Add support for External Keystone Service

This patch adds a new `ExternalKeystoneAPI` property to KeystoneAPI to
enable the use of an existing Keystone Service that is external to the
OpenShift environment used to run this operator.

For example, a multi-region deployment where one region is running a
centralized Keystone service can use this to deploy additional regions
that can use the centralized Keystone service without the need to run
their own instance of Keystone.

Assisted-by: Cursor (Auto Model)

Author: dmendiza

api/bases/keystone.openstack.org_keystoneapis.yaml

@@ -98,6 +98,11 @@ spec:
                 description: EnableSecureRBAC - Enable Consistent and Secure RBAC
                   policies
                 type: boolean
+              externalKeystoneAPI:
+                default: false
+                description: ExternalKeystoneAPI - Enable use of external Keystone
+                  API endpoints instead of deploying a local Keystone API
+                type: boolean
               extraMounts:
                 default: []
                 description: ExtraMounts containing conf files

api/v1beta1/conditions.go

@@ -111,4 +111,25 @@ const (
 
 	// KeystoneServiceOSUserReadyErrorMessage
 	KeystoneServiceOSUserReadyErrorMessage = "Keystone Service user error occured %s"
+
+	//
+	// External Keystone API condition messages
+	//
+	// ExternalKeystoneAPIDBMessage
+	ExternalKeystoneAPIDBMessage = "External Keystone API configured - database is not managed by this operator"
+
+	// ExternalKeystoneAPIDBAccountMessage
+	ExternalKeystoneAPIDBAccountMessage = "External Keystone API configured - database account is not managed by this operator"
+
+	// ExternalKeystoneAPIRabbitMQTransportURLMessage
+	ExternalKeystoneAPIRabbitMQTransportURLMessage = "External Keystone API configured - RabbitMQ is not managed by this operator"
+
+	// ExternalKeystoneAPIMemcachedReadyMessage
+	ExternalKeystoneAPIMemcachedReadyMessage = "External Keystone API configured - memcached is not managed by this operator"
+
+	// ExternalKeystoneAPIServiceConfigReadyMessage
+	ExternalKeystoneAPIServiceMessage = "External Keystone API configured - service is not managed by this operator"
+
+	// ExternalKeystoneAPINetworkAttachmentsReadyMessage
+	ExternalKeystoneAPINetworkAttachmentsReadyMessage = "External Keystone API configured - network attachments are not managed by this operator"
 )

api/v1beta1/keystoneapi.go

@@ -26,6 +26,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/endpoint"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/event"
@@ -122,6 +123,7 @@ func GetAdminServiceClient(
 	ctx context.Context,
 	h *helper.Helper,
 	keystoneAPI *KeystoneAPI,
+	endpointInterface ...service.Endpoint,
 ) (*openstack.OpenStack, ctrl.Result, error) {
 	os, ctrlResult, err := GetScopedAdminServiceClient(
 		ctx,
@@ -130,6 +132,7 @@ func GetAdminServiceClient(
 		&gophercloud.AuthScope{
 			System: true,
 		},
+		endpointInterface...,
 	)
 	if err != nil {
 		return nil, ctrlResult, err
@@ -144,9 +147,15 @@ func GetScopedAdminServiceClient(
 	h *helper.Helper,
 	keystoneAPI *KeystoneAPI,
 	scope *gophercloud.AuthScope,
+	endpointInterface ...service.Endpoint,
 ) (*openstack.OpenStack, ctrl.Result, error) {
-	// get public endpoint as authurl from keystone instance
-	authURL, err := keystoneAPI.GetEndpoint(endpoint.EndpointInternal)
+	// get endpoint as authurl from keystone instance
+	// default to internal endpoint if not specified
+	epInterface := endpoint.EndpointInternal
+	if len(endpointInterface) > 0 {
+		epInterface = endpoint.Endpoint(endpointInterface[0])
+	}
+	authURL, err := keystoneAPI.GetEndpoint(epInterface)
 	if err != nil {
 		return nil, ctrl.Result{}, err
 	}

api/v1beta1/keystoneapi_types.go

@@ -213,6 +213,18 @@ type KeystoneAPISpecCore struct {
 	// This is only needed when multiple realms are federated.
 	// Config files mount path is set to /var/lib/httpd/metadata/
 	FederatedRealmConfig string `json:"federatedRealmConfig"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=false
+	// ExternalKeystoneAPI - Enable use of external Keystone API endpoints instead of deploying a local Keystone API
+	ExternalKeystoneAPI bool `json:"externalKeystoneAPI"`
+}
+
+// ExternalKeystoneAPI defines the configuration for an external Keystone API
+type ExternalKeystoneAPI struct {
+	// +kubebuilder:validation:Optional
+	// Endpoints - Endpoint URLs for the external Keystone API
+	Endpoints map[string]string `json:"endpoints,omitempty"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.

api/v1beta1/zz_generated.deepcopy.go

@@ -98,6 +98,11 @@ spec:
                 description: EnableSecureRBAC - Enable Consistent and Secure RBAC
                   policies
                 type: boolean
+              externalKeystoneAPI:
+                default: false
+                description: ExternalKeystoneAPI - Enable use of external Keystone
+                  API endpoints instead of deploying a local Keystone API
+                type: boolean
               extraMounts:
                 default: []
                 description: ExtraMounts containing conf files