From 0933868a027dc3062632dc34459a765e029e9577 Mon Sep 17 00:00:00 2001 From: Calin Cristian Andrei Date: Tue, 11 May 2021 15:45:35 +0000 Subject: [PATCH] store openstack external cloud controller ca.cert in a k8s secret instead of the host filesystem --- .../openstack/tasks/main.yml | 26 +++++-------------- .../tasks/openstack-write-cacert.yml | 12 --------- ...ernal-openstack-cloud-config-secret.yml.j2 | 1 + ...enstack-cloud-controller-manager-ds.yml.j2 | 14 +++------- 4 files changed, 12 insertions(+), 41 deletions(-) delete mode 100644 roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml index dd3528094b7..7934fc1cf0d 100644 --- a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml +++ b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml 
@@ -2,31 +2,19 @@ - include_tasks: openstack-credential-check.yml tags: external-openstack -- name: External OpenStack Cloud Controller | Write cacert file - include_tasks: openstack-write-cacert.yml - run_once: true - loop: "{{ groups['k8s_cluster'] }}" - loop_control: - loop_var: delegate_host_to_write_cacert +- name: External OpenStack Cloud Controller | Get base64 cacert + slurp: + src: "{{ external_openstack_cacert }}" + register: external_openstack_cacert_b64 when: - - inventory_hostname in groups['k8s_cluster'] + - inventory_hostname == groups['k8s_control_plane'][0] - external_openstack_cacert is defined - external_openstack_cacert | length > 0 tags: external-openstack -- name: External OpenStack Cloud Controller | Write External OpenStack cloud-config - template: - src: "external-openstack-cloud-config.j2" - dest: "{{ kube_config_dir }}/external_openstack_cloud_config" - group: "{{ kube_cert_group }}" - mode: 0640 - when: inventory_hostname == groups['kube_control_plane'][0] - tags: external-openstack - - name: External OpenStack Cloud Controller | Get base64 cloud-config - slurp: - src: "{{ kube_config_dir }}/external_openstack_cloud_config" - register: external_openstack_cloud_config_secret + set_fact: + external_openstack_cloud_config_secret: "{{ lookup('template', 'external-openstack-cloud-config.j2') | b64encode }}" when: inventory_hostname == groups['kube_control_plane'][0] tags: external-openstack diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml deleted file mode 100644 index b975fe5b121..00000000000 --- a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml +++ /dev/null 
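Review bot: The new slurp task is gated on `inventory_hostname == groups['k8s_control_plane'][0]` while the set_fact task a few lines below in the same hunk uses `groups['kube_control_plane'][0]`; unless the inventory really defines both groups, the slurp either errors on the missing group or never runs, and the Secret template's `default("")` then silently ships an empty CA. The condition should read `- inventory_hostname == groups['kube_control_plane'][0]` to match its sibling. Separately, `slurp` reads `external_openstack_cacert` on the remote control-plane node, whereas the removed `copy` task took `src` from the Ansible controller, so inventories that point at a controller-local path will start failing; if controller-side semantics are intended, mirror the cloud-config task with a `set_fact` built from `lookup('file', external_openstack_cacert) | b64encode`, otherwise call the new location out in the role's variable docs. Finally, nothing removes the files the old tasks left behind (`{{ kube_config_dir }}/external_openstack_cloud_config` with the credentials on the first control-plane node and `external-openstack-cacert.pem` on every cluster node), so an upgrade keeps stale copies of the secret material on disk; a `file: state: absent` task for both paths would close that.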
@@ -1,12 +0,0 @@ ---- -# include to workaround mitogen issue -# https://github.com/dw/mitogen/issues/663 - -- name: External OpenStack Cloud Controller | Write cacert file - copy: - src: "{{ external_openstack_cacert }}" - dest: "{{ kube_config_dir }}/external-openstack-cacert.pem" - group: "{{ kube_cert_group }}" - mode: 0640 - tags: external-openstack - delegate_to: "{{ delegate_host_to_write_cacert }}" diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config-secret.yml.j2 b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config-secret.yml.j2 index 991cd2b4945..06f82234fbe 100644 --- a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config-secret.yml.j2 +++ b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config-secret.yml.j2 @@ -8,3 +8,4 @@ metadata: namespace: kube-system data: cloud.conf: {{ external_openstack_cloud_config_secret.content }} + ca.cert: {{ external_openstack_cacert_b64.content | default("") }} diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-ds.yml.j2 b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-ds.yml.j2 index 149f70b4227..36d17d805a7 100644 --- a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-ds.yml.j2 +++ b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-ds.yml.j2 
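Review bot: The new `ca.cert` line leaves the templated value unquoted, so when the default kicks in the rendered YAML is `ca.cert:` with nothing after it, which parses as null rather than the empty string `default("")` intends; quote it as `ca.cert: "{{ external_openstack_cacert_b64.content | default('') }}"` so the Secret always carries a string (the API server may tolerate the null today, but that is worth confirming rather than relying on). The default also makes a skipped or failed slurp indistinguishable from "no CA configured": the registered result of a skipped task has no `content`, so a wrong host condition in main.yml yields an empty certificate and the controller then presumably fails TLS verification against the OpenStack API with an error that points nowhere near the cause. An `assert` in main.yml that `external_openstack_cacert_b64.content is defined` whenever `external_openstack_cacert | length > 0` would turn that into an explicit failure at deploy time.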
@@ -61,14 +61,14 @@ spec: - mountPath: /etc/ssl/certs name: ca-certs readOnly: true - - mountPath: /etc/config + - mountPath: /etc/config/cloud.conf name: cloud-config-volume readOnly: true -{% if external_openstack_cacert is defined and external_openstack_cacert != "" %} + subPath: cloud.conf - mountPath: {{ kube_config_dir }}/external-openstack-cacert.pem - name: openstack-cacert + name: cloud-config-volume readOnly: true -{% endif %} + subPath: ca.cert {% if kubelet_flexvolumes_plugins_dir is defined %} - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec name: flexvolume-dir @@ -98,9 +98,3 @@ spec: - name: cloud-config-volume secret: secretName: external-openstack-cloud-config -{% if external_openstack_cacert is defined and external_openstack_cacert != "" %} - - hostPath: - path: {{ kube_config_dir }}/external-openstack-cacert.pem - type: FileOrCreate - name: openstack-cacert -{% endif %}
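Review bot: Switching both mounts to `subPath` means the pods stop receiving Secret updates: Kubernetes does not refresh subPath-mounted Secret keys in running containers, so re-running the role to rotate the OpenStack credentials in `external-openstack-cloud-config` no longer reaches the controller until the DaemonSet is rolled, whereas the previous whole-secret mount at `/etc/config` picked up changes in place. Either keep directory mounts (the secret at `/etc/config` for cloud.conf and a second directory for the CA, with `ca-file` in cloud.conf pointing there) or force a rollout on change, for example with a pod-template annotation such as `checksum/cloud-config: "{{ external_openstack_cloud_config_secret | hash('sha256') }}"`. The mounts also drop the `{% if external_openstack_cacert ... %}` guard, so an empty `ca.cert` file is now mounted at `{{ kube_config_dir }}/external-openstack-cacert.pem` whenever no CA is configured; that is only harmless if the cloud-config template (not in this diff) omits `ca-file` in that case, which is worth confirming. The pod spec this hunk edits starts before and ends after it.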