Merge "Propagate cloud_provider_enabled correctly"

doc/source/user/index.rst

@@ -386,7 +386,7 @@ the table are linked to more details elsewhere in the user guide.
 | `cgroup_driver`_                      | - systemd          | "cgroupfs"    |
 |                                       | - cgroupfs         |               |
 +---------------------------------------+--------------------+---------------+
-| `cloud_provider_enabled`_             | - true             | true          |
+| `cloud_provider_enabled`_             | - true             | see below     |
 |                                       | - false            |               |
 +---------------------------------------+--------------------+---------------+
 | `service_cluster_ip_range`            | IPv4 CIDR for k8s  | 10.254.0.0/16 |
@@ -1284,9 +1284,12 @@ _`cgroup_driver`
 
 _`cloud_provider_enabled`
   Add 'cloud_provider_enabled' label for the k8s_fedora_atomic driver. Defaults
-  to true. For specific kubernetes versions if 'cinder' is selected as a
-  'volume_driver', it is implied that the cloud provider will be enabled since
-  they are combined.
+  to the value of 'cluster_user_trust' (default: 'false' unless explicitly set
+  to 'true' in magnum.conf due to CVE-2016-7404). Consequently,
+  'cloud_provider_enabled' label cannot be overridden to 'true' when
+  'cluster_user_trust' resolves to 'false'. For specific kubernetes versions,
+  if 'cinder' is selected as a 'volume_driver', it is implied that the cloud
+  provider will be enabled since they are combined.
 
 _`keystone_auth_enabled`
   If this label is set to True, Kubernetes will support use Keystone for

magnum/drivers/heat/k8s_fedora_template_def.py

@@ -108,17 +108,18 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
         # the cloud provider needs to be enabled.
         cloud_provider_enabled = cluster.labels.get(
             'cloud_provider_enabled',
-            'true' if CONF.trust.cluster_user_trust else 'false').lower()
+            'true' if CONF.trust.cluster_user_trust else 'false')
         if (not CONF.trust.cluster_user_trust
-                and cloud_provider_enabled == 'true'):
+                and cloud_provider_enabled.lower() == 'true'):
             raise exception.InvalidParameterValue(_(
                 '"cluster_user_trust" must be set to True in magnum.conf when '
                 '"cloud_provider_enabled" label is set to true.'))
         if (cluster_template.volume_driver == 'cinder'
-                and cloud_provider_enabled == 'false'):
+                and cloud_provider_enabled.lower() == 'false'):
             raise exception.InvalidParameterValue(_(
                 '"cinder" volume driver needs "cloud_provider_enabled" label '
                 'to be true or unset.'))
+        extra_params['cloud_provider_enabled'] = cloud_provider_enabled
 
         extra_params['master_image'] = cluster_template.image_id
         extra_params['minion_image'] = cluster_template.image_id
@@ -130,7 +131,7 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
                       'calico_tag',
                       'calico_kube_controllers_tag', 'calico_ipv4pool',
                       'etcd_tag', 'flannel_tag', 'flannel_cni_tag',
-                      'cloud_provider_enabled', 'cloud_provider_tag',
+                      'cloud_provider_tag',
                       'prometheus_tag', 'grafana_tag',
                       'heat_container_agent_tag',
                       'keystone_auth_enabled', 'k8s_keystone_auth_tag',

magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml

@@ -382,7 +382,6 @@ parameters:
   cloud_provider_enabled:
     type: boolean
     description: Enable or disable the openstack kubernetes cloud provider
-    default: true
 
   etcd_tag:
     type: string

magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py

@@ -290,6 +290,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'insecure_registry': '10.0.0.1:5000',
         }
         expected = {
+            'cloud_provider_enabled': 'false',
             'ssh_key_name': 'keypair_id',
             'external_network': 'e2a6c8b0-a3c2-42a3-b3f4-01400a30896e',
             'fixed_network': 'fixed_network',
@@ -432,6 +433,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 
         expected = {
             'auth_url': 'http://192.168.10.10:5000/v3',
+            'cloud_provider_enabled': 'true',
             'cluster_uuid': '5d12f6fd-a196-4bf0-ae4c-1f639a523a52',
             'discovery_url': 'https://discovery.etcd.io/test',
             'dns_nameserver': 'dns_nameserver',
@@ -567,6 +569,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 
         expected = {
             'auth_url': 'http://192.168.10.10:5000/v3',
+            'cloud_provider_enabled': 'false',
             'cluster_uuid': '5d12f6fd-a196-4bf0-ae4c-1f639a523a52',
             'discovery_url': 'https://discovery.etcd.io/test',
             'docker_volume_size': 20,
@@ -994,6 +997,7 @@ class TestClusterConductorWithK8s(base.TestCase):
                                                                  cluster)
 
         expected = {
+            'cloud_provider_enabled': 'false',
             'ssh_key_name': 'keypair_id',
             'external_network': 'e2a6c8b0-a3c2-42a3-b3f4-01400a30896e',
             'fixed_network': 'fixed_network',