
-append_odf_extra_vars
+if [ "${STORAGE_PLUGIN:-}" = "odf" ]; then
+    source "${ENCLAVE_DIR}/scripts/lib/odf.sh"
+    append_odf_extra_vars
+fi
 
 # Create the extra vars file on Landing Zone
 # shellcheck disable=SC2087,SC2086  # We want client-side expansion of $EXTRA_VARS_CONTENT

scripts/infrastructure/generate_enclave_vars.sh

@@ -321,10 +321,15 @@ echo ""
 # Calculate worker IP range for informational message
 WORKER_IP_START=$(echo "$CLUSTER_NETWORK" | awk -F. '{print $1"."$2"."$3".20"}')
 WORKER_IP_END=$(echo "$CLUSTER_NETWORK" | awk -F. -v count=$MASTER_COUNT '{print $1"."$2"."$3"."20+count-1}')
+ACTIVE_STORAGE="${STORAGE_PLUGIN:-lvms}"
+ACTIVE_REGISTRY="LocalStorage"
+if [ "$ACTIVE_STORAGE" = "odf" ]; then
+    ACTIVE_REGISTRY="RadosGWStorage"
+fi
 info "Generated configuration uses:"
 info "  - Worker IPs: ${WORKER_IP_START}-${WORKER_IP_END} (will be assigned during deployment)"
-info "  - Storage: LVMS with /dev/vda root disk"
-info "  - Registry: LocalStorage"
+info "  - Storage: ${ACTIVE_STORAGE} with /dev/vda root disk"
+info "  - Registry: ${ACTIVE_REGISTRY}"
 info "  - Pull secret: Embedded in config/global.yaml (written to pullSecretPath at runtime)"
 info "  - SSL certificates: Self-signed (generated for CI/testing)"
 echo ""

scripts/infrastructure/setup_ceph.sh

@@ -137,10 +137,15 @@ info "Step 1: Installing cephadm and ceph-common (release: $CEPH_RELEASE)..."
 if command -v cephadm &>/dev/null; then
     info "cephadm already installed"
 else
-    # Download cephadm directly from the Ceph project
-    info "Downloading cephadm from Ceph project..."
-    curl --silent --remote-name --location \
-        "https://raw.githubusercontent.com/ceph/ceph/${CEPH_RELEASE}/src/cephadm/cephadm.py"
+    # Download cephadm from the official Ceph download server
+    info "Downloading cephadm from download.ceph.com..."
+    curl --silent --location -o cephadm.py \
+        "https://download.ceph.com/rpm-${CEPH_RELEASE}/el9/noarch/cephadm" || {
+        # Fallback to GitHub if the official server doesn't have this release
+        warn "Official download server failed, falling back to GitHub..."
+        curl --silent --remote-name --location \
+            "https://raw.githubusercontent.com/ceph/ceph/${CEPH_RELEASE}/src/cephadm/cephadm.py"
+    }
 
     # Try to add repo and install via package manager
     if python3 cephadm.py add-repo --release "$CEPH_RELEASE" 2>/dev/null; then
@@ -320,8 +325,11 @@ wait_for_rgw
 
 # Enable MGR prometheus module for monitoring endpoint (port 9283, required by ODF)
 info "Enabling MGR prometheus module for monitoring metrics..."
-cephadm shell -- ceph mgr module enable prometheus 2>/dev/null || true
-success "MGR prometheus module enabled (port 9283)"
+if cephadm shell -- ceph mgr module enable prometheus 2>/dev/null; then
+    success "MGR prometheus module enabled (port 9283)"
+else
+    warn "MGR prometheus module enable failed - monitoring metrics may be unavailable"
+fi
 
 # Step 8: Create S3 user and bucket
 info "Step 8: Creating S3 user and bucket..."
@@ -345,21 +353,28 @@ S3_SECRET_KEY=$(cephadm shell -- radosgw-admin user info --uid="$S3_USER" 2>/dev
 if cephadm shell -- radosgw-admin bucket stats --bucket="$S3_BUCKET" &>/dev/null; then
     info "Bucket '$S3_BUCKET' already exists"
 else
+    S3_ACCESS_KEY="$S3_ACCESS_KEY" \
+    S3_SECRET_KEY="$S3_SECRET_KEY" \
+    CEPH_HOST_IP="$CEPH_HOST_IP" \
+    RGW_PORT="$RGW_PORT" \
+    S3_BUCKET="$S3_BUCKET" \
     python3 -c "
-import urllib.request, hmac, hashlib, base64, datetime
-host = '${CEPH_HOST_IP}:${RGW_PORT}'
-bucket = '${S3_BUCKET}'
+import os, urllib.request, hmac, hashlib, base64, datetime
+host = os.environ['CEPH_HOST_IP'] + ':' + os.environ['RGW_PORT']
+bucket = os.environ['S3_BUCKET']
+access_key = os.environ['S3_ACCESS_KEY']
+secret_key = os.environ['S3_SECRET_KEY']
 date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S +0000')
 string_to_sign = 'PUT\n\n\n' + date + '\n/' + bucket
 sig = base64.b64encode(hmac.new(
-    '${S3_SECRET_KEY}'.encode(), string_to_sign.encode(), hashlib.sha1
+    secret_key.encode(), string_to_sign.encode(), hashlib.sha1
 ).digest()).decode()
 req = urllib.request.Request(
     'http://' + host + '/' + bucket,
     method='PUT',
     headers={
         'Date': date,
-        'Authorization': 'AWS ${S3_ACCESS_KEY}:' + sig,
+        'Authorization': 'AWS ' + access_key + ':' + sig,
     }
 )
 urllib.request.urlopen(req)
@@ -434,16 +449,26 @@ print(','.join(addrs))
     # Note: rook-csi-rbd-node and rook-csi-rbd-provisioner are NOT included here.
     # Rook creates these secrets itself using the admin credentials. Including them
     # causes a type conflict: ODF creates them as Opaque, rook expects kubernetes.io/rook.
-    ODF_EXTERNAL_CONFIG=$(python3 -c "
-import json
+    ODF_EXTERNAL_CONFIG=$(
+        FSID="$FSID" \
+        MON_HOSTS="$MON_HOSTS" \
+        ADMIN_KEY="$ADMIN_KEY" \
+        CEPH_HOST_IP="$CEPH_HOST_IP" \
+        RGW_PORT="$RGW_PORT" \
+        RBD_POOL="$RBD_POOL" \
+        RGW_ACCESS_KEY="$RGW_ACCESS_KEY" \
+        RGW_SECRET_KEY="$RGW_SECRET_KEY" \
+        python3 -c "
+import os, json
+e = os.environ
 data = [
-    {'name': 'rook-ceph-mon-endpoints', 'kind': 'ConfigMap', 'data': {'data': '${FSID}=${MON_HOSTS}', 'maxMonId': '0', 'mapping': '{}'}},
-    {'name': 'rook-ceph-mon', 'kind': 'Secret', 'data': {'admin-secret': 'admin-secret', 'fsid': '${FSID}', 'mon-secret': 'mon-secret'}},
-    {'name': 'rook-ceph-operator-creds', 'kind': 'Secret', 'data': {'userID': 'client.admin', 'userKey': '${ADMIN_KEY}'}},
-    {'name': 'monitoring-endpoint', 'kind': 'CephCluster', 'data': {'MonitoringEndpoint': '${CEPH_HOST_IP}', 'MonitoringPort': '9283'}},
-    {'name': 'ceph-rbd', 'kind': 'StorageClass', 'data': {'pool': '${RBD_POOL}'}},
-    {'name': 'ceph-rgw', 'kind': 'StorageClass', 'data': {'endpoint': '${CEPH_HOST_IP}:${RGW_PORT}', 'poolPrefix': 'default'}},
-    {'name': 'rgw-admin-ops-user', 'kind': 'Secret', 'data': {'accessKey': '${RGW_ACCESS_KEY}', 'secretKey': '${RGW_SECRET_KEY}'}}
+    {'name': 'rook-ceph-mon-endpoints', 'kind': 'ConfigMap', 'data': {'data': e['FSID']+'='+e['MON_HOSTS'], 'maxMonId': '0', 'mapping': '{}'}},
+    {'name': 'rook-ceph-mon', 'kind': 'Secret', 'data': {'admin-secret': 'admin-secret', 'fsid': e['FSID'], 'mon-secret': 'mon-secret'}},
+    {'name': 'rook-ceph-operator-creds', 'kind': 'Secret', 'data': {'userID': 'client.admin', 'userKey': e['ADMIN_KEY']}},
+    {'name': 'monitoring-endpoint', 'kind': 'CephCluster', 'data': {'MonitoringEndpoint': e['CEPH_HOST_IP'], 'MonitoringPort': '9283'}},
+    {'name': 'ceph-rbd', 'kind': 'StorageClass', 'data': {'pool': e['RBD_POOL']}},
+    {'name': 'ceph-rgw', 'kind': 'StorageClass', 'data': {'endpoint': e['CEPH_HOST_IP']+':'+e['RGW_PORT'], 'poolPrefix': 'default'}},
+    {'name': 'rgw-admin-ops-user', 'kind': 'Secret', 'data': {'accessKey': e['RGW_ACCESS_KEY'], 'secretKey': e['RGW_SECRET_KEY']}}
 ]
 print(json.dumps(data))
 ")
@@ -522,7 +547,7 @@ else
 fi
 
 # ============================================================================
-# Output GitHub Secrets
+# Output Summary (credentials redacted)
 # ============================================================================
 echo ""
 echo "============================================================================"
@@ -531,28 +556,24 @@ echo "==========================================================================
 echo ""
 echo "Ceph cluster is running on $CEPH_HOST_IP"
 echo ""
-echo "--- GitHub Actions Variable ---"
-echo ""
-echo "  CEPH_HOST_IP=$CEPH_HOST_IP"
-echo ""
-echo "--- GitHub Actions Secrets ---"
-echo ""
-echo "Set the following as repository secrets:"
-echo ""
-echo "1) ODF_EXTERNAL_CONFIG:"
-echo ""
-echo "$ODF_EXTERNAL_CONFIG"
-echo ""
-echo "2) QUAY_BACKEND_RGW_CONFIG:"
+echo "  FSID:       $(cephadm shell -- ceph fsid 2>/dev/null || echo 'unknown')"
+echo "  MON:        $CEPH_HOST_IP:3300,6789"
+echo "  RGW:        http://$CEPH_HOST_IP:$RGW_PORT"
+echo "  Metrics:    http://$CEPH_HOST_IP:9283"
+echo "  RBD pool:   $RBD_POOL"
+echo "  S3 bucket:  $S3_BUCKET"
+echo "  S3 user:    $S3_USER"
 echo ""
-
-# Build YAML object for Quay RGW configuration
-cat <<EOF
-{access_key: ${S3_ACCESS_KEY}, secret_key: ${S3_SECRET_KEY}, bucket_name: ${S3_BUCKET}, hostname: ${CEPH_HOST_IP}, port: ${RGW_PORT}, is_secure: false}
-EOF
-
+if [ -n "$CEPH_CONFIG_DIR" ]; then
+    echo "Config files: $CEPH_CONFIG_DIR/"
+    echo "  - odf_external_config.json"
+    echo "  - quay_backend_rgw_config.yaml"
+else
+    echo "Credentials (set as GitHub secrets for manual use):"
+    echo "  ODF_EXTERNAL_CONFIG:     <use CEPH_CONFIG_DIR to write to file>"
+    echo "  QUAY_BACKEND_RGW_CONFIG: <use CEPH_CONFIG_DIR to write to file>"
+fi
 echo ""
-echo "============================================================================"
 echo "To verify:"
 echo "  ceph health"
 echo "  curl http://${CEPH_HOST_IP}:${RGW_PORT}/"

scripts/setup/configure_devscripts.sh

@@ -84,13 +84,16 @@ else
     MASTER_MEMORY_VAL=32768    # 32 GB for disconnected
 fi
 
-# ODF requires additional resources for Ceph/Rook operators, noobaa, and CSI daemons
+# ODF requires additional resources for Ceph/Rook operators, noobaa, and CSI daemons.
+# With ODF, storage is provided by Ceph on the LZ -- not local LVMS disks on masters --
+# so masters need smaller extra disks while the LZ needs a larger disk for Ceph OSDs.
 STORAGE_PLUGIN="${STORAGE_PLUGIN:-lvms}"
 MASTER_VCPU_VAL=12
 LANDINGZONE_DISK_VAL=60
 if [ "$STORAGE_PLUGIN" = "odf" ]; then
     MASTER_VCPU_VAL=16              # 16 vCPUs (up from 12)
-    MASTER_MEMORY_VAL=$((MASTER_MEMORY_VAL + 8192))  # +8 GB RAM
+    MASTER_MEMORY_VAL=$((MASTER_MEMORY_VAL + 16384)) # +16 GB RAM (ODF/rook/noobaa + Quay)
+    VM_EXTRADISKS_SIZE_VAL="60G"    # Masters don't need large LVMS disks with ODF
     LANDINGZONE_DISK_VAL=500        # Ceph OSDs store mirrored images on the LZ disk
 fi