x
/
k8s-cloud-provider
Code Issues Proposed changes

Merge pull request #41309 from kars7e/add-cafile-openstack 

Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628)

Add custom CA file to openstack cloud provider config

**What this PR does / why we need it**: Adds ability to specify custom CA bundle file to verify OpenStack endpoint against. Useful in tests and PoC deployments. Similar to what https://github.com/kubernetes/kubernetes/pull/35488 did for authentication.  


**Which issue this PR fixes**: None

**Special notes for your reviewer**: Based on https://github.com/kubernetes/kubernetes/pull/35488 which added support for custom CA file for authentication.

**Release note**:
This commit is contained in:
Kubernetes Submit Queue 2017-02-26 08:10:00 -08:00 committed by GitHub
parent 0f9833ff05 378f247206
commit 7baf5e263a
2 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/cloudprovider/providers/openstack/BUILD
View File

@ -54,6 +54,8 @@ go_library(
"//vendor:gopkg.in/gcfg.v1",
"//vendor:k8s.io/apimachinery/pkg/api/resource",
"//vendor:k8s.io/apimachinery/pkg/types",
"//vendor:k8s.io/apimachinery/pkg/util/net",
"//vendor:k8s.io/client-go/util/cert",
],
)

14
pkg/cloudprovider/providers/openstack/openstack.go
View File

@ -17,6 +17,7 @@ limitations under the License.
package openstack
import (
"crypto/tls"
"errors"
"fmt"
"io"
@ -37,6 +38,8 @@ import (
"github.com/golang/glog"
"k8s.io/apimachinery/pkg/types"
netutil "k8s.io/apimachinery/pkg/util/net"
certutil "k8s.io/client-go/util/cert"
"k8s.io/kubernetes/pkg/api/v1"
"k8s.io/kubernetes/pkg/cloudprovider"
)
@ -116,6 +119,7 @@ type Config struct {
DomainId string `gcfg:"domain-id"`
DomainName string `gcfg:"domain-name"`
Region string
CAFile string `gcfg:"ca-file"`
}
LoadBalancer LoadBalancerOpts
BlockStorage BlockStorageOpts
@ -214,6 +218,16 @@ func newOpenStack(cfg Config) (*OpenStack, error) {
if err != nil {
return nil, err
}
if cfg.Global.CAFile != "" {
roots, err := certutil.NewPool(cfg.Global.CAFile)
if err != nil {
return nil, err
}
config := &tls.Config{}
config.RootCAs = roots
provider.HTTPClient.Transport = netutil.SetOldTransportDefaults(&http.Transport{TLSClientConfig: config})
}
if cfg.Global.TrustId != "" {
opts := cfg.toAuth3Options()
authOptsExt := trusts.AuthOptsExt{