store openstack external cloud controller ca.cert in a k8s secret instead of the host filesystem (#7603)
This commit is contained in:
parent
858b29f425
commit
c5ccedb694
4 changed files with 12 additions and 41 deletions
|
@ -2,31 +2,19 @@
|
||||||
- include_tasks: openstack-credential-check.yml
|
- include_tasks: openstack-credential-check.yml
|
||||||
tags: external-openstack
|
tags: external-openstack
|
||||||
|
|
||||||
- name: External OpenStack Cloud Controller | Write cacert file
|
- name: External OpenStack Cloud Controller | Get base64 cacert
|
||||||
include_tasks: openstack-write-cacert.yml
|
slurp:
|
||||||
run_once: true
|
src: "{{ external_openstack_cacert }}"
|
||||||
loop: "{{ groups['k8s_cluster'] }}"
|
register: external_openstack_cacert_b64
|
||||||
loop_control:
|
|
||||||
loop_var: delegate_host_to_write_cacert
|
|
||||||
when:
|
when:
|
||||||
- inventory_hostname in groups['k8s_cluster']
|
- inventory_hostname == groups['k8s_control_plane'][0]
|
||||||
- external_openstack_cacert is defined
|
- external_openstack_cacert is defined
|
||||||
- external_openstack_cacert | length > 0
|
- external_openstack_cacert | length > 0
|
||||||
tags: external-openstack
|
tags: external-openstack
|
||||||
|
|
||||||
- name: External OpenStack Cloud Controller | Write External OpenStack cloud-config
|
|
||||||
template:
|
|
||||||
src: "external-openstack-cloud-config.j2"
|
|
||||||
dest: "{{ kube_config_dir }}/external_openstack_cloud_config"
|
|
||||||
group: "{{ kube_cert_group }}"
|
|
||||||
mode: 0640
|
|
||||||
when: inventory_hostname == groups['kube_control_plane'][0]
|
|
||||||
tags: external-openstack
|
|
||||||
|
|
||||||
- name: External OpenStack Cloud Controller | Get base64 cloud-config
|
- name: External OpenStack Cloud Controller | Get base64 cloud-config
|
||||||
slurp:
|
set_fact:
|
||||||
src: "{{ kube_config_dir }}/external_openstack_cloud_config"
|
external_openstack_cloud_config_secret: "{{ lookup('template', 'external-openstack-cloud-config.j2') | b64encode }}"
|
||||||
register: external_openstack_cloud_config_secret
|
|
||||||
when: inventory_hostname == groups['kube_control_plane'][0]
|
when: inventory_hostname == groups['kube_control_plane'][0]
|
||||||
tags: external-openstack
|
tags: external-openstack
|
||||||
|
|
||||||
|
|
|
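Review bot: The `when` condition on the new slurp task indexes a group named `k8s_control_plane`, while the cloud-config task in the same hunk (and the removed template task) uses `groups['kube_control_plane'][0]`; if no `k8s_control_plane` group exists in the inventory the expression is undefined and the task errors on every host instead of being skipped. Changing it to `- inventory_hostname == groups['kube_control_plane'][0]` makes the two tasks agree. Separately, `slurp` reads `external_openstack_cacert` from the first control-plane node, whereas the removed `copy` task read that path from the Ansible controller, so an inventory that points the variable at a controller-local file now fails with a missing-file error on the remote; a `set_fact` built from `lookup('file', external_openstack_cacert) | b64encode`, mirroring how the new cloud-config task uses `lookup('template', ...)`, would keep the controller-side semantics (the secret template would then reference the fact directly rather than `.content`). Either way the change of where the file must live deserves a note in the variable's documentation.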
@ -1,12 +0,0 @@
|
||||||
---
|
|
||||||
# include to workaround mitogen issue
|
|
||||||
# https://github.com/dw/mitogen/issues/663
|
|
||||||
|
|
||||||
- name: External OpenStack Cloud Controller | Write cacert file
|
|
||||||
copy:
|
|
||||||
src: "{{ external_openstack_cacert }}"
|
|
||||||
dest: "{{ kube_config_dir }}/external-openstack-cacert.pem"
|
|
||||||
group: "{{ kube_cert_group }}"
|
|
||||||
mode: 0640
|
|
||||||
tags: external-openstack
|
|
||||||
delegate_to: "{{ delegate_host_to_write_cacert }}"
|
|
|
@ -8,3 +8,4 @@ metadata:
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
data:
|
data:
|
||||||
cloud.conf: {{ external_openstack_cloud_config_secret.content }}
|
cloud.conf: {{ external_openstack_cloud_config_secret.content }}
|
||||||
|
ca.cert: {{ external_openstack_cacert_b64.content | default("") }}
|
||||||
|
|
|
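Review bot: `cloud.conf: {{ external_openstack_cloud_config_secret.content }}` is kept as context here, but the new side of tasks/main.yml now builds `external_openstack_cloud_config_secret` with `set_fact` as a plain base64 string rather than a `slurp` result, so `.content` dereferences an attribute a string does not have and the render should fail with an undefined-attribute error; it should read `cloud.conf: {{ external_openstack_cloud_config_secret }}`. The added `ca.cert` line renders as an empty YAML scalar (null, not `""`) when no CA is configured, because `default("")` leaves nothing after the key; quoting the expression, `ca.cert: "{{ external_openstack_cacert_b64.content | default('') }}"`, produces an explicit empty string that the Secret `data` map accepts unambiguously. A comment such as `# ca.cert is empty when external_openstack_cacert is unset; the deployment still mounts it` would tell the next maintainer why a placeholder key exists.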
@ -61,14 +61,14 @@ spec:
|
||||||
- mountPath: /etc/ssl/certs
|
- mountPath: /etc/ssl/certs
|
||||||
name: ca-certs
|
name: ca-certs
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- mountPath: /etc/config
|
- mountPath: /etc/config/cloud.conf
|
||||||
name: cloud-config-volume
|
name: cloud-config-volume
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{% if external_openstack_cacert is defined and external_openstack_cacert != "" %}
|
subPath: cloud.conf
|
||||||
- mountPath: {{ kube_config_dir }}/external-openstack-cacert.pem
|
- mountPath: {{ kube_config_dir }}/external-openstack-cacert.pem
|
||||||
name: openstack-cacert
|
name: cloud-config-volume
|
||||||
readOnly: true
|
readOnly: true
|
||||||
{% endif %}
|
subPath: ca.cert
|
||||||
{% if kubelet_flexvolumes_plugins_dir is defined %}
|
{% if kubelet_flexvolumes_plugins_dir is defined %}
|
||||||
- mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
|
- mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
|
||||||
name: flexvolume-dir
|
name: flexvolume-dir
|
||||||
|
@ -98,9 +98,3 @@ spec:
|
||||||
- name: cloud-config-volume
|
- name: cloud-config-volume
|
||||||
secret:
|
secret:
|
||||||
secretName: external-openstack-cloud-config
|
secretName: external-openstack-cloud-config
|
||||||
{% if external_openstack_cacert is defined and external_openstack_cacert != "" %}
|
|
||||||
- hostPath:
|
|
||||||
path: {{ kube_config_dir }}/external-openstack-cacert.pem
|
|
||||||
type: FileOrCreate
|
|
||||||
name: openstack-cacert
|
|
||||||
{% endif %}
|
|
||||||
|
|
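Review bot: Both `cloud.conf` and `ca.cert` are now consumed through `subPath` mounts of the `external-openstack-cloud-config` Secret, and a container that mounts a Secret key via subPath does not receive updates when the Secret changes, so rotating the OpenStack credentials or CA will not reach the running controller-manager until its pods are restarted; a comment next to the mounts, `# subPath mounts are not refreshed on Secret update - restart the pods after rotating credentials`, or a directory mount of the secret with `ca-file` in cloud.conf pointing into it, would make that explicit. The `ca.cert` mount also lost its `{% if external_openstack_cacert is defined and external_openstack_cacert != "" %}` guard, so the deployment now depends on the Secret always carrying a `ca.cert` key (an empty placeholder when no CA is configured) and projects an empty `external-openstack-cacert.pem` into `{{ kube_config_dir }}`; keeping the guard around the three mount lines avoids that. Dropping the `hostPath` volume in the second hunk is the right direction for the security goal of the commit.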