baremetal: Use HTTP basic auth for ironic on bootstrap host

openshift · Oct 9, 2020 · 8e03ebd · 8e03ebd
1 parent df07265
commit 8e03ebd
Show file tree

Hide file tree

Showing 6 changed files with 71 additions and 5 deletions.
diff --git a/data/data/baremetal/main.tf b/data/data/baremetal/main.tf
@@ -3,10 +3,15 @@ provider "libvirt" {
 }
 
 provider "ironic" {
-  url          = "http://${var.bootstrap_provisioning_ip}:6385/v1"
-  inspector    = "http://${var.bootstrap_provisioning_ip}:5050/v1"
-  microversion = "1.56"
-  timeout      = 3600
+  url                = "http://${var.bootstrap_provisioning_ip}:6385/v1"
+  inspector          = "http://${var.bootstrap_provisioning_ip}:5050/v1"
+  microversion       = "1.56"
+  timeout            = 3600
+  auth_strategy      = "http_basic"
+  ironic_username    = "${var.ironic_username}"
+  ironic_password    = "${var.ironic_password}"
+  inspector_username = "${var.ironic_username}"
+  inspector_password = "${var.ironic_password}"
 }
 
 module "bootstrap" {

diff --git a/data/data/baremetal/variables-baremetal.tf b/data/data/baremetal/variables-baremetal.tf
@@ -23,6 +23,16 @@ variable "provisioning_bridge" {
   description = "The name of the provisioning bridge"
 }
 
+variable "ironic_username" {
+  type        = string
+  description = "Username for authentication to Ironic"
+}
+
+variable "ironic_password" {
+  type        = string
+  description = "Password for authentication to Ironic"
+}
+
 variable "hosts" {
   type        = list(map(string))
   description = "Hardware details for hosts"

diff --git a/.../files/usr/local/bin/master-bmh-update.sh → ...r/local/bin/master-bmh-update.sh.template b/.../files/usr/local/bin/master-bmh-update.sh → ...r/local/bin/master-bmh-update.sh.template
@@ -39,7 +39,7 @@ for node in $(curl -s http://localhost:6385/v1/nodes | jq -r '.nodes[] | .uuid')
         --rm \
         --entrypoint /get-hardware-details \
         "${BAREMETAL_OPERATOR_IMAGE}" \
-        http://localhost:5050/v1 "$node" | jq '{hardware: .}')
+        http://{{.PlatformData.BareMetal.IronicUsername}}:{{.PlatformData.BareMetal.IronicPassword}}@localhost:5050/v1 "$node" | jq '{hardware: .}')
 
      oc annotate --overwrite -n openshift-machine-api baremetalhosts "$name" 'baremetalhost.metal3.io/status'="$HARDWARE_DETAILS" 'baremetalhost.metal3.io/paused-'
 done
diff --git a/data/data/bootstrap/baremetal/files/usr/local/bin/startironic.sh.template b/data/data/bootstrap/baremetal/files/usr/local/bin/startironic.sh.template
@@ -42,6 +42,35 @@ while [ -z "$(ip -o addr show dev $PROVISIONING_NIC | grep -v link)" ]; do
     sleep 1
 done
 
+# set password for ironic basic auth
+# The ironic container contains httpd (and thus httpd-tools), so rely on it to
+# supply the htpasswd command
+IRONIC_HTPASSWD="$(podman run --rm --entrypoint htpasswd ${IRONIC_IMAGE} -nbB {{.PlatformData.BareMetal.IronicUsername}} {{.PlatformData.BareMetal.IronicPassword}})"
+AUTH_DIR="$(mktemp -d ironic-auth-XXXXX --tmpdir)"
+mkdir ${AUTH_DIR}/ironic
+cat <<EOF >"${AUTH_DIR}/ironic/auth-config"
+[ironic]
+auth_type = http_basic
+username = {{.PlatformData.BareMetal.IronicUsername}}
+password = {{.PlatformData.BareMetal.IronicPassword}}
+EOF
+mkdir ${AUTH_DIR}/ironic-inspector
+cat <<EOF >"${AUTH_DIR}/ironic-inspector/auth-config"
+[inspector]
+auth_type = http_basic
+username = {{.PlatformData.BareMetal.IronicUsername}}
+password = {{.PlatformData.BareMetal.IronicPassword}}
+EOF
+mkdir ${AUTH_DIR}/ironic-rpc
+cat <<EOF >"${AUTH_DIR}/ironic-rpc/auth-config"
+[json_rpc]
+auth_type = http_basic
+username = {{.PlatformData.BareMetal.IronicUsername}}
+password = {{.PlatformData.BareMetal.IronicPassword}}
+http_basic_username = {{.PlatformData.BareMetal.IronicUsername}}
+http_basic_password = {{.PlatformData.BareMetal.IronicPassword}}
+EOF
+
 # set password for mariadb
 mariadb_password=$(uuidgen -r  | sed "s/-//g")
 
@@ -138,20 +167,26 @@ sudo podman run -d --net host --privileged --name ironic-conductor \
      --env MARIADB_PASSWORD=$mariadb_password \
      --env PROVISIONING_INTERFACE=$PROVISIONING_NIC \
      --env OS_CONDUCTOR__HEARTBEAT_TIMEOUT=120 \
+     --env HTTP_BASIC_HTPASSWD=${IRONIC_HTPASSWD} \
      --entrypoint /bin/runironic-conductor \
+     -v $AUTH_DIR:/auth:ro \
      -v $IRONIC_SHARED_VOLUME:/shared:z ${IRONIC_IMAGE}
 
 # We need a better way to wait for the DB sync to happen..
 sleep 10
 
 podman run -d --net host --privileged --name ironic-inspector \
      --env PROVISIONING_INTERFACE=$PROVISIONING_NIC \
+     --env HTTP_BASIC_HTPASSWD=${IRONIC_HTPASSWD} \
+     -v $AUTH_DIR:/auth:ro \
      -v $IRONIC_SHARED_VOLUME:/shared:z "${IRONIC_INSPECTOR_IMAGE}"
 
 sudo podman run -d --net host --privileged --name ironic-api \
      --env MARIADB_PASSWORD=$mariadb_password \
      --env PROVISIONING_INTERFACE=$PROVISIONING_NIC \
+     --env HTTP_BASIC_HTPASSWD=${IRONIC_HTPASSWD} \
      --entrypoint /bin/runironic-api \
+     -v $AUTH_DIR:/auth:ro \
      -v $IRONIC_SHARED_VOLUME:/shared:z ${IRONIC_IMAGE}
 
 # Now loop so the service remains active and restart everything should one of the containers exit unexpectedly.

diff --git a/pkg/asset/ignition/bootstrap/baremetal/template.go b/pkg/asset/ignition/bootstrap/baremetal/template.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/openshift/installer/pkg/types"
 	"github.com/openshift/installer/pkg/types/baremetal"
+	"github.com/openshift/installer/pkg/types/baremetal/auth"
 )
 
 // TemplateData holds data specific to templates used for the baremetal platform.
@@ -33,6 +34,12 @@ type TemplateData struct {
 	// ProvisioningDHCPAllowList contains a space-separated list of all of the control plane's boot
 	// MAC addresses. Requests to bootstrap DHCP from other hosts will be ignored.
 	ProvisioningDHCPAllowList string
+
+	// IronicUsername contains the username for authentication to Ironic
+	IronicUsername string
+
+	// IronicUsername contains the password for authentication to Ironic
+	IronicPassword string
 }
 
 // GetTemplateData returns platform-specific data for bootstrap templates.
@@ -76,5 +83,8 @@ func GetTemplateData(config *baremetal.Platform, networks []types.MachineNetwork
 		}
 	}
 
+	templateData.IronicUsername = auth.GetIronicUsername()
+	templateData.IronicPassword = auth.GetIronicPassword()
+
 	return &templateData
 }
diff --git a/pkg/tfvars/baremetal/baremetal.go b/pkg/tfvars/baremetal/baremetal.go
@@ -13,6 +13,7 @@ import (
 	"github.com/metal3-io/baremetal-operator/pkg/hardware"
 	"github.com/openshift/installer/pkg/tfvars/internal/cache"
 	"github.com/openshift/installer/pkg/types/baremetal"
+	"github.com/openshift/installer/pkg/types/baremetal/auth"
 	"github.com/pkg/errors"
 )
 
@@ -23,6 +24,9 @@ type config struct {
 	ExternalBridge          string `json:"external_bridge"`
 	ProvisioningBridge      string `json:"provisioning_bridge"`
 
+	IronicUsername string `json:"ironic_username"`
+	IronicPassword string `json:"ironic_password"`
+
 	// Data required for control plane deployment - several maps per host, because of terraform's limitations
 	Hosts         []map[string]interface{} `json:"hosts"`
 	RootDevices   []map[string]interface{} `json:"root_devices"`
@@ -143,6 +147,8 @@ func TFVars(libvirtURI, bootstrapProvisioningIP, bootstrapOSImage, externalBridg
 		BootstrapOSImage:        bootstrapOSImage,
 		ExternalBridge:          externalBridge,
 		ProvisioningBridge:      provisioningBridge,
+		IronicUsername:          auth.GetIronicUsername(),
+		IronicPassword:          auth.GetIronicPassword(),
 		Hosts:                   hosts,
 		Properties:              properties,
 		DriverInfos:             driverInfos,