Add AppCred types and controller support

Signed-off-by: Veronika Fisarova <[email protected]>

Author: Deydra71

api/bases/keystone.openstack.org_keystoneapplicationcredentials.yaml

@@ -0,0 +1,196 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.18.0
+  name: keystoneapplicationcredentials.keystone.openstack.org
+spec:
+  group: keystone.openstack.org
+  names:
+    kind: KeystoneApplicationCredential
+    listKind: KeystoneApplicationCredentialList
+    plural: keystoneapplicationcredentials
+    shortNames:
+    - appcred
+    singular: keystoneapplicationcredential
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Keystone ApplicationCredential ID
+      jsonPath: .status.acID
+      name: ACID
+      type: string
+    - description: Secret holding ApplicationCredential secret
+      jsonPath: .status.secretName
+      name: SecretName
+      type: string
+    - description: Last rotation time
+      jsonPath: .status.lastRotated
+      name: LastRotated
+      type: date
+    - description: Status
+      jsonPath: .status.conditions[0].status
+      name: Status
+      type: string
+    - description: Message
+      jsonPath: .status.conditions[0].message
+      name: Message
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: KeystoneApplicationCredential is the Schema for the applicationcredentials
+          API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KeystoneApplicationCredentialSpec defines what the user can
+              set
+            properties:
+              accessRules:
+                description: AccessRules defines which services the ApplicationCredential
+                  is permitted to access
+                items:
+                  description: ACRule defines a additional access rule for an ApplicationCredential
+                  properties:
+                    method:
+                      description: Method is the HTTP verb to allow (defaults to all
+                        if empty)
+                      type: string
+                    path:
+                      description: Path is the API path to allow
+                      type: string
+                    service:
+                      description: Service is the OpenStack service type
+                      type: string
+                  type: object
+                type: array
+              expirationDays:
+                default: 365
+                description: ExpirationDays sets the lifetime in days for the ApplicationCredential
+                minimum: 2
+                type: integer
+              gracePeriodDays:
+                default: 182
+                description: GracePeriodDays sets how many days before expiration
+                  the ApplicationCredential should be rotated
+                minimum: 1
+                type: integer
+              passwordSelector:
+                description: PasswordSelector for extracting the service password
+                type: string
+              roles:
+                description: Roles to assign to the ApplicationCredential
+                items:
+                  type: string
+                minItems: 1
+                type: array
+              secret:
+                description: Secret containing service user password
+                type: string
+              unrestricted:
+                default: false
+                description: Unrestricted indicates whether the ApplicationCredential
+                  may be used to create or destroy other credentials or trusts
+                type: boolean
+              userName:
+                description: UserName - the Keystone user under which this ApplicationCredential
+                  is created
+                type: string
+            required:
+            - passwordSelector
+            - roles
+            - secret
+            - userName
+            type: object
+            x-kubernetes-validations:
+            - message: gracePeriodDays must be smaller than expirationDays
+              rule: self.gracePeriodDays < self.expirationDays
+          status:
+            description: KeystoneApplicationCredentialStatus defines the observed
+              state
+            properties:
+              acID:
+                description: ACID - the ID in Keystone for this ApplicationCredential
+                type: string
+              conditions:
+                description: Conditions
+                items:
+                  description: Condition defines an observation of a API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides a classification of Reason code, so the current situation is immediately
+                        understandable and could act accordingly.
+                        It is meant for situations where Status=False and it should be indicated if it is just
+                        informational, warning (next reconciliation might fix it) or an error (e.g. DB create issue
+                        and no actions to automatically resolve the issue can/should be done).
+                        For conditions where Status=Unknown or Status=True the Severity should be SeverityNone.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              createdAt:
+                description: CreatedAt - timestap of creation
+                format: date-time
+                type: string
+              expiresAt:
+                description: ExpiresAt - time of validity expiration
+                format: date-time
+                type: string
+              lastRotated:
+                description: LastRotated - timestamp when credentials were last rotated
+                format: date-time
+                type: string
+              secretName:
+                description: SecretName - name of the k8s Secret storing the ApplicationCredential
+                  secret
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

api/v1beta1/keystoneapi.go

@@ -139,6 +139,99 @@ func GetAdminServiceClient(
 	return os, ctrlResult, nil
 }
 
+// GetUserServiceClient - returns an *openstack.OpenStack object scoped as the given service user
+func GetUserServiceClient(
+	ctx context.Context,
+	h *helper.Helper,
+	keystoneAPI *KeystoneAPI,
+	userName string,
+	secretName string,
+	passwordSelector string,
+) (*openstack.OpenStack, ctrl.Result, error) {
+
+	authURL, err := keystoneAPI.GetEndpoint(endpoint.EndpointInternal)
+	if err != nil {
+		return nil, ctrl.Result{}, err
+	}
+
+	parsedAuthURL, err := url.Parse(authURL)
+	if err != nil {
+		return nil, ctrl.Result{}, err
+	}
+
+	tlsConfig := &openstack.TLSConfig{}
+	if parsedAuthURL.Scheme == "https" && keystoneAPI.Spec.TLS.CaBundleSecretName != "" {
+		caCert, ctrlResult, err := secret.GetDataFromSecret(
+			ctx,
+			h,
+			keystoneAPI.Spec.TLS.CaBundleSecretName,
+			10*time.Second,
+			tls.InternalCABundleKey)
+		if err != nil {
+			return nil, ctrlResult, err
+		}
+		if (ctrlResult != ctrl.Result{}) {
+			return nil, ctrlResult,
+				fmt.Errorf("CABundleSecret %s not found",
+					keystoneAPI.Spec.TLS.CaBundleSecretName)
+		}
+
+		tlsConfig = &openstack.TLSConfig{
+			CACerts: []string{caCert},
+		}
+	}
+
+	password, err := getPasswordFromOSPSecret(ctx, h, secretName, passwordSelector)
+	if err != nil {
+		return nil, ctrl.Result{}, fmt.Errorf("failed to get password from osp-secret for user %q: %w", userName, err)
+	}
+
+	scope := &gophercloud.AuthScope{
+		ProjectName: "service",
+		DomainName:  "Default",
+	}
+
+	osClient, err := openstack.NewOpenStack(
+		h.GetLogger(),
+		openstack.AuthOpts{
+			AuthURL:    authURL,
+			Username:   userName,
+			Password:   password,
+			TenantName: "service",
+			DomainName: "Default",
+			Region:     keystoneAPI.Spec.Region,
+			TLS:        tlsConfig,
+			Scope:      scope,
+		},
+	)
+	if err != nil {
+		return nil, ctrl.Result{}, err
+	}
+
+	return osClient, ctrl.Result{}, nil
+}
+
+func getPasswordFromOSPSecret(
+	ctx context.Context,
+	h *helper.Helper,
+	ospSecretName, passwordSelector string,
+) (string, error) {
+	data, res, err := secret.GetDataFromSecret(
+		ctx,
+		h,
+		ospSecretName,
+		10*time.Second,
+		passwordSelector,
+	)
+	if err != nil {
+		return "", fmt.Errorf("failed to get %q from Secret/%s: %w", passwordSelector, ospSecretName, err)
+	}
+	if res != (ctrl.Result{}) {
+		return "", fmt.Errorf("secret/%s didn’t contain %q", ospSecretName, passwordSelector)
+	}
+	return data, nil
+}
+
 // GetScopedAdminServiceClient - get a scoped admin serviceClient for the keystoneAPI instance
 func GetScopedAdminServiceClient(
 	ctx context.Context,

api/v1beta1/keystoneapplicationcredential.go

@@ -0,0 +1,80 @@
+/*
+Copyright 2025
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	k8s_errors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// ApplicationCredentialData contains AC ID/Secret extracted from a Secret
+// Used by service operators to get AC data from the Secret
+type ApplicationCredentialData struct {
+	ID     string
+	Secret string
+}
+
+// GetACSecretName returns the standard AC Secret name for a service
+func GetACSecretName(serviceName string) string {
+	return fmt.Sprintf("ac-%s-secret", serviceName)
+}
+
+// GetACCRName returns the standard AC CR name for a service
+func GetACCRName(serviceName string) string {
+	return fmt.Sprintf("ac-%s", serviceName)
+}
+
+var (
+	// ErrACIDMissing indicates AC_ID key missing or empty in the Secret
+	ErrACIDMissing = errors.New("applicationcredential secret missing AC_ID")
+	// ErrACSecretMissing indicates AC_SECRET key missing or empty in the Secret
+	ErrACSecretMissing = errors.New("applicationcredential secret missing AC_SECRET")
+)
+
+// GetApplicationCredentialFromSecret fetches and validates AC data from the Secret
+func GetApplicationCredentialFromSecret(
+	ctx context.Context,
+	c client.Client,
+	namespace string,
+	serviceName string,
+) (*ApplicationCredentialData, error) {
+	secret := &corev1.Secret{}
+	key := types.NamespacedName{Namespace: namespace, Name: GetACSecretName(serviceName)}
+	if err := c.Get(ctx, key, secret); err != nil {
+		if k8s_errors.IsNotFound(err) {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("get applicationcredential secret %s: %w", key, err)
+	}
+
+	acID, okID := secret.Data["AC_ID"]
+	if !okID || len(acID) == 0 {
+		return nil, fmt.Errorf("%w: %s", ErrACIDMissing, key.String())
+	}
+	acSecret, okSecret := secret.Data["AC_SECRET"]
+	if !okSecret || len(acSecret) == 0 {
+		return nil, fmt.Errorf("%w: %s", ErrACSecretMissing, key.String())
+	}
+
+	return &ApplicationCredentialData{ID: string(acID), Secret: string(acSecret)}, nil
+}