Add Application Credential API types, AC-controller support and helper functions for service operators.

Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>

Author: Deydra71

api/bases/keystone.openstack.org_keystoneapplicationcredentials.yaml

@@ -0,0 +1,232 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.18.0
+  name: keystoneapplicationcredentials.keystone.openstack.org
+spec:
+  group: keystone.openstack.org
+  names:
+    kind: KeystoneApplicationCredential
+    listKind: KeystoneApplicationCredentialList
+    plural: keystoneapplicationcredentials
+    shortNames:
+    - appcred
+    singular: keystoneapplicationcredential
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Keystone ApplicationCredential ID
+      jsonPath: .status.acID
+      name: ACID
+      type: string
+    - description: Secret holding ApplicationCredential secret
+      jsonPath: .status.secretName
+      name: SecretName
+      type: string
+    - description: Last rotation time
+      format: date-time
+      jsonPath: .status.lastRotated
+      name: LastRotated
+      type: string
+    - description: When rotation becomes eligible
+      format: date-time
+      jsonPath: .status.rotationEligibleAt
+      name: RotationEligible
+      type: string
+    - description: Status
+      jsonPath: .status.conditions[0].status
+      name: Status
+      type: string
+    - description: Message
+      jsonPath: .status.conditions[0].message
+      name: Message
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: KeystoneApplicationCredential is the Schema for the applicationcredentials
+          API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: KeystoneApplicationCredentialSpec defines what the user can
+              set
+            properties:
+              accessRules:
+                description: AccessRules defines which services the ApplicationCredential
+                  is permitted to access
+                items:
+                  description: ACRule defines an access rule for an ApplicationCredential
+                  properties:
+                    method:
+                      description: Method is the HTTP verb to allow
+                      enum:
+                      - GET
+                      - HEAD
+                      - POST
+                      - PUT
+                      - PATCH
+                      - DELETE
+                      type: string
+                    path:
+                      description: Path is the API path to allow
+                      minLength: 1
+                      type: string
+                    service:
+                      description: Service is the OpenStack service type
+                      minLength: 1
+                      type: string
+                  required:
+                  - method
+                  - path
+                  - service
+                  type: object
+                type: array
+              expirationDays:
+                default: 365
+                description: ExpirationDays sets the lifetime in days for the ApplicationCredential
+                minimum: 2
+                type: integer
+              gracePeriodDays:
+                default: 182
+                description: GracePeriodDays sets how many days before expiration
+                  the ApplicationCredential should be rotated
+                minimum: 1
+                type: integer
+              passwordSelector:
+                description: PasswordSelector for extracting the service password
+                minLength: 1
+                type: string
+              roles:
+                description: Roles to assign to the ApplicationCredential
+                items:
+                  type: string
+                minItems: 1
+                type: array
+              secret:
+                description: Secret containing service user password
+                minLength: 1
+                type: string
+              unrestricted:
+                default: false
+                description: Unrestricted indicates whether the ApplicationCredential
+                  may be used to create or destroy other credentials or trusts
+                type: boolean
+              userName:
+                description: UserName - the Keystone user under which this ApplicationCredential
+                  is created
+                type: string
+            required:
+            - passwordSelector
+            - roles
+            - secret
+            - userName
+            type: object
+            x-kubernetes-validations:
+            - message: gracePeriodDays must be smaller than expirationDays
+              rule: self.gracePeriodDays < self.expirationDays
+          status:
+            description: KeystoneApplicationCredentialStatus defines the observed
+              state
+            properties:
+              acID:
+                description: ACID - the ID in Keystone for this ApplicationCredential
+                type: string
+              conditions:
+                description: Conditions
+                items:
+                  description: Condition defines an observation of a API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides a classification of Reason code, so the current situation is immediately
+                        understandable and could act accordingly.
+                        It is meant for situations where Status=False and it should be indicated if it is just
+                        informational, warning (next reconciliation might fix it) or an error (e.g. DB create issue
+                        and no actions to automatically resolve the issue can/should be done).
+                        For conditions where Status=Unknown or Status=True the Severity should be SeverityNone.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              createdAt:
+                description: CreatedAt - timestap of creation
+                format: date-time
+                type: string
+              expiresAt:
+                description: ExpiresAt - time of validity expiration
+                format: date-time
+                type: string
+              lastRotated:
+                description: LastRotated - timestamp when credentials were last rotated
+                format: date-time
+                type: string
+              observedGeneration:
+                description: ObservedGeneration - the most recent generation observed
+                  for this ApplicationCredential.
+                format: int64
+                type: integer
+              rotationEligibleAt:
+                description: |-
+                  RotationEligibleAt indicates when rotation becomes eligible (start of grace period window).
+                  Computed as ExpiresAt - GracePeriodDays. The AC can be rotated after this timestamp.
+                format: date-time
+                type: string
+              secretName:
+                description: SecretName - name of the k8s Secret storing the ApplicationCredential
+                  secret
+                type: string
+              securityHash:
+                description: |-
+                  SecurityHash tracks the hash of security-critical spec fields (roles, accessRules, unrestricted).
+                  Used to detect when these fields change and trigger immediate rotation.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

api/v1beta1/conditions.go

@@ -35,6 +35,9 @@ const (
 
 	// KeystoneServiceOSUserReadyCondition Status=True condition which indicates if the service user got created in the keystone instance is ready/was successful
 	KeystoneServiceOSUserReadyCondition condition.Type = "KeystoneServiceOSUserReady"
+
+	// KeystoneApplicationCredentialReadyCondition Status=True condition which indicates if the ApplicationCredential has been created and is ready
+	KeystoneApplicationCredentialReadyCondition condition.Type = "KeystoneApplicationCredentialReady"
 )
 
 // Common Messages used by API objects.
@@ -111,4 +114,19 @@ const (
 
 	// KeystoneServiceOSUserReadyErrorMessage
 	KeystoneServiceOSUserReadyErrorMessage = "Keystone Service user error occured %s"
+
+	//
+	// KeystoneApplicationCredentialReady condition messages
+	//
+	// KeystoneApplicationCredentialReadyInitMessage
+	KeystoneApplicationCredentialReadyInitMessage = "ApplicationCredential not yet created"
+
+	// KeystoneApplicationCredentialReadyMessage
+	KeystoneApplicationCredentialReadyMessage = "ApplicationCredential ready"
+
+	// KeystoneApplicationCredentialWaitingMessage
+	KeystoneApplicationCredentialWaitingMessage = "ApplicationCredential waiting for secret %s to be available"
+
+	// KeystoneApplicationCredentialReadyErrorMessage
+	KeystoneApplicationCredentialReadyErrorMessage = "ApplicationCredential error occurred: %s"
 )

api/v1beta1/keystoneapi.go

@@ -138,6 +138,103 @@ func GetAdminServiceClient(
 	return os, ctrlResult, nil
 }
 
+// GetUserServiceClient - returns an *openstack.OpenStack object scoped as the given service user
+func GetUserServiceClient(
+	ctx context.Context,
+	h *helper.Helper,
+	keystoneAPI *KeystoneAPI,
+	userName string,
+	secretName string,
+	passwordSelector string,
+) (*openstack.OpenStack, ctrl.Result, error) {
+
+	authURL, err := keystoneAPI.GetEndpoint(endpoint.EndpointInternal)
+	if err != nil {
+		return nil, ctrl.Result{}, err
+	}
+
+	parsedAuthURL, err := url.Parse(authURL)
+	if err != nil {
+		return nil, ctrl.Result{}, err
+	}
+
+	tlsConfig := &openstack.TLSConfig{}
+	if parsedAuthURL.Scheme == "https" && keystoneAPI.Spec.TLS.CaBundleSecretName != "" {
+		caCert, ctrlResult, err := secret.GetDataFromSecret(
+			ctx,
+			h,
+			keystoneAPI.Spec.TLS.CaBundleSecretName,
+			10*time.Second,
+			tls.InternalCABundleKey)
+		if err != nil {
+			return nil, ctrlResult, err
+		}
+		if (ctrlResult != ctrl.Result{}) {
+			return nil, ctrlResult,
+				fmt.Errorf("CABundleSecret %s not found",
+					keystoneAPI.Spec.TLS.CaBundleSecretName)
+		}
+
+		tlsConfig = &openstack.TLSConfig{
+			CACerts: []string{caCert},
+		}
+	}
+
+	password, res, err := getPasswordFromOSPSecret(ctx, h, secretName, passwordSelector)
+	if err != nil {
+		return nil, ctrl.Result{}, fmt.Errorf("failed to get password from osp-secret for user %q: %w", userName, err)
+	}
+	if res != (ctrl.Result{}) {
+		return nil, res, nil
+	}
+
+	scope := &gophercloud.AuthScope{
+		ProjectName: "service",
+		DomainName:  "Default",
+	}
+
+	osClient, err := openstack.NewOpenStack(
+		ctx,
+		h.GetLogger(),
+		openstack.AuthOpts{
+			AuthURL:    authURL,
+			Username:   userName,
+			Password:   password,
+			TenantName: "service",
+			DomainName: "Default",
+			Region:     keystoneAPI.Spec.Region,
+			TLS:        tlsConfig,
+			Scope:      scope,
+		},
+	)
+	if err != nil {
+		return nil, ctrl.Result{}, err
+	}
+
+	return osClient, ctrl.Result{}, nil
+}
+
+func getPasswordFromOSPSecret(
+	ctx context.Context,
+	h *helper.Helper,
+	ospSecretName, passwordSelector string,
+) (string, ctrl.Result, error) {
+	data, res, err := secret.GetDataFromSecret(
+		ctx,
+		h,
+		ospSecretName,
+		10*time.Second,
+		passwordSelector,
+	)
+	if err != nil {
+		return "", ctrl.Result{}, err
+	}
+	if res != (ctrl.Result{}) {
+		return "", res, nil
+	}
+	return data, ctrl.Result{}, nil
+}
+
 // GetScopedAdminServiceClient - get a scoped admin serviceClient for the keystoneAPI instance
 func GetScopedAdminServiceClient(
 	ctx context.Context,