Merge pull request #487 from dtantsur/deprecated-arch
⚠️ Remove support for API/conductor split
metal3-io-bot authored Mar 21, 2024
2 parents 308a6dd + 06a225e commit 2bfb898
Showing 9 changed files with 15 additions and 89 deletions.
25 changes: 0 additions & 25 deletions ironic-config/httpd-ironic-api.conf.j2
Expand Up @@ -19,8 +19,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
<VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}>
{% endif %}

{% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}

{% if env.IRONIC_PRIVATE_PORT == "unix" %}
ProxyPass "/" "unix:/shared/ironic.sock|http://127.0.0.1/"
ProxyPassReverse "/" "unix:/shared/ironic.sock|http://127.0.0.1/"
Expand All @@ -29,14 +27,8 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
ProxyPassReverse "/" "http://127.0.0.1:{{ env.IRONIC_PRIVATE_PORT }}/"
{% endif %}

{% else %}
WSGIDaemonProcess ironic user=ironic group=ironic threads=10 display-name=%{GROUP}
WSGIScriptAlias / /usr/bin/ironic-api-wsgi
{% endif %}

SetEnv APACHE_RUN_USER ironic
SetEnv APACHE_RUN_GROUP ironic
WSGIProcessGroup ironic

ErrorLog /dev/stderr
LogLevel debug
Expand All @@ -49,7 +41,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
SSLCertificateKeyFile {{ env.IRONIC_KEY_FILE }}
{% endif %}

{% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}
<Location />
{% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
AuthType Basic
Expand All @@ -58,22 +49,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
Require valid-user
{% endif %}
</Location>
{% else %}
<Directory /usr/bin >
WSGIProcessGroup ironic
WSGIApplicationGroup %{GLOBAL}
AllowOverride None

{% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
AuthType Basic
AuthName "Restricted WSGI area"
AuthUserFile "/etc/ironic/htpasswd"
Require valid-user
{% else %}
Require all granted
{% endif %}
</Directory>
{% endif %}

<Location ~ "^/(v1/?)?$" >
Require all granted
1 change: 0 additions & 1 deletion ironic-config/httpd-modules.conf
Expand Up @@ -5,7 +5,6 @@ LoadModule dir_module modules/mod_dir.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule wsgi_module modules/mod_wsgi_python3.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule env_module modules/mod_env.so
LoadModule proxy_module modules/mod_proxy.so
15 changes: 1 addition & 14 deletions ironic-config/ironic.conf.j2
Expand Up @@ -25,14 +25,7 @@ use_stderr = true
# NOTE(dtantsur): the default md5 is not compatible with FIPS mode
hash_ring_algorithm = sha256
my_ip = {{ env.IRONIC_IP }}
{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
# if access is unauthenticated, we bind only to localhost - use that as the
# host name also, so that the client can find the server
# If we run both API and conductor in the same pod, use localhost
host = localhost
{% else %}
host = {{ env.IRONIC_CONDUCTOR_HOST }}
{% endif %}

# If a path to a certificate is defined, use that first for webserver
{% if env.WEBSERVER_CACERT_FILE %}
Expand Down Expand Up @@ -189,15 +182,9 @@ cipher_suite_versions = 3,17
# authentication over localhost, using the same credentials as API, to prevent
# unauthenticated connections from other processes in the same host since the
# containers are in host networking.
auth_strategy = {{ env.JSON_RPC_AUTH_STRATEGY }}
auth_strategy = http_basic
http_basic_auth_user_file = /etc/ironic/htpasswd-rpc
{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
# if access is unauthenticated, we bind only to localhost - use that as the
# host name also, so that the client can find the server
host_ip = localhost
{% else %}
host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
{% endif %}
{% if env.IRONIC_TLS_SETUP == "true" %}
use_ssl = true
cafile = {{ env.IRONIC_CACERT_FILE }}
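Review bot: The comment kept above `auth_strategy = http_basic` still describes authentication "over localhost", but with the localhost-only branch removed `host_ip` is now always `::` or `IRONIC_IP`, while `use_ssl = true` is emitted only when `IRONIC_TLS_SETUP == "true"`. With TLS off, the client's Basic credentials would travel unencrypted on whatever interface `IRONIC_IP` names, so the template should say so where operators will read it, for example `# Basic auth credentials are sent in cleartext unless IRONIC_TLS_SETUP is "true"; enable TLS whenever JSON RPC is exposed`. If that combination is not meant to be supported, a startup check that refuses `IRONIC_EXPOSE_JSON_RPC=true` without TLS would enforce it. Whether this section is rendered at all when JSON RPC is disabled is decided outside the visible hunk.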
1 change: 0 additions & 1 deletion main-packages-list.txt
Expand Up @@ -8,7 +8,6 @@ iproute
mod_ssl
procps
python3-jinja2
python3-mod_wsgi
qemu-img
sqlite
syslinux-nonlinux
23 changes: 13 additions & 10 deletions scripts/auth-common.sh
Expand Up @@ -4,10 +4,16 @@ set -euxo pipefail

export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
export INSPECTOR_HTPASSWD=${INSPECTOR_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
export IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}"
export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}

# Backward compatibility
if [[ "${IRONIC_DEPLOYMENT:-}" == "Conductor" ]]; then
export IRONIC_EXPOSE_JSON_RPC=true
else
export IRONIC_EXPOSE_JSON_RPC="${IRONIC_EXPOSE_JSON_RPC:-false}"
fi

IRONIC_HTPASSWD_FILE=/etc/ironic/htpasswd
INSPECTOR_HTPASSWD_FILE=/etc/ironic-inspector/htpasswd

Expand All @@ -16,22 +22,19 @@ configure_client_basic_auth()
local auth_config_file="/auth/$1/auth-config"
local dest="${2:-/etc/ironic/ironic.conf}"
if [[ -f "${auth_config_file}" ]]; then
# Merge configurations in the "auth" directory into the default ironic configuration file because there is no way to choose the configuration file
# when running the api as a WSGI app.
# Merge configurations in the "auth" directory into the default ironic configuration file
crudini --merge "${dest}" < "${auth_config_file}"
fi
}

configure_json_rpc_auth()
{
export JSON_RPC_AUTH_STRATEGY="noauth"
if [[ -n "${IRONIC_HTPASSWD}" ]]; then
if [[ "${IRONIC_DEPLOYMENT}" == "Conductor" ]]; then
export JSON_RPC_AUTH_STRATEGY="http_basic"
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
else
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
if [[ "${IRONIC_EXPOSE_JSON_RPC}" == "true" ]]; then
if [[ -z "${IRONIC_HTPASSWD}" ]]; then
echo "FATAL: enabling JSON RPC requires authentication"
exit 1
fi
printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
fi
}

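Review bot: In `configure_json_rpc_auth` the new `[[ -z "${IRONIC_HTPASSWD}" ]]` test and the `printf` both expand the htpasswd entry while the script runs under `set -euxo pipefail` (shown in the first hunk header), so xtrace copies the entry into the container log on every start. Turning tracing off around those lines (`set +x` before the test, `set -x` after the write) would keep the hash out of the logs. The `>` redirect also creates `${IRONIC_HTPASSWD_FILE}-rpc` with the ambient umask; unless that is tightened somewhere not visible here, setting a restrictive mode explicitly after the write would be safer. The fatal message should go to stderr, `echo "FATAL: enabling JSON RPC requires authentication" >&2`.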
2 changes: 0 additions & 2 deletions scripts/configure-ironic.sh
Expand Up @@ -2,7 +2,6 @@

set -euxo pipefail

IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}"
IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}"

# Define the VLAN interfaces to be included in introspection report, e.g.
Expand Down Expand Up @@ -38,7 +37,6 @@ fi
export NUMWORKERS=${NUMWORKERS:-$NUMPROC}

export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true}
export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-true}

# Whether to enable fast_track provisioning or not
export IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true}
4 changes: 1 addition & 3 deletions scripts/runironic
@@ -1,9 +1,7 @@
#!/usr/bin/bash

# These settings must go before configure-ironic since it has different
# defaults.
# This setting must go before configure-ironic since it has different defaults.
export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-false}

# shellcheck disable=SC1091
. /bin/configure-ironic.sh
13 changes: 0 additions & 13 deletions scripts/runironic-api

This file was deleted.

20 changes: 0 additions & 20 deletions scripts/runironic-conductor

This file was deleted.
