Apache webserver handles TLS on Ironic by namnx228 · Pull Request #728 · metal3-io/baremetal-operator

namnx228 · 2020-11-23T12:13:06Z

This PR let Apache web server handle TLS on Ironic
Related PRs:
metal3-io/ironic-image#230 (This PR needs to be merged before the current PR can pass the CI)
metal3-io/ironic-inspector-image#70

dhellmann · 2020-11-30T21:41:28Z

Do we want to use a "reverse proxy" or mod_wsgi? @dtantsur what is the recommendation for deploying Ironic outside of kubernetes?

If we don't want to use mod_wsgi, is there any reason not to use a sidecar for the TLS proxy?

namnx228 · 2020-12-01T11:51:16Z

/assign @maelk
/cc @dtantsur
/cc @derekhiggins
/cc @fmuyassarov
/cc @furkatgofurov7
/cc @zaneb

namnx228 · 2020-12-01T11:56:43Z

Do we want to use a "reverse proxy" or mod_wsgi? @dtantsur what is the recommendation for deploying Ironic outside of kubernetes?

If we don't want to use mod_wsgi, is there any reason not to use a sidecar for the TLS proxy?

@dhellmann Yes, we use mod_wsgi for Ironic-api, and use proxy for Ironic-conductor and ironic inspector. The proxy is deployed in the same container with the application (the conductor, the inspector) to improve security.

kashifest · 2021-03-15T09:46:02Z

            - configMapRef:
                name: ironic-bmo-configmap
+        - name: httpd-reverse-proxy
+          image: quay.io/metal3-io/ironic-inspector


Should it be inspector image or ironic image?

I think I got the answer. It was added here metal3-io/ironic-inspector-image@7e2757d#diff-9f9f6a924db88783257f0da0c2ae75be9d01b5b1ea71d522caaafab42362392f

kashifest · 2021-03-15T09:51:45Z

/lgtm

maelk · 2021-03-16T11:32:59Z

-        - name: ironic-httpd
-          image: quay.io/metal3-io/ironic
-          imagePullPolicy: Always
-          securityContext:
-             capabilities:
-               add: ["NET_ADMIN"]
-          command:
-            - /bin/runhttpd
-          volumeMounts:
-            - mountPath: /shared
-              name: ironic-data-volume
-          envFrom:
-            - configMapRef:
-                name: ironic-bmo-configmap


you should not remove this. This is the webserver for IPA image and other PXE related files

@maelk I remove it because the httpd server which works as a WSGI server inside the ironic-api pod will also serve the IPA image.

maelk · 2021-03-16T15:10:48Z

/lgtm

namnx228 · 2021-03-16T15:12:52Z

/assign @dtantsur

namnx228 · 2021-03-17T07:40:52Z

/test-integration
/test-centos-integration

furkatgofurov7

/lgtm

Add option to let Apache web server handle TLS on Ironic and Ironic-inspector sides Force the use of WSGI and remove the httpd container Remove the option to use reverse proxy for inspector Add option to use reverse proxy on ironic inspector

namnx228 · 2021-03-17T12:21:05Z

/test-integration
/test-centos-integration

metal3-io-bot · 2021-03-17T12:57:45Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: elfosardo, maelk, namnx228

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [maelk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

kashifest · 2021-03-17T13:15:49Z

/lgtm

namnx228 · 2021-03-17T13:22:09Z

Thanks very much everyone for your review and approval.

Now that metal3-io/baremetal-operator#728 has merged, we can remove net-tools installation command.

Now that metal3-io/baremetal-operator#728 has merged, we can remove net-tools installation command and the netstat entry in runironic-api.

metal3-io-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 23, 2020

namnx228 mentioned this pull request Nov 23, 2020

Apache reverse proxy metal3-io/ironic-inspector-image#70

Merged

metal3-io-bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Nov 23, 2020

namnx228 mentioned this pull request Nov 23, 2020

WIP: Apache webserver handles TLS on Ironic and Ironic-inspector sides metal3-io/metal3-dev-env#562

Closed

namnx228 mentioned this pull request Dec 1, 2020

Run ironic-api as WSGI when standalone with TLS capability metal3-io/ironic-image#230

Merged

namnx228 force-pushed the ironic-apache-reverse-proxy-nam branch from eb51cfe to ae9fbe5 Compare December 1, 2020 11:21

namnx228 changed the title ~~WIP: Apache reverse proxy~~ Apache webserver handles TLS on Ironic and Ironic-inspector sides Dec 1, 2020

metal3-io-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 1, 2020

namnx228 force-pushed the ironic-apache-reverse-proxy-nam branch from ae9fbe5 to 0cf4650 Compare December 1, 2020 11:27

metal3-io-bot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Dec 1, 2020

namnx228 force-pushed the ironic-apache-reverse-proxy-nam branch 2 times, most recently from 1f7eee3 to 647b7f9 Compare December 1, 2020 11:30

metal3-io-bot assigned maelk Dec 1, 2020

metal3-io-bot requested review from derekhiggins, dtantsur, fmuyassarov, furkatgofurov7 and zaneb December 1, 2020 11:51

namnx228 force-pushed the ironic-apache-reverse-proxy-nam branch from 647b7f9 to 0002778 Compare December 16, 2020 16:34

metal3-io-bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Dec 16, 2020

namnx228 changed the title ~~Apache webserver handles TLS on Ironic and Ironic-inspector sides~~ WIP: Apache webserver handles TLS on Ironic and Ironic-inspector sides Dec 16, 2020

metal3-io-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 16, 2020

namnx228 force-pushed the ironic-apache-reverse-proxy-nam branch 2 times, most recently from a3378c0 to b866e68 Compare January 11, 2021 10:21

namnx228 changed the title ~~WIP: Apache webserver handles TLS on Ironic and Ironic-inspector sides~~ Apache webserver handles TLS on Ironic Jan 11, 2021

kashifest reviewed Mar 15, 2021

View reviewed changes

metal3-io-bot added the lgtm Indicates that a PR is ready to be merged. label Mar 15, 2021

maelk suggested changes Mar 16, 2021

View reviewed changes

maelk self-requested a review March 16, 2021 15:10

metal3-io-bot assigned dtantsur Mar 16, 2021

namnx228 force-pushed the ironic-apache-reverse-proxy-nam branch from 6758178 to 04f0acb Compare March 17, 2021 07:39

metal3-io-bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 17, 2021

elfosardo approved these changes Mar 17, 2021

View reviewed changes

Comment thread tools/deploy.sh Outdated

Comment thread tools/run_local_ironic.sh

furkatgofurov7 reviewed Mar 17, 2021

View reviewed changes

metal3-io-bot added the lgtm Indicates that a PR is ready to be merged. label Mar 17, 2021

namnx228 force-pushed the ironic-apache-reverse-proxy-nam branch from 04f0acb to 6cfc9b4 Compare March 17, 2021 12:19

metal3-io-bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 17, 2021

namnx228 force-pushed the ironic-apache-reverse-proxy-nam branch from 6cfc9b4 to cbdff6d Compare March 17, 2021 12:20

maelk approved these changes Mar 17, 2021

View reviewed changes

metal3-io-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 17, 2021

metal3-io-bot added the lgtm Indicates that a PR is ready to be merged. label Mar 17, 2021

metal3-io-bot merged commit 82fd2d7 into metal3-io:master Mar 17, 2021

elfosardo added a commit to elfosardo/ironic-image that referenced this pull request Mar 26, 2021

Remove net-tools installation

d8e9642

Now that metal3-io/baremetal-operator#728 has merged, we can remove net-tools installation command.

elfosardo mentioned this pull request Mar 26, 2021

Remove net-tools installation metal3-io/ironic-image#248

Merged

elfosardo added a commit to elfosardo/ironic-image that referenced this pull request Mar 29, 2021

Remove net-tools installation

62258c2

Now that metal3-io/baremetal-operator#728 has merged, we can remove net-tools installation command and the netstat entry in runironic-api.

elfosardo added a commit to elfosardo/ironic-image that referenced this pull request Mar 29, 2021

Remove net-tools installation

43d81c2

Now that metal3-io/baremetal-operator#728 has merged, we can remove net-tools installation command and the netstat entry in runironic-api.

Conversation

namnx228 commented Nov 23, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

dhellmann commented Nov 30, 2020

Uh oh!

namnx228 commented Dec 1, 2020 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

namnx228 commented Dec 1, 2020

Uh oh!

kashifest Mar 15, 2021

Choose a reason for hiding this comment

Uh oh!

kashifest Mar 15, 2021

Choose a reason for hiding this comment

Uh oh!

kashifest commented Mar 15, 2021

Uh oh!

maelk Mar 16, 2021

Choose a reason for hiding this comment

Uh oh!

namnx228 Mar 16, 2021

Choose a reason for hiding this comment

Uh oh!

maelk commented Mar 16, 2021

Uh oh!

namnx228 commented Mar 16, 2021

Uh oh!

namnx228 commented Mar 17, 2021

Uh oh!

Uh oh!

Uh oh!

furkatgofurov7 left a comment

Choose a reason for hiding this comment

Uh oh!

namnx228 commented Mar 17, 2021

Uh oh!

metal3-io-bot commented Mar 17, 2021

Uh oh!

kashifest commented Mar 17, 2021

Uh oh!

namnx228 commented Mar 17, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

namnx228 commented Nov 23, 2020 •

edited

Loading

namnx228 commented Dec 1, 2020 •

edited

Loading