openstack-k8s-operators
diff --git a/‎api/bases/core.openstack.org_openstackcontrolplanes.yaml‎
Lines changed: 658 additions & 0 deletions b/‎api/bases/core.openstack.org_openstackcontrolplanes.yaml‎
Lines changed: 658 additions & 0 deletions
diff --git a/‎api/core/v1beta1/openstackcontrolplane_types.go‎
Lines changed: 194 additions & 0 deletions b/‎api/core/v1beta1/openstackcontrolplane_types.go‎
Lines changed: 194 additions & 0 deletions
diff --git a/‎api/core/v1beta1/openstackcontrolplane_webhook.go‎
Lines changed: 7 additions & 1 deletion b/‎api/core/v1beta1/openstackcontrolplane_webhook.go‎
Lines changed: 7 additions & 1 deletion
@@ -225,6 +225,14 @@ type OpenStackControlPlaneSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// Watcher - Parameters related to the Watcher service
 	Watcher WatcherSection `json:"watcher,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// ApplicationCredential - Global configuration for ApplicationCredentials.
+	// Both this global section AND the per-service applicationCredential section
+	// must be enabled for a service to use ApplicationCredentials.
+	// If omitted, defaults to enabled=false with standard expiration/grace periods.
+	ApplicationCredential ApplicationCredentialSection `json:"applicationCredential,omitempty"`
 }
 
 // TLSSection defines the desired state of TLS configuration
@@ -419,6 +427,13 @@ type PlacementSection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// APIOverride, provides the ability to override the generated manifest of several child resources.
 	APIOverride Override `json:"apiOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // GlanceSection defines the desired state of Glance service
@@ -445,6 +460,13 @@ type GlanceSection struct {
 	// Convenient to avoid podname (and thus hostname) collision between different deployments.
 	// Useful for CI jobs as well as preproduction and production environments that use the same storage backend, etc.
 	UniquePodNames bool `json:"uniquePodNames"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // CinderSection defines the desired state of Cinder service
@@ -471,6 +493,13 @@ type CinderSection struct {
 	// Convenient to avoid podname (and thus hostname) collision between different deployments.
 	// Useful for CI jobs as well as preproduction and production environments that use the same storage backend, etc.
 	UniquePodNames bool `json:"uniquePodNames"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // GaleraSection defines the desired state of Galera services
@@ -564,6 +593,13 @@ type NeutronSection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// APIOverride, provides the ability to override the generated manifest of several child resources.
 	APIOverride Override `json:"apiOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // NovaSection defines the desired state of Nova services
@@ -590,6 +626,13 @@ type NovaSection struct {
 	// for a nova cell. cell0 never have compute nodes and therefore it won't have a noVNCProxy deployed.
 	// Providing an override for cell0 noVNCProxy does not have an effect.
 	CellOverride map[string]NovaCellOverrideSpec `json:"cellOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // NovaCellOverrideSpec to override the generated manifest of several child resources.
@@ -620,6 +663,13 @@ type HeatSection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// CnfAPIOverride, provides the ability to override the generated manifest of several child resources.
 	CnfAPIOverride Override `json:"cnfAPIOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // IronicSection defines the desired state of Ironic services
@@ -644,6 +694,13 @@ type IronicSection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// InspectorOverride, provides the ability to override the generated manifest of several child resources.
 	InspectorOverride Override `json:"inspectorOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // ManilaSection defines the desired state of Manila service
@@ -663,6 +720,13 @@ type ManilaSection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// APIOverride, provides the ability to override the generated manifest of several child resources.
 	APIOverride Override `json:"apiOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // HorizonSection defines the desired state of Horizon services
@@ -716,6 +780,20 @@ type TelemetrySection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// AlertmanagerOverride, provides the ability to override the generated manifest of several child resources.
 	AlertmanagerOverride Override `json:"alertmanagerOverride,omitempty"`
+
+	// ApplicationCredentialCeilometer allows service-specific overrides of the global AC configuration for Ceilometer.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredentialCeilometer *ServiceAppCredSection `json:"applicationCredentialCeilometer"`
+
+	// ApplicationCredentialAodh allows service-specific overrides of the global AC configuration for Aodh.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredentialAodh *ServiceAppCredSection `json:"applicationCredentialAodh"`
 }
 
 // SwiftSection defines the desired state of Swift service
@@ -735,6 +813,13 @@ type SwiftSection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// ProxyOverride, provides the ability to override the generated manifest of several child resources.
 	ProxyOverride Override `json:"proxyOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // OctaviaSection defines the desired state of the Octavia service
@@ -754,6 +839,13 @@ type OctaviaSection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// APIOverride, provides the ability to override the generated manifest of several child resources.
 	APIOverride Override `json:"apiOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // DesignateSection defines the desired state of the Designate service
@@ -773,6 +865,13 @@ type DesignateSection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// APIOverride, provides the ability to override the generated manifest of several child resources.
 	APIOverride Override `json:"apiOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // BarbicanSection defines the desired state of Barbican service
@@ -792,6 +891,13 @@ type BarbicanSection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// APIOverride, provides the ability to override the generated manifest of several child resources.
 	APIOverride Override `json:"apiOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // RedisSection defines the desired state of the Redis service
@@ -833,6 +939,94 @@ type WatcherSection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// APIOverride, provides the ability to override the generated manifest of several child resources.
 	APIOverride Override `json:"apiOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
+}
+
+// +kubebuilder:validation:XValidation:rule="self.gracePeriodDays < self.expirationDays",message="gracePeriodDays must be smaller than expirationDays"
+// ApplicationCredentialSection defines the desired configuration for ApplicationCredentials
+type ApplicationCredentialSection struct {
+	// Enabled indicates whether an ApplicationCredential should be created
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=false
+	Enabled bool `json:"enabled"`
+
+	// ExpirationDays sets the lifetime in days for the AC
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=365
+	// +kubebuilder:validation:Minimum=2
+	ExpirationDays *int `json:"expirationDays"`
+
+	// GracePeriodDays sets how many days before expiration the AC should be rotated
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=182
+	// +kubebuilder:validation:Minimum=1
+	GracePeriodDays *int `json:"gracePeriodDays"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default={"service"}
+	// +kubebuilder:validation:MinItems=1
+	// Roles to assign to the ApplicationCredential
+	Roles []string `json:"roles"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=false
+	// Whether the AC should be unrestricted
+	Unrestricted *bool `json:"unrestricted"`
+
+	// AccessRules lets supply a custom list of rules
+	// If unset, no accessRules field is emitted
+	// +kubebuilder:validation:Optional
+	// +listType=atomic
+	AccessRules []ACRule `json:"accessRules,omitempty"`
+}
+
+// +kubebuilder:validation:XValidation:rule="!(has(self.expirationDays) && has(self.gracePeriodDays)) || self.gracePeriodDays < self.expirationDays",message="gracePeriodDays must be smaller than expirationDays"
+// ServiceAppCredSection allows service-specific overrides of the global AC configuration
+type ServiceAppCredSection struct {
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=false
+	Enabled bool `json:"enabled"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Minimum=2
+	ExpirationDays *int `json:"expirationDays,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Minimum=1
+	GracePeriodDays *int `json:"gracePeriodDays,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// Roles to assign to the ApplicationCredential
+	Roles []string `json:"roles,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// Whether the AC should be unrestricted
+	Unrestricted *bool `json:"unrestricted,omitempty"`
+
+	// AccessRules lets the service override either the global rules
+	// +kubebuilder:validation:Optional
+	// +listType=atomic
+	AccessRules []ACRule `json:"accessRules,omitempty"`
+}
+
+// ACRule describes a single access rule for an ApplicationCredential
+// +k8s:openapi-gen=true
+type ACRule struct {
+	// Service is the name of the service to target (e.g. "identity").
+	// +kubebuilder:validation:Required
+	Service string `json:"service"`
+	// Path is the HTTP path (e.g. "/v3/auth/tokens").
+	// +kubebuilder:validation:Required
+	Path string `json:"path"`
+	// Method is the HTTP method to allow (e.g. "POST").
+	// +kubebuilder:validation:Required
+	Method string `json:"method"`
 }
 
 // OpenStackControlPlaneStatus defines the observed state of OpenStackControlPlane
 
@@ -1081,6 +1081,12 @@ func (r *OpenStackControlPlane) DefaultServices() {
 		}
 	}
 
+	// Initialize ApplicationCredential (watcher specific) field to avoid null value
+	// This ensures consistent behavior with other services.
+	if r.Spec.Watcher.ApplicationCredential == nil {
+		r.Spec.Watcher.ApplicationCredential = &ServiceAppCredSection{Enabled: false}
+	}
+
 }
 
 // DefaultLabel - adding default label to the OpenStackControlPlane
@@ -1147,7 +1153,7 @@ func (r *OpenStackControlPlane) ValidateNotificationsBusInstance(basePath *field
 	// NotificationsBusInstance is set and must be equal to an existing
 	// deployed rabbitmq instance, otherwise we should fail because it
 	// does not represent a valid string
-	for k := range(*r.Spec.Rabbitmq.Templates) {
+	for k := range *r.Spec.Rabbitmq.Templates {
 		if *r.Spec.NotificationsBusInstance == k {
 			return nil
 		}
Original file line number	Diff line number	Diff line change
`@@ -1081,6 +1081,12 @@ func (r *OpenStackControlPlane) DefaultServices() {`
`1081`	`1081`	`}`
`1082`	`1082`	`}`
`1083`	`1083`
	`1084`	`+ // Initialize ApplicationCredential (watcher specific) field to avoid null value`
	`1085`	`+ // This ensures consistent behavior with other services.`
	`1086`	`+ if r.Spec.Watcher.ApplicationCredential == nil {`
	`1087`	`+ r.Spec.Watcher.ApplicationCredential = &ServiceAppCredSection{Enabled: false}`
	`1088`	`+ }`
	`1089`	`+`
`1084`	`1090`	`}`
`1085`	`1091`
`1086`	`1092`	`// DefaultLabel - adding default label to the OpenStackControlPlane`
`@@ -1147,7 +1153,7 @@ func (r OpenStackControlPlane) ValidateNotificationsBusInstance(basePath field`
`1147`	`1153`	`// NotificationsBusInstance is set and must be equal to an existing`
`1148`	`1154`	`// deployed rabbitmq instance, otherwise we should fail because it`
`1149`	`1155`	`// does not represent a valid string`
`1150`		`- for k := range(*r.Spec.Rabbitmq.Templates) {`
	`1156`	`+ for k := range *r.Spec.Rabbitmq.Templates {`
`1151`	`1157`	`if *r.Spec.NotificationsBusInstance == k {`
`1152`	`1158`	`return nil`
`1153`	`1159`	`}`