Allow independent credentials for JSON RPC

It's probably not a great idea to allow users to easily access JSON RPC, so a different set of credentials is useful. Also allow the secret to be mounted directly without the convoluted auth-config format (which is an ini file in reality). Deprecate the auth-config approach (JSON RPC is the last instance where it's used). Signed-off-by: Dmitry Tantsur <[email protected]>
metal3-io · Jun 5, 2024 · 6fbe31a · 6fbe31a
1 parent 164ad23
commit 6fbe31a
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 16 deletions.
diff --git a/scripts/auth-common.sh b/scripts/auth-common.sh
@@ -15,32 +15,50 @@ IRONIC_HTPASSWD_FILE=/etc/ironic/htpasswd
 if [[ -f "/auth/ironic/htpasswd" ]]; then
     IRONIC_HTPASSWD=$(</auth/ironic/htpasswd)
 fi
+if [[ -f "/auth/ironic-rpc/htpasswd" ]]; then
+    IRONIC_RPC_HTPASSWD=$(</auth/ironic-rpc/htpasswd)
+fi
 export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
+export IRONIC_RPC_HTPASSWD=${IRONIC_RPC_HTPASSWD:-${IRONIC_HTPASSWD}}
+
+IRONIC_CONFIG=/etc/ironic/ironic.conf
 
-configure_client_basic_auth()
-{
-    local auth_config_file="/auth/$1/auth-config"
-    local dest="${2:-/etc/ironic/ironic.conf}"
-    if [[ -f "${auth_config_file}" ]]; then
-        # Merge configurations in the "auth" directory into the default ironic configuration file
-        crudini --merge "${dest}" < "${auth_config_file}"
-    fi
-}
 
 configure_json_rpc_auth()
 {
     if [[ "${IRONIC_EXPOSE_JSON_RPC}" == "true" ]]; then
-        if [[ -z "${IRONIC_HTPASSWD}" ]]; then
-            echo "FATAL: enabling JSON RPC requires authentication"
+        local auth_config_file="/auth/ironic-rpc/auth-config"
+        local username_file="/auth/ironic-rpc/username"
+        local password_file="/auth/ironic-rpc/password"
+        if [[ -f "${username_file}" ]] && [[ -f "${password_file}" ]]; then
+            crudini --set "${IRONIC_CONFIG}" json_rpc username "$(<${username_file})"
+            set +x
+            crudini --set "${IRONIC_CONFIG}" json_rpc password "$(<${password_file})"
+            set -x
+        elif [[ -f "${auth_config_file}" ]]; then
+            echo "WARNING: using auth-config is deprecated, mount a secret directly"
+            # Merge configurations in the "auth" directory into the default ironic configuration file
+            crudini --merge "${IRONIC_CONFIG}" < "${auth_config_file}"
+        else
+            echo "FATAL: no client-side credentials provided for JSON RPC"
             exit 1
         fi
-        printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
+
+        if [[ -z "${IRONIC_RPC_HTPASSWD}" ]]; then
+            if [[ -f "${username_file}" ]] && [[ -f "${password_file}" ]]; then
+                htpasswd -c -i -B "${IRONIC_HTPASSWD_FILE}-rpc" "$(<${username_file})" <"${password_file}"
+            else
+                echo "FATAL: enabling JSON RPC requires authentication"
+                exit 1
+            fi
+        else
+            printf "%s\n" "${IRONIC_RPC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
+        fi
     fi
 }
 
 configure_ironic_auth()
 {
-    local config=/etc/ironic/ironic.conf
     # Configure HTTP basic auth for API server
     if [[ -n "${IRONIC_HTPASSWD}" ]]; then
         printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"

diff --git a/scripts/configure-ironic.sh b/scripts/configure-ironic.sh
@@ -84,12 +84,10 @@ env | grep "^OS_" || true
 mkdir -p /shared/html
 mkdir -p /shared/ironic_prometheus_exporter
 
-configure_json_rpc_auth
-
 # The original ironic.conf is empty, and can be found in ironic.conf_orig
 render_j2_config /etc/ironic/ironic.conf.j2 /etc/ironic/ironic.conf
 
-configure_client_basic_auth ironic-rpc
+configure_json_rpc_auth
 
 # Make sure ironic traffic bypasses any proxies
 export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"