openstack-manila: Consume CA cert from credentials secret (controller)

Do what we previously did for the openstack-cinder controller but for
the openstack-manila controller. In effect, we're really just reflecting
the changes made in cluster-storage-operator in [1]. However, we do need
to add some logic to detect where we are consuming our CA cert from so
that we can match forthcoming changes to our assets.

While here, we also replace use of the deprecated `ioutil.ReadFile`
function in favour of its suggested replacement, `os.ReadFile` [2].
We also replace use of `os.IsNotExist` in favour of its suggested
replacement, `errors.Is(err, fs.ErrNotExist)` [3].

[1] github.com/openshift/cluster-storage-operator/pull/557
[2] https://pkg.go.dev/io/ioutil#ReadFile
[3] https://pkg.go.dev/os#IsNotExist

Signed-off-by: Stephen Finucane <[email protected]>

Author: stephenfin

pkg/openstack-manila/client/openstack.go

@@ -4,8 +4,8 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"os"
 	"time"
@@ -59,7 +59,7 @@ func (o *openStackClient) GetShareTypes() ([]sharetypes.ShareType, error) {
 	provider.UserAgent = ua
 
 	cert, err := getCloudProviderCert()
-	if err != nil && !os.IsNotExist(err) {
+	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return nil, fmt.Errorf("failed to get cloud provider CA certificate: %w", err)
 	}
 
@@ -103,7 +103,7 @@ func (o *openStackClient) GetShareTypes() ([]sharetypes.ShareType, error) {
 }
 
 func getCloudFromFile(filename string) (*clientconfig.Cloud, error) {
-	cloudConfig, err := ioutil.ReadFile(filename)
+	cloudConfig, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, err
 	}
@@ -121,5 +121,11 @@ func getCloudFromFile(filename string) (*clientconfig.Cloud, error) {
 }
 
 func getCloudProviderCert() ([]byte, error) {
-	return ioutil.ReadFile(util.CertFile)
+	data, err := os.ReadFile(util.CertFile)
+	if err == nil || !errors.Is(err, os.ErrNotExist) {
+		return data, err
+	}
+
+	// legacy path; remove in 4.20
+	return os.ReadFile(util.LegacyCertFile)
 }

pkg/openstack-manila/secret/secretsync.go

@@ -35,9 +35,10 @@ type SecretSyncController struct {
 const (
 	// Name of key with clouds.yaml in Secret provided by cloud-credentials-operator.
 	cloudSecretKey = "clouds.yaml"
-	// Name of OpenStack in clouds.yaml
-	// Canonical path for custom ca certificates
-	cacertPath = "/etc/kubernetes/static-pod-resources/configmaps/cloud-config/ca-bundle.pem"
+	// Path for custom CA certificates when provided by cloud-credentials-operator.
+	defaultCACertPath = "/etc/openstack/ca.crt"
+	// Path for custom CA certificates when provided by Installer (legacy path).
+	legacyCACertPath = "/etc/kubernetes/static-pod-resources/configmaps/cloud-config/ca-bundle.pem"
 )
 
 func NewSecretSyncController(
@@ -115,11 +116,29 @@ func (c *SecretSyncController) translateSecret(cloudSecret *v1.Secret) (*v1.Secr
 
 	data := cloudToConf(cloud)
 
-	// In the hypershift secret, the clouds.yaml field might not have the cacert defined. The content of the certificate
-	// is defined in the ca-bundle.pem field instead.
-	_, ok = cloudSecret.Data["ca-bundle.pem"]
-	if ok {
-		data["os-certAuthorityPath"] = []byte(cacertPath)
+	// Determine where our CA cert is stored.
+	// TODO(stephenfin): Remove most of this in 4.20+
+	var caCertPath string
+	if _, ok := cloudSecret.Data["cacert"]; ok {
+		// Option A: We have the CA cert in our credentials under the 'cacert'
+		// key which indicates a recent (>= 4.19) version of
+		// cluster-credential-operator (CCO) or hypershift
+		caCertPath = defaultCACertPath
+	} else if _, ok = cloudSecret.Data["ca-bundle.pem"]; ok {
+		// Option B: We have the CA cert in our credentials but under the
+		// 'ca-bundle.pem' key, which indicates an older (< 4.19) version of
+		// hypershift
+		caCertPath = legacyCACertPath
+	} else if cloud.CACertFile != "" {
+		// Option C: We have a non-empty 'cafile' field in our clouds.yaml.
+		// This means our root credential secret has this defined yet
+		// cloud-credential-operator (CCO) didn't populate the 'cacert' key of
+		// the secret. This indicates an older (< 4.19) version of CCO.
+		caCertPath = legacyCACertPath
+	}
+
+	if caCertPath != "" {
+		data["os-certAuthorityPath"] = []byte(caCertPath)
 	}
 
 	secret := v1.Secret{
@@ -182,10 +201,8 @@ func cloudToConf(cloud clientconfig.Cloud) map[string][]byte {
 		data["os-userDomainName"] = []byte(cloud.AuthInfo.UserDomainName)
 		data["os-domainName"] = []byte(cloud.AuthInfo.UserDomainName)
 	}
-	if cloud.CACertFile != "" {
-		// Replace the original cert authority path from clouds.yaml with the canonical one
-		data["os-certAuthorityPath"] = []byte(cacertPath)
-	}
+
+	// We don't set os-certAuthorityPath here as it's handled separately.
 
 	return data
 }

pkg/openstack-manila/util/const.go

@@ -11,7 +11,8 @@ const (
 
 	// OpenStack config file name (as present in the operator Deployment)
 	CloudConfigFilename = "/etc/openstack/clouds.yaml"
-	CertFile            = "/etc/openstack-ca/ca-bundle.pem"
+	CertFile            = "/etc/openstack/ca.crt"
+	LegacyCertFile      = "/etc/openstack-ca/ca-bundle.pem"
 
 	// Name of cloud in secret provided by cloud-credentials-operator
 	CloudName = "openstack"