external_cloud_provider openstack can't work with username and password

[MartLTB]

I'm trying to deploy the external_cloud_provider for openstack via the external_cloud_controller/openstack role and noticed that this won't work when using auth via simple username and password from a sourced Openstack RC file instead of application credentials. The openstack-cloud-controller-manager pod(s) always failed to come up with the message

1 controllermanager.go:124] Cloud provider could not be initialized: could not init cloud provider "openstack": You must provide a password to authenticate

I took a closer look and could trace it down to the following line:

kubespray/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config.j2

Line 3 in 69b67a2

{% if external_openstack_application_credential_id is not defined and external_openstack_application_credential_name is not defined %}

As the variables checked in the above if statement are always defined in the defaults/main.yml, no matter if the corresponding envvars are actually set, the if statement can never be true and so external_openstack_username and external_openstack_username never make it into the external-openstack-cloud-config secret which causes the pod fail.

kubespray/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml

Line 8 in 69b67a2

external_openstack_application_credential_id: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_ID') }}"

kubespray/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml

Line 9 in 69b67a2

external_openstack_application_credential_name: "{{ lookup('env','OS_APPLICATION_CREDENTIAL_NAME') }}"

Environment:

• Cloud provider or hardware configuration:
  Openstack

• OS (printf "$(uname -srm)\n$(cat /etc/os-release)\n"):
  Linux 5.11.0-22-generic x86_64
  NAME="Ubuntu"
  VERSION="21.04 (Hirsute Hippo)"
  ID=ubuntu
  ID_LIKE=debian
  PRETTY_NAME="Ubuntu 21.04"
  VERSION_ID="21.04"
  HOME_URL="https://www.ubuntu.com/"
  SUPPORT_URL="https://help.ubuntu.com/"
  BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
  PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
  VERSION_CODENAME=hirsute
  UBUNTU_CODENAME=hirsute

• Version of Ansible (ansible --version):
  ansible 2.10.11

• Version of Python (python --version):
  Python 3.9.5

Kubespray version (commit) (git rev-parse --short HEAD):
7e4b176

Network plugin used:
calico

Full inventory with variables (ansible -i inventory/sample/inventory.ini all -m debug -a "var=hostvars[inventory_hostname]"):
Should not be neccessary but I'll gladly supply if needed.
Command used to invoke ansible:
Should not be necessary but I'll gladly supply if needed.
Output of ansible run:
Should not be necessary but I'll gladly supply if needed.
Anything else do we need to know:
I fixed this locally by checking for the empty string in the if statement instead of checking for the vars being defined but it might be safer checking for the respective envvars being set in the defaults/main.yml

[nleconte-csgroup]

Same here. Same versions but for :

Pyton :
Python 3.8.10

OS :
Linux 5.4.0-84-generic x86_64
NAME="Ubuntu"
VERSION="20.04.3 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.3 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

Kubespray version (commit) :
aa00c1d

Edit :
The work around proposed by the author works. Edit line 3 of the file roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config.j2 :

{% if external_openstack_application_credential_id == "" and external_openstack_application_credential_name == "" %}