Stop reading ironic API passwords from env vars

Signed-off-by: Mahnoor Asghar <[email protected]>
metal3-io · Mar 25, 2024 · d9779be · d9779be
1 parent 2bfb898
commit d9779be
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 16 deletions.
diff --git a/scripts/auth-common.sh b/scripts/auth-common.sh
@@ -2,8 +2,6 @@
 
 set -euxo pipefail
 
-export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
-export INSPECTOR_HTPASSWD=${INSPECTOR_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
 export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
 export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
 
@@ -16,6 +14,24 @@ fi
 
 IRONIC_HTPASSWD_FILE=/etc/ironic/htpasswd
 INSPECTOR_HTPASSWD_FILE=/etc/ironic-inspector/htpasswd
+yaml() {
+        python3 -c "import yaml;
+try:
+    print(yaml.safe_load(open('$1'))$2)
+except:
+    print('')"
+}
+
+IRONIC_HTPASSWD=$(yaml ${IRONIC_HTPASSWD_FILE} "['data']['htpasswd']")
+IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
+if [[ -n "${IRONIC_HTPASSWD}" ]]; then
+    export IRONIC_HTPASSWD
+fi
+INSPECTOR_HTPASSWD=$(yaml ${INSPECTOR_HTPASSWD_FILE} "['data']['htpasswd']")
+INSPECTOR_HTPASSWD=${INSPECTOR_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
+if [[ -n "${INSPECTOR_HTPASSWD}" ]]; then
+    export INSPECTOR_HTPASSWD
+fi
 
 configure_client_basic_auth()
 {
@@ -43,7 +59,6 @@ configure_ironic_auth()
     local config=/etc/ironic/ironic.conf
     # Configure HTTP basic auth for API server
     if [[ -n "${IRONIC_HTPASSWD}" ]]; then
-        printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
         if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "false" ]]; then
             crudini --set "${config}" DEFAULT auth_strategy http_basic
             crudini --set "${config}" DEFAULT http_basic_auth_user_file "${IRONIC_HTPASSWD_FILE}"
@@ -55,20 +70,9 @@ configure_inspector_auth()
 {
     local config=/etc/ironic-inspector/ironic-inspector.conf
     if [[ -n "${INSPECTOR_HTPASSWD}" ]]; then
-        printf "%s\n" "${INSPECTOR_HTPASSWD}" > "${INSPECTOR_HTPASSWD_FILE}"
         if [[ "${INSPECTOR_REVERSE_PROXY_SETUP}" == "false" ]]; then
             crudini --set "${config}" DEFAULT auth_strategy http_basic
             crudini --set "${config}" DEFAULT http_basic_auth_user_file "${INSPECTOR_HTPASSWD_FILE}"
         fi
     fi
 }
-
-write_htpasswd_files()
-{
-    if [[ -n "${IRONIC_HTPASSWD:-}" ]]; then
-        printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
-    fi
-    if [[ -n "${INSPECTOR_HTPASSWD:-}" ]]; then
-        printf "%s\n" "${INSPECTOR_HTPASSWD}" > "${INSPECTOR_HTPASSWD_FILE}"
-    fi
-}
diff --git a/scripts/runhttpd b/scripts/runhttpd
@@ -68,8 +68,6 @@ else
     export IRONIC_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
 fi
 
-write_htpasswd_files
-
 # Render httpd TLS configuration for /shared/html/<redifsh;ilo>
 if [[ "$IRONIC_VMEDIA_TLS_SETUP" == "true" ]]; then
     render_j2_config /etc/httpd-vmedia.conf.j2 /etc/httpd/conf.d/vmedia.conf