Merge pull request #355 from dtantsur/OCPBUGS-10343

OCPBUGS-10343: allow inspector to also be proxied
openshift · Apr 12, 2023 · 78226b6 · 78226b6
2 parents 3f0e784 + 753e7ed
commit 78226b6
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 3 deletions.
diff --git a/ironic-config/apache2-proxy.conf.j2 b/ironic-config/apache2-proxy.conf.j2
@@ -1,4 +1,4 @@
-<VirtualHost *:{{ env.HTTP_PORT }}>
+<VirtualHost *:{{ env.IRONIC_PROXY_PORT }}>
 
     ErrorLog /dev/stderr
     LogLevel debug
@@ -29,3 +29,37 @@
     {% endif %}
 </VirtualHost>
 
+{% if env.IRONIC_INSPECTOR_PROXY_PORT %}
+Listen {{ env.IRONIC_INSPECTOR_PROXY_PORT }}
+
+<VirtualHost *:{{ env.IRONIC_INSPECTOR_PROXY_PORT }}>
+
+    ErrorLog /dev/stderr
+    LogLevel debug
+    CustomLog /dev/stdout combined
+
+    ProxyPass "/"  "{{ env.IRONIC_INSPECTOR_UPSTREAM_PROTO }}://{{ env.IRONIC_INSPECTOR_UPSTREAM_IP }}:{{ env.IRONIC_INSPECTOR_UPSTREAM_PORT }}/"
+    ProxyPassReverse "/"  "{{ env.IRONIC_INSPECTOR_UPSTREAM_PROTO }}://{{ env.IRONIC_INSPECTOR_UPSTREAM_IP }}:{{ env.IRONIC_INSPECTOR_UPSTREAM_PORT }}/"
+    {% if env.IRONIC_INSPECTOR_UPSTREAM_PROTO == "https" %}
+    SSLProxyEngine On
+
+    {% if env.IRONIC_INSPECTOR_INSECURE == "true" %}
+    SSLProxyVerify none
+    SSLProxyCheckPeerExpire off
+    {% else %}
+    SSLProxyCACertificateFile {{ env.IRONIC_INSPECTOR_CERT_FILE }}
+    SSLProxyVerify require
+    SSLProxyCheckPeerExpire on
+    {% endif %}
+    SSLProxyCheckPeerName off
+
+    {% endif %}
+
+    {% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
+    SSLEngine on
+    SSLProtocol {{ env.IRONIC_SSL_PROTOCOL }}
+    SSLCertificateFile {{ env.IRONIC_INSPECTOR_CERT_FILE }}
+    SSLCertificateKeyFile {{ env.IRONIC_INSPECTOR_KEY_FILE }}
+    {% endif %}
+</VirtualHost>
+{% endif %}
diff --git a/scripts/runironic-proxy b/scripts/runironic-proxy
@@ -6,16 +6,24 @@
 
 wait_for_interface_or_ip
 
-export HTTP_PORT=${HTTP_PORT:-6386}
+export IRONIC_PROXY_PORT=${IRONIC_PROXY_PORT:-${HTTP_PORT:-6386}}
+export IRONIC_INSPECTOR_PROXY_PORT=${IRONIC_INSPECTOR_PROXY_PORT:-}
 export IRONIC_UPSTREAM_IP=${IRONIC_UPSTREAM_IP:-$IRONIC_IP}
 export IRONIC_UPSTREAM_PORT=${IRONIC_UPSTREAM_PORT:-6385}
 export IRONIC_UPSTREAM_PROTO=${IRONIC_UPSTREAM_PROTO:-$IRONIC_SCHEME}
+export IRONIC_INSPECTOR_UPSTREAM_IP=${IRONIC_INSPECTOR_UPSTREAM_IP:-$IRONIC_IP}
+export IRONIC_INSPECTOR_UPSTREAM_PORT=${IRONIC_INSPECTOR_UPSTREAM_PORT:-5050}
+export IRONIC_INSPECTOR_UPSTREAM_PROTO=${IRONIC_INSPECTOR_UPSTREAM_PROTO:-$IRONIC_UPSTREAM_PROTO}
 
 if [[ "$IRONIC_UPSTREAM_IP" =~ .*:.* ]]; then
     export IRONIC_UPSTREAM_IP="[$IRONIC_UPSTREAM_IP]"
 fi
 
-sed -i 's/^Listen .*$/Listen [::]:'"$HTTP_PORT"'/' /etc/httpd/conf/httpd.conf
+if [[ "$IRONIC_INSPECTOR_UPSTREAM_IP" =~ .*:.* ]]; then
+    export IRONIC_INSPECTOR_UPSTREAM_IP="[$IRONIC_INSPECTOR_UPSTREAM_IP]"
+fi
+
+sed -i 's/^Listen .*$/Listen [::]:'"$IRONIC_PROXY_PORT"'/' /etc/httpd/conf/httpd.conf
 # Log to std out/err
 sed -i -e 's%^ \+CustomLog.*%    CustomLog /dev/stderr combined%g' /etc/httpd/conf/httpd.conf
 sed -i -e 's%^ErrorLog.*%ErrorLog /dev/stderr%g' /etc/httpd/conf/httpd.conf