Bug 1809780: OpenStack: pass all CAs to bootstrap ignition

When the CA cert file referenced from the `clouds.yaml` contained more than one certficate, the complete cert bundle was added to the boostrap ignition file, but only the first one was actually trusted to gather the ignition file. This patch splits the CA cert bundle into separate certs and add them to the ignition file as separate entries.
openshift · Mar 5, 2020 · 59144cd · 59144cd
1 parent e0dd3b8
commit 59144cd
Showing 1 changed file with 19 additions and 3 deletions.
diff --git a/pkg/tfvars/openstack/bootstrap_ignition.go b/pkg/tfvars/openstack/bootstrap_ignition.go
@@ -2,6 +2,7 @@ package openstack
 
 import (
 	"encoding/json"
+	"encoding/pem"
 	"fmt"
 	"strings"
 
@@ -96,11 +97,26 @@ func generateIgnitionShim(userCA string, clusterID string, bootstrapConfigURL st
 
 	security := ignition.Security{}
 	if userCA != "" {
+		carefs := []ignition.CaReference{}
+		rest := []byte(userCA)
+
+		for {
+			var block *pem.Block
+			block, rest = pem.Decode(rest)
+			if block == nil {
+				return "", fmt.Errorf("unable to parse certificate, please check the cacert section of clouds.yaml")
+			}
+
+			carefs = append(carefs, ignition.CaReference{Source: dataurl.EncodeBytes(pem.EncodeToMemory(block))})
+
+			if len(rest) == 0 {
+				break
+			}
+		}
+
 		security = ignition.Security{
 			TLS: ignition.TLS{
-				CertificateAuthorities: []ignition.CaReference{{
-					Source: dataurl.EncodeBytes([]byte(userCA)),
-				}},
+				CertificateAuthorities: carefs,
 			},
 		}
 	}