diff --git a/api/bases/core.openstack.org_openstackcontrolplanes.yaml b/api/bases/core.openstack.org_openstackcontrolplanes.yaml index 35c1f0d08..0a883811e 100644 --- a/api/bases/core.openstack.org_openstackcontrolplanes.yaml +++ b/api/bases/core.openstack.org_openstackcontrolplanes.yaml @@ -40,6 +40,53 @@ spec: type: object spec: properties: + applicationCredential: + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + default: 730 + minimum: 2 + type: integer + gracePeriodDays: + default: 364 + minimum: 1 + type: integer + roles: + default: + - admin + - service + items: + type: string + minItems: 1 + type: array + unrestricted: + default: false + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: self.gracePeriodDays < self.expirationDays barbican: properties: apiOverride: 
@@ -166,6 +213,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -175,6 +266,11 @@ spec: default: 90 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object barbicanAPI: properties: apiTimeout: @@ -674,6 +770,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean 
@@ -685,6 +825,11 @@ spec: type: integer cinderAPI: properties: + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string customServiceConfigSecrets: @@ -1767,6 +1912,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -1797,6 +1986,11 @@ spec: properties: apiTimeout: type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object backendMdnsServerProtocol: type: string backendType: 
@@ -3646,6 +3840,50 @@ spec: type: object type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -4191,6 +4429,11 @@ spec: apiTimeout: minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string customServiceConfigSecrets: @@ -4570,6 +4813,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cnfAPIOverride: properties: route: 
@@ -6505,6 +6792,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -6638,6 +6969,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -6899,6 +7235,11 @@ spec: type: array ironicInspector: properties: + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string 
@@ -8165,6 +8506,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -8709,6 +9094,11 @@ spec: type: array manilaAPI: properties: + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string 
@@ -9232,6 +9622,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -9241,6 +9675,11 @@ spec: default: 120 minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object corePlugin: default: ml2 type: string @@ -10062,6 +10501,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cellOverride: additionalProperties: properties: 
@@ -10345,6 +10828,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object cellTemplates: additionalProperties: properties: @@ -11130,6 +11618,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -11165,6 +11697,11 @@ spec: apiTimeout: default: 120 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11207,6 +11744,11 @@ spec: properties: apiTimeout: type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11415,6 +11957,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string 
@@ -11567,6 +12114,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11825,6 +12377,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -12612,6 +13169,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -12621,6 +13222,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string databaseAccount: 
@@ -13687,6 +14293,50 @@ spec: type: string swift: properties: + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -13843,6 +14493,11 @@ spec: default: 60 minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object ceilometerEnabled: default: false type: boolean 
@@ -14334,6 +14989,138 @@ spec: type: string type: object type: object + applicationCredentialAodh: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' + applicationCredentialCeilometer: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' + applicationCredentialCloudKitty: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + 
x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cloudKittyApiOverride: properties: route: @@ -14603,6 +15390,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customConfigsSecretName: type: string customServiceConfig: @@ -14771,6 +15563,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customConfigsSecretName: type: string customServiceConfig: @@ -14859,6 +15656,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object cloudKittyAPI: properties: customConfigsSecretName: 
@@ -16242,6 +17044,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -16435,6 +17281,11 @@ spec: type: string type: object type: object + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string databaseAccount: diff --git a/api/core/v1beta1/openstackcontrolplane_types.go b/api/core/v1beta1/openstackcontrolplane_types.go index e74e8d50a..516510708 100644 --- a/api/core/v1beta1/openstackcontrolplane_types.go +++ b/api/core/v1beta1/openstackcontrolplane_types.go 
@@ -225,6 +225,14 @@ type OpenStackControlPlaneSpec struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // Watcher - Parameters related to the Watcher service Watcher WatcherSection `json:"watcher,omitempty"` + + // +kubebuilder:validation:Optional + // +operator-sdk:csv:customresourcedefinitions:type=spec + // ApplicationCredential - Global configuration for ApplicationCredentials. + // Both this global section AND the per-service applicationCredential section + // must be enabled for a service to use ApplicationCredentials. + // If omitted, defaults to enabled=false with standard expiration/grace periods. + ApplicationCredential ApplicationCredentialSection `json:"applicationCredential,omitempty"` } // TLSSection defines the desired state of TLS configuration @@ -419,6 +427,13 @@ type PlacementSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // APIOverride, provides the ability to override the generated manifest of several child resources. APIOverride Override `json:"apiOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // GlanceSection defines the desired state of Glance service 
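Review bot: The comment on the new `ApplicationCredential` field says an omitted section "defaults to enabled=false with standard expiration/grace periods", but the field is a non-pointer struct with `omitempty` and no object-level default, so when it is absent the nested schema defaults are not applied and `ExpirationDays`, `GracePeriodDays` and `Roles` decode as nil. Unless a webhook or the controller fills them in (not visible in this diff), consider adding `// +kubebuilder:default={}` above the field, or reword the comment to say where the fallback happens. The comment should also state that the schema defaults in this commit grant the `admin` and `service` roles with a 730-day lifetime, so operators know what enabling the feature issues when they set no overrides. The struct starts outside the hunk.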
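Review bot: The new `ApplicationCredential *ServiceAppCredSection` field in PlacementSection is tagged `json:"applicationCredential"` without `omitempty`, so a nil pointer serializes as an explicit `applicationCredential: null`; because the field is `+nullable`, that null is preserved rather than replaced by the `{enabled:false}` default. Every consumer therefore has to nil-check before reading `Enabled`, and an object written by a Go client can differ from one defaulted by the API server. If that is not intended, use `json:"applicationCredential,omitempty"`; if it is, say so in the field comment. The same tag appears in the GlanceSection, CinderSection, NeutronSection, NovaSection, HeatSection, IronicSection, ManilaSection, TelemetrySection (three fields), SwiftSection, OctaviaSection, DesignateSection, BarbicanSection and WatcherSection hunks, and each struct begins outside its hunk.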
@@ -445,6 +460,13 @@ type GlanceSection struct { // Convenient to avoid podname (and thus hostname) collision between different deployments. // Useful for CI jobs as well as preproduction and production environments that use the same storage backend, etc. UniquePodNames bool `json:"uniquePodNames"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // CinderSection defines the desired state of Cinder service @@ -471,6 +493,13 @@ type CinderSection struct { // Convenient to avoid podname (and thus hostname) collision between different deployments. // Useful for CI jobs as well as preproduction and production environments that use the same storage backend, etc. UniquePodNames bool `json:"uniquePodNames"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // GaleraSection defines the desired state of Galera services 
@@ -564,6 +593,13 @@ type NeutronSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // APIOverride, provides the ability to override the generated manifest of several child resources. APIOverride Override `json:"apiOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // NovaSection defines the desired state of Nova services @@ -590,6 +626,13 @@ type NovaSection struct { // for a nova cell. cell0 never have compute nodes and therefore it won't have a noVNCProxy deployed. // Providing an override for cell0 noVNCProxy does not have an effect. CellOverride map[string]NovaCellOverrideSpec `json:"cellOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // NovaCellOverrideSpec to override the generated manifest of several child resources. 
@@ -620,6 +663,13 @@ type HeatSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // CnfAPIOverride, provides the ability to override the generated manifest of several child resources. CnfAPIOverride Override `json:"cnfAPIOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // IronicSection defines the desired state of Ironic services @@ -644,6 +694,13 @@ type IronicSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // InspectorOverride, provides the ability to override the generated manifest of several child resources. InspectorOverride Override `json:"inspectorOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // ManilaSection defines the desired state of Manila service @@ -663,6 +720,13 @@ type ManilaSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // APIOverride, provides the ability to override the generated manifest of several child resources. APIOverride Override `json:"apiOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // HorizonSection defines the desired state of Horizon services 
@@ -716,6 +780,27 @@ type TelemetrySection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // AlertmanagerOverride, provides the ability to override the generated manifest of several child resources. AlertmanagerOverride Override `json:"alertmanagerOverride,omitempty"` + + // ApplicationCredentialCeilometer allows service-specific overrides of the global AC configuration for Ceilometer. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredentialCeilometer *ServiceAppCredSection `json:"applicationCredentialCeilometer"` + + // ApplicationCredentialAodh allows service-specific overrides of the global AC configuration for Aodh. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredentialAodh *ServiceAppCredSection `json:"applicationCredentialAodh"` + + // ApplicationCredentialCloudKitty allows service-specific overrides of the global AC configuration for CloudKitty. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredentialCloudKitty *ServiceAppCredSection `json:"applicationCredentialCloudKitty"` } // SwiftSection defines the desired state of Swift service 
@@ -735,6 +820,13 @@ type SwiftSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // ProxyOverride, provides the ability to override the generated manifest of several child resources. ProxyOverride Override `json:"proxyOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // OctaviaSection defines the desired state of the Octavia service @@ -754,6 +846,13 @@ type OctaviaSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // APIOverride, provides the ability to override the generated manifest of several child resources. APIOverride Override `json:"apiOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // DesignateSection defines the desired state of the Designate service @@ -773,6 +872,13 @@ type DesignateSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // APIOverride, provides the ability to override the generated manifest of several child resources. APIOverride Override `json:"apiOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // BarbicanSection defines the desired state of Barbican service 
@@ -792,6 +898,13 @@ type BarbicanSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // APIOverride, provides the ability to override the generated manifest of several child resources. APIOverride Override `json:"apiOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // RedisSection defines the desired state of the Redis service 
@@ -833,6 +946,97 @@ type WatcherSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // APIOverride, provides the ability to override the generated manifest of several child resources. APIOverride Override `json:"apiOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` +} + +// +kubebuilder:validation:XValidation:rule="self.gracePeriodDays < self.expirationDays",message="gracePeriodDays must be smaller than expirationDays" +// ApplicationCredentialSection defines the desired configuration for ApplicationCredentials +type ApplicationCredentialSection struct { + // Enabled indicates whether an ApplicationCredential should be created + // +kubebuilder:validation:Optional + // +kubebuilder:default=false + Enabled bool `json:"enabled"` + + // ExpirationDays sets the lifetime in days for the AC + // +kubebuilder:validation:Optional + // +kubebuilder:default=730 + // +kubebuilder:validation:Minimum=2 + ExpirationDays *int `json:"expirationDays"` + + // GracePeriodDays sets how many days before expiration the AC should be rotated + // +kubebuilder:validation:Optional + // +kubebuilder:default=364 + // +kubebuilder:validation:Minimum=1 + GracePeriodDays *int `json:"gracePeriodDays"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default={"admin","service"} + // +kubebuilder:validation:MinItems=1 + // Roles to assign to the ApplicationCredential + Roles []string `json:"roles"` + + // +kubebuilder:validation:Optional + // +kubebuilder:default=false + // Whether the AC should be unrestricted + Unrestricted *bool `json:"unrestricted"` + + // AccessRules lets supply a custom list of rules + // If unset, no accessRules field is emitted + // 
+kubebuilder:validation:Optional + // +listType=atomic + AccessRules []ACRule `json:"accessRules,omitempty"` +} + +// +kubebuilder:validation:XValidation:rule="!(has(self.expirationDays) && has(self.gracePeriodDays)) || self.gracePeriodDays < self.expirationDays",message="gracePeriodDays must be smaller than expirationDays" +// ServiceAppCredSection allows service-specific overrides of the global AC configuration +type ServiceAppCredSection struct { + // +kubebuilder:validation:Optional + // +kubebuilder:default=false + Enabled bool `json:"enabled"` + + // +kubebuilder:validation:Optional + // +kubebuilder:validation:Minimum=2 + ExpirationDays *int `json:"expirationDays,omitempty"` + + // +kubebuilder:validation:Optional + // +kubebuilder:validation:Minimum=1 + GracePeriodDays *int `json:"gracePeriodDays,omitempty"` + + // +kubebuilder:validation:Optional + // Roles to assign to the ApplicationCredential + Roles []string `json:"roles,omitempty"` + + // +kubebuilder:validation:Optional + // Whether the AC should be unrestricted + Unrestricted *bool `json:"unrestricted,omitempty"` + + // AccessRules lets the service override the global AccessRules if specified + // +kubebuilder:validation:Optional + // +listType=atomic + AccessRules []ACRule `json:"accessRules,omitempty"` +} + +// ACRule describes a single access rule for an ApplicationCredential +// +k8s:openapi-gen=true +type ACRule struct { + // Service is the name of the service to target (e.g. "identity"). + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 + Service string `json:"service"` + // Path is the HTTP path (e.g. "/v3/auth/tokens"). + // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 + Path string `json:"path"` + // Method is the HTTP method to allow (e.g. "POST"). 
+ // +kubebuilder:validation:Required + // +kubebuilder:validation:MinLength=1 + Method string `json:"method"` } // OpenStackControlPlaneStatus defines the observed state of OpenStackControlPlane diff --git a/api/core/v1beta1/openstackcontrolplane_webhook.go b/api/core/v1beta1/openstackcontrolplane_webhook.go index 38b7c05bc..93aaebc29 100644 --- a/api/core/v1beta1/openstackcontrolplane_webhook.go +++ b/api/core/v1beta1/openstackcontrolplane_webhook.go @@ -844,6 +844,7 @@ func (r *OpenStackControlPlane) DefaultServices() { r.Spec.Glance.APIOverride = map[string]Override{} } for name, glanceAPI := range r.Spec.Glance.Template.GlanceAPIs { + var override Override var ok bool @@ -1151,7 +1152,7 @@ func (r *OpenStackControlPlane) ValidateNotificationsBusInstance(basePath *field // NotificationsBusInstance is set and must be equal to an existing // deployed rabbitmq instance, otherwise we should fail because it // does not represent a valid string - for k := range(*r.Spec.Rabbitmq.Templates) { + for k := range *r.Spec.Rabbitmq.Templates { if *r.Spec.NotificationsBusInstance == k { return nil } diff --git a/api/core/v1beta1/zz_generated.deepcopy.go b/api/core/v1beta1/zz_generated.deepcopy.go index 2af599dd5..950361fe3 100644 --- a/api/core/v1beta1/zz_generated.deepcopy.go +++ b/api/core/v1beta1/zz_generated.deepcopy.go 
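Review bot: The CEL rule on `ServiceAppCredSection` compares `gracePeriodDays` with `expirationDays` only when both are set on the same service, so an override that sets just one of them is never checked against the global value it will be combined with. A service-level `gracePeriodDays` larger than the global `expirationDays` default of 730 passes the schema, and unless the merge code (not visible in this diff) re-validates, the effective rotation window can end up invalid. I would validate the merged result in the webhook and state the limit on the type, e.g. `// The rule is evaluated only when both fields are set here; the merged global+service values must be validated separately.` Separately, `Roles` defaults to `admin` and `service` and `Unrestricted` carries only a one-line comment; a sentence on each describing the privilege it grants would help operators pick narrower values, and `ACRule.Method` could be limited with a `+kubebuilder:validation:Enum` marker instead of accepting any non-empty string.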
@@ -51,6 +51,61 @@ import ( "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ACRule) DeepCopyInto(out *ACRule) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACRule. +func (in *ACRule) DeepCopy() *ACRule { + if in == nil { + return nil + } + out := new(ACRule) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ApplicationCredentialSection) DeepCopyInto(out *ApplicationCredentialSection) { + *out = *in + if in.ExpirationDays != nil { + in, out := &in.ExpirationDays, &out.ExpirationDays + *out = new(int) + **out = **in + } + if in.GracePeriodDays != nil { + in, out := &in.GracePeriodDays, &out.GracePeriodDays + *out = new(int) + **out = **in + } + if in.Roles != nil { + in, out := &in.Roles, &out.Roles + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Unrestricted != nil { + in, out := &in.Unrestricted, &out.Unrestricted + *out = new(bool) + **out = **in + } + if in.AccessRules != nil { + in, out := &in.AccessRules, &out.AccessRules + *out = make([]ACRule, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationCredentialSection. +func (in *ApplicationCredentialSection) DeepCopy() *ApplicationCredentialSection { + if in == nil { + return nil + } + out := new(ApplicationCredentialSection) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BarbicanSection) DeepCopyInto(out *BarbicanSection) { *out = *in 
@@ -60,6 +115,11 @@ func (in *BarbicanSection) DeepCopyInto(out *BarbicanSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BarbicanSection. @@ -153,6 +213,11 @@ func (in *CinderSection) DeepCopyInto(out *CinderSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CinderSection. @@ -811,6 +876,11 @@ func (in *DesignateSection) DeepCopyInto(out *DesignateSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DesignateSection. @@ -864,6 +934,11 @@ func (in *GlanceSection) DeepCopyInto(out *GlanceSection) { (*out)[key] = *val.DeepCopy() } } + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlanceSection. 
@@ -886,6 +961,11 @@ func (in *HeatSection) DeepCopyInto(out *HeatSection) { } in.APIOverride.DeepCopyInto(&out.APIOverride) in.CnfAPIOverride.DeepCopyInto(&out.CnfAPIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeatSection. @@ -929,6 +1009,11 @@ func (in *IronicSection) DeepCopyInto(out *IronicSection) { } in.APIOverride.DeepCopyInto(&out.APIOverride) in.InspectorOverride.DeepCopyInto(&out.InspectorOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IronicSection. @@ -971,6 +1056,11 @@ func (in *ManilaSection) DeepCopyInto(out *ManilaSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManilaSection. @@ -1018,6 +1108,11 @@ func (in *NeutronSection) DeepCopyInto(out *NeutronSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NeutronSection. 
@@ -1062,6 +1157,11 @@ func (in *NovaSection) DeepCopyInto(out *NovaSection) { (*out)[key] = *val.DeepCopy() } } + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NovaSection. @@ -1083,6 +1183,11 @@ func (in *OctaviaSection) DeepCopyInto(out *OctaviaSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OctaviaSection. @@ -1221,6 +1326,7 @@ func (in *OpenStackControlPlaneSpec) DeepCopyInto(out *OpenStackControlPlaneSpec **out = **in } in.Watcher.DeepCopyInto(&out.Watcher) + in.ApplicationCredential.DeepCopyInto(&out.ApplicationCredential) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenStackControlPlaneSpec. @@ -1530,6 +1636,11 @@ func (in *PlacementSection) DeepCopyInto(out *PlacementSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlacementSection. 
@@ -1594,6 +1705,46 @@ func (in *RedisSection) DeepCopy() *RedisSection { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServiceAppCredSection) DeepCopyInto(out *ServiceAppCredSection) { + *out = *in + if in.ExpirationDays != nil { + in, out := &in.ExpirationDays, &out.ExpirationDays + *out = new(int) + **out = **in + } + if in.GracePeriodDays != nil { + in, out := &in.GracePeriodDays, &out.GracePeriodDays + *out = new(int) + **out = **in + } + if in.Roles != nil { + in, out := &in.Roles, &out.Roles + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Unrestricted != nil { + in, out := &in.Unrestricted, &out.Unrestricted + *out = new(bool) + **out = **in + } + if in.AccessRules != nil { + in, out := &in.AccessRules, &out.AccessRules + *out = make([]ACRule, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAppCredSection. +func (in *ServiceAppCredSection) DeepCopy() *ServiceAppCredSection { + if in == nil { + return nil + } + out := new(ServiceAppCredSection) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServiceDefaults) DeepCopyInto(out *ServiceDefaults) { *out = *in @@ -1623,6 +1774,11 @@ func (in *SwiftSection) DeepCopyInto(out *SwiftSection) { (*in).DeepCopyInto(*out) } in.ProxyOverride.DeepCopyInto(&out.ProxyOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SwiftSection. 
@@ -1750,6 +1906,21 @@ func (in *TelemetrySection) DeepCopyInto(out *TelemetrySection) { in.CloudKittyAPIOverride.DeepCopyInto(&out.CloudKittyAPIOverride) in.PrometheusOverride.DeepCopyInto(&out.PrometheusOverride) in.AlertmanagerOverride.DeepCopyInto(&out.AlertmanagerOverride) + if in.ApplicationCredentialCeilometer != nil { + in, out := &in.ApplicationCredentialCeilometer, &out.ApplicationCredentialCeilometer + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } + if in.ApplicationCredentialAodh != nil { + in, out := &in.ApplicationCredentialAodh, &out.ApplicationCredentialAodh + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } + if in.ApplicationCredentialCloudKitty != nil { + in, out := &in.ApplicationCredentialCloudKitty, &out.ApplicationCredentialCloudKitty + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TelemetrySection. @@ -1771,6 +1942,11 @@ func (in *WatcherSection) DeepCopyInto(out *WatcherSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WatcherSection. diff --git a/api/go.mod b/api/go.mod index d04537a3e..8dcff7951 100644 --- a/api/go.mod +++ b/api/go.mod 
@@ -7,28 +7,28 @@ require ( github.com/go-playground/validator/v10 v10.30.1 github.com/onsi/ginkgo/v2 v2.27.5 github.com/onsi/gomega v1.39.0 - github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260116212320-64032e7fd88b - github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260117104330-07a1ec4fd99c - github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260116130311-be0d2af32151 - github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260120080045-1c470da1ed9b - github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260110225157-5b3bf0296d6e - github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260111154931-be9fdcb15911 + github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20251220125032-e46717ca376e + github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20251221204540-9ad70f8debbc + github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20251203145024-0f6b7a8e7dc5 + github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20251221170241-a5482a4f039a + github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20251213170654-5ce22bc3a2e9 + github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20251213062730-e339ac2f2851 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260115124008-0121df869109 - github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260113170151-9d29139352bb - github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260120112029-cd452f0497ba + github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20251213181601-3669e9f88d07 + github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260109123729-8c46aa6cb459 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251230215914-6ba873b49a35 github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20251230215914-6ba873b49a35 - 
github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260119144421-0c24d784b5c4 - github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260105160121-f7a8ef85ce8d - github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260116082728-d39936b42046 - github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260113080058-6dba625f41a1 - github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260116134432-df49a23ff7a1 - github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20260111155522-06cd1004cb26 - github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20260110163153-032238f53c26 - github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260111213949-0dcd5c93e1ea - github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260114150411-6838d5edd879 - github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260120104652-eb64f15362ce - github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260113110118-a6915bd1d851 + github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20251221204257-893591a14936 + github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20251220223619-1df7af154c0f + github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20251125150830-633e42336356 + github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20251127143706-407c63ad016a + github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20251127161151-38d49bbc1c5d + github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20251208195928-7a740b4f921d + github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20251127135801-f3d54911d811 + github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20251221210503-10057cebd870 + github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20251216163659-f7a35d4fc73b + github.com/openstack-k8s-operators/telemetry-operator/api 
v0.6.1-0.20251222143830-69bf8ba39dff + github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20251222122818-fc7387823d0b github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring v0.71.0-rhobs1 // indirect github.com/rhobs/observability-operator v0.3.1 // indirect go.uber.org/multierr v1.11.0 // indirect 
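Review bot: Four of the requirements rolled back in this hunk (horizon-operator, mariadb-operator, openstack-baremetal-operator and ovn-operator) have no matching `replace` in the later hunk, so their move to November/December 2025 pseudo-versions takes effect in the build. For the other modules the `replace` directives override the required version, which makes these four look like an unintended side effect of a stale branch (inferred, not stated in the diff). Unless the rollback is deliberate, restore the previous pins, for example `github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20260110163153-032238f53c26`, so that fixes already picked up from those operators are not silently dropped.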
@@ -143,3 +143,34 @@ replace k8s.io/code-generator => k8s.io/code-generator v0.31.14 //allow-merging replace k8s.io/component-base => k8s.io/component-base v0.31.14 //allow-merging replace github.com/cert-manager/cmctl/v2 => github.com/cert-manager/cmctl/v2 v2.1.2-0.20241127223932-88edb96860cf //allow-merging + +// appcred related changes +replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20260119142142-e3bd4fb9750f + +replace github.com/openstack-k8s-operators/barbican-operator/api => github.com/Deydra71/barbican-operator/api v0.0.0-20260122143302-441c30d1c438 + +replace github.com/openstack-k8s-operators/cinder-operator/api => github.com/Deydra71/cinder-operator/api v0.0.0-20260122142851-3c5a4a2215f5 + +replace github.com/openstack-k8s-operators/glance-operator/api => github.com/Deydra71/glance-operator/api v0.0.0-20260123074844-53feda93ba72 + +replace github.com/openstack-k8s-operators/swift-operator/api => github.com/Deydra71/swift-operator/api v0.0.0-20260122143236-575c5d72d81d + +replace github.com/openstack-k8s-operators/manila-operator/api => github.com/Deydra71/manila-operator/api v0.0.0-20260123075332-e123b69b3416 + +replace github.com/openstack-k8s-operators/neutron-operator/api => github.com/Deydra71/neutron-operator/api v0.0.0-20260123083955-69c5aba4972e + +replace github.com/openstack-k8s-operators/placement-operator/api => github.com/Deydra71/placement-operator/api v0.0.0-20260123080709-541dfe920e59 + +replace github.com/openstack-k8s-operators/designate-operator/api => github.com/Deydra71/designate-operator/api v0.0.0-20260122154149-aeef545db0af + +replace github.com/openstack-k8s-operators/octavia-operator/api => github.com/Deydra71/octavia-operator/api v0.0.0-20260123083319-2d305c284221 + +replace github.com/openstack-k8s-operators/ironic-operator/api => github.com/Deydra71/ironic-operator/api v0.0.0-20260121092824-e02c23e47739 + +replace 
github.com/openstack-k8s-operators/watcher-operator/api => github.com/Deydra71/watcher-operator/api v0.0.0-20260123084421-09981612ac4a + +replace github.com/openstack-k8s-operators/nova-operator/api => github.com/Deydra71/nova-operator/api v0.0.0-20260121084006-035337c15476 + +replace github.com/openstack-k8s-operators/telemetry-operator/api => github.com/Deydra71/telemetry-operator/api v0.0.0-20260115114909-fad545af8c46 + +replace github.com/openstack-k8s-operators/heat-operator/api => github.com/afaranha/heat-operator/api v0.0.0-20260120135610-287803d0838a diff --git a/api/go.sum b/api/go.sum index 7df421b0f..1ca46e993 100644 --- a/api/go.sum +++ b/api/go.sum 
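Review bot: The added `replace` directives redirect fifteen `openstack-k8s-operators/*/api` modules to personal forks (`github.com/Deydra71/...` and `github.com/afaranha/heat-operator/api`) at pseudo-versions, so the build no longer consumes the organisation's own repositories for those modules. That is workable while the dependent operator changes are in flight, but it moves the trust boundary for the API types to accounts outside the project's review and branch protection, and the `v0.0.0-...` pins carry no upstream release lineage. Unlike the existing replaces above them, these lines carry no `//allow-merging` marker, which suggests they are meant to be temporary; I would make that explicit in the comment, e.g. `// appcred related changes: temporary fork pins, remove once the upstream operator PRs merge`, and drop the block together with its `go.sum` entries before this lands.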
@@ -1,5 +1,35 @@ +github.com/Deydra71/barbican-operator/api v0.0.0-20260122143302-441c30d1c438 h1:HJ5OXkYFCEdpTfFm7JXQf2IaHFyGK4myHmLob0+zM6Y= +github.com/Deydra71/barbican-operator/api v0.0.0-20260122143302-441c30d1c438/go.mod h1:LNFXItaLYod750CjiMsml67rEwSgRv6wvANi2wWQPiA= +github.com/Deydra71/cinder-operator/api v0.0.0-20260122142851-3c5a4a2215f5 h1:rQL/Y18+Chr632Bx6V/5OcV+td4FmiPXlcDLXWTPvBI= +github.com/Deydra71/cinder-operator/api v0.0.0-20260122142851-3c5a4a2215f5/go.mod h1:IzsPB8GKDO7dkS4KSISodU0CqhBNUccSAgc/iNENZ3Y= +github.com/Deydra71/designate-operator/api v0.0.0-20260122154149-aeef545db0af h1:28+dU43DcynFpmz4oHGkhA4/NyIBosZtJsVBnOeCJJU= +github.com/Deydra71/designate-operator/api v0.0.0-20260122154149-aeef545db0af/go.mod h1:OepE3tH25UoiyG0zMZlmJ+qH+Jut421eyCZaKPXhmPw= +github.com/Deydra71/glance-operator/api v0.0.0-20260123074844-53feda93ba72 h1:WJmGFN0cyaQ/CzDDWRElrE/fi7EPN0djhRfzT8za2Ao= +github.com/Deydra71/glance-operator/api v0.0.0-20260123074844-53feda93ba72/go.mod h1:720uzNTkk+nZAhzAb1DewM3sDhf/gFZ1qruD2vAlEvk= +github.com/Deydra71/ironic-operator/api v0.0.0-20260121092824-e02c23e47739 h1:iYHdftJgsplisE+Wv5qF0eHzTMdhl6klxIPOLWIEHxw= +github.com/Deydra71/ironic-operator/api v0.0.0-20260121092824-e02c23e47739/go.mod h1:fHbvJtxq0tuqLORh2pLvbp1ZkJsrZf/jfsbfjgb8JsY= +github.com/Deydra71/keystone-operator/api v0.0.0-20260119142142-e3bd4fb9750f h1:cZNeZWT7OJw8ehZx6JFtJLrGRqrzmAamq9CGk/J3uVY= +github.com/Deydra71/keystone-operator/api v0.0.0-20260119142142-e3bd4fb9750f/go.mod h1:xqvebn9DqLavxp2z8Rz/7i1S6M9MJhxmZVHC+S1uHX0= +github.com/Deydra71/manila-operator/api v0.0.0-20260123075332-e123b69b3416 h1:g7zd1JlfCjR0nQnNzx1ZuNYXzrmCeiuVwVPTzM7jzw8= +github.com/Deydra71/manila-operator/api v0.0.0-20260123075332-e123b69b3416/go.mod h1:N9V9SZ8J4g6aIDxas9O8xsWDU5mcos/O7omgpWagdX4= +github.com/Deydra71/neutron-operator/api v0.0.0-20260123083955-69c5aba4972e h1:NtnueRdP0mV9OOkQtcyW/BF2r5EKPO1YokT7vqYrEiw= +github.com/Deydra71/neutron-operator/api 
v0.0.0-20260123083955-69c5aba4972e/go.mod h1:g107gk6VWVtLY7BE07ZcioogXD7lr7wEIZADaeQdOH0= +github.com/Deydra71/nova-operator/api v0.0.0-20260121084006-035337c15476 h1:8r7TjSxBEDshxDLK2S5OVJx2TOO9NOPyBoWxiAGcTfw= +github.com/Deydra71/nova-operator/api v0.0.0-20260121084006-035337c15476/go.mod h1:s9gEywJBEUnNWYHRNJeb2Xkajjsg220AYWFA4oh8Zwk= +github.com/Deydra71/octavia-operator/api v0.0.0-20260123083319-2d305c284221 h1:2xqv/imywdu06iavEprG6V4wYY27czr88Re5bNlJUo0= +github.com/Deydra71/octavia-operator/api v0.0.0-20260123083319-2d305c284221/go.mod h1:vYPgxmaojx08w77AX5zOuTl783XdP42wMDcx5RFLRrM= +github.com/Deydra71/placement-operator/api v0.0.0-20260123080709-541dfe920e59 h1:Ad9B3UahL16r2t7xyAYKpG/x5ckQI0iDwPQLM+VeqKE= +github.com/Deydra71/placement-operator/api v0.0.0-20260123080709-541dfe920e59/go.mod h1:x0UGoetq8vzIInHT5c1VHN9jtHx7PMVFqeoQkL+Yy1I= +github.com/Deydra71/swift-operator/api v0.0.0-20260122143236-575c5d72d81d h1:dDQ5ehQVsiMDbtclQh3iEcUQbD814Thr3Rh5zXcZHnE= +github.com/Deydra71/swift-operator/api v0.0.0-20260122143236-575c5d72d81d/go.mod h1:e7GTsfMeYlvJJJTdK+NydcsYT0qzqN9paxTTttgbLyU= +github.com/Deydra71/telemetry-operator/api v0.0.0-20260115114909-fad545af8c46 h1:otHmbfzAuPfCy6ttv0PIdfGVJnIuBAUzzl6c50mLDy4= +github.com/Deydra71/telemetry-operator/api v0.0.0-20260115114909-fad545af8c46/go.mod h1:Gq8pU5WOlizRSCzbWaj9hR3uZ+t0rem8lGsYRbckJ9s= +github.com/Deydra71/watcher-operator/api v0.0.0-20260123084421-09981612ac4a h1:z3ufacMuoGtU1QgdzHTuBSliNO9aQLn+n1Qr9dgxdxo= +github.com/Deydra71/watcher-operator/api v0.0.0-20260123084421-09981612ac4a/go.mod h1:2jbeEF2v1WZ8FBRgM5jyJpSaWPOiPQyPhE/Gnlvrxxo= github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/afaranha/heat-operator/api v0.0.0-20260120135610-287803d0838a h1:h/VpjKAAFEpdejoyA55ZmIi35m+s/0WFFGJCZp45+p4= +github.com/afaranha/heat-operator/api 
v0.0.0-20260120135610-287803d0838a/go.mod h1:iM7f03/fslaMRCNZg0q+3jrFQHm0mPREofeFS+J8s0U= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/cert-manager/cert-manager v1.16.5 h1:XIhKoS4zQV9RHXAkqQW0NLivvoxAnWzbPsy9BG6cPVc= 
@@ -114,54 +144,24 @@ github.com/onsi/gomega v1.39.0 h1:y2ROC3hKFmQZJNFeGAMeHZKkjBL65mIZcvrLQBF9k6Q= github.com/onsi/gomega v1.39.0/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4= github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e h1:E1OdwSpqWuDPCedyUt0GEdoAE+r5TXy7YS21yNEo+2U= github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= -github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260116212320-64032e7fd88b h1:PSxwrn5pFgdTakOipOwST9QjNSU7kLZDn+edzGGtJcU= -github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260116212320-64032e7fd88b/go.mod h1:FbFRq2bJpei+BSQCwLrmzFGELavg1WLRv2yFYa0g8Po= -github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260117104330-07a1ec4fd99c h1:/T6TSiNuj40RJK87QqUEMieU8yhqd+sEW7Uz9OMhg4s= -github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260117104330-07a1ec4fd99c/go.mod h1:zGIXNYjHyRfNIEF9RJehBZ5Azd5AUtoHXx7FxpQOJ54= -github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260116130311-be0d2af32151 h1:HFozpOv84PL+hlXFQfqtC39htH+Nsvy+0xFqJDpAmoU= -github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260116130311-be0d2af32151/go.mod h1:X8ULjyhQmjJVZIH19etCLZf60/KPxc1i1YI9/osYQvw= -github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260120080045-1c470da1ed9b h1:bTelVTmjxylpcJbtrnxBT1qtP4ziMjt2fUv7+ZEC3h8= -github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260120080045-1c470da1ed9b/go.mod h1:ghegwjz1c0J8GSjZiM/qSIzg+qjZNCwUbwbPEbrcrno= -github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260110225157-5b3bf0296d6e h1:ynaKOj8sQcZBWXBmiB+TnxLKJ3oVEuBhfOvC/jwX4Ao= -github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260110225157-5b3bf0296d6e/go.mod h1:kZ/HozGVLmv4LrhsoxjjKT/zckenLznLQY1ud6z1CbY= -github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260111154931-be9fdcb15911 
h1:yO+lHq/SGfFyGjKMcD6xgaqC19fHtrRfTQ/5MZpRo1M= -github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260111154931-be9fdcb15911/go.mod h1:j4xehAICMmNT/2VnRcOToMHZA9/Nj0SsiyETceUK7Pc= +github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20251213062730-e339ac2f2851 h1:EfKq1oxaNVAkdz7vGyrvFKUA6juw9uLEI9ZPulIyCWU= +github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20251213062730-e339ac2f2851/go.mod h1:0nsIeghZDuEgBfsT1Rlik+ZLBRsXoVrni2pTMP++OV0= github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260115124008-0121df869109 h1:S+A67nntHZrL1lIL3qr91CpJj+A67M/G4t1cTKzeGdo= github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260115124008-0121df869109/go.mod h1:ZXwFlspJCdZEUjMbmaf61t5AMB4u2vMyAMMoe/vJroE= -github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260113170151-9d29139352bb h1:EfIsetORQ/wDeYArPt0NMECMVzkQe5MpaUCMNfs0O2k= -github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260113170151-9d29139352bb/go.mod h1:pOMPE4BqDjla9JI8KFcRnM6yuIb/pkA8GnE6QY31FIs= -github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260120112029-cd452f0497ba h1:4VaDkZFawGCkzwvfijnFLz0Gduxh17buj9fIwk0WULo= -github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260120112029-cd452f0497ba/go.mod h1:xqvebn9DqLavxp2z8Rz/7i1S6M9MJhxmZVHC+S1uHX0= github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251230215914-6ba873b49a35 h1:pF3mJ3nwq6r4qwom+rEWZNquZpcQW/iftHlJ1KPIDsk= github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251230215914-6ba873b49a35/go.mod h1:kycZyoe7OZdW1HUghr2nI3N7wSJtNahXf6b/ypD14f4= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251230215914-6ba873b49a35 h1:IdcI8DFvW8rXtchONSzbDmhhRp1YyO2YaBJDBXr44Gk= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251230215914-6ba873b49a35/go.mod h1:zOX7Y05keiSppIvLabuyh42QHBMhCcoskAtxFRbwXKo= 
github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20251230215914-6ba873b49a35 h1:8WZYfCt1VJHa5sJRX0UhpmoXud/fn8LHQhXsakdYXuQ= github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20251230215914-6ba873b49a35/go.mod h1:H0aQANk8iJPRhS2Bg9n6cYb/IHF0Cks9g7+uZG04Rhk= -github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260119144421-0c24d784b5c4 h1:wYoCaC7r00+BsuYfetXJc6+a4uDs5Qp/tGWiA3zzWCM= -github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260119144421-0c24d784b5c4/go.mod h1:VKrN8rmHVOZsJXtvCw+fRtlhDmel3bi6wzGzUMScuOc= -github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260105160121-f7a8ef85ce8d h1:cbQpEHW404M+QBrevqh+MyrtPRUFlHTLmSAHflEth6U= -github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260105160121-f7a8ef85ce8d/go.mod h1:X6W8pIULiWUc6smaTqiNocjxoXaRLgXediwpI/dxD9s= -github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260116082728-d39936b42046 h1:eWUkbFvPbZfhzMl6KwUrSY30rg0MG3LTKKpiv69+LG0= -github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260116082728-d39936b42046/go.mod h1:CNJF0ekxqVqrEMLGL/hV489p0RrVoB3alMhjE9cxv1o= -github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260113080058-6dba625f41a1 h1:fWk7A2V+lB8HeZjTRM4ir1ThWPjf1yC2mejyBJK4kuo= -github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260113080058-6dba625f41a1/go.mod h1:ylEKFn6OOoHsV1fdu21PvJpG3oeTSpDvh2rZLrJyFNo= -github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260116134432-df49a23ff7a1 h1:UGgAP+3Ye8B8U+18kPeGu6gvn4VK+LLCCXHtkeSb4pw= -github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260116134432-df49a23ff7a1/go.mod h1:5/igDRSb+efFtzZBU/jNpPAnaUMwM1kliC0C/cDcooE= -github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20260111155522-06cd1004cb26 h1:zijwoA7LwSl4s6RfgN6GqFpt0+IKnUnZdlHe4eKDhgc= -github.com/openstack-k8s-operators/openstack-baremetal-operator/api 
v0.6.1-0.20260111155522-06cd1004cb26/go.mod h1:OFvUyXC2TekOk3ZlTOo8YzEneQV5W5Ob7X54yOgaf18= -github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20260110163153-032238f53c26 h1:g0q8+sFU1aTLsNvh1DaH+JgBhZr5UNtkj8gf9GI8kHk= -github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20260110163153-032238f53c26/go.mod h1:LTrCp/cf4HFozb0ZhblhQKO0jUmmBnvD8zFocOsasAM= -github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260111213949-0dcd5c93e1ea h1:FLYCExfJbPqeaP7ukoqgIeBZA4J1AcodO/EUyLK2pyI= -github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260111213949-0dcd5c93e1ea/go.mod h1:JoWcJYo7glD3/XaghQcw/FH1nbYfAY/XWCeq/tBCEO8= +github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20251220223619-1df7af154c0f h1:Lrt+Bo/mTncK8kdd+hT1o/X6oCGl2uUMdBe+X3lrKrk= +github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20251220223619-1df7af154c0f/go.mod h1:KbToF6BJ5oO1/MapNRhMHED/C/OGfCPMXmIJm/G3tLg= +github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20251208195928-7a740b4f921d h1:vBmv0vvDVf5/V0bZUoed2TNQ+t0Z0ExPZgUyWLoXDw4= +github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20251208195928-7a740b4f921d/go.mod h1:IguVL02aJlDXM9zRvSdZfcOL5aMsF3/YH5ywX6sUoNk= +github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20251127135801-f3d54911d811 h1:H1b2RlE9EsemU/dbtV96xIXxmGBLS2UcBtdSS0bYucw= +github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20251127135801-f3d54911d811/go.mod h1:LTrCp/cf4HFozb0ZhblhQKO0jUmmBnvD8zFocOsasAM= github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec h1:saovr368HPAKHN0aRPh8h8n9s9dn3d8Frmfua0UYRlc= github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec/go.mod h1:Nh2NEePLjovUQof2krTAg4JaAoLacqtPTZQXK6izNfg= -github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260114150411-6838d5edd879 
h1:uMUl7bYUa7Co5EX1pqwG2+A7bXaylLtoHMzr7YYXjCU= -github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260114150411-6838d5edd879/go.mod h1:xNCpStWGnZNSC0Y8FTOqEdDXE+iCe82MnlAbx9i78kk= -github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260120104652-eb64f15362ce h1:qCrUvl64Emoob4cXc3f+6o8lzMRHhEJLCb4tDgW9dqk= -github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260120104652-eb64f15362ce/go.mod h1:sVND1JTB9Da9X1fX+Q2W2aOynH3+vf9cFGkisPuE9Yg= -github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260113110118-a6915bd1d851 h1:CBNSYymiZ6WZTU1712DZ7wG3jtArZFJ+O4WJ1FE8jrc= -github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260113110118-a6915bd1d851/go.mod h1:JQIRwXW/xX4e7XPEWhY8GgjHeySGulO/6E53LL+/neo= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= diff --git a/bindata/crds/barbican.openstack.org_barbicans.yaml b/bindata/crds/barbican.openstack.org_barbicans.yaml index 0fd776709..54d73b245 100644 --- a/bindata/crds/barbican.openstack.org_barbicans.yaml +++ b/bindata/crds/barbican.openstack.org_barbicans.yaml @@ -53,6 +53,15 @@ spec: description: Barbican API timeout minimum: 10 type: integer + auth: + description: Auth - Parameters related to authentication for all Barbican + services + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object barbicanAPI: description: BarbicanAPI - Spec definition for the API services of this Barbican deployment diff --git a/bindata/crds/cinder.openstack.org_cinderapis.yaml b/bindata/crds/cinder.openstack.org_cinderapis.yaml index 3764c62fb..a72db7eb5 100644 --- a/bindata/crds/cinder.openstack.org_cinderapis.yaml 
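Review bot: The `applicationCredentialSecret` description added under `auth` in the barbicans CRD does not say which keys the Secret must carry or in which namespace it is resolved, and the field is a bare `type: string`. Because this field points a service at credential material, the contract should be spelled out where users read it, for example `description: ApplicationCredentialSecret - name of the Secret (presumably in this CR's namespace) holding the Application Credential ID and Secret under the keys <ID_KEY> and <SECRET_KEY>`. If an empty value is not a meaningful "unset" marker, `minLength: 1` would reject it at admission. The same wording is reused in the cinder, designate, glance and ironic CRD hunks that follow, and the enclosing `properties` block continues outside this hunk.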
+++ b/bindata/crds/cinder.openstack.org_cinderapis.yaml @@ -52,6 +52,14 @@ spec: spec: description: CinderAPISpec defines the desired state of CinderAPI properties: + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Cinder Container Image URL (will be set to environmental default if empty) diff --git a/bindata/crds/cinder.openstack.org_cinders.yaml b/bindata/crds/cinder.openstack.org_cinders.yaml index 0cc855df2..8bbb4d2ba 100644 --- a/bindata/crds/cinder.openstack.org_cinders.yaml +++ b/bindata/crds/cinder.openstack.org_cinders.yaml @@ -57,6 +57,14 @@ spec: description: CinderAPI - Spec definition for the API service of this Cinder deployment properties: + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Cinder Container Image URL (will be set to environmental default if empty) diff --git a/bindata/crds/crds.yaml b/bindata/crds/crds.yaml index bd9492d35..c420de46c 100644 --- a/bindata/crds/crds.yaml +++ b/bindata/crds/crds.yaml 
@@ -305,6 +305,53 @@ spec: type: object spec: properties: + applicationCredential: + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + default: 730 + minimum: 2 + type: integer + gracePeriodDays: + default: 364 + minimum: 1 + type: integer + roles: + default: + - admin + - service + items: + type: string + minItems: 1 + type: array + unrestricted: + default: false + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: self.gracePeriodDays < self.expirationDays barbican: properties: apiOverride: @@ -431,6 +478,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -440,6 +531,11 @@ spec: default: 90 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object barbicanAPI: properties: apiTimeout: 
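Review bot: With the defaults in the top-level `applicationCredential` block, an enabled credential gets the `admin` and `service` roles, no `accessRules`, and a 730-day lifetime, and `expirationDays` has `minimum: 2` but no upper bound. If long-lived, unscoped admin credentials are not meant to be the baseline, a shorter default plus a cap such as `maximum: <MAX_DAYS>` next to `minimum: 2` would keep overrides within a reviewed range. `method` under `accessRules` is also a free-form string; restricting it to the HTTP verbs Keystone accepts for access rules (I would expect an enum of the standard methods, to be confirmed against the Keystone schema) would reject typos at admission rather than at credential creation. The enclosing `spec.properties` mapping continues outside this hunk.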
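Review bot: The per-service rule `!(has(self.expirationDays) && has(self.gracePeriodDays)) || self.gracePeriodDays < self.expirationDays` is skipped whenever only one of the two fields is overridden. Assuming unset fields fall back to the top-level defaults, a constructed override such as `gracePeriodDays: 800` on its own passes admission although the top-level `expirationDays` default is 730. Unless the merged values are re-checked in a webhook or at reconcile time (not visible here), the effective grace period can exceed the credential lifetime. `roles` in this block also lacks the `minItems: 1` that the top-level block has, so `roles: []` is accepted; adding `minItems: 1` here would keep the two in step. The same block repeats in the later per-service `applicationCredential` hunks of this file, including the three telemetry variants.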
@@ -939,6 +1035,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -950,6 +1090,11 @@ spec: type: integer cinderAPI: properties: + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string customServiceConfigSecrets: @@ -2032,6 +2177,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean 
@@ -2062,6 +2251,11 @@ spec: properties: apiTimeout: type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object backendMdnsServerProtocol: type: string backendType: @@ -3911,6 +4105,50 @@ spec: type: object type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -4456,6 +4694,11 @@ spec: apiTimeout: minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string customServiceConfigSecrets: 
@@ -4835,6 +5078,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cnfAPIOverride: properties: route: @@ -6770,6 +7057,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean 
@@ -6903,6 +7234,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -7164,6 +7500,11 @@ spec: type: array ironicInspector: properties: + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -8430,6 +8771,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -8974,6 +9359,11 @@ spec: type: array manilaAPI: properties: + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string 
@@ -9497,6 +9887,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -9506,6 +9940,11 @@ spec: default: 120 minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object corePlugin: default: ml2 type: string @@ -10327,6 +10766,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cellOverride: additionalProperties: properties: 
@@ -10610,6 +11093,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object cellTemplates: additionalProperties: properties: @@ -11395,6 +11883,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -11430,6 +11962,11 @@ spec: apiTimeout: default: 120 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11472,6 +12009,11 @@ spec: properties: apiTimeout: type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11680,6 +12222,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string 
@@ -11832,6 +12379,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -12090,6 +12642,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -12877,6 +13434,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -12886,6 +13487,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string databaseAccount: 
@@ -13952,6 +14558,50 @@ spec: type: string swift: properties: + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -14108,6 +14758,11 @@ spec: default: 60 minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object ceilometerEnabled: default: false type: boolean 
@@ -14599,6 +15254,138 @@ spec: type: string type: object type: object + applicationCredentialAodh: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' + applicationCredentialCeilometer: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' + applicationCredentialCloudKitty: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + 
x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cloudKittyApiOverride: properties: route: @@ -14868,6 +15655,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customConfigsSecretName: type: string customServiceConfig: @@ -15036,6 +15828,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customConfigsSecretName: type: string customServiceConfig: @@ -15124,6 +15921,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object cloudKittyAPI: properties: customConfigsSecretName: 
@@ -16507,6 +17309,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -16700,6 +17546,11 @@ spec: type: string type: object type: object + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string databaseAccount: diff --git a/bindata/crds/designate.openstack.org_designateapis.yaml b/bindata/crds/designate.openstack.org_designateapis.yaml index e1bb6331e..24a581334 100644 --- a/bindata/crds/designate.openstack.org_designateapis.yaml +++ b/bindata/crds/designate.openstack.org_designateapis.yaml @@ -56,6 +56,14 @@ spec: description: APITimeout for HAProxy and Apache defaults to DesignateSpecCore APITimeout (seconds) type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object backendMdnsServerProtocol: description: |- BackendTypeProtocol - Defines the backend protocol to be used between the designate-worker & 
diff --git a/bindata/crds/designate.openstack.org_designates.yaml b/bindata/crds/designate.openstack.org_designates.yaml index 43902724c..70a37dfe3 100644 --- a/bindata/crds/designate.openstack.org_designates.yaml +++ b/bindata/crds/designate.openstack.org_designates.yaml @@ -102,6 +102,14 @@ spec: description: APITimeout for HAProxy and Apache defaults to DesignateSpecCore APITimeout (seconds) type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object backendMdnsServerProtocol: description: |- BackendTypeProtocol - Defines the backend protocol to be used between the designate-worker & diff --git a/bindata/crds/glance.openstack.org_glanceapis.yaml b/bindata/crds/glance.openstack.org_glanceapis.yaml index e87c060f3..23baebac7 100644 --- a/bindata/crds/glance.openstack.org_glanceapis.yaml +++ b/bindata/crds/glance.openstack.org_glanceapis.yaml @@ -65,6 +65,14 @@ spec: - single - edge type: string + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - GlanceAPI Container Image URL type: string diff --git a/bindata/crds/glance.openstack.org_glances.yaml b/bindata/crds/glance.openstack.org_glances.yaml index 199595a62..732a319e1 100644 --- a/bindata/crds/glance.openstack.org_glances.yaml +++ b/bindata/crds/glance.openstack.org_glances.yaml 
@@ -1229,6 +1229,14 @@ spec: APITimeout minimum: 1 type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object customServiceConfig: description: |- CustomServiceConfig - customize the service config using this parameter to change service defaults, diff --git a/bindata/crds/ironic.openstack.org_ironicapis.yaml b/bindata/crds/ironic.openstack.org_ironicapis.yaml index 88e4370e6..525b98fc7 100644 --- a/bindata/crds/ironic.openstack.org_ironicapis.yaml +++ b/bindata/crds/ironic.openstack.org_ironicapis.yaml @@ -57,6 +57,15 @@ spec: description: APITimeout for HAProxy, Apache minimum: 10 type: integer + auth: + description: Auth - Parameters related to authentication (inherited + from parent Ironic CR) + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Ironic API Container Image type: string @@ -276,6 +285,9 @@ spec: from the Secret type: string type: object + region: + description: Region - OpenStack region name + type: string replicas: default: 1 description: Replicas - diff --git a/bindata/crds/ironic.openstack.org_ironicconductors.yaml b/bindata/crds/ironic.openstack.org_ironicconductors.yaml index 02d2493a0..7da22e51b 100644 --- a/bindata/crds/ironic.openstack.org_ironicconductors.yaml +++ b/bindata/crds/ironic.openstack.org_ironicconductors.yaml 
@@ -52,6 +52,15 @@ spec: spec: description: IronicConductorSpec defines the desired state of IronicConductor properties: + auth: + description: Auth - Parameters related to authentication (inherited + from parent Ironic CR) + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object conductorGroup: description: ConductorGroup - Ironic Conductor conductor group. type: string @@ -176,6 +185,9 @@ spec: pxeContainerImage: description: PxeContainerImage - Ironic DHCP/TFTP/HTTP Container Image type: string + region: + description: Region - OpenStack region name + type: string replicas: default: 1 description: Replicas - diff --git a/bindata/crds/ironic.openstack.org_ironicinspectors.yaml b/bindata/crds/ironic.openstack.org_ironicinspectors.yaml index 13f04d4ab..56ef2e10b 100644 --- a/bindata/crds/ironic.openstack.org_ironicinspectors.yaml +++ b/bindata/crds/ironic.openstack.org_ironicinspectors.yaml @@ -57,6 +57,14 @@ spec: description: APITimeout for HAProxy, Apache minimum: 10 type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Ironic Inspector Container Image type: string diff --git a/bindata/crds/ironic.openstack.org_ironicneutronagents.yaml b/bindata/crds/ironic.openstack.org_ironicneutronagents.yaml index cf005e341..5bf614b75 100644 --- a/bindata/crds/ironic.openstack.org_ironicneutronagents.yaml +++ b/bindata/crds/ironic.openstack.org_ironicneutronagents.yaml 
@@ -54,6 +54,15 @@ spec: description: IronicNeutronAgentSpec defines the desired state of ML2 baremetal - ironic-neutron-agent agents properties: + auth: + description: Auth - Parameters related to authentication (inherited + from parent Ironic CR) + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - ML2 baremtal - Ironic Neutron Agent Image diff --git a/bindata/crds/ironic.openstack.org_ironics.yaml b/bindata/crds/ironic.openstack.org_ironics.yaml index 9ea91472c..4cea34122 100644 --- a/bindata/crds/ironic.openstack.org_ironics.yaml +++ b/bindata/crds/ironic.openstack.org_ironics.yaml @@ -53,6 +53,15 @@ spec: description: APITimeout for HAProxy, Apache minimum: 10 type: integer + auth: + description: Auth - Parameters related to authentication (shared by + IronicAPI, IronicConductor, and IronicNeutronAgent) + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object customServiceConfig: default: '# add your customization here' description: |- @@ -621,6 +630,14 @@ spec: description: IronicInspector - Spec definition for the inspector service of this Ironic deployment properties: + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object customServiceConfig: default: '# add your customization here' description: |- diff --git a/bindata/crds/manila.openstack.org_manilaapis.yaml b/bindata/crds/manila.openstack.org_manilaapis.yaml index 2dd27791f..61134afdf 100644 --- a/bindata/crds/manila.openstack.org_manilaapis.yaml +++ b/bindata/crds/manila.openstack.org_manilaapis.yaml 
@@ -52,6 +52,14 @@ spec: spec: description: ManilaAPISpec defines the desired state of ManilaAPI properties: + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Manila API Container Image URL type: string diff --git a/bindata/crds/manila.openstack.org_manilas.yaml b/bindata/crds/manila.openstack.org_manilas.yaml index d1a3cc4c4..51cdb7b0f 100644 --- a/bindata/crds/manila.openstack.org_manilas.yaml +++ b/bindata/crds/manila.openstack.org_manilas.yaml @@ -1223,6 +1223,14 @@ spec: description: ManilaAPI - Spec definition for the API service of this Manila deployment properties: + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Manila API Container Image URL type: string diff --git a/bindata/crds/neutron.openstack.org_neutronapis.yaml b/bindata/crds/neutron.openstack.org_neutronapis.yaml index 945531b89..bbef3ca2b 100644 --- a/bindata/crds/neutron.openstack.org_neutronapis.yaml +++ b/bindata/crds/neutron.openstack.org_neutronapis.yaml @@ -57,6 +57,14 @@ spec: description: APITimeout for HAProxy, Apache minimum: 1 type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: NeutronAPI Container Image URL (will be set to environmental default if empty) 
diff --git a/bindata/crds/nova.openstack.org_nova.yaml b/bindata/crds/nova.openstack.org_nova.yaml index 99311a735..13b3b428c 100644 --- a/bindata/crds/nova.openstack.org_nova.yaml +++ b/bindata/crds/nova.openstack.org_nova.yaml @@ -371,6 +371,16 @@ spec: description: APITimeout for Route and Apache minimum: 10 type: integer + auth: + description: Auth - Parameters related to authentication (shared by + all Nova services) + properties: + applicationCredentialSecret: + description: |- + ApplicationCredentialSecret - the name of the k8s Secret that contains the + application credential data used for authentication + type: string + type: object cellTemplates: additionalProperties: description: |- diff --git a/bindata/crds/octavia.openstack.org_octaviaamphoracontrollers.yaml b/bindata/crds/octavia.openstack.org_octaviaamphoracontrollers.yaml index a2d1a1b44..6f8416a68 100644 --- a/bindata/crds/octavia.openstack.org_octaviaamphoracontrollers.yaml +++ b/bindata/crds/octavia.openstack.org_octaviaamphoracontrollers.yaml @@ -82,6 +82,14 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Amphora Controller Container Image URL type: string diff --git a/bindata/crds/octavia.openstack.org_octaviaapis.yaml b/bindata/crds/octavia.openstack.org_octaviaapis.yaml index 8ab4cdb82..f36b90742 100644 --- a/bindata/crds/octavia.openstack.org_octaviaapis.yaml +++ b/bindata/crds/octavia.openstack.org_octaviaapis.yaml 
@@ -56,6 +56,14 @@ spec: description: APITimeout for HAProxy and Apache defaults to OctaviaSpecCore APITimeout (seconds) type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: Octavia Container Image URL type: string diff --git a/bindata/crds/octavia.openstack.org_octavias.yaml b/bindata/crds/octavia.openstack.org_octavias.yaml index 24e72afc6..ef07cef32 100644 --- a/bindata/crds/octavia.openstack.org_octavias.yaml +++ b/bindata/crds/octavia.openstack.org_octavias.yaml @@ -83,6 +83,15 @@ spec: default: 120 description: Octavia API timeout type: integer + auth: + description: Auth - Parameters related to authentication (shared by + all Octavia components) + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object customServiceConfig: default: '# add your customization here' description: |- @@ -162,6 +171,14 @@ spec: description: APITimeout for HAProxy and Apache defaults to OctaviaSpecCore APITimeout (seconds) type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object containerImage: description: Octavia Container Image URL type: string 
@@ -582,6 +599,14 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Amphora Controller Container Image URL @@ -830,6 +855,14 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Amphora Controller Container Image URL @@ -1254,6 +1287,14 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Amphora Controller Container Image URL diff --git a/bindata/crds/placement.openstack.org_placementapis.yaml b/bindata/crds/placement.openstack.org_placementapis.yaml index ba8d46b6f..a3a875237 100644 --- a/bindata/crds/placement.openstack.org_placementapis.yaml +++ b/bindata/crds/placement.openstack.org_placementapis.yaml @@ -57,6 +57,14 @@ spec: description: APITimeout for HAProxy, Apache minimum: 10 type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: PlacementAPI Container Image URL (will be set to environmental default if empty) 
diff --git a/bindata/crds/swift.openstack.org_swiftproxies.yaml b/bindata/crds/swift.openstack.org_swiftproxies.yaml index 6259000e0..7b4e7a0a3 100644 --- a/bindata/crds/swift.openstack.org_swiftproxies.yaml +++ b/bindata/crds/swift.openstack.org_swiftproxies.yaml @@ -58,6 +58,14 @@ spec: 60 seconds minimum: 1 type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object ceilometerEnabled: default: false description: Enables ceilometer in the swift proxy and creates required diff --git a/bindata/crds/swift.openstack.org_swifts.yaml b/bindata/crds/swift.openstack.org_swifts.yaml index c4620f62e..5a98bf38b 100644 --- a/bindata/crds/swift.openstack.org_swifts.yaml +++ b/bindata/crds/swift.openstack.org_swifts.yaml @@ -92,6 +92,14 @@ spec: to 60 seconds minimum: 1 type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object ceilometerEnabled: default: false description: Enables ceilometer in the swift proxy and creates diff --git a/bindata/crds/telemetry.openstack.org_autoscalings.yaml b/bindata/crds/telemetry.openstack.org_autoscalings.yaml index f63c24d7d..c92a5b1ee 100644 --- a/bindata/crds/telemetry.openstack.org_autoscalings.yaml +++ b/bindata/crds/telemetry.openstack.org_autoscalings.yaml 
@@ -70,6 +70,14 @@ spec: default: 60 description: APITimeout for Route and Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for + application credential + type: string + type: object customConfigsSecretName: description: |- A name of a secret containing custom configuration files. Files diff --git a/bindata/crds/telemetry.openstack.org_ceilometers.yaml b/bindata/crds/telemetry.openstack.org_ceilometers.yaml index 23ad22146..8f8a86876 100644 --- a/bindata/crds/telemetry.openstack.org_ceilometers.yaml +++ b/bindata/crds/telemetry.openstack.org_ceilometers.yaml @@ -116,6 +116,14 @@ spec: default: 60 description: APITimeout for Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object centralImage: type: string computeImage: diff --git a/bindata/crds/telemetry.openstack.org_cloudkitties.yaml b/bindata/crds/telemetry.openstack.org_cloudkitties.yaml index 0af21e5a2..7a6b919c6 100644 --- a/bindata/crds/telemetry.openstack.org_cloudkitties.yaml +++ b/bindata/crds/telemetry.openstack.org_cloudkitties.yaml @@ -14,16 +14,7 @@ spec: singular: cloudkitty scope: Namespaced versions: - - additionalPrinterColumns: - - description: Status - jsonPath: .status.conditions[0].status - name: Status - type: string - - description: Message - jsonPath: .status.conditions[0].message - name: Message - type: string - name: v1beta1 + - name: v1beta1 schema: openAPIV3Schema: description: CloudKitty is the Schema for the cloudkitties API 
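Review bot: The hunk at `@@ -14,16 +14,7 @@` in telemetry.openstack.org_cloudkitties.yaml drops the `additionalPrinterColumns` (Status, Message) from `v1beta1`, which is unrelated to application credentials; the cloudkittyapis CRD loses the same columns in the next file. If this arrived with a dependency bump rather than on purpose, it should be called out in the commit message, along with the `observedGeneration` status field removed from the four test.openstack.org CRDs further down. With a structural schema an undeclared status field is normally pruned on write, so a controller build that still sets `status.observedGeneration` would lose it without an error. It is worth confirming that the operator images shipped with this commit match these CRD versions.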
@@ -52,6 +43,14 @@ spec: default: 60 description: APITimeout for HAProxy, Apache, and rpc_response_timeout type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object cloudKittyAPI: description: CloudKittyAPI - Spec definition for the API service of this CloudKitty deployment diff --git a/bindata/crds/telemetry.openstack.org_cloudkittyapis.yaml b/bindata/crds/telemetry.openstack.org_cloudkittyapis.yaml index 4227545ae..9b685c348 100644 --- a/bindata/crds/telemetry.openstack.org_cloudkittyapis.yaml +++ b/bindata/crds/telemetry.openstack.org_cloudkittyapis.yaml @@ -14,16 +14,7 @@ spec: singular: cloudkittyapi scope: Namespaced versions: - - additionalPrinterColumns: - - description: Status - jsonPath: .status.conditions[0].status - name: Status - type: string - - description: Message - jsonPath: .status.conditions[0].message - name: Message - type: string - name: v1beta1 + - name: v1beta1 schema: openAPIV3Schema: description: CloudKittyAPI is the Schema for the cloudkittyapis API @@ -48,6 +39,14 @@ spec: spec: description: CloudKittyAPISpec defines the desired state of CloudKittyAPI properties: + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object containerImage: description: ContainerImage - CloudKitty Container Image URL (will be set to environmental default if empty) diff --git a/bindata/crds/telemetry.openstack.org_cloudkittyprocs.yaml b/bindata/crds/telemetry.openstack.org_cloudkittyprocs.yaml index 9cb6cf681..831c38f10 100644 --- a/bindata/crds/telemetry.openstack.org_cloudkittyprocs.yaml +++ b/bindata/crds/telemetry.openstack.org_cloudkittyprocs.yaml 
@@ -53,6 +53,14 @@ spec: description: CloudKittyProcSpec defines the desired state of CloudKitty Processor properties: + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object containerImage: description: ContainerImage - CloudKitty Container Image URL (will be set to environmental default if empty) diff --git a/bindata/crds/telemetry.openstack.org_telemetries.yaml b/bindata/crds/telemetry.openstack.org_telemetries.yaml index 1d98e9498..33665a024 100644 --- a/bindata/crds/telemetry.openstack.org_telemetries.yaml +++ b/bindata/crds/telemetry.openstack.org_telemetries.yaml @@ -73,6 +73,14 @@ spec: default: 60 description: APITimeout for Route and Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name + for application credential + type: string + type: object customConfigsSecretName: description: |- A name of a secret containing custom configuration files. Files @@ -439,6 +447,14 @@ spec: default: 60 description: APITimeout for Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for + application credential + type: string + type: object centralImage: type: string computeImage: 
@@ -614,6 +630,14 @@ spec: default: 60 description: APITimeout for HAProxy, Apache, and rpc_response_timeout type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for + application credential + type: string + type: object cloudKittyAPI: description: CloudKittyAPI - Spec definition for the API service of this CloudKitty deployment diff --git a/bindata/crds/test.openstack.org_ansibletests.yaml b/bindata/crds/test.openstack.org_ansibletests.yaml index 58e4edd44..3bb89f8d9 100644 --- a/bindata/crds/test.openstack.org_ansibletests.yaml +++ b/bindata/crds/test.openstack.org_ansibletests.yaml @@ -1706,14 +1706,6 @@ spec: type: array description: NetworkAttachments status of the deployment pods type: object - observedGeneration: - description: |- - ObservedGeneration - the most recent generation observed for this - service. If the observed generation is less than the spec generation, - then the controller has not processed the latest changes injected by - the opentack-operator in the top-level CR (e.g. the ContainerImage) - format: int64 - type: integer type: object type: object served: true diff --git a/bindata/crds/test.openstack.org_horizontests.yaml b/bindata/crds/test.openstack.org_horizontests.yaml index 33f983190..43dc544f0 100644 --- a/bindata/crds/test.openstack.org_horizontests.yaml +++ b/bindata/crds/test.openstack.org_horizontests.yaml 
@@ -1505,14 +1505,6 @@ spec: type: array description: NetworkAttachments status of the deployment pods type: object - observedGeneration: - description: |- - ObservedGeneration - the most recent generation observed for this - service. If the observed generation is less than the spec generation, - then the controller has not processed the latest changes injected by - the opentack-operator in the top-level CR (e.g. the ContainerImage) - format: int64 - type: integer type: object type: object served: true diff --git a/bindata/crds/test.openstack.org_tempests.yaml b/bindata/crds/test.openstack.org_tempests.yaml index 978eaa58d..4088fd0c4 100644 --- a/bindata/crds/test.openstack.org_tempests.yaml +++ b/bindata/crds/test.openstack.org_tempests.yaml @@ -2348,14 +2348,6 @@ spec: type: array description: NetworkAttachments status of the deployment pods type: object - observedGeneration: - description: |- - ObservedGeneration - the most recent generation observed for this - service. If the observed generation is less than the spec generation, - then the controller has not processed the latest changes injected by - the opentack-operator in the top-level CR (e.g. the ContainerImage) - format: int64 - type: integer type: object type: object served: true diff --git a/bindata/crds/test.openstack.org_tobikoes.yaml b/bindata/crds/test.openstack.org_tobikoes.yaml index 552f2f9a6..daa28cb40 100644 --- a/bindata/crds/test.openstack.org_tobikoes.yaml +++ b/bindata/crds/test.openstack.org_tobikoes.yaml 
@@ -1715,14 +1715,6 @@ spec: type: array description: NetworkAttachments status of the deployment pods type: object - observedGeneration: - description: |- - ObservedGeneration - the most recent generation observed for this - service. If the observed generation is less than the spec generation, - then the controller has not processed the latest changes injected by - the opentack-operator in the top-level CR (e.g. the ContainerImage) - format: int64 - type: integer type: object type: object served: true diff --git a/bindata/crds/watcher.openstack.org_watchers.yaml b/bindata/crds/watcher.openstack.org_watchers.yaml index a91bdf91e..8c20f5a2f 100644 --- a/bindata/crds/watcher.openstack.org_watchers.yaml +++ b/bindata/crds/watcher.openstack.org_watchers.yaml @@ -460,6 +460,15 @@ spec: type: string type: object type: object + auth: + description: Auth - Parameters related to authentication (shared by + all Watcher components) + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object customServiceConfig: description: |- CustomServiceConfig - customize the service config using this parameter to change service defaults, diff --git a/bindata/rbac/rbac.yaml b/bindata/rbac/rbac.yaml index 7aed4290f..a006df8fa 100644 --- a/bindata/rbac/rbac.yaml +++ b/bindata/rbac/rbac.yaml @@ -413,6 +413,7 @@ rules: - keystone.openstack.org resources: - keystoneapis + - keystoneapplicationcredentials verbs: - create - delete @@ -421,6 +422,14 @@ rules: - patch - update - watch +- apiGroups: + - keystone.openstack.org + resources: + - keystoneapplicationcredentials/status + verbs: + - get + - patch + - update - apiGroups: - machineconfiguration.openshift.io resources: diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml index 35c1f0d08..0a883811e 100644 
--- a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml +++ b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml @@ -40,6 +40,53 @@ spec: type: object spec: properties: + applicationCredential: + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + default: 730 + minimum: 2 + type: integer + gracePeriodDays: + default: 364 + minimum: 1 + type: integer + roles: + default: + - admin + - service + items: + type: string + minItems: 1 + type: array + unrestricted: + default: false + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: self.gracePeriodDays < self.expirationDays barbican: properties: apiOverride: @@ -166,6 +213,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean 
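Review bot: The top-level `applicationCredential` block at `@@ -40,6 +40,53 @@` defaults `roles` to `admin` and `service` and leaves `accessRules` optional, so setting only `enabled: true` requests credentials that carry the admin role with no API restriction for up to 730 days. Whether every service needs `admin` cannot be judged from the schema; if not, a narrower default with `admin` as an explicit opt-in would be the safer starting point. The per-service override in the next hunk (`@@ -166,6 +213,50 @@`) and its siblings also drop `minItems: 1` from `roles`, so `roles: []` is accepted there but rejected here; adding `minItems: 1` to the overrides would keep the two consistent. `unrestricted` deserves a field comment in the Go type (this CRD appears to be generated without descriptions), for example `Unrestricted lets the credential create or delete other application credentials and trusts; leave false unless required`.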
@@ -175,6 +266,11 @@ spec: default: 90 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object barbicanAPI: properties: apiTimeout: @@ -674,6 +770,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -685,6 +825,11 @@ spec: type: integer cinderAPI: properties: + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string customServiceConfigSecrets: 
@@ -1767,6 +1912,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -1797,6 +1986,11 @@ spec: properties: apiTimeout: type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object backendMdnsServerProtocol: type: string backendType: @@ -3646,6 +3840,50 @@ spec: type: object type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean 
@@ -4191,6 +4429,11 @@ spec: apiTimeout: minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string customServiceConfigSecrets: @@ -4570,6 +4813,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cnfAPIOverride: properties: route: @@ -6505,6 +6792,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean 
@@ -6638,6 +6969,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -6899,6 +7235,11 @@ spec: type: array ironicInspector: properties: + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -8165,6 +8506,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -8709,6 +9094,11 @@ spec: type: array manilaAPI: properties: + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string 
@@ -9232,6 +9622,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -9241,6 +9675,11 @@ spec: default: 120 minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object corePlugin: default: ml2 type: string @@ -10062,6 +10501,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cellOverride: additionalProperties: properties: 
@@ -10345,6 +10828,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object cellTemplates: additionalProperties: properties: @@ -11130,6 +11618,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -11165,6 +11697,11 @@ spec: apiTimeout: default: 120 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11207,6 +11744,11 @@ spec: properties: apiTimeout: type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11415,6 +11957,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string 
@@ -11567,6 +12114,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11825,6 +12377,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -12612,6 +13169,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -12621,6 +13222,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string databaseAccount: 
@@ -13687,6 +14293,50 @@ spec: type: string swift: properties: + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -13843,6 +14493,11 @@ spec: default: 60 minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object ceilometerEnabled: default: false type: boolean 
@@ -14334,6 +14989,138 @@ spec: type: string type: object type: object + applicationCredentialAodh: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' + applicationCredentialCeilometer: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' + applicationCredentialCloudKitty: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + 
x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cloudKittyApiOverride: properties: route: @@ -14603,6 +15390,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customConfigsSecretName: type: string customServiceConfig: @@ -14771,6 +15563,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customConfigsSecretName: type: string customServiceConfig: @@ -14859,6 +15656,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object cloudKittyAPI: properties: customConfigsSecretName: 
@@ -16242,6 +17044,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -16435,6 +17281,11 @@ spec: type: string type: object type: object + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string databaseAccount: diff --git a/config/manifests/bases/openstack-operator.clusterserviceversion.yaml b/config/manifests/bases/openstack-operator.clusterserviceversion.yaml index a1bee6c67..0d8ae4b2a 100644 --- a/config/manifests/bases/openstack-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/openstack-operator.clusterserviceversion.yaml 
@@ -38,6 +38,13 @@ spec: kind: OpenStackControlPlane name: openstackcontrolplanes.core.openstack.org specDescriptors: + - description: |- + ApplicationCredential - Global configuration for ApplicationCredentials. + Both this global section AND the per-service applicationCredential section + must be enabled for a service to use ApplicationCredentials. + If omitted, defaults to enabled=false with standard expiration/grace periods. + displayName: Application Credential + path: applicationCredential - description: Barbican - Parameters related to the Barbican service displayName: Barbican path: barbican @@ -48,6 +55,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: barbican.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: barbican.applicationCredential - description: Enabled - Whether Barbican service should be deployed and managed displayName: Enabled path: barbican.enabled @@ -66,6 +77,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: cinder.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: cinder.applicationCredential - description: Enabled - Whether Cinder service should be deployed and managed displayName: Enabled path: cinder.enabled @@ -84,6 +99,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: designate.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: designate.applicationCredential - description: Enabled - Whether the Designate service should be deployed and managed displayName: Enabled 
@@ -131,6 +150,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: glance.apiOverrides.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: glance.applicationCredential - description: Enabled - Whether Glance service should be deployed and managed displayName: Enabled path: glance.enabled @@ -149,6 +172,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: heat.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: heat.applicationCredential - description: CnfAPIOverride, provides the ability to override the generated manifest of several child resources. displayName: Cnf APIOverride @@ -192,6 +219,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: ironic.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: ironic.applicationCredential - description: Enabled - Whether Ironic services should be deployed and managed displayName: Enabled path: ironic.enabled @@ -235,6 +266,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: manila.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: manila.applicationCredential - description: Enabled - Whether Manila service should be deployed and managed displayName: Enabled path: manila.enabled 
@@ -264,6 +299,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: neutron.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: neutron.applicationCredential - description: Enabled - Whether Neutron service should be deployed and managed displayName: Enabled path: neutron.enabled @@ -286,6 +325,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: nova.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: nova.applicationCredential - description: |- CellOverride, provides the ability to override the generated manifest of several child resources for a nova cell. cell0 never have compute nodes and therefore it won't have a noVNCProxy deployed. @@ -313,6 +356,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: octavia.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: octavia.applicationCredential - description: Enabled - Whether the Octavia service should be deployed and managed displayName: Enabled @@ -329,9 +376,6 @@ spec: Resource displayName: Template path: openstackclient.template - - description: List of environment variables to set in the container. - displayName: Env - path: openstackclient.template.env - description: Ovn - Overrides to use when creating the OVN Services displayName: Ovn path: ovn 
@@ -364,6 +408,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: placement.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: placement.applicationCredential - description: Enabled - Whether Placement service should be deployed and managed displayName: Enabled path: placement.enabled @@ -404,6 +452,10 @@ spec: - description: Swift - Parameters related to the Swift service displayName: Swift path: swift + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: swift.applicationCredential - description: Enabled - Whether Swift service should be deployed and managed displayName: Enabled path: swift.enabled @@ -436,6 +488,18 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: telemetry.aodhApiOverride.tls + - description: ApplicationCredentialAodh allows service-specific overrides of + the global AC configuration for Aodh. + displayName: Application Credential Aodh + path: telemetry.applicationCredentialAodh + - description: ApplicationCredentialCeilometer allows service-specific overrides + of the global AC configuration for Ceilometer. + displayName: Application Credential Ceilometer + path: telemetry.applicationCredentialCeilometer + - description: ApplicationCredentialCloudKitty allows service-specific overrides + of the global AC configuration for CloudKitty. + displayName: Application Credential Cloud Kitty + path: telemetry.applicationCredentialCloudKitty - description: CloudKittyAPIOverride, provides the ability to override the generated manifest of several child resources. displayName: Cloud Kitty APIOverride 
@@ -524,6 +588,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: watcher.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: watcher.applicationCredential - description: Enabled - Whether Watcher service should be deployed and managed displayName: Enabled path: watcher.enabled diff --git a/config/operator/deployment/kustomization.yaml b/config/operator/deployment/kustomization.yaml index c0f1e3f50..f505492db 100644 --- a/config/operator/deployment/kustomization.yaml +++ b/config/operator/deployment/kustomization.yaml @@ -26,4 +26,4 @@ patches: target: kind: Deployment name: openstack-operator-controller-init - namespace: system + namespace: system \ No newline at end of file diff --git a/config/operator/manager_operator_images.yaml b/config/operator/manager_operator_images.yaml index 0bfb81cd6..8269d67d1 100644 --- a/config/operator/manager_operator_images.yaml +++ b/config/operator/manager_operator_images.yaml 
@@ -14,46 +14,46 @@ spec: - name: operator env: - name: RELATED_IMAGE_BARBICAN_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/barbican-operator@sha256:e5e017be64edd679623ea1b7e6a1ae780fdcee4ef79be989b93d8c1d082da15b + value: quay.io/rh-ee-vfisarov/barbican-operator@sha256:629a757905fe676f15ebab2186532d8af43fb17ff289dad5df34fddfd54a4731 - name: RELATED_IMAGE_CINDER_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/cinder-operator@sha256:e950ac2df7be78ae0cbcf62fe12ee7a06b628f1903da6fcb741609e857eb1a7f + value: quay.io/rh-ee-vfisarov/cinder-operator@sha256:4432c6643faeccbbd949b4ba54d7bc7efbe39a255e57300af67b51a2b03eb5e8 - name: RELATED_IMAGE_DESIGNATE_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/designate-operator@sha256:6c88312afa9673f7b72c558368034d7a488ead73080cdcdf581fe85b99263ece + value: quay.io/rh-ee-vfisarov/designate-operator@sha256:9a27f561c9f23884b67f4fab9c8d2615b46cf4d324003a623470aa85771187d9 - name: RELATED_IMAGE_GLANCE_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/glance-operator@sha256:9caae9b3ee328df678baa26454e45e47693acdadb27f9c635680597aaec43337 + value: quay.io/rh-ee-vfisarov/glance-operator@sha256:4c59d19ce794050a8020a079843ad2281bd76bc943d577efd7bd59c4ee52e29b - name: RELATED_IMAGE_HEAT_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/heat-operator@sha256:2f9a2f064448faebbae58f52d564dc0e8e39bed0fc12bd6b9fe925e42f1b5492 + value: quay.io/openstack-k8s-operators/heat-operator@sha256:573d7dba212cbc32101496a7cbe01e391af9891bed3bec717f16bed4d6c23e04 - name: RELATED_IMAGE_HORIZON_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/horizon-operator@sha256:3311e627bcb860d9443592a2c67078417318c9eb77d8ef4d07f9aa7027d46822 + value: quay.io/openstack-k8s-operators/horizon-operator@sha256:b7111c690e8fda3cb0c5969bcfa68308907fd0cf05f73ecdcb9ac1423aa7bba3 - name: RELATED_IMAGE_INFRA_OPERATOR_MANAGER_IMAGE_URL value: 
quay.io/openstack-k8s-operators/infra-operator@sha256:2eac1b9dadaddf4734f35e3dd1996dca960e97d2f304cbd48254b900a840a84a - name: RELATED_IMAGE_IRONIC_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/ironic-operator@sha256:d3c55b59cb192799f8d31196c55c9e9bb3cd38aef7ec51ef257dabf1548e8b30 + value: quay.io/rh-ee-vfisarov/ironic-operator@sha256:d7e1674896885701c5fd0a234d8fccb00d90066e46de4901642413f4b221c7ae - name: RELATED_IMAGE_KEYSTONE_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/keystone-operator@sha256:8e340ff11922b38e811261de96982e1aff5f4eb8f225d1d9f5973025a4fe8349 + value: quay.io/rh-ee-vfisarov/keystone-operator@sha256:3f07fd90b18820601ae78f45a9fbef53bf9e3ed131d5cfa1d424ae0145862dd6 - name: RELATED_IMAGE_MANILA_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/manila-operator@sha256:8bee4480babd6fd8f686e0ba52a304acb6ffb90f09c7c57e7f5df5f7658836d8 + value: quay.io/rh-ee-vfisarov/manila-operator@sha256:a81133a26aeb26d2ef1a73d063733e595349b2e94969abcb8bc100f8668ee702 - name: RELATED_IMAGE_MARIADB_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/mariadb-operator@sha256:ff0b6c27e2d96afccd73fbbb5b5297a3f60c7f4f1dfd2a877152466697018d71 + value: quay.io/openstack-k8s-operators/mariadb-operator@sha256:c10647131e6fa6afeb11ea28e513b60f22dbfbb4ddc3727850b1fe5799890c41 - name: RELATED_IMAGE_NEUTRON_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/neutron-operator@sha256:b57d65d2a968705b9067192a7cb33bd4a12489db87e1d05de78c076f2062cab4 + value: quay.io/rh-ee-vfisarov/neutron-operator@sha256:949870b350604b04062be6d035099ea54982d663328fe1604123fbadfad20a89 - name: RELATED_IMAGE_NOVA_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/nova-operator@sha256:4e995cfa360a9d595a01b9c0541ab934692f2374203cb5738127dd784f793831 + value: quay.io/rh-ee-vfisarov/nova-operator@sha256:59aed9d7b656128cd3b1f96445cff8930179e36cc695a9e0ec3dfebb8372605a - name: 
RELATED_IMAGE_OCTAVIA_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/octavia-operator@sha256:a8fc8f9d445b1232f446119015b226008b07c6a259f5bebc1fcbb39ec310afe5 + value: quay.io/rh-ee-vfisarov/octavia-operator@sha256:c71c081c53239338b69dc68bde59707ecafa147c81489fd755b82a9f1af402bd - name: RELATED_IMAGE_OPENSTACK_BAREMETAL_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/openstack-baremetal-operator@sha256:dae767a3ae652ffc70ba60c5bf2b5bf72c12d939353053e231b258948ededb22 + value: quay.io/openstack-k8s-operators/openstack-baremetal-operator@sha256:5d09c9ffa6ee479724f6da786cb35902b87578365dac2035c222f5e4f752d208 - name: RELATED_IMAGE_OVN_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/ovn-operator@sha256:8b3bfb9e86618b7ac69443939b0968fae28a22cd62ea1e429b599ff9f8a5f8cf + value: quay.io/openstack-k8s-operators/ovn-operator@sha256:635a4aef9d6f0b799e8ec91333dbb312160c001d05b3c63f614c124e0b67cb59 - name: RELATED_IMAGE_PLACEMENT_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/placement-operator@sha256:65cfe5b9d5b0571aaf8ff9840b12cc56e90ca4cef162dd260c3a9fa2b52c6dd0 + value: quay.io/rh-ee-vfisarov/placement-operator@sha256:a40693d0a2ee7b50ff5b2bd339bc0ce358ccc16309e803e40d8b26e189a2b4c0 - name: RELATED_IMAGE_RABBITMQ_CLUSTER_OPERATOR_MANAGER_IMAGE_URL value: quay.io/openstack-k8s-operators/rabbitmq-cluster-operator@sha256:893e66303c1b0bc1d00a299a3f0380bad55c8dc813c8a1c6a4aab379f5aa12a2 - name: RELATED_IMAGE_SWIFT_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/swift-operator@sha256:445e951df2f21df6d33a466f75917e0f6103052ae751ae11887136e8ab165922 + value: quay.io/rh-ee-vfisarov/swift-operator@sha256:018ae1352a061ad22a0d4ac5764eb7e19cf5a1d6c2e554f61ae0bd82ebe62e29 - name: RELATED_IMAGE_TELEMETRY_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/telemetry-operator@sha256:e02722d7581bfe1c5fc13e2fa6811d8665102ba86635c77547abf6b933cde127 + value: 
quay.io/rh-ee-vfisarov/telemetry-operator@sha256:578ea6a6c68040cb54e0160462dc2b97226594621a5f441fa1d58f429cf0e010 - name: RELATED_IMAGE_TEST_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/test-operator@sha256:c8dde42dafd41026ed2e4cfc26efc0fff63c4ba9d31326ae7dc644ccceaafa9d + value: quay.io/openstack-k8s-operators/test-operator@sha256:4e3d234c1398039c2593611f7b0fd2a6b284cafb1563e6737876a265b9af42b6 - name: RELATED_IMAGE_WATCHER_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/watcher-operator@sha256:2d6d13b3c28e45c6bec980b8808dda8da4723ae87e66d04f53d52c3b3c51612b + value: quay.io/rh-ee-vfisarov/watcher-operator@sha256:611e4fb8bf6cd263664ccb437637105fba633ba8f701c228fd525a7a7b3c8d74 diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 574879be7..f16b520df 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -364,6 +364,7 @@ rules: - keystone.openstack.org resources: - keystoneapis + - keystoneapplicationcredentials verbs: - create - delete @@ -372,6 +373,14 @@ rules: - patch - update - watch +- apiGroups: + - keystone.openstack.org + resources: + - keystoneapplicationcredentials/status + verbs: + - get + - patch + - update - apiGroups: - machineconfiguration.openshift.io resources: diff --git a/config/samples/applicationcredentials/kustomization.yaml b/config/samples/applicationcredentials/kustomization.yaml new file mode 100644 index 000000000..c7cbe3ecf --- /dev/null +++ b/config/samples/applicationcredentials/kustomization.yaml @@ -0,0 +1,14 @@ +resources: +- ../base/openstackcontrolplane + +patches: +- target: + kind: OpenStackControlPlane + name: .* + patch: |- + - op: replace + path: /metadata/name + value: openstack +- target: + kind: OpenStackControlPlane + path: patch.yaml diff --git a/config/samples/applicationcredentials/patch.yaml b/config/samples/applicationcredentials/patch.yaml new file mode 100644 index 000000000..c16d4747d --- /dev/null 
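Review bot: Fourteen `RELATED_IMAGE_*_OPERATOR_MANAGER_IMAGE_URL` values in the `@@ -14,46 +14,46 @@` hunk move from `quay.io/openstack-k8s-operators/` to the personal namespace `quay.io/rh-ee-vfisarov/`. The sha256 digests pin the content but do not establish who built it, so a deployment from this manifest would run operator managers from a registry account outside the project's release pipeline. This looks like development wiring for the feature. Before merge the values should return to `quay.io/openstack-k8s-operators/<operator>@sha256:<digest built by project CI>`, or the change should be held as do-not-merge while they remain.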
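Review bot: The rule added in the `@@ -372,6 +373,14 @@` hunk grants `patch` and `update` on `keystoneapplicationcredentials/status`, a subresource normally written only by the controller that reconciles the resource. If KeystoneApplicationCredential is reconciled by keystone-operator (not visible here), this operator only reads status, which `get` on the main resource already returns, so the rule can be reduced to `get` or dropped. The first hunk also places the new resource under the existing verb list that includes `delete`; confirm that deletion is needed rather than left to owner references. If role.yaml is generated from kubebuilder RBAC markers, the marker is the place to change.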
+++ b/config/samples/applicationcredentials/patch.yaml @@ -0,0 +1,77 @@ +apiVersion: core.openstack.org/v1beta1 +kind: OpenStackControlPlane +metadata: + name: openstack +spec: + # Test only services that are enabled by default in basic deployment. + # + applicationCredential: + enabled: true + + # barbican: inherits kubebuilder defaults (no overrides) + # Expected: expirationDays=730, gracePeriodDays=364, roles=[admin,service], unrestricted=false + barbican: + applicationCredential: + enabled: true + + # cinder: custom service-specific overrides + # Tests: all fields customized + cinder: + applicationCredential: + enabled: true + expirationDays: 10 + gracePeriodDays: 5 + roles: + - admin + - service + unrestricted: true + + # glance: partial overrides (only expiration values) + # Tests: partial override, inherits default roles + glance: + applicationCredential: + enabled: true + expirationDays: 180 + gracePeriodDays: 60 + + # swift: only roles override + # Tests: role customization, inherits default expiration values + swift: + applicationCredential: + enabled: true + roles: + - service + + # neutron: minimal override (only enabled) + # Tests: inherits all defaults + neutron: + applicationCredential: + enabled: true + + # placement: custom expiration only + # Tests: single field override + placement: + applicationCredential: + enabled: true + expirationDays: 90 + gracePeriodDays: 30 + + # nova: custom roles with multiple values + # Tests: multiple role assignment + nova: + applicationCredential: + enabled: true + roles: + - admin + - service + - member + + # telemetry/ceilometer: enabled by default in the base sample (telemetry.enabled=true, ceilometer.enabled=true) + # Tests: telemetry-specific AC override path + telemetry: + applicationCredentialCeilometer: + enabled: true + expirationDays: 45 + gracePeriodDays: 20 + roles: + - service diff --git a/go.mod b/go.mod index c2f635291..d6f5d9431 100644 --- a/go.mod +++ b/go.mod 
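Review bot: The cinder entry sets `unrestricted: true` with only the comment `# Tests: all fields customized`, in a samples directory that users copy from. In Keystone an unrestricted application credential may create and delete other application credentials and trusts, so the sample should say the flag is there for coverage only, for example `# unrestricted: true is for test coverage only; it lets the credential manage other application credentials and trusts`. The barbican comment lists the inherited roles as `[admin,service]`; a one-line comment that `roles` should be narrowed to what the service needs, as the swift entry does, would help readers who start from this file.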
@@ -12,33 +12,33 @@ require ( github.com/onsi/ginkgo/v2 v2.27.5 github.com/onsi/gomega v1.39.0 github.com/openshift/api v3.9.0+incompatible - github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260116212320-64032e7fd88b - github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260117104330-07a1ec4fd99c - github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260116130311-be0d2af32151 - github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260120080045-1c470da1ed9b - github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260110225157-5b3bf0296d6e - github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260111154931-be9fdcb15911 + github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20251220125032-e46717ca376e + github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20251221204540-9ad70f8debbc + github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20251203145024-0f6b7a8e7dc5 + github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20251221170241-a5482a4f039a + github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20251213170654-5ce22bc3a2e9 + github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20251213062730-e339ac2f2851 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260115124008-0121df869109 - github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260113170151-9d29139352bb - github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260120112029-cd452f0497ba - github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20251230215914-6ba873b49a35 - github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20251230215914-6ba873b49a35 + github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20251213181601-3669e9f88d07 + github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260109123729-8c46aa6cb459 + 
github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20251215094837-5c05ea64c324 + github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20251215094837-5c05ea64c324 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251230215914-6ba873b49a35 github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20251230215914-6ba873b49a35 github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20251230215914-6ba873b49a35 - github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260119144421-0c24d784b5c4 - github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260105160121-f7a8ef85ce8d - github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260116082728-d39936b42046 - github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260113080058-6dba625f41a1 - github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260116134432-df49a23ff7a1 - github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20260111155522-06cd1004cb26 - github.com/openstack-k8s-operators/openstack-operator/api v0.0.0-00010101000000-000000000000 - github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20260110163153-032238f53c26 - github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260111213949-0dcd5c93e1ea - github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260114150411-6838d5edd879 - github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260120104652-eb64f15362ce - github.com/openstack-k8s-operators/test-operator/api v0.6.1-0.20260120112029-0c8a715f5185 - github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260113110118-a6915bd1d851 + github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20251221204257-893591a14936 + github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20251220223619-1df7af154c0f + github.com/openstack-k8s-operators/neutron-operator/api 
v0.6.1-0.20251125150830-633e42336356 + github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20251127143706-407c63ad016a + github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20251127161151-38d49bbc1c5d + github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20251208195928-7a740b4f921d + github.com/openstack-k8s-operators/openstack-operator/api v0.0.0-20251202072739-b102924657dd + github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20251127135801-f3d54911d811 + github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20251221210503-10057cebd870 + github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20251216163659-f7a35d4fc73b + github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20251222143830-69bf8ba39dff + github.com/openstack-k8s-operators/test-operator/api v0.6.1-0.20251220223050-cc44551aa6e9 + github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20251222122818-fc7387823d0b github.com/pkg/errors v0.9.1 github.com/rabbitmq/cluster-operator/v2 v2.16.0 github.com/stretchr/testify v1.11.1 
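Review bot: Most `require` lines in this hunk move to older pseudo-versions, for example keystone-operator/api from `20260120112029` to `20260109123729` and neutron-operator/api from `20260116082728` to `20251125150830`, which reads like a branch built on an older go.mod and not an intended downgrade. lib-common is left split across two commits: `modules/ansible` and `modules/certmanager` at `20251215094837-5c05ea64c324`, `modules/common`, `storage` and `test` at `20251230215914-6ba873b49a35`. `openstack-operator/api` also changes from the placeholder `v0.0.0-00010101000000-000000000000` to a dated pseudo-version. Rebasing on the current go.mod and re-running `go mod tidy` would keep the fixes that landed between those commits; the `require` block itself starts and ends outside the hunk.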
@@ -181,3 +181,34 @@ replace k8s.io/code-generator => k8s.io/code-generator v0.31.14 //allow-merging replace k8s.io/component-base => k8s.io/component-base v0.31.14 //allow-merging replace github.com/cert-manager/cmctl/v2 => github.com/cert-manager/cmctl/v2 v2.1.2-0.20241127223932-88edb96860cf //allow-merging + +// appcred related changes +replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20260119142142-e3bd4fb9750f + +replace github.com/openstack-k8s-operators/barbican-operator/api => github.com/Deydra71/barbican-operator/api v0.0.0-20260122143302-441c30d1c438 + +replace github.com/openstack-k8s-operators/cinder-operator/api => github.com/Deydra71/cinder-operator/api v0.0.0-20260122142851-3c5a4a2215f5 + +replace github.com/openstack-k8s-operators/glance-operator/api => github.com/Deydra71/glance-operator/api v0.0.0-20260123074844-53feda93ba72 + +replace github.com/openstack-k8s-operators/swift-operator/api => github.com/Deydra71/swift-operator/api v0.0.0-20260122143236-575c5d72d81d + +replace github.com/openstack-k8s-operators/manila-operator/api => github.com/Deydra71/manila-operator/api v0.0.0-20260123075332-e123b69b3416 + +replace github.com/openstack-k8s-operators/neutron-operator/api => github.com/Deydra71/neutron-operator/api v0.0.0-20260123083955-69c5aba4972e + +replace github.com/openstack-k8s-operators/placement-operator/api => github.com/Deydra71/placement-operator/api v0.0.0-20260123080709-541dfe920e59 + +replace github.com/openstack-k8s-operators/designate-operator/api => github.com/Deydra71/designate-operator/api v0.0.0-20260122154149-aeef545db0af + +replace github.com/openstack-k8s-operators/octavia-operator/api => github.com/Deydra71/octavia-operator/api v0.0.0-20260123083319-2d305c284221 + +replace github.com/openstack-k8s-operators/ironic-operator/api => github.com/Deydra71/ironic-operator/api v0.0.0-20260121092824-e02c23e47739 + +replace 
github.com/openstack-k8s-operators/watcher-operator/api => github.com/Deydra71/watcher-operator/api v0.0.0-20260123084421-09981612ac4a + +replace github.com/openstack-k8s-operators/nova-operator/api => github.com/Deydra71/nova-operator/api v0.0.0-20260121084006-035337c15476 + +replace github.com/openstack-k8s-operators/telemetry-operator/api => github.com/Deydra71/telemetry-operator/api v0.0.0-20260115114909-fad545af8c46 + +replace github.com/openstack-k8s-operators/heat-operator/api => github.com/afaranha/heat-operator/api v0.0.0-20260120135610-287803d0838a diff --git a/go.sum b/go.sum index 480baac94..916dde031 100644 --- a/go.sum +++ b/go.sum 
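Review bot: The `replace` block added under `// appcred related changes` points fifteen `openstack-k8s-operators/*/api` modules at personal forks (`github.com/Deydra71/...`, `github.com/afaranha/heat-operator/api`) on `v0.0.0-...` pseudo-versions, so a build from this commit compiles API code that sits outside the upstream organisation's review and branch protection. The regenerated `hack/export_operator_related_images.sh` hunk does the same for container images, moving fourteen operator images from `quay.io/openstack-k8s-operators/` to `quay.io/rh-ee-vfisarov/` digests. Unlike the context lines above it, none of the new directives carries `//allow-merging`, which suggests they are temporary test pins; saying so in the file would make it harder for them to ship by accident, for example `// TEMPORARY: fork pins for appcred testing; remove once the upstream operator PRs merge, then run go mod tidy`. Before merge, each pin should be replaced by an upstream pseudo-version and the image list regenerated from the upstream registry namespace.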
@@ -1,5 +1,35 @@ +github.com/Deydra71/barbican-operator/api v0.0.0-20260122143302-441c30d1c438 h1:HJ5OXkYFCEdpTfFm7JXQf2IaHFyGK4myHmLob0+zM6Y= +github.com/Deydra71/barbican-operator/api v0.0.0-20260122143302-441c30d1c438/go.mod h1:LNFXItaLYod750CjiMsml67rEwSgRv6wvANi2wWQPiA= +github.com/Deydra71/cinder-operator/api v0.0.0-20260122142851-3c5a4a2215f5 h1:rQL/Y18+Chr632Bx6V/5OcV+td4FmiPXlcDLXWTPvBI= +github.com/Deydra71/cinder-operator/api v0.0.0-20260122142851-3c5a4a2215f5/go.mod h1:IzsPB8GKDO7dkS4KSISodU0CqhBNUccSAgc/iNENZ3Y= +github.com/Deydra71/designate-operator/api v0.0.0-20260122154149-aeef545db0af h1:28+dU43DcynFpmz4oHGkhA4/NyIBosZtJsVBnOeCJJU= +github.com/Deydra71/designate-operator/api v0.0.0-20260122154149-aeef545db0af/go.mod h1:OepE3tH25UoiyG0zMZlmJ+qH+Jut421eyCZaKPXhmPw= +github.com/Deydra71/glance-operator/api v0.0.0-20260123074844-53feda93ba72 h1:WJmGFN0cyaQ/CzDDWRElrE/fi7EPN0djhRfzT8za2Ao= +github.com/Deydra71/glance-operator/api v0.0.0-20260123074844-53feda93ba72/go.mod h1:720uzNTkk+nZAhzAb1DewM3sDhf/gFZ1qruD2vAlEvk= +github.com/Deydra71/ironic-operator/api v0.0.0-20260121092824-e02c23e47739 h1:iYHdftJgsplisE+Wv5qF0eHzTMdhl6klxIPOLWIEHxw= +github.com/Deydra71/ironic-operator/api v0.0.0-20260121092824-e02c23e47739/go.mod h1:fHbvJtxq0tuqLORh2pLvbp1ZkJsrZf/jfsbfjgb8JsY= +github.com/Deydra71/keystone-operator/api v0.0.0-20260119142142-e3bd4fb9750f h1:cZNeZWT7OJw8ehZx6JFtJLrGRqrzmAamq9CGk/J3uVY= +github.com/Deydra71/keystone-operator/api v0.0.0-20260119142142-e3bd4fb9750f/go.mod h1:xqvebn9DqLavxp2z8Rz/7i1S6M9MJhxmZVHC+S1uHX0= +github.com/Deydra71/manila-operator/api v0.0.0-20260123075332-e123b69b3416 h1:g7zd1JlfCjR0nQnNzx1ZuNYXzrmCeiuVwVPTzM7jzw8= +github.com/Deydra71/manila-operator/api v0.0.0-20260123075332-e123b69b3416/go.mod h1:N9V9SZ8J4g6aIDxas9O8xsWDU5mcos/O7omgpWagdX4= +github.com/Deydra71/neutron-operator/api v0.0.0-20260123083955-69c5aba4972e h1:NtnueRdP0mV9OOkQtcyW/BF2r5EKPO1YokT7vqYrEiw= +github.com/Deydra71/neutron-operator/api 
v0.0.0-20260123083955-69c5aba4972e/go.mod h1:g107gk6VWVtLY7BE07ZcioogXD7lr7wEIZADaeQdOH0= +github.com/Deydra71/nova-operator/api v0.0.0-20260121084006-035337c15476 h1:8r7TjSxBEDshxDLK2S5OVJx2TOO9NOPyBoWxiAGcTfw= +github.com/Deydra71/nova-operator/api v0.0.0-20260121084006-035337c15476/go.mod h1:s9gEywJBEUnNWYHRNJeb2Xkajjsg220AYWFA4oh8Zwk= +github.com/Deydra71/octavia-operator/api v0.0.0-20260123083319-2d305c284221 h1:2xqv/imywdu06iavEprG6V4wYY27czr88Re5bNlJUo0= +github.com/Deydra71/octavia-operator/api v0.0.0-20260123083319-2d305c284221/go.mod h1:vYPgxmaojx08w77AX5zOuTl783XdP42wMDcx5RFLRrM= +github.com/Deydra71/placement-operator/api v0.0.0-20260123080709-541dfe920e59 h1:Ad9B3UahL16r2t7xyAYKpG/x5ckQI0iDwPQLM+VeqKE= +github.com/Deydra71/placement-operator/api v0.0.0-20260123080709-541dfe920e59/go.mod h1:x0UGoetq8vzIInHT5c1VHN9jtHx7PMVFqeoQkL+Yy1I= +github.com/Deydra71/swift-operator/api v0.0.0-20260122143236-575c5d72d81d h1:dDQ5ehQVsiMDbtclQh3iEcUQbD814Thr3Rh5zXcZHnE= +github.com/Deydra71/swift-operator/api v0.0.0-20260122143236-575c5d72d81d/go.mod h1:e7GTsfMeYlvJJJTdK+NydcsYT0qzqN9paxTTttgbLyU= +github.com/Deydra71/telemetry-operator/api v0.0.0-20260115114909-fad545af8c46 h1:otHmbfzAuPfCy6ttv0PIdfGVJnIuBAUzzl6c50mLDy4= +github.com/Deydra71/telemetry-operator/api v0.0.0-20260115114909-fad545af8c46/go.mod h1:Gq8pU5WOlizRSCzbWaj9hR3uZ+t0rem8lGsYRbckJ9s= +github.com/Deydra71/watcher-operator/api v0.0.0-20260123084421-09981612ac4a h1:z3ufacMuoGtU1QgdzHTuBSliNO9aQLn+n1Qr9dgxdxo= +github.com/Deydra71/watcher-operator/api v0.0.0-20260123084421-09981612ac4a/go.mod h1:2jbeEF2v1WZ8FBRgM5jyJpSaWPOiPQyPhE/Gnlvrxxo= github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/afaranha/heat-operator/api v0.0.0-20260120135610-287803d0838a h1:h/VpjKAAFEpdejoyA55ZmIi35m+s/0WFFGJCZp45+p4= +github.com/afaranha/heat-operator/api 
v0.0.0-20260120135610-287803d0838a/go.mod h1:iM7f03/fslaMRCNZg0q+3jrFQHm0mPREofeFS+J8s0U= github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= 
@@ -138,28 +168,14 @@ github.com/onsi/gomega v1.39.0 h1:y2ROC3hKFmQZJNFeGAMeHZKkjBL65mIZcvrLQBF9k6Q= github.com/onsi/gomega v1.39.0/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4= github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e h1:E1OdwSpqWuDPCedyUt0GEdoAE+r5TXy7YS21yNEo+2U= github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= -github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260116212320-64032e7fd88b h1:PSxwrn5pFgdTakOipOwST9QjNSU7kLZDn+edzGGtJcU= -github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260116212320-64032e7fd88b/go.mod h1:FbFRq2bJpei+BSQCwLrmzFGELavg1WLRv2yFYa0g8Po= -github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260117104330-07a1ec4fd99c h1:/T6TSiNuj40RJK87QqUEMieU8yhqd+sEW7Uz9OMhg4s= -github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260117104330-07a1ec4fd99c/go.mod h1:zGIXNYjHyRfNIEF9RJehBZ5Azd5AUtoHXx7FxpQOJ54= -github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260116130311-be0d2af32151 h1:HFozpOv84PL+hlXFQfqtC39htH+Nsvy+0xFqJDpAmoU= -github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260116130311-be0d2af32151/go.mod h1:X8ULjyhQmjJVZIH19etCLZf60/KPxc1i1YI9/osYQvw= -github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260120080045-1c470da1ed9b h1:bTelVTmjxylpcJbtrnxBT1qtP4ziMjt2fUv7+ZEC3h8= -github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260120080045-1c470da1ed9b/go.mod h1:ghegwjz1c0J8GSjZiM/qSIzg+qjZNCwUbwbPEbrcrno= -github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260110225157-5b3bf0296d6e h1:ynaKOj8sQcZBWXBmiB+TnxLKJ3oVEuBhfOvC/jwX4Ao= -github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260110225157-5b3bf0296d6e/go.mod h1:kZ/HozGVLmv4LrhsoxjjKT/zckenLznLQY1ud6z1CbY= -github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260111154931-be9fdcb15911 
h1:yO+lHq/SGfFyGjKMcD6xgaqC19fHtrRfTQ/5MZpRo1M= -github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260111154931-be9fdcb15911/go.mod h1:j4xehAICMmNT/2VnRcOToMHZA9/Nj0SsiyETceUK7Pc= +github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20251213062730-e339ac2f2851 h1:EfKq1oxaNVAkdz7vGyrvFKUA6juw9uLEI9ZPulIyCWU= +github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20251213062730-e339ac2f2851/go.mod h1:0nsIeghZDuEgBfsT1Rlik+ZLBRsXoVrni2pTMP++OV0= github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260115124008-0121df869109 h1:S+A67nntHZrL1lIL3qr91CpJj+A67M/G4t1cTKzeGdo= github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260115124008-0121df869109/go.mod h1:ZXwFlspJCdZEUjMbmaf61t5AMB4u2vMyAMMoe/vJroE= -github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260113170151-9d29139352bb h1:EfIsetORQ/wDeYArPt0NMECMVzkQe5MpaUCMNfs0O2k= -github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260113170151-9d29139352bb/go.mod h1:pOMPE4BqDjla9JI8KFcRnM6yuIb/pkA8GnE6QY31FIs= -github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260120112029-cd452f0497ba h1:4VaDkZFawGCkzwvfijnFLz0Gduxh17buj9fIwk0WULo= -github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260120112029-cd452f0497ba/go.mod h1:xqvebn9DqLavxp2z8Rz/7i1S6M9MJhxmZVHC+S1uHX0= -github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20251230215914-6ba873b49a35 h1:TNEUTF0Yj8qmIRgUppbzH0MuYtVcgT4+EdMdTYP/kI0= -github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20251230215914-6ba873b49a35/go.mod h1:tXxVkkk8HlATwTmDA5RTP3b+c8apfuMM15mZ2wW5iNs= -github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20251230215914-6ba873b49a35 h1:087A4QSgeXtTLrAkI5lRZhyrOxp9bRM0ivjhcwSQUUg= -github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20251230215914-6ba873b49a35/go.mod h1:DXZa8jn1R4GNDNBvKJhOFEFjg/6v8TRu9J1AHKj5TJc= 
+github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20251215094837-5c05ea64c324 h1:erFyZoCaLBcDfEmuILVQcRC1IA1Q43oKMWZ/kkquQZ0= +github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20251215094837-5c05ea64c324/go.mod h1:tXxVkkk8HlATwTmDA5RTP3b+c8apfuMM15mZ2wW5iNs= +github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20251215094837-5c05ea64c324 h1:YCi8k03hjF/mUwt5GLf5CxBYNuMzY9wVOpyIWWdaLZk= +github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20251215094837-5c05ea64c324/go.mod h1:3zDlaWh4PKwFAhYM6zcKe+bAnCggnSB94v4unP4snUM= github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251230215914-6ba873b49a35 h1:pF3mJ3nwq6r4qwom+rEWZNquZpcQW/iftHlJ1KPIDsk= github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251230215914-6ba873b49a35/go.mod h1:kycZyoe7OZdW1HUghr2nI3N7wSJtNahXf6b/ypD14f4= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251230215914-6ba873b49a35 h1:IdcI8DFvW8rXtchONSzbDmhhRp1YyO2YaBJDBXr44Gk= 
@@ -168,32 +184,16 @@ github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.202512302 github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20251230215914-6ba873b49a35/go.mod h1:H0aQANk8iJPRhS2Bg9n6cYb/IHF0Cks9g7+uZG04Rhk= github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20251230215914-6ba873b49a35 h1:8rQc4Fsfe6yqRU5Xjt9lWXqUqfBjRubr0utnUpUBKTE= github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20251230215914-6ba873b49a35/go.mod h1:QWzyC+tTBB2OGuYyIiLLo1oA0+I/0NUMXD+dj4Quv4M= -github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260119144421-0c24d784b5c4 h1:wYoCaC7r00+BsuYfetXJc6+a4uDs5Qp/tGWiA3zzWCM= -github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260119144421-0c24d784b5c4/go.mod h1:VKrN8rmHVOZsJXtvCw+fRtlhDmel3bi6wzGzUMScuOc= -github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260105160121-f7a8ef85ce8d h1:cbQpEHW404M+QBrevqh+MyrtPRUFlHTLmSAHflEth6U= -github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260105160121-f7a8ef85ce8d/go.mod h1:X6W8pIULiWUc6smaTqiNocjxoXaRLgXediwpI/dxD9s= -github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260116082728-d39936b42046 h1:eWUkbFvPbZfhzMl6KwUrSY30rg0MG3LTKKpiv69+LG0= -github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260116082728-d39936b42046/go.mod h1:CNJF0ekxqVqrEMLGL/hV489p0RrVoB3alMhjE9cxv1o= -github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260113080058-6dba625f41a1 h1:fWk7A2V+lB8HeZjTRM4ir1ThWPjf1yC2mejyBJK4kuo= -github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260113080058-6dba625f41a1/go.mod h1:ylEKFn6OOoHsV1fdu21PvJpG3oeTSpDvh2rZLrJyFNo= -github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260116134432-df49a23ff7a1 h1:UGgAP+3Ye8B8U+18kPeGu6gvn4VK+LLCCXHtkeSb4pw= -github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260116134432-df49a23ff7a1/go.mod h1:5/igDRSb+efFtzZBU/jNpPAnaUMwM1kliC0C/cDcooE= 
-github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20260111155522-06cd1004cb26 h1:zijwoA7LwSl4s6RfgN6GqFpt0+IKnUnZdlHe4eKDhgc= -github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20260111155522-06cd1004cb26/go.mod h1:OFvUyXC2TekOk3ZlTOo8YzEneQV5W5Ob7X54yOgaf18= -github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20260110163153-032238f53c26 h1:g0q8+sFU1aTLsNvh1DaH+JgBhZr5UNtkj8gf9GI8kHk= -github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20260110163153-032238f53c26/go.mod h1:LTrCp/cf4HFozb0ZhblhQKO0jUmmBnvD8zFocOsasAM= -github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260111213949-0dcd5c93e1ea h1:FLYCExfJbPqeaP7ukoqgIeBZA4J1AcodO/EUyLK2pyI= -github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260111213949-0dcd5c93e1ea/go.mod h1:JoWcJYo7glD3/XaghQcw/FH1nbYfAY/XWCeq/tBCEO8= +github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20251220223619-1df7af154c0f h1:Lrt+Bo/mTncK8kdd+hT1o/X6oCGl2uUMdBe+X3lrKrk= +github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20251220223619-1df7af154c0f/go.mod h1:KbToF6BJ5oO1/MapNRhMHED/C/OGfCPMXmIJm/G3tLg= +github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20251208195928-7a740b4f921d h1:vBmv0vvDVf5/V0bZUoed2TNQ+t0Z0ExPZgUyWLoXDw4= +github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20251208195928-7a740b4f921d/go.mod h1:IguVL02aJlDXM9zRvSdZfcOL5aMsF3/YH5ywX6sUoNk= +github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20251127135801-f3d54911d811 h1:H1b2RlE9EsemU/dbtV96xIXxmGBLS2UcBtdSS0bYucw= +github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20251127135801-f3d54911d811/go.mod h1:LTrCp/cf4HFozb0ZhblhQKO0jUmmBnvD8zFocOsasAM= github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec h1:saovr368HPAKHN0aRPh8h8n9s9dn3d8Frmfua0UYRlc= github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 
v2.6.1-0.20250929174222-a0d328fa4dec/go.mod h1:Nh2NEePLjovUQof2krTAg4JaAoLacqtPTZQXK6izNfg= -github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260114150411-6838d5edd879 h1:uMUl7bYUa7Co5EX1pqwG2+A7bXaylLtoHMzr7YYXjCU= -github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260114150411-6838d5edd879/go.mod h1:xNCpStWGnZNSC0Y8FTOqEdDXE+iCe82MnlAbx9i78kk= -github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260120104652-eb64f15362ce h1:qCrUvl64Emoob4cXc3f+6o8lzMRHhEJLCb4tDgW9dqk= -github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260120104652-eb64f15362ce/go.mod h1:sVND1JTB9Da9X1fX+Q2W2aOynH3+vf9cFGkisPuE9Yg= -github.com/openstack-k8s-operators/test-operator/api v0.6.1-0.20260120112029-0c8a715f5185 h1:Xcat2I7I9l9Ik5uQg8oZq1NGFoPRhYLWJrzOaVoTwYo= -github.com/openstack-k8s-operators/test-operator/api v0.6.1-0.20260120112029-0c8a715f5185/go.mod h1:/qj7w2jLkTXj34Q1CYnl4FJRyr3RYDlzVq5NM1KQFzQ= -github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260113110118-a6915bd1d851 h1:CBNSYymiZ6WZTU1712DZ7wG3jtArZFJ+O4WJ1FE8jrc= -github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260113110118-a6915bd1d851/go.mod h1:JQIRwXW/xX4e7XPEWhY8GgjHeySGulO/6E53LL+/neo= +github.com/openstack-k8s-operators/test-operator/api v0.6.1-0.20251220223050-cc44551aa6e9 h1:GvysIvrxBdCTnNZxsWz6eDVLDM/DMaXkFL6xY/fXciU= +github.com/openstack-k8s-operators/test-operator/api v0.6.1-0.20251220223050-cc44551aa6e9/go.mod h1:U+zhsnBhMbC42Xt4ptV3HPVgItI7i5tgPvwlauxgXPE= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= diff --git a/hack/export_operator_related_images.sh b/hack/export_operator_related_images.sh index 185760e88..b9ad34a7f 100644 --- a/hack/export_operator_related_images.sh 
+++ b/hack/export_operator_related_images.sh 
@@ -1,24 +1,24 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! -export RELATED_IMAGE_BARBICAN_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/barbican-operator@sha256:e5e017be64edd679623ea1b7e6a1ae780fdcee4ef79be989b93d8c1d082da15b -export RELATED_IMAGE_CINDER_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/cinder-operator@sha256:e950ac2df7be78ae0cbcf62fe12ee7a06b628f1903da6fcb741609e857eb1a7f -export RELATED_IMAGE_DESIGNATE_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/designate-operator@sha256:6c88312afa9673f7b72c558368034d7a488ead73080cdcdf581fe85b99263ece -export RELATED_IMAGE_GLANCE_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/glance-operator@sha256:9caae9b3ee328df678baa26454e45e47693acdadb27f9c635680597aaec43337 -export RELATED_IMAGE_HEAT_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/heat-operator@sha256:2f9a2f064448faebbae58f52d564dc0e8e39bed0fc12bd6b9fe925e42f1b5492 -export RELATED_IMAGE_HORIZON_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/horizon-operator@sha256:3311e627bcb860d9443592a2c67078417318c9eb77d8ef4d07f9aa7027d46822 +export RELATED_IMAGE_BARBICAN_OPERATOR_MANAGER_IMAGE_URL=quay.io/rh-ee-vfisarov/barbican-operator@sha256:629a757905fe676f15ebab2186532d8af43fb17ff289dad5df34fddfd54a4731 +export RELATED_IMAGE_CINDER_OPERATOR_MANAGER_IMAGE_URL=quay.io/rh-ee-vfisarov/cinder-operator@sha256:4432c6643faeccbbd949b4ba54d7bc7efbe39a255e57300af67b51a2b03eb5e8 +export RELATED_IMAGE_DESIGNATE_OPERATOR_MANAGER_IMAGE_URL=quay.io/rh-ee-vfisarov/designate-operator@sha256:9a27f561c9f23884b67f4fab9c8d2615b46cf4d324003a623470aa85771187d9 +export RELATED_IMAGE_GLANCE_OPERATOR_MANAGER_IMAGE_URL=quay.io/rh-ee-vfisarov/glance-operator@sha256:4c59d19ce794050a8020a079843ad2281bd76bc943d577efd7bd59c4ee52e29b +export 
RELATED_IMAGE_HEAT_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/heat-operator@sha256:573d7dba212cbc32101496a7cbe01e391af9891bed3bec717f16bed4d6c23e04 +export RELATED_IMAGE_HORIZON_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/horizon-operator@sha256:b7111c690e8fda3cb0c5969bcfa68308907fd0cf05f73ecdcb9ac1423aa7bba3 export RELATED_IMAGE_INFRA_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/infra-operator@sha256:2eac1b9dadaddf4734f35e3dd1996dca960e97d2f304cbd48254b900a840a84a -export RELATED_IMAGE_IRONIC_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/ironic-operator@sha256:d3c55b59cb192799f8d31196c55c9e9bb3cd38aef7ec51ef257dabf1548e8b30 -export RELATED_IMAGE_KEYSTONE_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/keystone-operator@sha256:8e340ff11922b38e811261de96982e1aff5f4eb8f225d1d9f5973025a4fe8349 -export RELATED_IMAGE_MANILA_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/manila-operator@sha256:8bee4480babd6fd8f686e0ba52a304acb6ffb90f09c7c57e7f5df5f7658836d8 -export RELATED_IMAGE_MARIADB_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/mariadb-operator@sha256:ff0b6c27e2d96afccd73fbbb5b5297a3f60c7f4f1dfd2a877152466697018d71 -export RELATED_IMAGE_NEUTRON_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/neutron-operator@sha256:b57d65d2a968705b9067192a7cb33bd4a12489db87e1d05de78c076f2062cab4 -export RELATED_IMAGE_NOVA_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/nova-operator@sha256:4e995cfa360a9d595a01b9c0541ab934692f2374203cb5738127dd784f793831 -export RELATED_IMAGE_OCTAVIA_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/octavia-operator@sha256:a8fc8f9d445b1232f446119015b226008b07c6a259f5bebc1fcbb39ec310afe5 -export RELATED_IMAGE_OPENSTACK_BAREMETAL_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/openstack-baremetal-operator@sha256:dae767a3ae652ffc70ba60c5bf2b5bf72c12d939353053e231b258948ededb22 -export 
RELATED_IMAGE_OVN_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/ovn-operator@sha256:8b3bfb9e86618b7ac69443939b0968fae28a22cd62ea1e429b599ff9f8a5f8cf -export RELATED_IMAGE_PLACEMENT_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/placement-operator@sha256:65cfe5b9d5b0571aaf8ff9840b12cc56e90ca4cef162dd260c3a9fa2b52c6dd0 +export RELATED_IMAGE_IRONIC_OPERATOR_MANAGER_IMAGE_URL=quay.io/rh-ee-vfisarov/ironic-operator@sha256:d7e1674896885701c5fd0a234d8fccb00d90066e46de4901642413f4b221c7ae +export RELATED_IMAGE_KEYSTONE_OPERATOR_MANAGER_IMAGE_URL=quay.io/rh-ee-vfisarov/keystone-operator@sha256:3f07fd90b18820601ae78f45a9fbef53bf9e3ed131d5cfa1d424ae0145862dd6 +export RELATED_IMAGE_MANILA_OPERATOR_MANAGER_IMAGE_URL=quay.io/rh-ee-vfisarov/manila-operator@sha256:a81133a26aeb26d2ef1a73d063733e595349b2e94969abcb8bc100f8668ee702 +export RELATED_IMAGE_MARIADB_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/mariadb-operator@sha256:c10647131e6fa6afeb11ea28e513b60f22dbfbb4ddc3727850b1fe5799890c41 +export RELATED_IMAGE_NEUTRON_OPERATOR_MANAGER_IMAGE_URL=quay.io/rh-ee-vfisarov/neutron-operator@sha256:949870b350604b04062be6d035099ea54982d663328fe1604123fbadfad20a89 +export RELATED_IMAGE_NOVA_OPERATOR_MANAGER_IMAGE_URL=quay.io/rh-ee-vfisarov/nova-operator@sha256:59aed9d7b656128cd3b1f96445cff8930179e36cc695a9e0ec3dfebb8372605a +export RELATED_IMAGE_OCTAVIA_OPERATOR_MANAGER_IMAGE_URL=quay.io/rh-ee-vfisarov/octavia-operator@sha256:c71c081c53239338b69dc68bde59707ecafa147c81489fd755b82a9f1af402bd +export RELATED_IMAGE_OPENSTACK_BAREMETAL_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/openstack-baremetal-operator@sha256:5d09c9ffa6ee479724f6da786cb35902b87578365dac2035c222f5e4f752d208 +export RELATED_IMAGE_OVN_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/ovn-operator@sha256:635a4aef9d6f0b799e8ec91333dbb312160c001d05b3c63f614c124e0b67cb59 +export 
RELATED_IMAGE_PLACEMENT_OPERATOR_MANAGER_IMAGE_URL=quay.io/rh-ee-vfisarov/placement-operator@sha256:a40693d0a2ee7b50ff5b2bd339bc0ce358ccc16309e803e40d8b26e189a2b4c0 export RELATED_IMAGE_RABBITMQ_CLUSTER_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/rabbitmq-cluster-operator@sha256:893e66303c1b0bc1d00a299a3f0380bad55c8dc813c8a1c6a4aab379f5aa12a2 -export RELATED_IMAGE_SWIFT_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/swift-operator@sha256:445e951df2f21df6d33a466f75917e0f6103052ae751ae11887136e8ab165922 -export RELATED_IMAGE_TELEMETRY_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/telemetry-operator@sha256:e02722d7581bfe1c5fc13e2fa6811d8665102ba86635c77547abf6b933cde127 -export RELATED_IMAGE_TEST_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/test-operator@sha256:c8dde42dafd41026ed2e4cfc26efc0fff63c4ba9d31326ae7dc644ccceaafa9d -export RELATED_IMAGE_WATCHER_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/watcher-operator@sha256:2d6d13b3c28e45c6bec980b8808dda8da4723ae87e66d04f53d52c3b3c51612b +export RELATED_IMAGE_SWIFT_OPERATOR_MANAGER_IMAGE_URL=quay.io/rh-ee-vfisarov/swift-operator@sha256:018ae1352a061ad22a0d4ac5764eb7e19cf5a1d6c2e554f61ae0bd82ebe62e29 +export RELATED_IMAGE_TELEMETRY_OPERATOR_MANAGER_IMAGE_URL=quay.io/rh-ee-vfisarov/telemetry-operator@sha256:578ea6a6c68040cb54e0160462dc2b97226594621a5f441fa1d58f429cf0e010 +export RELATED_IMAGE_TEST_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/test-operator@sha256:4e3d234c1398039c2593611f7b0fd2a6b284cafb1563e6737876a265b9af42b6 +export RELATED_IMAGE_WATCHER_OPERATOR_MANAGER_IMAGE_URL=quay.io/rh-ee-vfisarov/watcher-operator@sha256:611e4fb8bf6cd263664ccb437637105fba633ba8f701c228fd525a7a7b3c8d74 diff --git a/internal/controller/core/openstackcontrolplane_controller.go b/internal/controller/core/openstackcontrolplane_controller.go index 909316acb..a25ace2da 100644 --- a/internal/controller/core/openstackcontrolplane_controller.go 
+++ b/internal/controller/core/openstackcontrolplane_controller.go @@ -92,6 +92,8 @@ func (r *OpenStackControlPlaneReconciler) GetLogger(ctx context.Context) logr.Lo // +kubebuilder:rbac:groups=client.openstack.org,resources=openstackclients,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=horizon.openstack.org,resources=horizons,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapplicationcredentials,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapplicationcredentials/status,verbs=get;patch;update // +kubebuilder:rbac:groups=placement.openstack.org,resources=placementapis,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=glance.openstack.org,resources=glances,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=heat.openstack.org,resources=heats,verbs=get;list;watch;create;update;patch;delete @@ -705,6 +707,7 @@ func (r *OpenStackControlPlaneReconciler) SetupWithManager( Owns(&mariadbv1.Galera{}). Owns(&memcachedv1.Memcached{}). Owns(&keystonev1.KeystoneAPI{}). + Owns(&keystonev1.KeystoneApplicationCredential{}). Owns(&placementv1.PlacementAPI{}). Owns(&glancev1.Glance{}). Owns(&cinderv1.Cinder{}). diff --git a/internal/openstack/applicationcredential.go b/internal/openstack/applicationcredential.go new file mode 100644 index 000000000..02d402ba9 --- /dev/null +++ b/internal/openstack/applicationcredential.go 
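Review bot: The added `keystoneapplicationcredentials/status` marker grants `patch;update` on a subresource that nothing visible in this commit writes. The new helper in `internal/openstack/applicationcredential.go` only gets, creates or patches (through `controllerutil.CreateOrPatch`, whose mutate function touches `Spec` only) and deletes the CR, and reads `Status.SecretName`; `Owns(...)` accounts for `list;watch`. Unless another code path updates that status, the rule could be narrowed to `// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapplicationcredentials/status,verbs=get`. If the wider verb set is kept only to mirror the neighbouring markers, a short comment above it saying so would help later least-privilege reviews. The marker block and `SetupWithManager` both continue outside these hunks.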
@@ -0,0 +1,208 @@
+package openstack
+
+import (
+ "context"
+ "time"
+
+ keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
+ "github.com/openstack-k8s-operators/lib-common/modules/common/helper"
+ corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/api/core/v1beta1"
+ k8s_errors "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+ ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+)
+
+// mergeAppCred returns a new ApplicationCredentialSection by overlaying
+// service-specific values on top of the global defaults.
+func mergeAppCred(
+ global corev1beta1.ApplicationCredentialSection,
+ svc *corev1beta1.ServiceAppCredSection,
+) corev1beta1.ApplicationCredentialSection {
+ out := global
+ if svc != nil {
+ out.Enabled = svc.Enabled
+
+ // only override expiry/grace if specified
+ if svc.ExpirationDays != nil {
+ out.ExpirationDays = svc.ExpirationDays
+ }
+ if svc.GracePeriodDays != nil {
+ out.GracePeriodDays = svc.GracePeriodDays
+ }
+
+ // only override Roles if user set them
+ if len(svc.Roles) > 0 {
+ out.Roles = svc.Roles
+ }
+ // only override Unrestricted if user set it
+ if svc.Unrestricted != nil {
+ out.Unrestricted = svc.Unrestricted
+ }
+ // only override AccessRules if user set them
+ if len(svc.AccessRules) > 0 {
+ out.AccessRules = svc.AccessRules
+ }
+ }
+
+ return out
+}
+
+// isACEnabled checks if AC should be enabled for a given service configuration
+func isACEnabled(globalAC corev1beta1.ApplicationCredentialSection, serviceAC *corev1beta1.ServiceAppCredSection) bool {
+ // Global AC must be enabled
+ if !globalAC.Enabled {
+ return false
+ }
+ // Service AC must be enabled
+ return serviceAC != nil && serviceAC.Enabled
+}
+
+// EnsureApplicationCredentialForService handles AC creation for a single service.
+// If service is not ready, AC creation is deferred
+// If AC already exists and is ready, it's used immediately
+// If AC doesn't exist and service is ready, AC is created
+//
+// Returns:
+// - acSecretName: name of the AC secret (from status), empty if not ready
+// - result: ctrl.Result with requeue if AC is being created/not ready
+// - err: any error that occurred
+func EnsureApplicationCredentialForService(
+ ctx context.Context,
+ helper *helper.Helper,
+ instance *corev1beta1.OpenStackControlPlane,
+ serviceName string,
+ serviceReady bool,
+ secretName string,
+ passwordSelector string,
+ serviceUser string,
+ acConfig *corev1beta1.ServiceAppCredSection,
+) (acSecretName string, result ctrl.Result, err error) {
+ Log := GetLogger(ctx)
+
+ // Generate AC CR name
+ acName := keystonev1.GetACCRName(serviceName)
+
+ // Check if AC CR exists
+ acCR := &keystonev1.KeystoneApplicationCredential{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: acName,
+ Namespace: instance.Namespace,
+ },
+ }
+ err = helper.GetClient().Get(ctx, types.NamespacedName{Name: acName, Namespace: instance.Namespace}, acCR)
+
+ if err != nil && !k8s_errors.IsNotFound(err) {
+ return "", ctrl.Result{}, err
+ }
+ acExists := err == nil
+
+ // Check if AC is enabled for this service
+ if !isACEnabled(instance.Spec.ApplicationCredential, acConfig) {
+ // AC disabled for this service - delete AC CR if it exists
+ if acExists {
+ Log.Info("Application Credential disabled, deleting existing KeystoneApplicationCredential CR", "service", serviceName, "acName", acName)
+ if err := helper.GetClient().Delete(ctx, acCR); err != nil && !k8s_errors.IsNotFound(err) {
+ return "", ctrl.Result{}, err
+ }
+ }
+ return "", ctrl.Result{}, nil
+ }
+
+ // Validate required fields are not empty
+ if secretName == "" || passwordSelector == "" || serviceUser == "" {
+ Log.Info("Skipping Application Credential creation: required fields not yet defaulted",
+ "service", serviceName,
+ "secretName", secretName,
+ "passwordSelector", passwordSelector,
+ "serviceUser", serviceUser)
+ return "", ctrl.Result{}, nil
+ }
+
+ // Merge global and service-specific AC configuration
+ merged := mergeAppCred(instance.Spec.ApplicationCredential, acConfig)
+
+ // Check if AC CR exists and is ready
+ if acExists {
+ if acCR.IsReady() {
+ Log.Info("Application Credential is ready", "service", serviceName, "acName", acName, "secretName", acCR.Status.SecretName)
+ return acCR.Status.SecretName, ctrl.Result{}, nil
+ }
+ // Application Credential exists but not ready yet
+ Log.Info("Application Credential not ready yet, requeuing", "service", serviceName, "acName", acName)
+ return "", ctrl.Result{RequeueAfter: time.Second * 10}, nil
+ }
+
+ // AC doesn't exist
+ if !serviceReady {
+ // Service not ready, don't create Application Credential yet
+ Log.Info("Service not ready, deferring Application Credential creation", "service", serviceName)
+ return "", ctrl.Result{}, nil
+ }
+
+ // Service is ready, create Application Credential CR
+ Log.Info("Service is ready, creating Application Credential", "service", serviceName, "acName", acName)
+
+ err = reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged)
+ if err != nil {
+ return "", ctrl.Result{}, err
+ }
+
+ // AC created, but not ready yet - requeue to check readiness
+ return "", ctrl.Result{RequeueAfter: time.Second * 5}, nil
+}
+
+// reconcileApplicationCredential creates or updates a single ApplicationCredential CR
+func reconcileApplicationCredential(
+ ctx context.Context,
+ helper *helper.Helper,
+ instance *corev1beta1.OpenStackControlPlane,
+ acName string,
+ userName string,
+ secretName string,
+ passwordSelector string,
+ effective corev1beta1.ApplicationCredentialSection,
+) error {
+ log := GetLogger(ctx)
+
+ acObj := &keystonev1.KeystoneApplicationCredential{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: acName,
+ Namespace: instance.Namespace,
+ },
+ }
+
+ op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), acObj, func() error {
+ acObj.Spec.UserName = userName
+ acObj.Spec.ExpirationDays = *effective.ExpirationDays
+ acObj.Spec.GracePeriodDays = *effective.GracePeriodDays
+ acObj.Spec.Secret = secretName
+ acObj.Spec.PasswordSelector = passwordSelector
+ acObj.Spec.Roles = effective.Roles
+ acObj.Spec.Unrestricted = *effective.Unrestricted
+
+ if len(effective.AccessRules) > 0 {
+ kr := make([]keystonev1.ACRule, 0, len(effective.AccessRules))
+ for _, r := range effective.AccessRules {
+ kr = append(kr, keystonev1.ACRule{
+ Service: r.Service,
+ Path: r.Path,
+ Method: r.Method,
+ })
+ }
+ acObj.Spec.AccessRules = kr
+ }
+
+ return controllerutil.SetControllerReference(
+ helper.GetBeforeObject(), acObj, helper.GetScheme(),
+ )
+ })
+ if err != nil {
+ return err
+ }
+ if op != controllerutil.OperationResultNone {
+ log.Info("Reconciled Application Credential", "name", acName, "user", userName, "operation", op)
+ }
+ return nil
+}
diff --git a/internal/openstack/barbican.go b/internal/openstack/barbican.go
index a4a29151f..60ccf7369 100644
--- a/internal/openstack/barbican.go
+++ b/internal/openstack/barbican.go
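Review bot: Once the `KeystoneApplicationCredential` CR exists, `EnsureApplicationCredentialForService` in `internal/openstack/applicationcredential.go` never reconciles its spec again: the `if acExists` branch either returns on `acCR.IsReady()` or requeues, and `reconcileApplicationCredential` is reached only on the create path, so `merged` is computed and then dropped. A later change that narrows `roles`, adds `accessRules` or clears `unrestricted` on the control plane would therefore leave the existing credential with its original, broader scope. Consider calling `reconcileApplicationCredential(...)` ahead of the readiness check whenever `acExists || serviceReady`, and treating the CR as ready only once its status reflects the patched generation; whether keystone-operator rotates the credential on a spec change is not visible here. Inside the mutate function, the `if len(effective.AccessRules) > 0` guard also means an emptied rule list would not clear `acObj.Spec.AccessRules` on a patch, so the slice should be assigned unconditionally. Separately, `mergeAppCred` can produce `gracePeriodDays >= expirationDays` when a service overrides only one of the two, because the per-service CEL rule in the CRD checks the pair only when both are set; a check on the merged values before the dereferences `*effective.ExpirationDays` and `*effective.GracePeriodDays` would catch that and a nil pointer alike.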
@@ -61,6 +61,45 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr } } + // Application Credential Management (Day-2 operation) + barbicanReady := barbican.Status.ObservedGeneration == barbican.Generation && barbican.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + barbicanSecret := instance.Spec.Barbican.Template.Secret + if barbicanSecret == "" { + barbicanSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Barbican.ApplicationCredential) || + instance.Spec.Barbican.Template.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + barbican.Name, + barbicanReady, + barbicanSecret, + instance.Spec.Barbican.Template.PasswordSelectors.Service, + instance.Spec.Barbican.Template.ServiceUser, + instance.Spec.Barbican.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Barbican.Template.Auth.ApplicationCredentialSecret = acSecretName + } + // preserve any previously set TLS certs, set CA cert if instance.Spec.TLS.PodLevel.Enabled { instance.Spec.Barbican.Template.BarbicanAPI.TLS = barbican.Spec.BarbicanAPI.TLS diff --git a/internal/openstack/cinder.go b/internal/openstack/cinder.go index d85d0b891..42af1c9e0 100644 --- a/internal/openstack/cinder.go +++ b/internal/openstack/cinder.go 
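Review bot: The `return acResult, nil` taken while the credential is not ready leaves ReconcileBarbican before the TLS/CA handling that follows this block, and, per the hunk's own comment, before the Barbican CR is updated. A KeystoneApplicationCredential that stays not-ready therefore holds back every other change to the service, certificate updates included. The helper requeues after 10 seconds with no upper bound visible in this diff, so the stall would only show in the operator log. Consider recording the wait in the control plane status, and at minimum state it in the comment: `// NOTE: returning here also defers the TLS/CA updates below until the AC is ready`. The same early return appears in the cinder, designate, glance, heat, ironic, manila, neutron, nova, octavia, placement, swift, telemetry and watcher hunks; ReconcileBarbican starts and ends outside this hunk.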
@@ -76,6 +76,45 @@ func ReconcileCinder(ctx context.Context, instance *corev1beta1.OpenStackControl } } + // Application Credential Management (Day-2 operation) + cinderReady := cinder.Status.ObservedGeneration == cinder.Generation && cinder.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + cinderSecret := instance.Spec.Cinder.Template.Secret + if cinderSecret == "" { + cinderSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Cinder.ApplicationCredential) || + instance.Spec.Cinder.Template.CinderAPI.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + cinder.Name, + cinderReady, + cinderSecret, + instance.Spec.Cinder.Template.PasswordSelectors.Service, + instance.Spec.Cinder.Template.ServiceUser, + instance.Spec.Cinder.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Cinder.Template.CinderAPI.Auth.ApplicationCredentialSecret = acSecretName + } + // preserve any previously set TLS certs,set CA cert if instance.Spec.TLS.PodLevel.Enabled { instance.Spec.Cinder.Template.CinderAPI.TLS = cinder.Spec.CinderAPI.TLS diff --git a/internal/openstack/designate.go b/internal/openstack/designate.go index ee7ab703d..364b7822d 100644 --- a/internal/openstack/designate.go +++ b/internal/openstack/designate.go 
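Review bot: The guard, helper call and assignment here repeat the barbican.go block with only the field path changed, and the designate, manila, neutron, nova, octavia, placement and swift hunks repeat it again. For credential handling this matters, because a correction to the "AC disabled" or "AC not ready" semantics applied to one copy is easily missed in the others. A single helper that takes the service name, readiness flag, secret, selector, user, per-service section and a `*string` pointing at the `Auth.ApplicationCredentialSecret` field would keep those semantics in one place. Separately, `if (acResult != ctrl.Result{}) {` reads more simply as `if !acResult.IsZero() {`.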
@@ -73,6 +73,45 @@ func ReconcileDesignate(ctx context.Context, instance *corev1beta1.OpenStackCont } } + // Application Credential Management (Day-2 operation) + designateReady := designate.Status.ObservedGeneration == designate.Generation && designate.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + designateSecret := instance.Spec.Designate.Template.Secret + if designateSecret == "" { + designateSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Designate.ApplicationCredential) || + instance.Spec.Designate.Template.DesignateAPI.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + designate.Name, + designateReady, + designateSecret, + instance.Spec.Designate.Template.PasswordSelectors.Service, + instance.Spec.Designate.Template.ServiceUser, + instance.Spec.Designate.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Designate.Template.DesignateAPI.Auth.ApplicationCredentialSecret = acSecretName + } + svcs, err := service.GetServicesListWithLabel( ctx, helper, diff --git a/internal/openstack/glance.go b/internal/openstack/glance.go index 57dd2ca86..e9dca69cf 100644 --- a/internal/openstack/glance.go +++ b/internal/openstack/glance.go 
@@ -87,6 +87,57 @@ func ReconcileGlance(ctx context.Context, instance *corev1beta1.OpenStackControl } } + // Application Credential Management (Day-2 operation) + // Check if AC should be enabled and manage it accordingly + glanceReady := glance.Status.ObservedGeneration == glance.Generation && glance.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + glanceSecret := instance.Spec.Glance.Template.Secret + if glanceSecret == "" { + glanceSecret = instance.Spec.Secret + } + + // Check if any GlanceAPI has AC configured + hasACConfigured := false + for _, glanceAPI := range instance.Spec.Glance.Template.GlanceAPIs { + if glanceAPI.Auth.ApplicationCredentialSecret != "" { + hasACConfigured = true + break + } + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Glance.ApplicationCredential) || hasACConfigured { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + glance.Name, + glanceReady, + glanceSecret, + instance.Spec.Glance.Template.PasswordSelectors.Service, + instance.Spec.Glance.Template.ServiceUser, + instance.Spec.Glance.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret for all GlanceAPIs based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + for name, glanceAPI := range instance.Spec.Glance.Template.GlanceAPIs { + glanceAPI.Auth.ApplicationCredentialSecret = acSecretName + instance.Spec.Glance.Template.GlanceAPIs[name] = glanceAPI + } + } + // add selector to service overrides for name, glanceAPI := range instance.Spec.Glance.Template.GlanceAPIs { eps := []service.Endpoint{service.EndpointPublic, 
service.EndpointInternal} diff --git a/internal/openstack/heat.go b/internal/openstack/heat.go index b80f3a37a..16d493d5b 100644 --- a/internal/openstack/heat.go +++ b/internal/openstack/heat.go @@ -93,6 +93,41 @@ func ReconcileHeat(ctx context.Context, instance *corev1beta1.OpenStackControlPl instance.Spec.Heat.Template.HeatAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName instance.Spec.Heat.Template.HeatCfnAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName + // Application Credential Management (Day-2 operation) + heatReady := heat.Status.ObservedGeneration == heat.Generation && heat.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + heatSecret := instance.Spec.Heat.Template.Secret + if heatSecret == "" { + heatSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Heat.ApplicationCredential) || + instance.Spec.Heat.Template.Auth.ApplicationCredentialSecret != "" { + + heatACSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, helper, instance, heat.Name, heatReady, + heatSecret, + instance.Spec.Heat.Template.PasswordSelectors.Service, + instance.Spec.Heat.Template.ServiceUser, + instance.Spec.Heat.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Heat.Template.Auth.ApplicationCredentialSecret = heatACSecretName + } + // Heat API svcs, err := service.GetServicesListWithLabel( ctx, diff --git a/internal/openstack/ironic.go b/internal/openstack/ironic.go index b42bd6551..c922b0580 100644 
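Review bot: In the glance.go hunk, `hasACConfigured` becomes true as soon as one GlanceAPI carries a secret name, and the final loop then writes the helper's result into `Auth.ApplicationCredentialSecret` on every GlanceAPI, replacing whatever each entry held. That is coherent, because a single `Template.ServiceUser` is passed to the helper, but the intent is not stated and a per-API value set by a user disappears silently. I would add above the loop: `// All GlanceAPIs authenticate as Template.ServiceUser, so they share one AC secret; per-API values are overwritten`. ReconcileGlance continues outside the hunk.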
--- a/internal/openstack/ironic.go +++ b/internal/openstack/ironic.go 
@@ -93,6 +93,75 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl instance.Spec.Ironic.Template.IronicAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName instance.Spec.Ironic.Template.IronicInspector.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName + // Application Credential Management (Day-2 operation) + // Ironic has 2 users: ironic (main service) and ironic-inspector + ironicReady := ironic.Status.ObservedGeneration == ironic.Generation && ironic.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + // Both ironic and ironic-inspector share the same secret + ironicSecret := instance.Spec.Ironic.Template.Secret + if ironicSecret == "" { + ironicSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Ironic.ApplicationCredential) || + instance.Spec.Ironic.Template.Auth.ApplicationCredentialSecret != "" || + instance.Spec.Ironic.Template.IronicInspector.Auth.ApplicationCredentialSecret != "" { + + // AC for main ironic service + ironicACSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + ironic.Name, + ironicReady, + ironicSecret, + instance.Spec.Ironic.Template.PasswordSelectors.Service, + instance.Spec.Ironic.Template.ServiceUser, + instance.Spec.Ironic.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret for main ironic service based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Ironic.Template.Auth.ApplicationCredentialSecret = ironicACSecretName + + // AC for ironic-inspector (separate user, separate AC, but shares 
the same secret as ironic) + inspectorACSecretName, inspectorACResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + "ironic-inspector", + ironicReady, + ironicSecret, // Inspector shares the same secret as ironic + instance.Spec.Ironic.Template.IronicInspector.PasswordSelectors.Service, + instance.Spec.Ironic.Template.IronicInspector.ServiceUser, + instance.Spec.Ironic.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (inspectorACResult != ctrl.Result{}) { + return inspectorACResult, nil + } + + // Set ApplicationCredentialSecret for ironic-inspector based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Ironic.Template.IronicInspector.Auth.ApplicationCredentialSecret = inspectorACSecretName + } + // Ironic API svcs, err := service.GetServicesListWithLabel( ctx, diff --git a/internal/openstack/manila.go b/internal/openstack/manila.go index 08d01e031..0c8d95060 100644 --- a/internal/openstack/manila.go +++ b/internal/openstack/manila.go 
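Review bot: The second call passes `instance.Spec.Ironic.ApplicationCredential` for `ironic-inspector`, so the inspector user gets the same roles, access rules and `unrestricted` setting as the main ironic user and cannot be scoped down on its own. The telemetry hunk in this commit gives aodh, ceilometer and cloudkitty a section each, which fits least privilege better. If sharing is intended, say so next to the call: `// inspector deliberately reuses the ironic AC section (roles, accessRules, unrestricted)`. The name is also the literal `"ironic-inspector"` while the first call uses `ironic.Name`, so the two credentials are named by different rules. ReconcileIronic continues outside the hunk.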
@@ -63,6 +63,45 @@ func ReconcileManila(ctx context.Context, instance *corev1beta1.OpenStackControl } } + // Application Credential Management (Day-2 operation) + manilaReady := manila.Status.ObservedGeneration == manila.Generation && manila.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + manilaSecret := instance.Spec.Manila.Template.Secret + if manilaSecret == "" { + manilaSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Manila.ApplicationCredential) || + instance.Spec.Manila.Template.ManilaAPI.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + manila.Name, + manilaReady, + manilaSecret, + instance.Spec.Manila.Template.PasswordSelectors.Service, + instance.Spec.Manila.Template.ServiceUser, + instance.Spec.Manila.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Manila.Template.ManilaAPI.Auth.ApplicationCredentialSecret = acSecretName + } + // preserve any previously set TLS certs, set CA cert if instance.Spec.TLS.PodLevel.Enabled { instance.Spec.Manila.Template.ManilaAPI.TLS = manila.Spec.ManilaAPI.TLS diff --git a/internal/openstack/neutron.go b/internal/openstack/neutron.go index af2e697ab..cf33dadd5 100644 --- a/internal/openstack/neutron.go +++ b/internal/openstack/neutron.go 
@@ -107,6 +107,45 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro } instance.Spec.Neutron.Template.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName + // Application Credential Management (Day-2 operation) + neutronReady := neutronAPI.Status.ObservedGeneration == neutronAPI.Generation && neutronAPI.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + neutronSecret := instance.Spec.Neutron.Template.Secret + if neutronSecret == "" { + neutronSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Neutron.ApplicationCredential) || + instance.Spec.Neutron.Template.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + neutronAPI.Name, + neutronReady, + neutronSecret, + instance.Spec.Neutron.Template.PasswordSelectors.Service, + instance.Spec.Neutron.Template.ServiceUser, + instance.Spec.Neutron.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Neutron.Template.Auth.ApplicationCredentialSecret = acSecretName + } + svcs, err := service.GetServicesListWithLabel( ctx, helper, diff --git a/internal/openstack/nova.go b/internal/openstack/nova.go index fd4e97671..0837f4c75 100644 --- a/internal/openstack/nova.go +++ b/internal/openstack/nova.go 
@@ -155,6 +155,45 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl instance.Spec.Nova.Template.CellTemplates[cellName] = cellTemplate } + // Application Credential Management (Day-2 operation) + novaReady := nova.Status.ObservedGeneration == nova.Generation && nova.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + novaSecret := instance.Spec.Nova.Template.Secret + if novaSecret == "" { + novaSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Nova.ApplicationCredential) || + instance.Spec.Nova.Template.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + nova.Name, + novaReady, + novaSecret, + instance.Spec.Nova.Template.PasswordSelectors.Service, + instance.Spec.Nova.Template.ServiceUser, + instance.Spec.Nova.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Nova.Template.Auth.ApplicationCredentialSecret = acSecretName + } + // Nova API svcs, err := service.GetServicesListWithLabel( ctx, diff --git a/internal/openstack/octavia.go b/internal/openstack/octavia.go index 076996f75..49aed0fc4 100644 --- a/internal/openstack/octavia.go +++ b/internal/openstack/octavia.go 
@@ -139,6 +139,45 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro } } + // Application Credential Management (Day-2 operation) + octaviaReady := octavia.Status.ObservedGeneration == octavia.Generation && octavia.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + octaviaSecret := instance.Spec.Octavia.Template.Secret + if octaviaSecret == "" { + octaviaSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Octavia.ApplicationCredential) || + instance.Spec.Octavia.Template.OctaviaAPI.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + octavia.Name, + octaviaReady, + octaviaSecret, + instance.Spec.Octavia.Template.PasswordSelectors.Service, + instance.Spec.Octavia.Template.ServiceUser, + instance.Spec.Octavia.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Octavia.Template.OctaviaAPI.Auth.ApplicationCredentialSecret = acSecretName + } + svcs, err := service.GetServicesListWithLabel( ctx, helper, diff --git a/internal/openstack/placement.go b/internal/openstack/placement.go index 7d59f4b3e..960eeb4bd 100644 --- a/internal/openstack/placement.go +++ b/internal/openstack/placement.go 
@@ -70,6 +70,45 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC } } + // Application Credential Management (Day-2 operation) + placementReady := placementAPI.Status.ObservedGeneration == placementAPI.Generation && placementAPI.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + placementSecret := instance.Spec.Placement.Template.Secret + if placementSecret == "" { + placementSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Placement.ApplicationCredential) || + instance.Spec.Placement.Template.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + placementAPI.Name, + placementReady, + placementSecret, + instance.Spec.Placement.Template.PasswordSelectors.Service, + instance.Spec.Placement.Template.ServiceUser, + instance.Spec.Placement.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Placement.Template.Auth.ApplicationCredentialSecret = acSecretName + } + // set CA cert and preserve any previously set TLS certs if instance.Spec.TLS.PodLevel.Enabled { instance.Spec.Placement.Template.TLS = placementAPI.Spec.TLS diff --git a/internal/openstack/swift.go b/internal/openstack/swift.go index 5c0651ea2..d965214e6 100644 --- a/internal/openstack/swift.go +++ b/internal/openstack/swift.go 
@@ -76,6 +76,45 @@ func ReconcileSwift(ctx context.Context, instance *corev1beta1.OpenStackControlP } } + // Application Credential Management (Day-2 operation) + swiftReady := swift.Status.ObservedGeneration == swift.GetGeneration() && swift.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + swiftSecret := instance.Spec.Swift.Template.SwiftProxy.Secret + if swiftSecret == "" { + swiftSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Swift.ApplicationCredential) || + instance.Spec.Swift.Template.SwiftProxy.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + swift.Name, + swiftReady, + swiftSecret, + instance.Spec.Swift.Template.SwiftProxy.PasswordSelectors.Service, + instance.Spec.Swift.Template.SwiftProxy.ServiceUser, + instance.Spec.Swift.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Swift.Template.SwiftProxy.Auth.ApplicationCredentialSecret = acSecretName + } + // preserve any previously set TLS certs,set CA cert if instance.Spec.TLS.PodLevel.Enabled { instance.Spec.Swift.Template.SwiftProxy.TLS = swift.Spec.SwiftProxy.TLS diff --git a/internal/openstack/telemetry.go b/internal/openstack/telemetry.go index 5c9e3d377..fd7a697ef 100644 --- a/internal/openstack/telemetry.go +++ b/internal/openstack/telemetry.go 
@@ -98,6 +98,136 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont telemetry.Name) } + // Application Credential Management (Day-2 operation) + // Telemetry has 3 separate services with 3 different users: aodh, ceilometer, cloudkitty + telemetryReady := telemetry.Status.ObservedGeneration == telemetry.Generation && telemetry.IsReady() + + // AC for Aodh (if service enabled) + if instance.Spec.Telemetry.Template.Autoscaling.Enabled != nil && *instance.Spec.Telemetry.Template.Autoscaling.Enabled { + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Telemetry.ApplicationCredentialAodh) || + instance.Spec.Telemetry.Template.Autoscaling.Aodh.Auth.ApplicationCredentialSecret != "" { + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + aodhSecret := instance.Spec.Telemetry.Template.Autoscaling.Aodh.Secret + if aodhSecret == "" { + aodhSecret = instance.Spec.Secret + } + + aodhACSecretName, aodhACResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + "aodh", + telemetryReady, + aodhSecret, + instance.Spec.Telemetry.Template.Autoscaling.Aodh.PasswordSelectors.AodhService, + instance.Spec.Telemetry.Template.Autoscaling.Aodh.ServiceUser, + instance.Spec.Telemetry.ApplicationCredentialAodh, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (aodhACResult != ctrl.Result{}) { + return aodhACResult, nil + } + + // Set ApplicationCredentialSecret for Aodh based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Telemetry.Template.Autoscaling.Aodh.Auth.ApplicationCredentialSecret = aodhACSecretName + } + } else { + // Aodh service disabled, clear the field + instance.Spec.Telemetry.Template.Autoscaling.Aodh.Auth.ApplicationCredentialSecret = "" 
+ } + + // AC for Ceilometer (if service enabled) + if instance.Spec.Telemetry.Template.Ceilometer.Enabled != nil && *instance.Spec.Telemetry.Template.Ceilometer.Enabled { + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Telemetry.ApplicationCredentialCeilometer) || + instance.Spec.Telemetry.Template.Ceilometer.Auth.ApplicationCredentialSecret != "" { + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + ceilometerSecret := instance.Spec.Telemetry.Template.Ceilometer.Secret + if ceilometerSecret == "" { + ceilometerSecret = instance.Spec.Secret + } + + ceilometerACSecretName, ceilometerACResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + "ceilometer", + telemetryReady, + ceilometerSecret, + instance.Spec.Telemetry.Template.Ceilometer.PasswordSelectors.CeilometerService, + instance.Spec.Telemetry.Template.Ceilometer.ServiceUser, + instance.Spec.Telemetry.ApplicationCredentialCeilometer, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (ceilometerACResult != ctrl.Result{}) { + return ceilometerACResult, nil + } + + // Set ApplicationCredentialSecret for Ceilometer based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Telemetry.Template.Ceilometer.Auth.ApplicationCredentialSecret = ceilometerACSecretName + } + } else { + // Ceilometer service disabled, clear the field + instance.Spec.Telemetry.Template.Ceilometer.Auth.ApplicationCredentialSecret = "" + } + + // AC for CloudKitty (if service enabled) + if instance.Spec.Telemetry.Template.CloudKitty.Enabled != nil && *instance.Spec.Telemetry.Template.CloudKitty.Enabled { + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, 
instance.Spec.Telemetry.ApplicationCredentialCloudKitty) || + instance.Spec.Telemetry.Template.CloudKitty.Auth.ApplicationCredentialSecret != "" { + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + cloudkittySecret := instance.Spec.Telemetry.Template.CloudKitty.Secret + if cloudkittySecret == "" { + cloudkittySecret = instance.Spec.Secret + } + + cloudkittyACSecretName, cloudkittyACResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + "cloudkitty", + telemetryReady, + cloudkittySecret, + instance.Spec.Telemetry.Template.CloudKitty.PasswordSelectors.CloudKittyService, + instance.Spec.Telemetry.Template.CloudKitty.ServiceUser, + instance.Spec.Telemetry.ApplicationCredentialCloudKitty, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (cloudkittyACResult != ctrl.Result{}) { + return cloudkittyACResult, nil + } + + // Set ApplicationCredentialSecret for CloudKitty based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Telemetry.Template.CloudKitty.Auth.ApplicationCredentialSecret = cloudkittyACSecretName + } + } else { + // CloudKitty service disabled, clear the field + instance.Spec.Telemetry.Template.CloudKitty.Auth.ApplicationCredentialSecret = "" + } + // preserve any previously set TLS certs, set CA cert if instance.Spec.TLS.PodLevel.Enabled { instance.Spec.Telemetry.Template.Autoscaling.Aodh.TLS = telemetry.Spec.Autoscaling.Aodh.TLS diff --git a/internal/openstack/watcher.go b/internal/openstack/watcher.go index 1519ef3c6..7298d6eb2 100644 --- a/internal/openstack/watcher.go +++ b/internal/openstack/watcher.go 
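Review bot: The three `else` branches only blank `Auth.ApplicationCredentialSecret` when Aodh, Ceilometer or CloudKitty is switched off, and they never call EnsureApplicationCredentialForService, so nothing in this hunk removes the credential already issued for that service. If no other code deletes the matching KeystoneApplicationCredential CR, the Keystone credential stays usable until it expires, and the CRD default for `expirationDays` in this commit is 730. Either route the disabled case through the helper so it can clean up, or document where revocation happens, e.g. `// AC CR for aodh is removed by <cleanup location>`. ReconcileTelemetry continues outside the hunk.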
@@ -60,6 +60,61 @@ func ReconcileWatcher(ctx context.Context, instance *corev1beta1.OpenStackContro } } + // Application Credential Management (Day-2 operation) + // Watcher uses pointer fields, safely extract values + watcherReady := watcher.Status.ObservedGeneration == watcher.Generation && watcher.IsReady() + + // Helper to get Watcher values (which are pointers) with fallback logic + getWatcherSecret := func() string { + if instance.Spec.Watcher.Template.Secret != nil && *instance.Spec.Watcher.Template.Secret != "" { + return *instance.Spec.Watcher.Template.Secret + } + // Apply same fallback as in CreateOrPatch + return instance.Spec.Secret + } + getWatcherServiceUser := func() string { + if instance.Spec.Watcher.Template.ServiceUser != nil { + return *instance.Spec.Watcher.Template.ServiceUser + } + return "" + } + getWatcherPasswordSelector := func() string { + if instance.Spec.Watcher.Template.PasswordSelectors.Service != nil { + return *instance.Spec.Watcher.Template.PasswordSelectors.Service + } + return "" + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Watcher.ApplicationCredential) || + instance.Spec.Watcher.Template.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + watcher.Name, + watcherReady, + getWatcherSecret(), + getWatcherPasswordSelector(), + getWatcherServiceUser(), + instance.Spec.Watcher.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Watcher.Template.Auth.ApplicationCredentialSecret = acSecretName + } + // preserve any 
previously set TLS certs, set CA cert if instance.Spec.TLS.PodLevel.Enabled { instance.Spec.Watcher.Template.APIServiceTemplate.TLS = watcher.Spec.APIServiceTemplate.TLS diff --git a/test/functional/ctlplane/openstackoperator_controller_test.go b/test/functional/ctlplane/openstackoperator_controller_test.go index 58318df1f..9acb6f474 100644 --- a/test/functional/ctlplane/openstackoperator_controller_test.go +++ b/test/functional/ctlplane/openstackoperator_controller_test.go 
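Review bot: `getWatcherServiceUser` and `getWatcherPasswordSelector` turn a nil pointer into `""` and pass it straight to EnsureApplicationCredentialForService, even when application credentials are enabled. The tail of the helper visible earlier in this diff logs `passwordSelector` and `serviceUser` and returns an empty secret name with a zero Result, which looks like its empty-input branch. If so, this caller writes `""` into `Auth.ApplicationCredentialSecret` and Watcher keeps authenticating with its password, with no error raised. An operator who enabled the feature would reasonably assume the service had moved off the password, so returning an error or a requeue when AC is enabled and either value is empty would make the fallback visible. ReconcileWatcher continues outside the hunk.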
@@ -4063,7 +4063,253 @@ var _ = Describe("OpenStackOperator controller nova cell deletion", func() { g.Expect(k8s_errors.IsNotFound(err)).To(BeTrue()) }, timeout, interval).Should(Succeed()) }) + }) + }) +}) + +var _ = Describe("Application Credentials configuration in control plane", func() { + When("global application credentials are enabled", func() { + BeforeEach(func() { + spec := GetDefaultOpenStackControlPlaneSpec() + spec["applicationCredential"] = map[string]interface{}{ + "enabled": true, + "expirationDays": 730, + "gracePeriodDays": 364, + "roles": []string{"service", "admin"}, + "unrestricted": false, + } + spec["cinder"] = map[string]interface{}{ + "enabled": true, + "applicationCredential": map[string]interface{}{ + "enabled": true, + "expirationDays": 100, + "gracePeriodDays": 50, + "roles": []string{"custom", "role"}, + "unrestricted": true, + }, + } + + DeferCleanup(th.DeleteInstance, + CreateOpenStackControlPlane(names.OpenStackControlplaneName, spec), + ) + }) + + It("should fill defaults correctly", func() { + Eventually(func(g Gomega) { + cp := GetOpenStackControlPlane(names.OpenStackControlplaneName) + g.Expect(cp.Spec.ApplicationCredential.Enabled).To(BeTrue()) + g.Expect(*cp.Spec.ApplicationCredential.ExpirationDays).To(Equal(730)) + g.Expect(*cp.Spec.ApplicationCredential.GracePeriodDays).To(Equal(364)) + g.Expect(cp.Spec.ApplicationCredential.Roles).To(ConsistOf("admin", "service")) + g.Expect(*cp.Spec.ApplicationCredential.Unrestricted).To(BeFalse()) + + ac := cp.Spec.Cinder.ApplicationCredential + g.Expect(ac).NotTo(BeNil()) + g.Expect(*ac.ExpirationDays).To(Equal(100)) + g.Expect(*ac.GracePeriodDays).To(Equal(50)) + g.Expect(ac.Roles).To(ConsistOf("custom", "role")) + g.Expect(*ac.Unrestricted).To(BeTrue()) + }, timeout, interval).Should(Succeed()) + }) + + It("should configure ApplicationCredential with service-specific overrides and global defaults", func() { + cp := GetOpenStackControlPlane(names.OpenStackControlplaneName) + + // 
Verify global AC configuration + global := cp.Spec.ApplicationCredential + Expect(global.Enabled).To(BeTrue()) + Expect(*global.ExpirationDays).To(Equal(730)) + Expect(*global.GracePeriodDays).To(Equal(364)) + Expect(global.Roles).To(ConsistOf("admin", "service")) + Expect(*global.Unrestricted).To(BeFalse()) + + // Verify Cinder has service-specific overrides + Expect(cp.Spec.Cinder.Enabled).To(BeTrue()) + Expect(cp.Spec.Cinder.ApplicationCredential).NotTo(BeNil()) + Expect(cp.Spec.Cinder.ApplicationCredential.Enabled).To(BeTrue()) + cinderAC := cp.Spec.Cinder.ApplicationCredential + Expect(*cinderAC.ExpirationDays).To(Equal(100)) + Expect(*cinderAC.GracePeriodDays).To(Equal(50)) + Expect(cinderAC.Roles).To(ConsistOf("custom", "role")) + Expect(*cinderAC.Unrestricted).To(BeTrue()) + + // Verify Glance and Manila inherit global defaults (no service-specific AC overrides) + // The service specific values are nil/empty, they inherit the global defaults with mergeAppCred function + Expect(cp.Spec.Glance.Enabled).To(BeTrue()) + Expect(cp.Spec.Manila.Enabled).To(BeTrue()) + Expect(cp.Spec.Manila.Template).NotTo(BeNil()) + + if cp.Spec.Glance.ApplicationCredential != nil { + glanceAC := cp.Spec.Glance.ApplicationCredential + Expect(glanceAC.ExpirationDays).To(BeNil()) + Expect(glanceAC.GracePeriodDays).To(BeNil()) + Expect(glanceAC.Roles).To(BeEmpty()) + Expect(glanceAC.Unrestricted).To(BeNil()) + } + + if cp.Spec.Manila.ApplicationCredential != nil { + manilaAC := cp.Spec.Manila.ApplicationCredential + Expect(manilaAC.ExpirationDays).To(BeNil()) + Expect(manilaAC.GracePeriodDays).To(BeNil()) + Expect(manilaAC.Roles).To(BeEmpty()) + Expect(manilaAC.Unrestricted).To(BeNil()) + } + }) + }) + + When("global application credentials are disabled", func() { + BeforeEach(func() { + spec := GetDefaultOpenStackControlPlaneSpec() + spec["applicationCredential"] = map[string]interface{}{"enabled": false} + spec["cinder"] = map[string]interface{}{ + "enabled": true, + 
"applicationCredential": map[string]interface{}{ + "enabled": true, + }, + } + spec["glance"] = map[string]interface{}{ + "enabled": true, + } + + DeferCleanup(th.DeleteInstance, + CreateOpenStackControlPlane(names.OpenStackControlplaneName, spec), + ) + }) + + It("should have global AC disabled in spec", func() { + cp := GetOpenStackControlPlane(names.OpenStackControlplaneName) + Expect(cp.Spec.ApplicationCredential.Enabled).To(BeFalse()) + }) + }) + + When("service-specific application credentials are disabled", func() { + BeforeEach(func() { + spec := GetDefaultOpenStackControlPlaneSpec() + spec["applicationCredential"] = map[string]interface{}{"enabled": true} + spec["glance"] = map[string]interface{}{ + "enabled": true, + "applicationCredential": map[string]interface{}{ + "enabled": false, + }, + } + spec["cinder"] = map[string]interface{}{ + "enabled": true, + "applicationCredential": map[string]interface{}{ + "enabled": true, + }, + } + + DeferCleanup(th.DeleteInstance, + CreateOpenStackControlPlane(names.OpenStackControlplaneName, spec), + ) + }) + + It("should have service-specific AC disabled in spec", func() { + cp := GetOpenStackControlPlane(names.OpenStackControlplaneName) + + // Glance is disabled + Expect(cp.Spec.Glance.Enabled).To(BeTrue()) + Expect(cp.Spec.Glance.ApplicationCredential).NotTo(BeNil()) + Expect(cp.Spec.Glance.ApplicationCredential.Enabled).To(BeFalse()) + + // Cidner is enabled + Expect(cp.Spec.Cinder.Enabled).To(BeTrue()) + Expect(cp.Spec.Cinder.ApplicationCredential).NotTo(BeNil()) + Expect(cp.Spec.Cinder.ApplicationCredential.Enabled).To(BeTrue()) + }) + + It("should NOT set ApplicationCredentialSecret field before services are ready", func() { + cp := GetOpenStackControlPlane(names.OpenStackControlplaneName) + + // In functional tests, no actual services are deployed, so they never become "Ready" + // The reconciler should NOT set ApplicationCredentialSecret until service is ready (Day-2) + // This verifies the new dynamic 
behavior where AC is only applied after service readiness + + if cp.Spec.Cinder.Template != nil { + Expect(cp.Spec.Cinder.Template.CinderAPI.Auth.ApplicationCredentialSecret).To(BeEmpty(), + "ApplicationCredentialSecret should be empty when service is not ready") + } + + if cp.Spec.Glance.Template != nil && len(cp.Spec.Glance.Template.GlanceAPIs) > 0 { + for apiName, glanceAPI := range cp.Spec.Glance.Template.GlanceAPIs { + Expect(glanceAPI.Auth.ApplicationCredentialSecret).To(BeEmpty(), + "ApplicationCredentialSecret for Glance API %s should be empty when service is not ready", apiName) + } + } + }) + }) + + When("Heat service with application credentials enabled", func() { + BeforeEach(func() { + spec := GetDefaultOpenStackControlPlaneSpec() + spec["applicationCredential"] = map[string]interface{}{ + "enabled": true, + "expirationDays": 730, + "gracePeriodDays": 364, + } + spec["heat"] = map[string]interface{}{ + "enabled": true, + "template": map[string]interface{}{ + "databaseInstance": "openstack", + "secret": "osp-secret", + "apiTimeout": 60, + }, + "applicationCredential": map[string]interface{}{ + "enabled": true, + }, + } + + DeferCleanup(th.DeleteInstance, + CreateOpenStackControlPlane(names.OpenStackControlplaneName, spec), + ) + }) + + It("should configure ApplicationCredential in spec for Heat service", func() { + // Verify the spec is configured correctly for Heat AC + cp := GetOpenStackControlPlane(names.OpenStackControlplaneName) + Expect(cp.Spec.Heat.Enabled).To(BeTrue()) + Expect(cp.Spec.Heat.ApplicationCredential).NotTo(BeNil()) + Expect(cp.Spec.Heat.ApplicationCredential.Enabled).To(BeTrue()) + Expect(cp.Spec.Heat.Template).NotTo(BeNil()) + }) + }) + + When("Ironic service with application credentials enabled", func() { + BeforeEach(func() { + spec := GetDefaultOpenStackControlPlaneSpec() + spec["applicationCredential"] = map[string]interface{}{ + "enabled": true, + "expirationDays": 730, + "gracePeriodDays": 364, + } + spec["ironic"] = 
map[string]interface{}{ + "enabled": true, + "template": map[string]interface{}{ + "databaseInstance": "openstack", + "secret": "osp-secret", + "ironicConductors": []map[string]interface{}{ + { + "replicas": 1, + }, + }, + }, + "applicationCredential": map[string]interface{}{ + "enabled": true, + }, + } + + DeferCleanup(th.DeleteInstance, + CreateOpenStackControlPlane(names.OpenStackControlplaneName, spec), + ) + }) + It("should configure ApplicationCredential in spec for Ironic service", func() { + // Verify the spec is configured correctly for Ironic AC + cp := GetOpenStackControlPlane(names.OpenStackControlplaneName) + Expect(cp.Spec.Ironic.Enabled).To(BeTrue()) + Expect(cp.Spec.Ironic.ApplicationCredential).NotTo(BeNil()) + Expect(cp.Spec.Ironic.ApplicationCredential.Enabled).To(BeTrue()) + Expect(cp.Spec.Ironic.Template).NotTo(BeNil()) }) }) }) diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/01-assert-deploy-openstack.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/01-assert-deploy-openstack.yaml new file mode 120000 index 000000000..762a8cf31 --- /dev/null +++ b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/01-assert-deploy-openstack.yaml @@ -0,0 +1 @@ +../../common/assert-sample-deployment.yaml \ No newline at end of file diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/01-deploy-openstack.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/01-deploy-openstack.yaml new file mode 100644 index 000000000..6c9d0887d --- /dev/null +++ b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/01-deploy-openstack.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: | + oc kustomize ../../../../config/samples/base/openstackcontrolplane | oc apply -n $NAMESPACE -f - 
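Review bot: The test "should NOT set ApplicationCredentialSecret field before services are ready" can pass without asserting anything, because both checks sit inside `if cp.Spec.Cinder.Template != nil` and `if cp.Spec.Glance.Template != nil && ...`, and the spec is read only once, possibly before the reconciler has acted. This is the test guarding that no credential reference is written before readiness, so I would assert the templates with `NotTo(BeNil())` and wrap the emptiness checks in `Consistently(func(g Gomega) { ... }, timeout, interval).Should(Succeed())`. The Glance and Manila inheritance checks in the earlier `It` are guarded the same way by `if cp.Spec.Glance.ApplicationCredential != nil`. Separately, "should fill defaults correctly" passes 730, 364 and both roles explicitly in `BeforeEach`, so it would not notice a broken CRD default; dropping those keys from the spec would make it exercise defaulting.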
diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml
new file mode 100644
index 000000000..7453d5b13
--- /dev/null
+++ b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml
@@ -0,0 +1,141 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+ - script: |-
+ set -euo pipefail
+ NS="${NAMESPACE}"
+
+ wait_ready() {
+ echo "Waiting for appcred/ac-$1 to be Ready..."
+ oc wait appcred/ac-$1 -n "$NS" --for=condition=Ready --timeout=180s
+ }
+
+ check_field() {
+ local name=$1 field=$2 expected=$3
+ local actual=$(oc get appcred ac-$name -n "$NS" -o jsonpath="{.spec.$field}" 2>/dev/null || echo "")
+ if [ "$actual" != "$expected" ]; then
+ echo "ERROR: ac-$name.$field: expected '$expected', got '$actual'"
+ exit 1
+ fi
+ echo "✓ ac-$name.$field = $expected"
+ }
+
+ check_roles() {
+ local name=$1
+ shift
+ local expected_roles=("$@")
+ local roles=$(oc get appcred ac-$name -n "$NS" -o jsonpath='{.spec.roles[*]}')
+
+ # Check each expected role is present
+ for role in "${expected_roles[@]}"; do
+ if [[ ! " $roles " =~ " $role " ]]; then
+ echo "ERROR: ac-$name: Role '$role' not found. Got: $roles"
+ exit 1
+ fi
+ done
+
+ # Check role count matches
+ local role_count=$(echo "$roles" | wc -w)
+ if [ "$role_count" -ne "${#expected_roles[@]}" ]; then
+ echo "ERROR: ac-$name: Expected ${#expected_roles[@]} roles, got $role_count: $roles"
+ exit 1
+ fi
+
+ echo "✓ ac-$name.roles = [${expected_roles[*]}]"
+ }
+
+ echo "========================================="
+ echo "Testing Application Credential CRs"
+ echo "========================================="
+ echo
+
+ echo "=== Checking global ApplicationCredential is enabled ==="
+ global_enabled=$(oc get openstackcontrolplane openstack -n "$NS" -o jsonpath='{.spec.applicationCredential.enabled}')
+ if [ "$global_enabled" != "true" ]; then
+ echo "ERROR: OpenStackControlPlane.spec.applicationCredential.enabled expected 'true', got '$global_enabled'"
+ exit 1
+ fi
+ echo "✓ OpenStackControlPlane.spec.applicationCredential.enabled = true"
+ echo
+
+ # ---- ac-barbican ----
+ # Pure defaults: expirationDays=730, gracePeriodDays=364, roles=[admin,service], unrestricted=false
+ echo "=== Testing ac-barbican (pure defaults) ==="
+ wait_ready barbican
+ check_field barbican expirationDays 730
+ check_field barbican gracePeriodDays 364
+ check_roles barbican "admin" "service"
+ check_field barbican unrestricted "false"
+ echo
+
+ # ---- ac-cinder ----
+ # Full custom overrides
+ echo "=== Testing ac-cinder (full custom overrides) ==="
+ wait_ready cinder
+ check_field cinder expirationDays 10
+ check_field cinder gracePeriodDays 5
+ check_roles cinder "admin" "service"
+ check_field cinder unrestricted "true"
+ echo
+
+ # ---- ac-glance ----
+ # Partial overrides (expiration values only)
+ echo "=== Testing ac-glance (partial overrides) ==="
+ wait_ready glance
+ check_field glance expirationDays 180
+ check_field glance gracePeriodDays 60
+ check_roles glance "admin" "service"
+ check_field glance unrestricted "false"
+ echo
+
+ # ---- ac-swift ----
+ # Role override only
+ echo "=== Testing ac-swift (roles override) ==="
+ wait_ready swift
+ check_field swift expirationDays 730
+ check_field swift gracePeriodDays 364
+ check_roles swift "service"
+ check_field swift unrestricted "false"
+ echo
+
+ # ---- ac-neutron ----
+ # Inherits all defaults
+ echo "=== Testing ac-neutron (inherits defaults) ==="
+ wait_ready neutron
+ check_field neutron expirationDays 730
+ check_field neutron gracePeriodDays 364
+ check_roles neutron "admin" "service"
+ check_field neutron unrestricted "false"
+ echo
+
+ # ---- ac-placement ----
+ # Custom expiration only
+ echo "=== Testing ac-placement (expiration override) ==="
+ wait_ready placement
+ check_field placement expirationDays 90
+ check_field placement gracePeriodDays 30
+ check_roles placement "admin" "service"
+ check_field placement unrestricted "false"
+ echo
+
+ # ---- ac-nova ----
+ # Multiple roles
+ echo "=== Testing ac-nova (multiple roles) ==="
+ wait_ready nova
+ check_field nova expirationDays 730
+ check_field nova gracePeriodDays 364
+ check_roles nova "admin" "service" "member"
+ check_field nova unrestricted "false"
+ echo
+
+ # ---- ac-ceilometer ----
+ # Telemetry/Ceilometer component (enabled by default in base sample)
+ echo "=== Testing ac-ceilometer (telemetry/ceilometer) ==="
+ wait_ready ceilometer
+ check_field ceilometer expirationDays 45
+ check_field ceilometer gracePeriodDays 20
+ check_roles ceilometer "service"
+ check_field ceilometer unrestricted "false"
+ echo
+
+ echo "All ApplicationCredential CRs validated successfully"
diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-deploy-appcred-config.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-deploy-appcred-config.yaml
new file mode 100644
index 000000000..3cb5652ca
--- /dev/null
+++ b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-deploy-appcred-config.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - script: |
+ oc kustomize ../../../../config/samples/applicationcredentials | oc apply -n $NAMESPACE -f -
diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-cleanup.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-cleanup.yaml
new file mode 100644
index 000000000..df9df9fe0
--- /dev/null
+++ b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-cleanup.yaml
@@ -0,0 +1,11 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: core.openstack.org/v1beta1
+ kind: OpenStackControlPlane
+ name: openstack
+commands:
+- script: |
+ oc delete secret --ignore-not-found=true combined-ca-bundle -n $NAMESPACE
+ oc delete secret -l service-cert -n $NAMESPACE
+ oc delete secret -l ca-cert -n $NAMESPACE
diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-errors-cleanup.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-errors-cleanup.yaml
new file mode 120000
index 000000000..4d7b8362e
--- /dev/null
+++ b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-errors-cleanup.yaml
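Review bot: None of the checks in the 02-assert-appcred-crs.yaml script reads `.spec.accessRules`, so the field that narrows what an application credential may call is never asserted; only `expirationDays`, `gracePeriodDays`, `roles` and `unrestricted` are. The samples under `config/samples/applicationcredentials` are not part of this view, so whether any service sets access rules there is an assumption to confirm. If one does, a line such as `check_field <service> 'accessRules[0].service' '<expected-service>'` (placeholders) would pin propagation into the AppCred CR. In `check_field`, `local actual=$(... 2>/dev/null || echo "")` also hides the `oc` error, so a missing CR or an RBAC failure is reported as a value mismatch; declaring `local actual` on its own line and dropping `2>/dev/null` keeps the real error in the log.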
@@ -0,0 +1 @@
+../../common/errors_cleanup_openstack.yaml
\ No newline at end of file