WIP: Add support for External Keystone Service

dmendiza · dmendiza · commit 3ccee68af5e3 · 2025-12-08T13:25:09.000-05:00
This patch adds a new `ExternalKeystoneAPI` property to KeystoneAPI to
enable the use of an existing Keystone Service that is external to the
OpenShift environment used to run this operator.

For example, a multi-region deployment where one region is running a
centralized Keystone service can use this to deploy additional regions
that can use the centralized Keystone service without the need to run
their own instance of Keystone.

Assisted-by: Cursor (Auto Model)
diff --git a/api/v1beta1/conditions.go b/api/v1beta1/conditions.go
@@ -111,4 +111,25 @@ const (
 
 	// KeystoneServiceOSUserReadyErrorMessage
 	KeystoneServiceOSUserReadyErrorMessage = "Keystone Service user error occured %s"
+
+	//
+	// External Keystone API condition messages
+	//
+	// ExternalKeystoneAPIDBMessage
+	ExternalKeystoneAPIDBMessage = "External Keystone API configured - database is not managed by this operator"
+
+	// ExternalKeystoneAPIDBAccountMessage
+	ExternalKeystoneAPIDBAccountMessage = "External Keystone API configured - database account is not managed by this operator"
+
+	// ExternalKeystoneAPIRabbitMQTransportURLMessage
+	ExternalKeystoneAPIRabbitMQTransportURLMessage = "External Keystone API configured - RabbitMQ is not managed by this operator"
+
+	// ExternalKeystoneAPIMemcachedReadyMessage
+	ExternalKeystoneAPIMemcachedReadyMessage = "External Keystone API configured - memcached is not managed by this operator"
+
+	// ExternalKeystoneAPIServiceConfigReadyMessage
+	ExternalKeystoneAPIServiceMessage = "External Keystone API configured - service is not managed by this operator"
+
+	// ExternalKeystoneAPINetworkAttachmentsReadyMessage
+	ExternalKeystoneAPINetworkAttachmentsReadyMessage = "External Keystone API configured - network attachments are not managed by this operator"
 )
diff --git a/api/v1beta1/keystoneapi_types.go b/api/v1beta1/keystoneapi_types.go
@@ -213,6 +213,17 @@ type KeystoneAPISpecCore struct {
 	// This is only needed when multiple realms are federated.
 	// Config files mount path is set to /var/lib/httpd/metadata/
 	FederatedRealmConfig string `json:"federatedRealmConfig"`
+
+	// +kubebuilder:validation:Optional
+	// ExternalKeystoneAPI - Configuration for external Keystone API endpoints
+	ExternalKeystoneAPI *ExternalKeystoneAPI `json:"externalKeystoneAPI,omitempty"`
+}
+
+// ExternalKeystoneAPI defines the configuration for an external Keystone API
+type ExternalKeystoneAPI struct {
+	// +kubebuilder:validation:Optional
+	// Endpoints - Endpoint URLs for the external Keystone API
+	Endpoints map[string]string `json:"endpoints,omitempty"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.
diff --git a/internal/controller/keystoneapi_controller.go b/internal/controller/keystoneapi_controller.go
@@ -244,6 +244,11 @@ func (r *KeystoneAPIReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return r.reconcileDelete(ctx, instance, helper)
 	}
 
+	// Check if external Keystone API is configured
+	if instance.Spec.ExternalKeystoneAPI != nil {
+		return r.reconcileExternalKeystoneAPI(ctx, instance, helper)
+	}
+
 	// Handle non-deleted clusters
 	return r.reconcileNormal(ctx, instance, helper)
 }
@@ -451,6 +456,14 @@ func (r *KeystoneAPIReconciler) reconcileDelete(ctx context.Context, instance *k
 	Log := r.GetLogger(ctx)
 	Log.Info("Reconciling Service delete")
 
+	// If using external Keystone API, we don't have any resources to clean up
+	if instance.Spec.ExternalKeystoneAPI != nil {
+		// Just remove the finalizer
+		controllerutil.RemoveFinalizer(instance, helper.GetFinalizer())
+		Log.Info("Reconciled External Keystone API delete successfully")
+		return ctrl.Result{}, nil
+	}
+
 	// We need to allow all KeystoneEndpoint and KeystoneService processing to finish
 	// in the case of a delete before we remove the finalizers.  For instance, in the
 	// case of the Memcached dependency, if Memcached is deleted before all Keystone
@@ -747,6 +760,172 @@ func (r *KeystoneAPIReconciler) reconcileInit(
 	return ctrl.Result{}, nil
 }
 
+func (r *KeystoneAPIReconciler) reconcileExternalKeystoneAPI(
+	ctx context.Context,
+	instance *keystonev1.KeystoneAPI,
+	helper *helper.Helper,
+) (ctrl.Result, error) {
+	Log := r.GetLogger(ctx)
+	Log.Info("Reconciling External Keystone API")
+
+	// When using external Keystone API, we skip all deployment logic
+	// and just use the endpoints from the spec
+
+	// serviceLabels?
+
+	configMapVars := make(map[string]env.Setter)
+
+	// Verify secret is available (needed for admin client operations)
+	ctrlResult, err := r.verifySecret(ctx, instance, helper, configMapVars)
+	if err != nil {
+		return ctrlResult, err
+	} else if (ctrlResult != ctrl.Result{}) {
+		return ctrlResult, nil
+	}
+
+	// service DB is not needed
+	instance.Status.Conditions.MarkTrue(mariadbv1.MariaDBAccountReadyCondition, keystonev1.ExternalKeystoneAPIDBAccountMessage)
+	instance.Status.Conditions.MarkTrue(condition.DBReadyCondition, keystonev1.ExternalKeystoneAPIDBMessage)
+	instance.Status.Conditions.MarkTrue(condition.DBSyncReadyCondition, keystonev1.ExternalKeystoneAPIDBMessage)
+
+	// RabbitMQ transportURL is not needed
+	instance.Status.Conditions.MarkTrue(condition.RabbitMqTransportURLReadyCondition, keystonev1.ExternalKeystoneAPIRabbitMQTransportURLMessage)
+
+	// memcached is not needed
+	instance.Status.Conditions.MarkTrue(condition.MemcachedReadyCondition, keystonev1.ExternalKeystoneAPIMemcachedReadyMessage)
+
+	// Mark service conditions as ready since they're being managed externally
+	instance.Status.Conditions.MarkTrue(condition.ServiceAccountReadyCondition, "External Keystone API - no service account needed")
+	instance.Status.Conditions.MarkTrue(condition.RoleReadyCondition, "External Keystone API - no role needed")
+	instance.Status.Conditions.MarkTrue(condition.RoleBindingReadyCondition, "External Keystone API - no role binding needed")
+	instance.Status.Conditions.MarkTrue(condition.ServiceConfigReadyCondition, keystonev1.ExternalKeystoneAPIServiceMessage)
+	instance.Status.Conditions.MarkTrue(condition.BootstrapReadyCondition, keystonev1.ExternalKeystoneAPIServiceMessage)
+	instance.Status.Conditions.MarkTrue(condition.CreateServiceReadyCondition, keystonev1.ExternalKeystoneAPIServiceMessage)
+	instance.Status.Conditions.MarkTrue(condition.DeploymentReadyCondition, keystonev1.ExternalKeystoneAPIServiceMessage)
+	instance.Status.Conditions.MarkTrue(condition.CronJobReadyCondition, keystonev1.ExternalKeystoneAPIServiceMessage)
+	// Set ready count to 0 since we're not deploying anything
+	instance.Status.ReadyCount = 0
+
+	// Verify TLS input (CA cert secret if provided)
+	ctrlResult, err = r.verifyTLSInput(ctx, instance, helper, configMapVars)
+	if err != nil {
+		return ctrlResult, err
+	} else if (ctrlResult != ctrl.Result{}) {
+		return ctrlResult, nil
+	}
+	instance.Status.Conditions.MarkTrue(condition.TLSInputReadyCondition, condition.InputReadyMessage)
+
+	// TODO: Do we need network annotations if we we dont have Keystone API?
+	instance.Status.Conditions.MarkTrue(condition.NetworkAttachmentsReadyCondition, keystonev1.ExternalKeystoneAPINetworkAttachmentsReadyMessage)
+
+	// Add endpoints
+
+	// Set API endpoints from externalKeystoneAPI spec
+	if instance.Status.APIEndpoints == nil {
+		instance.Status.APIEndpoints = map[string]string{}
+	}
+
+	// Copy endpoints from spec to status
+	// TODO: check instance.Spec.Override.Service?
+	for key, value := range instance.Spec.ExternalKeystoneAPI.Endpoints {
+		instance.Status.APIEndpoints[key] = value
+	}
+
+	// Set region if specified
+	if instance.Spec.Region != "" {
+		instance.Status.Region = instance.Spec.Region
+	}
+
+	Log.Info("Reconciled External Keystone API successfully")
+	return ctrl.Result{}, nil
+}
+
+// verifySecret verifies the OpenStack secret exists and adds its hash to configMapVars
+func (r *KeystoneAPIReconciler) verifySecret(
+	ctx context.Context,
+	instance *keystonev1.KeystoneAPI,
+	helper *helper.Helper,
+	configMapVars map[string]env.Setter,
+) (ctrl.Result, error) {
+	// check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
+	// NOTE: VerifySecret handles the "not found" error and returns RequeueAfter ctrl.Result if so, so we don't
+	//       need to check the error type here
+	hash, result, err := oko_secret.VerifySecret(ctx, types.NamespacedName{Name: instance.Spec.Secret, Namespace: instance.Namespace}, []string{"AdminPassword"}, helper.GetClient(), time.Second*10)
+	if err != nil {
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			condition.InputReadyCondition,
+			condition.ErrorReason,
+			condition.SeverityWarning,
+			condition.InputReadyErrorMessage,
+			err.Error()))
+		return ctrl.Result{}, err
+	} else if (result != ctrl.Result{}) {
+		// This case is "secret not found".  VerifySecret already logs a message for it.
+		// We treat this as a warning because it means that the service will not be able to start
+		// while we are waiting for the secret to be created manually by the user.
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			condition.InputReadyCondition,
+			condition.ErrorReason,
+			condition.SeverityWarning,
+			condition.InputReadyWaitingMessage))
+		return result, nil
+	}
+
+	// Add hash to configMapVars if provided
+	if configMapVars != nil {
+		configMapVars[instance.Spec.Secret] = env.SetValue(hash)
+	}
+
+	instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)
+
+	return ctrl.Result{}, nil
+}
+func (r *KeystoneAPIReconciler) verifyTLSInput(
+	ctx context.Context,
+	instance *keystonev1.KeystoneAPI,
+	helper *helper.Helper,
+	configMapVars map[string]env.Setter,
+) (ctrl.Result, error) {
+	// Validate the CA cert secret if provided
+	if instance.Spec.TLS.CaBundleSecretName != "" {
+		hash, err := tls.ValidateCACertSecret(
+			ctx,
+			helper.GetClient(),
+			types.NamespacedName{
+				Name:      instance.Spec.TLS.CaBundleSecretName,
+				Namespace: instance.Namespace,
+			},
+		)
+		if err != nil {
+			if k8s_errors.IsNotFound(err) {
+				// Since the CA cert secret should have been manually created by the user and provided in the spec,
+				// we treat this as a warning because it means that the service will not be able to start.
+				instance.Status.Conditions.Set(condition.FalseCondition(
+					condition.TLSInputReadyCondition,
+					condition.ErrorReason,
+					condition.SeverityWarning,
+					condition.TLSInputReadyWaitingMessage,
+					instance.Spec.TLS.CaBundleSecretName))
+				return ctrl.Result{}, nil
+			}
+			instance.Status.Conditions.Set(condition.FalseCondition(
+				condition.TLSInputReadyCondition,
+				condition.ErrorReason,
+				condition.SeverityWarning,
+				condition.TLSInputErrorMessage,
+				err.Error()))
+			return ctrl.Result{}, err
+		}
+
+		if hash != "" {
+			if configMapVars != nil {
+				configMapVars[tls.CABundleKey] = env.SetValue(hash)
+			}
+		}
+	}
+
+	return ctrl.Result{}, nil
+}
 func (r *KeystoneAPIReconciler) reconcileUpdate(ctx context.Context) (ctrl.Result, error) {
 	Log := r.GetLogger(ctx)
 	Log.Info("Reconciling Service update")
@@ -787,32 +966,13 @@ func (r *KeystoneAPIReconciler) reconcileNormal(
 
 	//
 	// check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
-	// NOTE: VerifySecret handles the "not found" error and returns RequeueAfter ctrl.Result if so, so we don't
-	//       need to check the error type here
 	//
-	hash, result, err := oko_secret.VerifySecret(ctx, types.NamespacedName{Name: instance.Spec.Secret, Namespace: instance.Namespace}, []string{"AdminPassword"}, helper.GetClient(), time.Second*10)
+	ctrlResult, err := r.verifySecret(ctx, instance, helper, configMapVars)
 	if err != nil {
-		instance.Status.Conditions.Set(condition.FalseCondition(
-			condition.InputReadyCondition,
-			condition.ErrorReason,
-			condition.SeverityWarning,
-			condition.InputReadyErrorMessage,
-			err.Error()))
-		return ctrl.Result{}, err
-	} else if (result != ctrl.Result{}) {
-		// This case is "secret not found".  VerifySecret already logs a message for it.
-		// We treat this as a warning because it means that the service will not be able to start
-		// while we are waiting for the secret to be created manually by the user.
-		instance.Status.Conditions.Set(condition.FalseCondition(
-			condition.InputReadyCondition,
-			condition.ErrorReason,
-			condition.SeverityWarning,
-			condition.InputReadyWaitingMessage))
-		return result, nil
+		return ctrlResult, err
+	} else if (ctrlResult != ctrl.Result{}) {
+		return ctrlResult, nil
 	}
-	configMapVars[instance.Spec.Secret] = env.SetValue(hash)
-
-	instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)
 
 	// run check OpenStack secret - end
 
@@ -1089,7 +1249,7 @@ func (r *KeystoneAPIReconciler) reconcileNormal(
 	}
 
 	// Handle service init
-	ctrlResult, err := r.reconcileInit(ctx, instance, helper, serviceLabels, serviceAnnotations, memcached)
+	ctrlResult, err = r.reconcileInit(ctx, instance, helper, serviceLabels, serviceAnnotations, memcached)
 	if err != nil {
 		return ctrlResult, err
 	} else if (ctrlResult != ctrl.Result{}) {
