Support keystone with certificate

[hidekazuna]

What this PR does / why we need it:

This PR supports keystone endpoint with certificate by the following clouds.yaml with cacert key.

clouds:
  openstack:
    auth:
      auth_url: https://yourauthurl:5000/v3
      username: foo
      password: bar
      project_id: foobar123
      project_name: foobar
      user_domain_name: "Default"
    cacert: /path/to/cacertfile
    region_name: "Region_1"
    interface: "public"
    identity_api_version: 3

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #209

Special notes for your reviewer:

1. Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

Release note:

[k8s-ci-robot]

Hi @hidekazuna. Thanks for your PR.

I'm waiting for a kubernetes-sigs or kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jichenjc]

/ok-to-test

[jichenjc]

forgive me if I misunderstand something here.. I believe https need ca and http doesn't need it
from context we are requesting that to be mandatory https ,maybe I missed something?

[hidekazuna]

Yes, you are right. I should have update code https is not mandatory. I will fix.

[hidekazuna]

Fixed in the following commit: 192e70c

[jichenjc]

this should be problem if cacert doesn't exist...

[hidekazuna]

Fixed in the following commit: 192e70c

[chrigl]

I am thinking about the mounted caFile here. In theory, the entire code allows us to use a separate clouds.yaml per machine. But it is only possible to pass in a caFile for all machines.

How about extending the cloud-config secret with another field for the contents of the caFile.... and create a separate x509.CertPool from this secret?

I think it would be ok to extend the cloud-config secret, because it relates directly to the clouds.yaml, rather than having a separate secret.

[jichenjc]

@hidekazuna @gyliu513 provided this to me
master...cdc1807:cacert-auth

I think we can try to refer to this one, at least it works for me now on a https openstack and I think we can use secret to replace the CACERT in the commit diff

[hidekazuna]

@jichenjc Thanks advice.
I updated like this: 672c5af#diff-6f1595bb05179a80513b3baba49fbaf1R58
I noticed I need to update getNetworkClient function in pkg/cloud/openstack/cluster/actuator.go.
But I wonder how to fix this function as well. Could you advice?

[jichenjc]

I might need more time to figure out but FYI https://github.com/kubernetes/cloud-provider-openstack has a set of https handling including network, maybe we can refer to their implementation @hidekazuna

[hidekazuna]

@chrigl @jichenjc getNetworkClient is the method of Actuator in cluster package and it's augment is *clusterv1.Cluster. We can not secrets from Actuator nor clusterv1.Cluster. I thinks this is from design issue.
Since we have to create a CA file for using OpenStack Cloud provider anyway, can't we make a compromise to use CA file?

[jichenjc]

I am not aware clusterv1 can't use secrets from Actuator, ... but conceptually yes, if you want to sync cluster to create network, apparently we need CA in order to connect to openstack, so I think it's mandatory to use CA in actuator, can we define in openstackclusterspec for this ? @hidekazuna

[hidekazuna]

@jichenjc Thanks, now I am trying to update.

[hidekazuna]

@jichenjc I updated by 0bf8a1b

[morvencao]

/cc

[k8s-ci-robot]

@morvencao: GitHub didn't allow me to request PR reviews from the following users: morvencao.

Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[hchenxa]

@gyliu513 @jichenjc , I create create the VM with cacert now.

[gyliu513]

Thanks @hchenxa

/lgtm

/cc @jichenjc @chrigl

[jichenjc]

Just curious
this is only for ubuntu, do we have a centos version? I didn't see it ...

[hidekazuna]

Thanks added this for centos.

[jichenjc]

you updated centos and ubuntu
but how about coreos ? I didn't see the change ,maybe a follow up??

[hidekazuna]

I Updated files for coreos.

[jichenjc]

thanks @hchenxa and @hidekazuna
I think we may leave this for a few days to get some opinion then we can merge it

in addition, I had some comments above, can you help to take a look @hidekazuna ? thank you

[gyliu513]

@hidekazuna make generate_yaml_test failed, can you help check?

mv kustomize_1.0.11_linux_amd64 /usr/local/bin/kustomize
chmod +x /usr/local/bin/kustomize
# Create a dummy file for test only
echo 'clouds' > dummy-clouds-test.yaml
cmd/clusterctl/examples/openstack/generate-yaml.sh -f dummy-clouds-test.yaml openstack ubuntu dummy-make-auto-test
Generating SSH key files for machine controller.
Generating public/private rsa key pair.
Created directory '/root/.ssh'.
Your identification has been saved in /root/.ssh/openstack_tmp.
Your public key has been saved in /root/.ssh/openstack_tmp.pub.
The key fingerprint is:
SHA256:L90G006kSqwbMxM0lT0drVo+4bXNMIGj7bsPZaG91j8 root@5807cc27-67fb-11e9-be50-0a580a6c05bf
The key's randomart image is:
+---[RSA 2048]----+
|        .o ..+   |
|       .. o + o  |
|      o    +.o.. |
|     . o  .+=o+. |
|      . S +*+o+* |
|       + +.*=o.oo|
|      * o o =oo .|
|       * . ..o E.|
|      .     .o. o|
+----[SHA256]-----+
cat: null: No such file or directory
Makefile:78: recipe for target 'generate_yaml_test' failed
make: *** [generate_yaml_test] Error 1
+ EXIT_VALUE=2
+ set +o xtrace

[hidekazuna]

/test pull-cluster-api-provider-openstack-test

[jichenjc]

copy the link I added in the slack channel :)

@hidekazuna the #224 failed with a new test I added recently #322, at least it works when I submit the PR with my local stuffs and gate, please let me know whether some edge case triggered by your PR and any info needed by me ,thanks

[jichenjc]

/lgtm

[jichenjc]

I think we are ready for this one, as the @hchenxa already tested it

[gyliu513]

LGTM

Leave this to @chrigl for approve.

[gyliu513]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gyliu513, hidekazuna

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [gyliu513]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment