Remove ironic-inspector deployment

Ironic Inspector has been retired and its functionality has been moved to Ironic. Added a change to service-ks-register to make password optional (to able to remove user without a password being passed in). Using the opportunity - increasing CI coverage to include inspection. Change-Id: If178c23249370c7c69744843737e61a6309d6a19 Signed-off-by: Michal Nasiadka <mnasiadka@gmail.com>
2025-06-05 15:22:49 +01:00
parent 58b83afc64
commit cbe6fe7cef
44 changed files with 206 additions and 496 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -481,13 +481,6 @@ ironic_public_endpoint: "{{ ironic_external_fqdn | kolla_url(public_protocol, ir
 ironic_api_port: "6385"
 ironic_api_listen_port: "{{ ironic_api_port }}"
 ironic_api_public_port: "{{ haproxy_single_external_frontend_public_port if haproxy_single_external_frontend | bool else ironic_api_port }}"
 ironic_inspector_internal_fqdn: "{{ kolla_internal_fqdn }}"
 ironic_inspector_external_fqdn: "{{ kolla_external_fqdn }}"
 ironic_inspector_internal_endpoint: "{{ ironic_inspector_internal_fqdn | kolla_url(internal_protocol, ironic_inspector_port) }}"
 ironic_inspector_public_endpoint: "{{ ironic_inspector_external_fqdn | kolla_url(public_protocol, ironic_inspector_public_port) }}"
 ironic_inspector_port: "5050"
 ironic_inspector_public_port: "{{ haproxy_single_external_frontend_public_port if haproxy_single_external_frontend | bool else ironic_inspector_port }}"
 ironic_inspector_listen_port: "{{ ironic_inspector_port }}"
 ironic_http_port: "8089"
 ironic_prometheus_exporter_port: "9608"
@@ -877,7 +870,6 @@ enable_horizon_zun: "{{ enable_zun | bool }}"
 enable_influxdb: "{{ enable_cloudkitty | bool and cloudkitty_storage_backend == 'influxdb' }}"
 enable_ironic: "no"
 enable_ironic_dnsmasq: "{{ enable_ironic | bool }}"
 enable_ironic_inspector: "no"
 enable_ironic_neutron_agent: "no"
 enable_ironic_prometheus_exporter: "{{ enable_ironic | bool and enable_prometheus | bool }}"
 enable_iscsid: "{{ enable_cinder | bool and enable_cinder_backend_iscsi | bool }}"
--- a/ansible/inventory/all-in-one
+++ b/ansible/inventory/all-in-one
@@ -351,7 +351,7 @@ ironic
 [ironic-conductor:children]
 ironic
-[ironic-inspector:children]
+[ironic-dnsmasq:children]
 ironic
 [ironic-tftp:children]
--- a/ansible/inventory/multinode
+++ b/ansible/inventory/multinode
@@ -359,7 +359,7 @@ ironic
 [ironic-conductor:children]
 ironic
-[ironic-inspector:children]
+[ironic-dnsmasq:children]
 ironic
 [ironic-tftp:children]
--- a/ansible/roles/bifrost/defaults/main.yml
+++ b/ansible/roles/bifrost/defaults/main.yml
@@ -11,10 +11,3 @@ bifrost_deploy_image_full: "{{ bifrost_deploy_image }}:{{ bifrost_deploy_tag }}"
 bifrost_deploy_container_proxy: "{{ container_proxy }}"
 bifrost_deploy_verbosity: "-vvvv"
 # Whether to enable the legacy ironic-inspector service
 # NOTE(wszumski): Bifrost plans to remove this option once the native in-band
 # inspection reaches feature parity. Please see:
 # https://bugs.launchpad.net/kolla/+bug/2054685 which contains links for
 # tracking the progress.
 bifrost_enable_ironic_inspector: true
--- a/ansible/roles/bifrost/tasks/bootstrap.yml
+++ b/ansible/roles/bifrost/tasks/bootstrap.yml
@@ -8,8 +8,6 @@
     {{ kolla_container_engine }} exec bifrost_deploy
     bash -c 'mkdir -p /var/log/kolla/ironic &&
     chown ironic:ironic /var/log/kolla/ironic &&
     mkdir -p /var/log/kolla/ironic-inspector &&
     chown ironic:ironic /var/log/kolla/ironic-inspector &&
     mkdir -p /var/log/kolla/nginx &&
     chown {{ nginx_user }}:{{ nginx_user }} /var/log/kolla/nginx'
--- a/ansible/roles/bifrost/tasks/stop.yml
+++ b/ansible/roles/bifrost/tasks/stop.yml
@@ -17,7 +17,6 @@
          command: "{{ kolla_container_engine }} exec bifrost_deploy systemctl stop {{ item }}.service"
          with_items:
            - ironic
            - ironic-inspector
            - mariadb
            - nginx
--- a/ansible/roles/bifrost/templates/bifrost.yml.j2
+++ b/ansible/roles/bifrost/templates/bifrost.yml.j2
@@ -2,9 +2,6 @@
 # Ironic log directory.
 ironic_log_dir: "/var/log/kolla/ironic"
 # Ironic inspector log directory.
 inspector_log_dir: "/var/log/kolla/ironic-inspector"
 # Ironic Python Agent deploy logs directory
 ironic_agent_deploy_logs_local_path: "/var/log/kolla/ironic/deploy"
@@ -34,8 +31,5 @@ generate_tls: true
 # the default /etc/bifrost is not.
 tls_root: "/etc/bifrost-certs"
 # Whether to enable the legacy ironic-inspector service.
 enable_inspector: "{{ bifrost_enable_ironic_inspector }}"
 # Disable firewalld
 use_firewalld: false
--- a/ansible/roles/common/tasks/config.yml
+++ b/ansible/roles/common/tasks/config.yml
@@ -80,7 +80,6 @@
      - { name: "horizon", enabled: "{{ enable_horizon | bool }}" }
      - { name: "influxdb", enabled: "{{ enable_influxdb | bool }}" }
      - { name: "ironic", enabled: "{{ enable_ironic | bool }}" }
      - { name: "ironic-inspector", enabled: "{{ enable_ironic | bool }}" }
      - { name: "keystone", enabled: "{{ enable_keystone | bool }}" }
      - { name: "kuryr", enabled: "{{ enable_kuryr | bool }}" }
      - { name: "magnum", enabled: "{{ enable_magnum | bool }}" }
--- a/ansible/roles/common/templates/cron-logrotate-ironic-inspector.conf.j2
+++ b/ansible/roles/common/templates/cron-logrotate-ironic-inspector.conf.j2
@@ -1,3 +0,0 @@
 "/var/log/kolla/ironic-inspector/*.log"
 {
 }
--- a/ansible/roles/fluentd/defaults/main.yml
+++ b/ansible/roles/fluentd/defaults/main.yml
@@ -109,8 +109,6 @@ fluentd_input_openstack_services:
    enabled: "{{ enable_horizon | bool }}"
  - name: ironic
    enabled: "{{ enable_ironic | bool }}"
  - name: ironic-inspector
    enabled: "{{ enable_ironic | bool }}"
  - name: keystone
    enabled: "{{ enable_keystone | bool }}"
  - name: kuryr
--- a/ansible/roles/fluentd/templates/conf/filter/01-rewrite.conf.j2
+++ b/ansible/roles/fluentd/templates/conf/filter/01-rewrite.conf.j2
@@ -118,7 +118,7 @@
  </rule>
  <rule>
    key     programname
-    pattern ^(ironic-api|ironic-conductor|ironic-inspector)$
+    pattern ^(ironic-api|ironic-conductor)$
    tag openstack_python
  </rule>
  <rule>
--- a/ansible/roles/ironic/defaults/main.yml
+++ b/ansible/roles/ironic/defaults/main.yml
@@ -38,33 +38,6 @@ ironic_services:
    volumes: "{{ ironic_conductor_default_volumes + ironic_conductor_extra_volumes + lookup('vars', 'run_default_volumes_' + kolla_container_engine) }}"
    dimensions: "{{ ironic_conductor_dimensions }}"
    healthcheck: "{{ ironic_conductor_healthcheck }}"
  ironic-inspector:
    container_name: ironic_inspector
    group: ironic-inspector
    enabled: "{{ enable_ironic_inspector }}"
    image: "{{ ironic_inspector_image_full }}"
    privileged: True
    volumes: "{{ ironic_inspector_default_volumes + ironic_inspector_extra_volumes }}"
    dimensions: "{{ ironic_inspector_dimensions }}"
    healthcheck: "{{ ironic_inspector_healthcheck }}"
    haproxy:
      ironic_inspector:
        enabled: "{{ enable_ironic }}"
        mode: "http"
        external: false
        port: "{{ ironic_inspector_port }}"
        listen_port: "{{ ironic_inspector_listen_port }}"
        backend_http_extra:
          - "option httpchk"
      ironic_inspector_external:
        enabled: "{{ enable_ironic }}"
        mode: "http"
        external: true
        external_fqdn: "{{ ironic_inspector_external_fqdn }}"
        port: "{{ ironic_inspector_public_port }}"
        listen_port: "{{ ironic_inspector_listen_port }}"
        backend_http_extra:
          - "option httpchk"
  ironic-tftp:
    container_name: ironic_tftp
    group: ironic-tftp
@@ -87,7 +60,7 @@ ironic_services:
    healthcheck: "{{ ironic_http_healthcheck }}"
  ironic-dnsmasq:
    container_name: ironic_dnsmasq
-    group: ironic-inspector
+    group: ironic-dnsmasq
    enabled: "{{ enable_ironic_dnsmasq }}"
    cap_add:
      - NET_ADMIN
@@ -117,34 +90,21 @@ ironic_database_name: "ironic"
 ironic_database_user: "{% if use_preconfigured_databases | bool and use_common_mariadb_user | bool %}{{ database_user }}{% else %}ironic{% endif %}"
 ironic_database_address: "{{ database_address | put_address_in_context('url') }}:{{ database_port }}"
 ironic_inspector_database_name: "ironic_inspector"
 ironic_inspector_database_user: "{% if use_preconfigured_databases | bool and use_common_mariadb_user | bool %}{{ database_user }}{% else %}ironic_inspector{% endif %}"
 ironic_inspector_database_address: "{{ database_address | put_address_in_context('url') }}:{{ database_port }}"
 ####################
 # Database sharding
 ####################
 ironic_database_shard_root_user: "{% if enable_proxysql | bool %}root_shard_{{ ironic_database_shard_id }}{% else %}{{ database_user }}{% endif %}"
 ironic_database_shard_id: "{{ mariadb_default_database_shard_id | int }}"
 ironic_inspector_database_shard_id: "{{ ironic_database_shard_id | int }}"
 ironic_database_shard:
  users:
    - user: "{{ ironic_database_user }}"
      password: "{{ ironic_database_password }}"
      shard_id: "{{ ironic_database_shard_id }}"
    - user: "{{ ironic_inspector_database_user }}"
      password: "{{ ironic_inspector_database_password }}"
      shard_id: "{{ ironic_inspector_database_shard_id }}"
  rules:
    - schema: "{{ ironic_database_name }}"
      shard_id: "{{ ironic_database_shard_id }}"
    - user: "{{ ironic_database_user }}"
      shard_id: "{{ ironic_database_shard_id }}"
    - schema: "{{ ironic_inspector_database_name }}"
      shard_id: "{{ ironic_inspector_database_shard_id }}"
    - user: "{{ ironic_inspector_database_user }}"
      shard_id: "{{ ironic_inspector_database_shard_id }}"
 ####################
 # Docker
@@ -163,10 +123,6 @@ ironic_pxe_image: "{{ docker_image_url }}ironic-pxe"
 ironic_pxe_tag: "{{ ironic_tag }}"
 ironic_pxe_image_full: "{{ ironic_pxe_image }}:{{ ironic_pxe_tag }}"
 ironic_inspector_image: "{{ docker_image_url }}ironic-inspector"
 ironic_inspector_tag: "{{ ironic_tag }}"
 ironic_inspector_image_full: "{{ ironic_inspector_image }}:{{ ironic_inspector_tag }}"
 ironic_dnsmasq_image: "{{ docker_image_url }}dnsmasq"
 ironic_dnsmasq_tag: "{{ ironic_tag }}"
 ironic_dnsmasq_image_full: "{{ ironic_dnsmasq_image }}:{{ ironic_dnsmasq_tag }}"
@@ -179,7 +135,6 @@ ironic_api_dimensions: "{{ default_container_dimensions }}"
 ironic_conductor_dimensions: "{{ default_container_dimensions }}"
 ironic_tftp_dimensions: "{{ default_container_dimensions }}"
 ironic_http_dimensions: "{{ default_container_dimensions }}"
 ironic_inspector_dimensions: "{{ default_container_dimensions }}"
 ironic_dnsmasq_dimensions: "{{ default_container_dimensions }}"
 ironic_prometheus_exporter_dimensions: "{{ default_container_dimensions }}"
@@ -209,19 +164,6 @@ ironic_conductor_healthcheck:
  test: "{% if ironic_conductor_enable_healthchecks | bool %}{{ ironic_conductor_healthcheck_test }}{% else %}NONE{% endif %}"
  timeout: "{{ ironic_conductor_healthcheck_timeout }}"
 ironic_inspector_enable_healthchecks: "{{ enable_container_healthchecks }}"
 ironic_inspector_healthcheck_interval: "{{ default_container_healthcheck_interval }}"
 ironic_inspector_healthcheck_retries: "{{ default_container_healthcheck_retries }}"
 ironic_inspector_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}"
 ironic_inspector_healthcheck_test: ["CMD-SHELL", "healthcheck_port ironic-inspector {{ om_rpc_port }}"]
 ironic_inspector_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}"
 ironic_inspector_healthcheck:
  interval: "{{ ironic_inspector_healthcheck_interval }}"
  retries: "{{ ironic_inspector_healthcheck_retries }}"
  start_period: "{{ ironic_inspector_healthcheck_start_period }}"
  test: "{% if ironic_inspector_enable_healthchecks | bool %}{{ ironic_inspector_healthcheck_test }}{% else %}NONE{% endif %}"
  timeout: "{{ ironic_inspector_healthcheck_timeout }}"
 ironic_http_enable_healthchecks: "{{ enable_container_healthchecks }}"
 ironic_http_healthcheck_interval: "{{ default_container_healthcheck_interval }}"
 ironic_http_healthcheck_retries: "{{ default_container_healthcheck_retries }}"
@@ -266,19 +208,12 @@ ironic_http_default_volumes:
  - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
  - "ironic:/var/lib/ironic"
  - "kolla_logs:/var/log/kolla"
 ironic_inspector_default_volumes:
  - "{{ node_config_directory }}/ironic-inspector/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
  - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
  - "kolla_logs:/var/log/kolla"
  - "ironic_inspector_dhcp_hosts:/var/lib/ironic-inspector/dhcp-hostsdir"
  - "{{ kolla_dev_repos_directory ~ '/ironic-inspector:/dev-mode/ironic-inspector' if ironic_inspector_dev_mode | bool else '' }}"
 ironic_dnsmasq_default_volumes:
  - "{{ node_config_directory }}/ironic-dnsmasq/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
  - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
  - "kolla_logs:/var/log/kolla"
-  - "ironic_inspector_dhcp_hosts:/etc/dnsmasq/dhcp-hostsdir:ro"
+  - "ironic_dhcp_hosts:/etc/dnsmasq/dhcp-hostsdir:ro"
 ironic_prometheus_exporter_default_volumes:
  - "{{ node_config_directory }}/ironic-prometheus-exporter/:{{ container_config_directory }}/:ro"
  - "/etc/localtime:/etc/localtime:ro"
@@ -291,7 +226,6 @@ ironic_api_extra_volumes: "{{ ironic_extra_volumes }}"
 ironic_conductor_extra_volumes: "{{ ironic_extra_volumes }}"
 ironic_tftp_extra_volumes: "{{ ironic_extra_volumes }}"
 ironic_http_extra_volumes: "{{ ironic_extra_volumes }}"
 ironic_inspector_extra_volumes: "{{ ironic_extra_volumes }}"
 ironic_dnsmasq_extra_volumes: "{{ ironic_extra_volumes }}"
 ironic_prometheus_exporter_extra_volumes: "{{ ironic_extra_volumes }}"
@@ -299,13 +233,10 @@ ironic_prometheus_exporter_extra_volumes: "{{ ironic_extra_volumes }}"
 # OpenStack
 ####################
 ironic_inspector_keystone_user: "ironic-inspector"
 ironic_logging_debug: "{{ openstack_logging_debug }}"
 openstack_ironic_auth: "{{ openstack_auth }}"
 openstack_ironic_inspector_auth: "{{ openstack_auth }}"
 ironic_api_workers: "{{ openstack_service_workers }}"
 #########
@@ -323,8 +254,8 @@ ironic_http_url: "http://{{ ironic_http_interface_address | put_address_in_conte
 ironic_tftp_listen_address: "{{ ironic_tftp_interface_address }}"
 ironic_enable_rolling_upgrade: "yes"
 ironic_upgrade_skip_wait_check: false
-ironic_inspector_kernel_cmdline_extras: []
+ironic_kernel_cmdline_extras: []
-ironic_inspector_pxe_filter: "{% if enable_neutron | bool %}dnsmasq{% else %}noop{% endif %}"
+ironic_pxe_filter: "{% if enable_neutron | bool %}dnsmasq{% else %}noop{% endif %}"
 ironic_prometheus_exporter_data_dir: "/var/lib/ironic-prometheus-exporter/data"
 ironic_prometheus_exporter_sensor_data_interval: 30
 ironic_prometheus_exporter_sensor_data_undeployed_nodes: "true"
@@ -333,13 +264,10 @@ ironic_prometheus_exporter_sensor_data_undeployed_nodes: "true"
 ####################
 ## Kolla
 #####################
 ironic_inspector_git_repository: "{{ kolla_dev_repos_git }}/ironic-inspector"
 ironic_git_repository: "{{ kolla_dev_repos_git }}/{{ project_name }}"
 ironic_dev_repos_pull: "{{ kolla_dev_repos_pull }}"
 ironic_dev_mode: "{{ kolla_dev_mode }}"
 ironic_inspector_dev_mode: "{{ ironic_dev_mode }}"
 ironic_source_version: "{{ kolla_source_version }}"
 ironic_inspector_source_version: "{{ ironic_source_version }}"
 ironic_agent_files_directory: "{{ node_custom_config }}"
@@ -363,34 +291,28 @@ ironic_ks_services:
    endpoints:
      - {'interface': 'internal', 'url': '{{ ironic_internal_endpoint }}'}
      - {'interface': 'public', 'url': '{{ ironic_public_endpoint }}'}
 # TODO(mnasiadka): Remove in Gazpacho/2026.1
  - name: "ironic-inspector"
    type: "baremetal-introspection"
    description: "Ironic Inspector baremetal introspection service"
-    endpoints:
+    state: absent
-      - {'interface': 'internal', 'url': '{{ ironic_inspector_internal_endpoint }}'}
+    endpoints: []
      - {'interface': 'public', 'url': '{{ ironic_inspector_public_endpoint }}'}
 ironic_ks_users:
  - project: "service"
    user: "{{ ironic_keystone_user }}"
    password: "{{ ironic_keystone_password }}"
    role: "admin"
 # TODO(mnasiadka): Remove in Gazpacho/2026.1
  - project: "service"
-    user: "{{ ironic_inspector_keystone_user }}"
+    user: "{{ ironic_inspector_keystone_user | default('ironic-inspector') }}"
    password: "{{ ironic_inspector_keystone_password }}"
    role: "admin"
    state: absent
 ironic_ks_user_roles:
  - project: "service"
    user: "{{ ironic_keystone_user }}"
    role: "service"
  - project: "service"
    user: "{{ ironic_inspector_keystone_user }}"
    role: "service"
    state: "absent"
  - system: "all"
    user: "{{ ironic_inspector_keystone_user }}"
    role: "service"
 ####################
 # TLS
--- a/ansible/roles/ironic/handlers/main.yml
+++ b/ansible/roles/ironic/handlers/main.yml
@@ -28,21 +28,6 @@
    dimensions: "{{ service.dimensions }}"
    healthcheck: "{{ service.healthcheck | default(omit) }}"
 - name: Restart ironic-inspector container
  vars:
    service_name: "ironic-inspector"
    service: "{{ ironic_services[service_name] }}"
  become: true
  kolla_container:
    action: "recreate_or_restart_container"
    common_options: "{{ docker_common_options }}"
    name: "{{ service.container_name }}"
    image: "{{ service.image }}"
    privileged: "{{ service.privileged | default(False) }}"
    volumes: "{{ service.volumes | reject('equalto', '') | list }}"
    dimensions: "{{ service.dimensions }}"
    healthcheck: "{{ service.healthcheck | default(omit) }}"
 - name: Restart ironic-tftp container
  vars:
    service_name: "ironic-tftp"
--- a/ansible/roles/ironic/tasks/bootstrap.yml
+++ b/ansible/roles/ironic/tasks/bootstrap.yml
@@ -16,8 +16,6 @@
  with_items:
    - database_name: "{{ ironic_database_name }}"
      group: "ironic-api"
    - database_name: "{{ ironic_inspector_database_name }}"
      group: "ironic-inspector"
  when:
    - not use_preconfigured_databases | bool
    - inventory_hostname in groups[item.group]
@@ -45,10 +43,6 @@
      database_user: "{{ ironic_database_user }}"
      database_password: "{{ ironic_database_password }}"
      group: "ironic-api"
    - database_name: "{{ ironic_inspector_database_name }}"
      database_user: "{{ ironic_inspector_database_user }}"
      database_password: "{{ ironic_inspector_database_password }}"
      group: "ironic-inspector"
  loop_control:
    label: "{{ item.database_name }}"
  when:
--- a/ansible/roles/ironic/tasks/bootstrap_service.yml
+++ b/ansible/roles/ironic/tasks/bootstrap_service.yml
@@ -24,29 +24,6 @@
  delegate_to: "{{ groups[ironic_api.group][0] }}"
  when: inventory_hostname in groups[ironic_api.group]
 - name: Running Ironic Inspector bootstrap container
  vars:
    ironic_inspector: "{{ ironic_services['ironic-inspector'] }}"
  become: true
  kolla_container:
    action: "start_container"
    common_options: "{{ docker_common_options }}"
    detach: False
    environment:
      KOLLA_BOOTSTRAP:
      KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
    image: "{{ ironic_inspector.image }}"
    labels:
      BOOTSTRAP:
    name: "bootstrap_ironic_inspector"
    restart_policy: oneshot
    volumes: "{{ ironic_inspector.volumes | reject('equalto', '') | list }}"
  run_once: True
  delegate_to: "{{ groups[ironic_inspector.group][0] }}"
  when:
    - inventory_hostname in groups[ironic_inspector.group]
    - enable_ironic_inspector | bool
 - name: Running ironic-tftp bootstrap container
  vars:
    service: "{{ ironic_services['ironic-tftp'] }}"
--- a/ansible/roles/ironic/tasks/clone.yml
+++ b/ansible/roles/ironic/tasks/clone.yml
@@ -6,12 +6,3 @@
    dest: "{{ kolla_dev_repos_directory }}/{{ project_name }}"
    update: "{{ ironic_dev_repos_pull }}"
    version: "{{ ironic_source_version }}"
 - name: Cloning ironic-inspector source repository for development
  become: true
  git:
    repo: "{{ ironic_inspector_git_repository }}"
    dest: "{{ kolla_dev_repos_directory }}/ironic-inspector"
    update: "{{ ironic_dev_repos_pull }}"
    version: "{{ ironic_inspector_source_version }}"
  when: ironic_inspector_dev_mode | bool
--- a/ansible/roles/ironic/tasks/config.yml
+++ b/ansible/roles/ironic/tasks/config.yml
@@ -21,18 +21,6 @@
        - "{{ node_custom_config }}/ironic/"
      skip: true
 - name: Check if Ironic Inspector policies shall be overwritten
  stat:
    path: "{{ item }}"
  delegate_to: localhost
  run_once: True
  register: ironic_inspector_policy
  with_first_found:
    - files: "{{ supported_policy_format_list }}"
      paths:
        - "{{ node_custom_config }}/ironic/inspector/"
      skip: true
 - name: Set ironic policy file
  set_fact:
    ironic_policy_file: "{{ ironic_policy.results.0.stat.path | basename }}"
@@ -40,38 +28,6 @@
  when:
    - ironic_policy.results
 - name: Set ironic-inspector policy file
  set_fact:
    ironic_inspector_policy_file: "{{ ironic_inspector_policy.results.0.stat.path | basename }}"
    ironic_inspector_policy_file_path: "{{ ironic_inspector_policy.results.0.stat.path }}"
  when:
    - ironic_inspector_policy.results
 - name: Check if Ironic Inspector known_devices.yaml shall be overwritten
  stat:
    path: "{{ node_custom_config }}/ironic-inspector/known_devices.yaml"
  delegate_to: localhost
  run_once: True
  register: ironic_inspector_known_devices
 - name: Set known_devices file path
  set_fact:
    ironic_inspector_known_devices_file_path: "{{ ironic_inspector_known_devices.stat.path }}"
  when:
    - ironic_inspector_known_devices.stat.exists
 - name: Copying over known_devices.yaml
  vars:
    service: "{{ ironic_services['ironic-inspector'] }}"
  template:
    src: "{{ ironic_inspector_known_devices_file_path }}"
    dest: "{{ node_config_directory }}/ironic-inspector/known_devices.yaml"
    mode: "0660"
  become: true
  when:
    - ironic_inspector_known_devices_file_path is defined
    - service | service_enabled_and_mapped_to_host
 - include_tasks: copy-certs.yml
  when:
    - ironic_copy_certs | bool
@@ -101,21 +57,6 @@
    - item.key in [ "ironic-api", "ironic-conductor", "ironic-prometheus-exporter" ]
  with_dict: "{{ ironic_services | select_services_enabled_and_mapped_to_host }}"
 - name: Copying over inspector.conf
  vars:
    service: "{{ ironic_services['ironic-inspector'] }}"
  merge_configs:
    sources:
      - "{{ role_path }}/templates/ironic-inspector.conf.j2"
      - "{{ node_custom_config }}/global.conf"
      - "{{ node_custom_config }}/ironic-inspector.conf"
      - "{{ node_custom_config }}/ironic-inspector/inspector.conf"
      - "{{ node_custom_config }}/ironic-inspector/{{ inventory_hostname }}/inspector.conf"
    dest: "{{ node_config_directory }}/ironic-inspector/inspector.conf"
    mode: "0660"
  become: true
  when: service | service_enabled_and_mapped_to_host
 - name: Copying over dnsmasq.conf
  vars:
    service: "{{ ironic_services['ironic-dnsmasq'] }}"
@@ -143,8 +84,8 @@
    - "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/pxelinux.default"
    - "pxelinux.default.j2"
  when:
-    # Only required when Ironic inspector is in use.
+    # Only required when Ironic dnsmasq is in use.
-    - groups['ironic-inspector'] | length > 0
+    - groups['ironic-dnsmasq'] | length > 0
    - service | service_enabled_and_mapped_to_host
    - not ironic_dnsmasq_serve_ipxe | bool
@@ -160,8 +101,8 @@
    - "ironic-agent.kernel"
    - "ironic-agent.initramfs"
  when:
-    # Only required when Ironic inspector is in use.
+    # Only required when Ironic dnsmasq is in use.
-    - groups['ironic-inspector'] | length > 0
+    - groups['ironic-dnsmasq'] | length > 0
    - service | service_enabled_and_mapped_to_host
    - not ironic_dnsmasq_serve_ipxe | bool
@@ -177,25 +118,25 @@
    - "ironic-agent.kernel"
    - "ironic-agent.initramfs"
  when:
-    # Only required when Ironic inspector is in use.
+    # Only required when Ironic dnsmasq is in use.
-    - groups['ironic-inspector'] | length > 0
+    - groups['ironic-dnsmasq'] | length > 0
    - service | service_enabled_and_mapped_to_host
- name: Copying inspector.ipxe
+- name: Copying ipa.ipxe
  vars:
    service: "{{ ironic_services['ironic-http'] }}"
  template:
    src: "{{ item }}"
-    dest: "{{ node_config_directory }}/ironic-http/inspector.ipxe"
+    dest: "{{ node_config_directory }}/ironic-http/ipa.ipxe"
    mode: "0660"
  become: true
  with_first_found:
-    - "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/inspector.ipxe"
+    - "{{ node_custom_config }}/ironic/{{ inventory_hostname }}/ipa.ipxe"
-    - "{{ node_custom_config }}/ironic/inspector.ipxe"
+    - "{{ node_custom_config }}/ironic/ipa.ipxe"
-    - "inspector.ipxe.j2"
+    - "ipa.ipxe.j2"
  when:
-    # Only required when Ironic inspector is in use.
+    # Only required when Ironic dnsmasq is in use.
-    - groups['ironic-inspector'] | length > 0
+    - groups['ironic-dnsmasq'] | length > 0
    - service | service_enabled_and_mapped_to_host
 - name: Copying ironic-http-httpd.conf
@@ -240,20 +181,6 @@
    - item.key in services_require_policy_json
  with_dict: "{{ ironic_services | select_services_enabled_and_mapped_to_host }}"
 - name: Copying over existing Ironic Inspector policy file
  vars:
    services_require_inspector_policy_json:
      - ironic-inspector
  template:
    src: "{{ ironic_inspector_policy_file_path }}"
    dest: "{{ node_config_directory }}/{{ item.key }}/{{ ironic_inspector_policy_file }}"
    mode: "0660"
  become: true
  when:
    - ironic_inspector_policy_file is defined
    - item.key in services_require_inspector_policy_json
  with_dict: "{{ ironic_services | select_services_enabled_and_mapped_to_host }}"
 - name: Copying over ironic-api-wsgi.conf
  vars:
    service: "{{ ironic_services['ironic-api'] }}"
--- a/ansible/roles/ironic/tasks/deploy.yml
+++ b/ansible/roles/ironic/tasks/deploy.yml
@@ -15,20 +15,3 @@
 - name: Flush handlers
  meta: flush_handlers
 # NOTE(mgoddard): If inspector was previously configured to use the iptables
 # PXE filter, it may leave rules in place that block inspection. Clean them up.
 # The iptables Ansible module is not idempotent - it fails if the chain does
 # not exist, so use a command instead.
 - name: Flush and delete ironic-inspector iptables chain
  become: true
  command: iptables --{{ item }} ironic-inspector
  register: ironic_inspector_chain
  with_items:
    - flush
    - delete-chain
  when: ironic_inspector_pxe_filter != 'iptables'
  changed_when: ironic_inspector_chain.rc == 0
  failed_when:
    - ironic_inspector_chain.rc != 0
    - "'No chain/target/match by that name' not in ironic_inspector_chain.stderr"
--- a/ansible/roles/ironic/tasks/precheck.yml
+++ b/ansible/roles/ironic/tasks/precheck.yml
@@ -12,7 +12,6 @@
    container_engine: "{{ kolla_container_engine }}"
    name:
      - ironic_api
      - ironic_inspector
      - ironic_http
      - ironic_prometheus_exporter
  check_mode: false
@@ -29,17 +28,6 @@
    - container_facts.containers['ironic_api'] is not defined
    - inventory_hostname in groups['ironic-api']
 - name: Checking free port for Ironic Inspector
  wait_for:
    host: "{{ api_interface_address }}"
    port: "{{ ironic_inspector_listen_port }}"
    connect_timeout: 1
    timeout: 1
    state: stopped
  when:
    - container_facts.containers['ironic_inspector'] is not defined
    - inventory_hostname in groups['ironic-inspector']
 - name: Checking free port for Ironic HTTP server
  wait_for:
    host: "{{ api_interface_address }}"
@@ -63,7 +51,7 @@
    - container_facts.containers['ironic_prometheus_exporter'] is not defined
    - inventory_hostname in groups['ironic-conductor']
- name: Checking ironic-agent files exist for Ironic Inspector
+- name: Checking ironic-agent files exist for Ironic
  stat:
    path: "{{ ironic_agent_files_directory }}/ironic/{{ item }}"
  delegate_to: localhost
@@ -71,8 +59,8 @@
  register: result
  failed_when: not result.stat.exists
  when:
-    # Only required when Ironic inspector is in use.
+    # Only required when Ironic dnsmasq is in use.
-    - groups['ironic-inspector'] | length > 0
+    - groups['ironic-dnsmasq'] | length > 0
    - (not ironic_dnsmasq_serve_ipxe | bool and inventory_hostname in groups['ironic-tftp']) or
        (ironic_dnsmasq_serve_ipxe | bool and inventory_hostname in groups['ironic-http'])
  with_items:
--- a/ansible/roles/ironic/tasks/upgrade.yml
+++ b/ansible/roles/ironic/tasks/upgrade.yml
@@ -1,6 +1,55 @@
 ---
 # TODO(mnasiadka): Remove this task in Gazpacho/2026.1 release
 - name: Remove ironic-inspector
  become: true
  kolla_container:
    action: "stop_and_remove_container"
    common_options: "{{ docker_common_options }}"
    name: "ironic_inspector"
    ignore_missing: true
 # TODO(mnasiadka): Remove this block in Gazpacho/2026.1 release
 - name: Handle volume migration for ironic_dnsmasq
  when: enable_ironic_dnsmasq | bool
  block:
    - name: Stop ironic_dnsmasq container
      become: true
      kolla_container:
        action: "stop_container"
        common_options: "{{ docker_common_options }}"
        name: "ironic_dnsmasq"
        ignore_missing: true
    - name: Create ironic_dhcp_hosts volume
      become: true
      command: "{{ kolla_container_engine }} volume create ironic_dhcp_hosts"
    - name: Migrate data from ironic_inspector_dhcp_hosts volume
      become: true
      vars:
        volumes_dir: >-
          {{ '/var/lib/docker/volumes' if kolla_container_engine == 'docker'
          else '/var/lib/containers/storage/volumes' }}
      command: >-
        mv {{ volumes_dir }}/ironic_inspector_dhcp_hosts/_data/
        {{ volumes_dir }}/ironic_dhcp_hosts/_data
 - name: Get Ironic API container facts
  become: true
  vars:
    container_name: "{{ ironic_services['ironic-api'].container_name }}"
  kolla_container_facts:
    action: get_containers
    container_engine: "{{ kolla_container_engine }}"
    name:
      - "{{ container_name }}"
  check_mode: false
  register: container_facts
 - name: Wait for Ironic nodes not to wait
  become: true
  vars:
    container_name: "{{ ironic_services['ironic-api'].container_name }}"
  command: >
    {{ kolla_container_engine }} exec kolla_toolbox openstack
    --os-interface {{ openstack_interface }}
@@ -25,10 +74,18 @@
       select('search', '\\bwait\\b') |
       length) == 0
  run_once: true
-  when: not ironic_upgrade_skip_wait_check | bool
+  when:
    - not ironic_upgrade_skip_wait_check | bool
    - container_facts.containers[container_name] is defined
 - include_tasks: rolling_upgrade.yml
  when: ironic_enable_rolling_upgrade | bool
 - include_tasks: legacy_upgrade.yml
  when: not ironic_enable_rolling_upgrade | bool
 # TODO(mnasiadka): Remove this task in Gazpacho/2026.1 release
 - name: Remove ironic_inspector_dhcp_hosts volume
  become: true
  command: "{{ kolla_container_engine }} volume rm ironic_inspector_dhcp_hosts"
  when: enable_ironic_dnsmasq | bool
--- a/ansible/roles/ironic/templates/inspector.ipxe.j2
+++ b/ansible/roles/ironic/templates/inspector.ipxe.j2
@@ -7,12 +7,12 @@ dhcp || goto retry_dhcp
 {% if not enable_neutron | bool %}
 # load the MAC-specific file or fail if it's not found
 :boot_system
-chain pxelinux.cfg/${mac:hexhyp} || goto inspector_ipa
+chain pxelinux.cfg/${mac:hexhyp} || goto ipa
 {% endif %}
-:inspector_ipa
+:ipa
 :retry_boot
 imgfree
-kernel --timeout 30000 {{ ironic_http_url }}/ironic-agent.kernel ipa-inspection-callback-url={{ ironic_inspector_internal_endpoint }}/v1/continue systemd.journald.forward_to_console=yes BOOTIF=${mac} initrd=ironic-agent.initramfs {{ ironic_inspector_kernel_cmdline_extras | join(' ') }} || goto retry_boot
+kernel --timeout 30000 {{ ironic_http_url }}/ironic-agent.kernel ipa-inspection-callback-url={{ ironic_internal_endpoint }}/v1/continue systemd.journald.forward_to_console=yes BOOTIF=${mac} initrd=ironic-agent.initramfs {{ ironic_kernel_cmdline_extras | join(' ') }} || goto retry_boot
 initrd --timeout 30000 {{ ironic_http_url }}/ironic-agent.initramfs || goto retry_boot
 boot
--- a/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2
+++ b/ansible/roles/ironic/templates/ironic-dnsmasq.conf.j2
@@ -25,7 +25,7 @@ dhcp-match=ipxe,175
 dhcp-match=set:efi,option:client-arch,7
 dhcp-match=set:efi,option:client-arch,9
 # Client is already running iPXE; move to next stage of chainloading
-dhcp-option=tag:ipxe,option:bootfile-name,{{ ironic_http_url }}/inspector.ipxe
+dhcp-option=tag:ipxe,option:bootfile-name,{{ ironic_http_url }}/ipa.ipxe
 # Client is PXE booting over EFI without iPXE ROM,
 # send EFI version of iPXE chainloader
 dhcp-option=tag:efi,tag:!ipxe,option:bootfile-name,{{ ironic_dnsmasq_uefi_ipxe_boot_file }}
@@ -39,6 +39,6 @@ log-facility=/var/log/kolla/ironic/dnsmasq.log
 log-dhcp
 {% endif %}
-{% if ironic_inspector_pxe_filter == 'dnsmasq' %}
+{% if ironic_pxe_filter == 'dnsmasq' %}
 dhcp-hostsdir=/etc/dnsmasq/dhcp-hostsdir
 {% endif %}
--- a/ansible/roles/ironic/templates/ironic-http.json.j2
+++ b/ansible/roles/ironic/templates/ironic-http.json.j2
@@ -3,7 +3,7 @@
 {
    "command": "{{ apache_cmd }} -DFOREGROUND",
    "config_files": [
-{% if groups['ironic-inspector'] | length > 0 %}
+{% if groups['ironic-dnsmasq'] | length > 0 %}
        {
            "source": "{{ container_config_directory }}/ironic-agent.kernel",
            "dest": "/var/lib/ironic/httpboot/ironic-agent.kernel",
@@ -17,8 +17,8 @@
            "perm": "0644"
        },
        {
-            "source": "{{ container_config_directory }}/inspector.ipxe",
+            "source": "{{ container_config_directory }}/ipa.ipxe",
-            "dest": "/var/lib/ironic/httpboot/inspector.ipxe",
+            "dest": "/var/lib/ironic/httpboot/ipa.ipxe",
            "owner": "root",
            "perm": "0644"
        },
--- a/ansible/roles/ironic/templates/ironic-inspector.conf.j2
+++ b/ansible/roles/ironic/templates/ironic-inspector.conf.j2
@@ -1,103 +0,0 @@
 [DEFAULT]
 debug = {{ ironic_logging_debug }}
 log_dir = /var/log/kolla/ironic-inspector
 {% if not ironic_enable_keystone_integration | bool %}
 auth_strategy = noauth
 {% endif %}
 listen_address = {{ api_interface_address }}
 listen_port = {{ ironic_inspector_listen_port }}
 transport_url = {{ rpc_transport_url }}
 [oslo_messaging_notifications]
 transport_url = {{ notify_transport_url }}
 [oslo_messaging_rabbit]
 use_queue_manager = true
 heartbeat_in_pthread = false
 {% if om_enable_rabbitmq_tls | bool %}
 ssl = true
 ssl_ca_file = {{ om_rabbitmq_cacert }}
 {% endif %}
 rabbit_quorum_queue = true
 {% if om_enable_rabbitmq_stream_fanout | bool %}
 rabbit_stream_fanout = true
 rabbit_qos_prefetch_count = {{ om_rabbitmq_qos_prefetch_count }}
 {% endif %}
 rabbit_transient_quorum_queue = true
 [ironic]
 {% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 user_domain_id = {{ default_user_domain_id }}
 username = {{ ironic_inspector_keystone_user }}
 password = {{ ironic_inspector_keystone_password }}
 valid_interfaces = internal
 cafile = {{ openstack_cacert }}
 region_name = {{ openstack_region_name }}
 system_scope = all
 {% else %}
 auth_type = none
 endpoint_override = {{ ironic_internal_endpoint }}
 {% endif %}
 {% if ironic_enable_keystone_integration | bool %}
 [keystone_authtoken]
 service_type = baremetal-introspection
 www_authenticate_uri = {{ keystone_public_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
 user_domain_id = {{ default_user_domain_id }}
 project_name = service
 username = {{ ironic_inspector_keystone_user }}
 password = {{ ironic_inspector_keystone_password }}
 cafile = {{ openstack_cacert }}
 region_name = {{ openstack_region_name }}
 memcache_security_strategy = {{ memcache_security_strategy }}
 memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
 {% endif %}
 {% if ironic_policy_file is defined %}
 [oslo_policy]
 policy_file = {{ ironic_policy_file }}
 {% endif %}
 [database]
 connection = mysql+pymysql://{{ ironic_inspector_database_user }}:{{ ironic_inspector_database_password }}@{{ ironic_inspector_database_address }}/{{ ironic_inspector_database_name }}{{ '?ssl_ca=' ~ openstack_cacert if ironic_database_enable_tls_internal | bool }}
 connection_recycle_time = {{ database_connection_recycle_time }}
 max_pool_size = {{ database_max_pool_size }}
 [processing]
 ramdisk_logs_dir = /var/log/kolla/ironic-inspector
 [pxe_filter]
 driver = {{ ironic_inspector_pxe_filter }}
 {% if ironic_inspector_pxe_filter == 'iptables' %}
 [iptables]
 dnsmasq_interface = {{ ironic_dnsmasq_interface }}
 {% endif %}
 [coordination]
 {% if ironic_coordination_backend == 'redis' %}
 backend_url = {{ redis_connection_string }}
 {% elif ironic_coordination_backend == 'etcd' %}
 # NOTE(yoctozepto): we must use etcd3gw (aka etcd3+http) due to issues with alternative (etcd3) and eventlet (as used by cinder)
 # see https://bugs.launchpad.net/kolla-ansible/+bug/1854932
 # and https://review.opendev.org/466098 for details
 # NOTE(jan.gutter): etcd v3.4 removed the default `v3alpha` api_version. Until
 # tooz defaults to a newer version, we should explicitly specify `v3`
 backend_url = etcd3+{{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ etcd_client_port }}?api_version=v3{% if openstack_cacert %}?ca_cert={{ openstack_cacert }}{% endif %}
 {% endif %}
 {% if ironic_inspector_known_devices_file_path is defined %}
 [accelerators]
 known_devices = /etc/ironic-inspector/known_devices.yaml
 {% endif %}
 [oslo_concurrency]
 lock_path = /var/lib/ironic-inspector/tmp
--- a/ansible/roles/ironic/templates/ironic-inspector.json.j2
+++ b/ansible/roles/ironic/templates/ironic-inspector.json.j2
@@ -1,28 +0,0 @@
 {
    "command": "ironic-inspector --config-file /etc/ironic-inspector/inspector.conf",
    "config_files": [
        {
            "source": "{{ container_config_directory }}/inspector.conf",
            "dest": "/etc/ironic-inspector/inspector.conf",
            "owner": "ironic-inspector",
            "perm": "0600"
        }{% if ironic_inspector_policy_file is defined %},
        {
            "source": "{{ container_config_directory }}/{{ ironic_inspector_policy_file }}",
            "dest": "/etc/ironic-inspector/{{ ironic_inspector_policy_file }}",
            "owner": "ironic-inspector",
            "perm": "0600"
        }{% endif %}{% if ironic_inspector_known_devices_file_path is defined %},
        {
            "source": "{{ container_config_directory }}/known_devices.yaml",
            "dest": "/etc/ironic-inspector/known_devices.yaml",
            "owner": "ironic-inspector",
        }{% endif %}{% if kolla_copy_ca_into_containers | bool %},
        {
            "source": "{{ container_config_directory }}/ca-certificates",
            "dest": "/var/lib/kolla/share/ca-certificates",
            "owner": "root",
            "perm": "0600"
        }{% endif %}
    ]
 }
--- a/ansible/roles/ironic/templates/ironic-tftp.json.j2
+++ b/ansible/roles/ironic/templates/ironic-tftp.json.j2
@@ -4,7 +4,7 @@
 {
    "command": "/usr/sbin/in.tftpd --verbose --foreground --user nobody --address {{ ironic_tftp_listen_address }}:69 --map-file /map-file /var/lib/ironic/tftpboot",
    "config_files": [
-{% if not ironic_dnsmasq_serve_ipxe | bool and groups['ironic-inspector'] | length > 0 %}
+{% if not ironic_dnsmasq_serve_ipxe | bool and groups['ironic-dnsmasq'] | length > 0 %}
        {
            "source": "{{ container_config_directory }}/ironic-agent.kernel",
            "dest": "/var/lib/ironic/tftpboot/ironic-agent.kernel",
--- a/ansible/roles/ironic/templates/ironic.conf.j2
+++ b/ansible/roles/ironic/templates/ironic.conf.j2
@@ -155,23 +155,6 @@ valid_interfaces = internal
 cafile = {{ openstack_cacert }}
 {% endif %}
 [inspector]
 {% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
 user_domain_id = default
 project_name = service
 username = {{ ironic_keystone_user }}
 password = {{ ironic_keystone_password }}
 region_name = {{ openstack_region_name }}
 valid_interfaces = internal
 cafile = {{ openstack_cacert }}
 {% else %}
 auth_type = none
 endpoint_override = {{ ironic_inspector_internal_endpoint }}
 {% endif %}
 [service_catalog]
 {% if ironic_enable_keystone_integration | bool %}
 auth_url = {{ keystone_internal_url }}
--- a/ansible/roles/ironic/templates/pxelinux.default.j2
+++ b/ansible/roles/ironic/templates/pxelinux.default.j2
@@ -3,6 +3,6 @@ default introspect
 label introspect
 kernel ironic-agent.kernel
-append initrd=ironic-agent.initramfs ipa-inspection-callback-url={{ ironic_inspector_internal_endpoint }}/v1/continue systemd.journald.forward_to_console=yes {{ ironic_inspector_kernel_cmdline_extras | join(' ') }}
+append initrd=ironic-agent.initramfs ipa-inspection-callback-url={{ ironic_internal_endpoint }}/v1/continue systemd.journald.forward_to_console=yes {{ ironic_kernel_cmdline_extras | join(' ') }}
 ipappend 3
--- a/ansible/roles/loadbalancer/tasks/precheck.yml
+++ b/ansible/roles/loadbalancer/tasks/precheck.yml
@@ -435,19 +435,6 @@
    - haproxy_stat.find('ironic_api') == -1
    - haproxy_vip_prechecks
 - name: Checking free port for Ironic Inspector HAProxy
  wait_for:
    host: "{{ kolla_internal_vip_address }}"
    port: "{{ ironic_inspector_port }}"
    connect_timeout: 1
    timeout: 1
    state: stopped
  when:
    - enable_ironic | bool
    - inventory_hostname in groups['loadbalancer']
    - haproxy_stat.find('ironic_inspector') == -1
    - haproxy_vip_prechecks
 - name: Checking free port for Keystone Internal HAProxy
  wait_for:
    host: "{{ kolla_internal_vip_address }}"
--- a/ansible/roles/loadbalancer/tasks/upgrade.yml
+++ b/ansible/roles/loadbalancer/tasks/upgrade.yml
@@ -27,4 +27,13 @@
  when:
    - inventory_hostname in groups['loadbalancer']
 # TODO(mnasiadka): Remove this task in Gazpacho/2026.1 release
 - name: Removing config for ironic-inspector
  file:
    path: "{{ node_config_directory }}/haproxy/services.d/ironic-inspector.cfg"
    state: "absent"
  become: true
  when:
    - inventory_hostname in groups['loadbalancer']
 - import_tasks: deploy.yml
--- a/ansible/roles/prometheus/defaults/main.yml
+++ b/ansible/roles/prometheus/defaults/main.yml
@@ -250,8 +250,6 @@ prometheus_blackbox_exporter_endpoints_default:
  - endpoints:
      - "ironic:os_endpoint:{{ ironic_public_endpoint }}"
      - "{{ ('ironic_internal:os_endpoint:' + ironic_internal_endpoint) if not kolla_same_external_internal_vip | bool }}"
      - "ironic_inspector:os_endpoint:{{ ironic_inspector_public_endpoint }}"
      - "{{ ('ironic_inspector_internal:os_endpoint:' + ironic_inspector_internal_endpoint) if not kolla_same_external_internal_vip | bool }}"
    enabled: "{{ enable_ironic | bool }}"
  - endpoints:
      - "keystone:os_endpoint:{{ keystone_public_url }}"
--- a/ansible/roles/service-ks-register/tasks/main.yml
+++ b/ansible/roles/service-ks-register/tasks/main.yml
@@ -64,15 +64,19 @@
      retries: "{{ service_ks_register_retries }}"
      delay: "{{ service_ks_register_delay }}"
-    - name: "{{ project_name }} | Creating users"
+    - name: "{{ project_name }} | Creating/deleting users"
      kolla_toolbox:
        container_engine: "{{ kolla_container_engine }}"
        module_name: openstack.cloud.identity_user
        module_args:
          default_project: "{{ item.project }}"
          name: "{{ item.user }}"
-          password: "{{ item.password }}"
+          password: "{{ item.password | default(omit) }}"
-          update_password: "{{ 'always' if update_keystone_service_user_passwords | bool else 'on_create' }}"
+          update_password: >-
            {{ 'always' if
            update_keystone_service_user_passwords | bool and
            item.password is defined
            else 'on_create' }}
          domain: "{{ service_ks_register_domain }}"
          region_name: "{{ service_ks_register_region_name }}"
          auth: "{{ service_ks_register_auth }}"
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -552,7 +552,6 @@
  hosts:
    - ironic-api
    - ironic-conductor
    - ironic-inspector
    - ironic-tftp
    - ironic-http
    - '&enable_ironic_True'
--- a/doc/source/reference/bare-metal/ironic-guide.rst
+++ b/doc/source/reference/bare-metal/ironic-guide.rst
@@ -26,7 +26,7 @@ define a network to be used for the Ironic cleaning network:
   ironic_dnsmasq_interface: "eth1"
   ironic_cleaning_network: "public1"
-Finally, define at least one DHCP range for Ironic inspector:
+Finally, define at least one DHCP range for Ironic inspection:
 .. code-block:: yaml
@@ -76,7 +76,7 @@ The default lease time for each range can be configured globally via
 ``ironic_dnsmasq_dhcp_default_lease_time`` variable or per range via
 ``lease_time`` parameter.
-In the same file, specify the PXE bootloader file for Ironic Inspector. The
+In the same file, specify the PXE bootloader file for Ironic inspection. The
 file is relative to the ``/var/lib/ironic/tftpboot`` directory. The default is
 ``pxelinux.0``, and should be correct for x86 systems. Other platforms may
 require a different value, for example aarch64 on Debian requires
@@ -86,7 +86,7 @@ require a different value, for example aarch64 on Debian requires
   ironic_dnsmasq_boot_file: pxelinux.0
-Ironic inspector also requires a deploy kernel and ramdisk to be placed in
+Ironic inspection also requires a deploy kernel and ramdisk to be placed in
 ``/etc/kolla/config/ironic/``. The following example uses coreos which is
 commonly used in Ironic deployments, though any compatible kernel/ramdisk may
 be used:
@@ -103,7 +103,7 @@ You may optionally pass extra kernel parameters to the inspection kernel using:
 .. code-block:: yaml
-   ironic_inspector_kernel_cmdline_extras: ['ipa-lldp-timeout=90.0', 'ipa-collect-lldp=1']
+   ironic_kernel_cmdline_extras: ['ipa-lldp-timeout=90.0', 'ipa-collect-lldp=1']
 in ``/etc/kolla/globals.yml``.
@@ -120,7 +120,7 @@ Revert to plain PXE (not recommended)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Starting with Yoga, Ironic has changed the default PXE from plain PXE to iPXE.
 Kolla Ansible follows this upstream decision by choosing iPXE as the default
-for Ironic Inspector but allows users to revert to the previous default of
+for Ironic inspection but allows users to revert to the previous default of
 plain PXE by setting the following in
 ``/etc/kolla/globals.yml``:
@@ -215,7 +215,7 @@ Post-deployment configuration
 The :ironic-doc:`Ironic documentation <install/configure-glance-images>`
 describes how to create the deploy kernel and ramdisk and register them with
 Glance. In this example we're reusing the same images that were fetched for the
-Inspector:
+inspection:
 .. code-block:: console
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -639,14 +639,14 @@ workaround_ansible_issue_8743: yes
 #############################
 # Ironic options
 #############################
-# dnsmasq bind interface for Ironic Inspector, by default is network_interface
+# dnsmasq bind interface for Ironic inspection, by default is network_interface
 #ironic_dnsmasq_interface: "{{ network_interface }}"
 # The following value must be set when enabling ironic, the value format is a
 # list of ranges - at least one must be configured, for example:
 # - range: 192.168.0.10,192.168.0.100
 # See Kolla Ansible docs on Ironic for details.
 #ironic_dnsmasq_dhcp_ranges:
-# PXE bootloader file for Ironic Inspector, relative to /var/lib/ironic/tftpboot.
+# PXE bootloader file for Ironic inspection, relative to /var/lib/ironic/tftpboot.
 #ironic_dnsmasq_boot_file: "pxelinux.0"
 # Configure ironic upgrade option, due to currently kolla support
@@ -657,7 +657,7 @@ workaround_ansible_issue_8743: yes
 #ironic_enable_rolling_upgrade: "yes"
 # List of extra kernel parameters passed to the kernel used during inspection
-#ironic_inspector_kernel_cmdline_extras: []
+#ironic_kernel_cmdline_extras: []
 # Valid options are [ '', redis, etcd ]
 #ironic_coordination_backend: "{{ 'redis' if enable_redis|bool else 'etcd' if enable_etcd|bool else '' }}"
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@@ -96,9 +96,6 @@ heat_domain_admin_password:
 ironic_database_password:
 ironic_keystone_password:
 ironic_inspector_database_password:
 ironic_inspector_keystone_password:
 magnum_database_password:
 magnum_keystone_password:
--- a/releasenotes/notes/drop-ironic-inspector-38fc91c64517ffc1.yaml
+++ b/releasenotes/notes/drop-ironic-inspector-38fc91c64517ffc1.yaml
@@ -0,0 +1,12 @@
 ---
 upgrade:
  - |
    The ``ironic-inspector`` deployment support has been dropped following
    retirement of that service in ``Ironic`` project.
    ``ironic_inspector_kernel_cmdline_extras`` has been renamed to
    ``ironic_kernel_cmdline_extras`` and  ``ironic_inspector_pxe_filter``
    has been renamed to ``ironic_pxe_filter``.
    Also the ``inspector.ipxe`` file has been renamed to ``ipa.ipxe``.
  - |
    ``bifrost`` support for deploying legacy ironic inspector has been
    dropped together with ``bifrost_enable_ironic_inspector`` variable.
--- a/roles/openstack-clients/defaults/main.yml
+++ b/roles/openstack-clients/defaults/main.yml
@@ -8,8 +8,6 @@ openstack_clients_pip_packages:
    enabled: true
  - package: python-ironicclient
    enabled: "{{ scenario == 'ironic' }}"
  - package: python-ironic-inspector-client
    enabled: "{{ scenario == 'ironic' }}"
  - package: python-magnumclient
    enabled: "{{ scenario == 'magnum' }}"
  - package: python-masakariclient
--- a/tests/get_logs.sh
+++ b/tests/get_logs.sh
@@ -123,7 +123,7 @@ copy_logs() {
    # bifrost related logs
    if [[ $(${CONTAINER_ENGINE} ps --filter name=bifrost_deploy --format "{{.Names}}") ]]; then
-        for service in dnsmasq ironic ironic-api ironic-conductor ironic-inspector mariadb nginx; do
+        for service in dnsmasq ironic ironic-api ironic-conductor mariadb nginx; do
            mkdir -p ${LOG_DIR}/kolla/$service
            ${CONTAINER_ENGINE} exec bifrost_deploy systemctl status $service > ${LOG_DIR}/kolla/$service/systemd-status-$service.txt
        done
@@ -136,12 +136,6 @@ copy_logs() {
        ${CONTAINER_ENGINE} exec haproxy bash -c 'echo show stat | socat stdio /var/lib/kolla/haproxy/haproxy.sock' > ${LOG_DIR}/kolla/haproxy/stats.txt
    fi
    # FIXME: remove
    if [[ $(${CONTAINER_ENGINE} ps -a --filter name=ironic_inspector --format "{{.Names}}") ]]; then
        mkdir -p ${LOG_DIR}/kolla/ironic-inspector
        ls -lR ${VOLUMES_DIR}/ironic_inspector_dhcp_hosts > ${LOG_DIR}/kolla/ironic-inspector/var-lib-ls.txt
    fi
    for container in $(${CONTAINER_ENGINE} ps -a --format "{{.Names}}"); do
        ${CONTAINER_ENGINE} logs --timestamps --tail=${LOGS_TAIL_PARAMETER} ${container} &> ${LOG_DIR}/container_logs/${container}.txt
    done
--- a/tests/templates/inventory.j2
+++ b/tests/templates/inventory.j2
@@ -410,9 +410,15 @@ ironic
 [ironic-conductor:children]
 ironic
 {# NOTE(mnasiadka): Remove in Gazpacho/2026.1 release #}
 {% if is_upgrade | bool %}
 [ironic-inspector:children]
 ironic
 {% endif %}
 [ironic-dnsmasq:children]
 ironic
 [ironic-tftp:children]
 ironic
--- a/tests/templates/ironic-overrides.j2
+++ b/tests/templates/ironic-overrides.j2
@@ -1,5 +1,10 @@
 [DEFAULT]
 enabled_inspect_interfaces = no-inspect, agent
 default_inspect_interface = agent
 [neutron]
 cleaning_network = public1
 inspection_network = public1
 provisioning_network = public1
 # This IPMI configuration has been taken from the metal3.io ironic-image
--- a/tests/test-ironic.sh
+++ b/tests/test-ironic.sh
@@ -19,7 +19,7 @@ function test_ironic_logged {
    # Smoke test ironic API.
    openstack --os-cloud kolla-admin-system-internal baremetal driver list
-    openstack baremetal node list
+    openstack --os-cloud kolla-admin-system-internal baremetal node list
    openstack baremetal port list
    openstack baremetal node show tk0
@@ -27,14 +27,43 @@ function test_ironic_logged {
    openstack baremetal node show tk0
    openstack baremetal node manage tk0
    openstack baremetal node show tk0
    openstack baremetal node provide tk0
    openstack baremetal node show tk0
    openstack baremetal node validate tk0
-    echo "TESTING: Server creation"
+    echo "TESTING: Server inspection"
-    openstack server create --image cirros --flavor test-rc --key-name mykey --network public1 kolla_bm_boot_test
+    openstack baremetal node inspect tk0
    local attempt
    attempt=1
    while [[ $(openstack baremetal node show tk0 -f value -c provision_state) != "manageable" ]]; do
        echo "Server not yet manageable, check $attempt - retrying"
        attempt=$((attempt+1))
        if [[ $attempt -eq 16 ]]; then
            echo "FAILED: Server did not finish inspection after $attempt checks"
            openstack baremetal node show tk0
            return 1
        fi
        sleep 60
    done
    openstack baremetal node inventory save tk0
    echo ""
    echo "SUCCESS: Server inspection"
    echo "TESTING: Server creation"
    openstack baremetal node provide tk0
    attempt=1
    while [[ $(openstack baremetal node show tk0 -f value -c provision_state) != "available" ]]; do
        echo "Server not yet available, check $attempt - retrying"
        attempt=$((attempt+1))
        if [[ $attempt -eq 16 ]]; then
            echo "FAILED: Server did not get to available state after $attempt checks"
            openstack baremetal node show tk0
            return 1
        fi
        sleep 60
    done
    # NOTE(mnasiadka): Wait for nova-compute-ironic to pick up the new node
    sleep 60
    openstack server create --image cirros --flavor test-rc --key-name mykey --network public1 kolla_bm_boot_test
    attempt=1
    while [[ $(openstack server show kolla_bm_boot_test -f value -c status) != "ACTIVE" ]]; do
        echo "Server not yet active, check $attempt - retrying"
        attempt=$((attempt+1))
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -359,6 +359,30 @@
    vars:
      base_distro: ubuntu
 - job:
    name: kolla-ansible-rocky9-ironic-upgrade
    parent: kolla-ansible-ironic-base
    nodeset: kolla-ansible-rocky9
    vars:
      base_distro: rocky
      is_upgrade: true
 - job:
    name: kolla-ansible-debian-ironic-upgrade
    parent: kolla-ansible-ironic-base
    nodeset: kolla-ansible-debian-bookworm-16GB
    vars:
      base_distro: debian
      is_upgrade: true
 - job:
    name: kolla-ansible-ubuntu-ironic-upgrade
    parent: kolla-ansible-ironic-base
    nodeset: kolla-ansible-ubuntu-noble-8GB
    vars:
      base_distro: ubuntu
      is_upgrade: true
 - job:
    name: kolla-ansible-rocky9-magnum
    parent: kolla-ansible-magnum-base
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -25,6 +25,8 @@
        - kolla-ansible-ubuntu-masakari
        - kolla-ansible-debian-ironic
        - kolla-ansible-ubuntu-ironic
        - kolla-ansible-debian-ironic-upgrade
        - kolla-ansible-ubuntu-ironic-upgrade
        - kolla-ansible-debian-upgrade
        - kolla-ansible-ubuntu-upgrade
        - kolla-ansible-ubuntu-cells