Improve support for custom OpenStack CAs (#410)

* Prefactor: upgrade Earthfile This allows using `LET` to overwrite a previously declared `ARG`. This is used in the next commit. * Support setting custom OpenStack CA for yawollet build * Allow overwriting OpenStack CA bundle via env
stackitcloud · Sep 10, 2024 · 19a519f · 19a519f
1 parent 0d2cf21
commit 19a519f
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 14 deletions.
diff --git a/.github/workflows/images.yaml b/.github/workflows/images.yaml
@@ -30,7 +30,7 @@ jobs:
     - name: Docker login
       run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io --username "${{ github.actor }}" --password-stdin
     - name: Install earthly
-      run: "sudo /bin/sh -c 'wget https://github.com/earthly/earthly/releases/download/v0.6.23/earthly-linux-amd64 -O /usr/local/bin/earthly && chmod +x /usr/local/bin/earthly'"
+      run: "sudo /bin/sh -c 'wget https://github.com/earthly/earthly/releases/download/v0.8.15/earthly-linux-amd64 -O /usr/local/bin/earthly && chmod +x /usr/local/bin/earthly'"
     - name: Earthly version
       run: earthly --version
     - name: Run build

diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -24,7 +24,7 @@ jobs:
         fi
         git checkout -b "$branch" || true
     - name: Install earthly
-      run: "sudo /bin/sh -c 'wget https://github.com/earthly/earthly/releases/download/v0.6.23/earthly-linux-amd64 -O /usr/local/bin/earthly && chmod +x /usr/local/bin/earthly'"
+      run: "sudo /bin/sh -c 'wget https://github.com/earthly/earthly/releases/download/v0.8.15/earthly-linux-amd64 -O /usr/local/bin/earthly && chmod +x /usr/local/bin/earthly'"
     - name: Configure pull-through-cache
       run: |
         mkdir ~/.earthly
@@ -44,4 +44,3 @@ jobs:
       run: earthly --ci --secret SNYK_TOKEN +snyk
     - name: Run Tests
       run: earthly --ci +all-except-snyk
-
diff --git a/Earthfile b/Earthfile
@@ -1,14 +1,14 @@
-VERSION 0.6
+VERSION 0.8
 FROM golang:1.22
-ARG DOCKER_REPO=ghcr.io/stackitcloud/yawol/
-ARG BINPATH=/usr/local/bin/
-ARG GOCACHE=/go-cache
+ARG --global DOCKER_REPO=ghcr.io/stackitcloud/yawol/
+ARG --global BINPATH=/usr/local/bin/
+ARG --global GOCACHE=/go-cache
 
-ARG ENVOY_VERSION=v1.27.0
-ARG HELM_VERSION=3.12.3
-ARG GOLANGCI_LINT_VERSION=v1.54.2
-ARG PACKER_VERSION=1.9
-ARG TERRAFORM_VERSION=1.4.6
+ARG --global ENVOY_VERSION=v1.27.0
+ARG --global HELM_VERSION=3.12.3
+ARG --global GOLANGCI_LINT_VERSION=v1.54.2
+ARG --global PACKER_VERSION=1.9
+ARG --global TERRAFORM_VERSION=1.4.6
 
 local-setup:
     LOCALLY
@@ -125,6 +125,13 @@ build-yawollet-image:
     ARG --required OS_USERNAME
     ARG --required OS_REGION_NAME
 
+    ARG OS_CACERT
+    # packer doesn't accept a raw CA bundle in OS_CACERT so we need to write it to a file
+    IF [ -n "$OS_CACERT" ]
+      RUN echo "$OS_CACERT" > /etc/ssl/certs/openstack.crt
+      LET OS_CACERT=/etc/ssl/certs/openstack.crt
+    END
+
     COPY +get-envoy/envoy out/envoy/envoy
     COPY +get-envoy/envoylibs out/envoy/lib
     COPY (+build/controller --CONTROLLER=yawollet --GOOS=$TARGETOS --GOARCH=$TARGETARCH) out/yawollet
@@ -158,6 +165,8 @@ build-packer-environment:
     ARG --required OS_USERNAME
     ARG --required OS_REGION_NAME
 
+    ARG OS_CACERT
+
     COPY --dir hack/packer-infrastructure .
 
     WORKDIR /packer-infrastructure
@@ -181,6 +190,7 @@ destroy-packer-environment:
     ARG --required OS_PASSWORD
     ARG --required OS_USERNAME
     ARG --required OS_REGION_NAME
+    ARG OS_CACERT
 
     COPY --dir hack/packer-infrastructure .
 

diff --git a/README.md b/README.md
@@ -63,6 +63,7 @@ earthly +build-packer-environment \
    --OS_PASSWORD="$OS_PASSWORD" \
    --OS_USERNAME="$OS_USERNAME" \
    --OS_REGION_NAME="$OS_REGION_NAME"
+#  --OS_CACERT="$OS_CACERT" # optional, should be the full CA bundle, not a file path
 #  --FLOATING_NETWORK_NAME=floating-net
 ```
 
@@ -79,6 +80,7 @@ earthly +destroy-packer-environment \
    --OS_PASSWORD="$OS_PASSWORD" \
    --OS_USERNAME="$OS_USERNAME" \
    --OS_REGION_NAME="$OS_REGION_NAME"
+#  --OS_CACERT="$OS_CACERT" # optional, should be the full CA bundle, not a file path
 #  --FLOATING_NETWORK_NAME=floating-net
 ```
 
@@ -115,8 +117,9 @@ earthly --platform=linux/amd64 +build-yawollet-image \
    --OS_PASSWORD="$OS_PASSWORD" \
    --OS_USERNAME="$OS_USERNAME" \
    --OS_REGION_NAME="$OS_REGION_NAME"
-#   --MACHINE_FLAVOR=c1.2
-#   --VOLUME_TYPE=storage_premium_perf6
+#  --OS_CACERT="$OS_CACERT" # optional, should be the full CA bundle, not a file path
+#  --MACHINE_FLAVOR=c1.2
+#  --VOLUME_TYPE=storage_premium_perf6
 ```
 
 ### Cluster Installation

diff --git a/internal/openstack/client.go b/internal/openstack/client.go
@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"fmt"
 	"net/http"
+	"os"
 	"strings"
 	"time"
 
@@ -254,7 +255,16 @@ func getProvider(
 		authInfo.ProjectID = *overwrite.ProjectID
 	}
 
+	// construct transport that trusts the configured CA bundle
 	var transport http.RoundTripper
+
+	// If OS_CACERT env var is set it takes precedence over the configuration.
+	// This is useful for running yawol-controller locally where the configured file name in the cloud-provider config
+	// might not match with the local environment.
+	if caFileEnv := os.Getenv("OS_CACERT"); caFileEnv != "" {
+		caFile = caFileEnv
+	}
+
 	if caFile != "" {
 		roots, err := certutil.NewPool(caFile)
 		if err != nil {