Configure Basic Auth

charts/metal3/0.3.0/charts/baremetal-operator/templates/deployment.yaml

@@ -71,6 +71,24 @@ spec:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert
           readOnly: true
+        {{- if .Values.global.enable_basicAuth }}
+        - name: ironic-basic-auth
+          mountPath: "/opt/metal3/auth/ironic/username"
+          subPath: username
+          readOnly: true
+        - name: ironic-basic-auth
+          mountPath: "/opt/metal3/auth/ironic/password"
+          subPath: password
+          readOnly: true
+        - name: ironic-inspector-basic-auth
+          mountPath: "/opt/metal3/auth/ironic-inspector/username"
+          subPath: username
+          readOnly: true
+        - name: ironic-inspector-basic-auth
+          mountPath: "/opt/metal3/auth/ironic-inspector/password"
+          subPath: password
+          readOnly: true
+        {{- end }}
         {{- if .Values.global.enable_tls }}
         - name: cacert
           mountPath: "/opt/metal3/certs/ca"
@@ -93,6 +111,14 @@ spec:
         secret:
           defaultMode: 420
           secretName: bmo-webhook-server-cert
+      {{- if .Values.global.enable_basicAuth }}
+      - name: ironic-basic-auth
+        secret:
+          secretName: ironic-basic-auth
+      - name: ironic-inspector-basic-auth
+        secret:
+          secretName: ironic-inspector-basic-auth
+      {{- end }}
       {{- if .Values.global.enable_tls }}
       - name: cacert
         secret:

charts/metal3/0.3.0/charts/baremetal-operator/values.yaml

@@ -45,8 +45,8 @@ serviceAccount:
 podAnnotations: {}
 
 podSecurityContext: 
-  runAsUser: 11000
-  runAsGroup: 11000
+  runAsUser: 1000
+  runAsGroup: 1000
 
 securityContext: 
   allowPrivilegeEscalation: false

charts/metal3/0.3.0/charts/ironic/templates/configmap.yaml

@@ -71,4 +71,8 @@ data:
   IPA_INSECURE: "1"
   IRONIC_REVERSE_PROXY_SETUP: "false"
   {{- end }}
+  {{- if  ( .Values.global.enable_basicAuth ) }}
+  AUTH_STRATEGY: "http_basic"
+  INSPECTOR_AUTH_STRATEGY: "http_basic"
+  {{- end }}
   DATABASE_HOST: {{ .Values.global.databaseServiceName }}.{{ .Release.Namespace }}.svc.cluster.local

charts/metal3/0.3.0/charts/ironic/templates/deployment.yaml

@@ -96,6 +96,13 @@ spec:
         - configMapRef:
             name: ironic-bmo
         env:
+        {{- if .Values.global.enable_basicAuth }}
+        - name: INSPECTOR_HTPASSWD
+          valueFrom:
+            secretKeyRef:
+              name: ironic-inspector-basic-auth
+              key: htpasswd
+        {{- end }}
         - name: MARIADB_PASSWORD
           valueFrom:
             secretKeyRef:
@@ -129,6 +136,16 @@ spec:
           timeoutSeconds: 10
         volumeMounts:
           {{- include "ironic.sharedVolumeMount" . | nindent 10 }}
+        {{- if .Values.global.enable_basicAuth }}
+          - mountPath: "/auth/ironic/auth-config"
+            name: ironic-basic-auth
+            subPath: auth-config
+            readOnly: true
+          - mountPath: "/auth/ironic-inspector/auth-config"
+            name: ironic-inspector-basic-auth
+            subPath: auth-config
+            readOnly: true
+        {{- end }}
         {{- if .Values.global.enable_tls }}
           {{- include "ironic.CAVolumeMounts" . | nindent 10 }}
           - name: cert-ironic-inspector
@@ -151,6 +168,13 @@ spec:
         - configMapRef:
             name: ironic-bmo
         env:
+        {{- if .Values.global.enable_basicAuth }}
+        - name: IRONIC_HTPASSWD
+          valueFrom:
+            secretKeyRef:
+              name: ironic-basic-auth
+              key: htpasswd
+        {{- end }}
         - name: MARIADB_PASSWORD
           valueFrom:
             secretKeyRef:
@@ -184,6 +208,16 @@ spec:
           timeoutSeconds: 10
         volumeMounts:
           {{- include "ironic.sharedVolumeMount" . | nindent 10 }}
+          {{- if .Values.global.enable_basicAuth }}
+          - mountPath: "/auth/ironic/auth-config"
+            name: ironic-basic-auth
+            subPath: auth-config
+            readOnly: true
+          - mountPath: "/auth/ironic-inspector/auth-config"
+            name: ironic-inspector-basic-auth
+            subPath: auth-config
+            readOnly: true
+          {{- end }}
           {{- if .Values.global.enable_tls }}
           {{- include "ironic.CAVolumeMounts" . | nindent 10 }}
           - name: cert-ironic
@@ -263,6 +297,14 @@ spec:
       - name: ironic-data-volume
         persistentVolumeClaim:
           claimName: ironic-shared-volume
+      {{- if .Values.global.enable_basicAuth }}
+      - name: ironic-basic-auth
+        secret:
+          secretName: ironic-basic-auth
+      - name: ironic-inspector-basic-auth
+        secret:
+          secretName: ironic-inspector-basic-auth
+      {{- end }}
       {{- if .Values.global.enable_tls }}
       - name: cert-ironic-ca
         secret:

charts/metal3/0.3.0/charts/ironic/templates/secrets-basic-auth.yaml

@@ -0,0 +1,62 @@
+{{- if .Values.global.enable_basicAuth }}
+
+{{- $ironicUsername := "" -}}
+{{- $ironicPassword := "" -}}
+{{- $ironicSecretName := "ironic-basic-auth" -}}
+
+# Check if the secret is deployed and has a password
+{{- $oldIronicSecret := lookup "v1" "Secret" .Release.Namespace $ironicSecretName }}
+{{- if and $oldIronicSecret (index $oldIronicSecret.data "username") (index $oldIronicSecret.data "password") }}
+{{- $ironicUsername = index $oldIronicSecret.data "username" -}}
+{{- $ironicPassword = index $oldIronicSecret.data "password" -}}
+# If not, check if a username and password are provided in values.yaml
+{{- else if and (.Values.global.auth.ironicUsername) (.Values.global.auth.ironicPassword) }}
+{{- $ironicUsername = .Values.global.auth.ironicUsername -}}
+{{- $ironicPassword = .Values.global.auth.ironicPassword -}}
+{{- else }}
+# If no username and password are provided in values.yaml, generate new ones
+{{- $ironicUsername = "ironic" -}}
+{{- $ironicPassword = (randAlphaNum 20) -}}
+{{- end }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $ironicSecretName }}
+type: Opaque
+data:
+  username: {{ $ironicUsername | b64enc }}
+  password: {{ $ironicPassword | b64enc }}
+  htpasswd: {{ b64enc (htpasswd $ironicUsername $ironicPassword) }}
+  auth-config: |
+  {{- printf "[ironic]\nauth_type=http_basic\nusername: %s\npassword: %s" $ironicUsername $ironicPassword | b64enc | nindent 4 }}
+---
+{{- $ironicInspectorUsername := "" -}}
+{{- $ironicInspectorPassword := "" -}}
+{{- $inspectorSecretName := "ironic-inspector-basic-auth" -}}
+
+# Check if the secret is deployed and has a password
+{{- $oldInspectorSecret := lookup "v1" "Secret" .Release.Namespace $inspectorSecretName }}
+{{- if and $oldInspectorSecret (index $oldInspectorSecret.data "username") (index $oldInspectorSecret.data "password") }}
+{{- $ironicInspectorUsername = index $oldInspectorSecret.data "username" -}}
+{{- $ironicInspectorPassword = index $oldInspectorSecret.data "password" -}}
+# If not, check if a username and password are provided in values.yaml
+{{- else if and (.Values.global.auth.ironicInspectorUsername) (.Values.global.auth.ironicInspectorPassword) }}
+{{- $ironicInspectorUsername = .Values.global.auth.ironicInspectorUsername -}}
+{{- $ironicInspectorPassword = .Values.global.auth.ironicInspectorPassword -}}
+{{- else }}
+# If no username and password are provided in values.yaml, generate new ones
+{{- $ironicInspectorUsername = "ironic" -}}
+{{- $ironicInspectorPassword = (randAlphaNum 20) -}}
+{{- end }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $inspectorSecretName }}
+type: Opaque
+data:
+  username: {{ $ironicInspectorUsername | b64enc }}
+  password: {{ $ironicInspectorPassword | b64enc }}
+  htpasswd: {{ b64enc (htpasswd $ironicInspectorUsername  $ironicInspectorPassword) }}
+  auth-config: |
+  {{- printf "[inspector]\nauth_type=http_basic\nusername: %s\npassword: %s" $ironicInspectorUsername $ironicInspectorPassword | b64enc | nindent 4 }}
+{{- end }}

charts/metal3/0.3.0/values.yaml

@@ -25,6 +25,15 @@ global:
   # whether to enable tls
   enable_tls: true
 
+  # whether to enable basic auth
+  enable_basicAuth: true
+
+  auth:
+    ironicUsername: ""
+    ironicPassword: ""
+    ironicInspectorUsername: ""
+    ironicInspectorPassword: ""
+
   # Will be used when tls is enabled
   vmediaTLSPort: 6185
 

index.yaml

@@ -111,7 +111,7 @@ entries:
   metal3:
   - apiVersion: v2
     appVersion: 1.16.0
-    created: "2023-12-01T10:22:15.23758+02:00"
+    created: "2023-12-07T12:01:21.064919+02:00"
     dependencies:
     - alias: metal3-baremetal-operator
       name: baremetal-operator
@@ -131,7 +131,7 @@ entries:
       repository: file://./charts/media
       version: 0.3.0
     description: A Helm chart that installs all of the dependencies needed for Metal3
-    digest: 2f1d7b2d19829ab15c3b109292054f651eb0d0bfb08e8a76413e93d35c4e1841
+    digest: 4618759937031459bd923b9611d91ab974699e1ee64312a91a2d13074c4eab93
     icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg
     name: metal3
     type: application

packages/baremetal-operator/charts/templates/deployment.yaml

@@ -71,6 +71,24 @@ spec:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: cert
           readOnly: true
+        {{- if .Values.global.enable_basicAuth }}
+        - name: ironic-basic-auth
+          mountPath: "/opt/metal3/auth/ironic/username"
+          subPath: username
+          readOnly: true
+        - name: ironic-basic-auth
+          mountPath: "/opt/metal3/auth/ironic/password"
+          subPath: password
+          readOnly: true
+        - name: ironic-inspector-basic-auth
+          mountPath: "/opt/metal3/auth/ironic-inspector/username"
+          subPath: username
+          readOnly: true
+        - name: ironic-inspector-basic-auth
+          mountPath: "/opt/metal3/auth/ironic-inspector/password"
+          subPath: password
+          readOnly: true
+        {{- end }}
         {{- if .Values.global.enable_tls }}
         - name: cacert
           mountPath: "/opt/metal3/certs/ca"
@@ -93,6 +111,14 @@ spec:
         secret:
           defaultMode: 420
           secretName: bmo-webhook-server-cert
+      {{- if .Values.global.enable_basicAuth }}
+      - name: ironic-basic-auth
+        secret:
+          secretName: ironic-basic-auth
+      - name: ironic-inspector-basic-auth
+        secret:
+          secretName: ironic-inspector-basic-auth
+      {{- end }}
       {{- if .Values.global.enable_tls }}
       - name: cacert
         secret:

packages/baremetal-operator/charts/values.yaml

@@ -45,8 +45,8 @@ serviceAccount:
 podAnnotations: {}
 
 podSecurityContext: 
-  runAsUser: 11000
-  runAsGroup: 11000
+  runAsUser: 1000
+  runAsGroup: 1000
 
 securityContext: 
   allowPrivilegeEscalation: false

packages/ironic/charts/templates/configmap.yaml

@@ -71,4 +71,8 @@ data:
   IPA_INSECURE: "1"
   IRONIC_REVERSE_PROXY_SETUP: "false"
   {{- end }}
+  {{- if  ( .Values.global.enable_basicAuth ) }}
+  AUTH_STRATEGY: "http_basic"
+  INSPECTOR_AUTH_STRATEGY: "http_basic"
+  {{- end }}
   DATABASE_HOST: {{ .Values.global.databaseServiceName }}.{{ .Release.Namespace }}.svc.cluster.local

packages/ironic/charts/templates/deployment.yaml

@@ -96,6 +96,13 @@ spec:
         - configMapRef:
             name: ironic-bmo
         env:
+        {{- if .Values.global.enable_basicAuth }}
+        - name: INSPECTOR_HTPASSWD
+          valueFrom:
+            secretKeyRef:
+              name: ironic-inspector-basic-auth
+              key: htpasswd
+        {{- end }}
         - name: MARIADB_PASSWORD
           valueFrom:
             secretKeyRef:
@@ -129,6 +136,16 @@ spec:
           timeoutSeconds: 10
         volumeMounts:
           {{- include "ironic.sharedVolumeMount" . | nindent 10 }}
+        {{- if .Values.global.enable_basicAuth }}
+          - mountPath: "/auth/ironic/auth-config"
+            name: ironic-basic-auth
+            subPath: auth-config
+            readOnly: true
+          - mountPath: "/auth/ironic-inspector/auth-config"
+            name: ironic-inspector-basic-auth
+            subPath: auth-config
+            readOnly: true
+        {{- end }}
         {{- if .Values.global.enable_tls }}
           {{- include "ironic.CAVolumeMounts" . | nindent 10 }}
           - name: cert-ironic-inspector
@@ -151,6 +168,13 @@ spec:
         - configMapRef:
             name: ironic-bmo
         env:
+        {{- if .Values.global.enable_basicAuth }}
+        - name: IRONIC_HTPASSWD
+          valueFrom:
+            secretKeyRef:
+              name: ironic-basic-auth
+              key: htpasswd
+        {{- end }}
         - name: MARIADB_PASSWORD
           valueFrom:
             secretKeyRef:
@@ -184,6 +208,16 @@ spec:
           timeoutSeconds: 10
         volumeMounts:
           {{- include "ironic.sharedVolumeMount" . | nindent 10 }}
+          {{- if .Values.global.enable_basicAuth }}
+          - mountPath: "/auth/ironic/auth-config"
+            name: ironic-basic-auth
+            subPath: auth-config
+            readOnly: true
+          - mountPath: "/auth/ironic-inspector/auth-config"
+            name: ironic-inspector-basic-auth
+            subPath: auth-config
+            readOnly: true
+          {{- end }}
           {{- if .Values.global.enable_tls }}
           {{- include "ironic.CAVolumeMounts" . | nindent 10 }}
           - name: cert-ironic
@@ -263,6 +297,14 @@ spec:
       - name: ironic-data-volume
         persistentVolumeClaim:
           claimName: ironic-shared-volume
+      {{- if .Values.global.enable_basicAuth }}
+      - name: ironic-basic-auth
+        secret:
+          secretName: ironic-basic-auth
+      - name: ironic-inspector-basic-auth
+        secret:
+          secretName: ironic-inspector-basic-auth
+      {{- end }}
       {{- if .Values.global.enable_tls }}
       - name: cert-ironic-ca
         secret: