Merge pull request #4335 from staebler/c2s_custom_trust

aws: support custom trust bundle for c2s regions
openshift · Nov 11, 2020 · cb31ad0 · cb31ad0
2 parents b561540 + bcb34f6
commit cb31ad0
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 3 deletions.
diff --git a/pkg/asset/ignition/bootstrap/bootstrap.go b/pkg/asset/ignition/bootstrap/bootstrap.go
@@ -95,6 +95,7 @@ func (a *Bootstrap) Dependencies() []asset.Asset {
 		&tls.AggregatorSignerCertKey{},
 		&tls.APIServerProxyCertKey{},
 		&tls.BootstrapSSHKeyPair{},
+		&tls.CloudProviderCABundle{},
 		&tls.EtcdCABundle{},
 		&tls.EtcdMetricCABundle{},
 		&tls.EtcdMetricSignerCertKey{},
@@ -481,6 +482,7 @@ func (a *Bootstrap) addParentFiles(dependencies asset.Parents) {
 		&tls.AggregatorClientCertKey{},
 		&tls.AggregatorSignerCertKey{},
 		&tls.APIServerProxyCertKey{},
+		&tls.CloudProviderCABundle{},
 		&tls.EtcdCABundle{},
 		&tls.EtcdMetricCABundle{},
 		&tls.EtcdMetricSignerCertKey{},

diff --git a/pkg/asset/manifests/cloudproviderconfig.go b/pkg/asset/manifests/cloudproviderconfig.go
@@ -34,7 +34,8 @@ var (
 )
 
 const (
-	cloudProviderConfigDataKey = "config"
+	cloudProviderConfigDataKey         = "config"
+	cloudProviderConfigCABundleDataKey = "ca-bundle.pem"
 )
 
 // CloudProviderConfig generates the cloud-provider-config.yaml files.
@@ -83,8 +84,15 @@ func (cpc *CloudProviderConfig) Generate(dependencies asset.Parents) error {
 	}
 
 	switch installConfig.Config.Platform.Name() {
-	case awstypes.Name, libvirttypes.Name, nonetypes.Name, baremetaltypes.Name, ovirttypes.Name:
+	case libvirttypes.Name, nonetypes.Name, baremetaltypes.Name, ovirttypes.Name:
 		return nil
+	case awstypes.Name:
+		// Store the additional trust bundle in the ca-bundle.pem key if the cluster is being installed on a C2S region.
+		trustBundle := installConfig.Config.AdditionalTrustBundle
+		if trustBundle == "" || !awstypes.C2SRegions.Has(installConfig.Config.AWS.Region) {
+			return nil
+		}
+		cm.Data[cloudProviderConfigCABundleDataKey] = trustBundle
 	case openstacktypes.Name:
 		cloud, err := icopenstack.GetSession(installConfig.Config.Platform.OpenStack.Cloud)
 		if err != nil {
@@ -99,7 +107,7 @@ func (cpc *CloudProviderConfig) Generate(dependencies asset.Parents) error {
 			if err != nil {
 				return errors.Wrap(err, "failed to read clouds.yaml ca-cert from disk")
 			}
-			cm.Data["ca-bundle.pem"] = string(caFile)
+			cm.Data[cloudProviderConfigCABundleDataKey] = string(caFile)
 		}
 	case azuretypes.Name:
 		session, err := installConfig.Azure.Session()

diff --git a/pkg/asset/tls/cloudprovidercabundle.go b/pkg/asset/tls/cloudprovidercabundle.go
@@ -0,0 +1,64 @@
+package tls
+
+import (
+	"github.com/openshift/installer/pkg/asset"
+	"github.com/openshift/installer/pkg/asset/installconfig"
+	awstypes "github.com/openshift/installer/pkg/types/aws"
+)
+
+// CloudProviderCABundle is the asset the generates the CA bundle for
+// trusting communication with the cloud provider. This bundle is used
+// by the machine-config-operator on the bootstrap node.
+type CloudProviderCABundle struct {
+	File *asset.File
+}
+
+var _ asset.WritableAsset = (*CloudProviderCABundle)(nil)
+
+// Dependencies returns the dependency of the CA bundle.
+func (a *CloudProviderCABundle) Dependencies() []asset.Asset {
+	return []asset.Asset{
+		&installconfig.InstallConfig{},
+	}
+}
+
+// Generate generates the CA bundle based on its dependencies.
+func (a *CloudProviderCABundle) Generate(deps asset.Parents) error {
+	ic := &installconfig.InstallConfig{}
+	deps.Get(ic)
+
+	if ic.Config.AdditionalTrustBundle == "" {
+		return nil
+	}
+	if ic.Config.Platform.Name() != awstypes.Name {
+		return nil
+	}
+	if !awstypes.C2SRegions.Has(ic.Config.Platform.AWS.Region) {
+		return nil
+	}
+
+	a.File = &asset.File{
+		Filename: assetFilePath("cloud-ca-cert.pem"),
+		Data:     []byte(ic.Config.AdditionalTrustBundle),
+	}
+
+	return nil
+}
+
+// Name returns the human-friendly name of the asset.
+func (a *CloudProviderCABundle) Name() string {
+	return "Cloud Provider CA Bundle"
+}
+
+// Files returns the files generated by the asset.
+func (a *CloudProviderCABundle) Files() []*asset.File {
+	if a.File == nil {
+		return nil
+	}
+	return []*asset.File{a.File}
+}
+
+// Load is a no-op because TLS assets are not written to disk.
+func (a *CloudProviderCABundle) Load(asset.FileFetcher) (bool, error) {
+	return false, nil
+}
diff --git a/pkg/types/aws/platform.go b/pkg/types/aws/platform.go
@@ -1,5 +1,12 @@
 package aws
 
+import "k8s.io/apimachinery/pkg/util/sets"
+
+var (
+	// C2SRegions are the C2S AWS regions.
+	C2SRegions = sets.NewString("us-iso-east-1")
+)
+
 // Platform stores all the global configuration that all machinesets
 // use.
 type Platform struct {