Merge pull request #1097 from openshift-cherrypick-robot/cherry-pick-…

…1096-to-v1.3.x [v1.3.x] Trust openstackcontrolplane CAs in configgenerator
openstack-k8s-operators · Oct 23, 2024 · 0435510 · 0435510
2 parents 7b99c5b + 2043111
commit 0435510
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 6 deletions.
diff --git a/controllers/openstackconfiggenerator_controller.go b/controllers/openstackconfiggenerator_controller.go
@@ -222,6 +222,29 @@ func (r *OpenStackConfigGeneratorReconciler) Reconcile(ctx context.Context, req
 	}
 	templateParameters["OSPVersion"] = OSPVersion
 
+	//
+	// check CAConfigMap is there
+	//
+	if controlPlane.Spec.CAConfigMap != "" {
+		_, ctrlResult, err := common.GetConfigMap(
+			ctx,
+			r,
+			instance,
+			cond,
+			shared.ConditionDetails{
+				ConditionNotFoundType:   shared.CommonCondTypeWaiting,
+				ConditionNotFoundReason: shared.CommonCondReasonCAConfigMapMissing,
+				ConditionErrorType:      shared.CommonCondTypeError,
+				ConditionErrordReason:   shared.CommonCondReasonCAConfigMapError,
+			},
+			controlPlane.Spec.CAConfigMap,
+			20,
+		)
+		if (err != nil) || (ctrlResult != ctrl.Result{}) {
+			return ctrlResult, err
+		}
+	}
+
 	//
 	// check if heat-env-config (customizations provided by administrator) exist if it does not exist, requeue
 	//
@@ -403,7 +426,7 @@ func (r *OpenStackConfigGeneratorReconciler) Reconcile(ctx context.Context, req
 	}
 
 	// Define a new Job object
-	job := openstackconfiggenerator.ConfigJob(instance, configMapHash, OSPVersion)
+	job := openstackconfiggenerator.ConfigJob(instance, configMapHash, OSPVersion, controlPlane.Spec.CAConfigMap)
 
 	var exports string
 	if instance.Status.ConfigHash != configMapHash {

diff --git a/pkg/openstackconfiggenerator/job.go b/pkg/openstackconfiggenerator/job.go
@@ -26,7 +26,7 @@ import (
 )
 
 // ConfigJob -
-func ConfigJob(cr *ospdirectorv1beta1.OpenStackConfigGenerator, configHash string, ospVersion shared.OSPVersion) *batchv1.Job {
+func ConfigJob(cr *ospdirectorv1beta1.OpenStackConfigGenerator, configHash string, ospVersion shared.OSPVersion, caConfigMap string) *batchv1.Job {
 
 	runAsUser := int64(openstackclient.CloudAdminUID)
 	runAsGroup := int64(openstackclient.CloudAdminGID)
@@ -42,8 +42,8 @@ func ConfigJob(cr *ospdirectorv1beta1.OpenStackConfigGenerator, configHash strin
 	var backoffLimit int32 = 2
 
 	// Get volumes
-	volumeMounts := GetVolumeMounts(cr)
-	volumes := GetVolumes(cr)
+	volumeMounts := GetVolumeMounts(cr, caConfigMap)
+	volumes := GetVolumes(cr, caConfigMap)
 
 	cmd := []string{"/bin/bash", "/home/cloud-admin/create-playbooks.sh"}
 	if cr.Spec.Interactive {

diff --git a/pkg/openstackconfiggenerator/volumes.go b/pkg/openstackconfiggenerator/volumes.go
@@ -23,7 +23,7 @@ import (
 )
 
 // GetVolumeMounts -
-func GetVolumeMounts(instance *ospdirectorv1beta1.OpenStackConfigGenerator) []corev1.VolumeMount {
+func GetVolumeMounts(instance *ospdirectorv1beta1.OpenStackConfigGenerator, caConfigMap string) []corev1.VolumeMount {
 	retVolMounts := []corev1.VolumeMount{
 		{
 			Name:      "tripleo-deploy-config-" + instance.Name,
@@ -75,11 +75,20 @@ func GetVolumeMounts(instance *ospdirectorv1beta1.OpenStackConfigGenerator) []co
 			},
 		)
 	}
+
+	if caConfigMap != "" {
+		retVolMounts = append(retVolMounts, corev1.VolumeMount{
+			Name:      "ca-certs",
+			MountPath: "/mnt/ca-certs",
+			ReadOnly:  true,
+		})
+	}
+
 	return retVolMounts
 }
 
 // GetVolumes -
-func GetVolumes(instance *ospdirectorv1beta1.OpenStackConfigGenerator) []corev1.Volume {
+func GetVolumes(instance *ospdirectorv1beta1.OpenStackConfigGenerator, caConfigMap string) []corev1.Volume {
 	var config0600AccessMode int32 = 0600
 	var config0644AccessMode int32 = 0644
 	var config0755AccessMode int32 = 0755
@@ -174,5 +183,20 @@ func GetVolumes(instance *ospdirectorv1beta1.OpenStackConfigGenerator) []corev1.
 			},
 		)
 	}
+
+	if caConfigMap != "" {
+		retVolumes = append(retVolumes, corev1.Volume{
+			Name: "ca-certs",
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					DefaultMode: &config0644AccessMode,
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: caConfigMap,
+					},
+				},
+			},
+		})
+	}
+
 	return retVolumes
 }
diff --git a/templates/openstackconfiggenerator/bin/create-playbooks.sh b/templates/openstackconfiggenerator/bin/create-playbooks.sh
@@ -5,6 +5,12 @@ umask 0022
 CHOWN_UID=$(id -u)
 CHOWN_GID=$(id -g)
 
+# Add any additional CA certs
+if [ -d /mnt/ca-certs ]; then
+  sudo cp -v /mnt/ca-certs/* /etc/pki/ca-trust/source/anchors/
+  sudo update-ca-trust
+fi
+
 # add cloud-admin ssh keys to $HOME/.ssh
 mkdir -p $HOME/.ssh
 sudo cp /mnt/ssh-config/* $HOME/.ssh/