Add AppCred types and controller support

Signed-off-by: Veronika Fisarova <[email protected]>

Author: Deydra71

api/bases/keystone.openstack.org_applicationcredentials.yaml

@@ -0,0 +1,185 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: applicationcredentials.keystone.openstack.org
+spec:
+  group: keystone.openstack.org
+  names:
+    kind: ApplicationCredential
+    listKind: ApplicationCredentialList
+    plural: applicationcredentials
+    shortNames:
+    - appcred
+    singular: applicationcredential
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Keystone AC ID
+      jsonPath: .status.acID
+      name: ACID
+      type: string
+    - description: Secret holding AC secret
+      jsonPath: .status.secretName
+      name: SecretName
+      type: string
+    - description: Status
+      jsonPath: .status.conditions[0].status
+      name: Status
+      type: string
+    - description: Message
+      jsonPath: .status.conditions[0].message
+      name: Message
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: ApplicationCredential is the Schema for the applicationcredentials
+          API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ApplicationCredentialSpec defines what the user can set
+            properties:
+              accessRules:
+                description: AccessRules defines which services the AC is permitted
+                  to access
+                items:
+                  description: ACRule defines a service-only access rule for an ApplicationCredential
+                  properties:
+                    method:
+                      description: Method is the HTTP verb to allow (defaults to all
+                        if empty)
+                      type: string
+                    path:
+                      description: Path is the API path to allow
+                      type: string
+                    service:
+                      description: Service is the OpenStack service type
+                      type: string
+                  type: object
+                type: array
+              expirationDays:
+                default: 365
+                description: ExpirationDays sets the lifetime in days for the AC
+                minimum: 2
+                type: integer
+              gracePeriodDays:
+                default: 182
+                description: GracePeriodDays sets how many days before expiration
+                  the AC should be rotated
+                minimum: 1
+                type: integer
+              passwordSelector:
+                description: PasswordSelector for extracting the service password
+                type: string
+              roles:
+                default:
+                - admin
+                - service
+                description: Roles to assign to the ApplicationCredential
+                items:
+                  type: string
+                minItems: 1
+                type: array
+              secret:
+                default: osp-secret
+                description: Secret containing service user password
+                type: string
+              unrestricted:
+                default: false
+                description: Unrestricted indicates whether the AC may be used to
+                  create or destroy other credentials or trusts
+                type: boolean
+              userName:
+                description: UserName - the Keystone user under which this AC is created
+                type: string
+            required:
+            - userName
+            type: object
+            x-kubernetes-validations:
+            - message: gracePeriodDays must be smaller than expirationDays
+              rule: self.gracePeriodDays < self.expirationDays
+          status:
+            description: ApplicationCredentialStatus defines the observed state
+            properties:
+              acID:
+                description: ACID - the ID in Keystone for this AC
+                type: string
+              conditions:
+                description: Conditions
+                items:
+                  description: Condition defines an observation of a API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides a classification of Reason code, so the current situation is immediately
+                        understandable and could act accordingly.
+                        It is meant for situations where Status=False and it should be indicated if it is just
+                        informational, warning (next reconciliation might fix it) or an error (e.g. DB create issue
+                        and no actions to automatically resolve the issue can/should be done).
+                        For conditions where Status=Unknown or Status=True the Severity should be SeverityNone.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              createdAt:
+                description: CreatedAt - timestap of creation
+                format: date-time
+                type: string
+              expiresAt:
+                description: ExpiresAt - time of validity expiration
+                format: date-time
+                type: string
+              secretName:
+                description: SecretName - name of the k8s Secret storing the AC secret
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

api/v1beta1/keystoneapi.go

@@ -92,6 +92,107 @@ func GetAdminServiceClient(
 	return os, ctrlResult, nil
 }
 
+// GetUserServiceClient - returns an *openstack.OpenStack object scoped as the given service user
+func GetUserServiceClient(
+	ctx context.Context,
+	h *helper.Helper,
+	keystoneAPI *KeystoneAPI,
+	userName string,
+	secretName string,
+	passwordSelector string,
+) (*openstack.OpenStack, ctrl.Result, error) {
+
+	authURL, err := keystoneAPI.GetEndpoint(endpoint.EndpointInternal)
+	if err != nil {
+		return nil, ctrl.Result{}, err
+	}
+
+	parsedAuthURL, err := url.Parse(authURL)
+	if err != nil {
+		return nil, ctrl.Result{}, err
+	}
+
+	tlsConfig := &openstack.TLSConfig{}
+	if parsedAuthURL.Scheme == "https" && keystoneAPI.Spec.TLS.CaBundleSecretName != "" {
+		caCert, ctrlResult, err := secret.GetDataFromSecret(
+			ctx,
+			h,
+			keystoneAPI.Spec.TLS.CaBundleSecretName,
+			10*time.Second,
+			tls.InternalCABundleKey)
+		if err != nil {
+			return nil, ctrlResult, err
+		}
+		if (ctrlResult != ctrl.Result{}) {
+			return nil, ctrlResult,
+				fmt.Errorf("CABundleSecret %s not found",
+					keystoneAPI.Spec.TLS.CaBundleSecretName)
+		}
+
+		tlsConfig = &openstack.TLSConfig{
+			CACerts: []string{caCert},
+		}
+	}
+
+	password, err := getPasswordFromOSPSecret(ctx, h, secretName, passwordSelector)
+	if err != nil {
+		return nil, ctrl.Result{}, fmt.Errorf("failed to get password from osp-secret for user %q: %w", userName, err)
+	}
+
+	scope := &gophercloud.AuthScope{
+		ProjectName: "service",
+		DomainName:  "Default",
+	}
+
+	osClient, err := openstack.NewOpenStack(
+		h.GetLogger(),
+		openstack.AuthOpts{
+			AuthURL:    authURL,
+			Username:   userName,
+			Password:   password,
+			TenantName: "service",
+			DomainName: "Default",
+			Region:     keystoneAPI.Spec.Region,
+			TLS:        tlsConfig,
+			Scope:      scope,
+		},
+	)
+	if err != nil {
+		return nil, ctrl.Result{}, err
+	}
+
+	// DEBUG
+	logger := h.GetLogger()
+	logger.Info("GetUserServiceClient debug",
+		"authURL", authURL,
+		"region", keystoneAPI.Spec.Region,
+		"userName", userName,
+	)
+
+	return osClient, ctrl.Result{}, nil
+}
+
+func getPasswordFromOSPSecret(
+	ctx context.Context,
+	h *helper.Helper,
+	ospSecretName, passwordSelector string,
+) (string, error) {
+	data, res, err := secret.GetDataFromSecret(
+		ctx,
+		h,
+		ospSecretName,
+		10*time.Second,
+		passwordSelector,
+	)
+	if err != nil {
+		return "", fmt.Errorf("failed to get %q from Secret/%s: %w", passwordSelector, ospSecretName, err)
+	}
+	if res != (ctrl.Result{}) {
+		return "", fmt.Errorf("secret/%s didn’t contain %q", ospSecretName, passwordSelector)
+	}
+	return data, nil
+}
+
 // GetScopedAdminServiceClient - get a scoped admin serviceClient for the keystoneAPI instance
 func GetScopedAdminServiceClient(
 	ctx context.Context,