Bug 1839226: Implement self-signed certificates support for the driver and the operator #30

Merged
merged 2 commits into from
Jun 4, 2020
Merged
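--- a/pkg/controller/maniladriver/ca_cert.go
+++ b/pkg/controller/maniladriver/ca_cert.go
@@ -0,0 +1,93 @@
+package maniladriver
+
+import (
+"context"
+
+"github.com/go-logr/logr"
+maniladriverv1alpha1 "github.com/openshift/csi-driver-manila-operator/pkg/apis/maniladriver/v1alpha1"
+corev1 "k8s.io/api/core/v1"
+"k8s.io/apimachinery/pkg/api/errors"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/apimachinery/pkg/types"
+)
+
+func (r *ReconcileManilaDriver) getCloudProviderCert() (string, error) {
+cm := &corev1.ConfigMap{}
+err := r.apiReader.Get(context.TODO(), types.NamespacedName{Name: "cloud-provider-config", Namespace: "openshift-config"}, cm)
+if err != nil {
+return "", err
+}
+
+return string(cm.Data["ca-bundle.pem"]), nil
+}
+
+// handleCACertConfigMap converts the cloud provider configmap with the ca cert, if it is available,
+// into the driver configmap
+func (r *ReconcileManilaDriver) handleCACertConfigMap(instance *maniladriverv1alpha1.ManilaDriver, reqLogger logr.Logger) error {
+reqLogger.Info("Reconciling CA Cert ConfigMap")
+
+cert, err := r.getCloudProviderCert()
+if err != nil {
+return err
+}
+
+// We don't have the certificate, so we don't need to create the configmap in for the driver
+if cert == "" {
+return nil
+}
+
+cm := generateCACertConfigMap(cert)
+
+if err := annotator.SetLastAppliedAnnotation(cm); err != nil {
+return err
+}
+
+found := &corev1.ConfigMap{}
+err = r.apiReader.Get(context.TODO(), types.NamespacedName{Name: cm.Name, Namespace: cm.Namespace}, found)
+if err == nil {
+// Check if we need to update the object
+equal, err := compareLastAppliedAnnotations(found, cm)
+if err != nil {
+return err
+}
+
+if !equal {
+reqLogger.Info("Updating ConfigMap with new changes", "ConfigMap.Namespace", found.Namespace, "ConfigMap.Name", found.Name)
+err = r.client.Update(context.TODO(), cm)
+if err != nil {
+return err
+}
+} else {
+// ConfigMap already exists - don't requeue
+reqLogger.Info("Skip reconcile: ConfigMap already exists", "ConfigMap.Namespace", found.Namespace, "ConfigMap.Name", found.Name)
+}
+
+return nil
+}
+
+if err != nil && !errors.IsNotFound(err) {
+return err
+}
+
+// Convert the cloud provider configmap with the ca cert into driver configmap
+reqLogger.Info("Creating a new ConfigMap", "ConfigMap.Namespace", cm.Namespace, "ConfigMap.Name", cm.Name)
+err = r.client.Create(context.TODO(), cm)
+if err != nil {
+return err
+}
+
+// ConfigMap created successfully - don't requeue
+return nil
+}
+
+func generateCACertConfigMap(cert string) *corev1.ConfigMap {
+cm := corev1.ConfigMap{
+ObjectMeta: metav1.ObjectMeta{
+Name: "openstack-certificates",
+Namespace: "openshift-manila-csi-driver",
+},
+Data: map[string]string{"cloud-provider-ca-bundle.pem": cert},
+}
+
+return &cm
+}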
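Review bot: A missing `openshift-config/cloud-provider-config` ConfigMap makes `getCloudProviderCert` return the NotFound error unchanged, so `handleCACertConfigMap` fails the whole reconcile on clusters that have no cloud provider CA at all, and `createDriverCredentialsSecret` in manila_credentials.go does the same; only `getManilaShareTypes` in maniladriver_controller.go tolerates NotFound. Treating absence as "no certificate" inside the helper keeps all three callers consistent: `if errors.IsNotFound(err) { return "", nil }` ahead of the existing `return "", err`. A second gap is the `cert == ""` early return: once the bundle is removed from the source ConfigMap, a previously created `openstack-certificates` ConfigMap is left in place, so the driver keeps trusting a CA the cluster admin has withdrawn; deleting it (or writing an empty bundle) in that branch would close this. Minor: `string(cm.Data["ca-bundle.pem"])` converts a value that is already a `string`, so the conversion can go.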
23 changes: 23 additions & 0 deletions pkg/controller/maniladriver/manila_controllerplugin.go
Expand Up @@ -115,6 +115,10 @@ func generateManilaControllerPluginDeployment() *appsv1.Deployment {
Name: "plugin-dir",
MountPath: "/var/lib/kubelet/plugins/manila.csi.openstack.org",
},
{
Name: "openstack-certificates",
MountPath: "/usr/share/pki/ca-trust-source",
},
},
},
{
Expand Down Expand Up @@ -145,6 +149,10 @@ func generateManilaControllerPluginDeployment() *appsv1.Deployment {
Name: "plugin-dir",
MountPath: "/var/lib/kubelet/plugins/manila.csi.openstack.org",
},
{
Name: "openstack-certificates",
MountPath: "/usr/share/pki/ca-trust-source",
},
},
},
{
Expand Down Expand Up @@ -208,6 +216,10 @@ func generateManilaControllerPluginDeployment() *appsv1.Deployment {
MountPath: "/var/lib/kubelet/pods",
MountPropagation: &mountPropagationBidirectional,
},
{
Name: "openstack-certificates",
MountPath: "/usr/share/pki/ca-trust-source",
},
},
},
},
Expand Down Expand Up @@ -239,6 +251,17 @@ func generateManilaControllerPluginDeployment() *appsv1.Deployment {
},
},
},
{
Name: "openstack-certificates",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: "openstack-certificates",
},
Optional: &trueVar,
},
},
},
},
},
},
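Review bot: Mounting the `openstack-certificates` ConfigMap volume at `/usr/share/pki/ca-trust-source` replaces that whole directory inside the container, so any CA anchors the driver image ships there (whether it does depends on the image, which I cannot see) are hidden, and with `Optional: &trueVar` the directory is simply empty when the ConfigMap is absent; a dedicated directory that nothing else in the image uses, with the path in a shared constant, avoids the shadowing. The same `VolumeMount` and `Volume` literals are repeated three times in this file and twice more in manila_nodeplugin.go; a package-level `caCertVolumeMount`/`caCertVolume` value, or a small helper, would keep the name and path in one place. `generateManilaControllerPluginDeployment` starts and ends outside the hunks.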
14 changes: 13 additions & 1 deletion pkg/controller/maniladriver/manila_credentials.go
Expand Up @@ -24,14 +24,23 @@ const (
func (r *ReconcileManilaDriver) createDriverCredentialsSecret(instance *maniladriverv1alpha1.ManilaDriver, cloudConfig clientconfig.Cloud, reqLogger logr.Logger) error {
reqLogger.Info("Reconciling Manila Credentials")

cert, err := r.getCloudProviderCert()
if err != nil {
return err
}

if cert != "" {
cloudConfig.CACertFile = "/usr/share/pki/ca-trust-source/cloud-provider-ca-bundle.pem"
}

secret := generateSecret(cloudConfig)

if err := annotator.SetLastAppliedAnnotation(secret); err != nil {
return err
}

found := &corev1.Secret{}
err := r.apiReader.Get(context.TODO(), types.NamespacedName{Name: driverSecretName, Namespace: secretNamespace}, found)
err = r.apiReader.Get(context.TODO(), types.NamespacedName{Name: driverSecretName, Namespace: secretNamespace}, found)
if err == nil {
// Check if we need to update the object
equal, err := compareLastAppliedAnnotations(found, secret)
Expand Down Expand Up @@ -107,6 +116,9 @@ func generateSecret(cloud clientconfig.Cloud) *corev1.Secret {
data["os-userDomainName"] = []byte(cloud.AuthInfo.UserDomainName)
data["os-domainName"] = []byte(cloud.AuthInfo.UserDomainName)
}
if cloud.CACertFile != "" {
data["os-certAuthorityPath"] = []byte(cloud.CACertFile)
}

secret := corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
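Review bot: The literal `/usr/share/pki/ca-trust-source/cloud-provider-ca-bundle.pem` assigned to `cloudConfig.CACertFile` must agree with the `MountPath` in the plugin manifests and with the `cloud-provider-ca-bundle.pem` data key in ca_cert.go, yet each is spelled out separately; a shared constant pair such as `caCertMountPath` and `caCertFileName`, joined with `path.Join` here, would stop them drifting. `generateSecret` in the second hunk also now emits `os-certAuthorityPath` only when `cloud.CACertFile` is set, which is the right shape; a one-line comment such as `// Path inside the driver container where the CA bundle ConfigMap is mounted.` on the `CACertFile` line would make the coupling to the manifests visible. Both `createDriverCredentialsSecret` and `generateSecret` continue outside their hunks.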
19 changes: 19 additions & 0 deletions pkg/controller/maniladriver/manila_nodeplugin.go
Expand Up @@ -134,6 +134,10 @@ func generateManilaNodePluginManifest() *appsv1.DaemonSet {
Name: "registration-dir",
MountPath: "/registration",
},
{
Name: "openstack-certificates",
MountPath: "/usr/share/pki/ca-trust-source",
},
},
},
{
Expand Down Expand Up @@ -192,6 +196,10 @@ func generateManilaNodePluginManifest() *appsv1.DaemonSet {
Name: "fwd-plugin-dir",
MountPath: "/var/lib/kubelet/plugins/csi-nfsplugin",
},
{
Name: "openstack-certificates",
MountPath: "/usr/share/pki/ca-trust-source",
},
},
},
},
Expand Down Expand Up @@ -223,6 +231,17 @@ func generateManilaNodePluginManifest() *appsv1.DaemonSet {
},
},
},
{
Name: "openstack-certificates",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: "openstack-certificates",
},
Optional: &trueVar,
},
},
},
},
},
},
29 changes: 29 additions & 0 deletions pkg/controller/maniladriver/maniladriver_controller.go
Expand Up @@ -2,7 +2,10 @@ package maniladriver

import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"net/http"

"github.com/banzaicloud/k8s-objectmatcher/patch"
"github.com/go-logr/logr"
Expand Down Expand Up @@ -208,6 +211,11 @@ func (r *ReconcileManilaDriver) Reconcile(request reconcile.Request) (reconcile.
return reconcile.Result{}, err
}

err = r.handleCACertConfigMap(instance, reqLogger)
if err != nil {
return reconcile.Result{}, err
}

// Credentials Request
err = r.handleCredentialsRequest(instance, reqLogger)
if err != nil {
Expand Down Expand Up @@ -329,6 +337,27 @@ func (r *ReconcileManilaDriver) getManilaShareTypes(cloud clientconfig.Cloud, re
return nil, err
}

cert, err := r.getCloudProviderCert()
if err != nil && !errors.IsNotFound(err) {
return nil, fmt.Errorf("Failed to get cloud provider CA certificate: %v", err)
}

if cert != "" {
certPool, err := x509.SystemCertPool()
if err != nil {
return nil, fmt.Errorf("Create system cert pool failed: %v", err)
}
certPool.AppendCertsFromPEM([]byte(cert))
client := http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: certPool,
},
},
}
provider.HTTPClient = client
}

err = openstack.Authenticate(provider, *opts)
if err != nil {
return nil, err
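Review bot: The boolean returned by `certPool.AppendCertsFromPEM([]byte(cert))` is discarded, so a bundle that is not valid PEM leaves the pool unchanged and the later `openstack.Authenticate` fails with an unrelated x509 verification error instead of pointing at the ConfigMap. The replacement `http.Transport` is also built from scratch, which drops everything `http.DefaultTransport` configures (proxy from environment, dial, TLS handshake and idle timeouts); cloning the default transport and overriding only `TLSClientConfig` keeps those (`Transport.Clone` needs Go 1.13, and I cannot see go.mod from here). Minor: the two new error strings start with a capital letter, against Go convention. `getManilaShareTypes` starts outside the hunk.
```go
	if cert != "" {
		certPool, err := x509.SystemCertPool()
		if err != nil {
			return nil, fmt.Errorf("create system cert pool: %v", err)
		}
		if !certPool.AppendCertsFromPEM([]byte(cert)) {
			return nil, fmt.Errorf("cloud provider CA bundle contains no valid PEM certificates")
		}
		transport := http.DefaultTransport.(*http.Transport).Clone()
		transport.TLSClientConfig = &tls.Config{RootCAs: certPool}
		provider.HTTPClient = http.Client{Transport: transport}
	}
```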