GilmanLab · jmgilman · May 1, 2026 · May 1, 2026
diff --git a/bootstrap/k0s/Dockerfile b/bootstrap/k0s/Dockerfile
@@ -82,7 +82,7 @@ RUN cue export /tmp/providers.cue \
 FROM ${K0S_IMAGE}
 
 COPY bootstrap/k0s/k0s.cue /opt/bootstrap/k0s.cue
-COPY bootstrap/k0s/manifests/providers/namespaces.yaml /var/lib/k0s/manifests/providers/00-namespaces.yaml
+COPY bootstrap/k0s/manifests/providers/namespaces.yaml /opt/bootstrap/providers/namespaces.yaml
 COPY bootstrap/k0s/bootstrap-k0s.sh /usr/local/bin/bootstrap-k0s.sh
 COPY --from=chart-builder /usr/local/bin/cue /usr/local/bin/cue
 COPY --from=chart-builder /out/cert-manager.tgz /opt/bootstrap/charts/cert-manager.tgz
@@ -92,8 +92,8 @@ COPY --from=chart-builder /out/providers.yaml /opt/bootstrap/providers/providers
 
 ENV K0S_ENTRYPOINT_ROLE=controller+worker
 
-# Namespace manifests are always present; provider CRs are staged later by the
-# helper once the operator CRDs and webhook are available.
+# Provider namespaces are staged from /opt because /var/lib/k0s is mounted at
+# runtime. Provider CRs are staged later once the operator webhook is ready.
 RUN mkdir -p /etc/k0s /opt/bootstrap/charts \
     && chmod 0755 /usr/local/bin/bootstrap-k0s.sh
 

diff --git a/bootstrap/k0s/README.md b/bootstrap/k0s/README.md
@@ -45,6 +45,10 @@ TINKERBELL_ARTIFACTS_FILE_SERVER=http://10.10.20.1:7173
 TINKERBELL_DHCP_BIND_INTERFACE=eth1.20
 ```
 
+The VyOS-hosted bootstrap path leaves DHCP with VyOS/Kea. Tinkerbell's DHCP
+listener is disabled, while its HTTP, TFTP, gRPC, and SSH listeners bind to
+`TINKERBELL_PUBLIC_IP`.
+
 For local smoke runs, set `TINKERBELL_DHCP_BIND_INTERFACE` to an interface that
 actually exists inside the disposable bootstrap container, such as `eth0`.
 

diff --git a/bootstrap/k0s/bootstrap-k0s.sh b/bootstrap/k0s/bootstrap-k0s.sh
@@ -1,8 +1,10 @@
 #!/bin/sh
 set -eu
 
+provider_namespaces_src="/opt/bootstrap/providers/namespaces.yaml"
 provider_src="/opt/bootstrap/providers/providers.yaml"
 provider_dst_dir="/var/lib/k0s/manifests/providers"
+provider_namespaces_dst="${provider_dst_dir}/00-namespaces.yaml"
 provider_dst="${provider_dst_dir}/10-providers.yaml"
 k0s_source="/opt/bootstrap/k0s.cue"
 k0s_config="/etc/k0s/k0s.yaml"
@@ -50,6 +52,8 @@ render_k0s_config() {
 }
 
 render_k0s_config
+mkdir -p "$provider_dst_dir"
+cp "$provider_namespaces_src" "$provider_namespaces_dst"
 
 echo "starting k0s bootstrap controller"
 k0s controller --config "$k0s_config" --single --ignore-pre-flight-checks &
@@ -88,7 +92,6 @@ while :; do
 
   if k0s kubectl --request-timeout=5s apply --dry-run=server -f "$provider_src" >/dev/null 2>&1; then
     echo "operator API is ready; handing provider manifests to k0s manifest deployer"
-    mkdir -p "$provider_dst_dir"
     cp "$provider_src" "$provider_dst"
     break
   fi

diff --git a/bootstrap/k0s/k0s.cue b/bootstrap/k0s/k0s.cue
@@ -36,6 +36,10 @@ cfgTrustedProxies: [for proxy in strings.Split(cfgTrustedProxiesCSV, ",") if str
 		type: "ClusterIP"
 	}
 	deployment: {
+		additionalEnvs: [{
+			name:  "TINKERBELL_BIND_ADDRESS"
+			value: cfgPublicIP
+		}]
 		hostNetwork: true
 		init: {
 			enabled: false
@@ -48,7 +52,7 @@ cfgTrustedProxies: [for proxy in strings.Split(cfgTrustedProxiesCSV, ",") if str
 				bindAddr: "0.0.0.0"
 			}
 			smee: {
-				dhcpEnabled:                  true
+				dhcpEnabled:                  false
 				dhcpMode:                     cfgDHCPMode
 				dhcpBindInterface:            cfgDHCPBindInterface
 				dhcpIPForPacket:              cfgPublicIP