From 459e27e688d4cd9209060c277e17823c698ee5ac Mon Sep 17 00:00:00 2001
From: Bharat Kunwar
Date: Fri, 20 Sep 2019 15:14:00 +0000
Subject: [PATCH] Propagate cloud_provider_enabled correctly
The derived cloud_provider_enabled is placed inside extra_params so that openstack-cloud-controller-manager gets applied correctly. This required change was unfortulately missed in https://review.opendev.org/681922. Additionally improve the docs related to cloud_provider_enabled label.
Story: 2006531
Task: 36740
Change-Id: I4a89d25b467edd2c4be608c37055706e4e62d78b
---
 doc/source/user/index.rst | 11 +++++++----
 magnum/drivers/heat/k8s_fedora_template_def.py | 9 +++++----
 .../k8s_fedora_atomic_v1/templates/kubecluster.yaml | 1 -
 .../conductor/handlers/test_k8s_cluster_conductor.py | 4 ++++
 4 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst
index 1392f1f384..bad379a228 100644
--- a/doc/source/user/index.rst
+++ b/doc/source/user/index.rst
@@ -380,7 +380,7 @@ the table are linked to more details elsewhere in the user guide.
 | `cgroup_driver`_ | - systemd | "cgroupfs" |
 | | - cgroupfs | |
 +---------------------------------------+--------------------+---------------+
-| `cloud_provider_enabled`_ | - true | true |
+| `cloud_provider_enabled`_ | - true | see below |
 | | - false | |
 +---------------------------------------+--------------------+---------------+
 | `service_cluster_ip_range` | IPv4 CIDR for k8s | 10.254.0.0/16 |
@@ -1262,9 +1262,12 @@ _`cgroup_driver`
 _`cloud_provider_enabled`
 Add 'cloud_provider_enabled' label for the k8s_fedora_atomic driver. Defaults
- to true. For specific kubernetes versions if 'cinder' is selected as a
- 'volume_driver', it is implied that the cloud provider will be enabled since
- they are combined.
+ to the value of 'cluster_user_trust' (default: 'false' unless explicitly set
+ to 'true' in magnum.conf due to CVE-2016-7404). Consequently,
+ 'cloud_provider_enabled' label cannot be overridden to 'true' when
+ 'cluster_user_trust' resolves to 'false'. For specific kubernetes versions,
+ if 'cinder' is selected as a 'volume_driver', it is implied that the cloud
+ provider will be enabled since they are combined.
 _`keystone_auth_enabled`
 If this label is set to True, Kubernetes will support use Keystone for
diff --git a/magnum/drivers/heat/k8s_fedora_template_def.py b/magnum/drivers/heat/k8s_fedora_template_def.py
index 58135242de..eb9d4941f5 100644
--- a/magnum/drivers/heat/k8s_fedora_template_def.py
+++ b/magnum/drivers/heat/k8s_fedora_template_def.py
@@ -111,17 +111,18 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
 # the cloud provider needs to be enabled.
 cloud_provider_enabled = cluster.labels.get(
 'cloud_provider_enabled',
- 'true' if CONF.trust.cluster_user_trust else 'false').lower()
+ 'true' if CONF.trust.cluster_user_trust else 'false')
 if (not CONF.trust.cluster_user_trust
- and cloud_provider_enabled == 'true'):
+ and cloud_provider_enabled.lower() == 'true'):
 raise exception.InvalidParameterValue(_(
 '"cluster_user_trust" must be set to True in magnum.conf when '
 '"cloud_provider_enabled" label is set to true.'))
 if (cluster_template.volume_driver == 'cinder'
- and cloud_provider_enabled == 'false'):
+ and cloud_provider_enabled.lower() == 'false'):
 raise exception.InvalidParameterValue(_(
 '"cinder" volume driver needs "cloud_provider_enabled" label '
 'to be true or unset.'))
+ extra_params['cloud_provider_enabled'] = cloud_provider_enabled
 extra_params['master_image'] = cluster_template.image_id
 extra_params['minion_image'] = cluster_template.image_id
@@ -133,7 +134,7 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
 'calico_tag', 'calico_cni_tag', 'calico_kube_controllers_tag', 'calico_ipv4pool', 'etcd_tag', 'flannel_tag', 'flannel_cni_tag',
- 'cloud_provider_enabled', 'cloud_provider_tag',
+ 'cloud_provider_tag',
 'prometheus_tag', 'grafana_tag', 'heat_container_agent_tag', 'keystone_auth_enabled', 'k8s_keystone_auth_tag',
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
index f961616676..08ff85ec7b 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -367,7 +367,6 @@ parameters:
 cloud_provider_enabled:
 type: boolean
 description: Enable or disable the openstack kubernetes cloud provider
- default: true
 etcd_tag:
 type: string
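Review bot: In the first hunk of magnum/drivers/heat/k8s_fedora_template_def.py, both guards compare `cloud_provider_enabled.lower()` only against the literals 'true' and 'false', while the raw label string is what gets written to `extra_params['cloud_provider_enabled']`, and the kubecluster.yaml parameter it feeds is declared `type: boolean`. If Heat accepts other boolean spellings for that type (for example 'yes', 'on' or '1'; worth confirming), such a label skips both the `cluster_user_trust` guard and the cinder guard and is still applied as a boolean by the template. Parsing the label once with strict boolean parsing, turning a parse failure into `InvalidParameterValue`, and using the parsed value in both checks and in `extra_params` would close that gap, e.g. `enabled = strutils.bool_from_string(cloud_provider_enabled, strict=True)` followed by `extra_params['cloud_provider_enabled'] = str(enabled).lower()` (assuming oslo.utils' strutils is importable in this module). The enclosing method starts and ends outside the hunk.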
diff --git a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
index f4789e8af6..15bd2fa987 100644
--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@@ -283,6 +283,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 'insecure_registry': '10.0.0.1:5000',
 }
 expected = {
+ 'cloud_provider_enabled': 'false',
 'ssh_key_name': 'keypair_id',
 'external_network': 'e2a6c8b0-a3c2-42a3-b3f4-01400a30896e',
 'fixed_network': 'fixed_network',
@@ -422,6 +423,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 expected = {
 'auth_url': 'http://192.168.10.10:5000/v3',
+ 'cloud_provider_enabled': 'true',
 'cluster_uuid': '5d12f6fd-a196-4bf0-ae4c-1f639a523a52',
 'discovery_url': 'https://discovery.etcd.io/test',
 'dns_nameserver': 'dns_nameserver',
@@ -554,6 +556,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 expected = {
 'auth_url': 'http://192.168.10.10:5000/v3',
+ 'cloud_provider_enabled': 'false',
 'cluster_uuid': '5d12f6fd-a196-4bf0-ae4c-1f639a523a52',
 'discovery_url': 'https://discovery.etcd.io/test',
 'docker_volume_size': 20,
@@ -978,6 +981,7 @@ class TestClusterConductorWithK8s(base.TestCase):
 cluster)
 expected = {
+ 'cloud_provider_enabled': 'false',
 'ssh_key_name': 'keypair_id',
 'external_network': 'e2a6c8b0-a3c2-42a3-b3f4-01400a30896e',
 'fixed_network': 'fixed_network',
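Review bot: The four updated `expected` dicts in test_k8s_cluster_conductor.py only pin the value that reaches the Heat parameters ('false' three times, 'true' once), and none of the visible hunks sets the label explicitly. Unless tests outside these hunks cover them, the two `InvalidParameterValue` guards in k8s_fedora_template_def.py and the mixed-case path that the moved `.lower()` calls exist for are not exercised. I would add one test that sets the `cloud_provider_enabled` label to 'True' with `cluster_user_trust` disabled and asserts `InvalidParameterValue`, and one that asserts an explicitly set label reaches `extra_params` as given. A short comment above each new entry, such as `# derived from CONF.trust.cluster_user_trust, no label set`, would say why the expected value differs between tests, if that is indeed the reason. The test methods start and end outside the hunks.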