From 490c7511bbe3be4d23393b73552c9a33ec67a9dc Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur <dtantsur@protonmail.com>
Date: Tue, 14 Nov 2023 16:54:53 +0100
Subject: [PATCH] Minimum change to support inspection without inspector

A lot more clean-up is possible, but this change allows testing
the new approach already.

Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>
---
 ironic-config/httpd-ironic-api.conf.j2 |  2 +-
 ironic-config/ironic.conf.j2           | 23 +++++++++++++++--------
 scripts/configure-ironic.sh            |  4 +++-
 scripts/ironic-common.sh               |  8 ++++++++
 scripts/runhttpd                       |  9 +++++++--
 scripts/runironic-inspector            |  5 +++++
 6 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/ironic-config/httpd-ironic-api.conf.j2 b/ironic-config/httpd-ironic-api.conf.j2
index 6338deca1..bda581669 100644
--- a/ironic-config/httpd-ironic-api.conf.j2
+++ b/ironic-config/httpd-ironic-api.conf.j2
@@ -79,7 +79,7 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
         Require all granted
     </Location>
 
-    <Location ~ "^/(v1/)?(lookup|heartbeat)" >
+    <Location ~ "^/(v1/)?(lookup|heartbeat|continue_inspection)" >
         Require all granted
     </Location>
 </VirtualHost>
diff --git a/ironic-config/ironic.conf.j2 b/ironic-config/ironic.conf.j2
index dd99ae14d..2ecdd654e 100644
--- a/ironic-config/ironic.conf.j2
+++ b/ironic-config/ironic.conf.j2
@@ -2,7 +2,7 @@
 auth_strategy = noauth
 debug = true
 default_deploy_interface = direct
-default_inspect_interface = inspector
+default_inspect_interface = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %}
 default_network_interface = noop
 enabled_bios_interfaces = idrac-wsman,no-bios,redfish,idrac-redfish,irmc,ilo
 enabled_boot_interfaces = ipxe,ilo-ipxe,pxe,ilo-pxe,fake,redfish-virtual-media,idrac-redfish-virtual-media,ilo-virtual-media
@@ -10,7 +10,7 @@ enabled_deploy_interfaces = direct,fake,ramdisk,custom-agent
 # NOTE(dtantsur): when changing this, make sure to update the driver
 # dependencies in Dockerfile.
 enabled_hardware_types = ipmi,idrac,irmc,fake-hardware,redfish,ibmc,manual-management,ilo,ilo5
-enabled_inspect_interfaces = inspector,idrac-wsman,irmc,fake,redfish,ilo
+enabled_inspect_interfaces = {% if env.USE_IRONIC_INSPECTOR == "true" %}inspector{% else %}agent{% endif %},idrac-wsman,irmc,fake,redfish,ilo
 enabled_management_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ibmc,ilo,ilo5,noop
 enabled_power_interfaces = ipmitool,idrac-wsman,irmc,fake,redfish,idrac-redfish,ibmc,ilo
 enabled_raid_interfaces = no-raid,irmc,agent,fake,ibmc,idrac-wsman,redfish,idrac-redfish,ilo5
@@ -133,19 +133,26 @@ external_callback_url = {{ env.IRONIC_EXTERNAL_CALLBACK_URL }}
 dhcp_provider = none
 
 [inspector]
-endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
 power_off = {{ false if env.IRONIC_FAST_TRACK == "true" else true }}
-{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
-cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }}
-insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
-{% endif %}
 # NOTE(dtantsur): keep inspection arguments synchronized with inspector.ipxe
 # Also keep in mind that only parameters unique for inspection go here.
 # No need to duplicate pxe_append_params/kernel_append_params.
 extra_kernel_params = ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} ipa-enable-vlan-interfaces={{ env.IRONIC_INSPECTOR_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1
+
+{% if env.USE_IRONIC_INSPECTOR == "true" %}
+endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
+{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
+cafile = {{ env.IRONIC_INSPECTOR_CACERT_FILE }}
+insecure = {{ env.IRONIC_INSPECTOR_INSECURE }}
+{% endif %}
 {% if env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE %}
 callback_endpoint_override = {{ env.IRONIC_INSPECTOR_CALLBACK_ENDPOINT_OVERRIDE }}
 {% endif %}
+{% else %}
+hooks = $default_hooks,parse-lldp
+add_ports = all
+keep_ports = present
+{% endif %}
 
 [ipmi]
 # use_ipmitool_retries transfers the responsibility of retrying to ipmitool
@@ -212,7 +219,7 @@ kernel_append_params = nofb nomodeset vga=normal ipa-insecure=1 {% if env.IRONIC
 # boot (the default), ensuring that they boot correctly even if they start
 # netbooting for some reason (e.g. with the noop management interface).
 enable_netboot_fallback = true
-# Enable the fallback path to ironic-inspector
+# Enable the fallback path to in-band inspection
 ipxe_fallback_script = inspector.ipxe
 
 [redfish]
diff --git a/scripts/configure-ironic.sh b/scripts/configure-ironic.sh
index 6a50af0fa..6e36113a0 100755
--- a/scripts/configure-ironic.sh
+++ b/scripts/configure-ironic.sh
@@ -93,7 +93,9 @@ configure_json_rpc_auth
 # The original ironic.conf is empty, and can be found in ironic.conf_orig
 render_j2_config /etc/ironic/ironic.conf.j2 /etc/ironic/ironic.conf
 
-configure_client_basic_auth ironic-inspector
+if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
+    configure_client_basic_auth ironic-inspector
+fi
 configure_client_basic_auth ironic-rpc
 
 # Make sure ironic traffic bypasses any proxies
diff --git a/scripts/ironic-common.sh b/scripts/ironic-common.sh
index 7fbdb38a2..f63f6a36a 100644
--- a/scripts/ironic-common.sh
+++ b/scripts/ironic-common.sh
@@ -100,3 +100,11 @@ export IRONIC_LISTEN_PORT=${IRONIC_LISTEN_PORT:-$IRONIC_ACCESS_PORT}
 
 export IRONIC_INSPECTOR_ACCESS_PORT=${IRONIC_INSPECTOR_ACCESS_PORT:-5050}
 export IRONIC_INSPECTOR_LISTEN_PORT=${IRONIC_INSPECTOR_LISTEN_PORT:-$IRONIC_INSPECTOR_ACCESS_PORT}
+
+# If this is false, built-in inspection is used.
+export USE_IRONIC_INSPECTOR=${USE_IRONIC_INSPECTOR:-true}
+export IRONIC_INSPECTOR_ENABLE_DISCOVERY=${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}
+if [[ "${USE_IRONIC_INSPECTOR}" != "true" ]] && [[ "${IRONIC_INSPECTOR_ENABLE_DISCOVERY}" == "true" ]]; then
+    echo "Discovery is only supported with ironic-inspector at this point"
+    exit 1
+fi
diff --git a/scripts/runhttpd b/scripts/runhttpd
index d05ae070d..ab8c4fcf1 100755
--- a/scripts/runhttpd
+++ b/scripts/runhttpd
@@ -33,7 +33,12 @@ chmod 0777 /shared/html
 
 IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}"
 
-INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue"
+if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
+    INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue"
+else
+    INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
+fi
+
 if [[ "$IRONIC_FAST_TRACK" == "true" ]]; then
     INSPECTOR_EXTRA_ARGS+=" ipa-api-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}"
 fi
@@ -47,7 +52,7 @@ mv /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.example
 # Render the core httpd config
 render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf
 
-if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then
+if [[ "$USE_IRONIC_INSPECTOR" == "true" ]] && [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then
     if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "true" ]]; then
         render_j2_config "$INSPECTOR_ORIG_HTTPD_CONFIG" "$INSPECTOR_RESULT_HTTPD_CONFIG"
     fi
diff --git a/scripts/runironic-inspector b/scripts/runironic-inspector
index 36902764e..9ff7da935 100755
--- a/scripts/runironic-inspector
+++ b/scripts/runironic-inspector
@@ -14,6 +14,11 @@ export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
 # shellcheck disable=SC1091
 . /bin/auth-common.sh
 
+if [[ "$USE_IRONIC_INSPECTOR" == "false" ]]; then
+    echo "FATAL: ironic-inspector is disabled via USE_IRONIC_INSPECTOR"
+    exit 1
+fi
+
 wait_for_interface_or_ip
 
 IRONIC_INSPECTOR_PORT=${IRONIC_INSPECTOR_ACCESS_PORT}