provisioning
The gb10-provision control plane is a self-contained, state-free PXE/onboarding system designed to bring a fresh NVIDIA GB10 (DGX Spark) appliance online over an isolated provisioning LAN. It ships as container images and a Helm chart, deployed on the appliance’s own k3s cluster. The system enforces an isolated-LAN security model: the API binds only to the provisioning interface and runs unprivileged, and it assumes the network is physically or logically isolated.
The deployment relies on a Helm chart that wires the subsystems together and runs all pods with `hostNetwork: true`, so the DHCP, TFTP, and HTTP services can bind directly to the physical LAN interface. This allows a fresh PXE-booting GB10, which has no IP address yet, to communicate with the control plane without relying on ordinary ClusterIP services. Jinja templates are rendered with `StrictUndefined`, so a missing variable fails loudly rather than shipping a broken autoinstall seed.
| Subsystem | Description |
|---|---|
| gb10-dnsmasq | Provides DHCP and TFTP/PXE services for the isolated provisioning network. |
| gb10-provision-api | A FastAPI control plane that serves cloud-init/autoinstall, tracks per-client onboarding state, and renders user-data. |
| nginx | Serves static content and proxies requests to the API, running on the host network. |
| Helm Chart | Wires dnsmasq, nginx, and the API together, deploying them into the appliance’s k3s cluster. |
# gb10-provision
> **Disclaimer: unofficial and unsupported.** Provided for testing and
> evaluation only, on an "AS IS" basis, with no warranty and no support. Not
> affiliated with or endorsed by Dell. See [DISCLAIMER.md](DISCLAIMER.md).
Wiki: https://sddcinfo.github.io/provisioning/
A self-contained, state-free PXE/onboarding **control plane** for bringing a fresh
NVIDIA GB10 (DGX Spark) appliance online over an isolated provisioning LAN.
It ships as container images + a Helm chart deployed on the appliance's own k3s:
```
containers/
  gb10-dnsmasq/         # DHCP + TFTP/PXE for the isolated provisioning network
  gb10-provision-api/   # FastAPI control-plane: serves cloud-init/autoinstall,
                        # tracks per-client onboarding state, renders user-data
helm/
  gb10-provision/       # Helm chart wiring dnsmasq + nginx + the API together
```
## Design
- **State-free.** No site inventory, credentials, MACs, or operator data live in this
repo. Everything host-specific is supplied at deploy time via Helm values / env.
- **Isolated-LAN security model.** The API binds only to the provisioning interface
(`--host $(LAN_IP)`, never `0.0.0.0`) and runs unprivileged. It assumes the
provisioning network is physically/logically isolated; it is **not** intended to be
exposed on a routable network.
- **Strict templating.** Jinja rendering uses `StrictUndefined`, so a missing variable
fails loudly rather than shipping a broken autoinstall seed.
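
A pre-flight check for the isolated-LAN bind rule above, as an added example (not code from this repository): it refuses wildcard, loopback, off-LAN and publicly routable bind addresses before the API starts. `validate_bind_host`, the `PROVISIONING_CIDR` variable and the 10.77.0.0/24 range are assumptions made for illustration; only `LAN_IP` appears in the project text.

```python
import ipaddress
import os
import sys


def validate_bind_host(host: str, provisioning_cidr: str) -> str:
    """Return the normalized bind address or raise ValueError.

    Hypothetical helper: neither this function nor PROVISIONING_CIDR is
    part of gb10-provision; only LAN_IP is named in the project text.
    """
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        # Hostnames are rejected: DNS could later resolve to another interface.
        raise ValueError(f"bind host {host!r} is not a literal IP address") from None
    net = ipaddress.ip_network(provisioning_cidr, strict=True)

    if addr.is_unspecified:  # 0.0.0.0 or ::
        raise ValueError("wildcard bind would expose the API on every interface")
    if addr.is_loopback:
        raise ValueError("loopback bind is unreachable for PXE clients")
    if not net.is_private:
        raise ValueError(f"{net} is publicly routable, not an isolated LAN")
    if addr.version != net.version or addr not in net:
        raise ValueError(f"{addr} is outside the provisioning network {net}")
    if addr in (net.network_address, net.broadcast_address):
        raise ValueError(f"{addr} is the network or broadcast address of {net}")
    return str(addr)


if __name__ == "__main__":
    # Constructed defaults so the script runs as-is; real values come from
    # the deploy-time environment.
    lan_ip = os.environ.get("LAN_IP", "10.77.0.1")
    cidr = os.environ.get("PROVISIONING_CIDR", "10.77.0.0/24")
    try:
        print("bind address OK:", validate_bind_host(lan_ip, cidr))
    except ValueError as exc:
        sys.exit(f"refusing to start: {exc}")
```

Run as a container entrypoint step or init check, a non-zero exit stops the pod before the API ever listens on an unintended interface.
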
## Deploy
```bash
# Import the images into the appliance's k3s containerd, then:
helm upgrade --install gb10-provision ./helm/gb10-provision \
--namespace gb10-provision --create-namespace \