From 38b2698e97384adabe44e3f7176f4b9e41f44e1a Mon Sep 17 00:00:00 2001
From: Ricardo Rocha <rocha.porto@gmail.com>
Date: Mon, 16 Jul 2018 15:24:21 +0200
Subject: [PATCH] [cern] [k8s] Add embed certs to config

cherry-picked from: https://review.openstack.org/#/c/582955/

Add embed certs to kubernetes config file to cluster config

Add option --output-certs to cluster config enabling the output of the
certificates files (ca, key, cert). This is for compatibility with tools
that require the certificates in separate files.

Change-Id: I595d243bc9f30d813af06aad46a9037afe383ab5
Story: 1774643
Task: 21668
---
 magnumclient/common/utils.py    | 30 ++++++++++++++++++------------
 magnumclient/osc/v1/clusters.py | 26 +++++++++++++++++---------
 2 files changed, 35 insertions(+), 21 deletions(-)

diff --git a/magnumclient/common/utils.py b/magnumclient/common/utils.py
index af5642f..99676da 100644
--- a/magnumclient/common/utils.py
+++ b/magnumclient/common/utils.py
@@ -15,6 +15,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import base64
 import json
 import os
 
@@ -158,21 +159,23 @@ def handle_json_from_file(json_arg):
     return json_arg
 
 
-def config_cluster(cluster, cluster_template, cfg_dir, force=False):
+def config_cluster(cluster, cluster_template, cfg_dir, force=False,
+                   certs=None):
     """Return and write configuration for the given cluster."""
     if cluster_template.coe == 'kubernetes':
-        return _config_cluster_kubernetes(cluster, cluster_template,
-                                          cfg_dir, force)
+        return _config_cluster_kubernetes(cluster, cluster_template, cfg_dir,
+                                          force, certs)
     elif (cluster_template.coe == 'swarm'
           or cluster_template.coe == 'swarm-mode'):
-        return _config_cluster_swarm(cluster, cluster_template, cfg_dir, force)
+        return _config_cluster_swarm(cluster, cluster_template, cfg_dir,
+                                     force, certs)
 
 
-def _config_cluster_kubernetes(cluster, cluster_template,
-                               cfg_dir, force=False):
+def _config_cluster_kubernetes(cluster, cluster_template, cfg_dir,
+                               force=False, certs=None):
     """Return and write configuration for the given kubernetes cluster."""
     cfg_file = "%s/config" % cfg_dir
-    if cluster_template.tls_disabled:
+    if cluster_template.tls_disabled or certs is None:
         cfg = ("apiVersion: v1\n"
                "clusters:\n"
                "- cluster:\n"
@@ -193,7 +196,7 @@ def _config_cluster_kubernetes(cluster, cluster_template,
         cfg = ("apiVersion: v1\n"
                "clusters:\n"
                "- cluster:\n"
-               "    certificate-authority: %(cfg_dir)s/ca.pem\n"
+               "    certificate-authority-data: %(ca)s\n"
                "    server: %(api_address)s\n"
                "  name: %(name)s\n"
                "contexts:\n"
@@ -207,11 +210,13 @@ def _config_cluster_kubernetes(cluster, cluster_template,
                "users:\n"
                "- name: admin\n"
                "  user:\n"
-               "    client-certificate: %(cfg_dir)s/cert.pem\n"
-               "    client-key: %(cfg_dir)s/key.pem\n"
+               "    client-certificate-data: %(cert)s\n"
+               "    client-key-data: %(key)s\n"
                % {'name': cluster.name,
                   'api_address': cluster.api_address,
-                  'cfg_dir': cfg_dir})
+                  'key': base64.b64encode(certs['key']),
+                  'cert': base64.b64encode(certs['cert']),
+                  'ca': base64.b64encode(certs['ca'])})
 
     if os.path.exists(cfg_file) and not force:
         raise exc.CommandError("File %s exists, aborting." % cfg_file)
@@ -225,7 +230,8 @@ def _config_cluster_kubernetes(cluster, cluster_template,
         return "export KUBECONFIG=%s\n" % cfg_file
 
 
-def _config_cluster_swarm(cluster, cluster_template, cfg_dir, force=False):
+def _config_cluster_swarm(cluster, cluster_template, cfg_dir,
+                          force=False, certs=None):
     """Return and write configuration for the given swarm cluster."""
     tls = "" if cluster_template.tls_disabled else True
     if 'csh' in os.environ['SHELL']:
diff --git a/magnumclient/osc/v1/clusters.py b/magnumclient/osc/v1/clusters.py
index c6857b7..8e85b96 100644
--- a/magnumclient/osc/v1/clusters.py
+++ b/magnumclient/osc/v1/clusters.py
@@ -293,6 +293,12 @@ class ConfigCluster(command.Command):
             dest='force',
             default=False,
             help=_('Overwrite files if existing.'))
+        parser.add_argument(
+            '--output-certs',
+            action='store_true',
+            dest='output_certs',
+            default=False,
+            help=_('Output certificates in separate files.'))
 
         return parser
 
@@ -319,21 +325,23 @@ class ConfigCluster(command.Command):
             'cluster_uuid': cluster.uuid,
         }
 
+        tls = None
         if not cluster_template.tls_disabled:
             tls = magnum_utils.generate_csr_and_key()
             tls['ca'] = mag_client.certificates.get(**opts).pem
             opts['csr'] = tls['csr']
             tls['cert'] = mag_client.certificates.create(**opts).pem
-            for k in ('key', 'cert', 'ca'):
-                fname = "%s/%s.pem" % (parsed_args.dir, k)
-                if os.path.exists(fname) and not parsed_args.force:
-                    raise Exception("File %s exists, aborting." % fname)
-                else:
-                    f = open(fname, "w")
-                    f.write(tls[k])
-                    f.close()
+            if parsed_args.output_certs:
+                for k in ('key', 'cert', 'ca'):
+                    fname = "%s/%s.pem" % (parsed_args.dir, k)
+                    if os.path.exists(fname) and not parsed_args.force:
+                        raise Exception("File %s exists, aborting." % fname)
+                    else:
+                        with open(fname, "w") as f:
+                            f.write(tls[k])
 
         print(magnum_utils.config_cluster(cluster,
                                           cluster_template,
                                           parsed_args.dir,
-                                          force=parsed_args.force))
+                                          force=parsed_args.force,
+                                          certs=tls))
-- 
GitLab