From b1bb5a4796007bb1a69c620fe9f83a344dbed4af Mon Sep 17 00:00:00 2001
From: bozzo <bozzo@users.noreply.github.com>
Date: Tue, 6 Oct 2020 14:34:21 +0200
Subject: [PATCH] Fix cinder & external_openstack cacert deployment (#6745)

The CA cert was only deployed on master nodes
---
 .../csi_driver/cinder/tasks/cinder-write-cacert.yml  | 12 ++++++++++++
 .../kubernetes-apps/csi_driver/cinder/tasks/main.yml | 10 +++++-----
 .../openstack/tasks/main.yml                         | 10 +++++-----
 .../openstack/tasks/openstack-write-cacert.yml       | 12 ++++++++++++
 4 files changed, 34 insertions(+), 10 deletions(-)
 create mode 100644 roles/kubernetes-apps/csi_driver/cinder/tasks/cinder-write-cacert.yml
 create mode 100644 roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml

diff --git a/roles/kubernetes-apps/csi_driver/cinder/tasks/cinder-write-cacert.yml b/roles/kubernetes-apps/csi_driver/cinder/tasks/cinder-write-cacert.yml
new file mode 100644
index 000000000..2e997647c
--- /dev/null
+++ b/roles/kubernetes-apps/csi_driver/cinder/tasks/cinder-write-cacert.yml
@@ -0,0 +1,12 @@
+---
+# include to workaround mitogen issue
+# https://github.com/dw/mitogen/issues/663
+
+- name: Cinder CSI Driver | Write cacert file
+  copy:
+    src: "{{ cinder_cacert }}"
+    dest: "{{ kube_config_dir }}/cinder-cacert.pem"
+    group: "{{ kube_cert_group }}"
+    mode: 0640
+  tags: cinder-csi-driver
+  delegate_to: "{{ delegate_host_to_write_cacert }}"
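Review bot: The copy task sets `group` and `mode` but no `owner`, so the CA bundle ends up owned by whichever account the task runs as on the delegated host. This file is the trust anchor for the driver's TLS connections to OpenStack, so adding `owner: root` would make it explicit who may replace it; if the play always runs with become, this only documents the existing behaviour. The mode is written as the bare integer `mode: 0640`, which works only because the leading zero makes the YAML 1.1 parser read it as octal; the quoted form `mode: "0640"` is the one Ansible's documentation recommends. Both points apply equally to the identical task in openstack-write-cacert.yml.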
diff --git a/roles/kubernetes-apps/csi_driver/cinder/tasks/main.yml b/roles/kubernetes-apps/csi_driver/cinder/tasks/main.yml
index b63912d2b..14b827513 100644
--- a/roles/kubernetes-apps/csi_driver/cinder/tasks/main.yml
+++ b/roles/kubernetes-apps/csi_driver/cinder/tasks/main.yml
@@ -3,11 +3,11 @@
   tags: cinder-csi-driver
 
 - name: Cinder CSI Driver | Write cacert file
-  copy:
-    src: "{{ cinder_cacert }}"
-    dest: "{{ kube_config_dir }}/cinder-cacert.pem"
-    group: "{{ kube_cert_group }}"
-    mode: 0640
+  include_tasks: cinder-write-cacert.yml
+  run_once: true
+  loop: "{{ groups['k8s-cluster'] }}"
+  loop_control:
+    loop_var: delegate_host_to_write_cacert
   when:
     - inventory_hostname in groups['k8s-cluster']
     - cinder_cacert is defined
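Review bot: With `run_once: true` plus a loop over `groups['k8s-cluster']`, the `when` conditions below are evaluated on the single host that drives the loop, not on each node that receives the file. As far as I can tell, the `kube_config_dir` and `kube_cert_group` values used in the included task are also templated from that host's variables, so per-host overrides on the delegated nodes would be ignored. `groups['k8s-cluster']` is not narrowed by `--limit`, so a limited run would presumably still try to write the CA cert to every cluster node and fail on an unreachable one. A comment above the task would help the next reader, for example `# run_once + loop/delegate_to: one host pushes the CA cert to every k8s-cluster node; when: is checked on that host only`. The task's remaining keys lie outside the hunk, and the same applies to the matching change in external_cloud_controller/openstack/tasks/main.yml.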
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
index b7b2f2ddf..1aa2795aa 100644
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
@@ -3,11 +3,11 @@
   tags: external-openstack
 
 - name: External OpenStack Cloud Controller | Write cacert file
-  copy:
-    src: "{{ external_openstack_cacert }}"
-    dest: "{{ kube_config_dir }}/external-openstack-cacert.pem"
-    group: "{{ kube_cert_group }}"
-    mode: 0640
+  include_tasks: openstack-write-cacert.yml
+  run_once: true
+  loop: "{{ groups['k8s-cluster'] }}"
+  loop_control:
+    loop_var: delegate_host_to_write_cacert
   when:
     - inventory_hostname in groups['k8s-cluster']
     - external_openstack_cacert is defined
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml
new file mode 100644
index 000000000..b975fe5b1
--- /dev/null
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml
@@ -0,0 +1,12 @@
+---
+# include to workaround mitogen issue
+# https://github.com/dw/mitogen/issues/663
+
+- name: External OpenStack Cloud Controller | Write cacert file
+  copy:
+    src: "{{ external_openstack_cacert }}"
+    dest: "{{ kube_config_dir }}/external-openstack-cacert.pem"
+    group: "{{ kube_cert_group }}"
+    mode: 0640
+  tags: external-openstack
+  delegate_to: "{{ delegate_host_to_write_cacert }}"
-- 
GitLab