SSL certificate is set incorrectly when initializing the Kubernetes client in V2 InfraDriver

Bug #1979413 reported by Qibin Yao
This bug affects 1 person
Affects: tacker
Status: Fix Released
Importance: Medium
Assigned to: Qibin Yao

Bug Description

When initializing the Kubernetes client in V2 InfraDriver, the SSL CA certificate is set incorrectly.

The source code is shown below.
tacker\sol_refactored\infra_drivers\kubernetes\kubernetes_utils.py
def init_k8s_api_client(vim_info):
    ...
    if 'ssl_ca_cert' in vim_info.accessInfo:
        k8s_config.ssl_ca_cert = vim_info.accessInfo['ssl_ca_cert']

First, 'ssl_ca_cert' is not in vim_info.accessInfo but in vim_info.interfaceInfo.
Second, k8s_config.ssl_ca_cert must be a file path.

Qibin Yao (yaoqb)
Changed in tacker:
assignee: nobody → Qibin Yao (yaoqb)
Yasufumi Ogawa (yasufum)
Changed in tacker:
importance: Undecided → Medium
Qibin Yao (yaoqb)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tacker (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tacker/+/848918

Changed in tacker:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tacker (master)

Reviewed: https://review.opendev.org/c/openstack/tacker/+/848918
Committed: https://opendev.org/openstack/tacker/commit/98d3f4bf31644b8ab79e2ebad1f73ece2fc83ed5
Submitter: "Zuul (22348)"
Branch: master

commit 98d3f4bf31644b8ab79e2ebad1f73ece2fc83ed5
Author: Qibin Yao <email address hidden>
Date: Thu Jul 7 11:33:46 2022 +0900

    Fix SSL certificate setting error

    When initializing k8s client in InfraDriverV2, the SSL CA
    certificate is set incorrectly.

    To fix the issue, the following modifications are made in this patch:

    * A temp file for ssl_ca_cert is created before initializing the
      k8s client and the temp file path is set to k8s_config.ssl_ca_cert.
    * The temp file is deleted when the lifetime of the k8s client ends.
    Note: This references the implementation in InfraDriverV1.

    If ssl_ca_cert is set in the instantiate request, the validation of
    the request fails because the length of ssl_ca_cert exceeds 1024.
    For this issue, add a new type `keyvalue_pairs_no_length_limit`
    which has no max length limitation to verify the request.
    And the interfaceInfo, accessInfo, extra are all set to the new type
    for unity.

    In Zuul test environment, when registering default vim, ssl_ca_cert
    is not set. So the case with ssl_ca_cert is not tested.
    In this patch ssl_ca_cert is set into the default vim.

    Closes-Bug: #1979413
    Change-Id: I61dbd70690b737a72fc619e5a08b4bab51160a27

Changed in tacker:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tacker 8.0.0.0rc1

This issue was fixed in the openstack/tacker 8.0.0.0rc1 release candidate.
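
The approach the commit message describes, as an added example that is not the tacker code: the PEM text from `interfaceInfo['ssl_ca_cert']` is written to a temp file whose path goes into the client configuration, and the file is removed when the client's lifetime ends. The names `ca_cert_file` and `build_config`, the sample PEM and the endpoint are assumptions made for the illustration, and `SimpleNamespace` stands in for `kubernetes.client.Configuration` so the block runs without the library.

```python
import contextlib
import os
import tempfile
from types import SimpleNamespace

# Constructed sample; a real value would be the cluster CA in PEM form.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "CONSTRUCTEDPLACEHOLDERNOTAREALCERT\n"
    "-----END CERTIFICATE-----\n"
)


@contextlib.contextmanager
def ca_cert_file(interface_info):
    """Yield a path to a file holding interfaceInfo['ssl_ca_cert'], or None.

    The file exists only inside the with-block, so the client that reads
    it has to be created and used there.
    """
    pem = interface_info.get("ssl_ca_cert")
    if pem is None:
        yield None  # no CA supplied; nothing to write
        return
    # Reject a path (or anything else) passed where PEM text is expected.
    if "-----BEGIN CERTIFICATE-----" not in pem:
        raise ValueError("ssl_ca_cert must hold PEM text, not a file path")
    fd, path = tempfile.mkstemp(suffix=".pem")  # owner-only permissions on POSIX
    try:
        with os.fdopen(fd, "w") as f:
            f.write(pem)
        yield path
    finally:
        os.unlink(path)  # removed even if the client code raised


def build_config(interface_info, ca_path):
    # Hypothetical helper: a stand-in object carrying the host, verify_ssl
    # and ssl_ca_cert fields that the real Configuration object also has.
    # Example choice: certificate verification stays on in every case.
    return SimpleNamespace(host=interface_info["endpoint"],
                           verify_ssl=True,
                           ssl_ca_cert=ca_path)  # a file path, never PEM text
```
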
