User guide: updates for Inspector removal

Depends on:
- metal3-io/baremetal-operator#1544

Signed-off-by: Dmitry Tantsur <dtantsur@protonmail.com>

docs/user-guide/src/baremetal/guide.md

@@ -134,8 +134,8 @@ Install following requirements on the host.
   # The URL of the Ironic endpoint.
   export IRONIC_URL="http://172.22.0.1:6385/v1/"
 
-  # The URL of the Ironic inspector endpoint.
-  export IRONIC_INSPECTOR_URL="http://172.22.0.1:5050/v1/"
+  # The URL of the Ironic inspector endpoint - only before BMO 0.5.0.
+  #export IRONIC_INSPECTOR_URL="http://172.22.0.1:5050/v1/"
 
   # Do not use a dedicated CA certificate for Ironic API.
   # Any value provided in this variable disables additional CA certificate validation.
@@ -147,13 +147,13 @@ Install following requirements on the host.
   # Any value provided in this variable disables authentication.
   # To enable authentication, leave this variable unset.
   # If unset, then IRONIC_USERNAME and IRONIC_PASSWORD must be set.
-  export IRONIC_NO_BASIC_AUTH=true
+  #export IRONIC_NO_BASIC_AUTH=true
 
-  # Disables basic authentication for Ironic inspector API.
+  # Disables basic authentication for Ironic inspector API (when used).
   # Any value provided in this variable disables authentication.
   # To enable authentication, leave this variable unset.
   # If unset, then IRONIC_INSPECTOR_USERNAME and IRONIC_INSPECTOR_PASSWORD must be set.
-  export IRONIC_INSPECTOR_NO_BASIC_AUTH=true
+  #export IRONIC_INSPECTOR_NO_BASIC_AUTH=true
   ```
 
 - Launch baremetal operator.

docs/user-guide/src/bmo/install_baremetal_operator.md

@@ -26,9 +26,6 @@ drivers that support ISO boot. Optional if kernel/ramdisk are set.
 `IRONIC_ENDPOINT` -- The URL for the operator to use when talking to
 Ironic.
 
-`IRONIC_INSPECTOR_ENDPOINT` -- The URL for the operator to use when talking to
-Ironic Inspector.
-
 `IRONIC_CACERT_FILE` -- The path of the CA certificate file of Ironic, if needed
 
 `IRONIC_INSECURE` -- ("True", "False") Whether to skip the ironic certificate
@@ -59,6 +56,11 @@ BMO_CONCURRENCY value lower than the requested PROVISIONING_LIMIT. Default is 20
 nodes that use IPv6. In dual stack environments, this can be used to tell Ironic which IP
 version it should set on the BMC.
 
+### Deprecated options
+
+`IRONIC_INSPECTOR_ENDPOINT` -- The URL for the operator to use when talking to
+Ironic Inspector. Only supported before baremetal-operator 0.5.0.
+
 ## Kustomization Configuration
 
 It is possible to deploy ```baremetal-operator``` with three different operator
@@ -81,29 +83,28 @@ When an external Ironic is used, the following requirements must be met:
 
 ## Authenticating to Ironic
 
-Because hosts under the control of Metal³ need to contact the Ironic and Ironic
-Inspector APIs during inspection and provisioning, it is highly advisable to
-require authentication on those APIs, since the provisioned hosts running user
-workloads will remain connected to the provisioning network.
+Because hosts under the control of Metal³ need to contact the Ironic API during
+inspection and provisioning, it is highly advisable to require authentication
+on those APIs, since the provisioned hosts running user workloads will remain
+connected to the provisioning network.
 
 ### Configuration
 
-The `baremetal-operator` supports connecting to Ironic and Ironic Inspector
-configured with the following `auth_strategy` modes:
+The `baremetal-operator` supports connecting to Ironic with the following
+`auth_strategy` modes:
 
-* `noauth` (no authentication)
+* `noauth` (no authentication - not recommended)
 * `http_basic` (HTTP [Basic access authentication](https://en.wikipedia.org/wiki/Basic_access_authentication))
 
-Note that Keystone authentication methods are not yet supported.
+Note that Keystone (OpenStack Identity) authentication methods are not yet
+supported.
 
 Authentication configuration is read from the filesystem, beginning at the root
 directory specified in the environment variable `METAL3_AUTH_ROOT_DIR`. If this
 variable is empty or not specified, the default is `/opt/metal3/auth`.
 
-Within the root directory there are separate subdirectories, `ironic` for
-Ironic client configuration, and `ironic-inspector` for Ironic Inspector client
-configuration. (This allows the data to be populated from separate secrets when
-deploying in Kubernetes.)
+Within the root directory, there is a separate subdirectory `ironic` for
+Ironic client configuration.
 
 #### `noauth`
 
@@ -229,9 +230,6 @@ ironic-deployment/
 │   │   ├── ironic-auth-config
 │   │   ├── ironic-auth-config-tpl
 │   │   ├── ironic-htpasswd
-│   │   ├── ironic-inspector-auth-config
-│   │   ├── ironic-inspector-auth-config-tpl
-│   │   ├── ironic-inspector-htpasswd
 │   │   └── kustomization.yaml
 │   ├── keepalived
 │   │   ├── ironic_bmo_configmap.env
@@ -266,8 +264,8 @@ For more information, check the readme in the `ironic-deployment` folder.
 There is a useful deployment script that configures and deploys BareMetal
 Operator and Ironic. It requires some variables :
 
-* IRONIC_HOST : domain name for Ironic and inspector
-* IRONIC_HOST_IP : IP on which Ironic and inspector are listening
+* IRONIC_HOST : domain name for Ironic
+* IRONIC_HOST_IP : IP on which Ironic is listening
 
 In addition you can configure the following variables. They are **optional**.
 If you leave them unset, then passwords and certificates will be generated
@@ -276,23 +274,26 @@ for you.
 * KUBECTL_ARGS : Additional arguments to kubectl apply
 * IRONIC_USERNAME : username for ironic
 * IRONIC_PASSWORD : password for ironic
-* IRONIC_INSPECTOR_USERNAME : username for inspector
-* IRONIC_INSPECTOR_PASSWORD : password for inspector
 * IRONIC_CACERT_FILE : CA certificate path for ironic
 * IRONIC_CAKEY_FILE : CA certificate key path, unneeded if ironic
 * certificates exist
 * IRONIC_CERT_FILE : Ironic certificate path
 * IRONIC_KEY_FILE : Ironic certificate key path
+* MARIADB_KEY_FILE: Path to the key of MariaDB
+* MARIADB_CERT_FILE:  Path to the cert of MariaDB
+* MARIADB_CAKEY_FILE: Path to the CA key of MariaDB
+* MARIADB_CACERT_FILE: Path to the CA certificate of MariaDB
+
+Before version 0.5.0, Ironic Inspector parameters were also used:
+
+* IRONIC_INSPECTOR_USERNAME : username for inspector
+* IRONIC_INSPECTOR_PASSWORD : password for inspector
 * IRONIC_INSPECTOR_CERT_FILE : Inspector certificate path
 * IRONIC_INSPECTOR_KEY_FILE : Inspector certificate key path
 * IRONIC_INSPECTOR_CACERT_FILE : CA certificate path for inspector, defaults to
-* IRONIC_CACERT_FILE
+  IRONIC_CACERT_FILE
 * IRONIC_INSPECTOR_CAKEY_FILE : CA certificate key path, unneeded if inspector
   certificates exist
-* MARIADB_KEY_FILE: Path to the key of MariaDB
-* MARIADB_CERT_FILE:  Path to the cert of MariaDB
-* MARIADB_CAKEY_FILE: Path to the CA key of MariaDB
-* MARIADB_CACERT_FILE: Path to the CA certificate of MariaDB
 
 Then run :
 

docs/user-guide/src/bmo/ironic_bmo_configmap.env

@@ -4,8 +4,8 @@ DHCP_RANGE=172.22.0.10,172.22.0.100
 DEPLOY_KERNEL_URL=http://172.22.0.2:6180/images/ironic-python-agent.kernel
 DEPLOY_RAMDISK_URL=http://172.22.0.2:6180/images/ironic-python-agent.initramfs
 IRONIC_ENDPOINT=http://172.22.0.2:6385/v1/
-IRONIC_INSPECTOR_ENDPOINT=http://172.22.0.2:5050/v1/
+# IRONIC_INSPECTOR_ENDPOINT=http://172.22.0.2:5050/v1/
 CACHEURL=http://172.22.0.1/images
 IRONIC_FAST_TRACK=true
 IRONIC_KERNEL_PARAMS=console=ttyS0
-IRONIC_INSPECTOR_VLAN_INTERFACES=all
+IRONIC_INSPECTOR_VLAN_INTERFACES=all

docs/user-guide/src/capm3/pivoting.md

@@ -119,8 +119,8 @@ This can now be achieved with the following procedure:
  is up and running then the CAPI and provider components can be installed with `clusterctl` to
  the bootstrap cluster.
 
-2. Install Ironic  components namely: ironic, ironic-inspector,
-   ironic-endpoint-keepalived, httpd and dnsmasq.
+2. Install Ironic components, namely: ironic, ironic-endpoint-keepalived, httpd
+   and dnsmasq.
 
 3. Use clusterctl init to install the provider components
 

docs/user-guide/src/developer_environment/tryit.md

@@ -585,7 +585,7 @@ useful for troubleshooting to find out why a node did not deploy.
 | driver_internal_info   | {u'last_power_state_change': u'2022-01-19T13:04:01.981882', u'agent_version': u'8.3.1.dev2', u'agent_last_heartbeat': u'2022-01-19T13:03:51.874842', u'clean_steps': None, u'agent_erase_devices_iterations': 1, u'agent_erase_devices_zeroize': True, u'agent_continue_if_secure_erase_failed': False, u'agent_continue_if_ata_erase_failed': False, u'agent_enable_nvme_secure_erase': True, u'disk_erasure_concurrency': 1, u'agent_erase_skip_read_only': False, u'hardware_manager_version': {u'generic_hardware_manager': u'1.1'}, u'agent_cached_clean_steps_refreshed': u'2022-01-19 13:03:47.558697', u'deploy_steps': None, u'agent_cached_deploy_steps_refreshed': u'2022-01-19 12:09:34.731244'} |
 | extra                  | {}                                                         |
 | fault                  | None                                                       |
-| inspect_interface      | inspector                                                  |
+| inspect_interface      | agent                                                      |
 | inspection_finished_at | None                                                       |
 | inspection_started_at  | 2022-01-19T10:56:17+00:00                                  |
 | instance_info          | {u'capabilities': {}, u'image_source': u'http://172.22.0.1/images/CENTOS_8_NODE_IMAGE_K8S_v1.22.3-raw.img', u'image_os_hash_algo': u'md5', u'image_os_hash_value': u'http://172.22.0.1/images/CENTOS_8_NODE_IMAGE_K8S_v1.22.3-raw.img.md5sum', u'image_checksum': u'http://172.22.0.1/images/CENTOS_8_NODE_IMAGE_K8S_v1.22.3-raw.img.md5sum', u'image_disk_format': u'raw'} |

docs/user-guide/src/ironic/ironic-python-agent.md

@@ -1,6 +1,6 @@
 # Ironic Python Agent (IPA)
 
-[IPA](https://docs.openstack.org/ironic-python-agent/latest/) is a service written in python that runs within a ramdisk. It provides remote access to `ironic` and `ironic-inspector` services to perform various operations on the managed server. It also sends information about the server to `Ironic`.
+[IPA](https://docs.openstack.org/ironic-python-agent/latest/) is a service written in python that runs within a ramdisk. It provides remote access for `Ironic` to perform various operations on the managed server. It also sends information about the server to `Ironic`.
 
 By default, we pull IPA images from [Ironic upstream](https://tarballs.opendev.org/openstack/ironic-python-agent/dib) archive where an image is built on every commit to the *master* git branch.
 
@@ -11,14 +11,14 @@ However, another remote registry or a local IPA archive can be specified. [ipa-d
 IPA interacts with other components. The information exchanged and the component to which it is sent to or received from are described below.
 The communication between IPA and these components can be encrypted in-transit with SSL/TLS.
 
+- Inspection: data about hardware details, such as CPU, disk, RAM and network interfaces.
 - Heartbeat: periodic message informing Ironic that the node is still running.
 - Lookup: data sent to Ironic that helps it determine Ironic’s node UUID for the node.
-- Introspection: data about hardware details, such as CPU, disk, RAM and network interfaces.
 
 The above data is sent/received as follows.
 
+- Inspection result is sent to Ironic
 - Lookup/heartbeats data is sent to Ironic.
-- Introspection result is sent to ironic-inspector.
 - User supplied boot image that will be written to the node’s disk is retrieved from HTTPD server
 
 ## References

docs/user-guide/src/ironic/ironic_installation.md

@@ -6,7 +6,6 @@ there are a couple of containers that must run in order to provision
 baremetal nodes:
 
 - ironic (the main provisioning service)
-- ironic-inspector (the auxiliary inspection service)
 - ipa-downloader (init container to download and cache the deployment ramdisk
   image)
 - httpd (HTTP server that serves cached images and iPXE configuration)
@@ -20,6 +19,8 @@ A few other containers are optional:
 - ironic-log-watch (to provide access to the deployment ramdisk logs)
 - mariadb (the provisioning service database; SQLite can be used as
   a lightweight alternative)
+- ironic-inspector (the auxiliary inspection service - only used in older
+  versions of Metal3)
 
 ## Prerequisites
 
@@ -30,7 +31,7 @@ A separate provisioning network is required when network boot is used.
 The following ports must be accessible by the hosts being provisioned:
 
 - TCP 6385 (Ironic API)
-- TCP 5050 (Inspector API)
+- TCP 5050 (Inspector API; when used)
 - TCP 80 (HTTP server; can be changed via the `HTTP_PORT` environment variable)
 - UDP 67/68/546/547 (DHCP and DHCPv6; when network boot is used)
 - UDP 69 (TFTP; when network boot is used)
@@ -89,7 +90,6 @@ variables](#environmental-variables) on the current shell before calling [run_lo
 installation script. This will start below containers:
 
 - ironic
-- ironic-inspector
 - ironic-endpoint-keepalived
 - ironic-log-watch
 - ipa-downloader
@@ -101,7 +101,7 @@ If in-cluster ironic installation, we used different manifests for TLS and basic
 here we are exporting environment variables for enabling/disabling TLS & basic auth
 but use the same script.
 
-TLS and Basic authentication disabled
+TLS and Basic authentication disabled (not recommended)
 
 ```bash
  export IRONIC_FAST_TRACK="false"  # Example of manipulating Ironic settings

docs/user-guide/src/ironic/ironic_variables.md

@@ -10,7 +10,6 @@ The following environmental variables can be passed to configure the Ironic serv
 - `DEPLOY_KERNEL_URL` - the URL of the kernel to deploy ironic-python-agent
 - `DEPLOY_RAMDISK_URL` - the URL of the ramdisk to deploy ironic-python-agent
 - `IRONIC_ENDPOINT` - the endpoint of the ironic
-- `IRONIC_INSPECTOR_ENDPOINT` - the endpoint of the ironic inspector
 - `CACHEURL` - the URL of the cached images
 - `IRONIC_FAST_TRACK` - whether to enable fast_track provisioning or not (default true)
 - `IRONIC_KERNEL_PARAMS` - kernel parameters to pass to IPA (default console=ttyS0)