From 7e2757d890917dc7256bbae1b23fed00c8e74b73 Mon Sep 17 00:00:00 2001 From: Nam Xuan Nguyen Date: Fri, 22 Jan 2021 11:05:50 +0200 Subject: [PATCH] Add an option to let a reverse proxy handling TLS --- Dockerfile | 3 +++ inspector-apache.conf.j2 | 43 +++++++++++++++++++++++++++++++++++++ ironic-inspector.conf.j2 | 9 ++++++-- main-packages-list.txt | 4 +++- scripts/runhttpd | 42 ++++++++++++++++++++++++++++++++++++ scripts/runironic-inspector | 18 ++++++++++------ 6 files changed, 110 insertions(+), 9 deletions(-) create mode 100644 inspector-apache.conf.j2 create mode 100755 scripts/runhttpd diff --git a/Dockerfile b/Dockerfile index cae3396..119a564 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,6 +11,9 @@ RUN prepare-image.sh && \ COPY ironic-inspector.conf.j2 /etc/ironic-inspector/ COPY scripts/ /bin/ +COPY ./inspector-apache.conf.j2 /etc/httpd/conf.d/ironic-inspector.conf.j2 HEALTHCHECK CMD /bin/runhealthcheck +RUN rm /etc/httpd/conf.d/ssl.conf -f +RUN chmod +x /bin/runironic-inspector ENTRYPOINT ["/bin/runironic-inspector"] diff --git a/inspector-apache.conf.j2 b/inspector-apache.conf.j2 new file mode 100644 index 0000000..4bff0d7 --- /dev/null +++ b/inspector-apache.conf.j2 
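Review bot: `RUN chmod +x /bin/runironic-inspector` looks redundant: the file header for scripts/runironic-inspector in this patch shows mode 100755 and `COPY scripts/ /bin/` keeps the source mode bits, so the script is presumably already executable in the image; if it stays, fold it into the neighbouring `RUN` so it does not cost an extra layer. `RUN rm /etc/httpd/conf.d/ssl.conf -f` places the option after the operand, which only works because GNU rm permutes arguments; `RUN rm -f /etc/httpd/conf.d/ssl.conf` is the conventional order. Removing the stock mod_ssl config is presumably done so its default TLS vhost does not load next to the inspector vhost, and a one-line comment would save the next reader the guess, e.g. `# drop the default mod_ssl vhost; TLS is served by the inspector vhost from ironic-inspector.conf.j2`.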
@@ -0,0 +1,43 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + + +Listen 5050 + + ProxyPass "/" "http://127.0.0.1:5049/" + ProxyPassReverse "/" "http://127.0.0.1:5049/" + + SetEnv APACHE_RUN_USER ironic-inspector + SetEnv APACHE_RUN_GROUP ironic-inspector + + ErrorLog /dev/stdout + LogLevel debug + CustomLog /dev/stdout combined + + ServerName 172.22.0.2 + + SSLEngine On + SSLCertificateFile {{ env.IRONIC_INSPECTOR_CERT_FILE }} + SSLCertificateKeyFile {{ env.IRONIC_INSPECTOR_KEY_FILE }} + + + + {% if "HTTP_BASIC_HTPASSWD" in env and env.HTTP_BASIC_HTPASSWD | length %} + AuthType Basic + AuthName "Restricted area" + AuthUserFile "/etc/ironic-inspector/htpasswd" + Require valid-user + {% endif %} + + + + diff --git a/ironic-inspector.conf.j2 b/ironic-inspector.conf.j2 index b20a2e0..c3cb8bc 100644 --- a/ironic-inspector.conf.j2 +++ b/ironic-inspector.conf.j2 @@ -3,9 +3,14 @@ auth_strategy = noauth debug = true transport_url = fake:// use_stderr = true +{% if env.INSPECTOR_REVERSE_PROXY_SETUP == "true" %} +listen_port = 5049 +listen_address = 127.0.0.1 +{% else %} listen_address = :: +{% endif %} host = {{ env.IRONIC_IP }} -{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %} +{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" and env.INSPECTOR_REVERSE_PROXY_SETUP == "false" %} use_ssl = true {% endif %} 
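Review bot: `ServerName 172.22.0.2` is the only hard-coded deployment value in a template that otherwise reads everything from `env`; it should be `ServerName {{ env.IRONIC_IP }}`, the variable the ironic-inspector.conf.j2 hunk already uses for `host`, so the vhost matches the address the service is actually reachable on. `LogLevel debug` writes verbose per-request output to stdout for every deployment; `LogLevel warn` is the usual production default, or make the level configurable through an env variable. The TLS block sets only the certificate and key, so protocol versions and cipher suites are whatever mod_ssl defaults to in the base image; unless the image's crypto policy already pins a floor, add `SSLProtocol -all +TLSv1.2 +TLSv1.3` next to `SSLEngine On`, adjusted to what the shipped httpd supports. The enclosing VirtualHost and Location container directives do not appear in this rendering of the hunk, most likely stripped as markup, so confirm in the committed file that the `ProxyPass` and `Require valid-user` blocks are scoped as intended.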
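Review bot: The new guard `env.IRONIC_INSPECTOR_TLS_SETUP == "true" and env.INSPECTOR_REVERSE_PROXY_SETUP == "false"` fails in the wrong direction: any value other than the exact string "false" (unset, "False", "0") disables `use_ssl`, while the `listen_port = 5049` branch above only fires on the exact string "true", so a mistyped value leaves inspector on `::`/5050 with TLS off even though the certificate is present. Comparing against the positive value, `and env.INSPECTOR_REVERSE_PROXY_SETUP != "true"`, makes both branches consistent and keeps TLS on by default. The same comparison recurs in the `[ssl]` hunk (`@@ -45,7 +50,7 @@`) and should change there too. The run scripts in this patch export a default for the variable before rendering, but the template should not depend on that.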
@@ -45,7 +50,7 @@ driver = noop auth_type = none endpoint_override = {{ env.IRONIC_INSPECTOR_BASE_URL }} -{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %} +{% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" and env.INSPECTOR_REVERSE_PROXY_SETUP == "false" %} [ssl] cert_file = {{ env.IRONIC_INSPECTOR_CERT_FILE }} key_file = {{ env.IRONIC_INSPECTOR_KEY_FILE }} diff --git a/main-packages-list.txt b/main-packages-list.txt index ae98201..9841c3b 100644 --- a/main-packages-list.txt +++ b/main-packages-list.txt @@ -2,4 +2,6 @@ crudini iproute openstack-ironic-inspector psmisc -sqlite \ No newline at end of file +sqlite +httpd +mod_ssl diff --git a/scripts/runhttpd b/scripts/runhttpd new file mode 100755 index 0000000..be98fea --- /dev/null +++ b/scripts/runhttpd 
@@ -0,0 +1,42 @@
+#!/usr/bin/bash
+
+APACHE_CONFIG=/etc/httpd/conf.d/ironic-inspector.conf
+
+export IRONIC_INSPECTOR_CERT_FILE=/certs/ironic-inspector/tls.crt
+export IRONIC_INSPECTOR_KEY_FILE=/certs/ironic-inspector/tls.key
+export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-"false"}
+
+if [ -f "$IRONIC_INSPECTOR_CERT_FILE" ] && [ ! -f "$IRONIC_INSPECTOR_KEY_FILE" ] ; then
+ echo "Missing TLS Certificate key file /certs/ironic-inspector/tls.key"
+ exit 1
+fi
+if [ ! -f "$IRONIC_INSPECTOR_CERT_FILE" ] && [ -f "$IRONIC_INSPECTOR_KEY_FILE" ] ; then
+ echo "Missing TLS Certificate file /certs/ironic-inspector/tls.crt"
+ exit 1
+fi
+
+if [ -f "$IRONIC_INSPECTOR_CERT_FILE" ]; then
+ export IRONIC_INSPECTOR_TLS_SETUP="true"
+else
+ export IRONIC_INSPECTOR_TLS_SETUP="false"
+ export INSPECTOR_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
+ exit 0
+fi
+
+function build_j2_config() {
+ CONFIG_FILE=$1
+python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < $CONFIG_FILE.j2
+}
+
+# Configure HTTP basic auth for API server
+HTPASSWD_FILE=/etc/ironic-inspector/htpasswd
+if [ -n "${HTTP_BASIC_HTPASSWD}" ]; then
+ printf "%s\n" "${HTTP_BASIC_HTPASSWD}" >"${HTPASSWD_FILE}"
+fi
+
+build_j2_config $APACHE_CONFIG > $APACHE_CONFIG
+sed -i "/Listen 80/c\#Listen 80" /etc/httpd/conf/httpd.conf
+sed -i 's/User apache/User ironic-inspector/g' /etc/httpd/conf/httpd.conf
+sed -i 's/Group apache/Group ironic-inspector/g' /etc/httpd/conf/httpd.conf
+exec /usr/sbin/httpd -DFOREGROUND
+
diff --git a/scripts/runironic-inspector b/scripts/runironic-inspector
index 89159a9..648bad2 100755
--- a/scripts/runironic-inspector
+++ b/scripts/runironic-inspector
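Review bot: `build_j2_config $APACHE_CONFIG > $APACHE_CONFIG` has no error check and the script never enables `set -e`, so a failed render (missing jinja2, template error) leaves an empty or truncated /etc/httpd/conf.d/ironic-inspector.conf and `exec /usr/sbin/httpd -DFOREGROUND` still runs, possibly with no TLS vhost on 5050 at all; add `set -euo pipefail` after the shebang or at least `build_j2_config "$APACHE_CONFIG" > "$APACHE_CONFIG" || exit 1`. The script also never consults INSPECTOR_REVERSE_PROXY_SETUP before starting httpd: with a certificate present but the variable "false", inspector itself listens on `::`/5050 per ironic-inspector.conf.j2, so an httpd started here would compete for the same port; unless the caller already gates runhttpd, guard it with `[ "$INSPECTOR_REVERSE_PROXY_SETUP" = "true" ] || exit 0`. The certificate checks and `build_j2_config` are copied verbatim from scripts/runironic-inspector, and a shared sourced helper would keep the two from drifting. `CONFIG_FILE=$1` inside the function should be `local`.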
@@ -11,6 +11,7 @@ export IRONIC_INSECURE=${IRONIC_INSECURE:-false} export IRONIC_INSPECTOR_CACERT_FILE=/certs/ca/ironic-inspector/tls.crt export IRONIC_INSPECTOR_CERT_FILE=/certs/ironic-inspector/tls.crt export IRONIC_INSPECTOR_KEY_FILE=/certs/ironic-inspector/tls.key +export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-"false"} if [ -f "$IRONIC_INSPECTOR_CERT_FILE" ] && [ ! -f "$IRONIC_INSPECTOR_KEY_FILE" ] ; then echo "Missing TLS Certificate key file /certs/ironic-inspector/tls.key" @@ -34,6 +35,7 @@ if [ -f "$IRONIC_INSPECTOR_CERT_FILE" ]; then else export IRONIC_INSPECTOR_TLS_SETUP="false" export IRONIC_INSPECTOR_BASE_URL="http://${IRONIC_URL_HOST}:5050" + export INSPECTOR_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy fi if [ -f "$IRONIC_CERT_FILE" ] || [ -f "$IRONIC_CACERT_FILE" ]; then 
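Review bot: `export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-"false"}` only supplies a default and does not validate the value, yet the templates compare it literally against both strings (`listen_port = 5049` on `== "true"`, `use_ssl = true` only on `== "false"`), so an operator value such as "True" or "1" takes neither branch and inspector ends up on `::`/5050 without TLS while the certificate is present. Normalise right after the export, e.g. `[ "$INSPECTOR_REVERSE_PROXY_SETUP" = "true" ] || export INSPECTOR_REVERSE_PROXY_SETUP="false"`, or reject anything other than the two accepted values. The forced `"false"` in the no-TLS branch of the second hunk is sound and already carries a comment; the new default line deserves one too, e.g. `# "true": httpd (runhttpd) terminates TLS on 5050 and proxies to inspector on 127.0.0.1:5049`.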
@@ -47,26 +49,30 @@ else export IRONIC_BASE_URL="http://${IRONIC_URL_HOST}:6385" fi - cp $CONFIG $CONFIG.orig function build_j2_config() { -python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < $CONFIG.j2 + CONFIG_FILE=$1 +python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < $CONFIG_FILE.j2 } # Merge with the original configuration file from the package. -build_j2_config | crudini --merge /etc/ironic-inspector/ironic-inspector.conf +build_j2_config $CONFIG | crudini --merge /etc/ironic-inspector/ironic-inspector.conf + # Configure HTTP basic auth for API server HTPASSWD_FILE=/etc/ironic-inspector/htpasswd if [ -n "${HTTP_BASIC_HTPASSWD}" ]; then printf "%s\n" "${HTTP_BASIC_HTPASSWD}" >"${HTPASSWD_FILE}" - crudini --set $CONFIG DEFAULT auth_strategy http_basic - crudini --set $CONFIG DEFAULT http_basic_auth_user_file "${HTPASSWD_FILE}" + if [[ $INSPECTOR_REVERSE_PROXY_SETUP == "false" ]] + then + crudini --set $CONFIG DEFAULT auth_strategy http_basic + crudini --set $CONFIG DEFAULT http_basic_auth_user_file "${HTPASSWD_FILE}" + fi fi # Configure auth for ironic client -CONFIG_OPTIONS="--config-file /etc/ironic-inspector/inspector-dist.conf --config-file ${CONFIG}" +CONFIG_OPTIONS="--config-file ${CONFIG}" auth_config_file="/auth/ironic/auth-config" if [ -f ${auth_config_file} ]; then CONFIG_OPTIONS+=" --config-file ${auth_config_file}"