store openstack external cloud controller ca.cert in a k8s secret instead of the host filesystem (#7603)

roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml

@@ -2,31 +2,19 @@
 - include_tasks: openstack-credential-check.yml
   tags: external-openstack
 
-- name: External OpenStack Cloud Controller | Write cacert file
-  include_tasks: openstack-write-cacert.yml
-  run_once: true
-  loop: "{{ groups['k8s_cluster'] }}"
-  loop_control:
-    loop_var: delegate_host_to_write_cacert
+- name: External OpenStack Cloud Controller | Get base64 cacert
+  slurp:
+    src: "{{ external_openstack_cacert }}"
+  register: external_openstack_cacert_b64
   when:
-    - inventory_hostname in groups['k8s_cluster']
+    - inventory_hostname == groups['k8s_control_plane'][0]
     - external_openstack_cacert is defined
     - external_openstack_cacert | length > 0
   tags: external-openstack
 
-- name: External OpenStack Cloud Controller | Write External OpenStack cloud-config
-  template:
-    src: "external-openstack-cloud-config.j2"
-    dest: "{{ kube_config_dir }}/external_openstack_cloud_config"
-    group: "{{ kube_cert_group }}"
-    mode: 0640
-  when: inventory_hostname == groups['kube_control_plane'][0]
-  tags: external-openstack
-
 - name: External OpenStack Cloud Controller | Get base64 cloud-config
-  slurp:
-    src: "{{ kube_config_dir }}/external_openstack_cloud_config"
-  register: external_openstack_cloud_config_secret
+  set_fact:
+    external_openstack_cloud_config_secret: "{{ lookup('template', 'external-openstack-cloud-config.j2') | b64encode }}"
   when: inventory_hostname == groups['kube_control_plane'][0]
   tags: external-openstack
 

roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-write-cacert.yml

@@ -1,12 +0,0 @@
----
-# include to workaround mitogen issue
-# https://github.com/dw/mitogen/issues/663
-
-- name: External OpenStack Cloud Controller | Write cacert file
-  copy:
-    src: "{{ external_openstack_cacert }}"
-    dest: "{{ kube_config_dir }}/external-openstack-cacert.pem"
-    group: "{{ kube_cert_group }}"
-    mode: 0640
-  tags: external-openstack
-  delegate_to: "{{ delegate_host_to_write_cacert }}"

roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config-secret.yml.j2

@@ -8,3 +8,4 @@ metadata:
   namespace: kube-system
 data:
   cloud.conf: {{ external_openstack_cloud_config_secret.content }}
+  ca.cert: {{ external_openstack_cacert_b64.content | default("") }}

roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-ds.yml.j2

@@ -61,14 +61,14 @@ spec:
             - mountPath: /etc/ssl/certs
               name: ca-certs
               readOnly: true
-            - mountPath: /etc/config
+            - mountPath: /etc/config/cloud.conf
               name: cloud-config-volume
               readOnly: true
-{% if external_openstack_cacert is defined and external_openstack_cacert != "" %}
+              subPath: cloud.conf
             - mountPath: {{ kube_config_dir }}/external-openstack-cacert.pem
-              name: openstack-cacert
+              name: cloud-config-volume
               readOnly: true
-{% endif %}
+              subPath: ca.cert
 {% if kubelet_flexvolumes_plugins_dir is defined %}
             - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
               name: flexvolume-dir
@@ -98,9 +98,3 @@ spec:
       - name: cloud-config-volume
         secret:
           secretName: external-openstack-cloud-config
-{% if external_openstack_cacert is defined and external_openstack_cacert != "" %}
-      - hostPath:
-          path: {{ kube_config_dir }}/external-openstack-cacert.pem
-          type: FileOrCreate
-        name: openstack-cacert
-{% endif %}