Merge metal3-io/ironic-inspector-image as of Nov 30, 2020 #50

Merged
merged 57 commits into from Nov 30, 2020

Conversation

dtantsur

This is a real merge to ensure we have an easier time from now on.

derekhiggins and others added 30 commits August 16, 2019 14:48
We've seen some issues where the static-ip-refresh doesn't happen quickly
enough, and/or static-ip-set from initContainers expires before we start
the ironic containers.

To ensure we don't fail in that case, wait for the provisioning IP to be
assigned, then the exact order of container start is not important, and
we'll wait until static-ip-refresh has configured the nic.
Wait for PROVISIONING_INTERFACE to be up
There's no need to keep it around, and reduces the overall size a bit.
Moving to Train branch to use the latest cool
features.
This patch adds back the features that were removed because we
were on Stein branch:
- continuous introspection
- ironic-prometheus-exporter
- mdns support
The mdns feature is not compatible with IPv6 yet.
Removing a forgotten mdns configuration parameter that
might interfere if mdns is disabled.
This commit makes the necessary changes for Inspector to work on IPv6,
including handling brackets around URLs, and using the PROVISIONING_IP
variable to wait for a known IP on an interface, which may be an IPv6
address.
We don't appear to need these, in fact they output
errors on container startup...
Remove iptables filters from ironic-inspector containers
The inspector image has a typo in ironic-common.sh that's preventing the
endpoint for Ironic to be set correctly when using IPv6.  This matches
ironic-common.sh with the exact one from the ironic-image which already
got the fix for this.
Sync ironic-common.sh with ironic-image
Remove sqlite package after it did its job
The current-tripleo repo is now available for centos8 and we
should use it.
metal3-io-bot and others added 17 commits July 15, 2020 15:06
* Allow basic_auth to be configured independently on client and server
  interfaces, based on the presence of the required configuration data,
  rather than using a single global USE_HTTP_BASIC environment variable.

* Expect the server credentials to be passed in the form of an
  HTTP_BASIC_HTPASSWD environment variable containing both the username
  and the *hash* of the password, in the htpasswd format. This is more
  secure, as it allows the container not to hold a copy of the password
  when it doesn't need it purely for authenticating connections.

* Expect client credentials to be passed in the form of a file named
  /auth/ironic/auth-config, formatted as an ini config file setting the
  appropriate options (for basic auth, this is auth_strategy=http_basic,
  and the username and password options; however this mechanism should
  work unchanged for other auth strategies). This is more secure because
  in k8s the password is never passed as an environment variable nor
  written to disk, but remains in a tmpfs filesystem.
Simplify HTTP basic auth configuration
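
The two credential inputs described in the commit above can be checked before the containers start. The following is an added example, not code from this pull request or from the ironic-inspector image; the function names, the `[ironic]` section name and all sample values are assumptions constructed for illustration.

```bash
# Added example: preflight checks for HTTP_BASIC_HTPASSWD and the auth-config file.

# Return 0 if $1 is "user:<hash>" with a recognised htpasswd hash prefix.
# Plaintext and legacy crypt() entries (no prefix) are rejected.
htpasswd_entry_ok() {
    local entry=$1 user hash
    case $entry in
        *:*) ;;
        *) return 1 ;;
    esac
    user=${entry%%:*}
    hash=${entry#*:}
    [ -n "$user" ] || return 1
    case $hash in
        '$2y$'*|'$2a$'*|'$2b$'*) return 0 ;;   # bcrypt
        '$apr1$'*)               return 0 ;;   # Apache MD5
        '$5$'*|'$6$'*)           return 0 ;;   # SHA-256 / SHA-512 crypt
        '{SHA}'*)                return 0 ;;   # SHA-1 (weak, but still a hash)
        *)                       return 1 ;;
    esac
}

# Print the value of option $2 from ini file $1 (any section); empty if absent.
ini_get() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 if the client auth-config selects http_basic and sets both credentials.
auth_config_ok() {
    [ -r "$1" ] || return 1
    [ "$(ini_get "$1" auth_strategy)" = "http_basic" ] || return 1
    [ -n "$(ini_get "$1" username)" ] || return 1
    [ -n "$(ini_get "$1" password)" ] || return 1
}

# Constructed sample inputs (placeholders, not real credentials or a valid hash).
demo_dir=$(mktemp -d)
printf '[ironic]\nauth_strategy = http_basic\nusername = inspector\npassword = example-only\n' \
    > "$demo_dir/auth-config"
for entry in 'inspector:$2y$05$constructed-placeholder-hash' 'inspector:example-only'; do
    if htpasswd_entry_ok "$entry"; then
        echo "server entry for ${entry%%:*}: hashed"
    else
        echo "server entry for ${entry%%:*}: REJECTED, not a recognised hash"
    fi
done
auth_config_ok "$demo_dir/auth-config" && echo "client auth-config: ok"
rm -rf "$demo_dir"
```
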
This commit allows the user to start Inspector using TLS on all
endpoints, by setting the following environment variables:

- CACERT_FILE: path to the CA cert that signed the ironic cert
  (optional)
- CERT_FILE: path to the cert
- KEY_FILE: path to the key
An improvement for testing and customization, moving all the
files we need to install in the main image to a file and having
dnf read its content.
This allows exotic compositions of sources, like urls and local dirs,
without having to touch the Dockerfile.
This will allow passing a custom list of packages to install during
build time with very little effort.
…watch

Add runlogwatch.sh entry point to dump ramdisk inspection logs
Discovery of new nodes requires explicit support from BMO, which
does not seem to exist, nor is on the roadmap. Having discovery
enabled may cause hard to debug situations when an accidentally
booted IPA results in a new node added.

An option is left to enable discovery for testing purposes or
for future implementation on the BMO side.
In the effort of cleaning the Dockerfile, we move the image preparation
steps logic to a script.
Move image preparation logic to a script
@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 30, 2020
@elfosardo

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 30, 2020
@openshift-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dtantsur, elfosardo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit ea0bd6d into openshift:master Nov 30, 2020