From c5ccedb694697f81d63a0082d7acfefb7e6247b4 Mon Sep 17 00:00:00 2001
From: Cristian Calin <6627509+cristicalin@users.noreply.github.com>
Date: Wed, 26 May 2021 10:35:21 +0300
Subject: [PATCH] store openstack external cloud controller ca.cert in a k8s
 secret instead of the host filesystem (#7603)

---
 .../openstack/tasks/main.yml                  | 26 +++++--------------
 .../tasks/openstack-write-cacert.yml          | 12 ---------
 ...ernal-openstack-cloud-config-secret.yml.j2 |  1 +
 ...enstack-cloud-controller-manager-ds.yml.j2 | 14 +++-------
 4 files changed, 12 insertions(+), 41 deletions(-)
 delete mode 100644 roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml

diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
index dd3528094..7934fc1cf 100644
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
@@ -2,31 +2,19 @@
 - include_tasks: openstack-credential-check.yml
   tags: external-openstack
 
-- name: External OpenStack Cloud Controller | Write cacert file
-  include_tasks: openstack-write-cacert.yml
-  run_once: true
-  loop: "{{ groups['k8s_cluster'] }}"
-  loop_control:
-    loop_var: delegate_host_to_write_cacert
+- name: External OpenStack Cloud Controller | Get base64 cacert
+  slurp:
+    src: "{{ external_openstack_cacert }}"
+  register: external_openstack_cacert_b64
   when:
-    - inventory_hostname in groups['k8s_cluster']
+    - inventory_hostname == groups['k8s_control_plane'][0]
     - external_openstack_cacert is defined
     - external_openstack_cacert | length > 0
   tags: external-openstack
 
-- name: External OpenStack Cloud Controller | Write External OpenStack cloud-config
-  template:
-    src: "external-openstack-cloud-config.j2"
-    dest: "{{ kube_config_dir }}/external_openstack_cloud_config"
-    group: "{{ kube_cert_group }}"
-    mode: 0640
-  when: inventory_hostname == groups['kube_control_plane'][0]
-  tags: external-openstack
-
 - name: External OpenStack Cloud Controller | Get base64 cloud-config
-  slurp:
-    src: "{{ kube_config_dir }}/external_openstack_cloud_config"
-  register: external_openstack_cloud_config_secret
+  set_fact:
+    external_openstack_cloud_config_secret: "{{ lookup('template', 'external-openstack-cloud-config.j2') | b64encode }}"
   when: inventory_hostname == groups['kube_control_plane'][0]
   tags: external-openstack
 
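Review bot: The new slurp task's condition `- inventory_hostname == groups['k8s_control_plane'][0]` names a group that nothing else in this file uses — the set_fact task below tests `groups['kube_control_plane'][0]` and the deleted loop iterated `groups['k8s_cluster']`, so unless the inventory really defines `k8s_control_plane` the lookup fails while evaluating the conditional and aborts the play on every host; the line should read `- inventory_hostname == groups['kube_control_plane'][0]`. Separately, `slurp` reads `src` on the managed node, whereas the removed `copy` task read `external_openstack_cacert` from the Ansible controller, so the CA file must now be present on the first control-plane node; if the controller-side semantics were intended, `external_openstack_cacert_b64: "{{ lookup('file', external_openstack_cacert) | b64encode }}"` in a set_fact would mirror how the cloud-config is rendered in the next task. The cloud-config fact embeds the OpenStack credentials and is echoed at higher verbosity, so `no_log: true` on that set_fact would keep them out of run logs.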
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml
deleted file mode 100644
index b975fe5b1..000000000
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-# include to workaround mitogen issue
-# https://github.com/dw/mitogen/issues/663
-
-- name: External OpenStack Cloud Controller | Write cacert file
-  copy:
-    src: "{{ external_openstack_cacert }}"
-    dest: "{{ kube_config_dir }}/external-openstack-cacert.pem"
-    group: "{{ kube_cert_group }}"
-    mode: 0640
-  tags: external-openstack
-  delegate_to: "{{ delegate_host_to_write_cacert }}"
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config-secret.yml.j2 b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config-secret.yml.j2
index 991cd2b49..06f82234f 100644
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config-secret.yml.j2
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config-secret.yml.j2
@@ -8,3 +8,4 @@ metadata:
   namespace: kube-system
 data:
   cloud.conf: {{ external_openstack_cloud_config_secret.content }}
+  ca.cert: {{ external_openstack_cacert_b64.content | default("") }}
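Review bot: The added `ca.cert: {{ external_openstack_cacert_b64.content | default("") }}` always emits the key, so a cluster without `external_openstack_cacert` gets a Secret whose `ca.cert` decodes to a zero-byte file, and the DaemonSet template in this patch mounts that file unconditionally. Whether that is harmless depends on cloud.conf setting `ca-file` only when the variable is defined, which is not visible here; wrapping the line in `{% if external_openstack_cacert_b64.content is defined %}` … `{% endif %}` would keep the key out of the Secret when no CA was supplied and make the intent explicit. The `default("")` also quietly covers the case where the slurp task was skipped and the registered variable is a result dict with no `content`; a one-line comment above the key saying so would spare the next maintainer the trace. The Secret manifest's metadata starts outside this hunk.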
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-ds.yml.j2 b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-ds.yml.j2
index 149f70b42..36d17d805 100644
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-ds.yml.j2
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-ds.yml.j2
@@ -61,14 +61,14 @@ spec:
             - mountPath: /etc/ssl/certs
               name: ca-certs
               readOnly: true
-            - mountPath: /etc/config
+            - mountPath: /etc/config/cloud.conf
               name: cloud-config-volume
               readOnly: true
-{% if external_openstack_cacert is defined and external_openstack_cacert != "" %}
+              subPath: cloud.conf
             - mountPath: {{ kube_config_dir }}/external-openstack-cacert.pem
-              name: openstack-cacert
+              name: cloud-config-volume
               readOnly: true
-{% endif %}
+              subPath: ca.cert
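Review bot: Both new `subPath` mounts (`subPath: cloud.conf` and `subPath: ca.cert`) give up the kubelet's live refresh of Secret volumes — a file projected via subPath is not updated when the Secret changes, so rotating the OpenStack credentials or the CA now requires restarting the cloud-controller-manager pods, whereas the previous whole-volume mount at `/etc/config` would have picked up a new `cloud.conf` on the next sync. If that is acceptable, record it above the mounts, e.g. `# subPath mounts are not refreshed on Secret change; roll the DaemonSet after rotating credentials`; otherwise mount `cloud-config-volume` once as a directory and point `--cloud-config` and the `ca-file` entry at files inside it. The `ca.cert` mount is also no longer guarded by `external_openstack_cacert`, so an empty file appears at `{{ kube_config_dir }}/external-openstack-cacert.pem` when no CA is configured, which matters only if cloud.conf references that path unconditionally. The container spec continues outside this hunk.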
 {% if kubelet_flexvolumes_plugins_dir is defined %}
             - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
               name: flexvolume-dir
@@ -98,9 +98,3 @@ spec:
       - name: cloud-config-volume
         secret:
           secretName: external-openstack-cloud-config
-{% if external_openstack_cacert is defined and external_openstack_cacert != "" %}
-      - hostPath:
-          path: {{ kube_config_dir }}/external-openstack-cacert.pem
-          type: FileOrCreate
-        name: openstack-cacert
-{% endif %}
-- 
GitLab