Alternative cloud configuration.

This requires
SovereignCloudStack/cluster-stacks#225 to land.

With it, we don't create cloud.conf using the
openstack-csp-helper helm charts, but create a clouds.yaml file that
capo understands anyway and that OCCM can process with the right
settings (use-clouds = true and create: true).

Does not work yet.
* Somehow the secret is not transferred to the workload cluster, despite
  our clusterresourceset magic
* If we transfer it, OCCM still does not seem to process it.

Signed-off-by: Kurt Garloff <[email protected]>

Author: garloff

_04-clouds-yaml.sh

@@ -64,38 +64,106 @@ echo "# Generating ~/tmp/clouds-$OS_CLOUD.yaml ..."
 OLD_UMASK=$(umask)
 umask 0177
 INJECTSUB="$SECRETS" INJECTSUBKWD="auth" RMVCOMMENT=1 extract_yaml clouds.$OS_CLOUD < $CLOUDS_YAML | sed "s/^\\(\\s*\\)\\($OS_CLOUD\\):/\\1openstack:/" > ~/tmp/clouds-$OS_CLOUD.yaml
-sed -i 's@^\(\s*cacert:\).*@\1 /etc/openstack/cacert.pem@' ~/tmp/clouds-$OS_CLOUD.yaml
+sed -i 's@^\(\s*cacert:\).*@\1 /etc/certs/cacert@' ~/tmp/clouds-$OS_CLOUD.yaml
+#echo "octavia_ovn: true" >> ~/tmp/clouds-$OS_CLOUD.yaml
 CL_YAML=$(ls ~/tmp/clouds-$OS_CLOUD.yaml)
 CL_YAML_B64=$(base64 -w0 < "$CL_YAML")
+CL_NAME_B64=$(echo -n openstack | base64 -w0)
 #kubectl create secret -n $CS_NAMESPACE generic clouds-yaml --from-file=$CL_YAML 
+
 umask $OLD_UMASK
 if test -n "$OS_CACERT"; then
 	OS_CACERT=${OS_CACERT/\~/$HOME}
 	CACERT_B64=$(base64 -w0 < $OS_CACERT)
-	cat | kubectl apply -f - << EOT
+	# For OCCM and CSI, the location of cacert is /etc/config
+	CL_YAML_ALT_B64=$(base64 -w0 < <(sed 's@/etc/certs/cacert@/etc/openstacǩ/cacert@' "$CL_YAML"))
+	CLCONF_B64=$(base64 -w0 <<EOT
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: clouds-yaml
+  namespace: kube-system
+data:
+  clouds.yaml: $CL_YAML_ALT_B64
+  cacert: $CACERT_B64
+  cloudName: $CL_NAME_B64
+EOT
+)
+	# For CAPO
+	kubectl apply -f - << EOT
 apiVersion: v1
 data:
   clouds.yaml: $CL_YAML_B64
-  cacert.pem: $CACERT_B64
+  cacert: $CACERT_B64
+  cloudName: $CL_NAME_B64
 kind: Secret
 metadata:
   name: openstack
-  namespace: $CS_NAMESPACCE
+  namespace: $CS_NAMESPACE
+  labels:
+    clusterctl.cluster.x-k8s.io/move: "true"
 type: Opaque
 EOT
 else
-	cat | kubectl apply -f << EOT
+	CLCONF_B64=$(base64 -w0 <<EOT
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: clouds-yaml
+  namespace: kube-system
+data:
+  clouds.yaml: $CL_YAML_B64
+  cloudName: $CL_NAME_B64
+EOT
+)
+	# For CAPO
+	kubectl apply -f - << EOT
 apiVersion: v1
 data:
   clouds.yaml: $CL_YAML_B64
+  cloudName: $CL_NAME_B64
 kind: Secret
 metadata:
   name: openstack
-  namespace: $CS_NAMESPACCE
+  namespace: $CS_NAMESPACE
+  labels:
+    clusterctl.cluster.x-k8s.io/move: "true"
 type: Opaque
 EOT
 fi
 # FIXME: We will provide more settings in cluster-settings.env later, hardcode it for now
 #if test "$CS_CCMLB=octavia-ovn"; then OCTOVN="--set octavia_ovn=true"; else unset OCTOVN; fi
 # FIXME: How to pass the information that we want OVN loadbalancers???
-
+# Workload cluster secret (for OCCM, CSI)
+kubectl apply -f - <<EOT
+apiVersion: v1
+data:
+  clouds-yaml-secret: $CLCONF_B64
+kind: Secret
+metadata:
+  name: openstack-workload-cluster-secret
+  namespace: $CS_NAMESPACE
+  labels:
+    clusterctl.cluster.x-k8s.io/move: "true"
+type: addons.cluster.x-k8s.io/resource-set
+EOT
+# Create CRS
+kubectl apply -f - <<EOT
+apiVersion: addons.cluster.x-k8s.io/v1beta1
+kind: ClusterResourceSet
+metadata:
+  name: crs-openstack-secret
+  namespace: $CS_NAMESPACE
+  labels:
+    clusterctl.cluster.x-k8s.io/move: "true"
+spec:
+  strategy: "Reconcile"
+  clusterSelector:
+    matchLabels:
+      managed-secret: clouds-yaml
+  resources:
+    - name: openstack-workload-cluster-secret
+      kind: Secret
+EOT