Merge pull request #41309 from kars7e/add-cafile-openstack

Automatic merge from submit-queue (batch tested with PRs 40932, 41896, 41815, 41309, 41628) Add custom CA file to openstack cloud provider config **What this PR does / why we need it**: Adds ability to specify custom CA bundle file to verify OpenStack endpoint against. Useful in tests and PoC deployments. Similar to what kubernetes/kubernetes#35488 did for authentication. **Which issue this PR fixes**: None **Special notes for your reviewer**: Based on kubernetes/kubernetes#35488 which added support for custom CA file for authentication. **Release note**:
kubernetes · Feb 26, 2017 · 2c3d763 · 2c3d763
2 parents 22183d5 + 9642e0a
commit 2c3d763
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/BUILD b/BUILD
@@ -54,6 +54,8 @@ go_library(
         "//vendor:gopkg.in/gcfg.v1",
         "//vendor:k8s.io/apimachinery/pkg/api/resource",
         "//vendor:k8s.io/apimachinery/pkg/types",
+        "//vendor:k8s.io/apimachinery/pkg/util/net",
+        "//vendor:k8s.io/client-go/util/cert",
     ],
 )
 

diff --git a/openstack.go b/openstack.go
@@ -17,6 +17,7 @@ limitations under the License.
 package openstack
 
 import (
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"io"
@@ -37,6 +38,8 @@ import (
 
 	"github.com/golang/glog"
 	"k8s.io/apimachinery/pkg/types"
+	netutil "k8s.io/apimachinery/pkg/util/net"
+	certutil "k8s.io/client-go/util/cert"
 	"k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/cloudprovider"
 )
@@ -116,6 +119,7 @@ type Config struct {
 		DomainId   string `gcfg:"domain-id"`
 		DomainName string `gcfg:"domain-name"`
 		Region     string
+		CAFile     string `gcfg:"ca-file"`
 	}
 	LoadBalancer LoadBalancerOpts
 	BlockStorage BlockStorageOpts
@@ -214,6 +218,16 @@ func newOpenStack(cfg Config) (*OpenStack, error) {
 	if err != nil {
 		return nil, err
 	}
+	if cfg.Global.CAFile != "" {
+		roots, err := certutil.NewPool(cfg.Global.CAFile)
+		if err != nil {
+			return nil, err
+		}
+		config := &tls.Config{}
+		config.RootCAs = roots
+		provider.HTTPClient.Transport = netutil.SetOldTransportDefaults(&http.Transport{TLSClientConfig: config})
+
+	}
 	if cfg.Global.TrustId != "" {
 		opts := cfg.toAuth3Options()
 		authOptsExt := trusts.AuthOptsExt{