Require python-esiclient >= 1.3.0

We use the `openstack esi port forwarding` command in the `external_access`
role to configure port forwarding. Previously, this command would fail with
an error when attempting to create a port forwarding that already exists.
This made it difficult to identify legitimate failures.

With CCI-MOC/python-esiclient#89, python-esiclient is now idempotent and
will not emit an error if an existing port forwarding exactly matches the
requested configuration.

Author: larsks

cloudkit-aap/execution-environment/requirements.txt

@@ -1,6 +1,6 @@
 # This file was autogenerated by uv via the following command:
-#    uv pip compile pyproject.toml --python-version 3.11
-aiobotocore==2.21.1
+#    uv pip compile pyproject.toml
+aiobotocore==2.22.0
     # via cloudkit-aap (pyproject.toml)
 aiohappyeyeballs==2.6.1
     # via aiohttp
@@ -10,6 +10,8 @@ aioitertools==0.12.0
     # via aiobotocore
 aiosignal==1.3.2
     # via aiohttp
+annotated-types==0.7.0
+    # via pydantic
 ansible==11.5.0
     # via cloudkit-aap (pyproject.toml)
 ansible-core==2.18.5
@@ -27,32 +29,32 @@ autopage==0.5.2
     # via cliff
 babel==2.17.0
     # via python-esiclient
-boto3==1.37.1
+boto3==1.37.3
     # via cloudkit-aap (pyproject.toml)
-botocore==1.37.1
+botocore==1.37.3
     # via
     #   cloudkit-aap (pyproject.toml)
     #   aiobotocore
     #   boto3
     #   s3transfer
 cachetools==5.5.2
     # via google-auth
-certifi==2025.1.31
+certifi==2025.4.26
     # via
     #   kubernetes
     #   requests
 cffi==1.17.1
     # via cryptography
-charset-normalizer==3.4.1
+charset-normalizer==3.4.2
     # via requests
-cliff==4.9.1
+cliff==4.10.0
     # via
     #   osc-lib
     #   python-ironicclient
     #   python-openstackclient
 cmd2==2.5.11
     # via cliff
-cryptography==44.0.2
+cryptography==45.0.2
     # via
     #   ansible-core
     #   esisdk
@@ -68,12 +70,12 @@ decorator==5.2.1
     #   dogpile-cache
     #   esisdk
     #   openstacksdk
-dogpile-cache==1.3.4
+dogpile-cache==1.4.0
     # via
     #   esisdk
     #   openstacksdk
     #   python-ironicclient
-durationpy==0.9
+durationpy==0.10
     # via kubernetes
 esisdk==1.4.0
     # via
@@ -83,7 +85,7 @@ frozenlist==1.6.0
     # via
     #   aiohttp
     #   aiosignal
-google-auth==2.39.0
+google-auth==2.40.1
     # via kubernetes
 idna==3.10
     # via
@@ -115,9 +117,9 @@ jsonpointer==3.0.0
     # via jsonpatch
 jsonschema==4.23.0
     # via python-ironicclient
-jsonschema-specifications==2024.10.1
+jsonschema-specifications==2025.4.1
     # via jsonschema
-keystoneauth1==5.10.0
+keystoneauth1==5.11.0
     # via
     #   esisdk
     #   openstacksdk
@@ -136,7 +138,7 @@ metalsmith==2.4.1
     # via python-esiclient
 msgpack==1.1.0
     # via oslo-serialization
-multidict==6.4.3
+multidict==6.4.4
     # via
     #   aiobotocore
     #   aiohttp
@@ -170,7 +172,7 @@ osc-lib==4.0.0
     #   python-esiclient
     #   python-ironicclient
     #   python-openstackclient
-oslo-config==9.7.1
+oslo-config==9.8.0
     # via python-keystoneclient
 oslo-i18n==6.5.1
     # via
@@ -185,7 +187,7 @@ oslo-serialization==5.7.0
     # via
     #   python-keystoneclient
     #   python-novaclient
-oslo-utils==8.2.0
+oslo-utils==9.0.0
     # via
     #   osc-lib
     #   oslo-serialization
@@ -222,7 +224,7 @@ pbr==6.1.1
     #   stevedore
 pexpect==4.9.0
     # via ansible-runner
-platformdirs==4.3.7
+platformdirs==4.3.8
     # via
     #   openstacksdk
     #   python-ironicclient
@@ -251,6 +253,10 @@ pyasn1-modules==0.4.2
     # via google-auth
 pycparser==2.22
     # via cffi
+pydantic==2.11.4
+    # via cloudkit-aap (pyproject.toml)
+pydantic-core==2.33.2
+    # via pydantic
 pyparsing==3.2.3
     # via oslo-utils
 pyperclip==1.9.0
@@ -264,11 +270,11 @@ python-dateutil==2.9.0.post0
     #   aiobotocore
     #   botocore
     #   kubernetes
-python-esiclient==1.2.0
+python-esiclient==1.3.0
     # via cloudkit-aap (pyproject.toml)
 python-esileapclient==1.1.0
     # via cloudkit-aap (pyproject.toml)
-python-ironicclient==5.10.1
+python-ironicclient==5.11.0
     # via
     #   cloudkit-aap (pyproject.toml)
     #   python-esiclient
@@ -318,15 +324,15 @@ resolvelib==1.0.1
     # via ansible-core
 rfc3986==2.0.0
     # via oslo-config
-rpds-py==0.24.0
+rpds-py==0.25.0
     # via
     #   jsonschema
     #   referencing
 rsa==4.9.1
     # via google-auth
 s3transfer==0.11.3
     # via boto3
-setuptools==79.0.0
+setuptools==80.7.1
     # via pbr
 simplejson==3.20.1
     # via python-esiclient
@@ -352,7 +358,11 @@ typing-extensions==4.13.2
     # via
     #   keystoneauth1
     #   openstacksdk
-    #   referencing
+    #   pydantic
+    #   pydantic-core
+    #   typing-inspection
+typing-inspection==0.4.0
+    # via pydantic
 tzdata==2025.2
     # via
     #   oslo-serialization

cloudkit-aap/pyproject.toml

@@ -5,22 +5,19 @@ description = "Add your description here"
 readme = "README.md"
 requires-python = ">=3.13"
 dependencies = [
-    "aiobotocore>=2.21.1",
-    "ansible>=11.4.0",
-    "boto3>=1.37.0",
-    "botocore>=1.37.0",
-    "jmespath>=1.0.1",
-    "kubernetes>=32.0.1",
-    "pydantic>=2.11.3",
-    "python-esiclient>=1.1.0",
-    "python-esileapclient>=1.0.0",
-    "python-ironicclient>=5.10.0",
-    "python-openstackclient>=7.4.0",
-    "urllib3>=2.4.0",
+  "aiobotocore>=2.21.1",
+  "ansible>=11.4.0",
+  "boto3>=1.37.0",
+  "botocore>=1.37.0",
+  "jmespath>=1.0.1",
+  "kubernetes>=32.0.1",
+  "pydantic>=2.11.3",
+  "python-esiclient>=1.3.0",
+  "python-esileapclient>=1.0.0",
+  "python-ironicclient>=5.10.0",
+  "python-openstackclient>=7.4.0",
+  "urllib3>=2.4.0",
 ]
 
 [dependency-groups]
-development = [
-    "ansible-lint>=25.2.1",
-    "antsibull-changelog>=0.33.0",
-]
+development = ["ansible-lint>=25.2.1", "antsibull-changelog>=0.33.0"]

cloudkit-aap/roles/external_access/defaults/main.yaml

@@ -1,3 +1,4 @@
 external_access_resource_wait_retries: 360
 external_access_resource_wait_delay: 5
 external_access_dns_ttl: 1800
+external_access_agent_namespace: "hardware-inventory"

cloudkit-aap/roles/external_access/tasks/create_external_access.yaml

@@ -29,19 +29,11 @@
   ansible.builtin.set_fact:
     external_access_api_floating_ip: "{{ allocate_floating_ip_result }}"
 
-# FIXME: This will fail erroneously because the command is not idempotent;
-# see https://github.com/CCI-MOC/python-esiclient/issues/82. Unfortunately,
-# it will also fail legitimately if we failed to clean up from a previous
-# cluster and there exists a port forwarding to the same internal ip
-# address.
 - name: Create port forwarding  # noqa:no-changed-when
   ansible.builtin.command: >-
     openstack esi port forwarding create {{ external_access_api_internal_ip }} {{ external_access_api_floating_ip }}
       --internal-ip-network "{{ external_access_api_internal_network }}"
       -p {{ external_access_kube_apiserver_port }} -d "{{ external_access_name }}" -f json
-  register: create_forwarding
-  failed_when: >-
-    create_forwarding.rc != 0 and "duplicate port forwarding" not in create_forwarding.stderr
 
 - name: Create api dns records
   when: >-
@@ -64,8 +56,7 @@
     api_version: agent-install.openshift.io/v1beta1
     kind: Agent
 
-    # FIXME: This should not be hardcoded
-    namespace: "hardware-inventory"
+    namespace: "{{ external_access_agent_namespace }}"
     label_selectors:
     - "cloudkit.openshift.io/clusterorder={{ external_access_name }}"
   register: agents
@@ -101,9 +92,6 @@
   ansible.builtin.command: >-
     openstack esi port forwarding create {{ external_access_worker_node_ip }} {{ external_access_ingress_floating_ip }}
       -p 80 -p 443 -d "{{ external_access_name }}-ingress" -f json
-  register: create_forwarding
-  failed_when: >-
-    create_forwarding.rc != 0 and "duplicate port forwarding" not in create_forwarding.stderr
 
 - name: Create ingress dns record
   amazon.aws.route53: