From 20431115ff30fea4d1bca1d91cd7420a280fb564 Mon Sep 17 00:00:00 2001
From: Oliver Walsh
Date: Tue, 22 Oct 2024 15:59:54 +0100
Subject: [PATCH] Trust openstackcontrolplane CAs in configgenerator

Add the openstackcontrolplane CAConfigMap CA certs to the trusted certs when running the config generator job as it may need to connect to container registries that use a custom CA (e.g to resolve image tags).
---
 .../openstackconfiggenerator_controller.go | 25 ++++++++++++++++-
 pkg/openstackconfiggenerator/job.go        |  6 ++--
 pkg/openstackconfiggenerator/volumes.go    | 28 +++++++++++++++++--
 .../bin/create-playbooks.sh                |  6 ++++
 4 files changed, 59 insertions(+), 6 deletions(-)

diff --git a/controllers/openstackconfiggenerator_controller.go b/controllers/openstackconfiggenerator_controller.go
index c9d25e21..3b341cd1 100644
--- a/controllers/openstackconfiggenerator_controller.go
+++ b/controllers/openstackconfiggenerator_controller.go
@@ -222,6 +222,29 @@ func (r *OpenStackConfigGeneratorReconciler) Reconcile(ctx context.Context, req
 	}
 	templateParameters["OSPVersion"] = OSPVersion
 
+	//
+	// check CAConfigMap is there
+	//
+	if controlPlane.Spec.CAConfigMap != "" {
+		_, ctrlResult, err := common.GetConfigMap(
+			ctx,
+			r,
+			instance,
+			cond,
+			shared.ConditionDetails{
+				ConditionNotFoundType:   shared.CommonCondTypeWaiting,
+				ConditionNotFoundReason: shared.CommonCondReasonCAConfigMapMissing,
+				ConditionErrorType:      shared.CommonCondTypeError,
+				ConditionErrordReason:   shared.CommonCondReasonCAConfigMapError,
+			},
+			controlPlane.Spec.CAConfigMap,
+			20,
+		)
+		if (err != nil) || (ctrlResult != ctrl.Result{}) {
+			return ctrlResult, err
+		}
+	}
+
 	//
 	// check if heat-env-config (customizations provided by administrator) exist if it does not exist, requeue
 	//
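Review bot: The new check only proves the CA ConfigMap exists at reconcile time — the fetched object is discarded (`_, ctrlResult, err :=`), so its contents never feed the job. If `configMapHash`, computed further down and passed to `ConfigJob`, does not fold in this ConfigMap's data (that code is not visible here), a rotated or extended CA bundle will not trigger a new generator run and the job keeps trusting the old anchors until something else changes; hashing the returned ConfigMap's `Data` alongside the existing inputs would close that gap. Separately, the bare `20` presumably is a requeue interval in seconds; naming it would make the wait visible to the next reader. Reconcile starts and ends outside this hunk.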
@@ -403,7 +426,7 @@ func (r *OpenStackConfigGeneratorReconciler) Reconcile(ctx context.Context, req
 	}
 
 	// Define a new Job object
-	job := openstackconfiggenerator.ConfigJob(instance, configMapHash, OSPVersion)
+	job := openstackconfiggenerator.ConfigJob(instance, configMapHash, OSPVersion, controlPlane.Spec.CAConfigMap)
 
 	var exports string
 	if instance.Status.ConfigHash != configMapHash {
diff --git a/pkg/openstackconfiggenerator/job.go b/pkg/openstackconfiggenerator/job.go
index 5b260928..e5da97e8 100644
--- a/pkg/openstackconfiggenerator/job.go
+++ b/pkg/openstackconfiggenerator/job.go
@@ -26,7 +26,7 @@ import (
 )
 
 // ConfigJob -
-func ConfigJob(cr *ospdirectorv1beta1.OpenStackConfigGenerator, configHash string, ospVersion shared.OSPVersion) *batchv1.Job {
+func ConfigJob(cr *ospdirectorv1beta1.OpenStackConfigGenerator, configHash string, ospVersion shared.OSPVersion, caConfigMap string) *batchv1.Job {
 	runAsUser := int64(openstackclient.CloudAdminUID)
 	runAsGroup := int64(openstackclient.CloudAdminGID)
 
@@ -42,8 +42,8 @@ func ConfigJob(cr *ospdirectorv1beta1.OpenStackConfigGenerator, configHash strin
 	var backoffLimit int32 = 2
 
 	// Get volumes
-	volumeMounts := GetVolumeMounts(cr)
-	volumes := GetVolumes(cr)
+	volumeMounts := GetVolumeMounts(cr, caConfigMap)
+	volumes := GetVolumes(cr, caConfigMap)
 
 	cmd := []string{"/bin/bash", "/home/cloud-admin/create-playbooks.sh"}
 	if cr.Spec.Interactive {
diff --git a/pkg/openstackconfiggenerator/volumes.go b/pkg/openstackconfiggenerator/volumes.go
index fc2f8db6..95d7022a 100644
--- a/pkg/openstackconfiggenerator/volumes.go
+++ b/pkg/openstackconfiggenerator/volumes.go
@@ -23,7 +23,7 @@ import (
 )
 
 // GetVolumeMounts -
-func GetVolumeMounts(instance *ospdirectorv1beta1.OpenStackConfigGenerator) []corev1.VolumeMount {
+func GetVolumeMounts(instance *ospdirectorv1beta1.OpenStackConfigGenerator, caConfigMap string) []corev1.VolumeMount {
 	retVolMounts := []corev1.VolumeMount{
 		{
 			Name: "tripleo-deploy-config-" + instance.Name,
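Review bot: The new `caConfigMap` parameter on ConfigJob is undocumented and the doc comment `// ConfigJob -` stays empty, so a caller has to read volumes.go to learn that an empty string means "mount no CA bundle". Suggest `// ConfigJob builds the config-generator Job for cr; caConfigMap names the control plane's CA ConfigMap to mount read-only at /mnt/ca-certs, or "" to mount none.` ConfigJob's body continues outside this hunk.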
@@ -75,11 +75,20 @@ func GetVolumeMounts(instance *ospdirectorv1beta1.OpenStackConfigGenerator) []co
 			},
 		)
 	}
+
+	if caConfigMap != "" {
+		retVolMounts = append(retVolMounts, corev1.VolumeMount{
+			Name:      "ca-certs",
+			MountPath: "/mnt/ca-certs",
+			ReadOnly:  true,
+		})
+	}
+
 	return retVolMounts
 }
 
 // GetVolumes -
-func GetVolumes(instance *ospdirectorv1beta1.OpenStackConfigGenerator) []corev1.Volume {
+func GetVolumes(instance *ospdirectorv1beta1.OpenStackConfigGenerator, caConfigMap string) []corev1.Volume {
 	var config0600AccessMode int32 = 0600
 	var config0644AccessMode int32 = 0644
 	var config0755AccessMode int32 = 0755
@@ -174,5 +183,20 @@ func GetVolumes(instance *ospdirectorv1beta1.OpenStackConfigGenerator) []corev1.
 			},
 		)
 	}
+
+	if caConfigMap != "" {
+		retVolumes = append(retVolumes, corev1.Volume{
+			Name: "ca-certs",
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					DefaultMode: &config0644AccessMode,
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: caConfigMap,
+					},
+				},
+			},
+		})
+	}
+
 	return retVolumes
 }
diff --git a/templates/openstackconfiggenerator/bin/create-playbooks.sh b/templates/openstackconfiggenerator/bin/create-playbooks.sh
index c825dc1f..2a27204d 100755
--- a/templates/openstackconfiggenerator/bin/create-playbooks.sh
+++ b/templates/openstackconfiggenerator/bin/create-playbooks.sh
@@ -5,6 +5,12 @@ umask 0022
 CHOWN_UID=$(id -u)
 CHOWN_GID=$(id -g)
 
+# Add any additional CA certs
+if [ -d /mnt/ca-certs ]; then
+    sudo cp -v /mnt/ca-certs/* /etc/pki/ca-trust/source/anchors/
+    sudo update-ca-trust
+fi
+
 # add cloud-admin ssh keys to $HOME/.ssh
 mkdir -p $HOME/.ssh
 sudo cp /mnt/ssh-config/* $HOME/.ssh/
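Review bot: The ConfigMap volume in GetVolumes projects every key of the CA ConfigMap, and the companion change in create-playbooks.sh installs every projected file as a system trust anchor, so any stray key an administrator later adds to that ConfigMap silently widens the job's TLS trust. If the control plane fixes the key under which the bundle is stored, restrict the projection with `Items: []corev1.KeyToPath{{Key: <bundle key>, Path: <bundle key>}}`; if the keys are intentionally free-form, a comment on the volume saying so would spare the next reader the question. The 0644 default mode is appropriate since the bundle holds public certificates only, and the mount side is correctly `ReadOnly: true`. GetVolumes starts outside this hunk.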
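Review bot: Neither new command's exit status is checked, and the visible lines show no `set -e`, so a `cp` that fails (for example the unexpanded `/mnt/ca-certs/*` when the ConfigMap is mounted but has no keys) or an `update-ca-trust` that fails leaves the job running without the CA, and the problem only surfaces later as an opaque TLS error from the registry. Failing fast keeps the cause next to the symptom: `sudo cp -v /mnt/ca-certs/* /etc/pki/ca-trust/source/anchors/ || exit 1` and `sudo update-ca-trust || exit 1`. Note also that everything copied into anchors becomes trusted for every TLS connection the job makes, not only registry pulls — worth stating in the comment if that is the intent.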