#!/usr/bin/bash # shellcheck disable=SC1091 . /bin/tls-common.sh . /bin/ironic-common.sh . /bin/auth-common.sh export HTTP_PORT=${HTTP_PORT:-80} export VMEDIA_TLS_PORT=${VMEDIA_TLS_PORT:-8083} INSPECTOR_ORIG_HTTPD_CONFIG=/etc/httpd/conf.d/inspector-apache.conf.j2 INSPECTOR_RESULT_HTTPD_CONFIG=/etc/httpd/conf.d/ironic-inspector.conf export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false} export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false} # In Metal3 context they are called node images in Ironic context they are # called user images. export HTTPD_SERVE_NODE_IMAGES="${HTTPD_SERVE_NODE_IMAGES:-true}" # Whether to enable fast_track provisioning or not IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true} # Whether to activate the EnableSendfile apache directive for httpd HTTPD_ENABLE_SENDFILE="${HTTPD_ENABLE_SENDFILE:-false}" # Set of collectors that should be used with IPA inspection export IRONIC_IPA_COLLECTORS=${IRONIC_IPA_COLLECTORS:-default,logs} wait_for_interface_or_ip mkdir -p /shared/html chmod 0777 /shared/html IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}" if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue" else INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection" fi if [[ "$IRONIC_FAST_TRACK" == "true" ]]; then INSPECTOR_EXTRA_ARGS+=" ipa-api-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}" fi export INSPECTOR_EXTRA_ARGS # Copy files to shared mount render_j2_config /tmp/inspector.ipxe.j2 /shared/html/inspector.ipxe cp /tmp/uefi_esp.img /shared/html/uefi_esp.img # Render the core httpd config render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf if [[ "$USE_IRONIC_INSPECTOR" == "true" ]] && [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "true" ]]; then render_j2_config "$INSPECTOR_ORIG_HTTPD_CONFIG" "$INSPECTOR_RESULT_HTTPD_CONFIG" fi else export INSPECTOR_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy fi if [[ "$IRONIC_TLS_SETUP" == "true" ]]; then if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then render_j2_config /tmp/httpd-ironic-api.conf.j2 /etc/httpd/conf.d/ironic.conf fi else export IRONIC_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy fi write_htpasswd_files # Render httpd TLS configuration for /shared/html/ if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then render_j2_config /etc/httpd-vmedia.conf.j2 /etc/httpd/conf.d/vmedia.conf fi # Set up inotify to kill the container (restart) whenever cert files for ironic inspector change if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then # shellcheck disable=SC2034 inotifywait -m -e delete_self "${IRONIC_INSPECTOR_CERT_FILE}" | while read -r file event; do kill -WINCH $(pgrep httpd) done & fi # Set up inotify to kill the container (restart) whenever cert files for ironic api change if [[ "$IRONIC_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then # shellcheck disable=SC2034 inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read -r file event; do kill -WINCH $(pgrep httpd) done & fi # Set up inotify to kill the container (restart) whenever cert of httpd for /shared/html/ path change if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then # shellcheck disable=SC2034 inotifywait -m -e delete_self "${IRONIC_VMEDIA_CERT_FILE}" | while read -r file event; do kill -WINCH $(pgrep httpd) done & fi exec /usr/sbin/httpd -DFOREGROUND -f /etc/httpd/conf/httpd.conf