Merge pull request #8532 from dulek/kuryr-ssl

Add option to pass OpenStack CA cert to Kuryr

roles/kuryr/README.md

@@ -26,6 +26,7 @@ pods. This allows to have interconnectivity between pods and OpenStack VMs.
 * ``kuryr_openstack_project_id=project_uuid``
 * ``kuryr_openstack_username=kuryr``
 * ``kuryr_openstack_password=kuryr_pass``
+* ``kuryr_openstack_ca=/etc/ssl/ca.crt` (defaults to ``OS_CACERT`` env var)
 * ``kuryr_openstack_pod_sg_id=pod_security_group_uuid``
 * ``kuryr_openstack_pod_subnet_id=pod_subnet_uuid``
 * ``kuryr_openstack_pod_service_id=service_subnet_uuid``

roles/kuryr/tasks/master.yaml

@@ -13,6 +13,17 @@
     src: node-images.yaml.j2
     dest: "{{ manifests_tmpdir.stdout }}/node-images.yaml"
 
+- name: Set certificate contents as fact
+  set_fact:
+    kuryr_ca_certificate: "{{ lookup('file', kuryr_openstack_ca | default(lookup('env', 'OS_CACERT'))) }}"
+  ignore_errors: yes
+
+- name: Create Kuryr certificates Secret manifest
+  become: yes
+  template:
+    src: certificates-secret.yaml.j2
+    dest: "{{ manifests_tmpdir.stdout }}/certificates-secret.yaml"
+
 - name: Create kuryr ConfigMap manifest
   become: yes
   template:
@@ -42,6 +53,16 @@
   run_once: true
   ignore_errors: yes
 
+- name: Apply Kuryr certificates Secret
+  oc_obj:
+    state: present
+    kind: Secret
+    name: "kuryr-certificates"
+    namespace: "{{ kuryr_namespace }}"
+    files:
+    - "{{ manifests_tmpdir.stdout }}/certificates-secret.yaml"
+  run_once: true
+
 - name: Apply ConfigMap manifest
   oc_obj:
     state: present

roles/kuryr/templates/certificates-secret.yaml.j2

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kuryr-certificates
+  namespace: {{ kuryr_namespace }}
+type: Opaque
+data:
+  kuryr-ca-bundle.crt: "{{ kuryr_ca_certificate | default('') | b64encode }}"

roles/kuryr/templates/configmap.yaml.j2

@@ -247,6 +247,12 @@ data:
     # Deprecated group/name - [neutron]/auth_plugin
     auth_type = password
 
+{% if kuryr_ca_certificate is defined %}
+    # PEM encoded Certificate Authority to use when verifying HTTPs connections.
+    # (string value)
+    cafile = /etc/ssl/certs/kuryr-ca-bundle.crt
+{% endif %}
+
     # Domain ID to scope to (string value)
     user_domain_name = {{ kuryr_openstack_user_domain_name }}
 

roles/kuryr/templates/controller-deployment.yaml.j2

@@ -45,9 +45,16 @@ spec:
         - name: config-volume
           mountPath: "/etc/kuryr/kuryr.conf"
           subPath: kuryr.conf
+        - name: certificates-volume
+          mountPath: "/etc/ssl/certs/kuryr-ca-bundle.crt"
+          subPath: kuryr-ca-bundle.crt
+          readOnly: true
       volumes:
       - name: config-volume
         configMap:
           name: kuryr-config
           defaultMode: 0666
+      - name: certificates-volume
+        secret:
+          secretName: kuryr-certificates
       restartPolicy: Always