From a0470fcbcc95d7c10df5fd764329ee09c5670c4e Mon Sep 17 00:00:00 2001
From: okozachenko1203
Date: Fri, 22 Sep 2023 15:22:05 +0200
Subject: [PATCH] feat: Support endpoint configuration for cluster-api
---
 docs/user/configs.md | 20 ++++++++++++++++++++
 magnum_cluster_api/conf.py | 19 +++++++++++++++++++
 magnum_cluster_api/driver.py | 2 +-
 magnum_cluster_api/resources.py | 18 ++++++++++++------
 magnum_cluster_api/utils.py | 26 ++++++++++++++++++++++----
 5 files changed, 74 insertions(+), 11 deletions(-)
diff --git a/docs/user/configs.md b/docs/user/configs.md
index c87fc3eb..9cb1c5a9 100644
--- a/docs/user/configs.md
+++ b/docs/user/configs.md
@@ -88,3 +88,23 @@ Options under this group are used for configuring Manila client. : If set, then the server's certificate will not be verified. **Type**: `boolean` **Default value**: `False`
+
+## capi_client
+Options under this group are used for configuring Openstack authentication for CAPO.
+
+`endpoint_type`
+
+: Type of endpoint in Identity service catalog to use for communication with the OpenStack service. **Type**: `string` **Default value**: `publicURL`
+
+`ca_file`
+
+: Optional CA cert file to use in SSL connections. **Type**: `string`
+
+`insecure`
+
+: If set, then the server's certificate will not be verified. **Type**: `boolean` **Default value**: `False`
diff --git a/magnum_cluster_api/conf.py b/magnum_cluster_api/conf.py
index 62537091..f32a1bc6 100644
--- a/magnum_cluster_api/conf.py
+++ b/magnum_cluster_api/conf.py
@@ -17,6 +17,10 @@ auto_scaling_group = cfg.OptGroup(name="auto_scaling", title="Options for auto scaling")
+capi_client_group = cfg.OptGroup(
+ name="capi_client", title="Options for the Cluster API client"
+)
+
 manila_client_group = cfg.OptGroup( name="manila_client", title="Options for the Manila client" ) 
@@ -61,6 +65,18 @@ ]
+capi_client_opts = [
+ cfg.StrOpt(
+ "endpoint_type",
+ default="publicURL",
+ help=_(
+ "Type of endpoint in Identity service catalog to use "
+ "for communication with the OpenStack service."
+ ),
+ ),
+]
+
+
 manila_client_opts = [ cfg.StrOpt( "region_name",
@@ -100,7 +116,10 @@ CONF = cfg.CONF CONF.register_group(auto_scaling_group)
+CONF.register_group(capi_client_group)
 CONF.register_group(manila_client_group) CONF.register_opts(auto_scaling_opts, group=auto_scaling_group)
+CONF.register_opts(capi_client_opts, group=capi_client_group)
+CONF.register_opts(common_security_opts, group=capi_client_group)
 CONF.register_opts(manila_client_opts, group=manila_client_group) CONF.register_opts(common_security_opts, group=manila_client_group)
diff --git a/magnum_cluster_api/driver.py b/magnum_cluster_api/driver.py
index 19a26e19..3bdfd156 100644
--- a/magnum_cluster_api/driver.py
+++ b/magnum_cluster_api/driver.py
@@ -44,9 +44,9 @@ def create_cluster(self, context, cluster, cluster_create_timeout): ) resources.CloudConfigSecret(
+ context,
 self.k8s_api, cluster,
- osc.url_for(service_type="identity", interface="public"),
 osc.cinder_region_name(), credential, ).apply()
diff --git a/magnum_cluster_api/resources.py b/magnum_cluster_api/resources.py
index f198c3c6..8f31f85e 100644
--- a/magnum_cluster_api/resources.py
+++ b/magnum_cluster_api/resources.py
@@ -260,6 +260,7 @@ def get_object(self) -> pykube.ConfigMap: "namespace": "kube-system", }, "stringData": utils.generate_manila_csi_cloud_config(
+ self.context,
 self.api, self.cluster, ), 
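Review bot: `endpoint_type` is an unconstrained `StrOpt`, but its only consumer in this patch (`CONF.capi_client.endpoint_type.replace("URL", "")` in resources.py) hands the value to `url_for(interface=...)`, which only understands public/internal/admin, so a mistyped value is discovered at cluster-creation time rather than at config load. Suggest constraining the option with `choices=["publicURL", "internalURL", "adminURL", "public", "internal", "admin"],` and listing the accepted values in the help text. The `@@ -100` hunk also registers `common_security_opts` in this group, so the help could mention that `ca_file` and `insecure` from that set apply to the same client.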
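Review bot: `self.context` is read here and again in the `@@ -1758` hunk, but neither class's constructor is visible in this patch and only `CloudConfigSecret.__init__` (hunk `@@ -469`) is shown to set that attribute; if these classes do not already carry a request context, `get_object` fails with AttributeError at apply time. Please confirm both classes inherit or set `self.context`, or pass the context explicitly as driver.py now does for `CloudConfigSecret`. `get_object` starts and ends outside this hunk.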
@@ -469,19 +470,24 @@ def get_certificate(self) -> cert_manager.Cert: class CloudConfigSecret(ClusterBase): def __init__( self,
+ context: context.RequestContext,
 api: pykube.HTTPClient, cluster: any,
- auth_url: str = None,
 region_name: str = None, credential: any = types.SimpleNamespace(id=None, secret=None), ): super().__init__(api, cluster)
- self.auth_url = auth_url
+ self.context = context
+ osc = clients.get_openstack_api(self.context)
+ self.auth_url = osc.url_for(
+ service_type="identity",
+ interface=CONF.capi_client.endpoint_type.replace("URL", ""),
+ )
 self.region_name = region_name self.credential = credential def get_object(self) -> pykube.Secret:
- ca_certificate = magnum_utils.get_openstack_ca()
+ ca_certificate = utils.get_capi_client_ca_cert()
 return pykube.Secret( self.api,
@@ -504,11 +510,11 @@ def get_object(self) -> pykube.Secret: "clouds": { "default": { "region_name": self.region_name,
- "interface": CONF.nova_client.endpoint_type.replace(
+ "interface": CONF.capi_client.endpoint_type.replace(
 "URL", "" ), "identity_api_version": 3,
- "verify": CONF.drivers.verify_ca,
+ "verify": not CONF.capi_client.insecure,
 "auth": { "auth_url": self.auth_url, "application_credential_id": self.credential.id,
@@ -1758,7 +1764,7 @@ def get_object(self) -> objects.Cluster: "name": "cloudControllerManagerConfig", "value": base64.encode_as_text( utils.generate_cloud_controller_manager_config(
- self.api, self.cluster
+ self.context, self.api, self.cluster
 ) ), },
diff --git a/magnum_cluster_api/utils.py b/magnum_cluster_api/utils.py
index 503988ec..07c9a7b6 100644
--- a/magnum_cluster_api/utils.py
+++ b/magnum_cluster_api/utils.py
@@ -22,6 +22,7 @@ from magnum import objects as magnum_objects from magnum.common import context, exception, octavia from magnum.common import utils as magnum_utils
+from oslo_config import cfg
 from oslo_serialization import base64 from oslo_utils import strutils from tenacity import retry, retry_if_exception_type 
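Review bot: The constructor now performs a Keystone catalog lookup (`clients.get_openstack_api(self.context)` followed by `url_for(...)`), so merely instantiating `CloudConfigSecret` can raise on an auth or catalog error, and dropping the `auth_url` parameter is a breaking signature change for any caller outside this patch that still passes it (driver.py is updated; the rest of the codebase is not visible here). Consider keeping `auth_url: str = None` as an optional override and resolving the URL lazily where it is used, e.g. `self.auth_url = auth_url` in `__init__` and `auth_url = self.auth_url or osc.url_for(service_type="identity", interface=CONF.capi_client.endpoint_type.replace("URL", ""))` in `get_object`. The parameter named `context` also shadows the imported `context` module inside the body; it only works because the annotation is evaluated at definition time, so a local name such as `ctx` would be clearer. The `endpoint_type.replace("URL", "")` expression now appears here and in the `@@ -504` hunk; a small helper would keep the two in sync.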
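Review bot: `"verify": not CONF.capi_client.insecure` makes the clouds.yaml in this secret follow the new `[capi_client]` group, while the CCM and Manila CSI configs generated in utils.py (hunks `@@ -80` and `@@ -112`) switch to `CONF.drivers.verify_ca`, so one cloud now has two independent TLS-verification policies and turning verification on in one of them says nothing about the other. Pick a single source of truth — presumably `capi_client.insecure`, since that is what the new documentation describes — and derive every generated config from it. The `cacert` written into the same secret comes from `utils.get_capi_client_ca_cert()` (previous hunk), which returns an empty string when `ca_file` is unset, so `verify` true plus an empty bundle fails against a private-CA Keystone; a comment such as `# verify and cacert must both be driven by [capi_client]` at this line would make that coupling explicit. `get_object` starts and ends outside this hunk.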
@@ -30,6 +31,8 @@ from magnum_cluster_api import exceptions as mcapi_exceptions from magnum_cluster_api import image_utils, images, objects
+CONF = cfg.CONF
+
 def get_cluster_api_cloud_config_secret_name(cluster: magnum_objects.Cluster) -> str: return f"{cluster.stack_id}-cloud-config"
@@ -63,7 +66,18 @@ def get_cloud_ca_cert() -> str: return magnum_utils.get_openstack_ca()
+def get_capi_client_ca_cert() -> str:
+ ca_file = CONF.capi_client.ca_file
+
+ if ca_file:
+ with open(ca_file) as fd:
+ return fd.read()
+ else:
+ return ''
+
+
 def generate_cloud_controller_manager_config(
+ ctx: context.RequestContext,
 api: pykube.HTTPClient, cluster: magnum_objects.Cluster, ) -> str:
@@ -71,6 +85,8 @@ def generate_cloud_controller_manager_config( Generate coniguration for openstack-cloud-controller-manager if it does already exist. """
+
+ osc = clients.get_openstack_api(ctx)
 data = pykube.Secret.objects(api, namespace="magnum-system").get_by_name( get_cluster_api_cloud_config_secret_name(cluster) ) 
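Review bot: `get_capi_client_ca_cert` returns `''` when `[capi_client] ca_file` is unset, yet it replaces `magnum_utils.get_openstack_ca()` as the source of the `cacert` stored in the cloud-config secret (resources.py hunk `@@ -469`), so operators whose Keystone is signed by the CA Magnum already knows about, and who do not set the new option, silently lose the CA bundle while verification stays enabled. If the previous behaviour is meant to remain the default, fall back in the else branch with `return magnum_utils.get_openstack_ca()` (already imported in this module). Minor: the surrounding code uses double quotes (`""` rather than `''`), and `open(ca_file, encoding="utf-8")` avoids depending on the service's locale when reading the PEM file.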
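Review bot: `clients.get_openstack_api(ctx)` relies on a `clients` name that no hunk in this patch imports into utils.py; the visible import block (`@@ -22` and `@@ -30`) shows `exceptions`, `image_utils`, `images` and `objects` but not `clients`, so please confirm it is already imported or add it, otherwise this line raises NameError on first call. The docstring was not updated for the new leading `ctx` parameter; a line such as `:param ctx: request context used to build the OpenStack client` would document it, and the existing "coniguration" typo could be fixed at the same time. Because `ctx` was inserted as the first positional parameter, any caller not updated by this patch would bind its `api` argument to `ctx` without a static error — resources.py `@@ -1758` is updated, other callers are not visible. The function body continues outside the hunk.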
@@ -80,23 +96,25 @@ def generate_cloud_controller_manager_config( return textwrap.dedent( f"""\ [Global]
- auth-url={cloud_config["clouds"]["default"]["auth"]["auth_url"]}
+ auth-url={osc.url_for(service_type="identity", interface="public")}
 region={cloud_config["clouds"]["default"]["region_name"]} application-credential-id={cloud_config["clouds"]["default"]["auth"]["application_credential_id"]} application-credential-secret={cloud_config["clouds"]["default"]["auth"]["application_credential_secret"]}
- tls-insecure={"false" if cloud_config["clouds"]["default"]["verify"] else "true"}
+ tls-insecure={"false" if CONF.drivers.verify_ca else "true"}
 {"ca-file=/etc/config/ca.crt" if get_cloud_ca_cert() else ""} """ ) def generate_manila_csi_cloud_config(
+ ctx: context.RequestContext,
 api: pykube.HTTPClient, cluster: magnum_objects.Cluster, ) -> str: """ Generate coniguration of Openstack authentication for manila csi """
+ osc = clients.get_openstack_api(ctx)
 data = pykube.Secret.objects(api, namespace="magnum-system").get_by_name( get_cluster_api_cloud_config_secret_name(cluster) )
@@ -104,7 +122,7 @@ def generate_manila_csi_cloud_config( cloud_config = yaml.safe_load(clouds_yaml) return {
- "os-authURL": cloud_config["clouds"]["default"]["auth"]["auth_url"],
+ "os-authURL": osc.url_for(service_type="identity", interface="public"),
 "os-region": cloud_config["clouds"]["default"]["region_name"], "os-applicationCredentialID": cloud_config["clouds"]["default"]["auth"][ "application_credential_id"
@@ -112,7 +130,7 @@ def generate_manila_csi_cloud_config( "os-applicationCredentialSecret": cloud_config["clouds"]["default"]["auth"][ "application_credential_secret" ],
- "os-TLSInsecure": "false"
+ "os-TLSInsecure": {"false" if CONF.drivers.verify_ca else "true"}
 if cloud_config["clouds"]["default"]["verify"] else "true", "os-certAuthorityPath": "/etc/config/ca.crt",
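Review bot: `auth-url` is resolved with a hard-coded `interface="public"` while the same patch makes the cloud-config secret honour `CONF.capi_client.endpoint_type` (resources.py `@@ -469`); the `@@ -104` hunk does the same for `os-authURL`, so a deployment that selects `internalURL` ends up with an internal auth URL in the secret and a public one in the CCM and Manila configs. Use the configured interface in both places: `interface=CONF.capi_client.endpoint_type.replace("URL", "")`. `tls-insecure` is likewise taken from `CONF.drivers.verify_ca` whereas the secret's `verify` (resources.py `@@ -504`) follows `capi_client.insecure`, and the `ca-file=` line is conditioned on `get_cloud_ca_cert()` although the secret now carries `get_capi_client_ca_cert()`; if `/etc/config/ca.crt` is mounted from that secret, the condition should test the same source so the file is only referenced when it is non-empty. `generate_cloud_controller_manager_config` starts outside this hunk.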
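Review bot: The braces in `"os-TLSInsecure": {"false" if CONF.drivers.verify_ca else "true"} if cloud_config["clouds"]["default"]["verify"] else "true"` build a one-element `set`, not a string, so whenever the secret's `verify` is true the value becomes `{"false"}` or `{"true"}`; whatever serializes this config will either reject the set or emit its Python repr, and the CSI driver never receives a boolean string. Drop the braces and fold the two conditions so the intent is explicit: `"os-TLSInsecure": "false" if (CONF.drivers.verify_ca and cloud_config["clouds"]["default"]["verify"]) else "true",`. Note that the `@@ -80` hunk computes `tls-insecure` from `CONF.drivers.verify_ca` alone, so the two generated configs should agree on which inputs decide TLS verification. The function continues outside the hunk.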