[BUGFIX] Fix ironic conductor for post-adoption baremetal provisioning

[imatza-rh]

Fix issues preventing post-adoption baremetal provisioning in the
test-with-ironic scenario. Contains workarounds for ironic-operator
bugs and related fixes. Discovered during shiftstack adoption CI
(OSPRH-27919),
but all fixes affect regular ironic adoption too.

Fixes:

1. Missing conductor DHCP ranges (OSPRH-28474):
   ironicConductors had no dhcpRanges, nodes couldn't PXE boot.
   Added 172.20.1.240-249 (non-overlapping with inspector 190-199).

2. IPA heartbeat using unreachable K8s hostname (OSPRH-28474):
   Set endpoint_override to MetalLB VIP in conductor [service_catalog].
   Uses ansible.utils.ipwrap
   for IPv6 bracket wrapping (RFC 3986).

3. Conductor dnsmasq missing UEFI boot directives (OSPRH-28474):
   ironic-operator conductor template lacks dhcp-boot lines (inspector
   template has them). Workaround patches dnsmasq.conf at runtime,
   gated by ironic_conductor_dnsmasq_uefi_fix toggle (default: true).
   Applied in both ironic_adoption and nova_verify because operator
   reconciliation can wipe the first patch (OSPRH-28479).

4. Conductor dnsmasq DHCP race (OSPRH-28474):
   Deployed instances get wrong IP from conductor pool (OVN doesn't serve
   vif_type=other ports). Workaround adds dhcp-host entry and reboots
   instance. Idempotent (skips if MAC already in config).

5. Deploy images cleared with no fallback (OSPRH-28476):
   Sets httpboot IPA deploy images on nodes using conductor pod IP.
   Old code blanked deploy_ramdisk/deploy_kernel with no replacement.

Additional fixes:

• Clean stale nova-compute services blocking FFU version convergence
  (soft-delete via UPDATE services SET deleted=id where version < MAX)
• Wait for source Keystone availability before pre-launch tests
• Fix wait_node_state to use --provision-state server-side filter
  (replaces fragile grep -P with escaped column names)
• Fix wait_image_active to use ${image_name} param (was hardcoded
  to Fedora-Cloud-Base-38)
• Add ERROR state detection in wait_server_active (early exit vs timeout)
• IPv6 URL bracket wrapping and CONDUCTOR_IP guards

Tested - full adoption pipeline (7/7 stages, ~10h):
deploy-infra → deploy-osp → deploy-ocp → install-operators →
install-shiftstack → run-adoption → run-shiftstack-after
(buildset 9821f411)

Bugs filed:

• OSPRH-28474 - ironic-operator conductor dnsmasq template gaps (Critical)
• OSPRH-28476 - ironic_adoption clears deploy images with no fallback
• OSPRH-28478 - Ironic adoption doc missing ML2 and conductor dhcpRanges
• OSPRH-28479 - RFE: CR field for custom conductor dnsmasq directives

Related-Issue: OSPRH-27919

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sathlan for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hjensas]

This DHCP is for the standalone ironic - not for full RHOSO.
Neutron is providing DHCP for ironic provisioning.

[juliakreger]

Instead of changes, I'd like to request we schedule a meeting with the hardprov team to discuss this. We are concerned features are getting confused because DHCP for baremetal nodes should be provided by neutron, and standalone direct usage of the Ironic deployment is not an expected nor directly supported scenario outside of the integrated use case. i.e. Asking ironic to deploy a baremetal node with VIF would work and be supported, but operating ironic without neutron would not be inherently supported.

[imatza-rh]

Closing - our CI pipeline passes without these workarounds (buildset 23765d65).