Fix configuration of ironic inspector Jira: <OSPRH-10696>

Author: mumesan

controllers/ironicinspector_controller.go

@@ -33,6 +33,7 @@ import (
 	job "github.com/openstack-k8s-operators/lib-common/modules/common/job"
 	nad "github.com/openstack-k8s-operators/lib-common/modules/common/networkattachment"
 	common_rbac "github.com/openstack-k8s-operators/lib-common/modules/common/rbac"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 	oko_secret "github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/statefulset"
@@ -415,6 +416,25 @@ func (r *IronicInspectorReconciler) findObjectsForSrc(ctx context.Context, src c
 	return requests
 }
 
+func (r *IronicInspectorReconciler) getTransportURL(
+	ctx context.Context,
+	h *helper.Helper,
+	instance *ironicv1.IronicInspector,
+) (string, error) {
+	if instance.Spec.RPCTransport != "oslo" {
+		return "fake://", nil
+	}
+	transportURLSecret, _, err := secret.GetSecret(ctx, h, instance.Status.TransportURLSecret, instance.Namespace)
+	if err != nil {
+		return "", err
+	}
+	transportURL, ok := transportURLSecret.Data["transport_url"]
+	if !ok {
+		return "", fmt.Errorf("transport_url %w Transport Secret", util.ErrNotFound)
+	}
+	return string(transportURL), nil
+}
+
 func (r *IronicInspectorReconciler) reconcileTransportURL(
 	ctx context.Context,
 	instance *ironicv1.IronicInspector,
@@ -589,15 +609,9 @@ func (r *IronicInspectorReconciler) reconcileConfigMapsAndSecrets(
 	// calculate an overall hash of hashes
 	//
 
-	//
-	// create Configmap required for ironic input
-	// - %-scripts configmap holding scripts to e.g. bootstrap the service
-	// - %-config configmap holding minimal ironic config required to get the
-	//   service up, user can add additional files to be added to the service
-	// - parameters which has passwords gets added from the OpenStack secret
-	//   via the init container
-	//
-	err = r.generateServiceConfigMaps(
+	// create Secret required for ironicInspector input. It contains minimal ironicinspector config required
+	// to get the service up, user can add additional files to be added to the service.
+	err = r.generateServiceSecrets(
 		ctx,
 		instance,
 		helper,
@@ -1411,24 +1425,16 @@ func (r *IronicInspectorReconciler) reconcileUpgrade(
 	return ctrl.Result{}, nil
 }
 
-// generateServiceConfigMaps - create create configmaps which hold scripts and service configuration
+// generateServiceSecrets - create secrets which hold service configuration
 // TODO add DefaultConfigOverwrite
-func (r *IronicInspectorReconciler) generateServiceConfigMaps(
+func (r *IronicInspectorReconciler) generateServiceSecrets(
 	ctx context.Context,
 	instance *ironicv1.IronicInspector,
 	h *helper.Helper,
 	envVars *map[string]env.Setter,
 	db *mariadbv1.Database,
 ) error {
-	//
-	// create Configmap/Secret required for ironic-inspector input
-	// - %-scripts configmap holding scripts to e.g. bootstrap the service
-	// - %-config configmap holding minimal ironic-inspector config required
-	//   to get the service up, user can add additional files to be added to
-	//   the service
-	// - parameters which has passwords gets added from the ospSecret via the
-	//   init container
-	//
+	// Create/update secrets from templates
 	cmLabels := labels.GetLabels(
 		instance,
 		labels.GetGroupLabel(ironic.ServiceName),
@@ -1439,20 +1445,24 @@ func (r *IronicInspectorReconciler) generateServiceConfigMaps(
 		tlsCfg = &tls.Service{}
 	}
 	// customData hold any customization for the service.
-	// custom.conf is going to /etc/ironic-inspector/inspector.conf.d
-	// all other files get placed into /etc/ironic-inspector to allow
-	// overwrite of e.g. policy.json.
-	// TODO: make sure custom.conf can not be overwritten
+	// 02-inspector-custom.conf is going to /etc/ironic-inspector/inspector.conf.d
+	// 01-inspector.conf is going to /etc/ironic-inspector/inspector such that it gets loaded before custom one
 	customData := map[string]string{
-		common.CustomServiceConfigFileName: instance.Spec.CustomServiceConfig,
-		"my.cnf":                           db.GetDatabaseClientConfig(tlsCfg), //(mschuppert) for now just get the default my.cnf
+		"02-inspector-custom.conf": instance.Spec.CustomServiceConfig,
+		"my.cnf":                   db.GetDatabaseClientConfig(tlsCfg), //(mschuppert) for now just get the default my.cnf
 	}
 	for key, data := range instance.Spec.DefaultConfigOverwrite {
 		customData[key] = data
 	}
 	templateParameters := make(map[string]interface{})
-	if !instance.Spec.Standalone {
 
+	transportURL, err := r.getTransportURL(ctx, h, instance)
+	if err != nil {
+		return err
+	}
+	templateParameters["TransportURL"] = transportURL
+
+	if !instance.Spec.Standalone {
 		keystoneAPI, err := keystonev1.GetKeystoneAPI(
 			ctx, h, instance.Namespace, map[string]string{})
 		if err != nil {
@@ -1466,10 +1476,24 @@ func (r *IronicInspectorReconciler) generateServiceConfigMaps(
 		if err != nil {
 			return err
 		}
+		ospSecret, _, err := secret.GetSecret(ctx, h, instance.Spec.Secret, instance.Namespace)
+		if err != nil {
+			return err
+		}
+
+		servicePassword := string(ospSecret.Data[instance.Spec.PasswordSelectors.Service])
 
 		templateParameters["ServiceUser"] = instance.Spec.ServiceUser
+		templateParameters["ServicePassword"] = servicePassword
 		templateParameters["KeystoneInternalURL"] = keystoneInternalURL
 		templateParameters["KeystonePublicURL"] = keystonePublicURL
+
+		// Other OpenStack services
+		templateParameters["ServicePassword"] = servicePassword
+		templateParameters["keystone_authtoken"] = servicePassword
+		templateParameters["service_catalog"] = servicePassword
+		templateParameters["ironic"] = servicePassword
+		templateParameters["swift"] = servicePassword
 	} else {
 		ironicAPI, err := ironicv1.GetIronicAPI(
 			ctx, h, instance.Namespace, map[string]string{})

pkg/ironicinspector/dbsync.go

@@ -27,7 +27,7 @@ import (
 
 const (
 	// DBSyncCommand -
-	DBSyncCommand = "/usr/local/bin/kolla_set_configs && /bin/bash -c 'ironic-inspector-dbsync --config-file /etc/ironic-inspector/inspector.conf upgrade'"
+	DBSyncCommand = "/usr/local/bin/kolla_set_configs && /bin/bash -c 'ironic-inspector-dbsync --config-file /etc/ironic-inspector/inspector.conf --config-dir /etc/ironic-inspector/inspector.conf.d upgrade'"
 )
 
 // DbSyncJob func

pkg/ironicinspector/initcontainer.go

@@ -42,11 +42,10 @@ type APIDetails struct {
 }
 
 const (
-	// InitContainerCommand -
-	InitContainerCommand = "/usr/local/bin/container-scripts/init.sh"
-
 	// PxeInitContainerCommand -
 	PxeInitContainerCommand = "/usr/local/bin/container-scripts/inspector-pxe-init.sh"
+
+	InitCreateDirectoriesCommand = `mkdir -p /var/lib/ironic/httpboot /var/lib/ironic/ramdisk-logs`
 )
 
 // InitContainer - init container for Ironic Inspector pods
@@ -113,28 +112,17 @@ func InitContainer(init APIDetails) []corev1.Container {
 
 	containers := []corev1.Container{}
 
-	inspectorInit := corev1.Container{
-		Name:  "inspector-init",
-		Image: init.ContainerImage,
-		SecurityContext: &corev1.SecurityContext{
-			RunAsUser: &runAsUser,
-		},
-		Command: []string{
-			"/bin/bash",
-		},
-		Args:         []string{"-c", InitContainerCommand},
-		Env:          envs,
-		VolumeMounts: init.VolumeMounts,
-	}
-	containers = append(containers, inspectorInit)
-
 	if init.IpaInit {
 		ipaInit := corev1.Container{
 			Name:  "ironic-python-agent-init",
 			Image: init.IronicPythonAgentImage,
 			SecurityContext: &corev1.SecurityContext{
 				Privileged: &init.Privileged,
 			},
+			Command: []string{
+				"/bin/bash",
+			},
+			Args:         []string{"-c", InitCreateDirectoriesCommand},
 			Env:          imageCopyEnvs,
 			VolumeMounts: init.VolumeMounts,
 		}

pkg/ironicinspector/volumes.go

@@ -20,20 +20,14 @@ func GetVolumes(name string) []corev1.Volume {
 			},
 		},
 		{
-			Name: "config-data",
+			Name: "config",
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
 					DefaultMode: &config0640AccessMode,
 					SecretName:  name + "-config-data",
 				},
 			},
 		},
-		{
-			Name: "config-data-merged",
-			VolumeSource: corev1.VolumeSource{
-				EmptyDir: &corev1.EmptyDirVolumeSource{Medium: ""},
-			},
-		},
 		{
 			Name: "var-lib-ironic",
 			VolumeSource: corev1.VolumeSource{
@@ -75,15 +69,10 @@ func GetInitVolumeMounts() []corev1.VolumeMount {
 			ReadOnly:  true,
 		},
 		{
-			Name:      "config-data",
+			Name:      "config",
 			MountPath: "/var/lib/config-data/default",
 			ReadOnly:  true,
 		},
-		{
-			Name:      "config-data-merged",
-			MountPath: "/var/lib/config-data/merged",
-			ReadOnly:  false,
-		},
 		{
 			Name:      "var-lib-ironic",
 			MountPath: "/var/lib/ironic",
@@ -107,12 +96,12 @@ func GetVolumeMounts(serviceName string) []corev1.VolumeMount {
 			ReadOnly:  true,
 		},
 		{
-			Name:      "config-data-merged",
-			MountPath: "/var/lib/config-data/merged",
-			ReadOnly:  false,
+			Name:      "config",
+			MountPath: "/var/lib/config-data/default",
+			ReadOnly:  true,
 		},
 		{
-			Name:      "config-data-merged",
+			Name:      "config",
 			MountPath: "/var/lib/kolla/config_files/config.json",
 			SubPath:   serviceName + "-config.json",
 			ReadOnly:  true,

templates/ironicinspector/bin/init.sh

@@ -22,7 +22,11 @@ export PODINDEX=$(echo ${HOSTNAME##*-})
 export InspectorNetworkIP=$(/usr/local/bin/container-scripts/get_net_ip ${InspectionNetwork})
 export INSPECTOR_HTTP_URL=$(python3 -c 'import os; print(os.environ["InspectorHTTPURL"] % os.environ)')
 
-export DNSMASQ_CFG=/var/lib/config-data/merged/dnsmasq.conf
+# Copy required config to modifiable location
+cp /var/lib/config-data/default/dnsmasq.conf /var/lib/ironic/
+cp /var/lib/config-data/default/inspector.ipxe /var/lib/ironic/
+
+export DNSMASQ_CFG=/var/lib/ironic/dnsmasq.conf
 sed -e "/BLOCK_PODINDEX_${PODINDEX}_BEGIN/,/BLOCK_PODINDEX_${PODINDEX}_END/p" \
     -e "/BLOCK_PODINDEX_.*_BEGIN/,/BLOCK_PODINDEX_.*_END/d" \
     -i ${DNSMASQ_CFG}
@@ -31,7 +35,7 @@ sed -e "/BLOCK_PODINDEX_${PODINDEX}_BEGIN/d" \
     -i ${DNSMASQ_CFG}
 envsubst < ${DNSMASQ_CFG} | tee ${DNSMASQ_CFG}
 
-export INSPECTOR_IPXE=/var/lib/config-data/merged/inspector.ipxe
+export INSPECTOR_IPXE=/var/lib/ironic/inspector.ipxe
 envsubst < ${INSPECTOR_IPXE} | tee ${INSPECTOR_IPXE}
 
 # run common pxe-init script

templates/ironicinspector/bin/inspector-pxe-init.sh

@@ -1,7 +1,7 @@
 [DEFAULT]
 auth_strategy={{if .Standalone}}noauth{{else}}keystone{{end}}
 log_file=/dev/stdout
-transport_url=fake://
+transport_url = {{ .TransportURL }}
 listen_address = localhost
 listen_port = 5051
 
@@ -28,6 +28,7 @@ endpoint_override={{ .IronicInternalURL }}
 auth_type=password
 auth_url={{ .KeystoneInternalURL }}
 username={{ .ServiceUser }}
+password = {{ .ServicePassword }}
 user_domain_name=Default
 project_name=service
 project_domain_name=Default
@@ -38,6 +39,7 @@ retry_interval=10
 auth_type=password
 auth_url={{ .KeystoneInternalURL }}
 username={{ .ServiceUser }}
+password = {{ .ServicePassword }}
 www_authenticate_uri={{ .KeystonePublicURL }}
 project_domain_name=Default
 user_domain_name=Default
@@ -47,6 +49,7 @@ project_name=service
 auth_type=password
 auth_url={{ .KeystoneInternalURL }}
 username={{ .ServiceUser }}
+password = {{ .ServicePassword }}
 user_domain_name=Default
 project_name=service
 project_domain_name=Default
@@ -55,6 +58,7 @@ project_domain_name=Default
 auth_type=password
 auth_url={{ .KeystoneInternalURL }}
 username={{ .ServiceUser }}
+password = {{ .ServicePassword }}
 project_domain_name=Default
 project_name=services
 user_domain_name=Default