Store htpasswd files in Secrets instead of ConfigMaps

The htpasswd files for Ironic and Inspector contains clear text usernames and hashed passwords so it is better to store them in Secrets. Depending on how exactly Ironic is deployed this could be a breaking change that requires manual action from the user. I have tested this with the [deploy.sh](https://github.com/metal3-io/baremetal-operator/blob/main/tools/deploy.sh) script and confirmed that it is working. Re-deploying Ironic, with the updated kustomization using the script, automatically creates the new Secrets and configures Ironic and Inspector to use them instead of the ConfigMaps. Note that the ConfigMaps are **not** automatically removed. Ideally, the user should remove the ConfigMaps and change the credentials. The ConfigMaps in question are named `baremetal-operator-ironic-htpasswd-<random-hash>` and `baremetal-operator-ironic-inspector-htpasswd-<random-hash>` and are located in the `baremetal-operator-system` Namespace by default. Note that if the credentials are changed, they must also be updated for BMO. This can be done in the same way by re-deploying using the script.
metal3-io · Mar 29, 2023 · a58a905 · a58a905
1 parent 6a798be
commit a58a905
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 7 deletions.
diff --git a/ironic-deployment/components/basic-auth/auth.yaml b/ironic-deployment/components/basic-auth/auth.yaml
@@ -14,7 +14,7 @@ spec:
           readOnly: true
         envFrom:
         # This is the htpassword matching the ironic-auth-config that inspector has
-        - configMapRef:
+        - secretRef:
             name: ironic-htpasswd
         - configMapRef:
             name: ironic-bmo-configmap
@@ -26,7 +26,7 @@ spec:
           readOnly: true
         envFrom:
         # This is the htpassword matching the ironic-inspector-auth-config that ironic has
-        - configMapRef:
+        - secretRef:
             name: ironic-inspector-htpasswd
         - configMapRef:
             name: ironic-bmo-configmap

diff --git a/ironic-deployment/components/basic-auth/kustomization.yaml b/ironic-deployment/components/basic-auth/kustomization.yaml
@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 
-configMapGenerator:
+secretGenerator:
 - behavior: create
   envs:
   - ironic-htpasswd
@@ -10,8 +10,6 @@ configMapGenerator:
   envs:
   - ironic-inspector-htpasswd
   name: ironic-inspector-htpasswd
-
-secretGenerator:
 - name: ironic-auth-config
   files:
   - auth-config=ironic-auth-config

diff --git a/ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml b/ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml
@@ -8,9 +8,9 @@ spec:
       containers:
       - name: ironic-httpd
         envFrom:
-        - configMapRef:
+        - secretRef:
             name: ironic-htpasswd
-        - configMapRef:
+        - secretRef:
             name: ironic-inspector-htpasswd
         - configMapRef:
             name: ironic-bmo-configmap