openstack-k8s-operators · openshift-merge-bot · Jan 16, 2026 · Dec 4, 2025 · Dec 17, 2025 · Dec 18, 2025
diff --git a/api/bases/keystone.openstack.org_keystoneapis.yaml b/api/bases/keystone.openstack.org_keystoneapis.yaml
@@ -98,6 +98,11 @@ spec:
                 description: EnableSecureRBAC - Enable Consistent and Secure RBAC
                   policies
                 type: boolean
+              externalKeystoneAPI:
+                default: false
+                description: ExternalKeystoneAPI - Enable use of external Keystone
+                  API endpoints instead of deploying a local Keystone API
+                type: boolean
               extraMounts:
                 default: []
                 description: ExtraMounts containing conf files

diff --git a/api/v1beta1/conditions.go b/api/v1beta1/conditions.go
@@ -111,4 +111,25 @@ const (
 
 	// KeystoneServiceOSUserReadyErrorMessage
 	KeystoneServiceOSUserReadyErrorMessage = "Keystone Service user error occured %s"
+
+	//
+	// External Keystone API condition messages
+	//
+	// ExternalKeystoneAPIDBMessage
+	ExternalKeystoneAPIDBMessage = "External Keystone API configured - database is not managed by this operator"
+
+	// ExternalKeystoneAPIDBAccountMessage
+	ExternalKeystoneAPIDBAccountMessage = "External Keystone API configured - database account is not managed by this operator"
+
+	// ExternalKeystoneAPIRabbitMQTransportURLMessage
+	ExternalKeystoneAPIRabbitMQTransportURLMessage = "External Keystone API configured - RabbitMQ is not managed by this operator"
+
+	// ExternalKeystoneAPIMemcachedReadyMessage
+	ExternalKeystoneAPIMemcachedReadyMessage = "External Keystone API configured - memcached is not managed by this operator"
+
+	// ExternalKeystoneAPIServiceConfigReadyMessage
+	ExternalKeystoneAPIServiceMessage = "External Keystone API configured - service is not managed by this operator"
+
+	// ExternalKeystoneAPINetworkAttachmentsReadyMessage
+	ExternalKeystoneAPINetworkAttachmentsReadyMessage = "External Keystone API configured - network attachments are not managed by this operator"
 )
diff --git a/api/v1beta1/keystoneapi.go b/api/v1beta1/keystoneapi.go
@@ -26,7 +26,6 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/endpoint"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
-	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
@@ -145,8 +144,13 @@ func GetScopedAdminServiceClient(
 	keystoneAPI *KeystoneAPI,
 	scope *gophercloud.AuthScope,
 ) (*openstack.OpenStack, ctrl.Result, error) {
-	// get public endpoint as authurl from keystone instance
-	authURL, err := keystoneAPI.GetEndpoint(endpoint.EndpointInternal)
+	// get endpoint as authurl from keystone instance
+	// default to internal endpoint if not specified
+	epInterface := endpoint.EndpointInternal
+	if keystoneAPI.Spec.ExternalKeystoneAPI {
+		epInterface = endpoint.Endpoint(endpoint.EndpointPublic)
+	}
+	authURL, err := keystoneAPI.GetEndpoint(epInterface)
 	if err != nil {
 		return nil, ctrl.Result{}, err
 	}
@@ -163,7 +167,7 @@ func GetScopedAdminServiceClient(
 			h,
 			keystoneAPI.Spec.TLS.CaBundleSecretName,
 			10*time.Second,
-			tls.InternalCABundleKey)
+			interfaceBundleKeys[epInterface])
 		if err != nil {
 			return nil, ctrl.Result{}, err
 		}

diff --git a/api/v1beta1/keystoneapi_types.go b/api/v1beta1/keystoneapi_types.go
@@ -53,6 +53,14 @@ const (
 	APIDefaultTimeout = 60
 )
 
+var (
+	// interfaceBundleKeys maps endpoint winterfaces to their corresponding key in the CA bundle secret
+	interfaceBundleKeys = map[endpoint.Endpoint]string{
+		endpoint.EndpointInternal: tls.InternalCABundleKey,
+		endpoint.EndpointPublic:   tls.CABundleKey,
+	}
+)
+
 // KeystoneAPISpec defines the desired state of KeystoneAPI
 type KeystoneAPISpec struct {
 	KeystoneAPISpecCore `json:",inline"`
@@ -213,6 +221,11 @@ type KeystoneAPISpecCore struct {
 	// This is only needed when multiple realms are federated.
 	// Config files mount path is set to /var/lib/httpd/metadata/
 	FederatedRealmConfig string `json:"federatedRealmConfig"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=false
+	// ExternalKeystoneAPI - Enable use of external Keystone API endpoints instead of deploying a local Keystone API
+	ExternalKeystoneAPI bool `json:"externalKeystoneAPI"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.

diff --git a/config/crd/bases/keystone.openstack.org_keystoneapis.yaml b/config/crd/bases/keystone.openstack.org_keystoneapis.yaml
@@ -98,6 +98,11 @@ spec:
                 description: EnableSecureRBAC - Enable Consistent and Secure RBAC
                   policies
                 type: boolean
+              externalKeystoneAPI:
+                default: false
+                description: ExternalKeystoneAPI - Enable use of external Keystone
+                  API endpoints instead of deploying a local Keystone API
+                type: boolean
               extraMounts:
                 default: []
                 description: ExtraMounts containing conf files