⚠️ Remove support for API/conductor split

ironic-config/httpd-ironic-api.conf.j2

@@ -19,8 +19,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
  <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}>
 {% endif %}
 
-    {% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}
-
     {% if env.IRONIC_PRIVATE_PORT == "unix" %}
     ProxyPass "/"  "unix:/shared/ironic.sock|http://127.0.0.1/"
     ProxyPassReverse "/"  "unix:/shared/ironic.sock|http://127.0.0.1/"
@@ -29,14 +27,8 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
     ProxyPassReverse "/"  "http://127.0.0.1:{{ env.IRONIC_PRIVATE_PORT }}/"
     {% endif %}
 
-    {% else %}
-    WSGIDaemonProcess ironic user=ironic group=ironic threads=10 display-name=%{GROUP}
-    WSGIScriptAlias / /usr/bin/ironic-api-wsgi
-    {% endif %}
-
     SetEnv APACHE_RUN_USER ironic
     SetEnv APACHE_RUN_GROUP ironic
-    WSGIProcessGroup ironic
 
     ErrorLog /dev/stderr
     LogLevel debug
@@ -49,7 +41,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
     SSLCertificateKeyFile {{ env.IRONIC_KEY_FILE }}
 {% endif %}
 
-    {% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}
     <Location />
          {% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
             AuthType Basic
@@ -58,22 +49,6 @@ Listen {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_LISTEN_PORT }}
             Require valid-user
          {% endif %}
     </Location>
-    {% else %}
-    <Directory /usr/bin >
-        WSGIProcessGroup ironic
-        WSGIApplicationGroup %{GLOBAL}
-        AllowOverride None
-
-        {% if "IRONIC_HTPASSWD" in env and env.IRONIC_HTPASSWD | length %}
-        AuthType Basic
-        AuthName "Restricted WSGI area"
-        AuthUserFile "/etc/ironic/htpasswd"
-        Require valid-user
-        {% else %}
-        Require all granted
-        {% endif %}
-    </Directory>
-    {% endif %}
 
     <Location ~ "^/(v1/?)?$" >
         Require all granted

ironic-config/httpd-modules.conf

@@ -5,7 +5,6 @@ LoadModule dir_module modules/mod_dir.so
 LoadModule authz_core_module modules/mod_authz_core.so
 LoadModule unixd_module modules/mod_unixd.so
 LoadModule mpm_event_module modules/mod_mpm_event.so
-LoadModule wsgi_module modules/mod_wsgi_python3.so
 LoadModule ssl_module modules/mod_ssl.so
 LoadModule env_module modules/mod_env.so
 LoadModule proxy_module modules/mod_proxy.so

ironic-config/ironic.conf.j2

@@ -25,14 +25,7 @@ use_stderr = true
 # NOTE(dtantsur): the default md5 is not compatible with FIPS mode
 hash_ring_algorithm = sha256
 my_ip = {{ env.IRONIC_IP }}
-{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
-# if access is unauthenticated, we bind only to localhost - use that as the
-# host name also, so that the client can find the server
-# If we run both API and conductor in the same pod, use localhost
-host = localhost
-{% else %}
 host = {{ env.IRONIC_CONDUCTOR_HOST }}
-{% endif %}
 
 # If a path to a certificate is defined, use that first for webserver
 {% if env.WEBSERVER_CACERT_FILE %}
@@ -189,15 +182,9 @@ cipher_suite_versions = 3,17
 # authentication over localhost, using the same credentials as API, to prevent
 # unauthenticated connections from other processes in the same host since the
 # containers are in host networking.
-auth_strategy = {{ env.JSON_RPC_AUTH_STRATEGY }}
+auth_strategy = http_basic
 http_basic_auth_user_file = /etc/ironic/htpasswd-rpc
-{% if env.IRONIC_DEPLOYMENT == "Conductor" and env.JSON_RPC_AUTH_STRATEGY == "noauth" %}
-# if access is unauthenticated, we bind only to localhost - use that as the
-# host name also, so that the client can find the server
-host_ip = localhost
-{% else %}
 host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
-{% endif %}
 {% if env.IRONIC_TLS_SETUP == "true" %}
 use_ssl = true
 cafile = {{ env.IRONIC_CACERT_FILE }}

main-packages-list.txt

@@ -8,7 +8,6 @@ iproute
 mod_ssl
 procps
 python3-jinja2
-python3-mod_wsgi
 qemu-img
 sqlite
 syslinux-nonlinux

scripts/auth-common.sh

@@ -4,10 +4,16 @@ set -euxo pipefail
 
 export IRONIC_HTPASSWD=${IRONIC_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
 export INSPECTOR_HTPASSWD=${INSPECTOR_HTPASSWD:-${HTTP_BASIC_HTPASSWD:-}}
-export IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}"
 export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-false}
 export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
 
+# Backward compatibility
+if [[ "${IRONIC_DEPLOYMENT:-}" == "Conductor" ]]; then
+    export IRONIC_EXPOSE_JSON_RPC=true
+else
+    export IRONIC_EXPOSE_JSON_RPC="${IRONIC_EXPOSE_JSON_RPC:-false}"
+fi
+
 IRONIC_HTPASSWD_FILE=/etc/ironic/htpasswd
 INSPECTOR_HTPASSWD_FILE=/etc/ironic-inspector/htpasswd
 
@@ -16,22 +22,19 @@ configure_client_basic_auth()
     local auth_config_file="/auth/$1/auth-config"
     local dest="${2:-/etc/ironic/ironic.conf}"
     if [[ -f "${auth_config_file}" ]]; then
-        # Merge configurations in the "auth" directory into the default ironic configuration file because there is no way to choose the configuration file
-        # when running the api as a WSGI app.
+        # Merge configurations in the "auth" directory into the default ironic configuration file
         crudini --merge "${dest}" < "${auth_config_file}"
     fi
 }
 
 configure_json_rpc_auth()
 {
-    export JSON_RPC_AUTH_STRATEGY="noauth"
-    if [[ -n "${IRONIC_HTPASSWD}" ]]; then
-        if [[ "${IRONIC_DEPLOYMENT}" == "Conductor" ]]; then
-            export JSON_RPC_AUTH_STRATEGY="http_basic"
-            printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
-        else
-            printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}"
+    if [[ "${IRONIC_EXPOSE_JSON_RPC}" == "true" ]]; then
+        if [[ -z "${IRONIC_HTPASSWD}" ]]; then
+            echo "FATAL: enabling JSON RPC requires authentication"
+            exit 1
         fi
+        printf "%s\n" "${IRONIC_HTPASSWD}" > "${IRONIC_HTPASSWD_FILE}-rpc"
     fi
 }
 

scripts/configure-ironic.sh

@@ -2,7 +2,6 @@
 
 set -euxo pipefail
 
-IRONIC_DEPLOYMENT="${IRONIC_DEPLOYMENT:-}"
 IRONIC_EXTERNAL_IP="${IRONIC_EXTERNAL_IP:-}"
 
 # Define the VLAN interfaces to be included in introspection report, e.g.
@@ -38,7 +37,6 @@ fi
 export NUMWORKERS=${NUMWORKERS:-$NUMPROC}
 
 export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-true}
-export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-true}
 
 # Whether to enable fast_track provisioning or not
 export IRONIC_FAST_TRACK=${IRONIC_FAST_TRACK:-true}

scripts/runironic

@@ -1,9 +1,7 @@
 #!/usr/bin/bash
 
-# These settings must go before configure-ironic since it has different
-# defaults.
+# This setting must go before configure-ironic since it has different defaults.
 export IRONIC_USE_MARIADB=${IRONIC_USE_MARIADB:-false}
-export IRONIC_EXPOSE_JSON_RPC=${IRONIC_EXPOSE_JSON_RPC:-false}
 
 # shellcheck disable=SC1091
 . /bin/configure-ironic.sh