diff --git a/api/bases/telemetry.openstack.org_autoscalings.yaml b/api/bases/telemetry.openstack.org_autoscalings.yaml index f5702b288..0a4627cfc 100644 --- a/api/bases/telemetry.openstack.org_autoscalings.yaml +++ b/api/bases/telemetry.openstack.org_autoscalings.yaml @@ -70,6 +70,14 @@ spec: default: 60 description: APITimeout for Route and Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for + application credential + type: string + type: object customConfigsSecretName: description: |- A name of a secret containing custom configuration files. Files diff --git a/api/bases/telemetry.openstack.org_ceilometers.yaml b/api/bases/telemetry.openstack.org_ceilometers.yaml index c17fe87a9..a1bd6e565 100644 --- a/api/bases/telemetry.openstack.org_ceilometers.yaml +++ b/api/bases/telemetry.openstack.org_ceilometers.yaml @@ -116,6 +116,14 @@ spec: default: 60 description: APITimeout for Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object centralImage: type: string computeImage: diff --git a/api/bases/telemetry.openstack.org_cloudkitties.yaml b/api/bases/telemetry.openstack.org_cloudkitties.yaml index 23eca9719..62066c6aa 100644 --- a/api/bases/telemetry.openstack.org_cloudkitties.yaml +++ b/api/bases/telemetry.openstack.org_cloudkitties.yaml 
@@ -43,6 +43,14 @@ spec: default: 60 description: APITimeout for HAProxy, Apache, and rpc_response_timeout type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object cloudKittyAPI: description: CloudKittyAPI - Spec definition for the API service of this CloudKitty deployment diff --git a/api/bases/telemetry.openstack.org_cloudkittyapis.yaml b/api/bases/telemetry.openstack.org_cloudkittyapis.yaml index d26728cbd..9aa1c8cf8 100644 --- a/api/bases/telemetry.openstack.org_cloudkittyapis.yaml +++ b/api/bases/telemetry.openstack.org_cloudkittyapis.yaml @@ -39,6 +39,14 @@ spec: spec: description: CloudKittyAPISpec defines the desired state of CloudKittyAPI properties: + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object containerImage: description: ContainerImage - CloudKitty Container Image URL (will be set to environmental default if empty) diff --git a/api/bases/telemetry.openstack.org_cloudkittyprocs.yaml b/api/bases/telemetry.openstack.org_cloudkittyprocs.yaml index 4ca1cc422..3899c9a40 100644 --- a/api/bases/telemetry.openstack.org_cloudkittyprocs.yaml +++ b/api/bases/telemetry.openstack.org_cloudkittyprocs.yaml @@ -53,6 +53,14 @@ spec: description: CloudKittyProcSpec defines the desired state of CloudKitty Processor properties: + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object containerImage: description: ContainerImage - CloudKitty Container Image URL (will be set to environmental default if empty) 
diff --git a/api/bases/telemetry.openstack.org_telemetries.yaml b/api/bases/telemetry.openstack.org_telemetries.yaml index 114989db9..41b45153c 100644 --- a/api/bases/telemetry.openstack.org_telemetries.yaml +++ b/api/bases/telemetry.openstack.org_telemetries.yaml @@ -73,6 +73,14 @@ spec: default: 60 description: APITimeout for Route and Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name + for application credential + type: string + type: object customConfigsSecretName: description: |- A name of a secret containing custom configuration files. Files @@ -439,6 +447,14 @@ spec: default: 60 description: APITimeout for Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for + application credential + type: string + type: object centralImage: type: string computeImage: @@ -614,6 +630,14 @@ spec: default: 60 description: APITimeout for HAProxy, Apache, and rpc_response_timeout type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for + application credential + type: string + type: object cloudKittyAPI: description: CloudKittyAPI - Spec definition for the API service of this CloudKitty deployment diff --git a/api/go.mod b/api/go.mod index 61f7d97df..2c015b117 100644 --- a/api/go.mod +++ b/api/go.mod 
@@ -3,11 +3,12 @@ module github.com/openstack-k8s-operators/telemetry-operator/api go 1.24.4 require ( - github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251002120642-c2d58c6fc03e - github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250929092825-4c2402451077 + github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251110170511-c2d4a351a7c3 + github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20251027074845-ed8154b20ad1 + github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251103072528-9eb684fef4ef github.com/rhobs/observability-operator v0.3.1 - k8s.io/api v0.31.13 - k8s.io/apimachinery v0.31.13 + k8s.io/api v0.31.14 + k8s.io/apimachinery v0.31.14 sigs.k8s.io/controller-runtime v0.19.7 ) @@ -16,7 +17,6 @@ require ( github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/emicklei/go-restful/v3 v3.12.2 // indirect - github.com/evanphx/json-patch v5.9.11+incompatible // indirect github.com/evanphx/json-patch/v5 v5.9.11 // indirect github.com/fsnotify/fsnotify v1.9.0 // indirect github.com/fxamacker/cbor/v2 v2.9.0 // indirect @@ -31,6 +31,7 @@ require ( github.com/google/go-cmp v0.7.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/uuid v1.6.0 // indirect + github.com/gophercloud/gophercloud/v2 v2.8.0 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect 
@@ -38,7 +39,9 @@ require ( github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect - github.com/onsi/ginkgo/v2 v2.27.1 // indirect + github.com/openshift/api v3.9.0+incompatible // indirect + github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251103072528-9eb684fef4ef // indirect + github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20251103072528-9eb684fef4ef // indirect github.com/pkg/errors v0.9.1 // indirect github.com/prometheus/client_golang v1.22.0 // indirect github.com/prometheus/client_model v0.6.2 // indirect @@ -52,16 +55,16 @@ require ( golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67 // indirect golang.org/x/net v0.43.0 // indirect golang.org/x/oauth2 v0.30.0 // indirect - golang.org/x/sys v0.35.0 // indirect - golang.org/x/term v0.34.0 // indirect - golang.org/x/text v0.28.0 // indirect + golang.org/x/sys v0.36.0 // indirect + golang.org/x/term v0.35.0 // indirect + golang.org/x/text v0.29.0 // indirect golang.org/x/time v0.12.0 // indirect gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect google.golang.org/protobuf v1.36.7 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.33.2 // indirect - k8s.io/client-go v0.31.13 // indirect + k8s.io/client-go v0.31.14 // indirect k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20250902184714-7fc278399c7f // indirect k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d // indirect 
@@ -92,3 +95,5 @@ replace k8s.io/component-base => k8s.io/component-base v0.31.13 //allow-merging replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec //allow-merging replace k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250627150254-e9823e99808e //allow-merging + +replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20251211085602-3e1a3e022c81 diff --git a/api/go.sum b/api/go.sum index eb99dd834..95c836eac 100644 --- a/api/go.sum +++ b/api/go.sum @@ -1,3 +1,5 @@ +github.com/Deydra71/keystone-operator/api v0.0.0-20251211085602-3e1a3e022c81 h1:plax+NFgJJL1SrERyXAnf3jOHRhLTtBlJ2oc7d84EoU= +github.com/Deydra71/keystone-operator/api v0.0.0-20251211085602-3e1a3e022c81/go.mod h1:b98Jl8eyUw8V07l9YiuQnoMlnWC748oV8IhXH15NCC4= github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= @@ -48,6 +50,8 @@ github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/gophercloud/gophercloud/v2 v2.8.0 h1:of2+8tT6+FbEYHfYC8GBu8TXJNsXYSNm9KuvpX7Neqo= +github.com/gophercloud/gophercloud/v2 v2.8.0/go.mod h1:Ki/ILhYZr/5EPebrPL9Ej+tUg4lqx71/YH2JWVeU+Qk= github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= 
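Review bot: The `replace` directive added at the end of api/go.mod redirects `github.com/openstack-k8s-operators/keystone-operator/api` to a personal fork, `github.com/Deydra71/keystone-operator/api`, at an untagged pseudo-version. Every build of this module therefore takes the keystone API package from a repository outside the organisation's review and release process. Unlike the three `replace` lines above it, the new one carries no `//allow-merging` marker, so it looks like a development pin, presumably for `GetACSecretName`. It should be dropped before merge and the `require` entry bumped to an upstream commit that contains the helper. The same directive is added to the root go.mod, and both go.sum files record the fork's hashes.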
@@ -74,14 +78,20 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.27.1 h1:0LJC8MpUSQnfnp4n/3W3GdlmJP3ENGF0ZPzjQGLPP7s= -github.com/onsi/ginkgo/v2 v2.27.1/go.mod h1:wmy3vCqiBjirARfVhAqFpYt8uvX0yaFe+GudAqqcCqA= +github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= +github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= -github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251002120642-c2d58c6fc03e h1:5q47hHT53v0PnNj2pwHHQ1+ZWC3kQLu1jtulTUrJ2cE= -github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251002120642-c2d58c6fc03e/go.mod h1:LfqzznghLpo+b9jVgyvqUoOZMcc3Ff0gXSmLLtFsj9w= -github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250929092825-4c2402451077 h1:missBxDwEfOdkHVKd6zyCyaQjSObw9Ge1O4A7WU5EuM= -github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250929092825-4c2402451077/go.mod h1:CjsYQ/dUr4eUmBEvM3UFUxvYvl2bAhGfGflaD+N4fWA= +github.com/openshift/api v3.9.0+incompatible h1:fJ/KsefYuZAjmrr3+5U9yZIZbTOpVkDDLDLFresAeYs= +github.com/openshift/api v3.9.0+incompatible/go.mod h1:dh9o4Fs58gpFXGSYfnVxGR9PnV53I8TW84pQaJDdGiY= +github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251110170511-c2d4a351a7c3 h1:gKazSLpq0Ytn4OLzNtSKQpLswAdki8u8mXZgpJy83bE= +github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251110170511-c2d4a351a7c3/go.mod 
h1:Y9LqOS1wYhn7RT4jFknINdWa+ziYEIOU1jLNxkxiCsw= +github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251103072528-9eb684fef4ef h1:1j7kk+D4ZdIXm6C/IwEjuTzIuvWUytxO39E/x94JY7k= +github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251103072528-9eb684fef4ef/go.mod h1:kUT/SyuxZiOcX8ZuvpFN3PaQa2V8uQon8YwY+1RoQWM= +github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251103072528-9eb684fef4ef h1:Ql4G7sRHpqWFGwXypN7MorDGUWv4jz5n34ayzVt3R9E= +github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251103072528-9eb684fef4ef/go.mod h1:yf13jWb60XV26eA7A8o86ZCXNWBLNK9dPkTSWFaTPCw= +github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20251103072528-9eb684fef4ef h1:VMwP0988m1VCjpVn+MxHt7i3B0OuBhQnM5akKt4taVA= +github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20251103072528-9eb684fef4ef/go.mod h1:jl+SNs7K7XBx5jVbUJwWV0NRDfM8LyeV4AsGAroP8XA= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 
@@ -111,14 +121,12 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= -go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= -go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc= +go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= 
@@ -143,19 +151,19 @@ golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKl golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw= -golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug= +golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI= -golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4= -golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw= +golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k= +golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ= +golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng= -golang.org/x/text v0.28.0/go.mod 
h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU= +golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk= +golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4= golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE= golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= diff --git a/api/v1beta1/autoscaling_types.go b/api/v1beta1/autoscaling_types.go index 4199cd475..3c21c089b 100644 --- a/api/v1beta1/autoscaling_types.go +++ b/api/v1beta1/autoscaling_types.go @@ -142,6 +142,11 @@ type AodhCore struct { // from this secret will get copied into /etc/aodh/ and they'll // overwrite any default files already present there. CustomConfigsSecretName string `json:"customConfigsSecretName,omitempty"` + + // +kubebuilder:validation:Optional + // +operator-sdk:csv:customresourcedefinitions:type=spec + // Auth - authentication settings for keystone integration + Auth AuthSpec `json:"auth,omitempty"` } // AutoscalingSpec defines the desired state of Autoscaling diff --git a/api/v1beta1/autoscaling_webhook.go b/api/v1beta1/autoscaling_webhook.go index 903aa7319..968892b04 100644 --- a/api/v1beta1/autoscaling_webhook.go +++ b/api/v1beta1/autoscaling_webhook.go @@ -19,6 +19,7 @@ package v1beta1 import ( "fmt" + keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1" "k8s.io/apimachinery/pkg/runtime" logf "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/webhook" @@ -76,6 +77,10 @@ func (spec *AodhCore) Default() { if spec.MemcachedInstance == "" { spec.MemcachedInstance = "memcached" } + // Default Auth fields for Application Credentials + if spec.Auth.ApplicationCredentialSecret == "" { + spec.Auth.ApplicationCredentialSecret = keystonev1.GetACSecretName("aodh") + } } // SetDefaultRouteAnnotations sets HAProxy timeout values of the route 
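Review bot: `omitempty` on the new `Auth AuthSpec` field of `AodhCore` (api/v1beta1/autoscaling_types.go) has no effect, because encoding/json never treats a struct value as empty, so serialized objects always carry an `auth` object. If the block is meant to be optional, declare it as `Auth *AuthSpec` with the same tag and add a nil check in the defaulting webhook. Otherwise the field comment should say that the block is always present. The same declaration is added to `CeilometerSpecCore` and `CloudKittyTemplate`. The struct body starts outside the hunk.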
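Review bot: The defaulting added to `AodhCore.Default()` in api/v1beta1/autoscaling_webhook.go makes `auth.applicationCredentialSecret` non-empty on every admitted object, so the field can no longer tell an explicit opt-in from "not configured". Whatever reads it has to treat a missing Secret as a normal state rather than an error, and that handling is not visible in this diff. The CRD schema gets no matching `default:`, so objects stored without the webhook keep an empty value and need the same fallback. The service name is a bare `"aodh"` literal here, as are `"ceilometer"` and `"cloudkitty"` in the other two webhooks; a package-level constant shared with the controllers would stop the derived secret names drifting. The body of `Default()` starts outside the hunk.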
diff --git a/api/v1beta1/ceilometer_types.go b/api/v1beta1/ceilometer_types.go index d6d20995a..35530a96e 100644 --- a/api/v1beta1/ceilometer_types.go +++ b/api/v1beta1/ceilometer_types.go @@ -19,10 +19,10 @@ package v1beta1 import ( topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1" condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/validation/field" "github.com/openstack-k8s-operators/lib-common/modules/common/tls" "github.com/openstack-k8s-operators/lib-common/modules/common/util" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/validation/field" ) const ( @@ -161,6 +161,11 @@ type CeilometerSpecCore struct { // from this secret will get copied into /etc/ceilometer/ and they'll // overwrite any default files already present there. CustomConfigsSecretName string `json:"customConfigsSecretName,omitempty"` + + // +kubebuilder:validation:Optional + // +operator-sdk:csv:customresourcedefinitions:type=spec + // Auth - authentication settings for keystone integration + Auth AuthSpec `json:"auth,omitempty"` } // CeilometerStatus defines the observed state of Ceilometer diff --git a/api/v1beta1/ceilometer_webhook.go b/api/v1beta1/ceilometer_webhook.go index be2e3351b..1b59ebbc1 100644 --- a/api/v1beta1/ceilometer_webhook.go +++ b/api/v1beta1/ceilometer_webhook.go @@ -17,6 +17,7 @@ limitations under the License. package v1beta1 import ( + keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1" "k8s.io/apimachinery/pkg/runtime" logf "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/webhook" 
@@ -83,6 +84,13 @@ func (spec *CeilometerSpec) Default() { } } +func (spec *CeilometerSpecCore) Default() { + // Default Auth fields for Application Credentials + if spec.Auth.ApplicationCredentialSecret == "" { + spec.Auth.ApplicationCredentialSecret = keystonev1.GetACSecretName("ceilometer") + } +} + var _ webhook.Validator = &Ceilometer{} // ValidateCreate implements webhook.Validator so a webhook will be registered for the type diff --git a/api/v1beta1/cloudkitty_types.go b/api/v1beta1/cloudkitty_types.go index 717a7061b..ce66cab2a 100644 --- a/api/v1beta1/cloudkitty_types.go +++ b/api/v1beta1/cloudkitty_types.go @@ -254,6 +254,11 @@ type CloudKittyTemplate struct { // +kubebuilder:default={cloudKittyService: CloudKittyPassword} // PasswordsSelectors - Selectors to identify the ServiceUser password from the Secret PasswordSelectors PasswordsSelector `json:"passwordSelector"` + + // +kubebuilder:validation:Optional + // +operator-sdk:csv:customresourcedefinitions:type=spec + // Auth - authentication settings for keystone integration + Auth AuthSpec `json:"auth,omitempty"` } // CloudKittyServiceTemplate defines the input parameters that can be defined for a given diff --git a/api/v1beta1/cloudkitty_webhook.go b/api/v1beta1/cloudkitty_webhook.go index f69c5b5b4..e8489c1f4 100644 --- a/api/v1beta1/cloudkitty_webhook.go +++ b/api/v1beta1/cloudkitty_webhook.go @@ -20,6 +20,7 @@ import ( "fmt" "slices" + keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1" apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" 
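Review bot: The new `CeilometerSpecCore.Default()` in api/v1beta1/ceilometer_webhook.go has no visible caller: `CeilometerSpec.Default()`, whose tail is the context just above, is not changed to invoke it. If `CeilometerSpec` embeds the core struct, as the flat CRD schema suggests, its own `Default()` shadows the promoted method, so a standalone Ceilometer resource would keep an empty `applicationCredentialSecret`. Adding `spec.CeilometerSpecCore.Default()` to `CeilometerSpec.Default()` would close that gap, unless the call lives in a file outside this diff. The exported method also lacks a doc comment, e.g. `// Default - set defaults for the fields shared with the controlplane webhook`. `CloudKittyTemplate.Default()` in cloudkitty_webhook.go has the same shape, with no call added to `CloudKittySpec.Default()` in that hunk.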
@@ -63,7 +64,15 @@ func (spec *CloudKittySpec) Default() { if spec.CloudKittyProc.ContainerImage == "" { spec.CloudKittyProc.ContainerImage = cloudKittyDefaults.ProcContainerImageURL } +} +// Default - note only *Template* versions like this will have validations that are called from the +// Controlplane webhook +func (spec *CloudKittyTemplate) Default() { + // Default Auth fields for Application Credentials + if spec.Auth.ApplicationCredentialSecret == "" { + spec.Auth.ApplicationCredentialSecret = keystonev1.GetACSecretName("cloudkitty") + } } var _ webhook.Validator = &CloudKitty{} diff --git a/api/v1beta1/telemetry_types.go b/api/v1beta1/telemetry_types.go index 9b11a6e85..012a19956 100644 --- a/api/v1beta1/telemetry_types.go +++ b/api/v1beta1/telemetry_types.go @@ -50,6 +50,14 @@ type PasswordsSelector struct { CloudKittyService string `json:"cloudKittyService"` } +// AuthSpec - authentication settings for keystone integration +type AuthSpec struct { + // +kubebuilder:validation:Optional + // +operator-sdk:csv:customresourcedefinitions:type=spec + // ApplicationCredentialSecret - secret name for application credential + ApplicationCredentialSecret string `json:"applicationCredentialSecret,omitempty"` +} + // TelemetrySpec defines the desired state of Telemetry type TelemetrySpec struct { TelemetrySpecBase `json:",inline"` diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 3a99ea0fd..59312fcd7 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -102,6 +102,7 @@ func (in *AodhCore) DeepCopyInto(out *AodhCore) { *out = new(topologyv1beta1.TopoRef) **out = **in } + out.Auth = in.Auth } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AodhCore. 
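Review bot: The doc comment on `AuthSpec.ApplicationCredentialSecret` in api/v1beta1/telemetry_types.go does not say in which namespace the Secret is looked up, which keys it must contain, or that the webhook fills in a per-service name when the field is empty. This text is copied into every CRD description, so it is where users will look. Something like `// ApplicationCredentialSecret - name of the Secret, in this resource's namespace, holding the keystone application credential; defaulted per service when empty` would cover it, with the namespace wording to be confirmed against the controller. A `// +kubebuilder:validation:MaxLength=253` marker would also reject, at admission time, names that can never be a valid Secret name.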
@@ -114,6 +115,21 @@ func (in *AodhCore) DeepCopy() *AodhCore { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthSpec) DeepCopyInto(out *AuthSpec) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthSpec. +func (in *AuthSpec) DeepCopy() *AuthSpec { + if in == nil { + return nil + } + out := new(AuthSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Autoscaling) DeepCopyInto(out *Autoscaling) { *out = *in @@ -523,6 +539,7 @@ func (in *CeilometerSpecCore) DeepCopyInto(out *CeilometerSpecCore) { *out = new(topologyv1beta1.TopoRef) **out = **in } + out.Auth = in.Auth } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CeilometerSpecCore. @@ -1237,6 +1254,7 @@ func (in *CloudKittyStatus) DeepCopy() *CloudKittyStatus { func (in *CloudKittyTemplate) DeepCopyInto(out *CloudKittyTemplate) { *out = *in out.PasswordSelectors = in.PasswordSelectors + out.Auth = in.Auth } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudKittyTemplate. diff --git a/config/crd/bases/telemetry.openstack.org_autoscalings.yaml b/config/crd/bases/telemetry.openstack.org_autoscalings.yaml index f5702b288..0a4627cfc 100644 --- a/config/crd/bases/telemetry.openstack.org_autoscalings.yaml +++ b/config/crd/bases/telemetry.openstack.org_autoscalings.yaml 
@@ -70,6 +70,14 @@ spec: default: 60 description: APITimeout for Route and Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for + application credential + type: string + type: object customConfigsSecretName: description: |- A name of a secret containing custom configuration files. Files diff --git a/config/crd/bases/telemetry.openstack.org_ceilometers.yaml b/config/crd/bases/telemetry.openstack.org_ceilometers.yaml index c17fe87a9..a1bd6e565 100644 --- a/config/crd/bases/telemetry.openstack.org_ceilometers.yaml +++ b/config/crd/bases/telemetry.openstack.org_ceilometers.yaml @@ -116,6 +116,14 @@ spec: default: 60 description: APITimeout for Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object centralImage: type: string computeImage: diff --git a/config/crd/bases/telemetry.openstack.org_cloudkitties.yaml b/config/crd/bases/telemetry.openstack.org_cloudkitties.yaml index 23eca9719..62066c6aa 100644 --- a/config/crd/bases/telemetry.openstack.org_cloudkitties.yaml +++ b/config/crd/bases/telemetry.openstack.org_cloudkitties.yaml @@ -43,6 +43,14 @@ spec: default: 60 description: APITimeout for HAProxy, Apache, and rpc_response_timeout type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object cloudKittyAPI: description: CloudKittyAPI - Spec definition for the API service of this CloudKitty deployment 
diff --git a/config/crd/bases/telemetry.openstack.org_cloudkittyapis.yaml b/config/crd/bases/telemetry.openstack.org_cloudkittyapis.yaml index d26728cbd..9aa1c8cf8 100644 --- a/config/crd/bases/telemetry.openstack.org_cloudkittyapis.yaml +++ b/config/crd/bases/telemetry.openstack.org_cloudkittyapis.yaml @@ -39,6 +39,14 @@ spec: spec: description: CloudKittyAPISpec defines the desired state of CloudKittyAPI properties: + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object containerImage: description: ContainerImage - CloudKitty Container Image URL (will be set to environmental default if empty) diff --git a/config/crd/bases/telemetry.openstack.org_cloudkittyprocs.yaml b/config/crd/bases/telemetry.openstack.org_cloudkittyprocs.yaml index 4ca1cc422..3899c9a40 100644 --- a/config/crd/bases/telemetry.openstack.org_cloudkittyprocs.yaml +++ b/config/crd/bases/telemetry.openstack.org_cloudkittyprocs.yaml @@ -53,6 +53,14 @@ spec: description: CloudKittyProcSpec defines the desired state of CloudKitty Processor properties: + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object containerImage: description: ContainerImage - CloudKitty Container Image URL (will be set to environmental default if empty) diff --git a/config/crd/bases/telemetry.openstack.org_telemetries.yaml b/config/crd/bases/telemetry.openstack.org_telemetries.yaml index 114989db9..41b45153c 100644 --- a/config/crd/bases/telemetry.openstack.org_telemetries.yaml +++ b/config/crd/bases/telemetry.openstack.org_telemetries.yaml 
@@ -73,6 +73,14 @@ spec: default: 60 description: APITimeout for Route and Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name + for application credential + type: string + type: object customConfigsSecretName: description: |- A name of a secret containing custom configuration files. Files @@ -439,6 +447,14 @@ spec: default: 60 description: APITimeout for Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for + application credential + type: string + type: object centralImage: type: string computeImage: @@ -614,6 +630,14 @@ spec: default: 60 description: APITimeout for HAProxy, Apache, and rpc_response_timeout type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for + application credential + type: string + type: object cloudKittyAPI: description: CloudKittyAPI - Spec definition for the API service of this CloudKitty deployment diff --git a/go.mod b/go.mod index 09cba609c..0d5440bff 100644 --- a/go.mod +++ b/go.mod 
@@ -10,20 +10,20 @@ require ( github.com/grafana/loki/operator/api/loki v0.0.0-20250910094332-a082b8a061ba github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.7.7 github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20251004062530-e48be5cc4d68 - github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251002120642-c2d58c6fc03e + github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251110170511-c2d4a351a7c3 github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20251027074845-ed8154b20ad1 github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20250929092825-4c2402451077 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.0 - github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250929092825-4c2402451077 + github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251103072528-9eb684fef4ef github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20251002102126-84fdf59cb2fb github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20251002145853-52dcb63c343b github.com/openstack-k8s-operators/telemetry-operator/api v0.3.1-0.20240529090522-c780bd90b147 github.com/rabbitmq/cluster-operator v1.14.0 github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring v0.71.0-rhobs1 github.com/rhobs/observability-operator v0.3.1 - k8s.io/api v0.31.13 - k8s.io/apimachinery v0.31.13 - k8s.io/client-go v0.31.13 + k8s.io/api v0.31.14 + k8s.io/apimachinery v0.31.14 + k8s.io/client-go v0.31.14 k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d sigs.k8s.io/controller-runtime v0.19.7 ) 
@@ -65,8 +65,8 @@ require ( github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/openshift/api v3.9.0+incompatible // indirect - github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251021145236-2b84ec9fd9bb // indirect - github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20250929092825-4c2402451077 // indirect + github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251103072528-9eb684fef4ef // indirect + github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20251103072528-9eb684fef4ef // indirect github.com/pkg/errors v0.9.1 // indirect github.com/prometheus/client_golang v1.22.0 // indirect github.com/prometheus/client_model v0.6.2 // indirect @@ -87,17 +87,16 @@ require ( go.opentelemetry.io/otel/trace v1.34.0 // indirect go.opentelemetry.io/proto/otlp v1.3.1 // indirect go.uber.org/multierr v1.11.0 // indirect - go.uber.org/zap v1.27.0 // indirect + go.uber.org/zap v1.27.1 // indirect go.yaml.in/yaml/v2 v2.4.2 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67 // indirect - golang.org/x/mod v0.27.0 // indirect golang.org/x/net v0.43.0 // indirect golang.org/x/oauth2 v0.30.0 // indirect - golang.org/x/sync v0.16.0 // indirect - golang.org/x/sys v0.35.0 // indirect - golang.org/x/term v0.34.0 // indirect - golang.org/x/text v0.28.0 // indirect + golang.org/x/sync v0.17.0 // indirect + golang.org/x/sys v0.36.0 // indirect + golang.org/x/term v0.35.0 // indirect + golang.org/x/text v0.29.0 // indirect golang.org/x/time v0.12.0 // indirect gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 // indirect 
@@ -145,3 +144,5 @@ replace k8s.io/component-base => k8s.io/component-base v0.31.13 //allow-merging replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec //allow-merging replace k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250627150254-e9823e99808e //allow-merging + +replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20251211085602-3e1a3e022c81 diff --git a/go.sum b/go.sum index 129ec51c9..232ec569c 100644 --- a/go.sum +++ b/go.sum @@ -1,3 +1,5 @@ +github.com/Deydra71/keystone-operator/api v0.0.0-20251211085602-3e1a3e022c81 h1:plax+NFgJJL1SrERyXAnf3jOHRhLTtBlJ2oc7d84EoU= +github.com/Deydra71/keystone-operator/api v0.0.0-20251211085602-3e1a3e022c81/go.mod h1:b98Jl8eyUw8V07l9YiuQnoMlnWC748oV8IhXH15NCC4= github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= 
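Review bot: The `replace` directive added at the end of go.mod points `github.com/openstack-k8s-operators/keystone-operator/api` at a personal fork (`github.com/Deydra71/keystone-operator/api`), so every build of this operator compiles keystone API code from a repository outside the organisation's review and branch protection. Unlike the neighbouring `replace` lines it carries no `//allow-merging` marker, which suggests a development pin that should not merge as is. The go.sum hunks match this: the upstream `keystone-operator/api` checksums are removed and only the fork's are recorded. Drop the directive and bump the existing `require` entry to the upstream commit once that change lands. If it must stay for now, annotate it, e.g. `// TEMPORARY: remove once the upstream keystone-operator change merges`.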
@@ -105,28 +107,26 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWu github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.27.1 h1:0LJC8MpUSQnfnp4n/3W3GdlmJP3ENGF0ZPzjQGLPP7s= -github.com/onsi/ginkgo/v2 v2.27.1/go.mod h1:wmy3vCqiBjirARfVhAqFpYt8uvX0yaFe+GudAqqcCqA= +github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= +github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e h1:E1OdwSpqWuDPCedyUt0GEdoAE+r5TXy7YS21yNEo+2U= github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20251004062530-e48be5cc4d68 h1:wiP9mtrOKc4jzj026ln1AWPc1RIDr7LDmqshLQRZbpE= github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20251004062530-e48be5cc4d68/go.mod h1:jeO3FcGj38TheKGtsA64EWaHOM6GhAB0GN+2pc1w3hQ= -github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251002120642-c2d58c6fc03e h1:5q47hHT53v0PnNj2pwHHQ1+ZWC3kQLu1jtulTUrJ2cE= -github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251002120642-c2d58c6fc03e/go.mod h1:LfqzznghLpo+b9jVgyvqUoOZMcc3Ff0gXSmLLtFsj9w= -github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20251027074845-ed8154b20ad1 h1:QohvX44nxoV2GwvvOURGXYyDuCn4SCrnwubTKJtzehY= -github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20251027074845-ed8154b20ad1/go.mod 
h1:FMFoO4MjEQ85JpdLtDHxYSZxvJ9KzHua+HdKhpl0KRI= +github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251110170511-c2d4a351a7c3 h1:gKazSLpq0Ytn4OLzNtSKQpLswAdki8u8mXZgpJy83bE= +github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251110170511-c2d4a351a7c3/go.mod h1:Y9LqOS1wYhn7RT4jFknINdWa+ziYEIOU1jLNxkxiCsw= github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20250929092825-4c2402451077 h1:wAonK5ng4dZdQPdBGnLRLQ0zYu5cQ0OmDO46iiN+Quw= github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20250929092825-4c2402451077/go.mod h1:/t8UOevAIOdAu7SAkfwfyZj6p2pkuupl3mZJPMNqNOo= github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.0 h1:cFOyP37qQ9T1D6mVTCwuPGt86LB4sTErpHT+L1e+VKY= github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.0/go.mod h1:jgfvFeljXxot0LODLYCmjESxoMXbClXcBcf0DaX4zA0= -github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250929092825-4c2402451077 h1:missBxDwEfOdkHVKd6zyCyaQjSObw9Ge1O4A7WU5EuM= -github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250929092825-4c2402451077/go.mod h1:CjsYQ/dUr4eUmBEvM3UFUxvYvl2bAhGfGflaD+N4fWA= -github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251021145236-2b84ec9fd9bb h1:wToXqX7AS1JV3Kna7RcJfkRart8rSGun2biKNfyY6Zg= -github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251021145236-2b84ec9fd9bb/go.mod h1:yf13jWb60XV26eA7A8o86ZCXNWBLNK9dPkTSWFaTPCw= -github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20250929092825-4c2402451077 h1:9tpPDBV2RLXMDgt13ec8XR2OatFriItseqg+Oyvx9GA= -github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20250929092825-4c2402451077/go.mod h1:JPQHkExlxeT6MU3DNJgXXJJG0NMQHlZwxxfbYRaP3eg= +github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251103072528-9eb684fef4ef h1:1j7kk+D4ZdIXm6C/IwEjuTzIuvWUytxO39E/x94JY7k= 
+github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251103072528-9eb684fef4ef/go.mod h1:kUT/SyuxZiOcX8ZuvpFN3PaQa2V8uQon8YwY+1RoQWM= +github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251103072528-9eb684fef4ef h1:Ql4G7sRHpqWFGwXypN7MorDGUWv4jz5n34ayzVt3R9E= +github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251103072528-9eb684fef4ef/go.mod h1:yf13jWb60XV26eA7A8o86ZCXNWBLNK9dPkTSWFaTPCw= +github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20251103072528-9eb684fef4ef h1:VMwP0988m1VCjpVn+MxHt7i3B0OuBhQnM5akKt4taVA= +github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20251103072528-9eb684fef4ef/go.mod h1:jl+SNs7K7XBx5jVbUJwWV0NRDfM8LyeV4AsGAroP8XA= github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20251002102126-84fdf59cb2fb h1:QOEsifnJzqSl+6wFy3Lx81g/qk2bOx/LtXahERd67KM= github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20251002102126-84fdf59cb2fb/go.mod h1:yQRH2BR1S59QxsrbV9jOZ5cDkM7hV+qGlKaxWpcGYGA= github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20251002145853-52dcb63c343b h1:sQGgOoyUjfZjwG61/vtnkJr/H+EQ9ZU4WjhjARHPDhI= 
@@ -195,14 +195,12 @@ go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= -go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= -go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= -go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc= +go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= 
@@ -227,19 +225,19 @@ golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKl golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw= -golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug= +golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI= -golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4= -golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw= +golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k= +golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ= +golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng= -golang.org/x/text v0.28.0/go.mod 
h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU= +golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk= +golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4= golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE= golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= diff --git a/internal/controller/autoscaling_controller.go b/internal/controller/autoscaling_controller.go index 769f83759..24bc00da1 100644 --- a/internal/controller/autoscaling_controller.go +++ b/internal/controller/autoscaling_controller.go 
@@ -221,12 +221,13 @@ func (r *AutoscalingReconciler) Reconcile(ctx context.Context, req ctrl.Request) // fields to index to reconcile when change const ( - autoscalingPasswordSecretField = ".spec.aodh.secret" //nolint:gosec // G101: Not actual credentials, just field path - autoscalingCaBundleSecretNameField = ".spec.aodh.tls.caBundleSecretName" //nolint:gosec // G101: Not actual credentials, just field path + autoscalingPasswordSecretField = ".spec.aodh.secret" //nolint:gosec // G101: Not actual credentials, just field path + autoscalingCaBundleSecretNameField = ".spec.aodh.tls.caBundleSecretName" //nolint:gosec // G101: Not actual credentials, just field path autoscalingTLSAPIInternalField = ".spec.aodh.tls.api.internal.secretName" + autoscalingAuthAppCredSecretField = ".spec.aodh.auth.applicationCredentialSecret" //nolint:gosec // G101: Not actual credentials, just field path autoscalingTLSAPIPublicField = ".spec.aodh.tls.api.public.secretName" topologyField = ".spec.aodh.topologyRef.Name" - autoscalingCustomConfigsSecretField = ".spec.aodh.customConfigsSecretName" //nolint:gosec // G101: Not actual credentials, just field path + autoscalingCustomConfigsSecretField = ".spec.aodh.customConfigsSecretName" //nolint:gosec // G101: Not actual credentials, just field path ) var ( @@ -235,6 +236,7 @@ var ( autoscalingCaBundleSecretNameField, autoscalingTLSAPIInternalField, autoscalingTLSAPIPublicField, + autoscalingAuthAppCredSecretField, topologyField, autoscalingCustomConfigsSecretField, } 
@@ -612,6 +614,16 @@ func (r *AutoscalingReconciler) reconcileNormal( } // run check custom configs secret - end + // + // check for Application Credential secret and add hash to the vars map + // + if instance.Spec.Aodh.Auth.ApplicationCredentialSecret != "" { + ctrlResult, err := r.getSecret(ctx, helper, instance, instance.Spec.Aodh.Auth.ApplicationCredentialSecret, keystonev1.ACIDSecretKey, &configMapVars) + if err != nil { + return ctrlResult, err + } + } + inputHash, hashChanged, err := r.createHashOfInputHashes(ctx, instance, configMapVars) if err != nil { @@ -686,6 +698,7 @@ func (r *AutoscalingReconciler) generateServiceConfig( mc *memcachedv1.Memcached, db *mariadbv1.Database, ) error { + Log := r.GetLogger(ctx) cmLabels := labels.GetLabels(instance, labels.GetGroupLabel(autoscaling.ServiceName), map[string]string{}) var tlsCfg *tls.Service @@ -737,6 +750,25 @@ func (r *AutoscalingReconciler) generateServiceConfig( "Timeout": instance.Spec.Aodh.APITimeout, } + // Try to get Application Credential from the secret specified in the CR + if instance.Spec.Aodh.Auth.ApplicationCredentialSecret != "" { + acSecret := &corev1.Secret{} + key := types.NamespacedName{Namespace: instance.Namespace, Name: instance.Spec.Aodh.Auth.ApplicationCredentialSecret} + if err := r.Get(ctx, key, acSecret); err != nil { + if !k8s_errors.IsNotFound(err) { + Log.Error(err, "Failed to get ApplicationCredential secret", "secret", key) + } + } else { + acID, okID := acSecret.Data[keystonev1.ACIDSecretKey] + acSecretData, okSecret := acSecret.Data[keystonev1.ACSecretSecretKey] + if okID && len(acID) > 0 && okSecret && len(acSecretData) > 0 { + templateParameters["ACID"] = string(acID) + templateParameters["ACSecret"] = string(acSecretData) + Log.Info("Using ApplicationCredentials auth", "secret", key) + } + } + } + prometheusParams := map[string]any{ "Host": instance.Status.PrometheusHost, "Port": instance.Status.PrometheusPort, 
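Review bot: The check added to `reconcileNormal` names only `keystonev1.ACIDSecretKey`, while `generateServiceConfig` needs both that key and `keystonev1.ACSecretSecretKey`. Assuming the fifth argument of `r.getSecret` is the key it verifies, a secret holding the ID but not the secret value passes here and later falls back to password auth with no condition set. The same applies to the ceilometer hunk `@@ -716,6 +718,16 @@` and to the key slice passed to `cloudkitty.VerifyServiceSecret` in `@@ -922,6 +925,28 @@`, where adding `keystonev1.ACSecretSecretKey,` would close the gap. A non-empty `ctrlResult` returned with a nil error is also dropped here, unlike the cloudkitty hunk; if `getSecret` can requeue that way (its body is not in this diff), add `else if (ctrlResult != ctrl.Result{}) { return ctrlResult, nil }`. `reconcileNormal` starts and ends outside the hunk.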
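Review bot: In the block added to `generateServiceConfig`, a failed `r.Get` on the application credential secret is only logged, so a transient API error or an RBAC denial renders the config through the template's password branch even though the CR requested application credential auth. The function already returns `error`, so `if !k8s_errors.IsNotFound(err) { return err }` would let the reconcile retry instead of quietly downgrading the auth mode. A secret that exists but has one of the two keys empty currently produces no log line at all and deserves one. The same block is repeated in the ceilometer hunks `@@ -1277,6 +1289,25 @@` and `@@ -1364,6 +1395,25 @@` and in cloudkitty `@@ -1198,6 +1224,25 @@`; one shared helper returning the ID, the secret and an error would keep the four copies from drifting. The enclosing function starts and ends outside the hunk.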
@@ -1034,6 +1066,18 @@ func (r *AutoscalingReconciler) SetupWithManager(ctx context.Context, mgr ctrl.M return err } + // index autoscalingAuthAppCredSecretField + if err := mgr.GetFieldIndexer().IndexField(context.Background(), &telemetryv1.Autoscaling{}, autoscalingAuthAppCredSecretField, func(rawObj client.Object) []string { + // Extract the secret name from the spec, if one is provided + cr := rawObj.(*telemetryv1.Autoscaling) + if cr.Spec.Aodh.Auth.ApplicationCredentialSecret == "" { + return nil + } + return []string{cr.Spec.Aodh.Auth.ApplicationCredentialSecret} + }); err != nil { + return err + } + return ctrl.NewControllerManagedBy(mgr). For(&telemetryv1.Autoscaling{}). Owns(&appsv1.StatefulSet{}). diff --git a/internal/controller/ceilometer_controller.go b/internal/controller/ceilometer_controller.go index f39376c91..ebcfda84f 100644 --- a/internal/controller/ceilometer_controller.go +++ b/internal/controller/ceilometer_controller.go @@ -241,6 +241,7 @@ const ( ceilometerTLSField = ".spec.tls.secretName" ksmCaBundleSecretNameField = ".spec.ksmTls.caBundleSecretName" //nolint:gosec // G101: Not actual credentials, just field path ksmTLSField = ".spec.ksmTls.secretName" + ceilometerAuthAppCredSecretField = ".spec.auth.applicationCredentialSecret" //nolint:gosec // G101: Not actual credentials, just field path mysqldExporterCaBundleSecretNameField = ".spec.mysqldExporterTls.caBundleSecretName" //nolint:gosec // G101: Not actual credentials, just field path mysqldExporterTLSField = ".spec.mysqldExporterTls.secretName" customConfigsSecretNameField = ".spec.customConfigsSecretName" //nolint:gosec // G101: Not actual credentials, just field path @@ -251,6 +252,7 @@ var ( ceilometerPasswordSecretField, ceilometerCaBundleSecretNameField, ceilometerTLSField, + ceilometerAuthAppCredSecretField, ksmCaBundleSecretNameField, ksmTLSField, mysqldExporterCaBundleSecretNameField, 
@@ -716,6 +718,16 @@ func (r *CeilometerReconciler) reconcileCeilometer( } configMapVars["endpointurls"] = env.SetValue(hash) + // + // check for Application Credential secret and add hash to the vars map + // + if instance.Spec.Auth.ApplicationCredentialSecret != "" { + ctrlResult, err := r.getSecret(ctx, helper, instance, instance.Spec.Auth.ApplicationCredentialSecret, keystonev1.ACIDSecretKey, &configMapVars) + if err != nil { + return ctrlResult, err + } + } + // // create hash over all the different input resources to identify if any those changed // and a restart/recreate is required. @@ -1277,6 +1289,25 @@ func (r *CeilometerReconciler) generateServiceConfig( "Timeout": instance.Spec.APITimeout, } + // Try to get Application Credential from the secret specified in the CR + if instance.Spec.Auth.ApplicationCredentialSecret != "" { + acSecret := &corev1.Secret{} + key := types.NamespacedName{Namespace: instance.Namespace, Name: instance.Spec.Auth.ApplicationCredentialSecret} + if err := r.Get(ctx, key, acSecret); err != nil { + if !k8s_errors.IsNotFound(err) { + h.GetLogger().Error(err, "Failed to get ApplicationCredential secret", "secret", key) + } + } else { + acID, okID := acSecret.Data[keystonev1.ACIDSecretKey] + acSecretData, okSecret := acSecret.Data[keystonev1.ACSecretSecretKey] + if okID && len(acID) > 0 && okSecret && len(acSecretData) > 0 { + templateParameters["ACID"] = string(acID) + templateParameters["ACSecret"] = string(acSecretData) + h.GetLogger().Info("Using ApplicationCredentials auth", "secret", key) + } + } + } + // create httpd vhost template parameters endptConfig := map[string]any{} endptConfig["ServerName"] = fmt.Sprintf("%s-internal.%s.svc", ceilometer.ServiceName, instance.Namespace) 
@@ -1364,6 +1395,25 @@ func (r *CeilometerReconciler) generateComputeServiceConfig( "TLS": false, } + // Try to get Application Credential from the secret specified in the CR + if instance.Spec.Auth.ApplicationCredentialSecret != "" { + acSecret := &corev1.Secret{} + key := types.NamespacedName{Namespace: instance.Namespace, Name: instance.Spec.Auth.ApplicationCredentialSecret} + if err := r.Get(ctx, key, acSecret); err != nil { + if !k8s_errors.IsNotFound(err) { + h.GetLogger().Error(err, "Failed to get ApplicationCredential secret", "secret", key) + } + } else { + acID, okID := acSecret.Data[keystonev1.ACIDSecretKey] + acSecretData, okSecret := acSecret.Data[keystonev1.ACSecretSecretKey] + if okID && len(acID) > 0 && okSecret && len(acSecretData) > 0 { + templateParameters["ACID"] = string(acID) + templateParameters["ACSecret"] = string(acSecretData) + h.GetLogger().Info("Using ApplicationCredentials auth", "secret", key) + } + } + } + if instance.Spec.TLS.Enabled() { templateParameters["TLS"] = true templateParameters["TlsCert"] = "/etc/ceilometer/tls/tls.crt" @@ -1850,6 +1900,18 @@ func (r *CeilometerReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Ma return err } + // index ceilometerAuthAppCredSecretField + if err := mgr.GetFieldIndexer().IndexField(context.Background(), &telemetryv1.Ceilometer{}, ceilometerAuthAppCredSecretField, func(rawObj client.Object) []string { + // Extract the secret name from the spec, if one is provided + cr := rawObj.(*telemetryv1.Ceilometer) + if cr.Spec.Auth.ApplicationCredentialSecret == "" { + return nil + } + return []string{cr.Spec.Auth.ApplicationCredentialSecret} + }); err != nil { + return err + } + return ctrl.NewControllerManagedBy(mgr). For(&telemetryv1.Ceilometer{}). Owns(&keystonev1.KeystoneService{}). diff --git a/internal/controller/cloudkitty_controller.go b/internal/controller/cloudkitty_controller.go index 2daa7c9dc..6d8ac9af5 100644 --- a/internal/controller/cloudkitty_controller.go 
+++ b/internal/controller/cloudkitty_controller.go @@ -240,6 +240,7 @@ const ( cloudKittyCaBundleSecretNameField = ".spec.tls.caBundleSecretName" cloudKittyTLSAPIInternalField = ".spec.tls.api.internal.secretName" cloudKittyTLSAPIPublicField = ".spec.tls.api.public.secretName" + cloudKittyAuthAppCredSecretField = ".spec.auth.applicationCredentialSecret" //nolint:gosec // G101: Not actual credentials, just field path cloudKittyTopologyField = ".spec.topologyRef.Name" cloudKittyCustomConfigsSecretField = ".spec.customConfigsSecretName" //nolint:gosec // G101: Not actual credentials, just field path ) @@ -248,6 +249,7 @@ var ( cloudKittyProcWatchFields = []string{ cloudKittyPasswordSecretField, cloudKittyCaBundleSecretNameField, + cloudKittyAuthAppCredSecretField, cloudKittyTopologyField, cloudKittyCustomConfigsSecretField, } @@ -256,6 +258,7 @@ var ( cloudKittyCaBundleSecretNameField, cloudKittyTLSAPIInternalField, cloudKittyTLSAPIPublicField, + cloudKittyAuthAppCredSecretField, cloudKittyTopologyField, cloudKittyCustomConfigsSecretField, } @@ -922,6 +925,28 @@ func (r *CloudKittyReconciler) reconcileNormal(ctx context.Context, instance *te instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage) // run check OpenStack secret - end + // + // check for Application Credential secret and add hash to the vars map + // + if instance.Spec.Auth.ApplicationCredentialSecret != "" { + result, err := cloudkitty.VerifyServiceSecret( + ctx, + types.NamespacedName{Namespace: instance.Namespace, Name: instance.Spec.Auth.ApplicationCredentialSecret}, + []string{ + keystonev1.ACIDSecretKey, + }, + helper.GetClient(), + &instance.Status.Conditions, + cloudkitty.NormalDuration, + &configVars, + ) + if err != nil { + return result, err + } else if (result != ctrl.Result{}) { + return result, nil + } + } + db, result, err := r.ensureDB(ctx, helper, instance) if err != nil { return ctrl.Result{}, err 
@@ -1104,6 +1129,7 @@ func (r *CloudKittyReconciler) generateServiceConfigs( memcached *memcachedv1.Memcached, db *mariadbv1.Database, ) error { + Log := r.GetLogger(ctx) // // create Secret required for cloudkitty input // - %-scripts holds scripts to e.g. bootstrap the service @@ -1198,6 +1224,25 @@ func (r *CloudKittyReconciler) generateServiceConfigs( templateParameters["ServiceUser"] = instance.Spec.ServiceUser templateParameters["ServicePassword"] = string(ospSecret.Data[instance.Spec.PasswordSelectors.CloudKittyService]) templateParameters["KeystoneInternalURL"] = keystoneInternalURL + + // Try to get Application Credential from the secret specified in the CR + if instance.Spec.Auth.ApplicationCredentialSecret != "" { + acSecret := &corev1.Secret{} + key := types.NamespacedName{Namespace: instance.Namespace, Name: instance.Spec.Auth.ApplicationCredentialSecret} + if err := r.Get(ctx, key, acSecret); err != nil { + if !k8s_errors.IsNotFound(err) { + Log.Error(err, "Failed to get ApplicationCredential secret", "secret", key) + } + } else { + acID, okID := acSecret.Data[keystonev1.ACIDSecretKey] + acSecretData, okSecret := acSecret.Data[keystonev1.ACSecretSecretKey] + if okID && len(acID) > 0 && okSecret && len(acSecretData) > 0 { + templateParameters["ACID"] = string(acID) + templateParameters["ACSecret"] = string(acSecretData) + Log.Info("Using ApplicationCredentials auth", "secret", key) + } + } + } templateParameters["KeystonePublicURL"] = keystonePublicURL templateParameters["TransportURL"] = string(transportURLSecret.Data["transport_url"]) templateParameters["PrometheusHost"] = instance.Status.PrometheusHost diff --git a/internal/controller/cloudkittyapi_controller.go b/internal/controller/cloudkittyapi_controller.go index 846c88c46..2e113960a 100644 --- a/internal/controller/cloudkittyapi_controller.go +++ b/internal/controller/cloudkittyapi_controller.go 
@@ -19,6 +19,7 @@ package controller import ( "context" "fmt" + telemetryv1 "github.com/openstack-k8s-operators/telemetry-operator/api/v1beta1" "github.com/openstack-k8s-operators/telemetry-operator/internal/cloudkitty" "github.com/openstack-k8s-operators/telemetry-operator/internal/cloudkittyapi" @@ -419,6 +420,18 @@ func (r *CloudKittyAPIReconciler) SetupWithManager(ctx context.Context, mgr ctrl return err } + // index authAppCredSecretField + if err := mgr.GetFieldIndexer().IndexField(context.Background(), &telemetryv1.CloudKittyAPI{}, cloudKittyAuthAppCredSecretField, func(rawObj client.Object) []string { + // Extract the AC secret name from the spec, if one is provided + cr := rawObj.(*telemetryv1.CloudKittyAPI) + if cr.Spec.Auth.ApplicationCredentialSecret == "" { + return nil + } + return []string{cr.Spec.Auth.ApplicationCredentialSecret} + }); err != nil { + return err + } + return ctrl.NewControllerManagedBy(mgr). For(&telemetryv1.CloudKittyAPI{}). Owns(&keystonev1.KeystoneService{}). diff --git a/internal/controller/cloudkittyproc_controller.go b/internal/controller/cloudkittyproc_controller.go index 944acb2be..319737c14 100644 --- a/internal/controller/cloudkittyproc_controller.go +++ b/internal/controller/cloudkittyproc_controller.go @@ -370,6 +370,18 @@ func (r *CloudKittyProcReconciler) SetupWithManager(ctx context.Context, mgr ctr return err } + // index authAppCredSecretField + if err := mgr.GetFieldIndexer().IndexField(context.Background(), &telemetryv1.CloudKittyProc{}, cloudKittyAuthAppCredSecretField, func(rawObj client.Object) []string { + // Extract the AC secret name from the spec, if one is provided + cr := rawObj.(*telemetryv1.CloudKittyProc) + if cr.Spec.Auth.ApplicationCredentialSecret == "" { + return nil + } + return []string{cr.Spec.Auth.ApplicationCredentialSecret} + }); err != nil { + return err + } + return ctrl.NewControllerManagedBy(mgr). For(&telemetryv1.CloudKittyProc{}). Owns(&appsv1.StatefulSet{}). 
diff --git a/templates/autoscaling/config/aodh.conf b/templates/autoscaling/config/aodh.conf index e53c7ac15..369a0c0e6 100644 --- a/templates/autoscaling/config/aodh.conf +++ b/templates/autoscaling/config/aodh.conf @@ -45,6 +45,12 @@ memcache_tls_keyfile = {{ .MemcachedAuthKey }} memcache_tls_cafile = {{ .MemcachedAuthCa }} memcache_tls_enabled = true {{- end }} +{{ if (index . "ACID") }} +auth_type = v3applicationcredential +auth_url = {{ .KeystoneInternalURL }} +application_credential_id = {{ .ACID }} +application_credential_secret = {{ .ACSecret }} +{{- else }} auth_type = password auth_url = {{ .KeystoneInternalURL }} username = {{ .AodhUser }} @@ -52,9 +58,16 @@ password = {{ .AodhPassword }} user_domain_name = Default project_name = service project_domain_name = Default +{{- end }} service_token_roles_required = True [service_credentials] +{{ if (index . "ACID") }} +auth_type=v3applicationcredential +auth_url={{ .KeystoneInternalURL }} +application_credential_id={{ .ACID }} +application_credential_secret={{ .ACSecret }} +{{- else }} auth_type=password auth_url={{ .KeystoneInternalURL }} project_name=service @@ -62,6 +75,7 @@ project_domain_name=Default username={{ .AodhUser }} user_domain_name=Default password={{ .AodhPassword }} +{{- end }} interface = internalURL [healthcheck] diff --git a/templates/ceilometercentral/config/ceilometer.conf b/templates/ceilometercentral/config/ceilometer.conf index 05e1388c1..b1d374db8 100644 --- a/templates/ceilometercentral/config/ceilometer.conf +++ b/templates/ceilometercentral/config/ceilometer.conf @@ -8,6 +8,12 @@ polling_namespaces=central transport_url={{ .TransportURL }} [service_credentials] +{{ if (index . "ACID") }} +auth_type=v3applicationcredential +auth_url={{ .KeystoneInternalURL }} +application_credential_id={{ .ACID }} +application_credential_secret={{ .ACSecret }} +{{- else }} auth_type=password auth_url={{ .KeystoneInternalURL }} project_name=service 
@@ -15,6 +21,7 @@ project_domain_name=Default username=ceilometer user_domain_name=Default password={{ .CeilometerPassword }} +{{- end }} interface = internalURL {{- if .TLS }} cafile = {{ .CAFile }} diff --git a/templates/ceilometercompute/config/ceilometer.conf b/templates/ceilometercompute/config/ceilometer.conf index e923c4882..33f278169 100644 --- a/templates/ceilometercompute/config/ceilometer.conf +++ b/templates/ceilometercompute/config/ceilometer.conf @@ -6,6 +6,12 @@ rpc_response_timeout=60 polling_namespaces=compute [service_credentials] +{{ if (index . "ACID") }} +auth_type=v3applicationcredential +auth_url={{ .KeystoneInternalURL }} +application_credential_id={{ .ACID }} +application_credential_secret={{ .ACSecret }} +{{- else }} auth_type=password auth_url={{ .KeystoneInternalURL }} project_name=service @@ -13,6 +19,7 @@ project_domain_name=Default username=ceilometer user_domain_name=Default password={{ .CeilometerPassword }} +{{- end }} interface = internalURL [compute] diff --git a/templates/ceilometeripmi/config/ceilometer.conf b/templates/ceilometeripmi/config/ceilometer.conf index 91d35b811..713ec08ad 100644 --- a/templates/ceilometeripmi/config/ceilometer.conf +++ b/templates/ceilometeripmi/config/ceilometer.conf @@ -7,6 +7,12 @@ polling_namespaces=ipmi [service_credentials] +{{ if (index . "ACID") }} +auth_type=v3applicationcredential +auth_url={{ .KeystoneInternalURL }} +application_credential_id={{ .ACID }} +application_credential_secret={{ .ACSecret }} +{{- else }} auth_type=password auth_url={{ .KeystoneInternalURL }} project_name=service @@ -14,6 +20,7 @@ project_domain_name=Default username=ceilometer user_domain_name=Default password={{ .CeilometerPassword }} +{{- end }} interface = internalURL [coordination] diff --git a/templates/cloudkitty/config/cloudkitty.conf b/templates/cloudkitty/config/cloudkitty.conf index 80ba122e1..e026402a2 100644 --- a/templates/cloudkitty/config/cloudkitty.conf 
+++ b/templates/cloudkitty/config/cloudkitty.conf @@ -9,6 +9,12 @@ transport_url = {{ .TransportURL }} [authinfos] debug = True +{{ if (index . "ACID") }} +auth_type = v3applicationcredential +auth_url = {{ .KeystoneInternalURL }} +application_credential_id = {{ .ACID }} +application_credential_secret = {{ .ACSecret }} +{{- else }} project_domain_name = default user_domain_name = default region_name = RegionOne @@ -20,6 +26,7 @@ identity_uri = {{ .KeystoneInternalURL }} auth_url = {{ .KeystoneInternalURL }} auth_protocol = http auth_type = v3password +{{- end }} {{- if .TLS }} cafile = {{ .CAFile }} {{- end }} @@ -70,14 +77,21 @@ connection = {{ .DatabaseConnection }} memcached_servers = {{ .MemcachedServersWithInet }} # memcache_pool_dead_retry = 10 # memcache_pool_conn_get_timeout = 2 +{{ if (index . "ACID") }} +auth_type = v3applicationcredential +auth_url = {{ .KeystoneInternalURL }} +application_credential_id = {{ .ACID }} +application_credential_secret = {{ .ACSecret }} +{{- else }} project_domain_name = Default project_name = service user_domain_name = Default password = {{ .ServicePassword }} username = {{ .ServiceUser }} auth_url = {{ .KeystoneInternalURL }} -interface = internal auth_type = password +{{- end }} +interface = internal {{- if .TLS }} cafile = {{ .CAFile }} {{- end }}
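Review bot: In the `[authinfos]` hunk `@@ -9,6 +9,12 @@`, `region_name = RegionOne` sits after `{{- else }}`, so a deployment using application credentials renders the section without a region even though the region is not a credential setting. The last hunk of this file moves `interface = internal` below `{{- end }}`, apparently for that reason, and the same treatment fits here: place `region_name = RegionOne` above `{{ if (index . "ACID") }}`. The lines between this hunk and `@@ -20,6 +26,7 @@` are not visible, so any other non-credential options in that range should be checked the same way.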