Mount ironic HTPASSWD as volume instead of environment variable
Signed-off-by: Mahnoor Asghar <masghar@redhat.com>
MahnoorAsghar committed Apr 19, 2024
1 parent d0378b4 commit e0b507b
Showing 9 changed files with 70 additions and 33 deletions.
10 changes: 5 additions & 5 deletions hack/ci-e2e.sh
Expand Up @@ -176,17 +176,17 @@ for overlay in "${BMO_OVERLAYS[@]}"; do
done

for overlay in "${IRONIC_OVERLAYS[@]}"; do
echo "IRONIC_HTPASSWD=$(htpasswd -n -b -B "${IRONIC_USERNAME}" "${IRONIC_PASSWORD}")" > \
"${overlay}/ironic-htpasswd"
echo "${IRONIC_USERNAME}" > "${overlay}/ironic-username"
echo "${IRONIC_PASSWORD}" > "${overlay}/ironic-password"
envsubst < "${REPO_ROOT}/ironic-deployment/components/basic-auth/ironic-auth-config-tpl" > \
"${overlay}/ironic-auth-config"
if [[ "${overlay}" =~ -with-inspector ]]; then
IRONIC_INSPECTOR_AUTH_CONFIG_TPL="/tmp/ironic-inspector-auth-config-tpl"
curl -o "${IRONIC_INSPECTOR_AUTH_CONFIG_TPL}" https://raw.githubusercontent.com/metal3-io/baremetal-operator/release-0.5/ironic-deployment/components/basic-auth/ironic-inspector-auth-config-tpl
curl -o "${IRONIC_INSPECTOR_AUTH_CONFIG_TPL}" https://raw.githubusercontent.com/metal3-io/baremetal-operator/release-0.5/ironic-deployment/components/basic-auth/ironic-inspector-auth-config-tpl
envsubst < "${IRONIC_INSPECTOR_AUTH_CONFIG_TPL}" > \
"${overlay}/ironic-inspector-auth-config"
echo "INSPECTOR_HTPASSWD=$(htpasswd -n -b -B "${IRONIC_INSPECTOR_USERNAME}" \
"${IRONIC_INSPECTOR_PASSWORD}")" > "${overlay}/ironic-inspector-htpasswd"
echo "${IRONIC_INSPECTOR_USERNAME}" > "${overlay}/ironic-inspector-username"
echo "${IRONIC_INSPECTOR_PASSWORD}" > "${overlay}/ironic-inspector-password"
fi
done

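Review bot: The new `echo "${IRONIC_PASSWORD}" > "${overlay}/ironic-password"` (and its inspector twin below) writes the raw password to disk where the old `ironic-htpasswd` file held only a bcrypt hash (`htpasswd -B`), and it does so with the default umask and via `echo`, which appends a newline and would misinterpret a password beginning with `-n` or `-e`. Unless the image strips whitespace when it reads the mounted file, which is not visible here, that trailing newline becomes part of the `password` value kustomize puts into the Secret. Consider `(umask 077; printf '%s' "${IRONIC_PASSWORD}" > "${overlay}/ironic-password")` and the same form for the username and inspector files, and confirm the overlay files are deleted once the overlay has been applied, since this hunk shows no cleanup. The enclosing `for overlay` loop is fully within the hunk.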
12 changes: 9 additions & 3 deletions ironic-deployment/components/basic-auth/auth.yaml
Expand Up @@ -8,8 +8,14 @@ spec:
containers:
- name: ironic
envFrom:
# This is the htpassword matching the ironic password
- secretRef:
name: ironic-htpasswd
- configMapRef:
name: ironic-bmo-configmap
volumeMounts:
- name: ironic-htpasswd
mountPath: "/auth/ironic"
readOnly: true
volumes:
# This is the htpassword matching the ironic password
- name: ironic-htpasswd
secret:
secretName: ironic-htpasswd
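Review bot: The comment `# This is the htpassword matching the ironic password` carried over onto the new `volumes:` entry is now stale: the `ironic-htpasswd` Secret built by the overlays has `username` and `password` keys, so the files mounted at `/auth/ironic/username` and `/auth/ironic/password` hold the plaintext credential rather than a bcrypt hash. Reword it along the lines of `# Basic-auth username and password for ironic, projected as files under /auth/ironic (presumably turned into an htpasswd entry inside the container)`. Note also that Secret volumes are projected with mode 0644 by default, so every process in the container can read the password file; if the image's runtime user permits it, `defaultMode: 0400` on the volume would narrow that. The surrounding `spec` block starts outside the hunk.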
10 changes: 8 additions & 2 deletions ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml
Expand Up @@ -8,7 +8,13 @@ spec:
containers:
- name: ironic-httpd
envFrom:
- secretRef:
name: ironic-htpasswd
- configMapRef:
name: ironic-bmo-configmap
volumeMounts:
- name: ironic-htpasswd
mountPath: "/auth/ironic"
readOnly: true
volumes:
- name: ironic-htpasswd
secret:
secretName: ironic-htpasswd
6 changes: 4 additions & 2 deletions ironic-deployment/overlays/basic-auth_tls/kustomization.yaml
Expand Up @@ -24,6 +24,8 @@ patches:
# Example for how to generate the necessary secrets:
# secretGenerator:
# - behavior: create
# envs:
# - ironic-htpasswd
# - files:
# - username=ironic-username
# - password=ironic-password
# name: ironic-htpasswd
# type: Opaque
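Review bot: The commented example now feeds `username`/`password` keys into a Secret still called `ironic-htpasswd`, which no longer describes its content, and it does not say what the two source files must contain. A line such as `# ironic-username / ironic-password each hold only the raw value (not an htpasswd "user:hash" line)` above the `files:` entry would stop the next reader from pasting an `htpasswd -n` output into them. How strictly the container parses those files (e.g. trailing newline) is not visible here, so the example should at least point to where the format is defined.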
Expand Up @@ -26,12 +26,16 @@ images:
secretGenerator:
- name: ironic-htpasswd
behavior: create
envs:
- ironic-htpasswd
- files:
- username=ironic-username
- password=ironic-password
type: Opaque
- name: ironic-inspector-htpasswd
behavior: create
envs:
- ironic-inspector-htpasswd
- files:
- username=ironic-inspector-username
- password=ironic-inspector-password
type: Opaque
- name: ironic-auth-config
files:
- auth-config=ironic-auth-config
12 changes: 8 additions & 4 deletions ironic-deployment/overlays/e2e-with-inspector/kustomization.yaml
Expand Up @@ -22,12 +22,16 @@ patches:
secretGenerator:
- name: ironic-htpasswd
behavior: create
envs:
- ironic-htpasswd
- files:
- username=ironic-username
- password=ironic-password
type: Opaque
- name: ironic-inspector-htpasswd
behavior: create
envs:
- ironic-inspector-htpasswd
- files:
- username=ironic-inspector-username
- password=ironic-inspector-password
type: Opaque
- name: ironic-auth-config
files:
- auth-config=ironic-auth-config
6 changes: 4 additions & 2 deletions ironic-deployment/overlays/e2e/kustomization.yaml
Expand Up @@ -22,8 +22,10 @@ patches:
secretGenerator:
- name: ironic-htpasswd
behavior: create
envs:
- ironic-htpasswd
- files:
- username=ironic-username
- password=ironic-password
type: Opaque

replacements:
# Replace IRONIC_HOST_IP in certificates with the PROVISIONING_IP from the configmap
10 changes: 6 additions & 4 deletions tools/deploy.sh
Expand Up @@ -148,8 +148,8 @@ if [[ "${DEPLOY_BASIC_AUTH}" == "true" ]]; then
fi

if [[ "${DEPLOY_IRONIC}" == "true" ]]; then
echo "IRONIC_HTPASSWD=$(htpasswd -n -b -B "${IRONIC_USERNAME}" "${IRONIC_PASSWORD}")" > \
"${TEMP_IRONIC_OVERLAY}/ironic-htpasswd"
echo "${IRONIC_USERNAME}" > "${TEMP_IRONIC_OVERLAY}/ironic-username"
echo "${IRONIC_PASSWORD}" > "${TEMP_IRONIC_OVERLAY}/ironic-password"
fi
fi

Expand All @@ -164,7 +164,8 @@ if [[ "${DEPLOY_IRONIC}" == "true" ]]; then
--namespace=baremetal-operator-system --nameprefix=baremetal-operator-

if [ "${DEPLOY_BASIC_AUTH}" == "true" ]; then
${KUSTOMIZE} edit add secret ironic-htpasswd --from-env-file=ironic-htpasswd
${KUSTOMIZE} edit add secret ironic-htpasswd \
--from-file=username=ironic-username --from-file=password=ironic-password

if [[ "${DEPLOY_TLS}" == "true" ]]; then
# Basic-auth + TLS is special since TLS also means reverse proxy, which affects basic-auth.
Expand Down Expand Up @@ -270,7 +271,8 @@ if [[ "${DEPLOY_BASIC_AUTH}" == "true" ]]; then
fi

if [[ "${DEPLOY_IRONIC}" == "true" ]]; then
rm "${TEMP_IRONIC_OVERLAY}/ironic-htpasswd"
rm "${TEMP_IRONIC_OVERLAY}/ironic-username"
rm "${TEMP_IRONIC_OVERLAY}/ironic-password"

rm -f "${TEMP_IRONIC_OVERLAY}/ironic-auth-config"
rm -f "${TEMP_IRONIC_OVERLAY}/ironic-inspector-auth-config"
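Review bot: `echo "${IRONIC_PASSWORD}" > "${TEMP_IRONIC_OVERLAY}/ironic-password"` leaves the plaintext password on disk with the default umask until the `rm` roughly a hundred lines later, and nothing in the hunk guarantees that `rm` runs if `kustomize` or `kubectl` fails in between; the file it replaces held only a bcrypt hash, so the exposure window matters more now. Writing it as `(umask 077; printf '%s' "${IRONIC_PASSWORD}" > "${TEMP_IRONIC_OVERLAY}/ironic-password")` avoids the world-readable default and the newline and `-n` pitfalls of `echo`, and an `EXIT` trap removing `ironic-username`/`ironic-password` would cover the failure path, unless one already exists outside this hunk. The two new `rm` lines should also be `rm -f`, matching the `rm -f` on the auth-config files directly below them, so a partial earlier failure does not turn cleanup into a second error.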
25 changes: 18 additions & 7 deletions tools/run_local_ironic.sh
Expand Up @@ -169,11 +169,18 @@ if [[ -r "${IPXE_KEY_FILE}" ]]; then
fi

BASIC_AUTH_MOUNTS=""
IRONIC_HTPASSWD=""
IRONIC_HTPASSWD_USERNAME_FILE="${IRONIC_DATA_DIR}/auth/ironic-username"
IRONIC_HTPASSWD_PASSWORD_FILE="${IRONIC_DATA_DIR}/auth/ironic-password"
set +x
if [ -n "$IRONIC_USERNAME" ]; then
IRONIC_HTPASSWD="$(htpasswd -n -b -B "${IRONIC_USERNAME}" "${IRONIC_PASSWORD}")"
IRONIC_HTPASSWD="--env HTTP_BASIC_HTPASSWD=${IRONIC_HTPASSWD} --env IRONIC_HTPASSWD=${IRONIC_HTPASSWD}"
echo "$IRONIC_USERNAME" > "${IRONIC_HTPASSWD_USERNAME_FILE}"
IRONIC_HTPASSWD_USERNAME="-v ${IRONIC_HTPASSWD_USERNAME_FILE}:/auth/ironic/username"
fi
if [ -n "$IRONIC_PASSWORD" ]; then
echo "${IRONIC_PASSWORD}" > "${IRONIC_HTPASSWD_PASSWORD_FILE}"
IRONIC_HTPASSWD_PASSWORD="-v ${IRONIC_HTPASSWD_PASSWORD_FILE}:/auth/ironic/password"
fi
set -x

sudo mkdir -p "$IRONIC_DATA_DIR/html/images"
# Locally supplied IPA images are imported here when the environment variables are set accordingly.
Expand All @@ -192,13 +199,15 @@ fi

"$SCRIPTDIR/tools/remove_local_ironic.sh"

set +x
if [ "$IRONIC_USE_MARIADB" = "true" ]; then
# set password for mariadb
mariadb_password=$(echo "$(date;hostname)"|sha256sum |cut -c-20)
IRONIC_MARIADB_PASSWORD="--env MARIADB_PASSWORD=$mariadb_password"
else
IRONIC_MARIADB_PASSWORD=
fi
set -x

POD=""

Expand Down Expand Up @@ -235,9 +244,10 @@ sudo "${CONTAINER_RUNTIME}" run -d --net host --privileged --name dnsmasq \
# https://github.com/metal3-io/ironic-image/blob/main/scripts/runhttpd
# shellcheck disable=SC2086
sudo "${CONTAINER_RUNTIME}" run -d --net host --privileged --name httpd \
${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} ${IRONIC_HTPASSWD} \
${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} \
--env-file "${IRONIC_DATA_DIR}/ironic-vars.env" \
-v "$IRONIC_DATA_DIR:/shared" --entrypoint /bin/runhttpd "${IRONIC_IMAGE}"
-v "${IRONIC_DATA_DIR}:/shared" ${IRONIC_HTPASSWD_USERNAME} \
${IRONIC_HTPASSWD_PASSWORD} --entrypoint /bin/runhttpd "${IRONIC_IMAGE}"

if [ "$IRONIC_USE_MARIADB" = "true" ]; then
# https://github.com/metal3-io/mariadb-image/blob/main/runmariadb
Expand All @@ -252,10 +262,11 @@ fi
# https://github.com/metal3-io/ironic-image/blob/main/scripts/runironic
# shellcheck disable=SC2086
sudo "${CONTAINER_RUNTIME}" run -d --net host --privileged --name ironic \
${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} ${IRONIC_HTPASSWD} \
${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} \
--env-file "${IRONIC_DATA_DIR}/ironic-vars.env" \
${IRONIC_MARIADB_PASSWORD} --entrypoint /bin/runironic \
-v "$IRONIC_DATA_DIR:/shared" "${IRONIC_IMAGE}"
-v "$IRONIC_DATA_DIR:/shared" ${IRONIC_HTPASSWD_USERNAME} \
${IRONIC_HTPASSWD_PASSWORD} "${IRONIC_IMAGE}"

# Start ironic-endpoint-keepalived
# shellcheck disable=SC2086
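Review bot: `IRONIC_HTPASSWD_USERNAME` and `IRONIC_HTPASSWD_PASSWORD` are assigned only inside their `if` branches yet expanded unquoted in both `run` commands, and unlike `BASIC_AUTH_MOUNTS=""` just above them they are never initialised, so under `set -u` the script aborts when basic auth is off, and it silently diverges from the `IRONIC_HTPASSWD=""` default it replaced. The writes to `${IRONIC_DATA_DIR}/auth/...` also precede the only `mkdir -p` visible in the hunk (`html/images`), so the redirect fails unless `auth/` is created earlier in the file. The plaintext password now lives on the host under `${IRONIC_DATA_DIR}`, which is additionally bind-mounted wholesale at `/shared` into both containers, so it is readable at `/shared/auth/ironic-password` as well as at the intended `/auth/ironic/password`; a directory outside `IRONIC_DATA_DIR` (e.g. `mktemp -d`) or a `0700` `auth/` directory would limit that, subject to the uid the containers run as. Suggested shape for the setup section:

```shell
BASIC_AUTH_MOUNTS=""
IRONIC_HTPASSWD_USERNAME=""
IRONIC_HTPASSWD_PASSWORD=""
IRONIC_HTPASSWD_USERNAME_FILE="${IRONIC_DATA_DIR}/auth/ironic-username"
IRONIC_HTPASSWD_PASSWORD_FILE="${IRONIC_DATA_DIR}/auth/ironic-password"
# use sudo here as for html/images below if IRONIC_DATA_DIR is root-owned
mkdir -p "${IRONIC_DATA_DIR}/auth"
set +x
if [ -n "$IRONIC_USERNAME" ]; then
  printf '%s' "$IRONIC_USERNAME" > "${IRONIC_HTPASSWD_USERNAME_FILE}"
  IRONIC_HTPASSWD_USERNAME="-v ${IRONIC_HTPASSWD_USERNAME_FILE}:/auth/ironic/username"
fi
if [ -n "$IRONIC_PASSWORD" ]; then
  printf '%s' "${IRONIC_PASSWORD}" > "${IRONIC_HTPASSWD_PASSWORD_FILE}"
  IRONIC_HTPASSWD_PASSWORD="-v ${IRONIC_HTPASSWD_PASSWORD_FILE}:/auth/ironic/password"
fi
set -x
# … unchanged: image import, mariadb password, container runs …
```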
