feat: Support endpoint configuration for cluster-api (#211)

* feat: Support endpoint configuration for cluster-api * Fix lint errors * Add missing dep --------- Co-authored-by: Mohammed Naser <mnaser@vexxhost.com>
vexxhost · Oct 2, 2023 · 8a5ffac · 8a5ffac
1 parent 963ce70
commit 8a5ffac
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 12 deletions.
diff --git a/docs/user/configs.md b/docs/user/configs.md
@@ -88,3 +88,23 @@ Options under this group are used for configuring Manila client.
 :   If set, then the server's certificate will not be verified.
     **Type**: `boolean`
     **Default value**: `False`
+
+## capi_client
+Options under this group are used for configuring Openstack authentication for CAPO.
+
+`endpoint_type`
+
+:   Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
+    **Type**: `string`
+    **Default value**: `publicURL`
+
+`ca_file`
+
+:   Optional CA cert file to use in SSL connections.
+    **Type**: `string`
+
+`insecure`
+
+:   If set, then the server's certificate will not be verified.
+    **Type**: `boolean`
+    **Default value**: `False`
diff --git a/magnum_cluster_api/conf.py b/magnum_cluster_api/conf.py
@@ -17,6 +17,10 @@
 
 auto_scaling_group = cfg.OptGroup(name="auto_scaling", title="Options for auto scaling")
 
+capi_client_group = cfg.OptGroup(
+    name="capi_client", title="Options for the Cluster API client"
+)
+
 manila_client_group = cfg.OptGroup(
     name="manila_client", title="Options for the Manila client"
 )
@@ -61,6 +65,18 @@
 ]
 
 
+capi_client_opts = [
+    cfg.StrOpt(
+        "endpoint_type",
+        default="publicURL",
+        help=_(
+            "Type of endpoint in Identity service catalog to use "
+            "for communication with the OpenStack service."
+        ),
+    ),
+]
+
+
 manila_client_opts = [
     cfg.StrOpt(
         "region_name",
@@ -100,7 +116,10 @@
 
 CONF = cfg.CONF
 CONF.register_group(auto_scaling_group)
+CONF.register_group(capi_client_group)
 CONF.register_group(manila_client_group)
 CONF.register_opts(auto_scaling_opts, group=auto_scaling_group)
+CONF.register_opts(capi_client_opts, group=capi_client_group)
+CONF.register_opts(common_security_opts, group=capi_client_group)
 CONF.register_opts(manila_client_opts, group=manila_client_group)
 CONF.register_opts(common_security_opts, group=manila_client_group)
diff --git a/magnum_cluster_api/driver.py b/magnum_cluster_api/driver.py
@@ -44,9 +44,9 @@ def create_cluster(self, context, cluster, cluster_create_timeout):
         )
 
         resources.CloudConfigSecret(
+            context,
             self.k8s_api,
             cluster,
-            osc.url_for(service_type="identity", interface="public"),
             osc.cinder_region_name(),
             credential,
         ).apply()

diff --git a/magnum_cluster_api/resources.py b/magnum_cluster_api/resources.py
@@ -24,7 +24,6 @@
 import yaml
 from magnum import objects as magnum_objects
 from magnum.common import context, neutron
-from magnum.common import utils as magnum_utils
 from magnum.common.cert_manager import cert_manager
 from magnum.common.x509 import operations as x509
 from magnum.conductor.handlers.common import cert_manager as cert_manager_handlers
@@ -260,6 +259,7 @@ def get_object(self) -> pykube.ConfigMap:
                                 "namespace": "kube-system",
                             },
                             "stringData": utils.generate_manila_csi_cloud_config(
+                                self.context,
                                 self.api,
                                 self.cluster,
                             ),
@@ -472,19 +472,24 @@ def get_certificate(self) -> cert_manager.Cert:
 class CloudConfigSecret(ClusterBase):
     def __init__(
         self,
+        context: context.RequestContext,
         api: pykube.HTTPClient,
         cluster: any,
-        auth_url: str = None,
         region_name: str = None,
         credential: any = types.SimpleNamespace(id=None, secret=None),
     ):
         super().__init__(api, cluster)
-        self.auth_url = auth_url
+        self.context = context
+        osc = clients.get_openstack_api(self.context)
+        self.auth_url = osc.url_for(
+            service_type="identity",
+            interface=CONF.capi_client.endpoint_type.replace("URL", ""),
+        )
         self.region_name = region_name
         self.credential = credential
 
     def get_object(self) -> pykube.Secret:
-        ca_certificate = magnum_utils.get_openstack_ca()
+        ca_certificate = utils.get_capi_client_ca_cert()
 
         return pykube.Secret(
             self.api,
@@ -507,11 +512,11 @@ def get_object(self) -> pykube.Secret:
                             "clouds": {
                                 "default": {
                                     "region_name": self.region_name,
-                                    "interface": CONF.nova_client.endpoint_type.replace(
+                                    "interface": CONF.capi_client.endpoint_type.replace(
                                         "URL", ""
                                     ),
                                     "identity_api_version": 3,
-                                    "verify": CONF.drivers.verify_ca,
+                                    "verify": not CONF.capi_client.insecure,
                                     "auth": {
                                         "auth_url": self.auth_url,
                                         "application_credential_id": self.credential.id,
@@ -1901,7 +1906,7 @@ def get_object(self) -> objects.Cluster:
                                 "name": "cloudControllerManagerConfig",
                                 "value": base64.encode_as_text(
                                     utils.generate_cloud_controller_manager_config(
-                                        self.api, self.cluster
+                                        self.context, self.api, self.cluster
                                     )
                                 ),
                             },

diff --git a/magnum_cluster_api/utils.py b/magnum_cluster_api/utils.py
@@ -23,6 +23,7 @@
 from magnum.api import attr_validator
 from magnum.common import context, exception, octavia
 from magnum.common import utils as magnum_utils
+from oslo_config import cfg
 from oslo_serialization import base64
 from oslo_utils import strutils
 from tenacity import retry, retry_if_exception_type
@@ -32,6 +33,7 @@
 from magnum_cluster_api import image_utils, images, objects
 
 AVAILABLE_OPERATING_SYSTEMS = ["ubuntu", "flatcar"]
+CONF = cfg.CONF
 
 
 def get_cluster_api_cloud_config_secret_name(cluster: magnum_objects.Cluster) -> str:
@@ -81,14 +83,27 @@ def get_cloud_ca_cert() -> str:
     return magnum_utils.get_openstack_ca()
 
 
+def get_capi_client_ca_cert() -> str:
+    ca_file = CONF.capi_client.ca_file
+
+    if ca_file:
+        with open(ca_file) as fd:
+            return fd.read()
+    else:
+        return ""
+
+
 def generate_cloud_controller_manager_config(
+    ctx: context.RequestContext,
     api: pykube.HTTPClient,
     cluster: magnum_objects.Cluster,
 ) -> str:
     """
     Generate coniguration for openstack-cloud-controller-manager if it does
     already exist.
     """
+
+    osc = clients.get_openstack_api(ctx)
     data = pykube.Secret.objects(api, namespace="magnum-system").get_by_name(
         get_cluster_api_cloud_config_secret_name(cluster)
     )
@@ -98,39 +113,41 @@ def generate_cloud_controller_manager_config(
     return textwrap.dedent(
         f"""\
         [Global]
-        auth-url={cloud_config["clouds"]["default"]["auth"]["auth_url"]}
+        auth-url={osc.url_for(service_type="identity", interface="public")}
         region={cloud_config["clouds"]["default"]["region_name"]}
         application-credential-id={cloud_config["clouds"]["default"]["auth"]["application_credential_id"]}
         application-credential-secret={cloud_config["clouds"]["default"]["auth"]["application_credential_secret"]}
-        tls-insecure={"false" if cloud_config["clouds"]["default"]["verify"] else "true"}
+        tls-insecure={"false" if CONF.drivers.verify_ca else "true"}
         {"ca-file=/etc/config/ca.crt" if get_cloud_ca_cert() else ""}
         """
     )
 
 
 def generate_manila_csi_cloud_config(
+    ctx: context.RequestContext,
     api: pykube.HTTPClient,
     cluster: magnum_objects.Cluster,
 ) -> str:
     """
     Generate coniguration of Openstack authentication  for manila csi
     """
+    osc = clients.get_openstack_api(ctx)
     data = pykube.Secret.objects(api, namespace="magnum-system").get_by_name(
         get_cluster_api_cloud_config_secret_name(cluster)
     )
     clouds_yaml = base64.decode_as_text(data.obj["data"]["clouds.yaml"])
     cloud_config = yaml.safe_load(clouds_yaml)
 
     return {
-        "os-authURL": cloud_config["clouds"]["default"]["auth"]["auth_url"],
+        "os-authURL": osc.url_for(service_type="identity", interface="public"),
         "os-region": cloud_config["clouds"]["default"]["region_name"],
         "os-applicationCredentialID": cloud_config["clouds"]["default"]["auth"][
             "application_credential_id"
         ],
         "os-applicationCredentialSecret": cloud_config["clouds"]["default"]["auth"][
             "application_credential_secret"
         ],
-        "os-TLSInsecure": "false"
+        "os-TLSInsecure": {"false" if CONF.drivers.verify_ca else "true"}
         if cloud_config["clouds"]["default"]["verify"]
         else "true",
         "os-certAuthorityPath": "/etc/config/ca.crt",