Conversation

@Deydra71 (Contributor) commented May 12, 2025

Jira: OSPRH-16622

This PR adds end-to-end support for consuming Keystone ApplicationCredentials (AC) in the Barbican operator, enabling Barbican API pods to use AC-based authentication when available.

Reconcile:

On each reconcile, the Barbican API controller checks for an AC Secret (ac-{service}-secret) using the GetApplicationCredentialFromSecret() helper from the keystone-operator API:

  • If the secret is missing or incomplete, it continues using password authentication
  • Once the AC Secret is ready with valid AC_ID and AC_SECRET fields, it templates the AC credentials into the Barbican configuration
  • It computes a hash of the Secret contents and stores it in configVars to trigger rolling updates when credentials rotate

Depends-On: openstack-k8s-operators/keystone-operator#567

@openshift-ci bot commented May 12, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci bot commented May 12, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Deydra71
Once this PR has been reviewed and has the lgtm label, please assign olliewalsh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@softwarefactory-project-zuul commented

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Warning:
Error merging github.com/openstack-k8s-operators/barbican-operator for 248,b0e9d4fae44e44f06d0163b269a79d9932b5896a

templateParameters["ACID"] = string(secret.Data["AC_ID"])
templateParameters["ACSecret"] = string(secret.Data["AC_SECRET"])
Log.Info("Using ApplicationCredentials auth")
}
Contributor review comment:

How do we handle the case where we are unable to retrieve the ACSecret? Looks like we simply continue and use password auth instead. But maybe we should requeue? Or at the very least log the error?

if res.RequeueAfter > 0 {
return res, nil
}
configVars["secret-"+secretName] = env.SetValue(hashAC)
@vakwetu (Contributor) commented May 12, 2025:

Why do we need this logic? It appears to be different from all the other secret checks above. I'm referring to lines 639-642.


Log.Info(fmt.Sprintf("[API] Got secrets '%s'", instance.Name))

// check for ApplicationCredential
Contributor review comment:

Should we be checking for both the admin secret and also the application credential (if it exists)?
Seems to me that if you are using appCreds - then you no longer need to watch the admin secret - and no longer need to reconcile if it changes.

Maybe the logic here should be more like:
check if app cred exists
if app_cred_exists {
    get app_cred_secret()
    if ! exists requeue
    verify app_cred_secret
} else {
    verify_admin_secret
}

Feels like this is long enough to warrant a new method verify_service_credentials()

@vakwetu (Contributor) May 12, 2025

Contributor Author review comment:

I added the verifyApplicationCredentials() func that implements this, see the comment below

}
configVars["secret-"+secretName] = env.SetValue(hashAC)
}

Contributor review comment:

Same comments as above, but actually, we should think about whether we need this logic at all. I don't think that the barbican-keystone-listener actually talks to keystone or uses the keystone creds. In which case, maybe we don't need to verify these parameters at all.

return res, nil
}
configVars["secret-"+secretName] = env.SetValue(hashAC)
}
Contributor review comment:

Same comments as above, but actually, we should think about whether we need this logic at all. I don't think that the barbican-worker actually talks to keystone or uses the keystone creds. In which case, maybe we don't need to verify these parameters at all.

@softwarefactory-project-zuul commented

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Warning:
Error merging github.com/openstack-k8s-operators/barbican-operator for 248,3dbd65fc819acdd835d20669373e653155820ad1

@softwarefactory-project-zuul commented

This change depends on a change that failed to merge.

Change openstack-k8s-operators/keystone-operator#567 is needed.

@Deydra71 force-pushed the appcred-support branch 2 times, most recently from 293d380 to d041d8c on July 23, 2025 07:44
@Deydra71 force-pushed the appcred-support branch 2 times, most recently from c80184e to cf5f6cb on August 6, 2025 12:30
@softwarefactory-project-zuul commented

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/6fce923fcd80456aa51169a94b122b46

openstack-k8s-operators-content-provider FAILURE in 5m 40s
⚠️ barbican-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ barbican-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

@Deydra71 (Contributor Author) commented Aug 6, 2025

Update:
Created verifyApplicationCredentials() that checks for AC readiness and that it contains all necessary fields (no more redundant admin secret check, that's already being done sooner in the reconciliation).

Added missing condition.RequestedReason, following the TransportURL pattern, so now it is clear why reconciliation is waiting.

Note:
Even though the keystone-listener and worker services are not using external keystone auth (so they don't need to use AC), all three barbican child services share the same 00-default.conf file where authentication is configured. That means that even if only the barbicanapi_controller has the AC reconciliation logic and watcher, the parent barbican_controller updates the shared config, leading to all child controllers detecting the shared config change and all pods restarting.

Edit: worker and KL pods don't restart, because their controllers don't add AC to configVars, so the hash never changes, and there's no need to trigger new pod rollout.
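The reconcile decision described in the PR description and in this update (look for the AC secret, keep password auth when it is absent, wait while it is incomplete, template AC_ID/AC_SECRET once it is ready, and hash the secret contents into configVars so a rotation rolls the API pods), as an added Go example that is not the operator's code. It works on a plain map[string][]byte standing in for the Kubernetes Secret's Data and on a plain map[string]string for configVars instead of the operator's env.SetValue; the ACResult type, the Reason string and the policy of requeueing on an incomplete secret are assumptions drawn from the review discussion.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// AuthMode is the authentication method the controller templates into
// Barbican's shared 00-default.conf.
type AuthMode string

const (
	AuthPassword AuthMode = "password"
	AuthAppCred  AuthMode = "application_credential"
)

// ACResult is what one reconcile pass decides about the AC secret.
// Hypothetical type: the operator's own reconcile returns ctrl.Result values instead.
type ACResult struct {
	Mode    AuthMode
	Requeue bool              // secret exists but is not ready yet: wait, do not template AC
	Reason  string            // why reconciliation is waiting (RequestedReason-style message)
	Hash    string            // SHA-256 over the secret contents, empty for password auth
	Params  map[string]string // template parameters (ACID / ACSecret) for the config
}

// hashSecretData hashes the secret's keys and values in sorted key order so the
// result is deterministic for equal content and changes whenever AC_SECRET rotates.
func hashSecretData(data map[string][]byte) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		// NUL separators keep key/value boundaries unambiguous ("ab"+"c" vs "a"+"bc").
		h.Write([]byte(k))
		h.Write([]byte{0})
		h.Write(data[k])
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil))
}

// verifyApplicationCredentials inspects the Data map of the ac-{service}-secret.
// nil means the secret does not exist at all. Assumed policy, based on the PR
// discussion: no secret -> keep password auth; secret present but incomplete ->
// requeue with a reason; complete -> template AC credentials and record the hash.
func verifyApplicationCredentials(data map[string][]byte) ACResult {
	if data == nil {
		return ACResult{Mode: AuthPassword, Params: map[string]string{}}
	}
	id, secret := string(data["AC_ID"]), string(data["AC_SECRET"])
	if id == "" || secret == "" {
		return ACResult{
			Mode:    AuthPassword,
			Requeue: true,
			Reason:  "ApplicationCredential secret exists but AC_ID/AC_SECRET are not ready yet",
			Params:  map[string]string{},
		}
	}
	return ACResult{
		Mode: AuthAppCred,
		Hash: hashSecretData(data),
		Params: map[string]string{
			"ACID":     id,
			"ACSecret": secret,
		},
	}
}

// applyToConfigVars stores the hash under "secret-<name>", the key the controller's
// pod-template hash is derived from, so a rotated credential rolls the API pods.
// Controllers that never add the AC hash (worker, keystone-listener) keep a stable hash.
func applyToConfigVars(configVars map[string]string, secretName string, r ACResult) {
	if r.Mode == AuthAppCred {
		configVars["secret-"+secretName] = r.Hash
	}
}

func main() {
	// Constructed sample secret contents, not real credentials.
	secret := map[string][]byte{"AC_ID": []byte("0123abcd"), "AC_SECRET": []byte("constructed-secret-v1")}
	r := verifyApplicationCredentials(secret)
	configVars := map[string]string{}
	applyToConfigVars(configVars, "ac-barbican-secret", r)
	fmt.Println("mode:", r.Mode, "requeue:", r.Requeue, "hash prefix:", configVars["secret-ac-barbican-secret"][:12])
}
```

The hash is taken over key/value pairs rather than over AC_SECRET alone so that a changed AC_ID (a freshly created credential) also produces a new hash; the sorted, NUL-separated encoding is what makes two reconcile passes over identical data agree, which is what prevents spurious rollouts.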

@Deydra71 Deydra71 changed the title [WIP] AppCred service operator support AppCred service operator support Aug 12, 2025
@Deydra71 Deydra71 marked this pull request as ready for review August 12, 2025 09:23
@openshift-ci openshift-ci bot requested review from abays and afaranha August 12, 2025 09:23
@Deydra71 force-pushed the appcred-support branch 2 times, most recently from d9a3d2e to 0532383 on August 13, 2025 14:08
@softwarefactory-project-zuul commented

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Warning:
Error merging github.com/openstack-k8s-operators/barbican-operator for 248,506faa12b035a1ae873faec6414a82fbba7a9b32

@Deydra71 force-pushed the appcred-support branch 2 times, most recently from 03426c5 to 4d423e7 on October 2, 2025 14:01
@softwarefactory-project-zuul commented

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/6b11f1080b6f447b85a4c0e86b3b923d

openstack-k8s-operators-content-provider FAILURE in 9m 07s
⚠️ barbican-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ barbican-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

@Deydra71 force-pushed the appcred-support branch 2 times, most recently from d266335 to cdeadd9 on October 14, 2025 11:47
@softwarefactory-project-zuul commented

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/e385cc4d105f4ba1a97d159f49487abe

openstack-k8s-operators-content-provider FAILURE in 9m 33s
⚠️ barbican-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ barbican-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

@softwarefactory-project-zuul commented

Merge Failed.

This change or one of its cross-repo dependencies was unable to be automatically merged with the current state of its repository. Please rebase the change and upload a new patchset.
Warning:
Error merging github.com/openstack-k8s-operators/barbican-operator for 248,9c65a73c256cd4fa056a745cc55a0714b5c6d80c
