Factory/ironic-image/runhttpd

#!/usr/bin/bash

# shellcheck disable=SC1091
. /bin/tls-common.sh
. /bin/ironic-common.sh
. /bin/auth-common.sh

export HTTP_PORT=${HTTP_PORT:-80}
export VMEDIA_TLS_PORT=${VMEDIA_TLS_PORT:-8083}

INSPECTOR_ORIG_HTTPD_CONFIG=/etc/httpd/conf.d/inspector-apache.conf.j2
INSPECTOR_RESULT_HTTPD_CONFIG=/etc/httpd/conf.d/ironic-inspector.conf
export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}

# In Metal3 context they are called node images in Ironic context they are
# called user images.
export HTTPD_SERVE_NODE_IMAGES="${HTTPD_SERVE_NODE_IMAGES:-true}"

# Whether to enable fast_track provisioning or not
IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true}

# Whether to activate the EnableSendfile apache directive for httpd
HTTPD_ENABLE_SENDFILE="${HTTPD_ENABLE_SENDFILE:-false}"

# Set of collectors that should be used with IPA inspection
export IRONIC_IPA_COLLECTORS=${IRONIC_IPA_COLLECTORS:-default,logs}

wait_for_interface_or_ip

mkdir -p /shared/html
chmod 0777 /shared/html

IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}"

if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
    INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue"
else
    INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
fi

if [[ "$IRONIC_FAST_TRACK" == "true" ]]; then
    INSPECTOR_EXTRA_ARGS+=" ipa-api-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}"
fi
export INSPECTOR_EXTRA_ARGS

# Copy files to shared mount
render_j2_config /tmp/inspector.ipxe.j2 /shared/html/inspector.ipxe
cp /tmp/uefi_esp.img /shared/html/uefi_esp.img

# Render the core httpd config
render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf

if [[ "$USE_IRONIC_INSPECTOR" == "true" ]] && [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then
    if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "true" ]]; then
        render_j2_config "$INSPECTOR_ORIG_HTTPD_CONFIG" "$INSPECTOR_RESULT_HTTPD_CONFIG"
    fi
else
    export INSPECTOR_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
fi

if [[ "$IRONIC_TLS_SETUP" == "true" ]]; then
    if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
        render_j2_config /tmp/httpd-ironic-api.conf.j2 /etc/httpd/conf.d/ironic.conf
    fi
else
    export IRONIC_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
fi

write_htpasswd_files

# Render httpd TLS configuration for /shared/html/<redifsh;ilo>
if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
    render_j2_config /etc/httpd-vmedia.conf.j2 /etc/httpd/conf.d/vmedia.conf
fi

# Set up inotify to kill the container (restart) whenever cert files for ironic inspector change
if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
    # shellcheck disable=SC2034
    inotifywait -m -e delete_self "${IRONIC_INSPECTOR_CERT_FILE}" | while read -r file event; do
        kill -WINCH $(pgrep httpd)
    done &
fi

# Set up inotify to kill the container (restart) whenever cert files for ironic api change
if [[ "$IRONIC_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
    # shellcheck disable=SC2034
    inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read -r file event; do
        kill -WINCH $(pgrep httpd)
    done &
fi

# Set up inotify to kill the container (restart) whenever cert of httpd for /shared/html/<redifsh;ilo> path change
if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
    # shellcheck disable=SC2034
    inotifywait -m -e delete_self "${IRONIC_VMEDIA_CERT_FILE}" | while read -r file event; do
        kill -WINCH $(pgrep httpd)
    done &
fi

exec /usr/sbin/httpd -DFOREGROUND -f /etc/httpd/conf/httpd.conf