openshiftpods: define ca_crt parameter if available

Reuse the CA certificate if one is available. CA certificate can be
defined in the kube/config file used by Nodepool service.

Fix the following error:

    DEBUG zuul.AnsibleJob.output: [...]
    Ansible output: b'fatal: [molecule]: FAILED! => {
        [...]
        "failed_modules": {
            "setup": {
                "failed": true,
                "module_stderr": "Unable to connect to the server: x509: certificate signed by unknown authority",
                "module_stdout": "",
                "msg": "MODULE FAILURE See stdout/stderr for the exact error",
                "rc": 1,
            }
        },
        "msg": "The following modules failed to execute: setup"
    }

Change-Id: Ic2b764e88d966a5c501e72ba3dfb46436979072c

nodepool/driver/openshiftpods/handler.py

@@ -40,6 +40,7 @@ class OpenshiftPodLauncher(OpenshiftLauncher):
             'pod': pod_name,
             'namespace': project,
             'host': k8s.api_client.configuration.host,
+            'ca_crt': self.handler.manager.ca_crt,
             'skiptls': not k8s.api_client.configuration.verify_ssl,
             'token': self.handler.manager.token,
             'user': 'zuul-worker',

nodepool/driver/openshiftpods/provider.py

@@ -12,6 +12,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import base64
 import logging
 import urllib3
 import time
@@ -34,7 +35,7 @@ class OpenshiftPodsProvider(OpenshiftProvider):
         self.provider = provider
         self.ready = False
         try:
-            self.token, self.k8s_client = self._get_client(
+            self.token, self.ca_crt, self.k8s_client = self._get_client(
                 provider.context)
         except kce.ConfigException:
             self.log.exception("Couldn't load client from config")
@@ -44,6 +45,7 @@ class OpenshiftPodsProvider(OpenshiftProvider):
                           "config.list_kube_config_contexts()[0]]))\"")
             self.token = None
             self.k8s_client = None
+            self.ca_crt = None
         self.pod_names = set()
         for pool in provider.pools.values():
             self.pod_names.update(pool.labels.keys())
@@ -51,7 +53,12 @@ class OpenshiftPodsProvider(OpenshiftProvider):
     def _get_client(self, context):
         conf = config.new_client_from_config(context=context)
         token = conf.configuration.api_key.get('authorization', '').split()[-1]
-        return (token, k8s_client.CoreV1Api(conf))
+        ca = None
+        if conf.configuration.ssl_ca_cert:
+            with open(conf.configuration.ssl_ca_cert) as ca_file:
+                ca = ca_file.read()
+                ca = base64.b64encode(ca.encode('utf-8')).decode('utf-8')
+        return (token, ca, k8s_client.CoreV1Api(conf))
 
     def start(self, zk_conn):
         self.log.debug("Starting")

nodepool/tests/unit/test_driver_openshiftpods.py

@@ -76,7 +76,7 @@ class TestDriverOpenshiftPods(tests.DBTestCase):
         self.fake_k8s_client = FakeCoreClient()
 
         def fake_get_client(*args):
-            return "fake-token", self.fake_k8s_client
+            return "fake-token", None, self.fake_k8s_client
 
         self.useFixture(fixtures.MockPatchObject(
             provider.OpenshiftPodsProvider, '_get_client',
@@ -103,6 +103,7 @@ class TestDriverOpenshiftPods(tests.DBTestCase):
         self.assertIsNotNone(node.launcher)
         self.assertEqual(node.connection_type, 'kubectl')
         self.assertEqual(node.connection_port.get('token'), 'fake-token')
+        self.assertIn('ca_crt', node.connection_port)
         self.assertEqual(node.attributes,
                          {'key1': 'value1', 'key2': 'value2'})