Remove Inspector from all deployments scripts

With this change, the scripts will no longer install ironic-inspector,
relying on the ironic's built-in inspection instead.

Note that BMO itself still supports Inspector as the inspection backend,
the change only affects deploy.sh and Kustomization configs.

Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>

config/README.md

@@ -21,9 +21,8 @@ in `hack/ci-e2e.sh`, and put them directly in the `e2e` overlays.
    - **basic-auth** - Enable basic authentication. Note that the basic-auth
       component is missing the actual credentials. This is on purpose, to make
       sure that the user is setting the password instead of using sample
-      credentials. The required secrets are:
+      credentials. The required secrets is called:
       - `ironic-credentials`
-      - `ironic-inspector-credentials`
    - **tls** - Enable TLS. A CA certificate is needed here to verify the
       connection to Ironic. If you deploy BMO together with Ironic in a
       Kubernetes cluster, they can share the secret created for Ironic. The CA

config/components/basic-auth/credentials_patch.yaml

@@ -12,13 +12,7 @@ spec:
         - name: ironic-credentials
           mountPath: "/opt/metal3/auth/ironic"
           readOnly: true
-        - name: ironic-inspector-credentials
-          mountPath: "/opt/metal3/auth/ironic-inspector"
-          readOnly: true
       volumes:
       - name: ironic-credentials
         secret:
           secretName: ironic-credentials
-      - name: ironic-inspector-credentials
-        secret:
-          secretName: ironic-inspector-credentials

config/components/basic-auth/kustomization.yaml

@@ -1,14 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 
-# NOTE: This component requires secrets with the basic auth credentials!
-# How you create them is up to you.
-# The required secrets are:
+# NOTE: This component requires a secret with the basic auth credentials!
+# How you create it is up to you. The required secrets is:
 # - ironic-credentials
-# - ironic-inspector-credentials
 #
-# Both should contain 2 fields: username and password.
-# Example:
+# It should contain 2 fields: username and password. Example:
 #
 # apiVersion: v1
 # kind: Secret

config/overlays/basic-auth_tls/kustomization.yaml

@@ -14,7 +14,3 @@ components:
 #     files:
 #     - username=ironic-username
 #     - password=ironic-password
-#   - name: ironic-inspector-credentials
-#     files:
-#     - username=ironic-inspector-username
-#     - password=ironic-inspector-password

config/overlays/e2e-release-0.5/kustomization.yaml

@@ -30,7 +30,3 @@ secretGenerator:
   files:
   - username=ironic-username
   - password=ironic-password
-- name: ironic-inspector-credentials
-  files:
-  - username=ironic-inspector-username
-  - password=ironic-inspector-password

config/overlays/e2e/kustomization.yaml

@@ -35,7 +35,3 @@ secretGenerator:
     files:
     - username=ironic-username
     - password=ironic-password
-  - name: ironic-inspector-credentials
-    files:
-    - username=ironic-inspector-username
-    - password=ironic-inspector-password

docs/deploying.md

@@ -110,9 +110,6 @@ ironic-deployment/
 │   │   ├── ironic-auth-config
 │   │   ├── ironic-auth-config-tpl
 │   │   ├── ironic-htpasswd
-│   │   ├── ironic-inspector-auth-config
-│   │   ├── ironic-inspector-auth-config-tpl
-│   │   ├── ironic-inspector-htpasswd
 │   │   └── kustomization.yaml
 │   ├── keepalived
 │   │   ├── ironic_bmo_configmap.env
@@ -148,8 +145,8 @@ more information, check the readme in the `ironic-deployment` folder.
 There is a useful deployment script that configures and deploys BareMetal
 Operator and Ironic. It requires some variables :
 
-- IRONIC_HOST : domain name for Ironic and inspector
-- IRONIC_HOST_IP : IP on which Ironic and inspector are listening
+- IRONIC_HOST : domain name for Ironic
+- IRONIC_HOST_IP : IP on which Ironic is listening
 
 In addition you can configure the following variables. They are **optional**.
 If you leave them unset, then passwords and certificates will be generated
@@ -158,18 +155,11 @@ for you.
 - KUBECTL_ARGS : Additional arguments to kubectl apply
 - IRONIC_USERNAME : username for ironic
 - IRONIC_PASSWORD : password for ironic
-- IRONIC_INSPECTOR_USERNAME : username for inspector
-- IRONIC_INSPECTOR_PASSWORD : password for inspector
 - IRONIC_CACERT_FILE : CA certificate path for ironic
 - IRONIC_CAKEY_FILE : CA certificate key path, unneeded if ironic
   certificates exist
 - IRONIC_CERT_FILE : Ironic certificate path
 - IRONIC_KEY_FILE : Ironic certificate key path
-- IRONIC_INSPECTOR_CERT_FILE : Inspector certificate path
-- IRONIC_INSPECTOR_KEY_FILE : Inspector certificate key path
-- IRONIC_INSPECTOR_CACERT_FILE : CA certificate path for inspector, defaults to
-  IRONIC_CACERT_FILE
-- IRONIC_INSPECTOR_CAKEY_FILE : CA certificate key path, unneeded if inspector
   certificates exist
 - MARIADB_KEY_FILE: Path to the key of MariaDB
 - MARIADB_CERT_FILE:  Path to the cert of MariaDB

docs/dev-setup.md

@@ -93,7 +93,6 @@ The following environment variables can be passed to configure the ironic:
 - DEPLOY_KERNEL_URL - the URL of the kernel to deploy ironic-python-agent
 - DEPLOY_RAMDISK_URL - the URL of the ramdisk to deploy ironic-python-agent
 - IRONIC_ENDPOINT - the endpoint of the ironic
-- IRONIC_INSPECTOR_ENDPOINT - the endpoint of the ironic inspector
 - CACHEURL - the URL of the cached images
 - IRONIC_FAST_TRACK - whether to enable fast_track provisioning or not
   (default true)
@@ -137,16 +136,11 @@ authentication enabled, you also need to export the following variables:
 - IRONIC_CACERT_FILE
 - IRONIC_CERT_FILE
 - IRONIC_KEY_FILE
-- IRONIC_INSPECTOR_CACERT_FILE
-- IRONIC_INSPECTOR_CERT_FILE
-- IRONIC_INSPECTOR_KEY_FILE
 
 ### Basic authentication variables
 
 - IRONIC_USERNAME
 - IRONIC_PASSWORD
-- IRONIC_INSPECTOR_USERNAME
-- IRONIC_INSPECTOR_PASSWORD
 
 The names of these variables are self explanatory. TLS variables expect the
 path of the corresponding certificate/key file as their value. Basic

docs/ironic-authentication.md

@@ -1,14 +1,14 @@
 # Authenticating to Ironic
 
-Because hosts under the control of Metal³ need to contact the Ironic and Ironic
-Inspector APIs during inspection and provisioning, it is highly advisable to
-require authentication on those APIs, since the provisioned hosts running user
+Because hosts under the control of Metal³ need to contact the Ironic
+API during inspection and provisioning, it is highly advisable to
+require authentication on this API, since the provisioned hosts running user
 workloads will remain connected to the provisioning network.
 
 ## Configuration
 
-The `baremetal-operator` supports connecting to Ironic and Ironic Inspector
-configured with the following `auth_strategy` modes:
+The `baremetal-operator` supports connecting to Ironic configured with the
+following `auth_strategy` modes:
 
 * `noauth` (no authentication)
 * `http_basic` (HTTP [Basic access authentication](https://en.wikipedia.org/wiki/Basic_access_authentication))
@@ -19,10 +19,8 @@ Authentication configuration is read from the filesystem, beginning at the root
 directory specified in the environment variable `METAL3_AUTH_ROOT_DIR`. If this
 variable is empty or not specified, the default is `/opt/metal3/auth`.
 
-Within the root directory there are separate subdirectories, `ironic` for
-Ironic client configuration, and `ironic-inspector` for Ironic Inspector client
-configuration. (This allows the data to be populated from separate secrets when
-deploying in Kubernetes.)
+Within the root directory there is a separate subdirectory `ironic` for
+Ironic client configuration.
 
 ### `noauth`
 

hack/ci-e2e.sh

@@ -118,31 +118,21 @@ IRONIC_OVERLAY="${REPO_ROOT}/ironic-deployment/overlays/e2e"
 
 IRONIC_USERNAME="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1)"
 IRONIC_PASSWORD="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1)"
-IRONIC_INSPECTOR_USERNAME="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1)"
-IRONIC_INSPECTOR_PASSWORD="$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 12 | head -n 1)"
 
 # These must be exported so that envsubst can pick them up below
 export IRONIC_USERNAME
 export IRONIC_PASSWORD
-export IRONIC_INSPECTOR_USERNAME
-export IRONIC_INSPECTOR_PASSWORD
 
 for overlay in "${BMO_OVERLAYS[@]}"; do
   echo "${IRONIC_USERNAME}" > "${overlay}/ironic-username"
   echo "${IRONIC_PASSWORD}" > "${overlay}/ironic-password"
-  echo "${IRONIC_INSPECTOR_USERNAME}" > "${overlay}/ironic-inspector-username"
-  echo "${IRONIC_INSPECTOR_PASSWORD}" > "${overlay}/ironic-inspector-password"
 done
 
 envsubst < "${REPO_ROOT}/ironic-deployment/components/basic-auth/ironic-auth-config-tpl" > \
   "${IRONIC_OVERLAY}/ironic-auth-config"
-envsubst < "${REPO_ROOT}/ironic-deployment/components/basic-auth/ironic-inspector-auth-config-tpl" > \
-  "${IRONIC_OVERLAY}/ironic-inspector-auth-config"
 
 echo "IRONIC_HTPASSWD=$(htpasswd -n -b -B "${IRONIC_USERNAME}" "${IRONIC_PASSWORD}")" > \
   "${IRONIC_OVERLAY}/ironic-htpasswd"
-echo "INSPECTOR_HTPASSWD=$(htpasswd -n -b -B "${IRONIC_INSPECTOR_USERNAME}" \
-  "${IRONIC_INSPECTOR_PASSWORD}")" > "${IRONIC_OVERLAY}/ironic-inspector-htpasswd"
 
 
 # We need to gather artifacts/logs before exiting also if there are errors

ironic-deployment/base/ironic.yaml

@@ -111,38 +111,6 @@ spec:
           privileged: false
           runAsUser: 997 # ironic
           runAsGroup: 994 # ironic
-      - name: ironic-inspector
-        image: quay.io/metal3-io/ironic
-        imagePullPolicy: Always
-        readinessProbe:
-          exec:
-            command: ["sh", "-c", "curl -sSf http://127.0.0.1:5050 || curl -sSf -k https://127.0.0.1:5050"]
-          initialDelaySeconds: 30
-          periodSeconds: 30
-          timeoutSeconds: 10
-          successThreshold: 1
-          failureThreshold: 10
-        livenessProbe:
-          exec:
-            command: ["sh", "-c", "curl -sSf http://127.0.0.1:5050 || curl -sSf -k https://127.0.0.1:5050"]
-          initialDelaySeconds: 30
-          periodSeconds: 30
-          timeoutSeconds: 10
-          successThreshold: 1
-          failureThreshold: 10
-        command:
-        - /bin/runironic-inspector
-        envFrom:
-        - configMapRef:
-            name: ironic-bmo-configmap
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          privileged: false
-          runAsUser: 996 # ironic-inspector
-          runAsGroup: 993 # ironicinspector
       - name: ironic-httpd
         image: quay.io/metal3-io/ironic
         imagePullPolicy: Always

ironic-deployment/components/basic-auth/auth.yaml

@@ -7,33 +7,13 @@ spec:
     spec:
       containers:
       - name: ironic
-        volumeMounts:
-        # This is the credentials for authenticating with inspector
-        - name: ironic-inspector-auth-config
-          mountPath: "/auth/ironic-inspector"
-          readOnly: true
         envFrom:
-        # This is the htpassword matching the ironic-auth-config that inspector has
+        # This is the htpassword matching the ironic-auth-config
         - secretRef:
             name: ironic-htpasswd
         - configMapRef:
             name: ironic-bmo-configmap
-      - name: ironic-inspector
-        volumeMounts:
-        # This is the credentials for authenticating with ironic
-        - name: ironic-auth-config
-          mountPath: "/auth/ironic"
-          readOnly: true
-        envFrom:
-        # This is the htpassword matching the ironic-inspector-auth-config that ironic has
-        - secretRef:
-            name: ironic-inspector-htpasswd
-        - configMapRef:
-            name: ironic-bmo-configmap
       volumes:
       - name: ironic-auth-config
         secret:
           secretName: ironic-auth-config
-      - name: ironic-inspector-auth-config
-        secret:
-          secretName: ironic-inspector-auth-config

ironic-deployment/components/basic-auth/kustomization.yaml

@@ -5,9 +5,7 @@ kind: Component
 # How you create them is up to you.
 # The required secrets are:
 # - ironic-htpasswd
-# - ironic-inspector-htpasswd
 # - ironic-auth-config
-# - ironic-inspector-auth-config
 #
 # The content should be as in these examples:
 #
@@ -21,23 +19,9 @@ kind: Component
 # apiVersion: v1
 # kind: Secret
 # metadata:
-#   name: ironic-inspector-htpasswd
-# data:
-#   INSPECTOR_HTPASSWD: <base64-encoded-htpasswd-string>
-# ---
-# apiVersion: v1
-# kind: Secret
-# metadata:
 #   name: ironic-auth-config
 # data:
 #   auth-config: <base64-encoded-auth-config>
-# ---
-# apiVersion: v1
-# kind: Secret
-# metadata:
-#   name: ironic-inspector-auth-config
-# data:
-#   auth-config: <base64-encoded-auth-config>
 #
 # Check `ironic-auth-config-tpl` for a template of what to put in the auth-config.
 

ironic-deployment/components/keepalived/ironic_bmo_configmap.env

@@ -8,3 +8,4 @@ IRONIC_ENDPOINT=http://172.22.0.2:6385/v1/
 CACHEURL=http://172.22.0.1/images
 IRONIC_FAST_TRACK=true
 IRONIC_KERNEL_PARAMS=console=ttyS0
+USE_IRONIC_INSPECTOR=false

ironic-deployment/components/tls/certificate.yaml

@@ -39,16 +39,3 @@ spec:
     kind: Issuer
     name: ca-issuer
   secretName: ironic-cert
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: ironic-inspector-cert
-spec:
-  commonName: ironic-inspector-cert
-  ipAddresses:
-  - IRONIC_HOST_IP
-  issuerRef:
-    kind: Issuer
-    name: ca-issuer
-  secretName: ironic-inspector-cert

ironic-deployment/components/tls/tls.yaml

@@ -16,15 +16,10 @@ spec:
         env:
         - name: IRONIC_REVERSE_PROXY_SETUP
           value: "true"
-        - name: INSPECTOR_REVERSE_PROXY_SETUP
-          value: "true"
         volumeMounts:
         - name: cert-ironic-ca
           mountPath: "/certs/ca/ironic"
           readOnly: true
-        - name: cert-ironic-inspector-ca
-          mountPath: "/certs/ca/ironic-inspector"
-          readOnly: true
       - name: ironic-httpd
         livenessProbe:
          exec:
@@ -35,50 +30,17 @@ spec:
         env:
         - name: IRONIC_REVERSE_PROXY_SETUP
           value: "true"
-        - name: INSPECTOR_REVERSE_PROXY_SETUP
-          value: "true"
         volumeMounts:
         - name: cert-ironic
           mountPath: "/certs/ironic"
           readOnly: true
-        - name: cert-ironic-inspector
-          mountPath: "/certs/ironic-inspector"
-          readOnly: true
         - name: cert-ironic-ca
           mountPath: "/certs/ca/ironic"
           readOnly: true
-        - name: cert-ironic-inspector-ca
-          mountPath: "/certs/ca/ironic-inspector"
-          readOnly: true
-      - name: ironic-inspector
-        readinessProbe:
-          exec:
-            command: ["sh", "-c", "curl -sSf http://127.0.0.1:5049"]
-        livenessProbe:
-          exec:
-            command: ["sh", "-c", "curl -sSf http://127.0.0.1:5049"]
-        env:
-        - name: IRONIC_REVERSE_PROXY_SETUP
-          value: "true"
-        - name: INSPECTOR_REVERSE_PROXY_SETUP
-          value: "true"
-        volumeMounts:
-        - name: cert-ironic-ca
-          mountPath: "/certs/ca/ironic"
-          readOnly: true
-        - name: cert-ironic-inspector-ca
-          mountPath: "/certs/ca/ironic-inspector"
-          readOnly: true
       volumes:
       - name: cert-ironic-ca
         secret:
           secretName: ironic-cacert
-      - name: cert-ironic-inspector-ca
-        secret:
-          secretName: ironic-cacert
       - name: cert-ironic
         secret:
           secretName: ironic-cert
-      - name: cert-ironic-inspector
-        secret:
-          secretName: ironic-inspector-cert