store openstack external cloud controller ca.cert in a k8s secret instead of the host filesystem (#7603)

Cristian Calin 2021-05-26 10:35:21 +03:00 committed by GitHub
parent 858b29f425
commit c5ccedb694
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 12 additions and 41 deletions


@ -2,31 +2,19 @@
- include_tasks: openstack-credential-check.yml - include_tasks: openstack-credential-check.yml
tags: external-openstack tags: external-openstack
- name: External OpenStack Cloud Controller | Write cacert file - name: External OpenStack Cloud Controller | Get base64 cacert
include_tasks: openstack-write-cacert.yml slurp:
run_once: true src: "{{ external_openstack_cacert }}"
loop: "{{ groups['k8s_cluster'] }}" register: external_openstack_cacert_b64
loop_control:
loop_var: delegate_host_to_write_cacert
when: when:
- inventory_hostname in groups['k8s_cluster'] - inventory_hostname == groups['k8s_control_plane'][0]
- external_openstack_cacert is defined - external_openstack_cacert is defined
- external_openstack_cacert | length > 0 - external_openstack_cacert | length > 0
tags: external-openstack tags: external-openstack
- name: External OpenStack Cloud Controller | Write External OpenStack cloud-config
template:
src: "external-openstack-cloud-config.j2"
dest: "{{ kube_config_dir }}/external_openstack_cloud_config"
group: "{{ kube_cert_group }}"
mode: 0640
when: inventory_hostname == groups['kube_control_plane'][0]
tags: external-openstack
- name: External OpenStack Cloud Controller | Get base64 cloud-config - name: External OpenStack Cloud Controller | Get base64 cloud-config
slurp: set_fact:
src: "{{ kube_config_dir }}/external_openstack_cloud_config" external_openstack_cloud_config_secret: "{{ lookup('template', 'external-openstack-cloud-config.j2') | b64encode }}"
register: external_openstack_cloud_config_secret
when: inventory_hostname == groups['kube_control_plane'][0] when: inventory_hostname == groups['kube_control_plane'][0]
tags: external-openstack tags: external-openstack
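Review bot: The new slurp task's `when` tests `groups['k8s_control_plane'][0]`, while the set_fact task in the same hunk keeps `groups['kube_control_plane'][0]` and the removed loop used `groups['k8s_cluster']`; if `k8s_control_plane` is not a group in this inventory the conditional either errors or never matches, `external_openstack_cacert_b64` is never registered with content, and the secret silently falls back to an empty `ca.cert`. Changing it to `- inventory_hostname == groups['kube_control_plane'][0]` makes the two tasks agree. Separately, `slurp` reads `external_openstack_cacert` on the first control-plane host, whereas the removed `copy` task read it from the Ansible controller; that relocation of the expected file deserves a comment, e.g. `# external_openstack_cacert must be present on the first control-plane host`.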


@ -1,12 +0,0 @@
---
# include to workaround mitogen issue
# https://github.com/dw/mitogen/issues/663
- name: External OpenStack Cloud Controller | Write cacert file
copy:
src: "{{ external_openstack_cacert }}"
dest: "{{ kube_config_dir }}/external-openstack-cacert.pem"
group: "{{ kube_cert_group }}"
mode: 0640
tags: external-openstack
delegate_to: "{{ delegate_host_to_write_cacert }}"


@ -8,3 +8,4 @@ metadata:
namespace: kube-system namespace: kube-system
data: data:
cloud.conf: {{ external_openstack_cloud_config_secret.content }} cloud.conf: {{ external_openstack_cloud_config_secret.content }}
ca.cert: {{ external_openstack_cacert_b64.content | default("") }}
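Review bot: The added `ca.cert` line renders as a bare `ca.cert:` when no CA file is configured, because `default("")` expands to nothing and an unquoted empty value is parsed as YAML null rather than an empty string, which the API server may reject or drop for a Secret `data` entry. Either emit the key only when there is content by wrapping the line in `{% if external_openstack_cacert_b64.content is defined %}` / `{% endif %}`, or quote the value so it is always a string. Whichever is chosen has to match the deployment template, which now mounts `ca.cert` by subPath unconditionally and may fail to start if the key is missing from the secret.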


@ -61,14 +61,14 @@ spec:
- mountPath: /etc/ssl/certs - mountPath: /etc/ssl/certs
name: ca-certs name: ca-certs
readOnly: true readOnly: true
- mountPath: /etc/config - mountPath: /etc/config/cloud.conf
name: cloud-config-volume name: cloud-config-volume
readOnly: true readOnly: true
{% if external_openstack_cacert is defined and external_openstack_cacert != "" %} subPath: cloud.conf
- mountPath: {{ kube_config_dir }}/external-openstack-cacert.pem - mountPath: {{ kube_config_dir }}/external-openstack-cacert.pem
name: openstack-cacert name: cloud-config-volume
readOnly: true readOnly: true
{% endif %} subPath: ca.cert
{% if kubelet_flexvolumes_plugins_dir is defined %} {% if kubelet_flexvolumes_plugins_dir is defined %}
- mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
name: flexvolume-dir name: flexvolume-dir
@ -98,9 +98,3 @@ spec:
- name: cloud-config-volume - name: cloud-config-volume
secret: secret:
secretName: external-openstack-cloud-config secretName: external-openstack-cloud-config
{% if external_openstack_cacert is defined and external_openstack_cacert != "" %}
- hostPath:
path: {{ kube_config_dir }}/external-openstack-cacert.pem
type: FileOrCreate
name: openstack-cacert
{% endif %}
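Review bot: Switching both mounts to `subPath` (the `/etc/config/cloud.conf` and `ca.cert` entries in the first hunk) means the container no longer sees updates to the `external-openstack-cloud-config` secret, because Kubernetes does not propagate secret changes into subPath mounts; a rotated CA or edited cloud.conf only takes effect once the pod is recreated, whereas the previous directory mount at `/etc/config` was updated in place. That is a behaviour change worth a comment beside the mounts, e.g. `# subPath mounts are static: roll the deployment after changing the secret`. The `ca.cert` mount is also unconditional now that the `{% if external_openstack_cacert ... %}` guard is gone, so the secret must always carry that key; if an empty file then lands at `{{ kube_config_dir }}/external-openstack-cacert.pem` and cloud.conf references it as the CA, TLS verification would fail — worth confirming the cloud-config template only sets the CA path when the cert is defined.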