Merge pull request openstack-k8s-operators#346 from dmendiza/enable-secure-rbac

openshift-merge-bot[bot] · web-flow · commit 70a29a03b9fa · 2024-02-19T18:06:02.000Z
Enable Secure RBAC by default
diff --git a/api/bases/keystone.openstack.org_keystoneapis.yaml b/api/bases/keystone.openstack.org_keystoneapis.yaml
@@ -86,6 +86,11 @@ spec:
                   files. Those get added to the service config dir in /etc/<service>
                   . TODO: -> implement'
                 type: object
+              enableSecureRBAC:
+                default: true
+                description: EnableSecureRBAC - Enable Consistent and Secure RBAC
+                  policies
+                type: boolean
               memcachedInstance:
                 default: memcached
                 description: Memcached instance name.
diff --git a/api/v1beta1/keystoneapi_types.go b/api/v1beta1/keystoneapi_types.go
@@ -96,6 +96,11 @@ type KeystoneAPISpec struct {
 	// Secret containing OpenStack password information for keystone KeystoneDatabasePassword, AdminPassword
 	Secret string `json:"secret"`
 
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=true
+	// EnableSecureRBAC - Enable Consistent and Secure RBAC policies
+	EnableSecureRBAC bool `json:"enableSecureRBAC"`
+
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default=""
 	// TrustFlushArgs - Arguments added to keystone-manage trust_flush command
diff --git a/config/crd/bases/keystone.openstack.org_keystoneapis.yaml b/config/crd/bases/keystone.openstack.org_keystoneapis.yaml
@@ -86,6 +86,11 @@ spec:
                   files. Those get added to the service config dir in /etc/<service>
                   . TODO: -> implement'
                 type: object
+              enableSecureRBAC:
+                default: true
+                description: EnableSecureRBAC - Enable Consistent and Secure RBAC
+                  policies
+                type: boolean
               memcachedInstance:
                 default: memcached
                 description: Memcached instance name.
diff --git a/controllers/keystoneapi_controller.go b/controllers/keystoneapi_controller.go
@@ -1198,6 +1198,7 @@ func (r *KeystoneAPIReconciler) generateServiceConfigMaps(
 			instance.Status.DatabaseHostname,
 			keystone.DatabaseName,
 		),
+		"enableSecureRBAC": instance.Spec.EnableSecureRBAC,
 	}
 
 	// create httpd  vhost template parameters
diff --git a/templates/keystoneapi/config/keystone.conf b/templates/keystoneapi/config/keystone.conf
@@ -11,6 +11,10 @@ max_retries=-1
 db_max_retries=-1
 connection={{ .DatabaseConnection }}
 
+[oslo_policy]
+enforce_new_defaults = {{ .enableSecureRBAC }}
+enforce_scope = {{ .enableSecureRBAC }}
+
 [fernet_tokens]
 key_repository=/etc/keystone/fernet-keys
 max_active_keys=2

Original file line number	Diff line number	Diff line change
`@@ -1198,6 +1198,7 @@ func (r *KeystoneAPIReconciler) generateServiceConfigMaps(`
`1198`	`1198`	`instance.Status.DatabaseHostname,`
`1199`	`1199`	`keystone.DatabaseName,`
`1200`	`1200`	`),`
	`1201`	`+ "enableSecureRBAC": instance.Spec.EnableSecureRBAC,`
`1201`	`1202`	`}`
`1202`	`1203`
`1203`	`1204`	`// create httpd vhost template parameters`