From c685dc493fe6fec529fc5915a827615752c4d3c4 Mon Sep 17 00:00:00 2001
From: southquist
Date: Wed, 14 Feb 2018 17:15:25 +0100
Subject: [PATCH] allow for setting the cacert on openstack cloud provider
---
 .../master/templates/kubeadm-config.yaml.j2 | 6 +++++
 .../kube-controller-manager.manifest.j2 | 10 +++++++
 roles/kubernetes/node/defaults/main.yml | 1 +
 .../node/templates/openstack-cloud-config.j2 | 3 +++
 roles/kubernetes/preinstall/tasks/main.yml | 27 +++++++++++++++++++
 5 files changed, 47 insertions(+)
diff --git a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
index 32e6071b6..0852a37b4 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@@ -75,6 +75,12 @@ controllerManagerExtraArgs:
 node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
 node-monitor-period: {{ kube_controller_node_monitor_period }}
 pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
+{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
+controllerManagerExtraVolumes:
+- name: openstackcacert
+ hostPath: "{{ kube_config_dir }}/openstack-cacert.pem"
+ mountPath: "{{ kube_config_dir }}/openstack-cacert.pem"
+{% endif %}
 {% if kube_feature_gates %}
 feature-gates: {{ kube_feature_gates|join(',') }}
 {% endif %}
diff --git a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
index 012372496..85e6043e6 100644
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
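Review bot: The new `controllerManagerExtraVolumes:` block is inserted between `pod-eviction-timeout` and the `{% if kube_feature_gates %}` entry, i.e. inside the `controllerManagerExtraArgs:` mapping named in the hunk header; because the new key starts at column 0 it terminates that mapping, so when feature gates are enabled the indented `feature-gates:` line that follows no longer belongs to the extra args and the rendered config is either invalid or silently wrong (whitespace is collapsed on this page, so the indent of the `feature-gates:` line is inferred from the hunk's context rather than seen). Move the whole `{% if … %}`/`{% endif %}` block to just below the `{% endif %}` that closes the feature-gates entry, so the new top-level key follows the mapping instead of interrupting it. The guard `openstack_cacert is defined` is also weaker than intended: once the defaults hunk sets `openstack_cacert: "{{ lookup('env','OS_CACERT') }}"`, the variable is always defined (an unset env var yields an empty string), so the volume is added to every openstack deployment; both kube-controller-manager.manifest.j2 hunks and the "Write cacert file" task use the same guard, while openstack-cloud-config.j2 correctly tests `openstack_cacert != ""`. Use `{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined and openstack_cacert != "" %}` in all of them.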
@@ -94,6 +94,11 @@ spec:
 - mountPath: "{{ kube_config_dir }}/cloud_config"
 name: cloudconfig
 readOnly: true
+{% endif %}
+{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
+ - mountPath: "{{ kube_config_dir }}/openstack-cacert.pem"
+ name: openstackcacert
+ readOnly: true
 {% endif %}
 volumes:
 - name: ssl-certs-host
@@ -115,3 +120,8 @@ spec:
 path: "{{ kube_config_dir }}/cloud_config"
 name: cloudconfig
 {% endif %}
+{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
+ - hostPath:
+ path: "{{ kube_config_dir }}/openstack-cacert.pem"
+ name: openstackcacert
+{% endif %}
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index 9a3a08e5b..d0841d872 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -111,6 +111,7 @@ openstack_tenant_id: "{{ lookup('env','OS_TENANT_ID')| default(lookup('env','OS_
 openstack_tenant_name: "{{ lookup('env','OS_TENANT_NAME') }}"
 openstack_domain_name: "{{ lookup('env','OS_USER_DOMAIN_NAME') }}"
 openstack_domain_id: "{{ lookup('env','OS_USER_DOMAIN_ID') }}"
+openstack_cacert: "{{ lookup('env','OS_CACERT') }}"
 # For the vsphere integration, kubelet will need credentials to access
 # vsphere apis
diff --git a/roles/kubernetes/node/templates/openstack-cloud-config.j2 b/roles/kubernetes/node/templates/openstack-cloud-config.j2
index e4dd33559..b6814b51b 100644
--- a/roles/kubernetes/node/templates/openstack-cloud-config.j2
+++ b/roles/kubernetes/node/templates/openstack-cloud-config.j2
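Review bot: The new `openstackcacert` hostPath volume in the second hunk declares no `type`, so a missing `{{ kube_config_dir }}/openstack-cacert.pem` on the node is not rejected at pod creation; with the legacy untyped hostPath the kubelet performs no check, and some runtimes create an empty directory at the path, leaving the controller manager running with a `ca-file` that cannot validate anything. Adding `type: File` under `hostPath:` turns a missing trust anchor into a visible static-pod failure, which is the preferable failure mode for TLS material; this assumes the targeted kubelet version supports the hostPath `type` field, which I cannot confirm from the patch alone. The `volumes:` list that this entry extends begins outside the hunk.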
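Review bot: `openstack_cacert: "{{ lookup('env','OS_CACERT') }}"` stores the environment variable's value, yet the "Write cacert file" task in the preinstall hunk uses that value as the PEM body (`content: "{{ openstack_cacert }}"`). In the OpenStack client tooling `OS_CACERT` conventionally holds the path of a CA bundle, so a user who exports it the usual way gets the path string written into `openstack-cacert.pem` and the cloud provider's TLS verification fails outright. If the variable is meant to carry a path, the task should copy that file, e.g. `src: "{{ openstack_cacert }}"` instead of `content: "{{ openstack_cacert }}"` (the `env` lookup and `copy: src` both resolve on the Ansible controller); if it is meant to hold the PEM text, the default should not be derived from `OS_CACERT`, and a comment above the new line should state which form is expected.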
@@ -12,6 +12,9 @@ domain-name="{{ openstack_domain_name }}"
 {% elif openstack_domain_id is defined and openstack_domain_id != "" %}
 domain-id ="{{ openstack_domain_id }}"
 {% endif %}
+{% if openstack_cacert is defined and openstack_cacert != "" %}
+ca-file="{{ kube_config_dir }}/openstack-cacert.pem"
+{% endif %}
 {% if openstack_blockstorage_version is defined %}
 [BlockStorage]
diff --git a/roles/kubernetes/preinstall/tasks/main.yml b/roles/kubernetes/preinstall/tasks/main.yml
index 75fafaf56..beec3370a 100644
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
@@ -311,3 +311,30 @@
 - ansible_distribution in ["CentOS","RedHat"]
 tags:
 - bootstrap-os
+
+- name: Write cacert file
+ copy:
+ content: "{{ openstack_cacert }}"
+ dest: "{{ kube_config_dir }}/openstack-cacert.pem"
+ group: "{{ kube_cert_group }}"
+ mode: 0640
+ when:
+ - inventory_hostname in groups['k8s-cluster']
+ - cloud_provider is defined
+ - cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
+ - openstack_cacert is defined
+ tags:
+ - cloud-provider
+
+- name: Write cloud-config
+ template:
+ src: "{{ cloud_provider }}-cloud-config.j2"
+ dest: "{{ kube_config_dir }}/cloud_config"
+ group: "{{ kube_cert_group }}"
+ mode: 0640
+ when:
+ - inventory_hostname in groups['k8s-cluster']
+ - cloud_provider is defined
+ - cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
+ tags:
+ - cloud-provider
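Review bot: "Write cacert file" is gated on `cloud_provider in [ 'openstack', 'azure', 'vsphere' ]`, evidently copied from the cloud-config task beneath it, whereas every other hunk treats the CA file as openstack-only (`cloud_provider in ["openstack"]`); since `openstack_cacert is defined` does not exclude the empty default, the task writes an `openstack-cacert.pem`, possibly empty, on azure and vsphere nodes as well. Tighten the conditions to `- cloud_provider in [ 'openstack' ]` and `- openstack_cacert != ""`, matching openstack-cloud-config.j2. `mode: 0640` (both tasks) is an unquoted YAML 1.1 octal literal; `mode: "0640"` is the form that reads the same under every parser and Ansible version. The task list continues before the hunk, so I cannot tell from here whether a "Write cloud-config" task with the same name already exists earlier in the role.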