Merge pull request #40 from rgolangh/handle_ca_bundle

Bug 1794313: Some cluster operators fail to come up because RHV CA is not trusted by a pod

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef // indirect
 	github.com/openshift/cluster-api v0.0.0-20191030113141-9a3a7bbe9258
 
-	github.com/ovirt/go-ovirt v0.0.0-20200214015642-90013aa942c3
+	github.com/ovirt/go-ovirt v0.0.0-20200313072907-d30f754823a6
 	github.com/pkg/errors v0.8.1
 	k8s.io/api v0.0.0-20190918155943-95b840bb6a1f
 	k8s.io/apimachinery v0.0.0-20190913080033-27d36303b655

go.sum

@@ -207,8 +207,8 @@ github.com/onsi/gomega v1.5.0 h1:izbySO9zDPmjJ8rDjLvkA2zJHIo+HkYXHnf7eN7SSyo=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/openshift/cluster-api v0.0.0-20191030113141-9a3a7bbe9258 h1:xwws9WAUtMqrT6APUytx76PLDsSwbxl+m7cfRA0YyBE=
 github.com/openshift/cluster-api v0.0.0-20191030113141-9a3a7bbe9258/go.mod h1:T18COkr6nLh9RyZKPMP7YjnwBME7RX8P2ar1SQbBltM=
-github.com/ovirt/go-ovirt v0.0.0-20200214015642-90013aa942c3 h1:K89bdr853JXERYuP9zEgV6ZFpGkzfHUQ4ifw1pfxjT4=
-github.com/ovirt/go-ovirt v0.0.0-20200214015642-90013aa942c3/go.mod h1:fLDxPk1Sf64DBYtwIYxrnx3gPZ1q0xPdWdI1y9vxUaw=
+github.com/ovirt/go-ovirt v0.0.0-20200313072907-d30f754823a6 h1:LFsvZMgJpJgpZOr8uOb2i+61SsT57W2MY1ggmIB9jV0=
+github.com/ovirt/go-ovirt v0.0.0-20200313072907-d30f754823a6/go.mod h1:fLDxPk1Sf64DBYtwIYxrnx3gPZ1q0xPdWdI1y9vxUaw=
 github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=

pkg/cloud/ovirt/clients/credentials.go

@@ -8,10 +8,14 @@ package clients
 import (
 	"context"
 	"fmt"
+	"io"
+	"io/ioutil"
 	"strconv"
+	"strings"
 
 	apicorev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/klog"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -21,6 +25,7 @@ type OvirtCreds struct {
 	Password string
 	CAFile   string
 	Insecure bool
+	CABundle string
 }
 
 func GetCredentialsSecret(coreClient client.Client, namespace string, secretName string) (*OvirtCreds, error) {
@@ -39,11 +44,39 @@ func GetCredentialsSecret(coreClient client.Client, namespace string, secretName
 	o.Username = string(credentialsSecret.Data["ovirt_username"])
 	o.Password = string(credentialsSecret.Data["ovirt_password"])
 	o.CAFile = string(credentialsSecret.Data["ovirt_cafile"])
-	insecure, err  := strconv.ParseBool(string(credentialsSecret.Data["ovirt_insecure"]))
+	insecure, err := strconv.ParseBool(string(credentialsSecret.Data["ovirt_insecure"]))
 	if err == nil {
 		o.Insecure = insecure
 	}
+	o.CABundle = string(credentialsSecret.Data["ovirt_ca_bundle"])
 
+	// write CA bundle to a file if exist.
+	// its best if we could mount the secret into a file,
+	// but this controller deployment cannot
+	if o.CABundle != "" {
+		caFilePath, err := writeCA(strings.NewReader(o.CABundle))
+		if err != nil {
+			klog.Errorf("failed to extract and store the CA %s", err)
+			return nil, err
+		}
+		o.CAFile = caFilePath
+	}
 	return &o, nil
 }
 
+func writeCA(source io.Reader) (string, error) {
+	f, err := ioutil.TempFile("", "ovirt-ca-bundle")
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	content, err := ioutil.ReadAll(source)
+	if err != nil {
+		return "", err
+	}
+	_, err = f.Write(content)
+	if err != nil {
+		return "", err
+	}
+	return f.Name(), nil
+}