

Mount ironic credentials as volumes
Mount the ironic and inspector usernames and passwords as plain-text
volumes into the ironic-image pod, instead of the IRONIC_HTPASSWD and
INSPECTOR_HTPASSWD environment variables.

Signed-off-by: Mahnoor Asghar <masghar@redhat.com>
MahnoorAsghar committed May 13, 2024
1 parent 7037f02 commit a54767b
Showing 8 changed files with 40 additions and 19 deletions.
3 changes: 2 additions & 1 deletion hack/ci-e2e.sh
Expand Up @@ -180,9 +180,10 @@ for overlay in "${IRONIC_OVERLAYS[@]}"; do
"${overlay}/ironic-htpasswd"
envsubst < "${REPO_ROOT}/ironic-deployment/components/basic-auth/ironic-auth-config-tpl" > \
"${overlay}/ironic-auth-config"

if [[ "${overlay}" =~ -with-inspector ]]; then
IRONIC_INSPECTOR_AUTH_CONFIG_TPL="/tmp/ironic-inspector-auth-config-tpl"
curl -o "${IRONIC_INSPECTOR_AUTH_CONFIG_TPL}" https://raw.githubusercontent.com/metal3-io/baremetal-operator/release-0.5/ironic-deployment/components/basic-auth/ironic-inspector-auth-config-tpl
curl -o "${IRONIC_INSPECTOR_AUTH_CONFIG_TPL}" https://raw.githubusercontent.com/metal3-io/baremetal-operator/release-0.5/ironic-deployment/components/basic-auth/ironic-inspector-auth-config-tpl
envsubst < "${IRONIC_INSPECTOR_AUTH_CONFIG_TPL}" > \
"${overlay}/ironic-inspector-auth-config"
echo "INSPECTOR_HTPASSWD=$(htpasswd -n -b -B "${IRONIC_INSPECTOR_USERNAME}" \
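Review bot: The `curl -o "${IRONIC_INSPECTOR_AUTH_CONFIG_TPL}" https://raw.githubusercontent.com/...` download in this hunk has no `--fail`, so an HTTP error body is written into the template file with exit status 0 and `envsubst` then silently renders it into `${overlay}/ironic-inspector-auth-config`; `curl -fsS -o "${IRONIC_INSPECTOR_AUTH_CONFIG_TPL}" ...` makes the step fail instead. The template is also written to the fixed path `/tmp/ironic-inspector-auth-config-tpl`, which a `mktemp`-created file would avoid. The two printed versions of the curl line read identically on this page, so the actual change to that line is not visible here. The enclosing `for overlay` loop starts before the hunk and the `echo "INSPECTOR_HTPASSWD=..."` statement continues past its end.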
11 changes: 8 additions & 3 deletions ironic-deployment/components/basic-auth/auth.yaml
Expand Up @@ -8,8 +8,13 @@ spec:
containers:
- name: ironic
envFrom:
# This is the htpassword matching the ironic password
- secretRef:
name: ironic-htpasswd
- configMapRef:
name: ironic-bmo-configmap
volumeMounts:
- name: ironic-htpasswd
mountPath: "/auth/ironic"
readOnly: true
volumes:
- name: ironic-htpasswd
secret:
secretName: ironic-htpasswd
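Review bot: The new `ironic-htpasswd` secret volume sets no `defaultMode`, so the mounted htpasswd file gets the Kubernetes default mode (0644) inside the container and is readable by every uid in it; adding `defaultMode: 0440` (or `0400`) under `secret:` is the usual choice for a credential file, with the exact value depending on the uid/gid the ironic image runs as, which is not visible here. The identical `volumes:` block added in ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml has the same gap. The mount path `/auth/ironic` is also consumed as `/auth/ironic/htpasswd` by tools/run_local_ironic.sh on this page, and the `htpasswd` key comes from the `files: - htpasswd=ironic-htpasswd` secretGenerator entries, so a comment on the mount such as `# file name "htpasswd" is fixed by the secretGenerator key; the image reads /auth/ironic/htpasswd` would tie the three together.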
10 changes: 8 additions & 2 deletions ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml
Expand Up @@ -8,7 +8,13 @@ spec:
containers:
- name: ironic-httpd
envFrom:
- secretRef:
name: ironic-htpasswd
- configMapRef:
name: ironic-bmo-configmap
volumeMounts:
- name: ironic-htpasswd
mountPath: "/auth/ironic"
readOnly: true
volumes:
- name: ironic-htpasswd
secret:
secretName: ironic-htpasswd
5 changes: 3 additions & 2 deletions ironic-deployment/overlays/basic-auth_tls/kustomization.yaml
Expand Up @@ -24,6 +24,7 @@ patches:
# Example for how to generate the necessary secrets:
# secretGenerator:
# - behavior: create
# envs:
# - ironic-htpasswd
# files:
# - htpasswd=ironic-htpasswd
# name: ironic-htpasswd
# type: Opaque
Expand Up @@ -26,12 +26,12 @@ images:
secretGenerator:
- name: ironic-htpasswd
behavior: create
envs:
- ironic-htpasswd
files:
- htpasswd=ironic-htpasswd
- name: ironic-inspector-htpasswd
behavior: create
envs:
- ironic-inspector-htpasswd
files:
- htpasswd=ironic-inspector-htpasswd
- name: ironic-auth-config
files:
- auth-config=ironic-auth-config
5 changes: 3 additions & 2 deletions ironic-deployment/overlays/e2e/kustomization.yaml
Expand Up @@ -22,8 +22,9 @@ patches:
secretGenerator:
- name: ironic-htpasswd
behavior: create
envs:
- ironic-htpasswd
files:
- htpasswd=ironic-htpasswd
type: Opaque

replacements:
# Replace IRONIC_HOST_IP in certificates with the PROVISIONING_IP from the configmap
2 changes: 1 addition & 1 deletion tools/deploy.sh
Expand Up @@ -164,7 +164,7 @@ if [[ "${DEPLOY_IRONIC}" == "true" ]]; then
--namespace=baremetal-operator-system --nameprefix=baremetal-operator-

if [ "${DEPLOY_BASIC_AUTH}" == "true" ]; then
${KUSTOMIZE} edit add secret ironic-htpasswd --from-env-file=ironic-htpasswd
${KUSTOMIZE} edit add secret ironic-htpasswd --from-file=htpasswd=ironic-htpasswd

if [[ "${DEPLOY_TLS}" == "true" ]]; then
# Basic-auth + TLS is special since TLS also means reverse proxy, which affects basic-auth.
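Review bot: `${KUSTOMIZE} edit add secret ironic-htpasswd --from-file=htpasswd=ironic-htpasswd` now depends on a file at a path relative to the current directory, and nothing in the hunk checks that it exists or is non-empty before the edit, so a missing or empty htpasswd file only surfaces later at build or deploy time; a guard such as `[[ -s ironic-htpasswd ]] || { echo "ironic-htpasswd missing in $PWD" >&2; exit 1; }` ahead of the edit fails early with a clear message. The key name `htpasswd` must match the `files: - htpasswd=...` secretGenerator entries in the kustomizations on this page and the `/auth/ironic/htpasswd` path used by tools/run_local_ironic.sh, which is worth a one-line comment on the edit. As a point of style, `if [ "${DEPLOY_BASIC_AUTH}" == "true" ]` uses `[` with `==` while `if [[ "${DEPLOY_TLS}" == "true" ]]` four lines below uses `[[`. The enclosing `if` blocks start on the hunk header line and end past the hunk.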
15 changes: 11 additions & 4 deletions tools/run_local_ironic.sh
Expand Up @@ -170,10 +170,15 @@ fi

BASIC_AUTH_MOUNTS=""
IRONIC_HTPASSWD=""
IRONIC_HTPASSWD_FILE="${IRONIC_DATA_DIR}/auth/ironic-htpasswd"
IRONIC_HTPASSWD_MOUNT=""
set +x
if [ -n "$IRONIC_USERNAME" ]; then
IRONIC_HTPASSWD="$(htpasswd -n -b -B "${IRONIC_USERNAME}" "${IRONIC_PASSWORD}")"
IRONIC_HTPASSWD="--env HTTP_BASIC_HTPASSWD=${IRONIC_HTPASSWD} --env IRONIC_HTPASSWD=${IRONIC_HTPASSWD}"
echo "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
IRONIC_HTPASSWD_MOUNT="-v ${IRONIC_HTPASSWD_FILE}:/auth/ironic/htpasswd"
fi
set -x

sudo mkdir -p "$IRONIC_DATA_DIR/html/images"
# Locally supplied IPA images are imported here when the environment variables are set accordingly.
Expand All @@ -192,13 +197,15 @@ fi

"$SCRIPTDIR/tools/remove_local_ironic.sh"

set +x
if [ "$IRONIC_USE_MARIADB" = "true" ]; then
# set password for mariadb
mariadb_password=$(echo "$(date;hostname)"|sha256sum |cut -c-20)
IRONIC_MARIADB_PASSWORD="--env MARIADB_PASSWORD=$mariadb_password"
else
IRONIC_MARIADB_PASSWORD=
fi
set -x

POD=""

Expand Down Expand Up @@ -235,9 +242,9 @@ sudo "${CONTAINER_RUNTIME}" run -d --net host --privileged --name dnsmasq \
# https://github.com/metal3-io/ironic-image/blob/main/scripts/runhttpd
# shellcheck disable=SC2086
sudo "${CONTAINER_RUNTIME}" run -d --net host --privileged --name httpd \
${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} ${IRONIC_HTPASSWD} \
${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} ${IRONIC_HTPASSWD_MOUNT} \
--env-file "${IRONIC_DATA_DIR}/ironic-vars.env" \
-v "$IRONIC_DATA_DIR:/shared" --entrypoint /bin/runhttpd "${IRONIC_IMAGE}"
-v "${IRONIC_DATA_DIR}:/shared" --entrypoint /bin/runhttpd "${IRONIC_IMAGE}"

if [ "$IRONIC_USE_MARIADB" = "true" ]; then
# https://github.com/metal3-io/mariadb-image/blob/main/runmariadb
Expand All @@ -252,7 +259,7 @@ fi
# https://github.com/metal3-io/ironic-image/blob/main/scripts/runironic
# shellcheck disable=SC2086
sudo "${CONTAINER_RUNTIME}" run -d --net host --privileged --name ironic \
${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} ${IRONIC_HTPASSWD} \
${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} ${IRONIC_HTPASSWD_MOUNT} \
--env-file "${IRONIC_DATA_DIR}/ironic-vars.env" \
${IRONIC_MARIADB_PASSWORD} --entrypoint /bin/runironic \
-v "$IRONIC_DATA_DIR:/shared" "${IRONIC_IMAGE}"
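Review bot: `echo "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"` in the first hunk writes the credential file under the caller's umask, and no hunk creates `${IRONIC_DATA_DIR}/auth` (the script only `sudo mkdir -p`s `html/images` a few lines later), so the redirect fails if the directory is absent and, when it succeeds, the file is typically world-readable; `mkdir -p "${IRONIC_DATA_DIR}/auth"` followed by `( umask 077; printf '%s\n' "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}" )` addresses both, though ownership of `${IRONIC_DATA_DIR}` (the script uses sudo for its other mkdir) may require the same there. The bind mount `-v ${IRONIC_HTPASSWD_FILE}:/auth/ironic/htpasswd` is read-write; appending `:ro` matches the `readOnly: true` the Kubernetes manifests in this commit use. The removed line also passed `HTTP_BASIC_HTPASSWD` to the containers, which the new side drops entirely, so this presumably relies on the ironic image in use reading the mounted file — worth confirming against the runhttpd/runironic scripts linked in the hunk comments. Whether `IRONIC_DATA_DIR` is defined before the first hunk is not visible here.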
