From 84f1ae86e3ee9da2ed0213be04fcd9acae660008 Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Fri, 5 Jan 2024 10:56:50 +0100 Subject: [PATCH] Backward compable callback endpoint when Inspector is off Some PreprovisioningImage controller, like the one we have downstream, hardcode {IP}:5050/v1/continue in their IPA configuration. To avoid updating them in a lockstep with disabling Inspector, provide a small virtual host that proxies :5050/v1/continue to :6385/v1/continue_inspection. Signed-off-by: Dmitry Tantsur --- Dockerfile | 1 + .../apache2-inspector-compat.conf.j2 | 48 +++++++++++++++++++ scripts/runironic-inspector | 14 ++++-- 3 files changed, 58 insertions(+), 5 deletions(-) create mode 100644 ironic-config/apache2-inspector-compat.conf.j2 diff --git a/Dockerfile b/Dockerfile index 5a6226990..5dbde95f4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -58,6 +58,7 @@ COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/ COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/ COPY ironic-config/apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2 COPY ironic-config/apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2 +COPY ironic-config/apache2-inspector-compat.conf.j2 /etc/httpd-inspector-compat.conf.j2 # IRONIC-INSPECTOR # RUN mkdir -p /var/lib/ironic /var/lib/ironic-inspector && \ diff --git a/ironic-config/apache2-inspector-compat.conf.j2 b/ironic-config/apache2-inspector-compat.conf.j2 new file mode 100644 index 000000000..3e184ec74 --- /dev/null +++ b/ironic-config/apache2-inspector-compat.conf.j2 
@@ -0,0 +1,48 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+{% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
+
+{% else %}
+
+{% endif %}
+
+ SetEnv APACHE_RUN_USER ironic-inspector
+ SetEnv APACHE_RUN_GROUP ironic-inspector
+
+ ErrorLog /dev/stdout
+ LogLevel debug
+ CustomLog /dev/stdout combined
+
+ {% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
+ SSLEngine On
+ SSLProtocol {{ env.IRONIC_SSL_PROTOCOL }}
+ SSLCertificateFile {{ env.IRONIC_INSPECTOR_CERT_FILE }}
+ SSLCertificateKeyFile {{ env.IRONIC_INSPECTOR_KEY_FILE }}
+ {% endif %}
+
+ # Local connection, no need for proper TLS validation
+ SSLProxyVerify none
+ SSLProxyCheckPeerExpire off
+
+ ProxyPass "/v1/continue" "{{ env.IRONIC_SCHEME }}://127.0.0.1:{{ env.IRONIC_ACCESS_PORT }}/v1/continue_inspection"
+ ProxyPassReverse "/v1/continue" "{{ env.IRONIC_SCHEME }}://127.0.0.1:{{ env.IRONIC_ACCESS_PORT }}/v1/continue_inspection"
+
+
+ Require all denied
+
+
+
+ Require all granted
+
+
+
diff --git a/scripts/runironic-inspector b/scripts/runironic-inspector
index 9ff7da935..731d63c3a 100755
--- a/scripts/runironic-inspector
+++ b/scripts/runironic-inspector
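Review bot: In apache2-inspector-compat.conf.j2 the `SSLProxyVerify none` / `SSLProxyCheckPeerExpire off` pair is set, but no `SSLProxyEngine on` appears, while the `ProxyPass` target is built from `{{ env.IRONIC_SCHEME }}`; if that renders to `https`, the proxied request will fail unless the engine is enabled somewhere not shown here (for example in httpd.conf.j2). I would add `SSLProxyEngine on` next to `SSLProxyVerify none`. The "Local connection" comment should also say that skipping verification is acceptable only because the target is pinned to 127.0.0.1, e.g. `# Target is always 127.0.0.1; do not reuse these settings for a remote backend`, so a later change of the target host does not silently inherit it. The container tags around `Require all denied` and `Require all granted` are not visible on this page, so the scope of the two access rules could not be checked.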
@@ -14,11 +14,6 @@ export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false} # shellcheck disable=SC1091 . /bin/auth-common.sh -if [[ "$USE_IRONIC_INSPECTOR" == "false" ]]; then - echo "FATAL: ironic-inspector is disabled via USE_IRONIC_INSPECTOR" - exit 1 -fi - wait_for_interface_or_ip IRONIC_INSPECTOR_PORT=${IRONIC_INSPECTOR_ACCESS_PORT} @@ -39,6 +34,15 @@ build_j2_config() python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$CONFIG_FILE.j2" } +if [[ "$USE_IRONIC_INSPECTOR" == "false" ]]; then + # Compatibility with existing preprovisioning image controllers + render_j2_config /etc/httpd-inspector-compat.conf.j2 /etc/httpd/conf.d/inspector-compat.conf + mv /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.example + export HTTP_PORT="${IRONIC_INSPECTOR_LISTEN_PORT}" + render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf + exec /usr/sbin/httpd -DFOREGROUND +fi + # Merge with the original configuration file from the package. build_j2_config "$CONFIG" | crudini --merge "$CONFIG"
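Review bot: With `USE_IRONIC_INSPECTOR` set to `false` the script used to exit and now starts httpd on `IRONIC_INSPECTOR_LISTEN_PORT` without logging anything, so an operator who disabled Inspector gets a listener forwarding to Ironic's `/v1/continue_inspection` with no explanation in the container log. I would announce it before the first `render_j2_config` call, e.g. `echo "ironic-inspector is disabled, serving the /v1/continue compatibility proxy on port ${IRONIC_INSPECTOR_LISTEN_PORT}"`, and consider letting deployments that no longer need the compatibility endpoint turn it off. The template enables TLS on this listener only when `IRONIC_INSPECTOR_TLS_SETUP` is `true`, so it is worth confirming that disabling Inspector does not also leave that unset and drop the callback to plain HTTP. `render_j2_config` is not defined in the visible lines; presumably it comes from a sourced file.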