AppCred controller support

[Deydra71]

Jira: OSPRH-14737

This PR introduces a new ApplicationCredential (AC) controller in the keystone-operator. It watches ApplicationCredential custom resources and performs these actions:

1. Creates Keystone ApplicationCredentials for each CR (authenticating as that user due to Keystone’s default policy)
2. Stores the AC’s ID and Secret in a k8s secret
3. Implements rotation logic based on expirationDays and gracePeriodDays:
   • Reconciles at least once a day, rotating any AC that’s within or past its grace window
   • If an AC is already in the grace period at the next reconcile, it rotates immediately
   • The old ApplicationCredential in Keystone is not revoked on rotation (it naturally expires)

Additionally:

• The controller waits for a KeystoneAPI resource to be Ready before proceeding with AC operations

Notes:

• CRD & RBAC for the ApplicationCredential resource are not automatically installed yet. These must be applied manually until openstack-operator integration is complete

To apply rbac permissions run oc edit clusterrole keystone-operator-manager-role and add:

- apiGroups:
  - keystone.openstack.org
  resources:
  - applicationcredentials
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

- apiGroups:
  - keystone.openstack.org
  resources:
  - applicationcredentials/finalizers
  verbs:
  - patch
  - update

- apiGroups:
  - keystone.openstack.org
  resources:
  - applicationcredentials/status
  verbs:
  - get
  - patch
  - update

Example AC CR for barbican service user:

apiVersion: keystone.openstack.org/v1beta1
kind: ApplicationCredential
metadata:
  name: ac-barbican
  namespace: openstack
spec:
  expirationDays: 365
  gracePeriodDays: 182
  passwordSelector: BarbicanPassword
  roles:
  - service
  secret: osp-secret
  userName: barbican

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[vakwetu]

We've discussed this - but basically we provide the ability for the operators to specify the secret that contains the admin user password. This is osp-secret by default - but it need not be. See https://github.com/openstack-k8s-operators/barbican-operator/blob/main/api/v1beta1/common_types.go#L44 for instance.

[mauricioharley]

Agreed, we should not hardcode any value like this. It could be part of the deployment YAML spec.

[vakwetu]

This may be a default, but its not what is specified. In barbican, for instance we have a PasswordSelectors field - https://github.com/openstack-k8s-operators/barbican-operator/blob/main/api/v1beta1/common_types.go#L49 which identifies the correct key. But, this needn't be the case.

Ultimately, I think you are going to need to have the AC specification include the name of the user, the name of the user secret and the relevant field. You can set these appropriately in openstack-operator.

[vakwetu]

This makes this controller less generic and therefore potentially less useful. Perhaps this is another parameter - like the access rules that should be passed in as part of the AC spec.

The same can also be said for the Unrestricted field.

[vakwetu]

I see there is support for all of Roles, Unrestricted and AccessRules in the gophercloud call - https://pkg.go.dev/github.com/gophercloud/gophercloud/openstack/identity/v3/applicationcredentials#CreateOpts

[vakwetu]

Shouldn't this be return rotateAt ?

[Deydra71]

rotateAt is a timestamp, we need return a duration

[vakwetu]

OK that makes sense. I (mis)understood this function when I first read it.

So if I understand this correctly now, we should be returning a recheck duration of 24 hours, unless we are already in the grace period - in which case we would be returning a 0 to immediately recheck.

[Deydra71]

Yes, that's exactly right

[vakwetu]

I'm curious - why would we want to requeue if the application credential does not expire?

[Deydra71]

I was thinking about this as an ultimate fallback to wake the controller at least once a day. If because of some error the status of the CR is not updated.

[vakwetu]

OK

[vakwetu]

Its unlikely, but should we check for collisions?

[Deydra71]

We could check if the AC with same suffix already exists, but unless we are creating millions of AC in short period the chance is basically zero. Or we can increase n.

[fmount]

should this function be a lib-common utility in the long term?

[vakwetu]

Its actually quite useful, I think, to have the delete revoke the application credential. This gives us a nice way to do a revocation.

The problem is, of course, that there will be some time between when the app cred is revoked and the new one is issued.

I wonder if there is a way to trigger a rotation without doing a delete. Could we implement a reconcileUpdate to do this instead? Then, the procedure when trying to revoke the cert would be to -

1. patch the AC so that we are within the grace period. This triggers the creation of a new AC.
2. Wait for the new AC to be propagated.
3. Revoke the old AC by deleting it.

[Deydra71]

I'm just concerned about step 2. - Wait for the new AC to be propagated. Because AC controller would need a feedback that the service deployment successfully rolled out with new credential, which would add another logic to watch the deployment status in AC controller. I’d prefer to leave revocation as a manual step for now.

[stuggi]

I have not finished my initial review, but probably won't have time today to do so. will continue tomorrow, and just wanted to add what I have so far.

[stuggi]

lets split this out into a func

[stuggi]

should set KeystoneAPIReadyCondition

[stuggi]

set a condition as in https://github.com/openstack-k8s-operators/keystone-operator/blob/main/controllers/keystoneendpoint_controller.go#L186

[stuggi]

the ReadyCondition gets auto added in Init.

should init KeystoneAPIReadyCondition and set it when checking for the keystoneapi bellow

			condition.UnknownCondition(keystonev1.KeystoneAPIReadyCondition, condition.InitReason, keystonev1.KeystoneAPIReadyInitMessage),

I think we could just use the same condition init as in https://github.com/openstack-k8s-operators/keystone-operator/blob/main/controllers/keystoneendpoint_controller.go#L111-L127 and just init it with what is used in this controller?

[stuggi]

https://github.com/openstack-k8s-operators/keystone-operator/blob/main/controllers/keystoneendpoint_controller.go#L134-L165 is an example which sets the conditions

[stuggi]

mark the KeystoneAPIReadyCondition when we get here, https://github.com/openstack-k8s-operators/keystone-operator/blob/main/controllers/keystoneendpoint_controller.go#L195

[stuggi]

also I'd move all the above tasks into the main reconcile func as these are also the steps done for handling deletion. then you won't need login to check for the keystoneapi in the cleanup method. like https://github.com/openstack-k8s-operators/keystone-operator/blob/main/controllers/keystoneendpoint_controller.go#L225 where the admin client got checked before

[stuggi]

should set condition as in https://github.com/openstack-k8s-operators/keystone-operator/blob/main/controllers/keystoneendpoint_controller.go#L197-L222

[stuggi]

this seems to be not the correct condition. the ReadyCondition is only set in the defer function based on the sub condition status during the reconcile

[stuggi]

I think we should keep the defer function, like we use in all the controllers https://github.com/openstack-k8s-operators/keystone-operator/blob/main/controllers/keystoneendpoint_controller.go#L91-L109

[stuggi]

I think we should try to reduce those amount of nested ifs.

what if there is an userErr, which is not "user not found"? is it ok continue and remove the finalizer? shouldn't we return the actual error if it is not "user not found" ?

can't we just do

userID, userErr := r.findUserIDAsAdmin(ctx, helperObj, keystoneAPI, instance.Spec.UserName)
if userErr != nil {
   return ctrl.Result{}, err
}
userOS, userRes, userErr2 := keystonev1.GetUserServiceClient(ctx, helperObj, keystoneAPI, instance.Spec.UserName)
...

[mauricioharley]

Agreed, we should not hardcode any value like this. It could be part of the deployment YAML spec.

[mauricioharley]

Why do you need to capitalize the username's first letter? Also, why are you harcoding "Password"?

[Deydra71]

This was just to filter user password from osp-secret. Now, passwordSelector will be passed to AC CR, so that will be used for filtering

[mauricioharley]

I don't get it. Can you elaborate?

[Deydra71]

The previous code assumed this password scheme in osp-secret:

BarbicanPassword: <secret_data>
CinderPassword: <secret_data>
GlancePassword: <secret_data>
…

So to pick the right field we had to:

1. Take the userName ("barbican")
2. Capitalize the first letter → "Barbican"
3. Append "Password" → "BarbicanPassword"

and then look up that key in the secret. Of course that'd force everyone to use that convention. So now openstack-operator extracts and passes into AC CR these as well:

spec:
  secret: # the Secret name (by default it's osp-secret)
  passwordSelector:  # how we extract this key, e.g. BarbicanPassword
  userName: # e.g. barbican, user can customize this in control plane spec
  …

[Deydra71]

The latest update makes the controller take into consideration the custom password secret, custom service user name, and password selectors. Continuing to address other reviews.

[Deydra71]

Latest update includes corrections based on some reviews (not all, will still continue), and also adds support for the Unrestricted, Roles and AccessRoles fields.

Currently AccessRoles field is not correctly passed to the AC CR by openstack-operator, so it's missing in the AC CR, and for services this field is specified in the openstackcontrolplane spec, ACs are not generated. We are continuing on Slack what should be in AccessRules fields in the first place.

And also automatic revocation is disabled for now for testing, based on what we will agree it will be enabled again.

[vakwetu]

I'm very wary about hard-coding stuff here. I think that;

1. there may be cases where either the service project or DomainName may be different
2. we might be interested in obtaining an app cred for a non-service user or for a different project. For example, I know that there is work ongoing upstream to do manila share encryption where the user would use app creds to retrieve a barbican secret.

In any case, I think it makes sense to make this function more generic - maybe call it GetUserClient() and pass in the domain and project name. You could then add these parameters to the app cred spec, and default to "service" and "Default". This will future-proof the interface a bit.

[Deydra71]

I understand, but right now we don't have any spec.ServiceProject or spec.ServiceDomain. So, that's why this serves as a mean to only get scoped token for our service.

Since FR3 is explicitly about wiring up service-account auth, I suggest we leave this helper as is for now, and add a // TODO pointing at the future work to extend the CRD with project/domain fields and refactor into a generic GetUserClient(…, project, domain…)

The domain name is actually hard coded for admin as well - https://github.com/openstack-k8s-operators/keystone-operator/blob/main/api/v1beta1/keystoneapi.go#L157

[Deydra71]

there may be cases where either the service project or DomainName may be different

Is this still true if we take into account only service users?

[stuggi]

I agree that hard coding is not good and we could do it like we did in the GetScopedAdminServiceClient, but can not comment on the need for this service client. there is just really little difference to the func GetScopedAdminServiceClient , maybe we could just make a generic GetScopedClient with parameters:
scope, TenantName, DomainName and Region and could deprecate the GetScopedAdminServiceClient

[fmount]

I agree about having a generic function, the old one can be deprecated and it might produce a warning, so we would know in the service operators that we need to update to the new function call (e.g. [1]).

[1] https://github.com/openstack-k8s-operators/glance-operator/blob/main/internal/controller/glance_controller.go#L1126

[vakwetu]

ditto comment as above.

[vakwetu]

The keystone-operator is somewhat unique in the operators in that there isn't a lot of documentation of what it does. Just looking at the code , for instance, it wasn't completely clear to me what the name of the ac would be, and the name of the secret etc. I'm sure I could figure it out - but I shouldn't have to work so hard.

It would be great if there were a small doc (maybe in a docs directory like the other operators) which contains a description of what we'd expect this operator to produce. It doesn't have to be fancy, but it will help future reviewers and coders who want to enhance this feature.

[Deydra71]

I added the doc dir and a new file describing basic functionality of the AC controller - will add more details soon.

[fmount]

@Deydra71 just wondering if VerifyApplicationCredentialsForService should be embedded here since we pass pretty much the same parameters and it would hide more details from the service operators that right now call both functions.
It would be nice to have a single entrypoint, and delegate keystone to do the verification, that of course can return an error we can handle.

[Deydra71]

Not sure it would be that much beneficial for service operators, because VerifyApplicationCredentialsForService just tracks the AC secret and add the hash to configVars, it doesn't read the actual credentials. The GetApplicationCredentialFromSecret then serves only to get the actual data from the secret during generating config at later stage. Separating the change tracking from credential extraction seems logical to me and makes the reconcile flow clearer to understand in my opinion. @stuggi What do you think?

[stuggi]

see my comment here https://github.com/openstack-k8s-operators/glance-operator/pull/812/files#r2609517115 I guess it depends on if we can do it in a single place for the service or not. I think we do not need a dedicated hash since the AC is part of the service config which we already hash. so there is probably no need to get a dedicated hash for it.

[Deydra71]

@stuggi @fmount hi! Could you please take a look again at the updated PR with the suggested changes? We’d like to merge it so we can proceed with kuttl and other testing in the service operators. I also updated the service operators that are supposed to use AppCred (telemetry still in progres) to use field indexers instead of custom watchers.

[stuggi]

I agree that hard coding is not good and we could do it like we did in the GetScopedAdminServiceClient, but can not comment on the need for this service client. there is just really little difference to the func GetScopedAdminServiceClient , maybe we could just make a generic GetScopedClient with parameters:
scope, TenantName, DomainName and Region and could deprecate the GetScopedAdminServiceClient

[stuggi]

do we need this message, the lib-common func already returns an error string depending on the condition it checks ( generic error, secret not there, key not found)

[stuggi]

do we need this? is an empty string a valid pwd in keystone? creating the authclient should fail.

[stuggi]

ni, table formating

[stuggi]

what happens when it expired. gets it removed from keystone db automatic, or do we need a cron which cleans them, like we have for the tokens?

[Deydra71]

that's a goo dpoint... I don't think they are deleted from the database. The expiration only makes the auth to fail. @vakwetu can you please confirm?

[stuggi]

lets add a KeystoneApplicationCredentialWaitingMessage

[stuggi]

since EnsureSecrets does not support adding a finalizer, its more efficient if you just use controllerutil.CreateOrPatch() to create/update the secret in a single request. could also enhance CreateOrPatchSecret for adding a finalizer if present in the secret passed in.

[stuggi]

nice! would be also good to set a warning condition https://github.com/openstack-k8s-operators/dev-docs/blob/main/conditions.md#severity on the ctlpane, that the controlplane flips to not ready?

[Deydra71]

@stuggi I'm not sure I udnerstand, could you please elaborate where specifically we should set the warning condition? On KeystoneApplicationCredential or else?

[stuggi]

yes that was my idea this morning, but thinking of it again, we probably can not, since we do not know when the edpm side got updated to flip it back to ready.

@slagle is there a way to check if a nodedataset (all nodes) got updated with the latest config?

[stuggi]

since it is on the instance itself and return afterwards, the patch is not required since we will do it in the defer func

[stuggi]

we usually use the format:

	return ctrlLog.FromContext(ctx).WithName("Controllers").WithName("KeystoneApplicationCredential")

[auniyal61]

the error msg created at L482 in storeACSecret do not start with "requeue"

return fmt.Errorf("%w: requeue: patch conflict on %s", err, secretName)

may use Contains instead or put %w at the end of msg

[auniyal61]

true and true or true
should it be true and (true or true)

so for first reconcide
not-deleted-yet and (able-to-add-finalizer-just-now or its-new-instance)

because AND has more precedence, for later reconciles it can be read as
not-deleted-yet and able-to-add-finalizer-just-now
true and false || false
which is never true as we cant add same finalizer again (as assumed already here on condition)

So I meant say seems fine for first reconcile may create issue in second and later reconciles because of condition precedent - need to test though.
true and (false or false)

[Deydra71]

wow, thanks for this , I realized with this comemnt that there are two cases where we could return too early -->

• if an instance is created and immediately deleted before first reconcile
• and if for some reason the instance looks new, because of the status wan't persisted yet, because of eg failed first reconcile

I think it will reconcile delete on the next event, but we can't assume that of course... I will add the parentess.

if instance.DeletionTimestamp.IsZero() &&
   (controllerutil.AddFinalizer(instance, finalizer) || isNewInstance) {
    return ctrl.Result{}, nil
}

[Deydra71]

/retest

[Deydra71]

ATM not sure why the functional test fails, locally the suite passes, and also the failure is connected to the MariaDB part, not our app cred changes https://github.com/openstack-k8s-operators/keystone-operator/blob/main/test/functional/keystoneapi_controller_test.go#L2246

[stuggi]

this is not the same as above L166 ? if we don't do any cleanup on the keystone side, I guess we can just remove it here?

[Deydra71]

oh, yes I forgot to remove it, it's redundant now

[fmount]

I agree about having a generic function, the old one can be deprecated and it might produce a warning, so we would know in the service operators that we need to update to the new function call (e.g. [1]).

[1] https://github.com/openstack-k8s-operators/glance-operator/blob/main/internal/controller/glance_controller.go#L1126

[fmount]

is this function used somewhere, perhaps in service operators?

[Deydra71]

Not in service operators, but in internal/controller/keystoneapplicationcredential_controller.go[1] to detect permission changes and trigge app cred rotation.

[1] https://github.com/openstack-k8s-operators/keystone-operator/pull/567/files#diff-bbfa4b5edb0132743cb1ad35d9483082d2cab3d6a16540023740f107ed3e1075R309

[fmount]

@Deydra71 @stuggi quick question here: should we add ObservedGeneration check before reaching the Ready state (we assign it on L124 iirc)?

[stuggi]

what check you are thinking about?

[fmount]

I was wondering if it makes sense to check that .Status.ObservedGenerations matches w/ instance.ObservedGeneration in case of multiple updated to the same CR but we probably don't need it as there aren't multiple controllers involved.
Let's put this aside for now as I'm not entirely sure it would change anything in the reconciliation (I didn't test it).

[stuggi]

/test keystone-operator-build-deploy-kuttl

[Deydra71]

@stuggi @fmount I refactored generic GetScopedClient + deprecate GetScopedAdminServiceClient based on your comments, can you please recheck it?

[auniyal61]

+1, this helps in events