Allow reverse proxy setup for Ironic

This is the preferred mode for the combined Ironic process.

ironic-config/apache2-ironic-api.conf.j2

@@ -18,8 +18,13 @@ Listen 6385
  <VirtualHost {{ env.IRONIC_URL_HOST }}:6385>
 {% endif %}
 
+ {% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}
+ ProxyPass "/" "http://127.0.0.1:6388/"
+ ProxyPassReverse "/" "http://127.0.0.1:6388/"
+ {% else %}
  WSGIDaemonProcess ironic user=ironic group=ironic threads=10 display-name=%{GROUP}
  WSGIScriptAlias / /usr/bin/ironic-api-wsgi
+ {% endif %}
 
  SetEnv APACHE_RUN_USER ironic
  SetEnv APACHE_RUN_GROUP ironic
@@ -45,6 +50,17 @@ Listen 6385
  <Location ~ "^/(v1/?)?$">
  Require all granted
  </Location> 
+
+ {% if env.IRONIC_REVERSE_PROXY_SETUP | lower == "true" %}
+ <Location ~ "^/v1/.+">
+ {% if "HTTP_BASIC_HTPASSWD" in env and env.HTTP_BASIC_HTPASSWD | length %}
+ AuthType Basic
+ AuthName "Restricted area"
+ AuthUserFile "/etc/ironic/htpasswd"
+ Require valid-user
+ {% endif %}
+ </Location>
+ {% else %}
  <Directory /usr/bin >
  WSGIProcessGroup ironic
  WSGIApplicationGroup %{GLOBAL}
@@ -59,4 +75,5 @@ Listen 6385
  Require all granted
  {% endif %}
  </Directory>
+ {% endif %}
  </VirtualHost>

ironic-config/ironic.conf.j2

@@ -56,11 +56,16 @@ deploy_logs_local_path = /shared/log/ironic/deploy
 max_command_attempts = 30
 
 [api]
+{% if env.IRONIC_REVERSE_PROXY_SETUP == "true" %}
+host_ip = 127.0.0.1
+port = 6388
+{% else %}
 host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
-api_workers = {{ env.NUMWORKERS }}
 {% if env.IRONIC_TLS_SETUP == "true" %}
 enable_ssl_api = true
 {% endif %}
+{% endif %}
+api_workers = {{ env.NUMWORKERS }}
 
 [conductor]
 automated_clean = {{ env.IRONIC_AUTOMATED_CLEAN }}

scripts/runhttpd

@@ -9,6 +9,7 @@ export VMEDIA_TLS_PORT=${VMEDIA_TLS_PORT:-8083}
 
 INSPECTOR_ORIG_HTTPD_CONFIG=/etc/httpd/conf.d/inspector-apache.conf.j2
 INSPECTOR_RESULT_HTTPD_CONFIG=/etc/httpd/conf.d/ironic-inspector.conf
+export IRONIC_REVERSE_PROXY_SETUP=${IRONIC_REVERSE_PROXY_SETUP:-"false"}
 export INSPECTOR_REVERSE_PROXY_SETUP=${INSPECTOR_REVERSE_PROXY_SETUP:-"false"}
 
 # Whether to enable fast_track provisioning or not
@@ -44,10 +45,20 @@ else
  export INSPECTOR_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
 fi
 
+if [ "$IRONIC_TLS_SETUP" = "true" ]; then
+ if [[ "${IRONIC_REVERSE_PROXY_SETUP}" == "true" ]]; then
+ render_j2_config /etc/httpd-ironic-api.conf.j2 /etc/httpd/conf.d/ironic.conf
+ fi
+ # Add user 'apache' to the group `ironic-inspector`, so httpd can access /etc/ironic-inspector and read the pasword file
+ usermod -aG ironic apache
+else
+ export IRONIC_REVERSE_PROXY_SETUP="false" # If TLS is not used, we have no reason to use the reverse proxy
+fi
+
 # Configure HTTP basic auth for API server
-HTPASSWD_FILE=/etc/ironic-inspector/htpasswd
 if [ -n "${HTTP_BASIC_HTPASSWD:-}" ]; then
- printf "%s\n" "${HTTP_BASIC_HTPASSWD}" >"${HTPASSWD_FILE}"
+ printf "%s\n" "${HTTP_BASIC_HTPASSWD}" > /etc/ironic/htpasswd
+ printf "%s\n" "${HTTP_BASIC_HTPASSWD}" > /etc/ironic-inspector/htpasswd
 fi
 
 # Use configured values

scripts/runironic-api

@@ -4,6 +4,8 @@ export IRONIC_DEPLOYMENT="API"
 
 . /bin/configure-ironic.sh
 
+export IRONIC_REVERSE_PROXY_SETUP=false
+
 python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < /etc/httpd-ironic-api.conf.j2 > /etc/httpd/conf.d/ironic.conf
 
 . /bin/runhttpd