feat: add magnum certs

vexxhost · Oct 21, 2022 · 19cccb6 · 19cccb6
1 parent 62b89f0
commit 19cccb6
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,6 @@
 
 
 TODO:
-- Use Magnum certs - https://cluster-api.sigs.k8s.io/tasks/certs/using-custom-certificates.html
 - audit all labels + options to make sure it works
 - csi
 - autohealing

diff --git a/magnum_cluster_api/driver.py b/magnum_cluster_api/driver.py
@@ -57,6 +57,11 @@ def create_cluster(self, context, cluster, cluster_create_timeout):
             k8s, cluster, osc.auth_url, osc.cinder_region_name(), credential
         ).apply()
 
+        resources.ApiCertificateAuthoritySecret(k8s, cluster).apply()
+        resources.EtcdCertificateAuthoritySecret(k8s, cluster).apply()
+        resources.FrontProxyCertificateAuthoritySecret(k8s, cluster).apply()
+        resources.ServiceAccountCertificateAuthoritySecret(k8s, cluster).apply()
+
         for node_group in cluster.nodegroups:
             self.create_nodegroup(context, cluster, node_group, credential=credential)
 
@@ -86,8 +91,10 @@ def update_cluster_status(self, context, cluster, use_admin_ctx=False):
             # container_version
             # health_status_reason
 
-            if status_map.get("ControlPlaneReady") == "True":
-                cluster.api_address = f"https://{capi_cluster.obj['spec']['controlPlaneEndpoint']['host']}:{capi_cluster.obj['spec']['controlPlaneEndpoint']['port']}"
+            if status_map.get("ControlPlaneReady") != "True":
+                return
+
+            cluster.api_address = f"https://{capi_cluster.obj['spec']['controlPlaneEndpoint']['host']}:{capi_cluster.obj['spec']['controlPlaneEndpoint']['port']}"
 
             for node_group in cluster.nodegroups:
                 ng = self.update_nodegroup_status(context, cluster, node_group)
@@ -123,7 +130,12 @@ def update_cluster_status(self, context, cluster, use_admin_ctx=False):
                 ).delete()
             except keystoneauth1.exceptions.http.NotFound:
                 pass
+
             resources.CloudConfigSecret(k8s, cluster).delete()
+            resources.ApiCertificateAuthoritySecret(k8s, cluster).delete()
+            resources.EtcdCertificateAuthoritySecret(k8s, cluster).delete()
+            resources.FrontProxyCertificateAuthoritySecret(k8s, cluster).delete()
+            resources.ServiceAccountCertificateAuthoritySecret(k8s, cluster).delete()
 
             cluster.status = objects.fields.ClusterStatus.DELETE_COMPLETE
             cluster.save()

diff --git a/magnum_cluster_api/resources.py b/magnum_cluster_api/resources.py
@@ -10,7 +10,10 @@
 from oslo_serialization import base64
 
 from magnum_cluster_api import objects
+from magnum.common.x509 import operations as x509
 from magnum.common import neutron
+from magnum.common import cert_manager
+from oslo_utils import encodeutils
 
 KUBE_TAG = "v1.25.3"
 CLOUD_PROVIDER_TAG = "v1.25.3"
@@ -206,6 +209,56 @@ def get_object(self) -> objects.ClusterResourceSet:
         )
 
 
+class CertificateAuthoritySecret(ClusterBase):
+    def get_object(self) -> pykube.Secret:
+        ca_cert = cert_manager.get_backend().CertManager.get_cert(
+            getattr(self.cluster, self.REF),
+            resource_ref=self.cluster.uuid,
+        )
+
+        return pykube.Secret(
+            self.api,
+            {
+                "apiVersion": pykube.Secret.version,
+                "kind": pykube.Secret.kind,
+                "type": "kubernetes.io/tls",
+                "metadata": {
+                    "name": f"{name_from_cluster(self.cluster)}-{self.CERT}",
+                    "namespace": "magnum-system",
+                },
+                "stringData": {
+                    "tls.crt": encodeutils.safe_decode(ca_cert.get_certificate()),
+                    "tls.key": encodeutils.safe_decode(
+                        x509.decrypt_key(
+                            ca_cert.get_private_key(),
+                            ca_cert.get_private_key_passphrase()
+                        )
+                    ),
+                },
+            },
+        )
+
+
+class ApiCertificateAuthoritySecret(CertificateAuthoritySecret):
+    CERT = "ca"
+    REF = "ca_cert_ref"
+
+
+class EtcdCertificateAuthoritySecret(CertificateAuthoritySecret):
+    CERT = "etcd"
+    REF = "etcd_ca_cert_ref"
+
+
+class FrontProxyCertificateAuthoritySecret(CertificateAuthoritySecret):
+    CERT = "proxy"
+    REF = "front_proxy_ca_cert_ref"
+
+
+class ServiceAccountCertificateAuthoritySecret(CertificateAuthoritySecret):
+    CERT = "sa"
+    REF = "magnum_cert_ref"
+
+
 class CloudConfigSecret(ClusterBase):
     def __init__(
         self,
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,7 +2,6 @@ @@
     TODO:
-    - Use Magnum certs - https://cluster-api.sigs.k8s.io/tasks/certs/using-custom-certificates.html
     - audit all labels + options to make sure it works
     - csi
     - autohealing
@@ Expand Down @@