From 48b85899a03fb82d64db8a512ec7b834e82cfba6 Mon Sep 17 00:00:00 2001 From: Ricardo Rocha Date: Mon, 16 Jul 2018 15:24:21 +0200 Subject: [PATCH] [k8s] Add embed certs to config Add embed certs to kubernetes config file to cluster config Add option --output-certs to cluster config enabling the output of the certificates files (ca, key, cert). This is for compatibility with tools that require the certificates in separate files. Change-Id: I595d243bc9f30d813af06aad46a9037afe383ab5 Story: 1774643 Task: 21668 --- magnumclient/common/utils.py | 30 ++++++++++++++++++------------ magnumclient/osc/v1/clusters.py | 26 +++++++++++++++++--------- 2 files changed, 35 insertions(+), 21 deletions(-) diff --git a/magnumclient/common/utils.py b/magnumclient/common/utils.py index af5642fa..99676da7 100644 --- a/magnumclient/common/utils.py +++ b/magnumclient/common/utils.py @@ -15,6 +15,7 @@ # License for the specific language governing permissions and limitations # under the License. +import base64 import json import os @@ -158,21 +159,23 @@ def handle_json_from_file(json_arg): return json_arg -def config_cluster(cluster, cluster_template, cfg_dir, force=False): +def config_cluster(cluster, cluster_template, cfg_dir, force=False, + certs=None): """Return and write configuration for the given cluster.""" if cluster_template.coe == 'kubernetes': - return _config_cluster_kubernetes(cluster, cluster_template, - cfg_dir, force) + return _config_cluster_kubernetes(cluster, cluster_template, cfg_dir, + force, certs) elif (cluster_template.coe == 'swarm' or cluster_template.coe == 'swarm-mode'): - return _config_cluster_swarm(cluster, cluster_template, cfg_dir, force) + return _config_cluster_swarm(cluster, cluster_template, cfg_dir, + force, certs) -def _config_cluster_kubernetes(cluster, cluster_template, - cfg_dir, force=False): +def _config_cluster_kubernetes(cluster, cluster_template, cfg_dir, + force=False, certs=None): """Return and write configuration for the given kubernetes cluster.""" cfg_file = "%s/config" % cfg_dir - if cluster_template.tls_disabled: + if cluster_template.tls_disabled or certs is None: cfg = ("apiVersion: v1\n" "clusters:\n" "- cluster:\n" @@ -193,7 +196,7 @@ def _config_cluster_kubernetes(cluster, cluster_template, cfg = ("apiVersion: v1\n" "clusters:\n" "- cluster:\n" - " certificate-authority: %(cfg_dir)s/ca.pem\n" + " certificate-authority-data: %(ca)s\n" " server: %(api_address)s\n" " name: %(name)s\n" "contexts:\n" @@ -207,11 +210,13 @@ def _config_cluster_kubernetes(cluster, cluster_template, "users:\n" "- name: admin\n" " user:\n" - " client-certificate: %(cfg_dir)s/cert.pem\n" - " client-key: %(cfg_dir)s/key.pem\n" + " client-certificate-data: %(cert)s\n" + " client-key-data: %(key)s\n" % {'name': cluster.name, 'api_address': cluster.api_address, - 'cfg_dir': cfg_dir}) + 'key': base64.b64encode(certs['key']), + 'cert': base64.b64encode(certs['cert']), + 'ca': base64.b64encode(certs['ca'])}) if os.path.exists(cfg_file) and not force: raise exc.CommandError("File %s exists, aborting." % cfg_file) @@ -225,7 +230,8 @@ def _config_cluster_kubernetes(cluster, cluster_template, return "export KUBECONFIG=%s\n" % cfg_file -def _config_cluster_swarm(cluster, cluster_template, cfg_dir, force=False): +def _config_cluster_swarm(cluster, cluster_template, cfg_dir, + force=False, certs=None): """Return and write configuration for the given swarm cluster.""" tls = "" if cluster_template.tls_disabled else True if 'csh' in os.environ['SHELL']: diff --git a/magnumclient/osc/v1/clusters.py b/magnumclient/osc/v1/clusters.py index c6857b73..8e85b96f 100644 --- a/magnumclient/osc/v1/clusters.py +++ b/magnumclient/osc/v1/clusters.py @@ -293,6 +293,12 @@ class ConfigCluster(command.Command): dest='force', default=False, help=_('Overwrite files if existing.')) + parser.add_argument( + '--output-certs', + action='store_true', + dest='output_certs', + default=False, + help=_('Output certificates in separate files.')) return parser @@ -319,21 +325,23 @@ class ConfigCluster(command.Command): 'cluster_uuid': cluster.uuid, } + tls = None if not cluster_template.tls_disabled: tls = magnum_utils.generate_csr_and_key() tls['ca'] = mag_client.certificates.get(**opts).pem opts['csr'] = tls['csr'] tls['cert'] = mag_client.certificates.create(**opts).pem - for k in ('key', 'cert', 'ca'): - fname = "%s/%s.pem" % (parsed_args.dir, k) - if os.path.exists(fname) and not parsed_args.force: - raise Exception("File %s exists, aborting." % fname) - else: - f = open(fname, "w") - f.write(tls[k]) - f.close() + if parsed_args.output_certs: + for k in ('key', 'cert', 'ca'): + fname = "%s/%s.pem" % (parsed_args.dir, k) + if os.path.exists(fname) and not parsed_args.force: + raise Exception("File %s exists, aborting." % fname) + else: + with open(fname, "w") as f: + f.write(tls[k]) print(magnum_utils.config_cluster(cluster, cluster_template, parsed_args.dir, - force=parsed_args.force)) + force=parsed_args.force, + certs=tls))