Align quadlet templates with ephemeral HTTPS/file-ISO changes

The ironic-https branch added HTTPS vmedia support and file:// boot ISO
sourcing to the ephemeral container path but the quadlet templates (used
by the persistent phase-7 path) were not updated.

- metal3-ironic-api.container.j2: add /iso volume bind-mount,
  OS_CONDUCTOR__FILE_URL_ALLOWED_PATHS=/iso, and conditional
  ironic-vmedia-cert/key secrets + VMEDIA_TLS_PORT/IRONIC_EXTERNAL_IP
  env vars when ironic_https_configured is true
- metal3-httpd.container.j2: add unconditional VMEDIA_TLS_PORT=6183
  and conditional ironic-vmedia-cert/key secrets
- deploy_ironic.yaml: add become: metal3_persistent to the two vmedia
  secret creation tasks so they land in the root podman secret store
  when running the persistent/quadlet path

Signed-off-by: Rafa Porres Molina <rporresm@redhat.com>
Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: rporres

playbooks/tasks/deploy_ironic.yaml

@@ -97,6 +97,7 @@
 
 - name: Create podman secret for Ironic vmedia TLS certificate
   when: ironic_https_configured | bool
+  become: "{{ metal3_persistent | default(false) | bool }}"
   containers.podman.podman_secret:
     name: ironic-vmedia-cert
     data: "{{ ironicHTTPSCertificate }}\n"
@@ -107,6 +108,7 @@
 
 - name: Create podman secret for Ironic vmedia TLS key
   when: ironic_https_configured | bool
+  become: "{{ metal3_persistent | default(false) | bool }}"
   containers.podman.podman_secret:
     name: ironic-vmedia-key
     data: "{{ ironicHTTPSKey }}\n"

playbooks/templates/quadlets/metal3-httpd.container.j2

@@ -9,8 +9,13 @@ Pod=metal3-ironic.pod
 User=1002:1003
 DropCapability=ALL
 Volume=metal3-ironic-shared:/shared
+{% if ironic_https_configured | default(false) | bool %}
+Secret=ironic-vmedia-cert,type=mount,target=/certs/vmedia/tls.crt,uid=1002,gid=1003,mode=0400
+Secret=ironic-vmedia-key,type=mount,target=/certs/vmedia/tls.key,uid=1002,gid=1003,mode=0400
+{% endif %}
 Environment=IRONIC_LISTEN_PORT=6385
 Environment=HTTP_PORT=6180
+Environment=VMEDIA_TLS_PORT=6183
 Environment=LISTEN_ALL_INTERFACES=true
 Environment=USE_IRONIC_INSPECTOR=false
 Environment=PROVISIONING_IP={{ lzBmcIP }}

playbooks/templates/quadlets/metal3-ironic-api.container.j2

@@ -11,10 +11,15 @@ DropCapability=ALL
 Volume=metal3-ironic-conf:/conf
 Volume=metal3-ironic-data:/data
 Volume=metal3-ironic-shared:/shared
+Volume={{ workingDir }}/ocp-cluster/abi-iso:/iso:ro
 Secret=metal3-ironic-htpasswd,type=env,target=IRONIC_HTPASSWD
 {% if ssl_certs_configured | bool %}
 Secret=metal3-ca-bundle,type=mount,target=/certs/ca-bundle.crt,uid=1002,gid=1003,mode=0400
 {% endif %}
+{% if ironic_https_configured | default(false) | bool %}
+Secret=ironic-vmedia-cert,type=mount,target=/certs/vmedia/tls.crt,uid=1002,gid=1003,mode=0400
+Secret=ironic-vmedia-key,type=mount,target=/certs/vmedia/tls.key,uid=1002,gid=1003,mode=0400
+{% endif %}
 Environment=IRONIC_LISTEN_PORT=6385
 Environment=HTTP_PORT=6180
 Environment=LISTEN_ALL_INTERFACES=true
@@ -23,9 +28,14 @@ Environment=PROVISIONING_IP={{ lzBmcIP }}
 Environment=IRONIC_USE_MARIADB=false
 Environment=IRONIC_EXPOSE_JSON_RPC=false
 Environment=OS_JSON_RPC__PORT=6189
+Environment=OS_CONDUCTOR__FILE_URL_ALLOWED_PATHS=/iso
 {% if ssl_certs_configured | bool %}
 Environment=WEBSERVER_CACERT_FILE=/certs/ca-bundle.crt
 {% endif %}
+{% if ironic_https_configured | default(false) | bool %}
+Environment=VMEDIA_TLS_PORT=6183
+Environment=IRONIC_EXTERNAL_IP={{ lzBmcIP }}
+{% endif %}
 Exec=/bin/runironic
 
 [Service]