diff --git a/config/README.md b/config/README.md index 275c99a966..3bef7f6393 100644 --- a/config/README.md +++ b/config/README.md @@ -21,9 +21,8 @@ in `hack/ci-e2e.sh`, and put them directly in the `e2e` overlays. - **basic-auth** - Enable basic authentication. Note that the basic-auth component is missing the actual credentials. This is on purpose, to make sure that the user is setting the password instead of using sample - credentials. The required secrets are: + credentials. The required secrets is called: - `ironic-credentials` - - `ironic-inspector-credentials` - **tls** - Enable TLS. A CA certificate is needed here to verify the connection to Ironic. If you deploy BMO together with Ironic in a Kubernetes cluster, they can share the secret created for Ironic. The CA diff --git a/config/components/basic-auth/credentials_patch.yaml b/config/components/basic-auth/credentials_patch.yaml index c3a600f7eb..3048c16f3b 100644 --- a/config/components/basic-auth/credentials_patch.yaml +++ b/config/components/basic-auth/credentials_patch.yaml @@ -12,13 +12,7 @@ spec: - name: ironic-credentials mountPath: "/opt/metal3/auth/ironic" readOnly: true - - name: ironic-inspector-credentials - mountPath: "/opt/metal3/auth/ironic-inspector" - readOnly: true volumes: - name: ironic-credentials secret: secretName: ironic-credentials - - name: ironic-inspector-credentials - secret: - secretName: ironic-inspector-credentials diff --git a/config/components/basic-auth/kustomization.yaml b/config/components/basic-auth/kustomization.yaml index 44e9f0c413..9e91544ef6 100644 --- a/config/components/basic-auth/kustomization.yaml +++ b/config/components/basic-auth/kustomization.yaml @@ -1,14 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component -# NOTE: This component requires secrets with the basic auth credentials! -# How you create them is up to you. -# The required secrets are: +# NOTE: This component requires a secret with the basic auth credentials! +# How you create it is up to you. The required secrets is: # - ironic-credentials -# - ironic-inspector-credentials # -# Both should contain 2 fields: username and password. -# Example: +# It should contain 2 fields: username and password. Example: # # apiVersion: v1 # kind: Secret diff --git a/config/overlays/basic-auth_tls/kustomization.yaml b/config/overlays/basic-auth_tls/kustomization.yaml index 490f7c0be1..35d5c5ec37 100644 --- a/config/overlays/basic-auth_tls/kustomization.yaml +++ b/config/overlays/basic-auth_tls/kustomization.yaml @@ -14,7 +14,3 @@ components: # files: # - username=ironic-username # - password=ironic-password -# - name: ironic-inspector-credentials -# files: -# - username=ironic-inspector-username -# - password=ironic-inspector-password diff --git a/config/overlays/e2e/kustomization.yaml b/config/overlays/e2e/kustomization.yaml index 63c1e21eda..99c0f10336 100644 --- a/config/overlays/e2e/kustomization.yaml +++ b/config/overlays/e2e/kustomization.yaml @@ -35,7 +35,3 @@ secretGenerator: files: - username=ironic-username - password=ironic-password - - name: ironic-inspector-credentials - files: - - username=ironic-inspector-username - - password=ironic-inspector-password diff --git a/docs/deploying.md b/docs/deploying.md index dedc0428af..d2c9e278f3 100644 --- a/docs/deploying.md +++ b/docs/deploying.md @@ -110,9 +110,6 @@ ironic-deployment/ │   │   ├── ironic-auth-config │   │   ├── ironic-auth-config-tpl │   │   ├── ironic-htpasswd -│   │   ├── ironic-inspector-auth-config -│   │   ├── ironic-inspector-auth-config-tpl -│   │   ├── ironic-inspector-htpasswd │   │   └── kustomization.yaml │   ├── keepalived │   │   ├── ironic_bmo_configmap.env @@ -148,8 +145,8 @@ more information, check the readme in the `ironic-deployment` folder. There is a useful deployment script that configures and deploys BareMetal Operator and Ironic. It requires some variables : -- IRONIC_HOST : domain name for Ironic and inspector -- IRONIC_HOST_IP : IP on which Ironic and inspector are listening +- IRONIC_HOST : domain name for Ironic +- IRONIC_HOST_IP : IP on which Ironic is listening In addition you can configure the following variables. They are **optional**. If you leave them unset, then passwords and certificates will be generated @@ -158,18 +155,11 @@ for you. - KUBECTL_ARGS : Additional arguments to kubectl apply - IRONIC_USERNAME : username for ironic - IRONIC_PASSWORD : password for ironic -- IRONIC_INSPECTOR_USERNAME : username for inspector -- IRONIC_INSPECTOR_PASSWORD : password for inspector - IRONIC_CACERT_FILE : CA certificate path for ironic - IRONIC_CAKEY_FILE : CA certificate key path, unneeded if ironic certificates exist - IRONIC_CERT_FILE : Ironic certificate path - IRONIC_KEY_FILE : Ironic certificate key path -- IRONIC_INSPECTOR_CERT_FILE : Inspector certificate path -- IRONIC_INSPECTOR_KEY_FILE : Inspector certificate key path -- IRONIC_INSPECTOR_CACERT_FILE : CA certificate path for inspector, defaults to - IRONIC_CACERT_FILE -- IRONIC_INSPECTOR_CAKEY_FILE : CA certificate key path, unneeded if inspector certificates exist - MARIADB_KEY_FILE: Path to the key of MariaDB - MARIADB_CERT_FILE: Path to the cert of MariaDB diff --git a/docs/dev-setup.md b/docs/dev-setup.md index bff0e10f3f..9f23425b19 100644 --- a/docs/dev-setup.md +++ b/docs/dev-setup.md @@ -93,7 +93,6 @@ The following environment variables can be passed to configure the ironic: - DEPLOY_KERNEL_URL - the URL of the kernel to deploy ironic-python-agent - DEPLOY_RAMDISK_URL - the URL of the ramdisk to deploy ironic-python-agent - IRONIC_ENDPOINT - the endpoint of the ironic -- IRONIC_INSPECTOR_ENDPOINT - the endpoint of the ironic inspector - CACHEURL - the URL of the cached images - IRONIC_FAST_TRACK - whether to enable fast_track provisioning or not (default true) @@ -137,16 +136,11 @@ authentication enabled, you also need to export the following variables: - IRONIC_CACERT_FILE - IRONIC_CERT_FILE - IRONIC_KEY_FILE -- IRONIC_INSPECTOR_CACERT_FILE -- IRONIC_INSPECTOR_CERT_FILE -- IRONIC_INSPECTOR_KEY_FILE ### Basic authentication variables - IRONIC_USERNAME - IRONIC_PASSWORD -- IRONIC_INSPECTOR_USERNAME -- IRONIC_INSPECTOR_PASSWORD The names of these variables are self explanatory. TLS variables expect the path of the corresponding certificate/key file as their value. Basic diff --git a/docs/ironic-authentication.md b/docs/ironic-authentication.md index f7eb633843..e74487a469 100644 --- a/docs/ironic-authentication.md +++ b/docs/ironic-authentication.md @@ -1,14 +1,14 @@ # Authenticating to Ironic -Because hosts under the control of Metal³ need to contact the Ironic and Ironic -Inspector APIs during inspection and provisioning, it is highly advisable to -require authentication on those APIs, since the provisioned hosts running user +Because hosts under the control of Metal³ need to contact the Ironic +API during inspection and provisioning, it is highly advisable to +require authentication on this API, since the provisioned hosts running user workloads will remain connected to the provisioning network. ## Configuration -The `baremetal-operator` supports connecting to Ironic and Ironic Inspector -configured with the following `auth_strategy` modes: +The `baremetal-operator` supports connecting to Ironic configured with the +following `auth_strategy` modes: * `noauth` (no authentication) * `http_basic` (HTTP [Basic access authentication](https://en.wikipedia.org/wiki/Basic_access_authentication)) @@ -19,10 +19,8 @@ Authentication configuration is read from the filesystem, beginning at the root directory specified in the environment variable `METAL3_AUTH_ROOT_DIR`. If this variable is empty or not specified, the default is `/opt/metal3/auth`. -Within the root directory there are separate subdirectories, `ironic` for -Ironic client configuration, and `ironic-inspector` for Ironic Inspector client -configuration. (This allows the data to be populated from separate secrets when -deploying in Kubernetes.) +Within the root directory there is a separate subdirectory `ironic` for +Ironic client configuration. ### `noauth` diff --git a/hack/ci-e2e.sh b/hack/ci-e2e.sh index 7af7e41d13..c7c5ae68a6 100755 --- a/hack/ci-e2e.sh +++ b/hack/ci-e2e.sh @@ -118,29 +118,19 @@ IRONIC_OVERLAY="${REPO_ROOT}/ironic-deployment/overlays/e2e" IRONIC_USERNAME="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1)" IRONIC_PASSWORD="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1)" -IRONIC_INSPECTOR_USERNAME="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1)" -IRONIC_INSPECTOR_PASSWORD="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1)" echo "${IRONIC_USERNAME}" > "${BMO_OVERLAY}/ironic-username" echo "${IRONIC_PASSWORD}" > "${BMO_OVERLAY}/ironic-password" -echo "${IRONIC_INSPECTOR_USERNAME}" > "${BMO_OVERLAY}/ironic-inspector-username" -echo "${IRONIC_INSPECTOR_PASSWORD}" > "${BMO_OVERLAY}/ironic-inspector-password" BMO_UPGRADE_FROM_OVERLAY="${REPO_ROOT}/config/overlays/e2e-release-0.4" echo "${IRONIC_USERNAME}" > "${BMO_UPGRADE_FROM_OVERLAY}/ironic-username" echo "${IRONIC_PASSWORD}" > "${BMO_UPGRADE_FROM_OVERLAY}/ironic-password" -echo "${IRONIC_INSPECTOR_USERNAME}" > "${BMO_UPGRADE_FROM_OVERLAY}/ironic-inspector-username" -echo "${IRONIC_INSPECTOR_PASSWORD}" > "${BMO_UPGRADE_FROM_OVERLAY}/ironic-inspector-password" envsubst < "${REPO_ROOT}/ironic-deployment/components/basic-auth/ironic-auth-config-tpl" > \ "${IRONIC_OVERLAY}/ironic-auth-config" -envsubst < "${REPO_ROOT}/ironic-deployment/components/basic-auth/ironic-inspector-auth-config-tpl" > \ - "${IRONIC_OVERLAY}/ironic-inspector-auth-config" echo "IRONIC_HTPASSWD=$(htpasswd -n -b -B "${IRONIC_USERNAME}" "${IRONIC_PASSWORD}")" > \ "${IRONIC_OVERLAY}/ironic-htpasswd" -echo "INSPECTOR_HTPASSWD=$(htpasswd -n -b -B "${IRONIC_INSPECTOR_USERNAME}" \ - "${IRONIC_INSPECTOR_PASSWORD}")" > "${IRONIC_OVERLAY}/ironic-inspector-htpasswd" # We need to gather artifacts/logs before exiting also if there are errors diff --git a/ironic-deployment/base/ironic.yaml b/ironic-deployment/base/ironic.yaml index 31609189ac..2af30f0552 100644 --- a/ironic-deployment/base/ironic.yaml +++ b/ironic-deployment/base/ironic.yaml @@ -111,38 +111,6 @@ spec: privileged: false runAsUser: 997 # ironic runAsGroup: 994 # ironic - - name: ironic-inspector - image: quay.io/metal3-io/ironic - imagePullPolicy: Always - readinessProbe: - exec: - command: ["sh", "-c", "curl -sSf http://127.0.0.1:5050 || curl -sSf -k https://127.0.0.1:5050"] - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 10 - livenessProbe: - exec: - command: ["sh", "-c", "curl -sSf http://127.0.0.1:5050 || curl -sSf -k https://127.0.0.1:5050"] - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 10 - command: - - /bin/runironic-inspector - envFrom: - - configMapRef: - name: ironic-bmo-configmap - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - runAsUser: 996 # ironic-inspector - runAsGroup: 993 # ironicinspector - name: ironic-httpd image: quay.io/metal3-io/ironic imagePullPolicy: Always diff --git a/ironic-deployment/components/basic-auth/auth.yaml b/ironic-deployment/components/basic-auth/auth.yaml index d710aa1362..5262be045f 100644 --- a/ironic-deployment/components/basic-auth/auth.yaml +++ b/ironic-deployment/components/basic-auth/auth.yaml @@ -7,33 +7,13 @@ spec: spec: containers: - name: ironic - volumeMounts: - # This is the credentials for authenticating with inspector - - name: ironic-inspector-auth-config - mountPath: "/auth/ironic-inspector" - readOnly: true envFrom: - # This is the htpassword matching the ironic-auth-config that inspector has + # This is the htpassword matching the ironic-auth-config - secretRef: name: ironic-htpasswd - configMapRef: name: ironic-bmo-configmap - - name: ironic-inspector - volumeMounts: - # This is the credentials for authenticating with ironic - - name: ironic-auth-config - mountPath: "/auth/ironic" - readOnly: true - envFrom: - # This is the htpassword matching the ironic-inspector-auth-config that ironic has - - secretRef: - name: ironic-inspector-htpasswd - - configMapRef: - name: ironic-bmo-configmap volumes: - name: ironic-auth-config secret: secretName: ironic-auth-config - - name: ironic-inspector-auth-config - secret: - secretName: ironic-inspector-auth-config diff --git a/ironic-deployment/components/basic-auth/ironic-inspector-auth-config-tpl b/ironic-deployment/components/basic-auth/ironic-inspector-auth-config-tpl deleted file mode 100644 index 78bbcbd7ce..0000000000 --- a/ironic-deployment/components/basic-auth/ironic-inspector-auth-config-tpl +++ /dev/null @@ -1,4 +0,0 @@ -[inspector] -auth_type=http_basic -username=${IRONIC_INSPECTOR_USERNAME} -password=${IRONIC_INSPECTOR_PASSWORD} \ No newline at end of file diff --git a/ironic-deployment/components/basic-auth/kustomization.yaml b/ironic-deployment/components/basic-auth/kustomization.yaml index 8eaff16af5..062ca12583 100644 --- a/ironic-deployment/components/basic-auth/kustomization.yaml +++ b/ironic-deployment/components/basic-auth/kustomization.yaml @@ -5,9 +5,7 @@ kind: Component # How you create them is up to you. # The required secrets are: # - ironic-htpasswd -# - ironic-inspector-htpasswd # - ironic-auth-config -# - ironic-inspector-auth-config # # The content should be as in these examples: # @@ -21,23 +19,9 @@ kind: Component # apiVersion: v1 # kind: Secret # metadata: -# name: ironic-inspector-htpasswd -# data: -# INSPECTOR_HTPASSWD: -# --- -# apiVersion: v1 -# kind: Secret -# metadata: # name: ironic-auth-config # data: # auth-config: -# --- -# apiVersion: v1 -# kind: Secret -# metadata: -# name: ironic-inspector-auth-config -# data: -# auth-config: # # Check `ironic-auth-config-tpl` for a template of what to put in the auth-config. diff --git a/ironic-deployment/components/keepalived/ironic_bmo_configmap.env b/ironic-deployment/components/keepalived/ironic_bmo_configmap.env index 7e31d52ea3..d9c459514b 100644 --- a/ironic-deployment/components/keepalived/ironic_bmo_configmap.env +++ b/ironic-deployment/components/keepalived/ironic_bmo_configmap.env @@ -8,3 +8,4 @@ IRONIC_ENDPOINT=http://172.22.0.2:6385/v1/ CACHEURL=http://172.22.0.1/images IRONIC_FAST_TRACK=true IRONIC_KERNEL_PARAMS=console=ttyS0 +USE_IRONIC_INSPECTOR=false diff --git a/ironic-deployment/components/tls/certificate.yaml b/ironic-deployment/components/tls/certificate.yaml index 9bd75b4cd2..d8a83c7aa7 100644 --- a/ironic-deployment/components/tls/certificate.yaml +++ b/ironic-deployment/components/tls/certificate.yaml @@ -39,16 +39,3 @@ spec: kind: Issuer name: ca-issuer secretName: ironic-cert ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: ironic-inspector-cert -spec: - commonName: ironic-inspector-cert - ipAddresses: - - IRONIC_HOST_IP - issuerRef: - kind: Issuer - name: ca-issuer - secretName: ironic-inspector-cert diff --git a/ironic-deployment/components/tls/tls.yaml b/ironic-deployment/components/tls/tls.yaml index a09a51105b..491eb7eaf3 100644 --- a/ironic-deployment/components/tls/tls.yaml +++ b/ironic-deployment/components/tls/tls.yaml @@ -16,15 +16,10 @@ spec: env: - name: IRONIC_REVERSE_PROXY_SETUP value: "true" - - name: INSPECTOR_REVERSE_PROXY_SETUP - value: "true" volumeMounts: - name: cert-ironic-ca mountPath: "/certs/ca/ironic" readOnly: true - - name: cert-ironic-inspector-ca - mountPath: "/certs/ca/ironic-inspector" - readOnly: true - name: ironic-httpd livenessProbe: exec: @@ -35,50 +30,17 @@ spec: env: - name: IRONIC_REVERSE_PROXY_SETUP value: "true" - - name: INSPECTOR_REVERSE_PROXY_SETUP - value: "true" volumeMounts: - name: cert-ironic mountPath: "/certs/ironic" readOnly: true - - name: cert-ironic-inspector - mountPath: "/certs/ironic-inspector" - readOnly: true - name: cert-ironic-ca mountPath: "/certs/ca/ironic" readOnly: true - - name: cert-ironic-inspector-ca - mountPath: "/certs/ca/ironic-inspector" - readOnly: true - - name: ironic-inspector - readinessProbe: - exec: - command: ["sh", "-c", "curl -sSf http://127.0.0.1:5049"] - livenessProbe: - exec: - command: ["sh", "-c", "curl -sSf http://127.0.0.1:5049"] - env: - - name: IRONIC_REVERSE_PROXY_SETUP - value: "true" - - name: INSPECTOR_REVERSE_PROXY_SETUP - value: "true" - volumeMounts: - - name: cert-ironic-ca - mountPath: "/certs/ca/ironic" - readOnly: true - - name: cert-ironic-inspector-ca - mountPath: "/certs/ca/ironic-inspector" - readOnly: true volumes: - name: cert-ironic-ca secret: secretName: ironic-cacert - - name: cert-ironic-inspector-ca - secret: - secretName: ironic-cacert - name: cert-ironic secret: secretName: ironic-cert - - name: cert-ironic-inspector - secret: - secretName: ironic-inspector-cert diff --git a/ironic-deployment/default/ironic_bmo_configmap.env b/ironic-deployment/default/ironic_bmo_configmap.env index 7351648a6a..39f612e2b5 100644 --- a/ironic-deployment/default/ironic_bmo_configmap.env +++ b/ironic-deployment/default/ironic_bmo_configmap.env @@ -8,4 +8,4 @@ CACHEURL=http://172.22.0.1/images IRONIC_FAST_TRACK=true IRONIC_KERNEL_PARAMS=console=ttyS0 IRONIC_INSPECTOR_VLAN_INTERFACES=all -USE_IRONIC_INSPECTOR=true +USE_IRONIC_INSPECTOR=false diff --git a/ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml b/ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml index a2b56205ed..cd734eed84 100644 --- a/ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml +++ b/ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml @@ -10,21 +10,13 @@ spec: envFrom: - secretRef: name: ironic-htpasswd - - secretRef: - name: ironic-inspector-htpasswd - configMapRef: name: ironic-bmo-configmap volumeMounts: - mountPath: /auth/ironic name: ironic-auth-config readOnly: true - - mountPath: /auth/ironic-inspector - name: ironic-inspector-auth-config - readOnly: true volumes: - name: ironic-auth-config secret: secretName: ironic-auth-config - - name: ironic-inspector-auth-config - secret: - secretName: ironic-inspector-auth-config diff --git a/ironic-deployment/overlays/basic-auth_tls/kustomization.yaml b/ironic-deployment/overlays/basic-auth_tls/kustomization.yaml index 9df46e96de..4768fb42d4 100644 --- a/ironic-deployment/overlays/basic-auth_tls/kustomization.yaml +++ b/ironic-deployment/overlays/basic-auth_tls/kustomization.yaml @@ -20,13 +20,6 @@ patches: # envs: # - ironic-htpasswd # name: ironic-htpasswd -# - behavior: create -# envs: -# - ironic-inspector-htpasswd -# name: ironic-inspector-htpasswd # - name: ironic-auth-config # files: # - auth-config=ironic-auth-config -# - name: ironic-inspector-auth-config -# files: -# - auth-config=ironic-inspector-auth-config diff --git a/ironic-deployment/overlays/e2e/ironic_bmo_configmap.env b/ironic-deployment/overlays/e2e/ironic_bmo_configmap.env index 24c556e11a..2686d1ddea 100644 --- a/ironic-deployment/overlays/e2e/ironic_bmo_configmap.env +++ b/ironic-deployment/overlays/e2e/ironic_bmo_configmap.env @@ -7,3 +7,4 @@ CACHEURL=http://192.168.222.199/images IRONIC_FAST_TRACK=true IRONIC_KERNEL_PARAMS=console=ttyS0 IRONIC_INSPECTOR_VLAN_INTERFACES=all +USE_IRONIC_INSPECTOR=false diff --git a/ironic-deployment/overlays/e2e/kustomization.yaml b/ironic-deployment/overlays/e2e/kustomization.yaml index 7710dbc3b9..7978315158 100644 --- a/ironic-deployment/overlays/e2e/kustomization.yaml +++ b/ironic-deployment/overlays/e2e/kustomization.yaml @@ -24,16 +24,9 @@ secretGenerator: behavior: create envs: - ironic-htpasswd -- name: ironic-inspector-htpasswd - behavior: create - envs: - - ironic-inspector-htpasswd - name: ironic-auth-config files: - auth-config=ironic-auth-config -- name: ironic-inspector-auth-config - files: - - auth-config=ironic-inspector-auth-config replacements: # Replace IRONIC_HOST_IP in certificates with the PROVISIONING_IP from the configmap diff --git a/tools/deploy.sh b/tools/deploy.sh index b486006223..4427a28902 100755 --- a/tools/deploy.sh +++ b/tools/deploy.sh @@ -142,41 +142,18 @@ if [[ "${DEPLOY_BASIC_AUTH}" == "true" ]]; then IRONIC_PASSWORD="$(cat "${IRONIC_AUTH_DIR}ironic-password")" fi fi - if [ -z "${IRONIC_INSPECTOR_USERNAME:-}" ]; then - if [ ! -f "${IRONIC_AUTH_DIR}ironic-inspector-username" ]; then - IRONIC_INSPECTOR_USERNAME="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1)" - echo "$IRONIC_INSPECTOR_USERNAME" > "${IRONIC_AUTH_DIR}ironic-inspector-username" - else - IRONIC_INSPECTOR_USERNAME="$(cat "${IRONIC_AUTH_DIR}ironic-inspector-username")" - fi - fi - if [ -z "${IRONIC_INSPECTOR_PASSWORD:-}" ]; then - if [ ! -f "${IRONIC_AUTH_DIR}ironic-inspector-password" ]; then - IRONIC_INSPECTOR_PASSWORD="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1)" - echo "$IRONIC_INSPECTOR_PASSWORD" > "${IRONIC_AUTH_DIR}ironic-inspector-password" - else - IRONIC_INSPECTOR_PASSWORD="$(cat "${IRONIC_AUTH_DIR}ironic-inspector-password")" - fi - fi if [[ "${DEPLOY_BMO}" == "true" ]]; then echo "${IRONIC_USERNAME}" > "${TEMP_BMO_OVERLAY}/ironic-username" echo "${IRONIC_PASSWORD}" > "${TEMP_BMO_OVERLAY}/ironic-password" - - echo "${IRONIC_INSPECTOR_USERNAME}" > "${TEMP_BMO_OVERLAY}/ironic-inspector-username" - echo "${IRONIC_INSPECTOR_PASSWORD}" > "${TEMP_BMO_OVERLAY}/ironic-inspector-password" fi if [[ "${DEPLOY_IRONIC}" == "true" ]]; then envsubst < "${IRONIC_BASIC_AUTH_COMPONENT}/ironic-auth-config-tpl" > \ "${TEMP_IRONIC_OVERLAY}/ironic-auth-config" - envsubst < "${IRONIC_BASIC_AUTH_COMPONENT}/ironic-inspector-auth-config-tpl" > \ - "${TEMP_IRONIC_OVERLAY}/ironic-inspector-auth-config" echo "IRONIC_HTPASSWD=$(htpasswd -n -b -B "${IRONIC_USERNAME}" "${IRONIC_PASSWORD}")" > \ "${TEMP_IRONIC_OVERLAY}/ironic-htpasswd" - echo "INSPECTOR_HTPASSWD=$(htpasswd -n -b -B "${IRONIC_INSPECTOR_USERNAME}" \ - "${IRONIC_INSPECTOR_PASSWORD}")" > "${TEMP_IRONIC_OVERLAY}/ironic-inspector-htpasswd" fi fi @@ -192,9 +169,7 @@ if [[ "${DEPLOY_IRONIC}" == "true" ]]; then if [ "${DEPLOY_BASIC_AUTH}" == "true" ]; then ${KUSTOMIZE} edit add secret ironic-htpasswd --from-env-file=ironic-htpasswd - ${KUSTOMIZE} edit add secret ironic-inspector-htpasswd --from-env-file=ironic-inspector-htpasswd ${KUSTOMIZE} edit add secret ironic-auth-config --from-file=auth-config=ironic-auth-config - ${KUSTOMIZE} edit add secret ironic-inspector-auth-config --from-file=auth-config=ironic-inspector-auth-config if [[ "${DEPLOY_TLS}" == "true" ]]; then # Basic-auth + TLS is special since TLS also means reverse proxy, which affects basic-auth. @@ -235,8 +210,6 @@ if [[ "${DEPLOY_BMO}" == "true" ]]; then # These files are created below ${KUSTOMIZE} edit add secret ironic-credentials \ --from-file=username=ironic-username --from-file=password=ironic-password - ${KUSTOMIZE} edit add secret ironic-inspector-credentials \ - --from-file=username=ironic-inspector-username --from-file=password=ironic-inspector-password fi if [[ "${DEPLOY_TLS}" == "true" ]]; then @@ -270,11 +243,6 @@ if [[ "${DEPLOY_IRONIC}" == "true" ]]; then fi IRONIC_BMO_CONFIGMAP="${TEMP_IRONIC_OVERLAY}/ironic_bmo_configmap.env" cp "${IRONIC_BMO_CONFIGMAP_SOURCE}" "${IRONIC_BMO_CONFIGMAP}" - if grep -q "INSPECTOR_REVERSE_PROXY_SETUP" "${IRONIC_BMO_CONFIGMAP}" ; then - sed "s/\(INSPECTOR_REVERSE_PROXY_SETUP\).*/\1=${DEPLOY_TLS}/" -i "${IRONIC_BMO_CONFIGMAP}" - else - echo "INSPECTOR_REVERSE_PROXY_SETUP=${DEPLOY_TLS}" >> "${IRONIC_BMO_CONFIGMAP}" - fi if grep -q "RESTART_CONTAINER_CERTIFICATE_UPDATED" "${IRONIC_BMO_CONFIGMAP}" ; then sed "s/\(RESTART_CONTAINER_CERTIFICATE_UPDATED\).*/\1=${RESTART_CONTAINER_CERTIFICATE_UPDATED}/" -i "${IRONIC_BMO_CONFIGMAP}" else @@ -302,15 +270,15 @@ if [[ "${DEPLOY_BASIC_AUTH}" == "true" ]]; then if [[ "${DEPLOY_BMO}" == "true" ]]; then rm "${TEMP_BMO_OVERLAY}/ironic-username" rm "${TEMP_BMO_OVERLAY}/ironic-password" - rm "${TEMP_BMO_OVERLAY}/ironic-inspector-username" - rm "${TEMP_BMO_OVERLAY}/ironic-inspector-password" + rm -f "${TEMP_BMO_OVERLAY}/ironic-inspector-username" + rm -f "${TEMP_BMO_OVERLAY}/ironic-inspector-password" fi if [[ "${DEPLOY_IRONIC}" == "true" ]]; then rm "${TEMP_IRONIC_OVERLAY}/ironic-auth-config" - rm "${TEMP_IRONIC_OVERLAY}/ironic-inspector-auth-config" - rm "${TEMP_IRONIC_OVERLAY}/ironic-htpasswd" - rm "${TEMP_IRONIC_OVERLAY}/ironic-inspector-htpasswd" + + rm -f "${TEMP_IRONIC_OVERLAY}/ironic-inspector-auth-config" + rm -f "${TEMP_IRONIC_OVERLAY}/ironic-inspector-htpasswd" fi fi diff --git a/tools/run_local_ironic.sh b/tools/run_local_ironic.sh index 17c0e168e4..64616e9340 100755 --- a/tools/run_local_ironic.sh +++ b/tools/run_local_ironic.sh @@ -31,10 +31,6 @@ IRONIC_CERT_FILE="${IRONIC_CERT_FILE:-}" IRONIC_KEY_FILE="${IRONIC_KEY_FILE:-}" IRONIC_TLS_SETUP=${IRONIC_TLS_SETUP:-"true"} -IRONIC_INSPECTOR_CACERT_FILE="${IRONIC_INSPECTOR_CACERT_FILE:-}" -IRONIC_INSPECTOR_CERT_FILE="${IRONIC_INSPECTOR_CERT_FILE:-}" -IRONIC_INSPECTOR_KEY_FILE="${IRONIC_INSPECTOR_KEY_FILE:-}" - MARIADB_CACERT_FILE="${MARIADB_CACERT_FILE:-}" MARIADB_CERT_FILE="${MARIADB_CERT_FILE:-}" MARIADB_KEY_FILE="${MARIADB_KEY_FILE:-}" @@ -72,15 +68,6 @@ if [ "$IRONIC_TLS_SETUP" = "true" ]; then -out "${IRONIC_CERT_FILE}" -keyout "${IRONIC_KEY_FILE}" fi - if [ -z "$IRONIC_INSPECTOR_CERT_FILE" ]; then - IRONIC_INSPECTOR_CERT_FILE="${IRONIC_DATA_DIR}/tls/inspector.crt" - IRONIC_INSPECTOR_KEY_FILE="${IRONIC_DATA_DIR}/tls/inspector.key" - IRONIC_INSPECTOR_CACERT_FILE="${IRONIC_CERT_FILE}" - sudo openssl req -x509 -newkey rsa:4096 -nodes -days 365 -subj "/CN=ironic" \ - -addext "subjectAltName = IP:${CLUSTER_PROVISIONING_IP},IP:${PROVISIONING_IP}" \ - -out "${IRONIC_INSPECTOR_CERT_FILE}" -keyout "${IRONIC_INSPECTOR_KEY_FILE}" - fi - export IRONIC_BASE_URL="https://${CLUSTER_PROVISIONING_IP}" if [ -z "$IRONIC_CACERT_FILE" ]; then export IRONIC_CACERT_FILE=$IRONIC_CERT_FILE @@ -96,13 +83,11 @@ IRONIC_ENDPOINT="${IRONIC_ENDPOINT:-"${IRONIC_BASE_URL}:6385/v1/"}" CACHEURL="${CACHEURL:-"http://${PROVISIONING_IP}/images"}" IRONIC_FAST_TRACK="${IRONIC_FAST_TRACK:-"true"}" IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-"true"} -INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-"true"} IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-"false"} if [[ $IRONIC_TLS_SETUP == *false* ]] then # No reverse proxy for Ironic if TLS is not used IRONIC_REVERSE_PROXY_SETUP="false" - INSPECTOR_REVERSE_PROXY_SETUP="false" fi IRONIC_INSPECTOR_VLAN_INTERFACES=${IRONIC_INSPECTOR_VLAN_INTERFACES:-"all"} @@ -120,15 +105,14 @@ IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK} IRONIC_KERNEL_PARAMS=${IRONIC_KERNEL_PARAMS} IRONIC_BOOT_ISO_SOURCE=${IRONIC_BOOT_ISO_SOURCE} IRONIC_TLS_SETUP=${IRONIC_TLS_SETUP} -IRONIC_INSPECTOR_TLS_SETUP=${IRONIC_TLS_SETUP} IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP} -INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP} IRONIC_INSPECTOR_VLAN_INTERFACES=${IRONIC_INSPECTOR_VLAN_INTERFACES} IPA_BASEURI=${IPA_BASEURI} IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB} HTTP_PROXY=${HTTP_PROXY} HTTPS_PROXY=${HTTPS_PROXY} NO_PROXY=${NO_PROXY} +USE_IRONIC_INSPECTOR=false EOF if [ "$IRONIC_TLS_SETUP" == "true" ] && [ -n "$IRONIC_CA_CERT_B64" ]; then @@ -163,15 +147,6 @@ fi if [ -r "$IRONIC_KEY_FILE" ]; then CERTS_MOUNTS="${CERTS_MOUNTS} -v ${IRONIC_KEY_FILE}:/certs/ironic/tls.key " fi -if [ -r "$IRONIC_INSPECTOR_CACERT_FILE" ]; then - CERTS_MOUNTS="${CERTS_MOUNTS} -v ${IRONIC_INSPECTOR_CACERT_FILE}:/certs/ca/ironic-inspector/tls.crt " -fi -if [ -r "$IRONIC_INSPECTOR_CERT_FILE" ]; then - CERTS_MOUNTS="${CERTS_MOUNTS} -v ${IRONIC_INSPECTOR_CERT_FILE}:/certs/ironic-inspector/tls.crt " -fi -if [ -r "$IRONIC_INSPECTOR_KEY_FILE" ]; then - CERTS_MOUNTS="${CERTS_MOUNTS} -v ${IRONIC_INSPECTOR_KEY_FILE}:/certs/ironic-inspector/tls.key " -fi if [ -r "$MARIADB_CACERT_FILE" ]; then CERTS_MOUNTS="${CERTS_MOUNTS} -v ${MARIADB_CACERT_FILE}:/certs/ca/mariadb/tls.crt " @@ -202,14 +177,6 @@ if [ -n "$IRONIC_USERNAME" ]; then IRONIC_HTPASSWD="$(htpasswd -n -b -B "${IRONIC_USERNAME}" "${IRONIC_PASSWORD}")" IRONIC_HTPASSWD="--env HTTP_BASIC_HTPASSWD=${IRONIC_HTPASSWD} --env IRONIC_HTPASSWD=${IRONIC_HTPASSWD}" fi -IRONIC_INSPECTOR_HTPASSWD="" -if [ -n "$IRONIC_INSPECTOR_USERNAME" ]; then - envsubst < "${SCRIPTDIR}/ironic-deployment/components/basic-auth/ironic-inspector-auth-config-tpl" > \ - "${IRONIC_DATA_DIR}/auth/ironic-inspector-auth-config" - BASIC_AUTH_MOUNTS="${BASIC_AUTH_MOUNTS} -v ${IRONIC_DATA_DIR}/auth/ironic-inspector-auth-config:/auth/ironic-inspector/auth-config" - IRONIC_INSPECTOR_HTPASSWD="$(htpasswd -n -b -B "${IRONIC_INSPECTOR_USERNAME}" "${IRONIC_INSPECTOR_PASSWORD}")" - IRONIC_INSPECTOR_HTPASSWD="--env HTTP_BASIC_HTPASSWD=${IRONIC_INSPECTOR_HTPASSWD} --env INSPECTOR_HTPASSWD=${IRONIC_INSPECTOR_HTPASSWD}" -fi sudo mkdir -p "$IRONIC_DATA_DIR/html/images" # Locally supplied IPA images are imported here when the environment variables are set accordingly. @@ -304,11 +271,3 @@ sudo "${CONTAINER_RUNTIME}" run -d --net host --privileged --name ironic-endpoin sudo "${CONTAINER_RUNTIME}" run -d --net host --privileged --name ironic-log-watch \ ${POD} --entrypoint /bin/runlogwatch.sh \ -v "$IRONIC_DATA_DIR:/shared" "${IRONIC_IMAGE}" - -# Start Ironic Inspector -# shellcheck disable=SC2086 -sudo "${CONTAINER_RUNTIME}" run -d --net host --privileged --name ironic-inspector \ - ${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} ${IRONIC_INSPECTOR_HTPASSWD} \ - --env-file "${IRONIC_DATA_DIR}/ironic-vars.env" \ - --entrypoint /bin/runironic-inspector \ - -v "$IRONIC_DATA_DIR:/shared" "${IRONIC_IMAGE}"