Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow yawol to work with self-signed OpenStack APIs #392

Merged
merged 6 commits into from
Aug 19, 2024
Merged

allow yawol to work with self-signed OpenStack APIs #392

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
1c53128
add ca-file capability to providerOptions
Aug 14, 2024
3879e6e
set minVersion of TLS to 1.2
Aug 14, 2024
6a32e19
add example config
Aug 14, 2024
939815a
allow additionalVolumes/volumeMounts for yawol-controller
hown3d Aug 14, 2024
3f7a62e
log flags indent
hown3d Aug 14, 2024
7c44dff
add README.md
Aug 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,8 @@ stringData:
username="<OS_USERNAME>"
password="<OS_PASSWORD>"
region="<OS_REGION_NAME>"
# Optional self-signed CA for OpenStack APIs
ca-file="/etc/ssl/myca.crt"
```

Assuming you saved the secret as `secret-cloud-provider-config.yaml`, apply it with:
Expand Down
2 changes: 1 addition & 1 deletion charts/yawol-controller/templates/yawol-cloud-controller.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ spec:
{{- if .Values.yawolClassName }}
- -classname={{ .Values.yawolClassName }}
{{- end }}
{{- include "logFlags" . | indent 10 }}
{{- include "logFlags" . | indent 8 }}
env:
{{- if .Values.namespace }}
- name: CLUSTER_NAMESPACE
Expand Down
16 changes: 16 additions & 0 deletions charts/yawol-controller/templates/yawol-controller.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,10 @@ spec:
capabilities:
drop:
- ALL
{{- if .Values.yawolController.additionalVolumeMounts }}
volumeMounts:
{{ toYaml .Values.yawolController.additionalVolumeMounts | indent 8 }}
{{- end }}
- name: yawol-controller-loadbalancerset
image: "{{ .Values.yawolController.image.repository }}:{{ default .Chart.AppVersion .Values.yawolController.image.tag }}"
imagePullPolicy: Always
Expand Down Expand Up @@ -93,6 +97,10 @@ spec:
capabilities:
drop:
- ALL
{{- if .Values.yawolController.additionalVolumeMounts }}
volumeMounts:
{{ toYaml .Values.yawolController.additionalVolumeMounts | indent 8 }}
{{- end }}
- name: yawol-controller-loadbalancermachine
image: "{{ .Values.yawolController.image.repository }}:{{ default .Chart.AppVersion .Values.yawolController.image.tag }}"
imagePullPolicy: Always
Expand Down Expand Up @@ -134,4 +142,12 @@ spec:
capabilities:
drop:
- ALL
{{- if .Values.yawolController.additionalVolumeMounts }}
volumeMounts:
{{ toYaml .Values.yawolController.additionalVolumeMounts | indent 8 }}
{{- end }}
restartPolicy: Always
{{- if .Values.yawolController.additionalVolumes }}
volumes:
{{ toYaml .Values.yawolController.additionalVolumes | indent 6 }}
{{- end }}
4 changes: 4 additions & 0 deletions charts/yawol-controller/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ yawolCloudController:
tag: ""
serviceAccount: {}
#imagePullSecret: "registry-credentials"
additionalVolumeMounts: []
additionalVolumes: []

# -- values are passed as zap-flags to the containers. See https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/log/zap#Options.BindFlags for more information
logging:
Expand All @@ -49,6 +51,8 @@ yawolController:
repository: ghcr.io/stackitcloud/yawol/yawol-controller
# -- Allows you to override the yawol version in this chart. Use at your own risk.
tag: ""
additionalVolumeMounts: []
additionalVolumes: []

resources:
yawolCloudController:
Expand Down
1 change: 1 addition & 0 deletions example-setup/yawol-controller/provider-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ stringData:
username="USERNAME"
password="PASSWORD"
region="RegionOne"
ca-file="/etc/ssl/myca.crt"
kind: Secret
metadata:
name: cloud-provider-config
Expand Down
22 changes: 22 additions & 0 deletions internal/openstack/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,15 @@ package openstack

import (
"context"
"crypto/tls"
"fmt"
"net/http"
"strings"
"time"

netutil "k8s.io/apimachinery/pkg/util/net"
certutil "k8s.io/client-go/util/cert"

"github.com/gophercloud/gophercloud"
"github.com/gophercloud/gophercloud/openstack"
"github.com/gophercloud/utils/openstack/clientconfig"
Expand Down Expand Up @@ -231,6 +236,8 @@ func getProvider(
projectName := strings.TrimSpace(cfg.Section("Global").Key("project-name").String())
authInfo.ProjectID = strings.TrimSpace(cfg.Section("Global").Key("project-id").String())

caFile := strings.TrimSpace(cfg.Section("Global").Key("ca-file").String())

// TODO: remove legacyProjectName once openstack-cloud-controller has dropped tenant-name support. Link to ccm args:
//nolint:lll // link
// https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md
Expand All @@ -247,6 +254,17 @@ func getProvider(
authInfo.ProjectID = *overwrite.ProjectID
}

var transport http.RoundTripper
if caFile != "" {
roots, err := certutil.NewPool(caFile)
if err != nil {
return nil, nil, err
}
config := &tls.Config{MinVersion: tls.VersionTLS12}
config.RootCAs = roots
transport = netutil.SetOldTransportDefaults(&http.Transport{TLSClientConfig: config})
}

clientOpts := new(clientconfig.ClientOpts)
clientOpts.AuthInfo = &authInfo

Expand All @@ -260,6 +278,10 @@ func getProvider(
return nil, nil, err
}

if transport != nil {
provider.HTTPClient.Transport = transport
}

actx, acancel := context.WithTimeout(ctx, timeout)
defer acancel()

Expand Down