Merge pull request #9194 from shiftstack/OSASINFRA-3657

openshift-merge-bot[bot] · web-flow · commit 2376a18f6fdc · 2025-03-28T20:31:13.000Z
OSASINFRA-3730: Add support for storing OpenStack CA bundles
diff --git a/data/data/manifests/openshift/cloud-creds-secret.yaml.template b/data/data/manifests/openshift/cloud-creds-secret.yaml.template
@@ -16,8 +16,11 @@ data:
 {{- else if .CloudCreds.IBMCloud}}
   ibmcloud_api_key: {{.CloudCreds.IBMCloud.Base64encodeAPIKey}}
 {{- else if .CloudCreds.OpenStack}}
-  clouds.yaml: {{.CloudCreds.OpenStack.Base64encodeCloudCreds}}
-  clouds.conf: {{.CloudCreds.OpenStack.Base64encodeCloudCredsINI}}
+  clouds.yaml: {{.CloudCreds.OpenStack.Base64encodeCloudsYAML}}
+  clouds.conf: {{.CloudCreds.OpenStack.Base64encodeCloudsConf}}
+{{- if .CloudCreds.OpenStack.Base64encodeCACert}}
+  cacert: {{.CloudCreds.OpenStack.Base64encodeCACert}}
+{{- end}}
 {{- else if .CloudCreds.VSphere}}
 {{- range .CloudCreds.VSphere}}
   {{.VCenter}}.username: {{.Base64encodeUsername}}
diff --git a/pkg/asset/manifests/openshift.go b/pkg/asset/manifests/openshift.go
@@ -158,8 +158,14 @@ func (o *Openshift) Generate(ctx context.Context, dependencies asset.Parents) er
 			return err
 		}
 
-		// We need to replace the local cacert path with one that is used in OpenShift
+		var caCert []byte
 		if cloud.CACertFile != "" {
+			var err error
+			caCert, err = os.ReadFile(cloud.CACertFile)
+			if err != nil {
+				return err
+			}
+			// We need to replace the local cacert path with one that is used in OpenShift
 			cloud.CACertFile = "/etc/kubernetes/static-pod-resources/configmaps/cloud-config/ca-bundle.pem"
 		}
 
@@ -189,11 +195,13 @@ func (o *Openshift) Generate(ctx context.Context, dependencies asset.Parents) er
 		}
 
 		credsEncoded := base64.StdEncoding.EncodeToString(marshalled)
-		credsINIEncoded := base64.StdEncoding.EncodeToString(cloudProviderConf)
+		cloudProviderConfEncoded := base64.StdEncoding.EncodeToString(cloudProviderConf)
+		caCertEncoded := base64.StdEncoding.EncodeToString(caCert)
 		cloudCreds = cloudCredsSecretData{
 			OpenStack: &OpenStackCredsSecretData{
-				Base64encodeCloudCreds:    credsEncoded,
-				Base64encodeCloudCredsINI: credsINIEncoded,
+				Base64encodeCloudsYAML: credsEncoded,
+				Base64encodeCloudsConf: cloudProviderConfEncoded,
+				Base64encodeCACert:     caCertEncoded,
 			},
 		}
 	case vspheretypes.Name:
diff --git a/pkg/asset/manifests/openstack/cloudproviderconfig.go b/pkg/asset/manifests/openstack/cloudproviderconfig.go
@@ -27,6 +27,7 @@ func (e Error) Unwrap() error { return e.err }
 
 // CloudProviderConfigSecret generates the cloud provider config for the OpenStack
 // platform, that will be stored in the system secret.
+// TODO: I think this is crud for the legacy cloud-provider and is no longer needed. Burn it with fire?
 func CloudProviderConfigSecret(cloud *clientconfig.Cloud) ([]byte, error) {
 	domainID := cloud.AuthInfo.DomainID
 	if domainID == "" {
diff --git a/pkg/asset/manifests/template.go b/pkg/asset/manifests/template.go
@@ -34,8 +34,9 @@ type IBMCloudCredsSecretData struct {
 
 // OpenStackCredsSecretData holds encoded credentials and is used to generate cloud-creds secret
 type OpenStackCredsSecretData struct {
-	Base64encodeCloudCreds    string
-	Base64encodeCloudCredsINI string
+	Base64encodeCloudsYAML string
+	Base64encodeCloudsConf string
+	Base64encodeCACert     string
 }
 
 // VSphereCredsSecretData holds encoded credentials and is used to generated cloud-creds secret
