metal3-io · metal3-io-bot · Oct 6, 2020 · Sep 21, 2020 · Sep 10, 2020 · Sep 10, 2020
diff --git a/.gitignore b/.gitignore
@@ -82,4 +82,15 @@ tags
 .tiltbuild
 /tilt.d
 tilt-settings.json
-tilt_config.json
+tilt_config.json
+
+*.crt
+*.key
+
+username
+password
+*-htpasswd
+ironic-auth-config
+ironic-inspector-auth-config
+ironic-rpc-auth-config
+HTTP_BASIC_HTPASSWD
diff --git a/cmd/get-hardware-details/main.go b/cmd/get-hardware-details/main.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/gophercloud/gophercloud/openstack/baremetalintrospection/v1/introspection"
 
@@ -21,8 +22,19 @@ type options struct {
 
 func main() {
 	opts := getOptions()
+	ironicTrustedCAFile := os.Getenv("IRONIC_CACERT_FILE")
+	ironicInsecureStr := os.Getenv("IRONIC_INSECURE")
+	ironicInsecure := false
+	if strings.ToLower(ironicInsecureStr) == "true" {
+		ironicInsecure = true
+	}
+
+	tlsConf := clients.TLSConfig{
+		TrustedCAFile:      ironicTrustedCAFile,
+		InsecureSkipVerify: ironicInsecure,
+	}
 
-	inspector, err := clients.InspectorClient(opts.Endpoint, opts.AuthConfig)
+	inspector, err := clients.InspectorClient(opts.Endpoint, opts.AuthConfig, tlsConf)
 	if err != nil {
 		fmt.Printf("could not get inspector client: %s", err)
 		os.Exit(1)

diff --git a/deploy/basic-auth/default/credentials.yaml b/deploy/basic-auth/default/credentials.yaml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: metal3-baremetal-operator
+spec:
+  template:
+    spec:
+      containers:
+      - name: baremetal-operator
+        volumeMounts:
+        - name: ironic-credentials
+          mountPath: "/opt/metal3/auth/ironic"
+          readOnly: true
+        - name: ironic-inspector-credentials
+          mountPath: "/opt/metal3/auth/ironic-inspector"
+          readOnly: true
+      volumes:
+      - name: ironic-credentials
+        secret:
+          secretName: ironic-credentials
+      - name: ironic-inspector-credentials
+        secret:
+          secretName: ironic-inspector-credentials
diff --git a/deploy/basic-auth/default/kustomization.yaml b/deploy/basic-auth/default/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: metal3
+resources:
+- ../../default
+
+secretGenerator:
+  - name: ironic-credentials
+    files:
+    - username=ironic-username
+    - password=ironic-password
+  - name: ironic-inspector-credentials
+    files:
+    - username=ironic-inspector-username
+    - password=ironic-inspector-password
+
+patchesStrategicMerge:
+- credentials.yaml
diff --git a/deploy/basic-auth/tls/credentials.yaml b/deploy/basic-auth/tls/credentials.yaml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: metal3-baremetal-operator
+spec:
+  template:
+    spec:
+      containers:
+      - name: baremetal-operator
+        volumeMounts:
+        - name: ironic-credentials
+          mountPath: "/opt/metal3/auth/ironic"
+          readOnly: true
+        - name: ironic-inspector-credentials
+          mountPath: "/opt/metal3/auth/ironic-inspector"
+          readOnly: true
+      volumes:
+      - name: ironic-credentials
+        secret:
+          secretName: ironic-credentials
+      - name: ironic-inspector-credentials
+        secret:
+          secretName: ironic-inspector-credentials
diff --git a/deploy/basic-auth/tls/kustomization.yaml b/deploy/basic-auth/tls/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: metal3
+resources:
+- ../../tls
+
+secretGenerator:
+  - name: ironic-credentials
+    files:
+    - username=ironic-username
+    - password=ironic-password
+  - name: ironic-inspector-credentials
+    files:
+    - username=ironic-inspector-username
+    - password=ironic-inspector-password
+
+patchesStrategicMerge:
+- credentials.yaml
diff --git a/deploy/tls/kustomization.yaml b/deploy/tls/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: metal3
+resources:
+- ../default
+
+secretGenerator:
+  - name: ironic-cacert
+    files:
+    - crt=ca.crt
+
+patchesStrategicMerge:
+- tls_ca.yaml
diff --git a/deploy/tls/tls_ca.yaml b/deploy/tls/tls_ca.yaml
@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: metal3-baremetal-operator
+spec:
+  template:
+    spec:
+      containers:
+      - name: baremetal-operator
+        volumeMounts:
+          - name: cacert
+            mountPath: "/opt/metal3/certs/ca"
+            readOnly: true
+      volumes:
+      - name: cacert
+        secret:
+          secretName: ironic-cacert
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -16,6 +16,11 @@ Ironic.
 `IRONIC_INSPECTOR_ENDPOINT` -- The URL for the operator to use when talking to
 Ironic Inspector.
 
+`IRONIC_CACERT_FILE` -- The path of the CA certificate file of Ironic, if needed
+
+`IRONIC_INSECURE` -- ("True", "False") Whether to skip the ironic certificate
+validation. It is highly recommend to not set it to True.
+
 `BMO_CONCURRENCY` -- The number of concurrent reconciles performed by the
 Operator. Default is 3.
 

diff --git a/docs/deploying.md b/docs/deploying.md
@@ -35,6 +35,9 @@ deploy/
 │   ├── role_binding.yaml
 │   ├── role.yaml
 │   └── service_account.yaml
+├── tls
+│   ├── kustomization.yaml
+│   └── tls_ca.yaml
 └── role.yaml -> rbac/role.yaml
 ```
 
@@ -66,31 +69,51 @@ namely `default`,  `ironic` and `keepalived`. `default` and `ironic` deploy
 only ironic, `keepalived` deploys the ironic with keepalived. As the name
 implies, `keepalived/keepalived_patch.yaml` patches the default image URL
 through kustomization.
-The user should run following commands to be able to meet requirements of each
-use case as provided below:
-
-### Commands to deploy baremetal-operator with Ironic
-
-```diff
-kustomize build $BMOPATH/deploy/default | kubectl apply -f-
-kustomize build $BMOPATH/ironic-deployment/default | kubectl apply -f-
-```
 
-### Command to deploy baremetal-operator without Ironic
-
-```diff
-kustomize build $BMOPATH/deploy/default | kubectl apply -f-
+## Deployment commands
+
+There is a useful deployment script that configures and deploys BareMetal
+Operator and Ironic. It requires some variables :
+
+- IRONIC_HOST : domain name for Ironic and inspector
+- IRONIC_HOST_IP : IP on which Ironic and inspector are listening
+
+In addition you can configure the following variables. They are **optional**.
+If you leave them unset, then passwords and certificates will be generated
+for you.
+
+- KUBECTL_ARGS : Additional arguments to kubectl apply
+- IRONIC_USERNAME : username for ironic
+- IRONIC_PASSWORD : password for ironic
+- IRONIC_INSPECTOR_USERNAME : username for inspector
+- IRONIC_INSPECTOR_PASSWORD : password for inspector
+- IRONIC_CACERT_FILE : CA certificate path for ironic
+- IRONIC_CAKEY_FILE : CA certificate key path, unneeded if ironic
+  certificates exist
+- IRONIC_CERT_FILE : Ironic certificate path
+- IRONIC_KEY_FILE : Ironic certificate key path
+- IRONIC_INSPECTOR_CERT_FILE : Inspector certificate path
+- IRONIC_INSPECTOR_KEY_FILE : Inspector certificate key path
+- IRONIC_INSPECTOR_CACERT_FILE : CA certificate path for inspector, defaults to
+  IRONIC_CACERT_FILE
+- IRONIC_INSPECTOR_CAKEY_FILE : CA certificate key path, unneeded if inspector
+  certificates exist
+
+Then run :
+
+```sh
+./tools/deploy.sh <deploy-BMO> <deploy-Ironic> <deploy-TLS> <deploy-Basic-Auth> <deploy-Keepalived>
 ```
 
-### Command to deploy only Ironic
-
-```diff
-kustomize build $BMOPATH/ironic-deployment/default | kubectl apply -f-
-```
+- `deploy-BMO` : deploy BareMetal Operator : "true" or "false"
+- `deploy-Ironic` : deploy Ironic : "true" or "false"
+- `deploy-TLS` : deploy with TLS enabled : "true" or "false"
+- `deploy-Basic-Auth` : deploy with Basic Auth enabled : "true" or "false"
+- `deploy-Keepalived` : deploy with Keepalived for ironic : "true" or "false"
 
-where $BMOPATH points to the baremetal-operator path.
+This will deploy BMO and / or Ironic with the proper configuration.
 
-#### Useful tips
+## Useful tips
 
 It is worth mentioning some tips for when the different configurations are
 useful as well. For example:

diff --git a/go.mod b/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.7.1
 	github.com/stretchr/testify v1.6.1
+	go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738
 	k8s.io/api v0.19.0
 	k8s.io/apimachinery v0.19.0
 	k8s.io/client-go v0.19.0

diff --git a/go.sum b/go.sum
@@ -65,6 +65,7 @@ github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHo
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
@@ -373,6 +374,7 @@ github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738 h1:VcrIfasaLFkyjk6KNlXQSzO+B0fZcnECiDrKJsfxka0=
 go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
 go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
 go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=

diff --git a/ironic-deployment/basic-auth/default/auth.yaml b/ironic-deployment/basic-auth/default/auth.yaml
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: metal3-ironic
+spec:
+  template:
+    spec:
+      containers:
+      - name: ironic-api
+        volumeMounts:
+        - name: ironic-rpc-auth-config
+          mountPath: "/auth/ironic-rpc"
+          readOnly: true
+        envFrom:
+        - configMapRef:
+            name: ironic-htpasswd
+        - configMapRef:
+            name: ironic-bmo-configmap
+      - name: ironic-conductor
+        volumeMounts:
+        - name: ironic-inspector-auth-config
+          mountPath: "/auth/ironic-inspector"
+          readOnly: true
+        - name: ironic-rpc-auth-config
+          mountPath: "/auth/ironic-rpc"
+          readOnly: true
+        envFrom:
+        - configMapRef:
+            name: ironic-htpasswd
+        - configMapRef:
+            name: ironic-bmo-configmap
+      - name: ironic-inspector
+        volumeMounts:
+        - name: ironic-auth-config
+          mountPath: "/auth/ironic"
+          readOnly: true
+        envFrom:
+        - configMapRef:
+            name: ironic-inspector-htpasswd
+        - configMapRef:
+            name: ironic-bmo-configmap
+      volumes:
+      - name: ironic-auth-config
+        secret:
+          secretName: ironic-auth-config
+      - name: ironic-inspector-auth-config
+        secret:
+          secretName: ironic-inspector-auth-config
+      - name: ironic-rpc-auth-config
+        secret:
+          secretName: ironic-rpc-auth-config
diff --git a/ironic-deployment/basic-auth/default/kustomization.yaml b/ironic-deployment/basic-auth/default/kustomization.yaml
@@ -0,0 +1,29 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: metal3
+resources:
+- ../../default
+
+configMapGenerator:
+- behavior: create
+  envs:
+  - ironic-htpasswd
+  name: ironic-htpasswd
+- behavior: create
+  envs:
+  - ironic-inspector-htpasswd
+  name: ironic-inspector-htpasswd
+
+secretGenerator:
+- name: ironic-auth-config
+  files:
+  - auth-config=ironic-auth-config
+- name: ironic-inspector-auth-config
+  files:
+  - auth-config=ironic-inspector-auth-config
+- name: ironic-rpc-auth-config
+  files:
+  - auth-config=ironic-rpc-auth-config
+
+patchesStrategicMerge:
+- auth.yaml
diff --git a/ironic-deployment/basic-auth/ironic-auth-config-tpl b/ironic-deployment/basic-auth/ironic-auth-config-tpl
@@ -0,0 +1,4 @@
+[ironic]
+auth_type=http_basic
+username=${IRONIC_USERNAME}
+password=${IRONIC_PASSWORD}
diff --git a/ironic-deployment/basic-auth/ironic-inspector-auth-config-tpl b/ironic-deployment/basic-auth/ironic-inspector-auth-config-tpl
@@ -0,0 +1,4 @@
+[inspector]
+auth_type=http_basic
+username=${IRONIC_INSPECTOR_USERNAME}
+password=${IRONIC_INSPECTOR_PASSWORD}
diff --git a/ironic-deployment/basic-auth/ironic-rpc-auth-config-tpl b/ironic-deployment/basic-auth/ironic-rpc-auth-config-tpl
@@ -0,0 +1,6 @@
+[json_rpc]
+auth_type=http_basic
+username=${IRONIC_USERNAME}
+password=${IRONIC_PASSWORD}
+http_basic_username=${IRONIC_USERNAME}
+http_basic_password=${IRONIC_PASSWORD}