Set dc adminep cert and root ca cert to secure system config
Extract admin endpoint cert and key pair from cert-manager to secure system config, for puppet to pick up and install. The cert and key are used by haproxy to provide ssl termination on admin endpoints. Performed tests: Installed DC, unlocked system controller 0 and 1, unlocked SX subcloud controller 0. Story: 2007347 Task: 39429 Depends-on: https://review.opendev.org/#/c/720270 Depends-on: https://review.opendev.org/#/c/720224 Change-Id: Idb302fffe2b4c4ae36a901377d5089a91d26a3ba Signed-off-by: Bin Qian <bin.qian@windriver.com>
This commit is contained in:
parent
709115dcda
commit
1c77d66642
@ -1,6 +1,6 @@
|
|||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||
|
||||
# Copyright (c) 2013-2019 Wind River Systems, Inc.
|
||||
# Copyright (c) 2013-2020 Wind River Systems, Inc.
|
||||
# Copyright 2010 United States Government as represented by the
|
||||
# Administrator of the National Aeronautics and Space Administration.
|
||||
# All Rights Reserved.
|
||||
|
@ -1443,3 +1443,8 @@ class KubeUpgradeNotFound(NotFound):
|
|||
|
||||
class KubeVersionNotFound(NotFound):
|
||||
message = _("Kubernetes version %(version)s not found")
|
||||
|
||||
|
||||
class KubeNotConfigured(SysinvException):
|
||||
message = _("Kubernetes is not configured. API operations "
|
||||
"will not be available.")
|
||||
|
|
|
@ -133,9 +133,7 @@ class KubeOperator(object):
|
|||
|
||||
def _load_kube_config(self):
|
||||
if not is_k8s_configured():
|
||||
raise exception.SysinvException(
|
||||
"Kubernetes is not configured. API operations will not be "
|
||||
"available.")
|
||||
raise exception.KubeNotConfigured()
|
||||
|
||||
config.load_kube_config(KUBERNETES_ADMIN_CONF)
|
||||
|
||||
|
|
|
@ -3,11 +3,13 @@
|
|||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
import base64
|
||||
import keyring
|
||||
import os
|
||||
|
||||
from sysinv.common import constants
|
||||
from sysinv.common import exception
|
||||
from sysinv.common import kubernetes
|
||||
from sysinv.common import utils
|
||||
|
||||
from tsconfig import tsconfig
|
||||
|
@ -50,6 +52,7 @@ class PlatformPuppet(base.BasePuppet):
|
|||
def get_secure_system_config(self):
|
||||
config = {}
|
||||
config.update(self._get_user_config())
|
||||
config.update(self._get_dc_root_ca_config())
|
||||
return config
|
||||
|
||||
def get_host_config(self, host):
|
||||
|
@ -878,6 +881,44 @@ class PlatformPuppet(base.BasePuppet):
|
|||
|
||||
return config
|
||||
|
||||
def _get_dc_root_ca_config(self):
|
||||
config = {}
|
||||
system = self._get_system()
|
||||
if system.distributed_cloud_role == \
|
||||
constants.DISTRIBUTED_CLOUD_ROLE_SYSTEMCONTROLLER and \
|
||||
os.path.isfile(constants.ANSIBLE_BOOTSTRAP_COMPLETED_FLAG):
|
||||
|
||||
kube = kubernetes.KubeOperator()
|
||||
try:
|
||||
secret = kube.kube_get_secret('dc-adminep-root-ca-certificate', 'dc-cert')
|
||||
except exception.KubeNotConfigured:
|
||||
# kubernetes admin config file does not exist, skip
|
||||
return config
|
||||
|
||||
if not hasattr(secret, 'data'):
|
||||
raise Exception('Invalid secret dc-adminep-root-ca-certificate')
|
||||
|
||||
data = secret.data
|
||||
if 'ca.crt' not in data or \
|
||||
'tls.crt' not in data or 'tls.key' not in data:
|
||||
|
||||
raise Exception("Invalid admin endpoint certificate data.")
|
||||
|
||||
try:
|
||||
ca_crt = base64.b64decode(data['ca.crt'])
|
||||
tls_crt = base64.b64decode(data['tls.crt'])
|
||||
tls_key = base64.b64decode(data['tls.key'])
|
||||
except TypeError:
|
||||
raise Exception('admin endpoint root ca certification is invalid')
|
||||
|
||||
config.update({
|
||||
'platform::config::dccert::params::dc_root_ca_crt': ca_crt,
|
||||
'platform::config::dccert::params::dc_adminep_crt':
|
||||
"%s%s" % (tls_key, tls_crt)
|
||||
})
|
||||
|
||||
return config
|
||||
|
||||
def _get_platform_cpu_count(self, host):
|
||||
cpus = self._get_host_cpu_list(host, constants.PLATFORM_FUNCTION, True)
|
||||
return len(cpus)
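Review bot: The decode guard `except TypeError:` only matches Python 2 behaviour — on Python 3 `base64.b64decode` reports malformed input as `binascii.Error` (a `ValueError` subclass), so a corrupt secret would escape the handler as an unhandled traceback instead of the intended message; `except (TypeError, ValueError):` covers both without a new import. The bundle built with `"%s%s" % (tls_key, tls_crt)` has the same portability problem: if the decoded values are bytes, `%s` formats their repr (`b'...'`) and the PEM handed to haproxy is garbage, whereas `tls_key + tls_crt` works for either type. `secret.data` can also be None for an empty Secret in the kubernetes client, in which case `'ca.crt' not in data` raises TypeError rather than the `Invalid admin endpoint certificate data.` exception; `data = secret.data or {}` closes that gap. Since this path writes a private key into the puppet secure config, the three `raise Exception(...)` calls would be more useful as a `SysinvException` subclass (matching the new `KubeNotConfigured`) so callers can tell a malformed secret from an unrelated failure. The whole of `_get_dc_root_ca_config` is inside the hunk.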
|
||||
|
|
|
@ -80,7 +80,12 @@ def mock_load_kube_config(path):
|
|||
return
|
||||
|
||||
|
||||
def mock_os_path_isfile(path):
|
||||
return True
|
||||
|
||||
|
||||
@mock.patch('kubernetes.config.load_kube_config', mock_load_kube_config)
|
||||
@mock.patch('os.path.isfile', mock_os_path_isfile)
|
||||
@mock.patch('sysinv.common.kubernetes.get_kube_versions',
|
||||
mock_get_kube_versions)
|
||||
class TestKubeOperator(base.TestCase):
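Review bot: Patching `os.path.isfile` to return True for every path across the whole `TestKubeOperator` class (the `@mock.patch('os.path.isfile', mock_os_path_isfile)` decorator) is broader than the check it is meant to satisfy, and will make any other existence check in code under test succeed as well, which can hide real failures. If the intent is only to make the bootstrap flag look present, the stub could compare the path — `return path == constants.ANSIBLE_BOOTSTRAP_COMPLETED_FLAG` (assuming `constants` is imported in this test module) — or the patch could be applied only on the tests that need it. The class body continues past the hunk.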
|
||||
|
|