Backward compable callback endpoint when Inspector is off

Some PreprovisioningImage controller, like the one we have downstream,
hardcode {IP}:5050/v1/continue in their IPA configuration. To avoid
updating them in a lockstep with disabling Inspector, provide a small
virtual host that proxies :5050/v1/continue to :6385/v1/continue_inspection.

Signed-off-by: Dmitry Tantsur <[email protected]>

Dockerfile

@@ -58,6 +58,7 @@ COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
 COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
 COPY ironic-config/apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
 COPY ironic-config/apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
+COPY ironic-config/apache2-inspector-compat.conf.j2 /etc/httpd-inspector-compat.conf.j2
 
 # IRONIC-INSPECTOR #
 RUN mkdir -p /var/lib/ironic /var/lib/ironic-inspector && \

ironic-config/apache2-inspector-compat.conf.j2

@@ -0,0 +1,48 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+{% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
+ <VirtualHost *:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
+{% else %}
+ <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
+{% endif %}
+
+    SetEnv APACHE_RUN_USER ironic-inspector
+    SetEnv APACHE_RUN_GROUP ironic-inspector
+
+    ErrorLog /dev/stdout
+    LogLevel debug
+    CustomLog /dev/stdout combined
+
+    {% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
+    SSLEngine On
+    SSLProtocol {{ env.IRONIC_SSL_PROTOCOL }}
+    SSLCertificateFile {{ env.IRONIC_INSPECTOR_CERT_FILE }}
+    SSLCertificateKeyFile {{ env.IRONIC_INSPECTOR_KEY_FILE }}
+    {% endif %}
+
+    # Local connection, no need for proper TLS validation
+    SSLProxyVerify none
+    SSLProxyCheckPeerExpire off
+
+    ProxyPass "/v1/continue" "{{ env.IRONIC_SCHEME }}://127.0.0.1:{{ env.IRONIC_ACCESS_PORT }}/v1/continue_inspection"
+    ProxyPassReverse "/v1/continue" "{{ env.IRONIC_SCHEME }}://127.0.0.1:{{ env.IRONIC_ACCESS_PORT }}/v1/continue_inspection"
+
+    <Location / >
+        Require all denied
+    </Location>
+
+    <Location /v1/continue >
+        Require all granted
+    </Location>
+
+</VirtualHost>

scripts/runironic-inspector

@@ -14,11 +14,6 @@ export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
 # shellcheck disable=SC1091
 . /bin/auth-common.sh
 
-if [[ "$USE_IRONIC_INSPECTOR" == "false" ]]; then
-    echo "FATAL: ironic-inspector is disabled via USE_IRONIC_INSPECTOR"
-    exit 1
-fi
-
 wait_for_interface_or_ip
 
 IRONIC_INSPECTOR_PORT=${IRONIC_INSPECTOR_ACCESS_PORT}
@@ -39,6 +34,15 @@ build_j2_config()
     python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$CONFIG_FILE.j2"
 }
 
+if [[ "$USE_IRONIC_INSPECTOR" == "false" ]]; then
+    # Compatibility with existing preprovisioning image controllers
+    render_j2_config /etc/httpd-inspector-compat.conf.j2 /etc/httpd/conf.d/inspector-compat.conf
+    mv /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.example
+    export HTTP_PORT="${IRONIC_INSPECTOR_LISTEN_PORT}"
+    render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf
+    exec /usr/sbin/httpd -DFOREGROUND
+fi
+
 # Merge with the original configuration file from the package.
 build_j2_config "$CONFIG" | crudini --merge "$CONFIG"