Mount ironic credentials as volumes

Mount the ironic and inspector usernames and passwords as plain-text
volumes into the ironic-image pod, instead of the IRONIC_HTPASSWD and
INSPECTOR_HTPASSWD environment variables.

Signed-off-by: Mahnoor Asghar <masghar@redhat.com>

hack/ci-e2e.sh

@@ -176,17 +176,17 @@ for overlay in "${BMO_OVERLAYS[@]}"; do
 done
 
 for overlay in "${IRONIC_OVERLAYS[@]}"; do
-  echo "IRONIC_HTPASSWD=$(htpasswd -n -b -B "${IRONIC_USERNAME}" "${IRONIC_PASSWORD}")" > \
-    "${overlay}/ironic-htpasswd"
+  echo "${IRONIC_USERNAME}" > "${overlay}/ironic-username"
+  echo "${IRONIC_PASSWORD}" > "${overlay}/ironic-password"
   envsubst < "${REPO_ROOT}/ironic-deployment/components/basic-auth/ironic-auth-config-tpl" > \
   "${overlay}/ironic-auth-config"
   if [[ "${overlay}" =~ -with-inspector ]]; then
     IRONIC_INSPECTOR_AUTH_CONFIG_TPL="/tmp/ironic-inspector-auth-config-tpl"
-    curl -o "${IRONIC_INSPECTOR_AUTH_CONFIG_TPL}" https://raw.githubusercontent.com/metal3-io/baremetal-operator/release-0.5/ironic-deployment/components/basic-auth/ironic-inspector-auth-config-tpl 
+    curl -o "${IRONIC_INSPECTOR_AUTH_CONFIG_TPL}" https://raw.githubusercontent.com/metal3-io/baremetal-operator/release-0.5/ironic-deployment/components/basic-auth/ironic-inspector-auth-config-tpl
     envsubst < "${IRONIC_INSPECTOR_AUTH_CONFIG_TPL}" > \
       "${overlay}/ironic-inspector-auth-config"
-    echo "INSPECTOR_HTPASSWD=$(htpasswd -n -b -B "${IRONIC_INSPECTOR_USERNAME}" \
-      "${IRONIC_INSPECTOR_PASSWORD}")" > "${overlay}/ironic-inspector-htpasswd"
+    echo "${IRONIC_INSPECTOR_USERNAME}" > "${overlay}/ironic-inspector-username"
+    echo "${IRONIC_INSPECTOR_PASSWORD}" > "${overlay}/ironic-inspector-password"
   fi
 done
 

ironic-deployment/components/basic-auth/auth.yaml

@@ -8,8 +8,13 @@ spec:
       containers:
       - name: ironic
         envFrom:
-        # This is the htpassword matching the ironic password
-        - secretRef:
-            name: ironic-htpasswd
         - configMapRef:
             name: ironic-bmo-configmap
+        volumeMounts:
+        - name: ironic-credentials
+          mountPath: "/auth/ironic"
+          readOnly: true
+      volumes:
+      - name: ironic-credentials
+        secret:
+          secretName: ironic-credentials

ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml

@@ -8,7 +8,13 @@ spec:
       containers:
       - name: ironic-httpd
         envFrom:
-        - secretRef:
-            name: ironic-htpasswd
         - configMapRef:
             name: ironic-bmo-configmap
+        volumeMounts:
+        - name: ironic-credentials
+          mountPath: "/auth/ironic"
+          readOnly: true
+      volumes:
+      - name: ironic-credentials
+        secret:
+          secretName: ironic-credentials

ironic-deployment/overlays/basic-auth_tls/kustomization.yaml

@@ -24,6 +24,8 @@ patches:
 # Example for how to generate the necessary secrets:
 # secretGenerator:
 # - behavior: create
-#   envs:
-#   - ironic-htpasswd
-#   name: ironic-htpasswd
+#   files:
+#   - username=ironic-username
+#   - password=ironic-password
+#   name: ironic-credentials
+#   type: Opaque

ironic-deployment/overlays/e2e-release-24.0-with-inspector/kustomization.yaml

@@ -24,14 +24,18 @@ images:
 
 # NOTE: These credentials are generated automatically in hack/ci-e2e.sh
 secretGenerator:
-- name: ironic-htpasswd
+- name: ironic-credentials
   behavior: create
-  envs:
-  - ironic-htpasswd
-- name: ironic-inspector-htpasswd
+  files:
+  - username=ironic-username
+  - password=ironic-password
+  type: Opaque
+- name: ironic-inspector-credentials
   behavior: create
-  envs:
-  - ironic-inspector-htpasswd
+  files:
+  - username=ironic-inspector-username
+  - password=ironic-inspector-password
+  type: Opaque
 - name: ironic-auth-config
   files:
   - auth-config=ironic-auth-config

ironic-deployment/overlays/e2e-with-inspector/kustomization.yaml

@@ -20,14 +20,18 @@ patches:
 
 # NOTE: These credentials are generated automatically in hack/ci-e2e.sh
 secretGenerator:
-- name: ironic-htpasswd
+- name: ironic-credentials
   behavior: create
-  envs:
-  - ironic-htpasswd
-- name: ironic-inspector-htpasswd
+  files:
+  - username=ironic-username
+  - password=ironic-password
+  type: Opaque
+- name: ironic-inspector-credentials
   behavior: create
-  envs:
-  - ironic-inspector-htpasswd
+  files:
+  - username=ironic-inspector-username
+  - password=ironic-inspector-password
+  type: Opaque
 - name: ironic-auth-config
   files:
   - auth-config=ironic-auth-config

ironic-deployment/overlays/e2e/kustomization.yaml

@@ -20,10 +20,12 @@ patches:
 
 # NOTE: These credentials are generated automatically in hack/ci-e2e.sh
 secretGenerator:
-- name: ironic-htpasswd
+- name: ironic-credentials
   behavior: create
-  envs:
-  - ironic-htpasswd
+  files:
+  - username=ironic-username
+  - password=ironic-password
+  type: Opaque
 
 replacements:
   # Replace IRONIC_HOST_IP in certificates with the PROVISIONING_IP from the configmap

tools/deploy.sh

@@ -148,8 +148,8 @@ if [[ "${DEPLOY_BASIC_AUTH}" == "true" ]]; then
     fi
 
     if [[ "${DEPLOY_IRONIC}" == "true" ]]; then
-        echo "IRONIC_HTPASSWD=$(htpasswd -n -b -B "${IRONIC_USERNAME}" "${IRONIC_PASSWORD}")" > \
-        "${TEMP_IRONIC_OVERLAY}/ironic-htpasswd"
+        echo "${IRONIC_USERNAME}" > "${TEMP_IRONIC_OVERLAY}/ironic-username"
+        echo "${IRONIC_PASSWORD}" > "${TEMP_IRONIC_OVERLAY}/ironic-password"
     fi
 fi
 
@@ -164,7 +164,8 @@ if [[ "${DEPLOY_IRONIC}" == "true" ]]; then
     --namespace=baremetal-operator-system --nameprefix=baremetal-operator-
 
     if [ "${DEPLOY_BASIC_AUTH}" == "true" ]; then
-        ${KUSTOMIZE} edit add secret ironic-htpasswd --from-env-file=ironic-htpasswd
+        ${KUSTOMIZE} edit add secret ironic-credentials \
+            --from-file=username=ironic-username --from-file=password=ironic-password
 
         if [[ "${DEPLOY_TLS}" == "true" ]]; then
             # Basic-auth + TLS is special since TLS also means reverse proxy, which affects basic-auth.
@@ -270,7 +271,8 @@ if [[ "${DEPLOY_BASIC_AUTH}" == "true" ]]; then
     fi
 
     if [[ "${DEPLOY_IRONIC}" == "true" ]]; then
-        rm "${TEMP_IRONIC_OVERLAY}/ironic-htpasswd"
+        rm "${TEMP_IRONIC_OVERLAY}/ironic-username"
+        rm "${TEMP_IRONIC_OVERLAY}/ironic-password"
 
         rm -f "${TEMP_IRONIC_OVERLAY}/ironic-auth-config"
         rm -f "${TEMP_IRONIC_OVERLAY}/ironic-inspector-auth-config"

tools/run_local_ironic.sh

@@ -4,7 +4,7 @@ set -ex
 
 SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )/.." && pwd )"
 
-IRONIC_IMAGE=${IRONIC_IMAGE:-"quay.io/metal3-io/ironic:main"}
+IRONIC_IMAGE=${IRONIC_IMAGE:-"quay.io/rh-ee-masghar/myii:nineteen"}
 IRONIC_KEEPALIVED_IMAGE=${IRONIC_KEEPALIVED_IMAGE:-"quay.io/metal3-io/keepalived"}
 IPA_DOWNLOADER_IMAGE=${IPA_DOWNLOADER_IMAGE:-"quay.io/metal3-io/ironic-ipa-downloader:main"}
 MARIADB_IMAGE=${MARIADB_IMAGE:-"quay.io/metal3-io/mariadb:main"}
@@ -13,8 +13,8 @@ IPA_BASEURI=${IPA_BASEURI:-}
 IRONIC_DATA_DIR=${IRONIC_DATA_DIR:-"/opt/metal3-dev-env/ironic"}
 CONTAINER_RUNTIME="${CONTAINER_RUNTIME:-podman}"
 HTTP_PORT=${HTTP_PORT:-"6180"}
-PROVISIONING_IP="${PROVISIONING_IP:-"172.22.0.1"}"
-CLUSTER_PROVISIONING_IP="${CLUSTER_PROVISIONING_IP:-"172.22.0.2"}"
+PROVISIONING_IP="${PROVISIONING_IP:-"10.6.48.32"}"
+CLUSTER_PROVISIONING_IP="${CLUSTER_PROVISIONING_IP:-"10.6.48.32"}"
 # ironicendpoint is used in the CI setup
 if ip link show ironicendpoint > /dev/null; then
     PROVISIONING_INTERFACE="${PROVISIONING_INTERFACE:-ironicendpoint}"
@@ -169,11 +169,18 @@ if [[ -r "${IPXE_KEY_FILE}" ]]; then
 fi
 
 BASIC_AUTH_MOUNTS=""
-IRONIC_HTPASSWD=""
+IRONIC_CRED_USERNAME_FILE="${IRONIC_DATA_DIR}/auth/ironic-username"
+IRONIC_CRED_PASSWORD_FILE="${IRONIC_DATA_DIR}/auth/ironic-password"
+set +x
 if [ -n "$IRONIC_USERNAME" ]; then
-     IRONIC_HTPASSWD="$(htpasswd -n -b -B "${IRONIC_USERNAME}" "${IRONIC_PASSWORD}")"
-     IRONIC_HTPASSWD="--env HTTP_BASIC_HTPASSWD=${IRONIC_HTPASSWD} --env IRONIC_HTPASSWD=${IRONIC_HTPASSWD}"
+     echo "$IRONIC_USERNAME" > "${IRONIC_CRED_USERNAME_FILE}"
+     IRONIC_CRED_USERNAME="-v ${IRONIC_CRED_USERNAME_FILE}:/auth/ironic/username"
 fi
+if [ -n "$IRONIC_PASSWORD" ]; then
+     echo "${IRONIC_PASSWORD}" > "${IRONIC_CRED_PASSWORD_FILE}"
+     IRONIC_CRED_PASSWORD="-v ${IRONIC_CRED_PASSWORD_FILE}:/auth/ironic/password"
+fi
+set -x
 
 sudo mkdir -p "$IRONIC_DATA_DIR/html/images"
 # Locally supplied IPA images are imported here when the environment variables are set accordingly.
@@ -192,13 +199,15 @@ fi
 
 "$SCRIPTDIR/tools/remove_local_ironic.sh"
 
+set +x
 if [ "$IRONIC_USE_MARIADB" = "true" ]; then
     # set password for mariadb
     mariadb_password=$(echo "$(date;hostname)"|sha256sum |cut -c-20)
     IRONIC_MARIADB_PASSWORD="--env MARIADB_PASSWORD=$mariadb_password"
 else
     IRONIC_MARIADB_PASSWORD=
 fi
+set -x
 
 POD=""
 
@@ -235,9 +244,10 @@ sudo "${CONTAINER_RUNTIME}" run -d --net host --privileged --name dnsmasq \
 # https://github.com/metal3-io/ironic-image/blob/main/scripts/runhttpd
 # shellcheck disable=SC2086
 sudo "${CONTAINER_RUNTIME}" run -d --net host --privileged --name httpd \
-     ${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} ${IRONIC_HTPASSWD} \
+     ${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} \
      --env-file "${IRONIC_DATA_DIR}/ironic-vars.env" \
-     -v "$IRONIC_DATA_DIR:/shared" --entrypoint /bin/runhttpd "${IRONIC_IMAGE}"
+     -v "${IRONIC_DATA_DIR}:/shared" ${IRONIC_CRED_USERNAME} \
+     ${IRONIC_CRED_PASSWORD} --entrypoint /bin/runhttpd "${IRONIC_IMAGE}"
 
 if [ "$IRONIC_USE_MARIADB" = "true" ]; then
     # https://github.com/metal3-io/mariadb-image/blob/main/runmariadb
@@ -252,10 +262,11 @@ fi
 # https://github.com/metal3-io/ironic-image/blob/main/scripts/runironic
 # shellcheck disable=SC2086
 sudo "${CONTAINER_RUNTIME}" run -d --net host --privileged --name ironic \
-     ${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} ${IRONIC_HTPASSWD} \
+     ${POD} ${CERTS_MOUNTS} ${BASIC_AUTH_MOUNTS} \
      --env-file "${IRONIC_DATA_DIR}/ironic-vars.env" \
      ${IRONIC_MARIADB_PASSWORD} --entrypoint /bin/runironic \
-     -v "$IRONIC_DATA_DIR:/shared" "${IRONIC_IMAGE}"
+     -v "$IRONIC_DATA_DIR:/shared" ${IRONIC_CRED_USERNAME} \
+     ${IRONIC_CRED_PASSWORD} "${IRONIC_IMAGE}"
 
 # Start ironic-endpoint-keepalived
 # shellcheck disable=SC2086