k8s/OKD Provider: Don't Set ca_cert if TLS verification is skipped

Kubernetes does not allow to set a ca_cert in a kubeconfig if TLS certificate verifiaction is disabled. Doing so results in an error message: `error: specifying a root certificates file with the insecure flag is not allowed` This change makes sure we skip the ca_cert option nodepool-launcher generates for the Zuul executor if nodepools kubeconfig is set to skip TLS cert verification. Change-Id: I458c054fc9fae340d187ce40ea1236efdf65d50f
2020-04-08 13:22:30 +02:00
parent 2779a61a10
commit bc172f0471
2 changed files with 8 additions and 2 deletions
--- a/nodepool/driver/kubernetes/provider.py
+++ b/nodepool/driver/kubernetes/provider.py
@@ -259,9 +259,12 @@ class KubernetesProvider(Provider):
            'host': self.k8s_client.api_client.configuration.host,
            'skiptls': not self.k8s_client.api_client.configuration.verify_ssl,
            'token': token,
-            'ca_crt': ca_crt,
            'user': user,
        }
+
+        if not resource['skiptls']:
+            resource['ca_crt'] = ca_crt
+
        self.log.info("%s: namespace created" % namespace)
        return resource

--- a/nodepool/driver/openshift/provider.py
+++ b/nodepool/driver/openshift/provider.py
@@ -193,9 +193,12 @@ class OpenshiftProvider(Provider):
            'host': self.os_client.api_client.configuration.host,
            'skiptls': not self.os_client.api_client.configuration.verify_ssl,
            'token': token,
-            'ca_crt': ca_crt,
            'user': user,
        }
+
+        if not resource['skiptls']:
+            resource['ca_crt'] = ca_crt
+
        self.log.info("%s: project created" % project)
        return resource