Add AppCred types and controller support

Signed-off-by: Veronika Fisarova <[email protected]>

Author: Deydra71

api/bases/keystone.openstack.org_applicationcredentials.yaml

@@ -0,0 +1,153 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: applicationcredentials.keystone.openstack.org
+spec:
+  group: keystone.openstack.org
+  names:
+    kind: ApplicationCredential
+    listKind: ApplicationCredentialList
+    plural: applicationcredentials
+    shortNames:
+    - appcred
+    singular: applicationcredential
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Keystone AC ID
+      jsonPath: .status.acID
+      name: ACID
+      type: string
+    - description: Secret holding AC secret
+      jsonPath: .status.secretName
+      name: SecretName
+      type: string
+    - description: Status
+      jsonPath: .status.conditions[0].status
+      name: Status
+      type: string
+    - description: Message
+      jsonPath: .status.conditions[0].message
+      name: Message
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: ApplicationCredential is the Schema for the applicationcredentials
+          API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ApplicationCredentialSpec defines what the user can set
+            properties:
+              expirationDays:
+                default: 14
+                description: ExpirationDays sets the lifetime in days for the AC
+                minimum: 2
+                type: integer
+              gracePeriodDays:
+                default: 7
+                description: GracePeriodDays sets how many days before expiration
+                  the AC should be rotated
+                minimum: 1
+                type: integer
+              passwordSelector:
+                description: PasswordSelector for extracting the service password
+                type: string
+              secret:
+                default: osp-secret
+                description: Secret containing service user password
+                type: string
+              userName:
+                description: UserName - the Keystone user under which this AC is created
+                type: string
+            required:
+            - userName
+            type: object
+            x-kubernetes-validations:
+            - message: gracePeriodDays must be smaller than expirationDays
+              rule: self.gracePeriodDays < self.expirationDays
+          status:
+            description: ApplicationCredentialStatus defines the observed state
+            properties:
+              acID:
+                description: ACID - the ID in Keystone for this AC
+                type: string
+              conditions:
+                description: Conditions
+                items:
+                  description: Condition defines an observation of a API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides a classification of Reason code, so the current situation is immediately
+                        understandable and could act accordingly.
+                        It is meant for situations where Status=False and it should be indicated if it is just
+                        informational, warning (next reconciliation might fix it) or an error (e.g. DB create issue
+                        and no actions to automatically resolve the issue can/should be done).
+                        For conditions where Status=Unknown or Status=True the Severity should be SeverityNone.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              createdAt:
+                description: CreatedAt - timestap of creation
+                format: date-time
+                type: string
+              expiresAt:
+                description: ExpiresAt - time of validity expiration
+                format: date-time
+                type: string
+              secretName:
+                description: SecretName - name of the k8s Secret storing the AC secret
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

api/v1beta1/keystoneapi.go

@@ -92,6 +92,107 @@ func GetAdminServiceClient(
 	return os, ctrlResult, nil
 }
 
+// GetUserServiceClient - returns an *openstack.OpenStack object scoped as the given service user
+func GetUserServiceClient(
+	ctx context.Context,
+	h *helper.Helper,
+	keystoneAPI *KeystoneAPI,
+	userName string,
+	secretName string,
+	passwordSelector string,
+) (*openstack.OpenStack, ctrl.Result, error) {
+
+	authURL, err := keystoneAPI.GetEndpoint(endpoint.EndpointInternal)
+	if err != nil {
+		return nil, ctrl.Result{}, err
+	}
+
+	parsedAuthURL, err := url.Parse(authURL)
+	if err != nil {
+		return nil, ctrl.Result{}, err
+	}
+
+	tlsConfig := &openstack.TLSConfig{}
+	if parsedAuthURL.Scheme == "https" && keystoneAPI.Spec.TLS.CaBundleSecretName != "" {
+		caCert, ctrlResult, err := secret.GetDataFromSecret(
+			ctx,
+			h,
+			keystoneAPI.Spec.TLS.CaBundleSecretName,
+			10*time.Second,
+			tls.InternalCABundleKey)
+		if err != nil {
+			return nil, ctrlResult, err
+		}
+		if (ctrlResult != ctrl.Result{}) {
+			return nil, ctrlResult,
+				fmt.Errorf("CABundleSecret %s not found",
+					keystoneAPI.Spec.TLS.CaBundleSecretName)
+		}
+
+		tlsConfig = &openstack.TLSConfig{
+			CACerts: []string{caCert},
+		}
+	}
+
+	password, err := getPasswordFromOSPSecret(ctx, h, secretName, passwordSelector)
+	if err != nil {
+		return nil, ctrl.Result{}, fmt.Errorf("failed to get password from osp-secret for user %q: %w", userName, err)
+	}
+
+	scope := &gophercloud.AuthScope{
+		ProjectName: "service",
+		DomainName:  "Default",
+	}
+
+	osClient, err := openstack.NewOpenStack(
+		h.GetLogger(),
+		openstack.AuthOpts{
+			AuthURL:    authURL,
+			Username:   userName,
+			Password:   password,
+			TenantName: "service",
+			DomainName: "Default",
+			Region:     keystoneAPI.Spec.Region,
+			TLS:        tlsConfig,
+			Scope:      scope,
+		},
+	)
+	if err != nil {
+		return nil, ctrl.Result{}, err
+	}
+
+	// DEBUG
+	logger := h.GetLogger()
+	logger.Info("GetUserServiceClient debug",
+		"authURL", authURL,
+		"region", keystoneAPI.Spec.Region,
+		"userName", userName,
+	)
+
+	return osClient, ctrl.Result{}, nil
+}
+
+func getPasswordFromOSPSecret(
+	ctx context.Context,
+	h *helper.Helper,
+	ospSecretName, passwordSelector string,
+) (string, error) {
+	data, res, err := secret.GetDataFromSecret(
+		ctx,
+		h,
+		ospSecretName,
+		10*time.Second,
+		passwordSelector,
+	)
+	if err != nil {
+		return "", fmt.Errorf("failed to get %q from Secret/%s: %w", passwordSelector, ospSecretName, err)
+	}
+	if res != (ctrl.Result{}) {
+		return "", fmt.Errorf("secret/%s didn’t contain %q", ospSecretName, passwordSelector)
+	}
+	return data, nil
+}
+
 // GetScopedAdminServiceClient - get a scoped admin serviceClient for the keystoneAPI instance
 func GetScopedAdminServiceClient(
 	ctx context.Context,

api/v1beta1/keystoneapplicationcredential_types.go

@@ -0,0 +1,104 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:validation:XValidation:rule="self.gracePeriodDays < self.expirationDays",message="gracePeriodDays must be smaller than expirationDays"
+// ApplicationCredentialSpec defines what the user can set
+type ApplicationCredentialSpec struct {
+
+	// Secret containing service user password
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=osp-secret
+	Secret string `json:"secret"`
+
+	// PasswordSelector for extracting the service password
+	// +kubebuilder:validation:Optional
+	PasswordSelector string `json:"passwordSelector"`
+
+	// UserName - the Keystone user under which this AC is created
+	UserName string `json:"userName"`
+
+	// ExpirationDays sets the lifetime in days for the AC
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=14
+	// +kubebuilder:validation:Minimum=2
+	ExpirationDays int `json:"expirationDays"`
+
+	// GracePeriodDays sets how many days before expiration the AC should be rotated
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=7
+	// +kubebuilder:validation:Minimum=1
+	GracePeriodDays int `json:"gracePeriodDays"`
+}
+
+// ApplicationCredentialStatus defines the observed state
+type ApplicationCredentialStatus struct {
+	// ACID - the ID in Keystone for this AC
+	ACID string `json:"acID,omitempty"`
+
+	// SecretName - name of the k8s Secret storing the AC secret
+	SecretName string `json:"secretName,omitempty"`
+
+	// Conditions
+	Conditions condition.Conditions `json:"conditions,omitempty"`
+
+	// CreatedAt - timestap of creation
+	CreatedAt *metav1.Time `json:"createdAt,omitempty"`
+
+	// ExpiresAt - time of validity expiration
+	ExpiresAt *metav1.Time `json:"expiresAt,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+// +kubebuilder:resource:shortName=appcred
+//+kubebuilder:printcolumn:name="ACID",type="string",JSONPath=".status.acID",description="Keystone AC ID"
+//+kubebuilder:printcolumn:name="SecretName",type="string",JSONPath=".status.secretName",description="Secret holding AC secret"
+//+kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.conditions[0].status",description="Status"
+//+kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.conditions[0].message",description="Message"
+
+// ApplicationCredential is the Schema for the applicationcredentials API
+type ApplicationCredential struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ApplicationCredentialSpec   `json:"spec,omitempty"`
+	Status ApplicationCredentialStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// ApplicationCredentialList contains a list of ApplicationCredential
+type ApplicationCredentialList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ApplicationCredential `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&ApplicationCredential{}, &ApplicationCredentialList{})
+}
+
+// IsReady - returns true if ApplicationCredential is reconciled successfully
+func (ac *ApplicationCredential) IsReady() bool {
+	return ac.Status.Conditions.IsTrue(condition.ReadyCondition)
+}