From ab62a6c4417562d2a67d6e825c31139c2b911e7c Mon Sep 17 00:00:00 2001
From: Hidekazu Nakamura <hidekazuna@gmail.com>
Date: Tue, 5 Feb 2019 05:44:03 +0000
Subject: [PATCH] Support keystone with cacert

---
 .../examples/openstack/generate-yaml.sh       |  25 ++++-
 .../clouds-secrets/kustomization.yaml         |   1 +
 .../centos/templates/master-user-data.sh      |  10 ++
 .../centos/templates/worker-user-data.sh      |   2 +
 .../user-data/coreos/templates/common.yaml    |  10 ++
 .../user-data/coreos/templates/master.yaml    |   6 ++
 .../ubuntu/templates/master-user-data.sh      |  10 ++
 .../ubuntu/templates/worker-user-data.sh      |   2 +
 ...v1alpha1_openstackclusterproviderspec.yaml |   6 ++
 .../openstackproviderconfig/v1alpha1/types.go |   6 ++
 .../v1alpha1/zz_generated.deepcopy.go         |   5 +
 pkg/cloud/openstack/clients/machineservice.go |  56 +++++++---
 pkg/cloud/openstack/cluster/actuator.go       | 100 +++++++++++++++++-
 13 files changed, 222 insertions(+), 17 deletions(-)

diff --git a/cmd/clusterctl/examples/openstack/generate-yaml.sh b/cmd/clusterctl/examples/openstack/generate-yaml.sh
index a507e883ae..e4bead45a5 100755
--- a/cmd/clusterctl/examples/openstack/generate-yaml.sh
+++ b/cmd/clusterctl/examples/openstack/generate-yaml.sh
@@ -136,6 +136,7 @@ OPENSTACK_CLOUD_CONFIG_PLAIN=$(cat "$CLOUDS_PATH")
 
 MACHINE_CONTROLLER_SSH_PRIVATE_FILE=openstack_tmp
 MACHINE_CONTROLLER_SSH_HOME=${HOME}/.ssh/
+CACERT="/etc/certs/cacert"
 
 # Set up the output dir if it does not yet exist
 mkdir -p $PWD/$OUTPUT
@@ -159,7 +160,7 @@ PASSWORD=$(echo "$OPENSTACK_CLOUD_CONFIG_PLAIN" | yq r - clouds.$CLOUD.auth.pass
 REGION=$(echo "$OPENSTACK_CLOUD_CONFIG_PLAIN" | yq r - clouds.$CLOUD.region_name)
 PROJECT_ID=$(echo "$OPENSTACK_CLOUD_CONFIG_PLAIN" | yq r - clouds.$CLOUD.auth.project_id)
 DOMAIN_NAME=$(echo "$OPENSTACK_CLOUD_CONFIG_PLAIN" | yq r - clouds.$CLOUD.auth.user_domain_name)
-
+CACERT_ORIGINAL=$(echo "$OPENSTACK_CLOUD_CONFIG_PLAIN" | yq r - clouds.$CLOUD.cacert)
 
 # Basic cloud.conf, no LB configuration as that data is not known yet.
 OPENSTACK_CLOUD_PROVIDER_CONF_PLAIN="[Global]
@@ -171,11 +172,23 @@ tenant-id=\"$PROJECT_ID\"
 domain-name=\"$DOMAIN_NAME\"
 "
 
+if [ "$CACERT_ORIGINAL" != "null" ]; then
+  OPENSTACK_CLOUD_PROVIDER_CONF_PLAIN="$OPENSTACK_CLOUD_PROVIDER_CONF_PLAIN
+  ca-file=\"$CACERT\"
+  "
+fi
+
 OS=$(uname)
 if [[ "$OS" =~ "Linux" ]]; then
   OPENSTACK_CLOUD_PROVIDER_CONF=$(echo "$OPENSTACK_CLOUD_PROVIDER_CONF_PLAIN"|base64 -w0)
+  if [ "$CACERT_ORIGINAL" != "null" ]; then
+    OPENSTACK_CLOUD_CACERT_CONFIG=$(cat "$CACERT_ORIGINAL"|base64 -w0)
+  fi
 elif [[ "$OS" =~ "Darwin" ]]; then
   OPENSTACK_CLOUD_PROVIDER_CONF=$(echo "$OPENSTACK_CLOUD_PROVIDER_CONF_PLAIN"|base64)
+  if [ "$CACERT_ORIGINAL" != "null" ]; then
+    OPENSTACK_CLOUD_CACERT_CONFIG=$(cat "$CACERT_ORIGINAL"|base64)
+  fi
 else
   echo "Unrecognized OS : $OS"
   exit 1
@@ -184,24 +197,32 @@ fi
 if [[ "$PROVIDER_OS" == "coreos" ]]; then
   cat $COREOS_COMMON_SECTION \
     | sed -e "s#\$OPENSTACK_CLOUD_PROVIDER_CONF#$OPENSTACK_CLOUD_PROVIDER_CONF#" \
+    | sed -e "s#\$OPENSTACK_CLOUD_CACERT_CONFIG#$OPENSTACK_CLOUD_CACERT_CONFIG#" \
     | yq m -a - $COREOS_MASTER_SECTION  \
     > $COREOS_MASTER_USER_DATA
   cat $COREOS_COMMON_SECTION \
     | sed -e "s#\$OPENSTACK_CLOUD_PROVIDER_CONF#$OPENSTACK_CLOUD_PROVIDER_CONF#" \
+    | sed -e "s#\$OPENSTACK_CLOUD_CACERT_CONFIG#$OPENSTACK_CLOUD_CACERT_CONFIG#" \
     | yq m -a - $COREOS_WORKER_SECTION  \
     > $COREOS_WORKER_USER_DATA
 else
   cat "$MASTER_USER_DATA" \
       | sed -e "s#\$OPENSTACK_CLOUD_PROVIDER_CONF#$OPENSTACK_CLOUD_PROVIDER_CONF#" \
+      | sed -e "s#\$OPENSTACK_CLOUD_CACERT_CONFIG#$OPENSTACK_CLOUD_CACERT_CONFIG#" \
       > $USERDATA/$PROVIDER_OS/master-user-data.sh
   cat "$WORKER_USER_DATA" \
     | sed -e "s#\$OPENSTACK_CLOUD_PROVIDER_CONF#$OPENSTACK_CLOUD_PROVIDER_CONF#" \
+    | sed -e "s#\$OPENSTACK_CLOUD_CACERT_CONFIG#$OPENSTACK_CLOUD_CACERT_CONFIG#" \
     > $USERDATA/$PROVIDER_OS/worker-user-data.sh
 fi
 
 printf $CLOUD > $CONFIG_DIR/os_cloud.txt
 echo "$OPENSTACK_CLOUD_CONFIG_PLAIN" > $CONFIG_DIR/clouds.yaml
-
+if [ "$CACERT_ORIGINAL" != "null" ]; then
+  cat "$CACERT_ORIGINAL" > $CONFIG_DIR/cacert
+else
+  echo "dummy" > $CONFIG_DIR/cacert
+fi
 
 # Build provider-components.yaml with kustomize
 # Coreos has a different kubeadm path (/usr is read-only) so gets a different kustomization.
diff --git a/cmd/clusterctl/examples/openstack/provider-component/clouds-secrets/kustomization.yaml b/cmd/clusterctl/examples/openstack/provider-component/clouds-secrets/kustomization.yaml
index b827b58782..036c9ee8f7 100644
--- a/cmd/clusterctl/examples/openstack/provider-component/clouds-secrets/kustomization.yaml
+++ b/cmd/clusterctl/examples/openstack/provider-component/clouds-secrets/kustomization.yaml
@@ -7,6 +7,7 @@ secretGenerator:
 - name: cloud-config
   commands:
     clouds.yaml: "cat configs/clouds.yaml"
+    cacert: "cat configs/cacert"
   type: Opaque
 - name: cloud-selector
   commands:
diff --git a/cmd/clusterctl/examples/openstack/provider-component/user-data/centos/templates/master-user-data.sh b/cmd/clusterctl/examples/openstack/provider-component/user-data/centos/templates/master-user-data.sh
index e3f999b9f8..2741ef6e03 100644
--- a/cmd/clusterctl/examples/openstack/provider-component/user-data/centos/templates/master-user-data.sh
+++ b/cmd/clusterctl/examples/openstack/provider-component/user-data/centos/templates/master-user-data.sh
@@ -86,6 +86,8 @@ echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables
 echo '1' > /proc/sys/net/ipv4/ip_forward
 
 echo $OPENSTACK_CLOUD_PROVIDER_CONF | base64 -d > /etc/kubernetes/cloud.conf
+mkdir /etc/certs
+echo $OPENSTACK_CLOUD_CACERT_CONFIG | base64 -d > /etc/certs/cacert
 
 # Set up kubeadm config file to pass parameters to kubeadm init.
 cat > /etc/kubernetes/kubeadm_config.yaml <<EOF
@@ -122,6 +124,10 @@ apiServer:
     mountPath: /etc/kubernetes/cloud.conf
     name: cloud
     readOnly: true
+  - hostPath: "/etc/certs/cacert"
+    mountPath: "/etc/certs/cacert"
+    name: cacert
+    readOnly: true
   timeoutForControlPlane: 4m0s
 certificatesDir: /etc/kubernetes/pki
 clusterName: kubernetes
@@ -138,6 +144,10 @@ controllerManager:
     mountPath: /etc/kubernetes/cloud.conf
     name: cloud
     readOnly: true
+  - hostPath: "/etc/certs/cacert"
+    mountPath: "/etc/certs/cacert"
+    name: cacert
+    readOnly: true
 dns:
   type: CoreDNS
 etcd:
diff --git a/cmd/clusterctl/examples/openstack/provider-component/user-data/centos/templates/worker-user-data.sh b/cmd/clusterctl/examples/openstack/provider-component/user-data/centos/templates/worker-user-data.sh
index cd251b302f..03f87642f6 100644
--- a/cmd/clusterctl/examples/openstack/provider-component/user-data/centos/templates/worker-user-data.sh
+++ b/cmd/clusterctl/examples/openstack/provider-component/user-data/centos/templates/worker-user-data.sh
@@ -45,6 +45,8 @@ install_configure_docker
 
 # Write the cloud.conf so that the kubelet can use it.
 echo $OPENSTACK_CLOUD_PROVIDER_CONF | base64 -d > /etc/kubernetes/cloud.conf
+mkdir /etc/certs
+echo $OPENSTACK_CLOUD_CACERT_CONFIG | base64 -d > /etc/certs/cacert
 
 # Set up kubeadm config file to pass to kubeadm join.
 cat > /etc/kubernetes/kubeadm_config.yaml <<EOF
diff --git a/cmd/clusterctl/examples/openstack/provider-component/user-data/coreos/templates/common.yaml b/cmd/clusterctl/examples/openstack/provider-component/user-data/coreos/templates/common.yaml
index c3555bdf68..82329c1bb6 100644
--- a/cmd/clusterctl/examples/openstack/provider-component/user-data/coreos/templates/common.yaml
+++ b/cmd/clusterctl/examples/openstack/provider-component/user-data/coreos/templates/common.yaml
@@ -120,6 +120,16 @@ storage:
         id: 0
       group:
         id: 0
+    - path: /etc/certs/cacert
+      filesystem: root
+      contents:
+        inline: !!binary |
+          $OPENSTACK_CLOUD_CACERT_CONFIG
+      mode: 0600
+      user:
+        id: 0
+      group:
+        id: 0
     - path: /etc/modules-load.d/ipvs.conf
       filesystem: root
       contents:
diff --git a/cmd/clusterctl/examples/openstack/provider-component/user-data/coreos/templates/master.yaml b/cmd/clusterctl/examples/openstack/provider-component/user-data/coreos/templates/master.yaml
index 096e17b225..bc7760f625 100644
--- a/cmd/clusterctl/examples/openstack/provider-component/user-data/coreos/templates/master.yaml
+++ b/cmd/clusterctl/examples/openstack/provider-component/user-data/coreos/templates/master.yaml
@@ -31,6 +31,9 @@ storage:
           - name: cloud
             hostPath: "/etc/kubernetes/cloud.conf"
             mountPath: "/etc/kubernetes/cloud.conf"
+          - name: cacert
+            hostPath: "/etc/certs/cacert"
+            mountPath: "/etc/certs/cacert"
         controllerManager:
           extraArgs:
             cluster-cidr: {{ .PodCIDR }}
@@ -42,6 +45,9 @@ storage:
           - name: cloud
             hostPath: "/etc/kubernetes/cloud.conf"
             mountPath: "/etc/kubernetes/cloud.conf"
+          - name: cacert
+            hostPath: "/etc/certs/cacert"
+            mountPath: "/etc/certs/cacert"
     user:
       id: 0
     group:
diff --git a/cmd/clusterctl/examples/openstack/provider-component/user-data/ubuntu/templates/master-user-data.sh b/cmd/clusterctl/examples/openstack/provider-component/user-data/ubuntu/templates/master-user-data.sh
index e1d81c902f..6513de93f5 100644
--- a/cmd/clusterctl/examples/openstack/provider-component/user-data/ubuntu/templates/master-user-data.sh
+++ b/cmd/clusterctl/examples/openstack/provider-component/user-data/ubuntu/templates/master-user-data.sh
@@ -107,6 +107,8 @@ EOF
 
 echo $OPENSTACK_CLOUD_PROVIDER_CONF | base64 -d > /etc/kubernetes/cloud.conf
 chmod 600 /etc/kubernetes/cloud.conf
+mkdir /etc/certs
+echo $OPENSTACK_CLOUD_CACERT_CONFIG | base64 -d > /etc/certs/cacert
 
 systemctl daemon-reload
 systemctl restart kubelet.service
@@ -150,6 +152,10 @@ apiServer:
     mountPath: /etc/kubernetes/cloud.conf
     name: cloud
     readOnly: true
+  - hostPath: "/etc/certs/cacert"
+    mountPath: "/etc/certs/cacert"
+    name: cacert
+    readOnly: true
   timeoutForControlPlane: 4m0s
 certificatesDir: /etc/kubernetes/pki
 clusterName: kubernetes
@@ -166,6 +172,10 @@ controllerManager:
     mountPath: /etc/kubernetes/cloud.conf
     name: cloud
     readOnly: true
+  - hostPath: "/etc/certs/cacert"
+    mountPath: "/etc/certs/cacert"
+    name: cacert
+    readOnly: true
 dns:
   type: CoreDNS
 etcd:
diff --git a/cmd/clusterctl/examples/openstack/provider-component/user-data/ubuntu/templates/worker-user-data.sh b/cmd/clusterctl/examples/openstack/provider-component/user-data/ubuntu/templates/worker-user-data.sh
index 3e8d787b43..461db40e05 100644
--- a/cmd/clusterctl/examples/openstack/provider-component/user-data/ubuntu/templates/worker-user-data.sh
+++ b/cmd/clusterctl/examples/openstack/provider-component/user-data/ubuntu/templates/worker-user-data.sh
@@ -79,6 +79,8 @@ CLUSTER_DNS_SERVER=$(prips ${SERVICE_CIDR} | head -n 11 | tail -n 1)
 
 # Write the cloud.conf so that the kubelet can use it.
 echo $OPENSTACK_CLOUD_PROVIDER_CONF | base64 -d > /etc/kubernetes/cloud.conf
+mkdir /etc/certs
+echo $OPENSTACK_CLOUD_CACERT_CONFIG | base64 -d > /etc/certs/cacert
 
 # Set up kubeadm config file to pass to kubeadm join.
 cat > /etc/kubernetes/kubeadm_config.yaml <<EOF
diff --git a/config/crds/openstackproviderconfig_v1alpha1_openstackclusterproviderspec.yaml b/config/crds/openstackproviderconfig_v1alpha1_openstackclusterproviderspec.yaml
index c060d199b1..de86f2f9e3 100644
--- a/config/crds/openstackproviderconfig_v1alpha1_openstackclusterproviderspec.yaml
+++ b/config/crds/openstackproviderconfig_v1alpha1_openstackclusterproviderspec.yaml
@@ -16,6 +16,10 @@ spec:
       properties:
         apiVersion:
           type: string
+        cloudName:
+          type: string
+        cloudsSecret:
+          type: object
         disableServerTags:
           type: boolean
         dnsNameservers:
@@ -37,6 +41,8 @@ spec:
             type: string
           type: array
       required:
+      - cloudsSecret
+      - cloudName
       - managedSecurityGroups
   version: v1alpha1
 status:
diff --git a/pkg/apis/openstackproviderconfig/v1alpha1/types.go b/pkg/apis/openstackproviderconfig/v1alpha1/types.go
index 28b4b56752..cc0513504f 100644
--- a/pkg/apis/openstackproviderconfig/v1alpha1/types.go
+++ b/pkg/apis/openstackproviderconfig/v1alpha1/types.go
@@ -187,6 +187,12 @@ type OpenstackClusterProviderSpec struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
+	// The name of the secret containing the openstack credentials
+	CloudsSecret *corev1.SecretReference `json:"cloudsSecret"`
+
+	// The name of the cloud to use from the clouds secret
+	CloudName string `json:"cloudName"`
+
 	// NodeCIDR is the OpenStack Subnet to be created. Cluster actuator will create a
 	// network, a subnet with NodeCIDR, and a router connected to this subnet.
 	// If you leave this empty, no network will be created.
diff --git a/pkg/apis/openstackproviderconfig/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/openstackproviderconfig/v1alpha1/zz_generated.deepcopy.go
index ff428a83ea..32cbff367a 100644
--- a/pkg/apis/openstackproviderconfig/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/openstackproviderconfig/v1alpha1/zz_generated.deepcopy.go
@@ -106,6 +106,11 @@ func (in *OpenstackClusterProviderSpec) DeepCopyInto(out *OpenstackClusterProvid
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	if in.CloudsSecret != nil {
+		in, out := &in.CloudsSecret, &out.CloudsSecret
+		*out = new(v1.SecretReference)
+		**out = **in
+	}
 	if in.DNSNameservers != nil {
 		in, out := &in.DNSNameservers, &out.DNSNameservers
 		*out = make([]string, len(*in))
diff --git a/pkg/cloud/openstack/clients/machineservice.go b/pkg/cloud/openstack/clients/machineservice.go
index 5626d04044..8f414be163 100644
--- a/pkg/cloud/openstack/clients/machineservice.go
+++ b/pkg/cloud/openstack/clients/machineservice.go
@@ -17,8 +17,11 @@ limitations under the License.
 package clients
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"fmt"
+	"net/http"
 	"time"
 
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/security/groups"
@@ -53,6 +56,7 @@ import (
 
 const (
 	CloudsSecretKey = "clouds.yaml"
+	CaSecretKey     = "cacert"
 
 	TimeoutTrunkDelete       = 3 * time.Minute
 	RetryIntervalTrunkDelete = 5 * time.Second
@@ -91,34 +95,40 @@ type InstanceListOpts struct {
 	Name string `q:"name"`
 }
 
-func GetCloudFromSecret(kubeClient kubernetes.Interface, namespace string, secretName string, cloudName string) (clientconfig.Cloud, error) {
+func GetCloudFromSecret(kubeClient kubernetes.Interface, namespace string, secretName string, cloudName string) (clientconfig.Cloud, []byte, error) {
 	emptyCloud := clientconfig.Cloud{}
 
 	if secretName == "" {
-		return emptyCloud, nil
+		return emptyCloud, nil, nil
 	}
 
 	if secretName != "" && cloudName == "" {
-		return emptyCloud, fmt.Errorf("Secret name set to %v but no cloud was specified. Please set cloud_name in your machine spec.", secretName)
+		return emptyCloud, nil, fmt.Errorf("Secret name set to %v but no cloud was specified. Please set cloud_name in your machine spec.", secretName)
 	}
 
 	secret, err := kubeClient.CoreV1().Secrets(namespace).Get(secretName, metav1.GetOptions{})
 	if err != nil {
-		return emptyCloud, err
+		return emptyCloud, nil, err
 	}
 
 	content, ok := secret.Data[CloudsSecretKey]
 	if !ok {
-		return emptyCloud, fmt.Errorf("OpenStack credentials secret %v did not contain key %v",
+		return emptyCloud, nil, fmt.Errorf("OpenStack credentials secret %v did not contain key %v",
 			secretName, CloudsSecretKey)
 	}
 	var clouds clientconfig.Clouds
 	err = yaml.Unmarshal(content, &clouds)
 	if err != nil {
-		return emptyCloud, fmt.Errorf("failed to unmarshal clouds credentials stored in secret %v: %v", secretName, err)
+		return emptyCloud, nil, fmt.Errorf("failed to unmarshal clouds credentials stored in secret %v: %v", secretName, err)
 	}
 
-	return clouds.Clouds[cloudName], nil
+	// get cacert
+	cacert, ok := secret.Data[CaSecretKey]
+	if !ok {
+		return emptyCloud, nil, err
+	}
+
+	return clouds.Clouds[cloudName], cacert, nil
 }
 
 // TODO: Eventually we'll have a NewInstanceServiceFromCluster too
@@ -128,25 +138,28 @@ func NewInstanceServiceFromMachine(kubeClient kubernetes.Interface, machine *clu
 		return nil, err
 	}
 	cloud := clientconfig.Cloud{}
+	var cacert []byte
+
 	if machineSpec.CloudsSecret != nil && machineSpec.CloudsSecret.Name != "" {
 		namespace := machineSpec.CloudsSecret.Namespace
 		if namespace == "" {
 			namespace = machine.Namespace
 		}
-		cloud, err = GetCloudFromSecret(kubeClient, namespace, machineSpec.CloudsSecret.Name, machineSpec.CloudName)
+		cloud, cacert, err = GetCloudFromSecret(kubeClient, namespace, machineSpec.CloudsSecret.Name, machineSpec.CloudName)
 		if err != nil {
 			return nil, err
 		}
 	}
-	return NewInstanceServiceFromCloud(cloud)
+	return NewInstanceServiceFromCloud(cloud, cacert)
 }
 
 func NewInstanceService() (*InstanceService, error) {
 	cloud := clientconfig.Cloud{}
-	return NewInstanceServiceFromCloud(cloud)
+	var cacert []byte
+	return NewInstanceServiceFromCloud(cloud, cacert)
 }
 
-func NewInstanceServiceFromCloud(cloud clientconfig.Cloud) (*InstanceService, error) {
+func NewInstanceServiceFromCloud(cloud clientconfig.Cloud, cacert []byte) (*InstanceService, error) {
 	clientOpts := new(clientconfig.ClientOpts)
 	var opts *gophercloud.AuthOptions
 
@@ -165,9 +178,26 @@ func NewInstanceServiceFromCloud(cloud clientconfig.Cloud) (*InstanceService, er
 
 	opts.AllowReauth = true
 
-	provider, err := openstack.AuthenticatedClient(*opts)
+	provider, err := openstack.NewClient(opts.IdentityEndpoint)
+	if err != nil {
+		return nil, fmt.Errorf("create providerClient err: %v", err)
+	}
+
+	config := &tls.Config{}
+	cloudFromYaml, err := clientconfig.GetCloudFromYAML(clientOpts)
+	if cloudFromYaml.CACertFile != "" {
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(cacert)
+		config.RootCAs = caCertPool
+	}
+
+	config.InsecureSkipVerify = *cloudFromYaml.Verify
+	transport := &http.Transport{Proxy: http.ProxyFromEnvironment, TLSClientConfig: config}
+	provider.HTTPClient.Transport = transport
+
+	err = openstack.Authenticate(provider, *opts)
 	if err != nil {
-		return nil, fmt.Errorf("Create providerClient err: %v", err)
+		return nil, fmt.Errorf("providerClient authentication err: %v", err)
 	}
 
 	identityClient, err := openstack.NewIdentityV3(provider, gophercloud.EndpointOpts{
diff --git a/pkg/cloud/openstack/cluster/actuator.go b/pkg/cloud/openstack/cluster/actuator.go
index d581fa3559..f99d9175e9 100644
--- a/pkg/cloud/openstack/cluster/actuator.go
+++ b/pkg/cloud/openstack/cluster/actuator.go
@@ -2,12 +2,20 @@ package cluster
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
+	"net/http"
+
+	"gopkg.in/yaml.v2"
 
 	"github.com/gophercloud/gophercloud"
 	"github.com/gophercloud/gophercloud/openstack"
 	"github.com/gophercloud/utils/openstack/clientconfig"
 	"github.com/pkg/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+
 	"k8s.io/klog"
 	providerv1 "sigs.k8s.io/cluster-api-provider-openstack/pkg/apis/openstackproviderconfig/v1alpha1"
 	providerv1openstack "sigs.k8s.io/cluster-api-provider-openstack/pkg/cloud/openstack"
@@ -15,6 +23,11 @@ import (
 	clusterv1 "sigs.k8s.io/cluster-api/pkg/apis/cluster/v1alpha1"
 )
 
+const (
+	CloudsSecretKey = "clouds.yaml"
+	CaSecretKey     = "cacert"
+)
+
 // Actuator controls cluster related infrastructure.
 type Actuator struct {
 	params providerv1openstack.ActuatorParams
@@ -119,22 +132,105 @@ func (a *Actuator) storeClusterStatus(cluster *clusterv1.Cluster, status *provid
 	return nil
 }
 
+func GetCloudFromSecret(kubeClient kubernetes.Interface, namespace string, secretName string, cloudName string) (clientconfig.Cloud, []byte, error) {
+	emptyCloud := clientconfig.Cloud{}
+
+	if secretName == "" {
+		return emptyCloud, nil, nil
+	}
+
+	if secretName != "" && cloudName == "" {
+		return emptyCloud, nil, fmt.Errorf("Secret name set to %v but no cloud was specified. Please set cloud_name in your machine spec.", secretName)
+	}
+
+	secret, err := kubeClient.CoreV1().Secrets(namespace).Get(secretName, metav1.GetOptions{})
+	if err != nil {
+		return emptyCloud, nil, err
+	}
+
+	content, ok := secret.Data[CloudsSecretKey]
+	if !ok {
+		return emptyCloud, nil, fmt.Errorf("OpenStack credentials secret %v did not contain key %v",
+			secretName, CloudsSecretKey)
+	}
+	var clouds clientconfig.Clouds
+	err = yaml.Unmarshal(content, &clouds)
+	if err != nil {
+		return emptyCloud, nil, fmt.Errorf("failed to unmarshal clouds credentials stored in secret %v: %v", secretName, err)
+	}
+
+	// get cacert
+	cacert, ok := secret.Data[CaSecretKey]
+	if !ok {
+		return emptyCloud, nil, err
+	}
+
+	return clouds.Clouds[cloudName], cacert, nil
+}
+
 // getNetworkClient returns an gophercloud.ServiceClient provided by openstack.NewNetworkV2
 // TODO(chrigl) currently ignoring cluster, but in the future we might store OS-Credentials
 // as secrets referenced by the cluster.
 // See https://github.com/kubernetes-sigs/cluster-api-provider-openstack/pull/136
 func (a *Actuator) getNetworkClient(cluster *clusterv1.Cluster) (*gophercloud.ServiceClient, error) {
+	kubeClient := a.params.KubeClient
+	clusterSpec, err := providerv1.ClusterSpecFromProviderSpec(cluster.Spec.ProviderSpec)
+	if err != nil {
+		return nil, errors.Errorf("failed to load cluster provider spec: %v", err)
+	}
+	cloud := clientconfig.Cloud{}
+	var cacert []byte
+
+	if clusterSpec.CloudsSecret != nil && clusterSpec.CloudsSecret.Name != "" {
+		namespace := clusterSpec.CloudsSecret.Namespace
+		if namespace == "" {
+			namespace = cluster.Namespace
+		}
+		cloud, cacert, err = GetCloudFromSecret(kubeClient, namespace, clusterSpec.CloudsSecret.Name, clusterSpec.CloudName)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	clientOpts := new(clientconfig.ClientOpts)
-	opts, err := clientconfig.AuthOptions(clientOpts)
+	var opts *gophercloud.AuthOptions
+
+	if cloud.AuthInfo != nil {
+		clientOpts.AuthInfo = cloud.AuthInfo
+		clientOpts.AuthType = cloud.AuthType
+		clientOpts.Cloud = cloud.Cloud
+		clientOpts.RegionName = cloud.RegionName
+	}
+
+	opts, err = clientconfig.AuthOptions(clientOpts)
 	if err != nil {
 		return nil, err
 	}
 
-	provider, err := openstack.AuthenticatedClient(*opts)
+	opts.AllowReauth = true
+
+	provider, err := openstack.NewClient(opts.IdentityEndpoint)
 	if err != nil {
 		return nil, fmt.Errorf("create providerClient err: %v", err)
 	}
 
+	config := &tls.Config{}
+	cloudFromYaml, err := clientconfig.GetCloudFromYAML(clientOpts)
+	if cloudFromYaml.CACertFile != "" {
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(cacert)
+		config.RootCAs = caCertPool
+	}
+
+	config.InsecureSkipVerify = *cloudFromYaml.Verify
+	transport := &http.Transport{Proxy: http.ProxyFromEnvironment, TLSClientConfig: config}
+	provider.HTTPClient.Transport = transport
+
+	err = openstack.Authenticate(provider, *opts)
+	if err != nil {
+		return nil, fmt.Errorf("providerClient authentication err: %v", err)
+	}
+
 	client, err := openstack.NewNetworkV2(provider, gophercloud.EndpointOpts{
 		Region: clientOpts.RegionName,
 	})