Merge "Propagate cloud_provider_enabled correctly"

2 years ago · 9c55bcba91
4 changed files with 16 additions and 9 deletions
--- a/doc/source/user/index.rst
+++ b/doc/source/user/index.rst
@ -386,7 +386,7 @@ the table are linked to more details elsewhere in the user guide.
 | `cgroup_driver`_                      | - systemd          | "cgroupfs"    |
 |                                       | - cgroupfs         |               |
 +---------------------------------------+--------------------+---------------+
-| `cloud_provider_enabled`_             | - true             | true          |
+| `cloud_provider_enabled`_             | - true             | see below     |
 |                                       | - false            |               |
 +---------------------------------------+--------------------+---------------+
 | `service_cluster_ip_range`            | IPv4 CIDR for k8s  | 10.254.0.0/16 |
@ -1284,9 +1284,12 @@ _`cgroup_driver`

 _`cloud_provider_enabled`
  Add 'cloud_provider_enabled' label for the k8s_fedora_atomic driver. Defaults
-  to true. For specific kubernetes versions if 'cinder' is selected as a
-  'volume_driver', it is implied that the cloud provider will be enabled since
-  they are combined.
+  to the value of 'cluster_user_trust' (default: 'false' unless explicitly set
+  to 'true' in magnum.conf due to CVE-2016-7404). Consequently,
+  'cloud_provider_enabled' label cannot be overridden to 'true' when
+  'cluster_user_trust' resolves to 'false'. For specific kubernetes versions,
+  if 'cinder' is selected as a 'volume_driver', it is implied that the cloud
+  provider will be enabled since they are combined.

 _`keystone_auth_enabled`
  If this label is set to True, Kubernetes will support use Keystone for
--- a/magnum/drivers/heat/k8s_fedora_template_def.py
+++ b/magnum/drivers/heat/k8s_fedora_template_def.py
@ -108,17 +108,18 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
        # the cloud provider needs to be enabled.
        cloud_provider_enabled = cluster.labels.get(
            'cloud_provider_enabled',
-            'true' if CONF.trust.cluster_user_trust else 'false').lower()
+            'true' if CONF.trust.cluster_user_trust else 'false')
        if (not CONF.trust.cluster_user_trust
-                and cloud_provider_enabled == 'true'):
+                and cloud_provider_enabled.lower() == 'true'):
            raise exception.InvalidParameterValue(_(
                '"cluster_user_trust" must be set to True in magnum.conf when '
                '"cloud_provider_enabled" label is set to true.'))
        if (cluster_template.volume_driver == 'cinder'
-                and cloud_provider_enabled == 'false'):
+                and cloud_provider_enabled.lower() == 'false'):
            raise exception.InvalidParameterValue(_(
                '"cinder" volume driver needs "cloud_provider_enabled" label '
                'to be true or unset.'))
+        extra_params['cloud_provider_enabled'] = cloud_provider_enabled

        extra_params['master_image'] = cluster_template.image_id
        extra_params['minion_image'] = cluster_template.image_id
@ -130,7 +131,7 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
                      'calico_tag',
                      'calico_kube_controllers_tag', 'calico_ipv4pool',
                      'etcd_tag', 'flannel_tag', 'flannel_cni_tag',
-                      'cloud_provider_enabled', 'cloud_provider_tag',
+                      'cloud_provider_tag',
                      'prometheus_tag', 'grafana_tag',
                      'heat_container_agent_tag',
                      'keystone_auth_enabled', 'k8s_keystone_auth_tag',
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@ -382,7 +382,6 @@ parameters:
  cloud_provider_enabled:
    type: boolean
    description: Enable or disable the openstack kubernetes cloud provider
-    default: true

  etcd_tag:
    type: string
--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@ -290,6 +290,7 @@ class TestClusterConductorWithK8s(base.TestCase):
            'insecure_registry': '10.0.0.1:5000',
        }
        expected = {
+            'cloud_provider_enabled': 'false',
            'ssh_key_name': 'keypair_id',
            'external_network': 'e2a6c8b0-a3c2-42a3-b3f4-01400a30896e',
            'fixed_network': 'fixed_network',
@ -432,6 +433,7 @@ class TestClusterConductorWithK8s(base.TestCase):

        expected = {
            'auth_url': 'http://192.168.10.10:5000/v3',
+            'cloud_provider_enabled': 'true',
            'cluster_uuid': '5d12f6fd-a196-4bf0-ae4c-1f639a523a52',
            'discovery_url': 'https://discovery.etcd.io/test',
            'dns_nameserver': 'dns_nameserver',
@ -567,6 +569,7 @@ class TestClusterConductorWithK8s(base.TestCase):

        expected = {
            'auth_url': 'http://192.168.10.10:5000/v3',
+            'cloud_provider_enabled': 'false',
            'cluster_uuid': '5d12f6fd-a196-4bf0-ae4c-1f639a523a52',
            'discovery_url': 'https://discovery.etcd.io/test',
            'docker_volume_size': 20,
@ -994,6 +997,7 @@ class TestClusterConductorWithK8s(base.TestCase):
                                                                 cluster)

        expected = {
+            'cloud_provider_enabled': 'false',
            'ssh_key_name': 'keypair_id',
            'external_network': 'e2a6c8b0-a3c2-42a3-b3f4-01400a30896e',
            'fixed_network': 'fixed_network',