Merge pull request #7524 from zetaab/remove_insecure

remove default insecure from openstack
kubernetes · Sep 6, 2019 · 520b247 · 520b247
2 parents 5501724 + daac327
commit 520b247
Show file tree

Hide file tree

Showing 10 changed files with 55 additions and 17 deletions.
diff --git a/docs/tutorial/openstack.md b/docs/tutorial/openstack.md
@@ -149,3 +149,17 @@ kops create cluster \
 ```
 
 The biggest problem currently when installing without loadbalancer is that kubectl requests outside cluster is always going to first master. External loadbalancer is one option which can solve this issue.
+
+# Using with self-signed certificates in OpenStack
+
+Kops can be configured to use insecure mode towards OpenStack. However, this is **NOT** recommended as OpenStack cloudprovider in kubernetes does not support it.
+If you use insecure flag in kops - it might be that the cluster does not work correctly.
+
+```
+spec:
+  ...
+  cloudConfig:
+    openstack:
+      insecureSkipVerify: true
+  ...
+```
diff --git a/pkg/apis/kops/componentconfig.go b/pkg/apis/kops/componentconfig.go
@@ -609,10 +609,11 @@ type OpenstackRouter struct {
 
 // OpenstackConfiguration defines cloud config elements for the openstack cloud provider
 type OpenstackConfiguration struct {
-	Loadbalancer *OpenstackLoadbalancerConfig `json:"loadbalancer,omitempty"`
-	Monitor      *OpenstackMonitor            `json:"monitor,omitempty"`
-	Router       *OpenstackRouter             `json:"router,omitempty"`
-	BlockStorage *OpenstackBlockStorageConfig `json:"blockStorage,omitempty"`
+	Loadbalancer       *OpenstackLoadbalancerConfig `json:"loadbalancer,omitempty"`
+	Monitor            *OpenstackMonitor            `json:"monitor,omitempty"`
+	Router             *OpenstackRouter             `json:"router,omitempty"`
+	BlockStorage       *OpenstackBlockStorageConfig `json:"blockStorage,omitempty"`
+	InsecureSkipVerify *bool                        `json:"insecureSkipVerify,omitempty"`
 }
 
 // CloudConfiguration defines the cloud provider configuration

diff --git a/pkg/apis/kops/v1alpha1/componentconfig.go b/pkg/apis/kops/v1alpha1/componentconfig.go
@@ -609,10 +609,11 @@ type OpenstackRouter struct {
 
 // OpenstackConfiguration defines cloud config elements for the openstack cloud provider
 type OpenstackConfiguration struct {
-	Loadbalancer *OpenstackLoadbalancerConfig `json:"loadbalancer,omitempty"`
-	Monitor      *OpenstackMonitor            `json:"monitor,omitempty"`
-	Router       *OpenstackRouter             `json:"router,omitempty"`
-	BlockStorage *OpenstackBlockStorageConfig `json:"blockStorage,omitempty"`
+	Loadbalancer       *OpenstackLoadbalancerConfig `json:"loadbalancer,omitempty"`
+	Monitor            *OpenstackMonitor            `json:"monitor,omitempty"`
+	Router             *OpenstackRouter             `json:"router,omitempty"`
+	BlockStorage       *OpenstackBlockStorageConfig `json:"blockStorage,omitempty"`
+	InsecureSkipVerify *bool                        `json:"insecureSkipVerify,omitempty"`
 }
 
 // CloudConfiguration defines the cloud provider configuration

diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/apis/kops/v1alpha2/componentconfig.go b/pkg/apis/kops/v1alpha2/componentconfig.go
@@ -609,10 +609,11 @@ type OpenstackRouter struct {
 
 // OpenstackConfiguration defines cloud config elements for the openstack cloud provider
 type OpenstackConfiguration struct {
-	Loadbalancer *OpenstackLoadbalancerConfig `json:"loadbalancer,omitempty"`
-	Monitor      *OpenstackMonitor            `json:"monitor,omitempty"`
-	Router       *OpenstackRouter             `json:"router,omitempty"`
-	BlockStorage *OpenstackBlockStorageConfig `json:"blockStorage,omitempty"`
+	Loadbalancer       *OpenstackLoadbalancerConfig `json:"loadbalancer,omitempty"`
+	Monitor            *OpenstackMonitor            `json:"monitor,omitempty"`
+	Router             *OpenstackRouter             `json:"router,omitempty"`
+	BlockStorage       *OpenstackBlockStorageConfig `json:"blockStorage,omitempty"`
+	InsecureSkipVerify *bool                        `json:"insecureSkipVerify,omitempty"`
 }
 
 // CloudConfiguration defines the cloud provider configuration

diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go
diff --git a/upup/pkg/fi/cloudup/openstack/cloud.go b/upup/pkg/fi/cloudup/openstack/cloud.go
@@ -323,11 +323,13 @@ func NewOpenstackCloud(tags map[string]string, spec *kops.ClusterSpec) (Openstac
 		return nil, fmt.Errorf("error finding openstack region: %v", err)
 	}
 
-	tlsconfig := &tls.Config{}
-	tlsconfig.InsecureSkipVerify = true
-	transport := &http.Transport{TLSClientConfig: tlsconfig}
-	provider.HTTPClient = http.Client{
-		Transport: transport,
+	if spec != nil && spec.CloudConfig != nil && spec.CloudConfig.Openstack != nil && spec.CloudConfig.Openstack.InsecureSkipVerify != nil {
+		tlsconfig := &tls.Config{}
+		tlsconfig.InsecureSkipVerify = fi.BoolValue(spec.CloudConfig.Openstack.InsecureSkipVerify)
+		transport := &http.Transport{TLSClientConfig: tlsconfig}
+		provider.HTTPClient = http.Client{
+			Transport: transport,
+		}
 	}
 
 	klog.V(2).Info("authenticating to keystone")