Add OIDC Federation Settings

api/bases/keystone.openstack.org_keystoneapis.yaml

@@ -134,6 +134,59 @@ spec:
                 description: NodeSelector to target subset of worker nodes running
                   this service
                 type: object
+              oidcFederation:
+                description: KeystoneFederationSpec to provide the configuration values
+                  for OIDC Federation
+                properties:
+                  keystoneFederationIdentityProviderName:
+                    default: ""
+                    description: KeystoneFederationIdentityProviderName
+                    type: string
+                  oidcCacheType:
+                    default: memcache
+                    description: OIDCCacheType
+                    type: string
+                  oidcClaimDelimiter:
+                    default: ;
+                    description: OIDCClaimDelimiter
+                    type: string
+                  oidcClaimPrefix:
+                    default: OIDC-
+                    description: OIDCClaimPrefix
+                    type: string
+                  oidcClientID:
+                    default: ""
+                    description: OIDCClientID
+                    type: string
+                  oidcIntrospectionEndpoint:
+                    default: ""
+                    description: OIDCIntrospectionEndpoint
+                    type: string
+                  oidcPassClaimsAs:
+                    default: both
+                    description: OIDCPassClaimsAs
+                    type: string
+                  oidcPassUserInfoAs:
+                    default: claims
+                    description: OIDCPassUserInfoAs
+                    type: string
+                  oidcProviderMetadataURL:
+                    default: ""
+                    description: OIDCProviderMetadataURL
+                    type: string
+                  oidcResponseType:
+                    default: id_token
+                    description: OIDCResponseType
+                    type: string
+                  oidcScope:
+                    default: openid email profile
+                    description: OIDCScope
+                    type: string
+                  remoteIDAttribute:
+                    default: HTTP_OIDC_ISS
+                    description: RemoteIDAttribute
+                    type: string
+                type: object
               override:
                 description: Override, provides the ability to override the generated
                   manifest of several child resources.
@@ -295,14 +348,27 @@ spec:
               passwordSelectors:
                 default:
                   admin: AdminPassword
-                description: PasswordSelectors - Selectors to identify the AdminUser
-                  password from the Secret
+                  keystoneOIDCClientSecret: KeystoneOIDCClientSecret
+                  keystoneOIDCCryptoPassphrase: KeystoneOIDCCryptoPassphrase
+                description: PasswordSelectors - Selectors to identify the AdminUser,
+                  KeystoneOIDCClient, and KeystoneOIDCCryptoPassphrase passwords from
+                  the Secret
                 properties:
                   admin:
                     default: AdminPassword
                     description: Admin - Selector to get the keystone Admin password
                       from the Secret
                     type: string
+                  keystoneOIDCClientSecret:
+                    default: KeystoneOIDCClientSecret
+                    description: OIDCClientSecret - Selector to get the IdP client
+                      secret from the Secret
+                    type: string
+                  keystoneOIDCCryptoPassphrase:
+                    default: KeystoneOIDCCryptoPassphrase
+                    description: OIDCCryptoPassphrase - Selector to get the OIDC crypto
+                      passphrase from the Secret
+                    type: string
                 type: object
               preserveJobs:
                 default: false

api/v1beta1/keystoneapi_types.go

@@ -132,8 +132,8 @@ type KeystoneAPISpecCore struct {
 	FernetMaxActiveKeys *int32 `json:"fernetMaxActiveKeys"`
 
 	// +kubebuilder:validation:Optional
-	// +kubebuilder:default={admin: AdminPassword}
-	// PasswordSelectors - Selectors to identify the AdminUser password from the Secret
+	// +kubebuilder:default={admin: AdminPassword, keystoneOIDCClientSecret: KeystoneOIDCClientSecret, keystoneOIDCCryptoPassphrase: KeystoneOIDCCryptoPassphrase}
+	// PasswordSelectors - Selectors to identify the AdminUser, KeystoneOIDCClient, and KeystoneOIDCCryptoPassphrase passwords from the Secret
 	PasswordSelectors PasswordSelector `json:"passwordSelectors"`
 
 	// +kubebuilder:validation:Optional
@@ -184,6 +184,10 @@ type KeystoneAPISpecCore struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// TLS - Parameters related to the TLS
 	TLS tls.API `json:"tls,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +OIDCFederation - parameters to configure keystone for OIDC federation
+	OIDCFederation *KeystoneFederationSpec `json:"oidcFederation,omitempty"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.
@@ -199,6 +203,79 @@ type PasswordSelector struct {
 	// +kubebuilder:default="AdminPassword"
 	// Admin - Selector to get the keystone Admin password from the Secret
 	Admin string `json:"admin"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="KeystoneOIDCClientSecret"
+	// OIDCClientSecret - Selector to get the IdP client secret from the Secret
+	KeystoneOIDCClientSecret string `json:"keystoneOIDCClientSecret"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="KeystoneOIDCCryptoPassphrase"
+	// OIDCCryptoPassphrase - Selector to get the OIDC crypto passphrase from the Secret
+	KeystoneOIDCCryptoPassphrase string `json:"keystoneOIDCCryptoPassphrase"`
+}
+
+// KeystoneFederationSpec to provide the configuration values for OIDC Federation
+type KeystoneFederationSpec struct {
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="OIDC-"
+	// OIDCClaimPrefix
+	OIDCClaimPrefix string `json:"oidcClaimPrefix"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="id_token"
+	// OIDCResponseType
+	OIDCResponseType string `json:"oidcResponseType"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="openid email profile"
+	// OIDCScope
+	OIDCScope string `json:"oidcScope"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=""
+	// OIDCProviderMetadataURL
+	OIDCProviderMetadataURL string `json:"oidcProviderMetadataURL"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=""
+	// OIDCIntrospectionEndpoint
+	OIDCIntrospectionEndpoint string `json:"oidcIntrospectionEndpoint"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=""
+	// OIDCClientID
+	OIDCClientID string `json:"oidcClientID"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=";"
+	// OIDCClaimDelimiter
+	OIDCClaimDelimiter string `json:"oidcClaimDelimiter"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="claims"
+	// OIDCPassUserInfoAs
+	OIDCPassUserInfoAs string `json:"oidcPassUserInfoAs"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="both"
+	// OIDCPassClaimsAs
+	OIDCPassClaimsAs string `json:"oidcPassClaimsAs"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="memcache"
+	// OIDCCacheType
+	OIDCCacheType string `json:"oidcCacheType"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="HTTP_OIDC_ISS"
+	// RemoteIDAttribute
+	RemoteIDAttribute string `json:"remoteIDAttribute"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=""
+	// KeystoneFederationIdentityProviderName
+	KeystoneFederationIdentityProviderName string `json:"keystoneFederationIdentityProviderName"`
 }
 
 // HttpdCustomization - customize the httpd service
@@ -233,7 +310,7 @@ type KeystoneAPIStatus struct {
 	// TransportURLSecret - Secret containing RabbitMQ transportURL
 	TransportURLSecret string `json:"transportURLSecret,omitempty"`
 
-	//ObservedGeneration - the most recent generation observed for this service. If the observed generation is less than the spec generation, then the controller has not processed the latest changes.
+	// ObservedGeneration - the most recent generation observed for this service. If the observed generation is less than the spec generation, then the controller has not processed the latest changes.
 	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
 }
 

config/crd/bases/keystone.openstack.org_keystoneapis.yaml

@@ -134,6 +134,59 @@ spec:
                 description: NodeSelector to target subset of worker nodes running
                   this service
                 type: object
+              oidcFederation:
+                description: KeystoneFederationSpec to provide the configuration values
+                  for OIDC Federation
+                properties:
+                  keystoneFederationIdentityProviderName:
+                    default: ""
+                    description: KeystoneFederationIdentityProviderName
+                    type: string
+                  oidcCacheType:
+                    default: memcache
+                    description: OIDCCacheType
+                    type: string
+                  oidcClaimDelimiter:
+                    default: ;
+                    description: OIDCClaimDelimiter
+                    type: string
+                  oidcClaimPrefix:
+                    default: OIDC-
+                    description: OIDCClaimPrefix
+                    type: string
+                  oidcClientID:
+                    default: ""
+                    description: OIDCClientID
+                    type: string
+                  oidcIntrospectionEndpoint:
+                    default: ""
+                    description: OIDCIntrospectionEndpoint
+                    type: string
+                  oidcPassClaimsAs:
+                    default: both
+                    description: OIDCPassClaimsAs
+                    type: string
+                  oidcPassUserInfoAs:
+                    default: claims
+                    description: OIDCPassUserInfoAs
+                    type: string
+                  oidcProviderMetadataURL:
+                    default: ""
+                    description: OIDCProviderMetadataURL
+                    type: string
+                  oidcResponseType:
+                    default: id_token
+                    description: OIDCResponseType
+                    type: string
+                  oidcScope:
+                    default: openid email profile
+                    description: OIDCScope
+                    type: string
+                  remoteIDAttribute:
+                    default: HTTP_OIDC_ISS
+                    description: RemoteIDAttribute
+                    type: string
+                type: object
               override:
                 description: Override, provides the ability to override the generated
                   manifest of several child resources.
@@ -295,14 +348,27 @@ spec:
               passwordSelectors:
                 default:
                   admin: AdminPassword
-                description: PasswordSelectors - Selectors to identify the AdminUser
-                  password from the Secret
+                  keystoneOIDCClientSecret: KeystoneOIDCClientSecret
+                  keystoneOIDCCryptoPassphrase: KeystoneOIDCCryptoPassphrase
+                description: PasswordSelectors - Selectors to identify the AdminUser,
+                  KeystoneOIDCClient, and KeystoneOIDCCryptoPassphrase passwords from
+                  the Secret
                 properties:
                   admin:
                     default: AdminPassword
                     description: Admin - Selector to get the keystone Admin password
                       from the Secret
                     type: string
+                  keystoneOIDCClientSecret:
+                    default: KeystoneOIDCClientSecret
+                    description: OIDCClientSecret - Selector to get the IdP client
+                      secret from the Secret
+                    type: string
+                  keystoneOIDCCryptoPassphrase:
+                    default: KeystoneOIDCCryptoPassphrase
+                    description: OIDCCryptoPassphrase - Selector to get the OIDC crypto
+                      passphrase from the Secret
+                    type: string
                 type: object
               preserveJobs:
                 default: false

config/samples/keystone_v1beta1_keystoneapi_tls_federation.yaml

@@ -0,0 +1,43 @@
+apiVersion: keystone.openstack.org/v1beta1
+kind: KeystoneAPI
+metadata:
+  name: keystone
+spec:
+  adminProject: admin
+  adminUser: admin
+  customServiceConfig: |
+    [DEFAULT]
+    debug = true
+  databaseInstance: openstack
+  databaseAccount: keystone
+  preserveJobs: false
+  region: regionOne
+  secret: osp-secret
+  resources:
+    requests:
+      memory: "500Mi"
+      cpu: "1.0"
+  tls:
+    api:
+      # secret holding tls.crt and tls.key for the APIs internal k8s service
+      internal:
+        secretName: cert-keystone-internal-svc
+      # secret holding tls.crt and tls.key for the APIs public k8s service
+      public:
+        secretName: cert-keystone-public-svc
+    # secret holding the tls-ca-bundle.pem to be used as a deploymend env CA bundle
+    caBundleSecretName: combined-ca-bundle
+  oidcFederation:
+    keystoneFederationIdentityProviderName: my_federation_provider_name
+    oidcCacheType: memcache
+    oidcClaimDelimiter: ;
+    oidcClaimPrefix: OIDC-
+    oidcClientID: my_federation_client_id
+    oidcIntrospectionEndpoint: my_federation_introspection_endpoint
+    oidcMemCacheServers: ""
+    oidcPassClaimsAs: both
+    oidcPassUserInfoAs: claims
+    oidcProviderMetadataURL: my_federation_provider_metadata_url
+    oidcResponseType: id_token
+    oidcScope: openid email profile
+    remoteIDAttribute: HTTP_OIDC_ISS