Only set IRONIC_DEPLOYMENT and IRONIC_INSECURE when needed

metal3-io · Dec 1, 2023 · d7a472d · d7a472d
1 parent dc93164
commit d7a472d
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 10 deletions.
diff --git a/api/v1alpha1/ironic_types.go b/api/v1alpha1/ironic_types.go
@@ -163,6 +163,12 @@ type IronicSpec struct {
 	// +optional
 	DisableVirtualMediaTLS bool `json:"disableVirtualMediaTLS,omitempty"`
 
+	// DisableRPCHostValidation turns off TLS host validation for JSON RPC connections between Ironic instances.
+	// This reduces the security of TLS. Only use if you're unable to provide TLS certificates valid for JSON RPC.
+	// Has no effect if Distributed is not set to true.
+	// +optional
+	DisableRPCHostValidation bool `json:"disableRPCHostValidation,omitempty"`
+
 	// Distributed causes Ironic to be deployed as a DaemonSet on control plane nodes instead of a deployment with 1 replica.
 	// Requires database to be installed and linked to DatabaseRef.
 	// EXPERIMENTAL: do not use (validation will fail)!

diff --git a/config/crd/bases/metal3.io_ironics.yaml b/config/crd/bases/metal3.io_ironics.yaml
@@ -56,6 +56,12 @@ spec:
                     type: string
                 type: object
                 x-kubernetes-map-type: atomic
+              disableRPCHostValidation:
+                description: DisableRPCHostValidation turns off TLS host validation
+                  for JSON RPC connections between Ironic instances. This reduces
+                  the security of TLS. Only use if you're unable to provide TLS certificates
+                  valid for JSON RPC. Has no effect if Distributed is not set to true.
+                type: boolean
               disableVirtualMediaTLS:
                 description: DisableVirtualMediaTLS turns off TLS on the virtual media
                   server, which may be required for hardware that cannot accept HTTPS

diff --git a/pkg/ironic/containers.go b/pkg/ironic/containers.go
@@ -137,16 +137,6 @@ func buildIronicEnvVars(ironic *metal3api.Ironic, db *metal3api.IronicDatabase,
 			Name:  "IRONIC_EXPOSE_JSON_RPC",
 			Value: strconv.FormatBool(ironic.Spec.Distributed),
 		},
-		// TODO(dtantsur): try to get rid of this one eventually
-		{
-			Name:  "IRONIC_INSECURE",
-			Value: "true",
-		},
-		// NOTE(dtantsur): this is not strictly correct but is required for JSON RPC authentication
-		{
-			Name:  "IRONIC_DEPLOYMENT",
-			Value: "Conductor",
-		},
 	}...)
 
 	if db != nil {
@@ -159,6 +149,20 @@ func buildIronicEnvVars(ironic *metal3api.Ironic, db *metal3api.IronicDatabase,
 		)
 	}
 
+	if ironic.Spec.Distributed {
+		result = append(result, []corev1.EnvVar{
+			// NOTE(dtantsur): this is not strictly correct but is required for JSON RPC authentication
+			{
+				Name:  "IRONIC_DEPLOYMENT",
+				Value: "Conductor",
+			},
+			{
+				Name:  "IRONIC_INSECURE",
+				Value: strconv.FormatBool(ironic.Spec.DisableRPCHostValidation),
+			},
+		}...)
+	}
+
 	// When TLS is used, httpd is responsible for authentication.
 	// When JSON RPC is enabled, the password is required for it as well.
 	if htpasswd != "" && (ironic.Spec.TLSRef.Name == "" || ironic.Spec.Distributed) {