From a58a905cccd69284e13eda3db4da07ef2c707aad Mon Sep 17 00:00:00 2001 From: Lennart Jern Date: Tue, 28 Mar 2023 12:09:58 +0300 Subject: [PATCH] Store htpasswd files in Secrets instead of ConfigMaps The htpasswd files for Ironic and Inspector contain clear-text usernames and hashed passwords, so it is better to store them in Secrets. Depending on how exactly Ironic is deployed this could be a breaking change that requires manual action from the user. I have tested this with the [deploy.sh](https://github.com/metal3-io/baremetal-operator/blob/main/tools/deploy.sh) script and confirmed that it is working. Re-deploying Ironic, with the updated kustomization using the script, automatically creates the new Secrets and configures Ironic and Inspector to use them instead of the ConfigMaps. Note that the ConfigMaps are **not** automatically removed. Ideally, the user should remove the ConfigMaps and change the credentials. The ConfigMaps in question are named `baremetal-operator-ironic-htpasswd-` and `baremetal-operator-ironic-inspector-htpasswd-` and are located in the `baremetal-operator-system` Namespace by default. Note that if the credentials are changed, they must also be updated for BMO. This can be done in the same way by re-deploying using the script. --- ironic-deployment/components/basic-auth/auth.yaml | 4 ++-- ironic-deployment/components/basic-auth/kustomization.yaml | 4 +--- ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml | 4 ++-- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/ironic-deployment/components/basic-auth/auth.yaml b/ironic-deployment/components/basic-auth/auth.yaml index ee46229d06..d710aa1362 100644 --- a/ironic-deployment/components/basic-auth/auth.yaml +++ b/ironic-deployment/components/basic-auth/auth.yaml 
@@ -14,7 +14,7 @@ spec: readOnly: true envFrom: # This is the htpassword matching the ironic-auth-config that inspector has - - configMapRef: + - secretRef: name: ironic-htpasswd - configMapRef: name: ironic-bmo-configmap @@ -26,7 +26,7 @@ spec: readOnly: true envFrom: # This is the htpassword matching the ironic-inspector-auth-config that ironic has - - configMapRef: + - secretRef: name: ironic-inspector-htpasswd - configMapRef: name: ironic-bmo-configmap diff --git a/ironic-deployment/components/basic-auth/kustomization.yaml b/ironic-deployment/components/basic-auth/kustomization.yaml index a80dada76a..e64a63acae 100644 --- a/ironic-deployment/components/basic-auth/kustomization.yaml +++ b/ironic-deployment/components/basic-auth/kustomization.yaml @@ -1,7 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component -configMapGenerator: +secretGenerator: - behavior: create envs: - ironic-htpasswd @@ -10,8 +10,6 @@ configMapGenerator: envs: - ironic-inspector-htpasswd name: ironic-inspector-htpasswd - -secretGenerator: - name: ironic-auth-config files: - auth-config=ironic-auth-config diff --git a/ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml b/ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml index 1c156e1b1d..a2b56205ed 100644 --- a/ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml +++ b/ironic-deployment/overlays/basic-auth_tls/basic-auth_tls.yaml @@ -8,9 +8,9 @@ spec: containers: - name: ironic-httpd envFrom: - - configMapRef: + - secretRef: name: ironic-htpasswd - - configMapRef: + - secretRef: name: ironic-inspector-htpasswd - configMapRef: name: ironic-bmo-configmap
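Review bot: The new `secretRef` for `ironic-htpasswd` is still consumed through `envFrom`, so backing it with a Secret tightens storage and RBAC exposure but not in-pod exposure: the username and bcrypt hash are still injected as environment variables, readable from `/proc/<pid>/environ`, from any `kubectl exec` shell, and by every child process the container spawns. If the ironic image can read the htpasswd from a file, a Secret volume mount with a restrictive `defaultMode` would keep the hash out of the environment entirely; that would need confirming against the image entrypoint. At minimum the `envFrom` entry deserves a comment such as `# Stored as a Secret, but envFrom still exposes the hash as an env var inside the pod`. The enclosing container spec starts and ends outside the hunk.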
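Review bot: The `secretGenerator` entry reads its content from a local `ironic-htpasswd` env file that has to hold live credentials at build time, and nothing in the hunk records that; a comment above it such as `# ironic-htpasswd / ironic-inspector-htpasswd are generated locally (e.g. by tools/deploy.sh) and must never be committed` would make the expectation explicit. Since kustomize appends a content hash to generated names by default (the `baremetal-operator-ironic-htpasswd-` names in the commit message suggest that is the case here), each credential rotation will produce a new Secret and leave the previous hash-suffixed one in place unless the apply prunes, so the clean-up the message describes for the old ConfigMaps will recur for stale Secrets. The protection gained also depends on namespace RBAC: any Role granting `get`/`list` on `secrets` in the namespace still sees the hashes. The generator list continues past the end of this hunk.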