Add KEA DHCP provider feature for foreman-proxy

[archanaserver]

Why are you introducing these changes? (Problem description, related links)

ISC DHCP reached end-of-life in October 2022 and has been removed from RHEL 10. This adds support for KEA DHCP as the replacement.

What are the changes introduced in this pull request?

• Add dhcp-kea-external feature definition to src/features.yaml
• Create Smart Proxy configuration template dhcp_kea_api.yml.j2
• Add default Ansible variables for KEA server connection (localhost:8000, default subnet)
• Add integration tests for DHCP KEA feature validation

How to test this pull request

Steps to reproduce:

1. Verify feature is available: ./foremanctl features | grep dhcp-kea-external
2. Deploy with KEA DHCP feature enabled: ./foremanctl deploy --add-feature dhcp-kea-external
3. Verify feature is enabled: ./foremanctl features --list-enabled | grep dhcp-kea-external
4. Check configuration file was created: podman exec foreman-proxy ls -la /etc/foreman-proxy/settings.d/dhcp_kea_api.yml
5. Run tests python -m pytest tests/foreman_proxy_test.py::test_dhcp_kea_feature_present -v

Checklist

• Tests added/updated (if applicable)
• Documentation updated (if applicable)

[evgeni]

I think the feature should be "dhcp" and then you add a parameter to select which provider to use, with kea being one of the answers

[archanaserver]

makes way more sense to have a single dhcp feature with a provider parameter

[evgeni]

I played with that thought in #532 for the DNS side of things, would love to hear your opinion on the approach I took

[evgeni]

What are the chances that localhost is a place where a Kea will actually run (outside of development setups)?

I think we should leave that undef (like in https://github.com/theforeman/foremanctl/pull/523/changes) and force the user to set a sensible value.

[evgeni]

where does this come from? I don't see such an option in https://gitlab.surrey.ac.uk/sm0049/smart-proxy-dhcp-kea-api/

[archanaserver]

yeah, i was just playing around with few things, needed to look again, the reason i added that in draft but thanks for reviews, also i tryna fix few things with the updated changes.

[evgeni]

shouldn't this be kea_api_url?

[evgeni]

also, we need kea_api_username and kea_api_password

[archanaserver]

yes def

[evgeni]

where does this come from? I don't see such an option in https://gitlab.surrey.ac.uk/sm0049/smart-proxy-dhcp-kea-api/

[evgeni]

Shall we package https://gitlab.surrey.ac.uk/sm0049/smart-proxy-dhcp-kea-api until we figure out whether we want to merge it into core or not?

[archanaserver]

Shall we package https://gitlab.surrey.ac.uk/sm0049/smart-proxy-dhcp-kea-api until we figure out whether we want to merge it into core or not?

Yeah, I was thinking we can package it for now, that will be independent of our decision about potentially merging it into the core later.

[stejskalleos]

Why not just:

Suggested change

	foreman_proxy_dhcp_provider: dhcp_kea_api
	foreman_proxy_dhcp_provider: dhcp_kea

[stejskalleos]

There is a definition of subnets in DHCP as well: https://github.com/theforeman/smart-proxy/blob/develop/config/settings.d/dhcp.yml.example

[stejskalleos]

I think this should be:

Suggested change

	foreman_proxy_dhcp_kea_managed_subnets: []
	foreman_proxy_dhcp_subnets: []

as in https://github.com/theforeman/smart-proxy/blob/develop/config/settings.d/dhcp.yml.example

[evgeni]

Shall we package https://gitlab.surrey.ac.uk/sm0049/smart-proxy-dhcp-kea-api until we figure out whether we want to merge it into core or not?

Yeah, I was thinking we can package it for now, that will be independent of our decision about potentially merging it into the core later.

Do you want to do it, or shall I?

[archanaserver]

Shall we package https://gitlab.surrey.ac.uk/sm0049/smart-proxy-dhcp-kea-api until we figure out whether we want to merge it into core or not?

Yeah, I was thinking we can package it for now, that will be independent of our decision about potentially merging it into the core later.

Do you want to do it, or shall I?

I'll do it

[archanaserver]

Update: Following the refinement session, we decided to integrate the KEA DHCP provider directly into smart-proxy core rather than packaging it as an external gem. I'm on it. So keeping this into draft till then.

Also looking at the current CI test failures, I believe they are coming from IOP tests failures and are unrelated to the DHCP feature changes in this PR.

[stejskalleos]

Nit: https example

Suggested change

	help: KEA Control Agent API URL (e.g., http://kea-server:8000/)
	help: KEA Control Agent API URL (e.g., https://kea-server)

[stejskalleos]

(foreman_proxy_dhcp_kea_verify_ssl) is true by default, so this should be https

[stejskalleos]

Do we want to make it optional? It's not really secure IMO

[archanaserver]

I have updated it but auth is genuinely optional for kea control agent (many deployments run without auth on internal networks), but i agree we should encourage it for security. so fixed it

[stejskalleos]

If the parameter is optional, why raise an error when no value is provided?

[archanaserver]

So I removed optional from the hint text to reduce any confusion but the undef() is never actually raised because the template checks if you see

{% if foreman_proxy_dhcp_kea_api_username is defined and foreman_proxy_dhcp_kea_api_username %}
:dhcp_kea_api_username: {{ foreman_proxy_dhcp_kea_api_username }}
{% else %}
:dhcp_kea_api_username: ~
{% endif %}

is defined before using it. I added just to satisfy the linter earlier. do you have any other suggestons?

[stejskalleos]

Mention the default value (true)

[stejskalleos]

same as above

[stejskalleos]

I don't see a parameter for DHCP subnets.

[archanaserver]

yes, now we can specify this

[stejskalleos]

The default value should be set in the src/roles/foreman_proxy/defaults/main.yaml

[stejskalleos]

Question: Do we want to give users a chance to edit this value via foremanctl? If yes, then we need another parameter for it.

[archanaserver]

Yes, both values are exposed as CLI parameters

[stejskalleos]

Is this needed when the default value is already set in src/roles/foreman_proxy/defaults/main.yaml?

Suggested change

	:dhcp_kea_verify_ssl: {{ foreman_proxy_dhcp_kea_verify_ssl | default(true) | lower }}
	:dhcp_kea_verify_ssl: {{ foreman_proxy_dhcp_kea_verify_ssl }}

[stejskalleos]

Can we make it a file/template?

[stejskalleos]

This is failing for me, repeatedly.

TASK [Wait for Kea Control Agent to be ready] ****************************************************************************************************
[ERROR]: Task failed: Module failed: Timeout when waiting for 127.0.0.1:8000
Origin: /home/lstejska/projects/foremanctl/development/playbooks/kea/kea.yaml:115:7

113         state: started
114
115     - name: Wait for Kea Control Agent to be ready
          ^ column 7

fatal: [quadlet]: FAILED! => {
    "changed": false,
    "elapsed": 30
}

MSG:

Timeout when waiting for 127.0.0.1:8000

PLAY RECAP ***************************************************************************************************************************************
quadlet                    : ok=12   changed=9    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

before I ran:

./foremanctl deploy --initial-admin-password=changeme --tuning development --add-feature foreman-proxy --add-feature dhcp --foreman-proxy-dhcp-kea-url http://127.0.0.1:8000

[archanaserver]

I see it for me as well, taking a look on it

[archanaserver]

Also you don't need to include --add-feature foreman-proxy, I have added it as a dependency in the dhcp with expand_features that automatically includes all dependencies.

[stejskalleos]

Why is this needed?

For me it's failing with:

forge: error: argument action: invalid choice: 'installer-certs' (choose from 'custom-certs', 'deploy-dev', 'kea', 'lock', 'mock-installer', 'remote-database', 'security', 'setup-repositories', 'smoker', 'sos', 'test', 'vms'

[archanaserver]

I see that's a leftover dead code. I should have dropped earlier. Let's see now