openstack-manila: Consume CA cert from credentials secret (assets)

Again, do what we already did for openstack-cinder but for
openstack-manila. Like the openstack-cinder change, we continue to allow
consuming from the old location to ease upgrades.

It's worth highlighting that this is a nice little step towards having
the Manila CSI driver and controller source their credentials from a
'clouds.yaml' rather than a 'cloud.conf' file, which would let us remove
a lot of logic currently found in the operator. Completing that effort
is a job best left to another day though so a TODO is included for now.

Changes to the generated assets are not included here to keep things
clear. Those will be added in a follow-up changes.

Signed-off-by: Stephen Finucane <[email protected]>

Author: stephenfin

assets/overlays/openstack-manila/generated/hypershift/controller.yaml

@@ -132,8 +132,10 @@ spec:
         volumeMounts:
         - mountPath: /plugin
           name: socket-dir
+        - mountPath: /etc/openstack
+          name: cloud-credentials
         - mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
-          name: cacert
+          name: legacy-cacert
       - args:
         - --nodeid=$(NODE_ID)
         - --endpoint=unix://plugin/csi-nfs.sock
@@ -367,13 +369,19 @@ spec:
       - name: metrics-serving-cert
         secret:
           secretName: manila-csi-driver-controller-metrics-serving-cert
+      - name: cloud-credentials
+        secret:
+          items:
+          - key: cacert
+            path: ca.crt
+          secretName: manila-cloud-credentials
       - configMap:
           items:
           - key: ca-bundle.pem
             path: ca-bundle.pem
           name: openstack-cloud-config
           optional: true
-        name: cacert
+        name: legacy-cacert
       - name: hosted-kubeconfig
         secret:
           defaultMode: 420

assets/overlays/openstack-manila/generated/hypershift/node.yaml

@@ -81,8 +81,10 @@ spec:
           name: plugin-dir
         - mountPath: /var/lib/kubelet/plugins/csi-nfsplugin
           name: fwd-plugin-dir
+        - mountPath: /etc/openstack
+          name: cloud-credentials
         - mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
-          name: cacert
+          name: legacy-cacert
         - mountPath: /etc/selinux
           name: etc-selinux
         - mountPath: /sys/fs
@@ -188,13 +190,19 @@ spec:
           path: /var/lib/kubelet/plugins/csi-nfsplugin
           type: DirectoryOrCreate
         name: fwd-plugin-dir
+      - name: cloud-credentials
+        secret:
+          items:
+          - key: cacert
+            path: ca.crt
+          secretName: manila-cloud-credentials
       - configMap:
           items:
           - key: ca-bundle.pem
             path: ca-bundle.pem
           name: cloud-provider-config
           optional: true
-        name: cacert
+        name: legacy-cacert
   updateStrategy:
     rollingUpdate:
       maxUnavailable: 10%

assets/overlays/openstack-manila/generated/standalone/controller.yaml

@@ -102,8 +102,10 @@ spec:
         volumeMounts:
         - mountPath: /plugin
           name: socket-dir
+        - mountPath: /etc/openstack
+          name: cloud-credentials
         - mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
-          name: cacert
+          name: legacy-cacert
       - args:
         - --nodeid=$(NODE_ID)
         - --endpoint=unix://plugin/csi-nfs.sock
@@ -316,10 +318,16 @@ spec:
       - name: metrics-serving-cert
         secret:
           secretName: manila-csi-driver-controller-metrics-serving-cert
+      - name: cloud-credentials
+        secret:
+          items:
+          - key: cacert
+            path: ca.crt
+          secretName: manila-cloud-credentials
       - configMap:
           items:
           - key: ca-bundle.pem
             path: ca-bundle.pem
           name: cloud-provider-config
           optional: true
-        name: cacert
+        name: legacy-cacert

assets/overlays/openstack-manila/generated/standalone/node.yaml

@@ -81,8 +81,10 @@ spec:
           name: plugin-dir
         - mountPath: /var/lib/kubelet/plugins/csi-nfsplugin
           name: fwd-plugin-dir
+        - mountPath: /etc/openstack
+          name: cloud-credentials
         - mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
-          name: cacert
+          name: legacy-cacert
         - mountPath: /etc/selinux
           name: etc-selinux
         - mountPath: /sys/fs
@@ -188,13 +190,19 @@ spec:
           path: /var/lib/kubelet/plugins/csi-nfsplugin
           type: DirectoryOrCreate
         name: fwd-plugin-dir
+      - name: cloud-credentials
+        secret:
+          items:
+          - key: cacert
+            path: ca.crt
+          secretName: manila-cloud-credentials
       - configMap:
           items:
           - key: ca-bundle.pem
             path: ca-bundle.pem
           name: cloud-provider-config
           optional: true
-        name: cacert
+        name: legacy-cacert
   updateStrategy:
     rollingUpdate:
       maxUnavailable: 10%

assets/overlays/openstack-manila/patches/controller_add_driver.yaml

@@ -74,7 +74,9 @@ spec:
           volumeMounts:
             - name: socket-dir
               mountPath: /plugin
-            - name: cacert
+            - name: cloud-credentials
+              mountPath: /etc/openstack
+            - name: legacy-cacert
               mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
           resources:
             requests:
@@ -105,12 +107,20 @@ spec:
       volumes:
         - name: socket-dir
           emptyDir: {}
-        - name: cacert
-          # If present, extract ca-bundle.pem to
-          # /etc/kubernetes/static-pod-resources/configmaps/cloud-config
+        - name: cloud-credentials
+          secret:
+            secretName: manila-cloud-credentials
+            # TODO(stephenfin): We should also mount the clouds.yaml file
+            # here and start consuming that rather than converting it into
+            # the cloud.conf format
+            items:
+              - key: cacert
+                path: ca.crt
+        - name: legacy-cacert
           # Let the pod start when the ConfigMap does not exist or the certificate
           # is not preset there. The certificate file will be created once the
-          # ConfigMap is created / the cerificate is added to it.
+          # ConfigMap is created / the certificate is added to it.
+          # TODO(stephenfin): Remove in 4.20
           configMap:
             name: cloud-provider-config
             items:

assets/overlays/openstack-manila/patches/controller_rename_config_map.yaml

@@ -2,10 +2,10 @@ spec:
   template:
     spec:
       volumes:
-      - configMap:
-          items:
-          - key: ca-bundle.pem
-            path: ca-bundle.pem
-          name: openstack-cloud-config
-          optional: true
-        name: cacert
+        - name: legacy-cacert
+          configMap:
+            items:
+            - key: ca-bundle.pem
+              path: ca-bundle.pem
+            name: openstack-cloud-config
+            optional: true

assets/overlays/openstack-manila/patches/node_add_driver.yaml

@@ -61,7 +61,9 @@ spec:
               mountPath: /var/lib/kubelet/plugins/manila.csi.openstack.org
             - name: fwd-plugin-dir
               mountPath: /var/lib/kubelet/plugins/csi-nfsplugin
-            - name: cacert
+            - name: cloud-credentials
+              mountPath: /etc/openstack
+            - name: legacy-cacert
               mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
             - name: etc-selinux
               mountPath: /etc/selinux
@@ -98,17 +100,6 @@ spec:
           hostPath:
             path: /var/lib/kubelet/plugins/csi-nfsplugin
             type: DirectoryOrCreate
-        - name: cacert
-          # Extract ca-bundle.pem to /etc/kubernetes/static-pod-resources/configmaps/cloud-config if present.
-          # Let the pod start when the ConfigMap does not exist or the certificate
-          # is not preset there. The certificate file will be created once the
-          # ConfigMap is created / the cerificate is added to it.
-          configMap:
-            name: cloud-provider-config
-            items:
-            - key: ca-bundle.pem
-              path: ca-bundle.pem
-            optional: true
         - name: etc-selinux
           hostPath:
             path: /etc/selinux
@@ -117,3 +108,23 @@ spec:
           hostPath:
             path: /sys/fs
             type: Directory
+        - name: cloud-credentials
+          secret:
+            secretName: manila-cloud-credentials
+            # TODO(stephenfin): We should also mount the clouds.yaml file
+            # here and start consuming that rather than converting it into
+            # the cloud.conf format
+            items:
+              - key: cacert
+                path: ca.crt
+        - name: legacy-cacert
+          # Let the pod start when the ConfigMap does not exist or the certificate
+          # is not preset there. The certificate file will be created once the
+          # ConfigMap is created / the certificate is added to it.
+          # TODO(stephenfin): Remove in 4.20
+          configMap:
+            name: cloud-provider-config
+            items:
+            - key: ca-bundle.pem
+              path: ca-bundle.pem
+            optional: true