[WIP] 🌱 Backward compable callback endpoint when Inspector is off

Dockerfile

@@ -58,6 +58,7 @@ COPY ironic-config/httpd.conf.j2 /etc/httpd/conf/
 COPY ironic-config/httpd-modules.conf /etc/httpd/conf.modules.d/
 COPY ironic-config/apache2-vmedia.conf.j2 /etc/httpd-vmedia.conf.j2
 COPY ironic-config/apache2-ipxe.conf.j2 /etc/httpd-ipxe.conf.j2
+COPY ironic-config/apache2-inspector-compat.conf.j2 /etc/httpd-inspector-compat.conf.j2
 
 # IRONIC-INSPECTOR #
 RUN mkdir -p /var/lib/ironic /var/lib/ironic-inspector && \

configure-nonroot.sh

@@ -17,8 +17,9 @@ IRONIC_GROUP="ironic"
 INSPECTOR_GROUP="ironic-inspector"
 
 # most containers mount /shared but dnsmasq can live without it
-mkdir -p /shared
-chown "${IRONIC_USER}":"${INSPECTOR_GROUP}" /shared
+mkdir -p /shared{,/html}
+chown "${IRONIC_USER}":"${INSPECTOR_GROUP}" /shared{,/html}
+chmod 0777 /shared/html
 
 # we'll bind mount shared ca and ironic/inspector certificate dirs here
 # that need to have correct ownership as the entire ironic in BMO

ironic-config/apache2-inspector-compat.conf.j2

@@ -0,0 +1,48 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+{% if env.LISTEN_ALL_INTERFACES | lower == "true" %}
+ <VirtualHost *:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
+{% else %}
+ <VirtualHost {{ env.IRONIC_URL_HOST }}:{{ env.IRONIC_INSPECTOR_LISTEN_PORT }}>
+{% endif %}
+
+    SetEnv APACHE_RUN_USER ironic-inspector
+    SetEnv APACHE_RUN_GROUP ironic-inspector
+
+    ErrorLog /dev/stdout
+    LogLevel debug
+    CustomLog /dev/stdout combined
+
+    {% if env.IRONIC_INSPECTOR_TLS_SETUP == "true" %}
+    SSLEngine On
+    SSLProtocol {{ env.IRONIC_SSL_PROTOCOL }}
+    SSLCertificateFile {{ env.IRONIC_INSPECTOR_CERT_FILE }}
+    SSLCertificateKeyFile {{ env.IRONIC_INSPECTOR_KEY_FILE }}
+    {% endif %}
+
+    # Local connection, no need for proper TLS validation
+    SSLProxyVerify none
+    SSLProxyCheckPeerExpire off
+
+    ProxyPass "/v1/continue" "{{ env.IRONIC_SCHEME }}://127.0.0.1:{{ env.IRONIC_ACCESS_PORT }}/v1/continue_inspection"
+    ProxyPassReverse "/v1/continue" "{{ env.IRONIC_SCHEME }}://127.0.0.1:{{ env.IRONIC_ACCESS_PORT }}/v1/continue_inspection"
+
+    <Location / >
+        Require all denied
+    </Location>
+
+    <Location /v1/continue >
+        Require all granted
+    </Location>
+
+</VirtualHost>

scripts/ironic-common.sh

@@ -103,7 +103,7 @@ export IRONIC_INSPECTOR_ACCESS_PORT=${IRONIC_INSPECTOR_ACCESS_PORT:-5050}
 export IRONIC_INSPECTOR_LISTEN_PORT=${IRONIC_INSPECTOR_LISTEN_PORT:-$IRONIC_INSPECTOR_ACCESS_PORT}
 
 # If this is false, built-in inspection is used.
-export USE_IRONIC_INSPECTOR=${USE_IRONIC_INSPECTOR:-true}
+export USE_IRONIC_INSPECTOR=${USE_IRONIC_INSPECTOR:-false}
 export IRONIC_INSPECTOR_ENABLE_DISCOVERY=${IRONIC_INSPECTOR_ENABLE_DISCOVERY:-false}
 if [[ "${USE_IRONIC_INSPECTOR}" != "true" ]] && [[ "${IRONIC_INSPECTOR_ENABLE_DISCOVERY}" == "true" ]]; then
     echo "Discovery is only supported with ironic-inspector at this point"

scripts/runhttpd

@@ -28,16 +28,9 @@ export IRONIC_IPA_COLLECTORS=${IRONIC_IPA_COLLECTORS:-default,logs}
 
 wait_for_interface_or_ip
 
-mkdir -p /shared/html
-chmod 0777 /shared/html
-
 IRONIC_BASE_URL="${IRONIC_SCHEME}://${IRONIC_URL_HOST}"
 
-if [[ "${USE_IRONIC_INSPECTOR}" == "true" ]]; then
-    INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue"
-else
-    INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}/v1/continue_inspection"
-fi
+INSPECTOR_EXTRA_ARGS=" ipa-inspection-callback-url=${IRONIC_BASE_URL}:${IRONIC_INSPECTOR_ACCESS_PORT}/v1/continue"
 
 if [[ "$IRONIC_FAST_TRACK" == "true" ]]; then
     INSPECTOR_EXTRA_ARGS+=" ipa-api-url=${IRONIC_BASE_URL}:${IRONIC_ACCESS_PORT}"

scripts/runironic-inspector

@@ -14,11 +14,6 @@ export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-false}
 # shellcheck disable=SC1091
 . /bin/auth-common.sh
 
-if [[ "$USE_IRONIC_INSPECTOR" == "false" ]]; then
-    echo "FATAL: ironic-inspector is disabled via USE_IRONIC_INSPECTOR"
-    exit 1
-fi
-
 wait_for_interface_or_ip
 
 IRONIC_INSPECTOR_PORT=${IRONIC_INSPECTOR_ACCESS_PORT}
@@ -39,6 +34,15 @@ build_j2_config()
     python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < "$CONFIG_FILE.j2"
 }
 
+if [[ "$USE_IRONIC_INSPECTOR" == "false" ]]; then
+    # Compatibility with existing preprovisioning image controllers
+    render_j2_config /etc/httpd-inspector-compat.conf.j2 /etc/httpd/conf.d/inspector-compat.conf
+    mv /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.example
+    export HTTP_PORT="${IRONIC_INSPECTOR_LISTEN_PORT}"
+    render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf
+    exec /usr/sbin/httpd -DFOREGROUND
+fi
+
 # Merge with the original configuration file from the package.
 build_j2_config "$CONFIG" | crudini --merge "$CONFIG"