From 753e7edae60c4cf0606556d2a7df0f09a0b9ef99 Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Thu, 30 Mar 2023 16:39:12 +0200
Subject: [PATCH] OCPBUGS-10343: allow inspector to also be proxied
---
 ironic-config/apache2-proxy.conf.j2 | 36 ++++++++++++++++++++++++++++-
 scripts/runironic-proxy | 12 ++++++++--
 2 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/ironic-config/apache2-proxy.conf.j2 b/ironic-config/apache2-proxy.conf.j2
index 9ad490029..41a6d1b3b 100644
--- a/ironic-config/apache2-proxy.conf.j2
+++ b/ironic-config/apache2-proxy.conf.j2
@@ -1,4 +1,4 @@
-
+
 ErrorLog /dev/stderr
 LogLevel debug
@@ -29,3 +29,37 @@ {% endif %}
+{% if env.IRONIC_INSPECTOR_PROXY_PORT %}
+Listen {{ env.IRONIC_INSPECTOR_PROXY_PORT }}
+
+
+
+ ErrorLog /dev/stderr
+ LogLevel debug
+ CustomLog /dev/stdout combined
+
+ ProxyPass "/" "{{ env.IRONIC_INSPECTOR_UPSTREAM_PROTO }}://{{ env.IRONIC_INSPECTOR_UPSTREAM_IP }}:{{ env.IRONIC_INSPECTOR_UPSTREAM_PORT }}/"
+ ProxyPassReverse "/" "{{ env.IRONIC_INSPECTOR_UPSTREAM_PROTO }}://{{ env.IRONIC_INSPECTOR_UPSTREAM_IP }}:{{ env.IRONIC_INSPECTOR_UPSTREAM_PORT }}/"
+ {% if env.IRONIC_INSPECTOR_UPSTREAM_PROTO == "https" %}
+ SSLProxyEngine On
+
+ {% if env.IRONIC_INSPECTOR_INSECURE == "true" %}
+ SSLProxyVerify none
+ SSLProxyCheckPeerExpire off
+ {% else %}
+ SSLProxyCACertificateFile {{ env.IRONIC_INSPECTOR_CERT_FILE }}
+ SSLProxyVerify require
+ SSLProxyCheckPeerExpire on
+ {% endif %}
+ SSLProxyCheckPeerName off
+
+ {% endif %}
+
+ {% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
+ SSLEngine on
+ SSLProtocol {{ env.IRONIC_SSL_PROTOCOL }}
+ SSLCertificateFile {{ env.IRONIC_INSPECTOR_CERT_FILE }}
+ SSLCertificateKeyFile {{ env.IRONIC_INSPECTOR_KEY_FILE }}
+ {% endif %}
+
+{% endif %}
diff --git a/scripts/runironic-proxy b/scripts/runironic-proxy
index 451fccf5d..1194b3685 100755
--- a/scripts/runironic-proxy
+++ b/scripts/runironic-proxy
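Review bot: `SSLProxyCheckPeerName off` sits outside the `IRONIC_INSPECTOR_INSECURE` branch of the new inspector virtual host, so upstream name checking is disabled even when `SSLProxyVerify require` is selected. In that mode the proxy accepts any certificate that chains to `IRONIC_INSPECTOR_CERT_FILE`, which is only as strong as that file is narrow; the same file is reused as `SSLCertificateFile` further down, which suggests it pins the inspector's own certificate, but the template does not say so. I would record the assumption beside the directive, e.g. `{# name check off: upstream is addressed by IP; trust rests on the certificate pinned in IRONIC_INSPECTOR_CERT_FILE #}`. The hard-coded `LogLevel debug` on this listener also deserves a second look for production use.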
@@ -6,16 +6,24 @@ wait_for_interface_or_ip
-export HTTP_PORT=${HTTP_PORT:-6386}
+export IRONIC_PROXY_PORT=${IRONIC_PROXY_PORT:-${HTTP_PORT:-6386}}
+export IRONIC_INSPECTOR_PROXY_PORT=${IRONIC_INSPECTOR_PROXY_PORT:-}
 export IRONIC_UPSTREAM_IP=${IRONIC_UPSTREAM_IP:-$IRONIC_IP}
 export IRONIC_UPSTREAM_PORT=${IRONIC_UPSTREAM_PORT:-6385}
 export IRONIC_UPSTREAM_PROTO=${IRONIC_UPSTREAM_PROTO:-$IRONIC_SCHEME}
+export IRONIC_INSPECTOR_UPSTREAM_IP=${IRONIC_INSPECTOR_UPSTREAM_IP:-$IRONIC_IP}
+export IRONIC_INSPECTOR_UPSTREAM_PORT=${IRONIC_INSPECTOR_UPSTREAM_PORT:-5050}
+export IRONIC_INSPECTOR_UPSTREAM_PROTO=${IRONIC_INSPECTOR_UPSTREAM_PROTO:-$IRONIC_UPSTREAM_PROTO}
 if [[ "$IRONIC_UPSTREAM_IP" =~ .*:.* ]]; then
 export IRONIC_UPSTREAM_IP="[$IRONIC_UPSTREAM_IP]"
 fi
-sed -i 's/^Listen .*$/Listen [::]:'"$HTTP_PORT"'/' /etc/httpd/conf/httpd.conf
+if [[ "$IRONIC_INSPECTOR_UPSTREAM_IP" =~ .*:.* ]]; then
+ export IRONIC_INSPECTOR_UPSTREAM_IP="[$IRONIC_INSPECTOR_UPSTREAM_IP]"
+fi
+
+sed -i 's/^Listen .*$/Listen [::]:'"$IRONIC_PROXY_PORT"'/' /etc/httpd/conf/httpd.conf
 # Log to std out/err
 sed -i -e 's%^ \+CustomLog.*% CustomLog /dev/stderr combined%g' /etc/httpd/conf/httpd.conf
 sed -i -e 's%^ErrorLog.*%ErrorLog /dev/stderr%g' /etc/httpd/conf/httpd.conf
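Review bot: The port values are used without validation: `IRONIC_PROXY_PORT` is spliced into the sed replacement that rewrites `Listen`, and `IRONIC_INSPECTOR_PROXY_PORT` is exported for the template in this same commit, which renders it into a `Listen` directive. A value that is not a plain number (stray whitespace, a `/`, a newline) would break the sed expression or produce an httpd directive nobody intended. A cheap guard before the sed call is `[[ "$IRONIC_PROXY_PORT" =~ ^[0-9]+$ ]] || { echo "invalid IRONIC_PROXY_PORT" >&2; exit 1; }`, with the same test on `IRONIC_INSPECTOR_PROXY_PORT` when it is non-empty. The script continues beyond this hunk, so an equivalent check may already exist there.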