Merge pull request #2342 from southquist/add-ca-cert

allow for setting the cacert on openstack cloud provider
6 years ago · c288ffc55d
5 changed files with 47 additions and 0 deletions
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@ -75,6 +75,12 @@ controllerManagerExtraArgs:
  node-monitor-grace-period: {{ kube_controller_node_monitor_grace_period }}
  node-monitor-period: {{ kube_controller_node_monitor_period }}
  pod-eviction-timeout: {{ kube_controller_pod_eviction_timeout }}
+{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
+controllerManagerExtraVolumes:
+- name: openstackcacert
+  hostPath: "{{ kube_config_dir }}/openstack-cacert.pem"
+  mountPath: "{{ kube_config_dir }}/openstack-cacert.pem"
+{% endif %}
 {% if kube_feature_gates %}
  feature-gates: {{ kube_feature_gates|join(',') }}
 {% endif %}
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@ -94,6 +94,11 @@ spec:
    - mountPath: "{{ kube_config_dir }}/cloud_config"
      name: cloudconfig
      readOnly: true
+{% endif %}
+{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
+    - mountPath: "{{ kube_config_dir }}/openstack-cacert.pem"
+      name: openstackcacert
+      readOnly: true
 {% endif %}
  volumes:
  - name: ssl-certs-host
@ -115,3 +120,8 @@ spec:
      path: "{{ kube_config_dir }}/cloud_config"
    name: cloudconfig
 {% endif %}
+{% if cloud_provider is defined and cloud_provider in ["openstack"] and openstack_cacert is defined %}
+  - hostPath:
+      path: "{{ kube_config_dir }}/openstack-cacert.pem"
+    name: openstackcacert
+{% endif %}
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@ -114,6 +114,7 @@ openstack_tenant_id: "{{ lookup('env','OS_TENANT_ID')| default(lookup('env','OS_
 openstack_tenant_name: "{{ lookup('env','OS_TENANT_NAME') }}"
 openstack_domain_name: "{{ lookup('env','OS_USER_DOMAIN_NAME') }}"
 openstack_domain_id: "{{ lookup('env','OS_USER_DOMAIN_ID') }}"
+openstack_cacert: "{{ lookup('env','OS_CACERT') }}"

 # For the vsphere integration, kubelet will need credentials to access
 # vsphere apis
--- a/roles/kubernetes/node/templates/openstack-cloud-config.j2
+++ b/roles/kubernetes/node/templates/openstack-cloud-config.j2
@ -12,6 +12,9 @@ domain-name="{{ openstack_domain_name }}"
 {% elif openstack_domain_id is defined and openstack_domain_id != "" %}
 domain-id ="{{ openstack_domain_id }}"
 {% endif %}
+{% if openstack_cacert is defined and openstack_cacert != "" %}
+ca-file="{{ kube_config_dir }}/openstack-cacert.pem"
+{% endif %}

 {% if openstack_blockstorage_version is defined %}
 [BlockStorage]
--- a/roles/kubernetes/preinstall/tasks/main.yml
+++ b/roles/kubernetes/preinstall/tasks/main.yml
@ -311,3 +311,30 @@
    - ansible_distribution in ["CentOS","RedHat"]
  tags:
    - bootstrap-os
+
+- name: Write cacert file
+  copy:
+    content: "{{ openstack_cacert }}"
+    dest: "{{ kube_config_dir }}/openstack-cacert.pem"
+    group: "{{ kube_cert_group }}"
+    mode: 0640
+  when:
+    - inventory_hostname in groups['k8s-cluster']
+    - cloud_provider is defined
+    - cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
+    - openstack_cacert is defined
+  tags:
+    - cloud-provider
+
+- name: Write cloud-config
+  template:
+    src: "{{ cloud_provider }}-cloud-config.j2"
+    dest: "{{ kube_config_dir }}/cloud_config"
+    group: "{{ kube_cert_group }}"
+    mode: 0640
+  when:
+    - inventory_hostname in groups['k8s-cluster']
+    - cloud_provider is defined
+    - cloud_provider in [ 'openstack', 'azure', 'vsphere' ]
+  tags:
+    - cloud-provider