From 38b2698e97384adabe44e3f7176f4b9e41f44e1a Mon Sep 17 00:00:00 2001
From: Ricardo Rocha <rocha.porto@gmail.com>
Date: Mon, 16 Jul 2018 15:24:21 +0200
Subject: [PATCH] [cern] [k8s] Add embed certs to config
cherry-picked from: https://review.openstack.org/#/c/582955/
Add embed certs to kubernetes config file to cluster config
Add option --output-certs to cluster config enabling the output of the
certificates files (ca, key, cert). This is for compatibility with tools
that require the certificates in separate files.
Change-Id: I595d243bc9f30d813af06aad46a9037afe383ab5
Story: 1774643
Task: 21668
---
magnumclient/common/utils.py | 30 ++++++++++++++++++------------
magnumclient/osc/v1/clusters.py | 26 +++++++++++++++++---------
2 files changed, 35 insertions(+), 21 deletions(-)
diff --git a/magnumclient/common/utils.py b/magnumclient/common/utils.py
index af5642f..99676da 100644
--- a/magnumclient/common/utils.py
+++ b/magnumclient/common/utils.py
@@ -15,6 +15,7 @@
# License for the specific language governing permissions and limitations
# under the License.
+import base64
import json
import os
@@ -158,21 +159,23 @@ def handle_json_from_file(json_arg):
return json_arg
-def config_cluster(cluster, cluster_template, cfg_dir, force=False):
+def config_cluster(cluster, cluster_template, cfg_dir, force=False,
+ certs=None):
"""Return and write configuration for the given cluster."""
if cluster_template.coe == 'kubernetes':
- return _config_cluster_kubernetes(cluster, cluster_template,
- cfg_dir, force)
+ return _config_cluster_kubernetes(cluster, cluster_template, cfg_dir,
+ force, certs)
elif (cluster_template.coe == 'swarm'
or cluster_template.coe == 'swarm-mode'):
- return _config_cluster_swarm(cluster, cluster_template, cfg_dir, force)
+ return _config_cluster_swarm(cluster, cluster_template, cfg_dir,
+ force, certs)
-def _config_cluster_kubernetes(cluster, cluster_template,
- cfg_dir, force=False):
+def _config_cluster_kubernetes(cluster, cluster_template, cfg_dir,
+ force=False, certs=None):
"""Return and write configuration for the given kubernetes cluster."""
cfg_file = "%s/config" % cfg_dir
- if cluster_template.tls_disabled:
+ if cluster_template.tls_disabled or certs is None:
cfg = ("apiVersion: v1\n"
"clusters:\n"
"- cluster:\n"
@@ -193,7 +196,7 @@ def _config_cluster_kubernetes(cluster, cluster_template,
cfg = ("apiVersion: v1\n"
"clusters:\n"
"- cluster:\n"
- " certificate-authority: %(cfg_dir)s/ca.pem\n"
+ " certificate-authority-data: %(ca)s\n"
" server: %(api_address)s\n"
" name: %(name)s\n"
"contexts:\n"
@@ -207,11 +210,13 @@ def _config_cluster_kubernetes(cluster, cluster_template,
"users:\n"
"- name: admin\n"
" user:\n"
- " client-certificate: %(cfg_dir)s/cert.pem\n"
- " client-key: %(cfg_dir)s/key.pem\n"
+ " client-certificate-data: %(cert)s\n"
+ " client-key-data: %(key)s\n"
% {'name': cluster.name,
'api_address': cluster.api_address,
- 'cfg_dir': cfg_dir})
+ 'key': base64.b64encode(certs['key']),
+ 'cert': base64.b64encode(certs['cert']),
+ 'ca': base64.b64encode(certs['ca'])})
if os.path.exists(cfg_file) and not force:
raise exc.CommandError("File %s exists, aborting." % cfg_file)
@@ -225,7 +230,8 @@ def _config_cluster_kubernetes(cluster, cluster_template,
return "export KUBECONFIG=%s\n" % cfg_file
-def _config_cluster_swarm(cluster, cluster_template, cfg_dir, force=False):
+def _config_cluster_swarm(cluster, cluster_template, cfg_dir,
+ force=False, certs=None):
"""Return and write configuration for the given swarm cluster."""
tls = "" if cluster_template.tls_disabled else True
if 'csh' in os.environ['SHELL']:
diff --git a/magnumclient/osc/v1/clusters.py b/magnumclient/osc/v1/clusters.py
index c6857b7..8e85b96 100644
--- a/magnumclient/osc/v1/clusters.py
+++ b/magnumclient/osc/v1/clusters.py
@@ -293,6 +293,12 @@ class ConfigCluster(command.Command):
dest='force',
default=False,
help=_('Overwrite files if existing.'))
+ parser.add_argument(
+ '--output-certs',
+ action='store_true',
+ dest='output_certs',
+ default=False,
+ help=_('Output certificates in separate files.'))
return parser
@@ -319,21 +325,23 @@ class ConfigCluster(command.Command):
'cluster_uuid': cluster.uuid,
}
+ tls = None
if not cluster_template.tls_disabled:
tls = magnum_utils.generate_csr_and_key()
tls['ca'] = mag_client.certificates.get(**opts).pem
opts['csr'] = tls['csr']
tls['cert'] = mag_client.certificates.create(**opts).pem
- for k in ('key', 'cert', 'ca'):
- fname = "%s/%s.pem" % (parsed_args.dir, k)
- if os.path.exists(fname) and not parsed_args.force:
- raise Exception("File %s exists, aborting." % fname)
- else:
- f = open(fname, "w")
- f.write(tls[k])
- f.close()
+ if parsed_args.output_certs:
+ for k in ('key', 'cert', 'ca'):
+ fname = "%s/%s.pem" % (parsed_args.dir, k)
+ if os.path.exists(fname) and not parsed_args.force:
+ raise Exception("File %s exists, aborting." % fname)
+ else:
+ with open(fname, "w") as f:
+ f.write(tls[k])
print(magnum_utils.config_cluster(cluster,
cluster_template,
parsed_args.dir,
- force=parsed_args.force))
+ force=parsed_args.force,
+ certs=tls))
--
GitLab