2025-06-26 16:01:03 +02:00
5 changed files with 0 additions and 220 deletions
--- a/ironic-image/inspector-apache.conf.j2
+++ b/ironic-image/inspector-apache.conf.j2
@@ -1,57 +0,0 @@
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
 # a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
 {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
 Listen {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
 <VirtualHost *:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
 {% else %}
 Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
 <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
 {% endif %}
    {% if env.IRONIC_INSPECTOR_PRIVATE_PORT == "unix" %}
    ProxyPass "/"  "unix:/shared/inspector.sock|http://127.0.0.1/"
    ProxyPassReverse "/"  "unix:/shared/inspector.sock|http://127.0.0.1/"
    {% else %}
    ProxyPass "/"  "http://127.0.0.1:{{ env.IRONIC_INSPECTOR_PRIVATE_PORT }}/"
    ProxyPassReverse "/"  "http://127.0.0.1:{{ env.IRONIC_INSPECTOR_PRIVATE_PORT }}/"
    {% endif %}
    SetEnv APACHE_RUN_USER ironic-suse
    SetEnv APACHE_RUN_GROUP ironic-suse
    ErrorLog /dev/stdout
    LogLevel debug
    CustomLog /dev/stdout combined
    SSLEngine On
    SSLProtocol {{ env.IRONIC_SSL_PROTOCOL }}
    SSLCertificateFile {{ env.IRONIC_INSPECTOR_CERT_FILE }} 
    SSLCertificateKeyFile {{ env.IRONIC_INSPECTOR_KEY_FILE }}
    {% if "INSPECTOR_HTPASSWD" in env and env.INSPECTOR_HTPASSWD | length %}
    <Location / >
        AuthType Basic
        AuthName "Restricted area"
        AuthUserFile "/etc/ironic-inspector/htpasswd"
        Require valid-user
    </Location>
    <Location ~ "^/(v1/?)?$" >
        Require all granted
    </Location>
    <Location /v1/continue >
        Require all granted
    </Location>
    {% endif %}
 </VirtualHost>
--- a/ironic-image/ironic-inspector.conf.j2
+++ b/ironic-image/ironic-inspector.conf.j2
@@ -1,68 +0,0 @@
 [DEFAULT]
 auth_strategy = noauth
 debug = true
 transport_url = fake://
 use_stderr = true
 {% if env.INSPECTOR_REVERSE_PROXY_SETUP == "true" %}
 {% if env.IRONIC_INSPECTOR_PRIVATE_PORT == "unix" %}
 listen_unix_socket = /shared/inspector.sock
 # NOTE(dtantsur): this is not ideal, but since the socket is accessed from
 # another container, we need to make it world-writeable.
 listen_unix_socket_mode = 0666
 {% else %}
 listen_port = {{ env.IRONIC_INSPECTOR_PRIVATE_PORT }}
 listen_address = 127.0.0.1
 {% endif %}
 {% elif env.LISTEN_ALL_INTERFACES | lower == "true" %}
 listen_port = {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
 listen_address = ::
 {% else %}
 listen_port = {{ env.IRONIC_INSPECTOR_LISTEN_PORT }}
 listen_address = {{ env.IRONIC_IP }}
 {% endif %}
 host = {{ env.IRONIC_IP }}
 {% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" and env.INSPECTOR_REVERSE_PROXY_SETUP == "false" %}
 use_ssl = true
 {% endif %}
 [database]
 connection = sqlite:////var/lib/ironic-inspector/ironic-inspector.db
 {% if env.IRONIC_INSPECTOR_ENABLE_DISCOVERY == "true" %}
 [discovery]
 enroll_node_driver = ipmi
 {% endif %}
 [ironic]
 auth_type = none
 endpoint_override = {{ env.IRONIC_BASE_URL }}
 {% if env.IRONIC_TLS_SETUP == "true" %}
 cafile = {{ env.IRONIC_CACERT_FILE }}
 insecure = {{ env.IRONIC_INSECURE }}
 {% endif %}
 [processing]
 add_ports = all
 always_store_ramdisk_logs = true
 keep_ports = present
 {% if env.IRONIC_INSPECTOR_ENABLE_DISCOVERY == "true" %}
 node_not_found_hook = enroll
 {% endif %}
 permit_active_introspection = true
 power_off = false
 processing_hooks = $default_processing_hooks,lldp_basic
 ramdisk_logs_dir = /shared/log/ironic-inspector/ramdisk
 store_data = database
 [pxe_filter]
 driver = noop
 [service_catalog]
 auth_type = none
 endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }}
 {% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" and env.INSPECTOR_REVERSE_PROXY_SETUP == "false" %}
 [ssl]
 cert_file = {{ env.IRONIC_INSPECTOR_CERT_FILE }}
 key_file = {{ env.IRONIC_INSPECTOR_KEY_FILE }}
 {% endif %}
--- a/ironic-image/runironic-api
+++ b/ironic-image/runironic-api
@@ -1,13 +0,0 @@
 #!/usr/bin/bash
 export IRONIC_DEPLOYMENT="API"
 # shellcheck disable=SC1091
 . /bin/configure-ironic.sh
 export IRONIC_REVERSE_PROXY_SETUP=false
 python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < /tmp/httpd-ironic-api.conf.j2 > /etc/httpd/conf.d/ironic.conf
 # shellcheck disable=SC1091
 . /bin/runhttpd
--- a/ironic-image/runironic-conductor
+++ b/ironic-image/runironic-conductor
@@ -1,20 +0,0 @@
 #!/usr/bin/bash
 export IRONIC_DEPLOYMENT="Conductor"
 # shellcheck disable=SC1091
 . /bin/configure-ironic.sh
 # Ramdisk logs
 mkdir -p /shared/log/ironic/deploy
 run_ironic_dbsync
 if [[ "$IRONIC_TLS_SETUP" == "true" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
    # shellcheck disable=SC2034
    inotifywait -m -e delete_self "${IRONIC_CERT_FILE}" | while read -r file event; do
        kill $(pgrep ironic)
    done &
 fi
 exec /usr/bin/ironic-conductor
--- a/ironic-image/runironic-inspector
+++ b/ironic-image/runironic-inspector
@@ -1,62 +0,0 @@
 #!/usr/bin/bash
 set -euxo pipefail
 CONFIG=/etc/ironic-inspector/ironic-inspector.conf
 export IRONIC_INSPECTOR_ENABLE_DISCOVERY=${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}
 export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
 # shellcheck disable=SC1091
 . /bin/tls-common.sh
 # shellcheck disable=SC1091
 . /bin/ironic-common.sh
 # shellcheck disable=SC1091
 . /bin/auth-common.sh
 if [[ "$USE_IRONIC_INSPECTOR" == "false" ]]; then
    echo "FATAL: ironic-inspector is disabled via USE_IRONIC_INSPECTOR"
    exit 1
 fi
 wait_for_interface_or_ip
 IRONIC_INSPECTOR_PORT=${IRONIC_INSPECTOR_ACCESS_PORT}
 if [[ "$IRONIC_INSPECTOR_TLS_SETUP" == "true" ]]; then
    if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "true" ]] && [[ "${IRONIC_INSPECTOR_PRIVATE_PORT}" != "unix" ]]; then
        IRONIC_INSPECTOR_PORT=$IRONIC_INSPECTOR_PRIVATE_PORT
    fi
 else
    export INSPECTOR_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
 fi
 export IRONIC_INSPECTOR_BASE_URL="${IRONIC_INSPECTOR_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_INSPECTOR_PORT}"
 export IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}:${IRONIC_ACCESS_PORT}"
 build_j2_config()
 {
    local CONFIG_FILE="$1"
    python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$CONFIG_FILE.j2"
 }
 # Merge with the original configuration file from the package.
 build_j2_config "$CONFIG" | crudini --merge "$CONFIG"
 configure_inspector_auth
 configure_client_basic_auth ironic "${CONFIG}"
 ironic-inspector-dbsync --config-file "${CONFIG}" upgrade
 if [[ "$INSPECTOR_REVERSE_PROXY_SETUP" == "false" ]] && [[ "${RESTART_CONTAINER_CERTIFICATE_UPDATED}" == "true" ]]; then
    # shellcheck disable=SC2034
    inotifywait -m -e delete_self "${IRONIC_INSPECTOR_CERT_FILE}" | while read -r file event; do
        kill $(pgrep ironic)
    done &
 fi
 # Make sure ironic traffic bypasses any proxies
 export NO_PROXY="${NO_PROXY:-},$IRONIC_IP"
 # shellcheck disable=SC2086
 exec /usr/bin/ironic-inspector