From dea93049689dd0b6b1487bd4c663e9c6c13bec19 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Wed, 9 Oct 2019 12:19:49 +0300
Subject: [PATCH] Enable openstack_cacert to be either file or base64 string (#5243)
---
 docs/openstack.md | 3 +++
 roles/kubernetes/node/tasks/main.yml | 16 +++++++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/docs/openstack.md b/docs/openstack.md
index 5d07fb33f..906d774a2 100644
--- a/docs/openstack.md
+++ b/docs/openstack.md
@@ -5,6 +5,9 @@ To deploy kubespray on [OpenStack](https://www.openstack.org/) uncomment the `cl
 After that make sure to source in your OpenStack credentials like you would do when using `nova-client` or `neutron-client` by using `source path/to/your/openstack-rc` or `. path/to/your/openstack-rc`.
+For those who prefer to pass the OpenStack CA certificate as a string, one can
+base64 encode the cacert file and store it in the variable `openstack_cacert`.
+
 The next step is to make sure the hostnames in your `inventory` file are identical to your instance names in OpenStack. Otherwise [cinder](https://wiki.openstack.org/wiki/Cinder) won't work as expected.
diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml
index 7c93249a5..45e532b19 100644
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -166,14 +166,24 @@
 - cloud-provider
 - facts
+- name: Test if openstack_cacert is a base64 string
+ set_fact:
+ openstack_cacert_is_base64: "{% if openstack_cacert | b64decode %}true{% else %}false{% endif %}"
+ when:
+ - cloud_provider is defined
+ - cloud_provider == 'openstack'
+ - openstack_cacert is defined
+ - openstack_cacert | length > 0
+
+
 - name: Write cacert file
 copy:
- src: "{{ openstack_cacert }}"
+ src: "{{ openstack_cacert if not openstack_cacert_is_base64 else omit }}"
+ content: "{{ openstack_cacert | b64decode if openstack_cacert_is_base64 else omit }}"
 dest: "{{ kube_config_dir }}/openstack-cacert.pem"
 group: "{{ kube_cert_group }}"
 mode: 0640
 when:
- - inventory_hostname in groups['k8s-cluster']
 - cloud_provider is defined
 - cloud_provider == 'openstack'
 - openstack_cacert is defined
@@ -197,4 +207,4 @@
 - import_tasks: kubelet.yml
 tags:
 - kubelet
- - kubeadm
\ No newline at end of file
+ - kubeadm
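Review bot: The `openstack_cacert | b64decode` truthiness test in the new `set_fact` task cannot reliably tell a file path from a base64 string. As far as I can tell the filter ignores characters outside the base64 alphabet and fails only on bad padding, so a path such as the constructed example `/home/user/ca.pem` may decode to non-empty garbage that is then written to `openstack-cacert.pem`, while other paths may abort the play with a decode error. Because this file is the CA the node trusts for the OpenStack API, I would use a dedicated variable for the inline form, or at least test the decoded value for a PEM marker, e.g. `openstack_cacert_is_base64: "{{ '-----BEGIN CERTIFICATE-----' in (openstack_cacert | b64decode) }}"` (decode errors still need handling in that variant). The `when:` list of "Write cacert file" continues outside the hunk; it needs the same `openstack_cacert | length > 0` guard, otherwise `openstack_cacert_is_base64` may be undefined when that task runs.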