kubernetes-sigs
diff --git a/‎PROJECT‎
Lines changed: 3 additions & 0 deletions b/‎PROJECT‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎api/v1alpha1/openstackclusteridentity_types.go‎
Lines changed: 68 additions & 0 deletions b/‎api/v1alpha1/openstackclusteridentity_types.go‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 99 additions & 4 deletions b/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 99 additions & 4 deletions
diff --git a/‎api/v1beta1/identity_types.go‎
Lines changed: 12 additions & 3 deletions b/‎api/v1beta1/identity_types.go‎
Lines changed: 12 additions & 3 deletions
@@ -23,5 +23,8 @@ resources:
 - group: infrastructure
   kind: OpenStackServer
   version: v1alpha1
+- group: infrastructure
+  kind: OpenStackClusterIdentity
+  version: v1alpha1
 - group: infrastructure
 version: "2"
@@ -0,0 +1,68 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OpenStackCredentialSecretReference references a Secret containing OpenStack credentials.
+type OpenStackCredentialSecretReference struct {
+	// Name of the Secret which contains a `clouds.yaml` key (and optionally `cacert`).
+	// +kubebuilder:validation:Required
+	Name string `json:"name"`
+
+	// Namespace where the Secret resides.
+	// +kubebuilder:validation:Required
+	Namespace string `json:"namespace"`
+}
+
+// OpenStackClusterIdentitySpec defines the desired state for an OpenStackClusterIdentity.
+type OpenStackClusterIdentitySpec struct {
+	// SecretRef references the credentials Secret containing a `clouds.yaml` file.
+	// +kubebuilder:validation:Required
+	SecretRef OpenStackCredentialSecretReference `json:"secretRef"`
+
+	// NamespaceSelector limits which namespaces may use this identity. If nil, all namespaces are allowed.
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+}
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=openstackclusteridentities,scope=Cluster,categories=cluster-api,shortName=osci
+
+// OpenStackClusterIdentity is a cluster-scoped identity that centralizes OpenStack credentials.
+type OpenStackClusterIdentity struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec OpenStackClusterIdentitySpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// OpenStackClusterIdentityList contains a list of OpenStackClusterIdentity.
+type OpenStackClusterIdentityList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []OpenStackClusterIdentity `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&OpenStackClusterIdentity{}, &OpenStackClusterIdentityList{})
+}
@@ -19,10 +19,19 @@ package v1beta1
 // OpenStackIdentityReference is a reference to an infrastructure
 // provider identity to be used to provision cluster resources.
 // +kubebuilder:validation:XValidation:rule="(!has(self.region) && !has(oldSelf.region)) || self.region == oldSelf.region",message="region is immutable"
+// +kubebuilder:validation:XValidation:rule="has(self.name)",message="name is required"
+// +kubebuilder:validation:XValidation:rule="has(self.cloudName)",message="cloudName is required"
 type OpenStackIdentityReference struct {
-	// Name is the name of a secret in the same namespace as the resource being provisioned.
-	// The secret must contain a key named `clouds.yaml` which contains an OpenStack clouds.yaml file.
-	// The secret may optionally contain a key named `cacert` containing a PEM-encoded CA certificate.
+	// Type specifies the identity reference type. Defaults to Secret for backward compatibility.
+	// +kubebuilder:validation:Enum=Secret;ClusterIdentity
+	// +kubebuilder:default=Secret
+	// +kubebuilder:validation:Required
+	Type string `json:"type,omitempty"`
+
+	// Name is the name of a Secret (type=Secret) in the same namespace as the resource being provisioned,
+	// or the name of an OpenStackClusterIdentity (type=ClusterIdentity).
+	// The Secret must contain a key named `clouds.yaml` which contains an OpenStack clouds.yaml file.
+	// The Secret may optionally contain a key named `cacert` containing a PEM-encoded CA certificate.
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`