openshift-metal3 · eggfoobar · Sep 22, 2025 · jaypoulz · Oct 8, 2025 · jaypoulz
diff --git a/agent/roles/manifests/templates/install-config_baremetal_yaml.j2 b/agent/roles/manifests/templates/install-config_baremetal_yaml.j2
@@ -1,4 +1,9 @@
 {% import 'net_macros.yaml' as net %}
+{% set hostnames = agent_nodes_hostnames.split(',') %}
+{% set bmc_addresses = agent_nodes_bmc_addresses.split(',') %}
+{% set bmc_passwords = agent_nodes_bmc_passwords.split(',') %}
+{% set bmc_usernames = agent_nodes_bmc_usernames.split(',') %}
+{% set bmc_verify_cas = agent_nodes_bmc_verify_cas.split(',') %}
 apiVersion: v1
 baseDomain: {{ base_domain }}
 compute:
@@ -21,6 +26,17 @@ controlPlane:
   hyperthreading: Enabled
   name: master
   replicas: {{ num_masters }} 
+{% if enable_two_node_fencing %}
+  fencing:
+    credentials:
+{% for hostname in hostnames %}
+    - hostname: {{hostname}}
+      address: {{ bmc_addresses[loop.index0] }}
+      username: {{ bmc_usernames[loop.index0] }}
+      password: {{ bmc_passwords[loop.index0] }}
+      certificateVerification: {{ 'Enabled' if bmc_verify_cas[loop.index0] else 'Disabled' }}
+{% endfor %}
+{% endif %}
 fips: {{ fips_mode }}
 metadata:
   name: {{ cluster_name }} 
@@ -60,7 +76,6 @@ networking:
   networkType: {{ network_type }} 
 platform:
 {% set macs = agent_nodes_macs.split(',') %}
-{% set hostnames = agent_nodes_hostnames.split(',') %}
 {% set ips = agent_nodes_ips.split(',') %}
 {% set ipsv6 = agent_nodes_ipsv6.split(',') %}
   baremetal:
@@ -75,10 +90,6 @@ platform:
       - {{ ingress_vip }}
 {% endfor %}
 {% if agent_install_config_bm_hosts == "true" %}
-{% set bmc_addresses = agent_nodes_bmc_addresses.split(',') %}
-{% set bmc_passwords = agent_nodes_bmc_passwords.split(',') %}
-{% set bmc_usernames = agent_nodes_bmc_usernames.split(',') %}
-{% set bmc_verify_cas = agent_nodes_bmc_verify_cas.split(',') %}
     provisioningHostIP: {{ cluster_provisioning_ip }}
     provisioningNetworkInterface: {{ cluster_provisioning_interface }}
     provisioningNetworkCIDR: {{ provisioning_network }}

diff --git a/agent/roles/manifests/vars/main.yml b/agent/roles/manifests/vars/main.yml
@@ -30,6 +30,7 @@ cluster_provisioning_interface: "{{ lookup('env', 'CLUSTER_PRO_IF') }}"
 cluster_subnet_v4: "{{ lookup('env', 'CLUSTER_SUBNET_V4') }}"
 cluster_subnet_v6: "{{ lookup('env', 'CLUSTER_SUBNET_V6') }}"
 enable_local_registry: "{{ lookup('env', 'ENABLE_LOCAL_REGISTRY') != '' }}"
+enable_two_node_fencing: "{{ lookup('env', 'ENABLE_TWO_NODE_FENCING', default='') == 'true' }}"
 external_subnet_v4: "{{ lookup('env', 'EXTERNAL_SUBNET_V4') }}"
 external_subnet_v6: "{{ lookup('env', 'EXTERNAL_SUBNET_V6') }}"
 external_subnet_v4_prefixlen: "{{ lookup('env', 'EXTERNAL_SUBNET_V4') | ansible.utils.ipaddr('prefix') }}"

diff --git a/common.sh b/common.sh
@@ -397,6 +397,22 @@ fi
 
 export ENABLE_LOCAL_REGISTRY=${ENABLE_LOCAL_REGISTRY:-}
 
+# Helper variable for TNF, normally not meant to be configurable by user.
+# When two node fencing is detected we set this variable because the installer
+# validation will fail if fencing credentials are not present when two masters
+# and no arbiter are set.
+# Skip on agent scenarios to avoid accidental overrides.
+export ENABLE_TWO_NODE_FENCING=${ENABLE_TWO_NODE_FENCING:-false}
+if [[ -z ${AGENT_E2E_TEST_SCENARIO:-} ]] && [[ ${NUM_ARBITERS} -eq 0 ]] && [[ ${NUM_MASTERS} -eq 2 ]]; then
+  export ENABLE_TWO_NODE_FENCING="true"
+fi
+
+# Only redfish BMC driver is supported for two node fencing
+if [[ "${BMC_DRIVER}" != "redfish" ]] && [[ "${ENABLE_TWO_NODE_FENCING:-}" == "true" ]]; then
+  printf "Only redfish BMC driver is supported for Two Node Fencing deployments: BMC_DRIVER=${BMC_DRIVER}, ENABLE_TWO_NODE_FENCING=${ENABLE_TWO_NODE_FENCING}"
+  exit 1
+fi
+
 # Defaults the DISABLE_MULTICAST variable
 export DISABLE_MULTICAST=${DISABLE_MULTICAST:-false}
 
@@ -479,6 +495,14 @@ if [[ ! -z ${AGENT_E2E_TEST_SCENARIO} ]]; then
           export ARBITER_DISK=50
           export NUM_WORKERS=0
           ;;
+      "TNF" )
+          export NUM_MASTERS=2
+          export MASTER_VCPU=8
+          export MASTER_DISK=100
+          export MASTER_MEMORY=32768
+          export NUM_WORKERS=0
+          export ENABLE_TWO_NODE_FENCING="true"
+          ;;
       "HA" )
           export NUM_MASTERS=3
           export MASTER_VCPU=4

diff --git a/config_example.sh b/config_example.sh
@@ -812,6 +812,10 @@ set -x
 # - TNA_IPV6
 # - TNA_IPV4_DHCP
 # - TNA_IPV6_DHCP
+# - TNF_IPV4
+# - TNF_IPV6
+# - TNF_IPV4_DHCP
+# - TNA_IPV6_DHCP
 # - HA_IPV4
 # - HA_IPV6
 # - HA_IPV4_DHCP

diff --git a/utils.sh b/utils.sh
@@ -312,7 +312,7 @@ function node_map_to_install_config_fencing_credentials() {
     return 0
   fi
 
-  if  [[ ${NUM_ARBITERS} -eq 0 ]] && [[ "${NUM_MASTERS}" -eq 2 ]]; then
+  if  [ "${ENABLE_TWO_NODE_FENCING:-}" == "true" ]; then
 	cat <<EOF
   fencing:
     credentials: