diff --git a/.prow_ci.env b/.prow_ci.env index 48fc5e272..d0fa90e2a 100644 --- a/.prow_ci.env +++ b/.prow_ci.env @@ -1,3 +1,4 @@ export USE_IMAGE_DIGESTS=true export BUNDLE_DOCKERFILE=bundle.Dockerfile export FAIL_FIPS_CHECK=true +export TIMEOUT=1200s diff --git a/api/bases/core.openstack.org_openstackcontrolplanes.yaml b/api/bases/core.openstack.org_openstackcontrolplanes.yaml index 99b2419c0..b6bf0f89c 100644 --- a/api/bases/core.openstack.org_openstackcontrolplanes.yaml +++ b/api/bases/core.openstack.org_openstackcontrolplanes.yaml @@ -40,6 +40,53 @@ spec: type: object spec: properties: + applicationCredential: + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + default: 730 + minimum: 2 + type: integer + gracePeriodDays: + default: 364 + minimum: 1 + type: integer + roles: + default: + - admin + - service + items: + type: string + minItems: 1 + type: array + unrestricted: + default: false + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: self.gracePeriodDays < self.expirationDays barbican: properties: apiOverride: 
@@ -166,6 +213,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -175,6 +266,11 @@ spec: default: 90 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object barbicanAPI: properties: apiTimeout: @@ -674,6 +770,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean 
@@ -685,6 +825,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object cinderAPI: properties: customServiceConfig: @@ -1769,6 +1914,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -1799,6 +1988,11 @@ spec: properties: apiTimeout: type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object backendMdnsServerProtocol: type: string backendType: 
@@ -3648,6 +3842,50 @@ spec: type: object type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -4195,6 +4433,11 @@ spec: apiTimeout: minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string customServiceConfigSecrets: @@ -4574,6 +4817,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cnfAPIOverride: properties: route: 
@@ -4707,6 +4994,11 @@ spec: default: 600 minimum: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string customServiceConfigSecrets: @@ -6519,6 +6811,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -6652,6 +6988,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -6913,6 +7254,11 @@ spec: type: array ironicInspector: properties: + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string 
@@ -8179,6 +8525,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -8188,6 +8578,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string 
@@ -9246,6 +9641,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -9255,6 +9694,11 @@ spec: default: 120 minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object corePlugin: default: ml2 type: string @@ -10076,6 +10520,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cellOverride: additionalProperties: properties: 
@@ -10359,6 +10847,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object cellTemplates: additionalProperties: properties: @@ -11144,6 +11637,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -11179,6 +11716,11 @@ spec: apiTimeout: default: 120 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11221,6 +11763,11 @@ spec: properties: apiTimeout: type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11429,6 +11976,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string 
@@ -11581,6 +12133,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11839,6 +12396,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -12626,6 +13188,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -12635,6 +13241,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string databaseAccount: 
@@ -13701,6 +14312,50 @@ spec: type: string swift: properties: + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -13857,6 +14512,11 @@ spec: default: 60 minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object ceilometerEnabled: default: false type: boolean 
@@ -14348,6 +15008,138 @@ spec: type: string type: object type: object + applicationCredentialAodh: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' + applicationCredentialCeilometer: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' + applicationCredentialCloudKitty: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + 
x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cloudKittyApiOverride: properties: route: @@ -14617,6 +15409,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customConfigsSecretName: type: string customServiceConfig: @@ -14785,6 +15582,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customConfigsSecretName: type: string customServiceConfig: @@ -14873,6 +15675,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object cloudKittyAPI: properties: customConfigsSecretName: @@ -15093,6 +15900,9 @@ spec: enabled: default: false type: boolean + lokiRetentionDays: + default: 95 + type: integer lokiStackSize: default: 1x.demo enum: 
@@ -16256,6 +17066,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -16449,6 +17303,11 @@ spec: type: string type: object type: object + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string databaseAccount: diff --git a/api/core/v1beta1/openstackcontrolplane_types.go b/api/core/v1beta1/openstackcontrolplane_types.go index af5299529..937d030b1 100644 --- a/api/core/v1beta1/openstackcontrolplane_types.go +++ b/api/core/v1beta1/openstackcontrolplane_types.go 
@@ -235,6 +235,14 @@ type OpenStackControlPlaneSpec struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // Watcher - Parameters related to the Watcher service Watcher WatcherSection `json:"watcher,omitempty"` + + // +kubebuilder:validation:Optional + // +operator-sdk:csv:customresourcedefinitions:type=spec + // ApplicationCredential - Global configuration for ApplicationCredentials. + // Both this global section AND the per-service applicationCredential section + // must be enabled for a service to use ApplicationCredentials. + // If omitted, defaults to enabled=false with standard expiration/grace periods. + ApplicationCredential ApplicationCredentialSection `json:"applicationCredential,omitempty"` } // TLSSection defines the desired state of TLS configuration @@ -429,6 +437,13 @@ type PlacementSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // APIOverride, provides the ability to override the generated manifest of several child resources. APIOverride Override `json:"apiOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // GlanceSection defines the desired state of Glance service 
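Review bot: The comment on the new global `ApplicationCredential` field in OpenStackControlPlaneSpec promises "standard expiration/grace periods" without saying what they are. The CRD generated in this same diff gives roles `admin` and `service`, `expirationDays` 730 and `gracePeriodDays` 364. Every service that opts in inherits these unless it overrides them, so the field comment is where an operator should learn that the default credential is long-lived and carries the admin role. I would list the defaults there and add a line such as `// Defaults grant the admin role; narrow Roles and set AccessRules where a service does not need it.` The struct starts outside this hunk.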
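Review bot: The new PlacementSection field `ApplicationCredential *ServiceAppCredSection` is Optional and `+nullable`, but its tag `json:"applicationCredential"` has no `omitempty`, so a nil pointer is written back as an explicit `null`. As far as I know the API server does not apply the `{enabled:false}` default to an explicit null on a nullable field, so any code reading the field has to treat nil as disabled; that code is not visible in this diff. Either change the tag to `json:"applicationCredential,omitempty"` or say in the field comment that nil means disabled. The same field is added with the same tag to the Glance, Cinder, Neutron, Nova, Heat, Ironic, Manila, Swift, Octavia, Designate, Barbican and Watcher sections, and three times in TelemetrySection.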
@@ -461,6 +476,13 @@ type GlanceSection struct { // This field preserves the service name (with UID suffix) across reconciliations and restores, // ensuring consistent resource naming even when the CR is recreated. Should not be manually set. ServiceName string `json:"serviceName,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // CinderSection defines the desired state of Cinder service @@ -493,6 +515,13 @@ type CinderSection struct { // This field preserves the service name (with UID suffix) across reconciliations and restores, // ensuring consistent resource naming even when the CR is recreated. Should not be manually set. ServiceName string `json:"serviceName,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // GaleraSection defines the desired state of Galera services 
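Review bot: The GlanceSection field comment "allows service-specific overrides of the global AC configuration" does not say how a partial override is combined with the global section, and the schema does not validate the combined result. The CEL rule on ServiceAppCredSection, later in this diff, compares `gracePeriodDays` with `expirationDays` only when both are set on the service. A service that sets only `gracePeriodDays` to a value at or above the global `expirationDays` therefore passes admission. If no webhook or reconcile-time check covers the merged values (none is visible here), add one, and document the merge rule on the field, for example `// Unset fields inherit the global value; the merged gracePeriodDays must stay below the merged expirationDays.` This applies to every per-service override field in the file, not only Glance.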
@@ -586,6 +615,13 @@ type NeutronSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // APIOverride, provides the ability to override the generated manifest of several child resources. APIOverride Override `json:"apiOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // NovaSection defines the desired state of Nova services @@ -612,6 +648,13 @@ type NovaSection struct { // for a nova cell. cell0 never have compute nodes and therefore it won't have a noVNCProxy deployed. // Providing an override for cell0 noVNCProxy does not have an effect. CellOverride map[string]NovaCellOverrideSpec `json:"cellOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // NovaCellOverrideSpec to override the generated manifest of several child resources. 
@@ -642,6 +685,13 @@ type HeatSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // CnfAPIOverride, provides the ability to override the generated manifest of several child resources. CnfAPIOverride Override `json:"cnfAPIOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // IronicSection defines the desired state of Ironic services @@ -666,6 +716,13 @@ type IronicSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // InspectorOverride, provides the ability to override the generated manifest of several child resources. InspectorOverride Override `json:"inspectorOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // ManilaSection defines the desired state of Manila service @@ -685,6 +742,13 @@ type ManilaSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // APIOverride, provides the ability to override the generated manifest of several child resources. APIOverride Override `json:"apiOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // HorizonSection defines the desired state of Horizon services 
@@ -738,6 +802,27 @@ type TelemetrySection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // AlertmanagerOverride, provides the ability to override the generated manifest of several child resources. AlertmanagerOverride Override `json:"alertmanagerOverride,omitempty"` + + // ApplicationCredentialCeilometer allows service-specific overrides of the global AC configuration for Ceilometer. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredentialCeilometer *ServiceAppCredSection `json:"applicationCredentialCeilometer"` + + // ApplicationCredentialAodh allows service-specific overrides of the global AC configuration for Aodh. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredentialAodh *ServiceAppCredSection `json:"applicationCredentialAodh"` + + // ApplicationCredentialCloudKitty allows service-specific overrides of the global AC configuration for CloudKitty. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredentialCloudKitty *ServiceAppCredSection `json:"applicationCredentialCloudKitty"` } // SwiftSection defines the desired state of Swift service 
@@ -757,6 +842,13 @@ type SwiftSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // ProxyOverride, provides the ability to override the generated manifest of several child resources. ProxyOverride Override `json:"proxyOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // OctaviaSection defines the desired state of the Octavia service @@ -776,6 +868,13 @@ type OctaviaSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // APIOverride, provides the ability to override the generated manifest of several child resources. APIOverride Override `json:"apiOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // DesignateSection defines the desired state of the Designate service @@ -795,6 +894,13 @@ type DesignateSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // APIOverride, provides the ability to override the generated manifest of several child resources. APIOverride Override `json:"apiOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // BarbicanSection defines the desired state of Barbican service 
@@ -814,6 +920,13 @@ type BarbicanSection struct { // +operator-sdk:csv:customresourcedefinitions:type=spec // APIOverride, provides the ability to override the generated manifest of several child resources. APIOverride Override `json:"apiOverride,omitempty"` + + // ApplicationCredential allows service-specific overrides of the global AC configuration. + // +operator-sdk:csv:customresourcedefinitions:type=spec + // +kubebuilder:validation:Optional + // +nullable + // +kubebuilder:default={enabled:false} + ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"` } // RedisSection defines the desired state of the Redis service 
@@ -855,6 +968,97 @@ type WatcherSection struct {
 // +operator-sdk:csv:customresourcedefinitions:type=spec
 // APIOverride, provides the ability to override the generated manifest of several child resources.
 APIOverride Override `json:"apiOverride,omitempty"`
+
+ // ApplicationCredential allows service-specific overrides of the global AC configuration.
+ // +operator-sdk:csv:customresourcedefinitions:type=spec
+ // +kubebuilder:validation:Optional
+ // +nullable
+ // +kubebuilder:default={enabled:false}
+ ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
+}
+
+// +kubebuilder:validation:XValidation:rule="self.gracePeriodDays < self.expirationDays",message="gracePeriodDays must be smaller than expirationDays"
+// ApplicationCredentialSection defines the desired configuration for ApplicationCredentials
+type ApplicationCredentialSection struct {
+ // Enabled indicates whether an ApplicationCredential should be created
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:default=false
+ Enabled bool `json:"enabled"`
+
+ // ExpirationDays sets the lifetime in days for the AC
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:default=730
+ // +kubebuilder:validation:Minimum=2
+ ExpirationDays *int `json:"expirationDays"`
+
+ // GracePeriodDays sets how many days before expiration the AC should be rotated
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:default=364
+ // +kubebuilder:validation:Minimum=1
+ GracePeriodDays *int `json:"gracePeriodDays"`
+
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:default={"admin","service"}
+ // +kubebuilder:validation:MinItems=1
+ // Roles to assign to the ApplicationCredential
+ Roles []string `json:"roles"`
+
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:default=false
+ // Whether the AC should be unrestricted
+ Unrestricted *bool `json:"unrestricted"`
+
+ // AccessRules lets supply a custom list of rules
+ // If unset, no accessRules field is emitted
+ // +kubebuilder:validation:Optional
+ // +listType=atomic
+ AccessRules []ACRule `json:"accessRules,omitempty"`
+}
+
+// +kubebuilder:validation:XValidation:rule="!(has(self.expirationDays) && has(self.gracePeriodDays)) || self.gracePeriodDays < self.expirationDays",message="gracePeriodDays must be smaller than expirationDays"
+// ServiceAppCredSection allows service-specific overrides of the global AC configuration
+type ServiceAppCredSection struct {
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:default=false
+ Enabled bool `json:"enabled"`
+
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:Minimum=2
+ ExpirationDays *int `json:"expirationDays,omitempty"`
+
+ // +kubebuilder:validation:Optional
+ // +kubebuilder:validation:Minimum=1
+ GracePeriodDays *int `json:"gracePeriodDays,omitempty"`
+
+ // +kubebuilder:validation:Optional
+ // Roles to assign to the ApplicationCredential
+ Roles []string `json:"roles,omitempty"`
+
+ // +kubebuilder:validation:Optional
+ // Whether the AC should be unrestricted
+ Unrestricted *bool `json:"unrestricted,omitempty"`
+
+ // AccessRules lets the service override the global AccessRules if specified
+ // +kubebuilder:validation:Optional
+ // +listType=atomic
+ AccessRules []ACRule `json:"accessRules,omitempty"`
+}
+
+// ACRule describes a single access rule for an ApplicationCredential
+// +k8s:openapi-gen=true
+type ACRule struct {
+ // Service is the name of the service to target (e.g. "identity").
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinLength=1
+ Service string `json:"service"`
+ // Path is the HTTP path (e.g. "/v3/auth/tokens").
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinLength=1
+ Path string `json:"path"`
+ // Method is the HTTP method to allow (e.g. "POST").
+ // +kubebuilder:validation:Required
+ // +kubebuilder:validation:MinLength=1
+ Method string `json:"method"`
 }
 
 // OpenStackControlPlaneStatus defines the observed state of OpenStackControlPlane
diff --git a/api/core/v1beta1/openstackcontrolplane_webhook.go b/api/core/v1beta1/openstackcontrolplane_webhook.go
index 3766fb184..ff0f2c879 100644
--- a/api/core/v1beta1/openstackcontrolplane_webhook.go
+++ b/api/core/v1beta1/openstackcontrolplane_webhook.go
@@ -937,6 +937,7 @@ func (r *OpenStackControlPlane) DefaultServices() {
 r.Spec.Glance.APIOverride = map[string]Override{}
 }
 for name, glanceAPI := range r.Spec.Glance.Template.GlanceAPIs {
+
 var override Override
 var ok bool
 
@@ -1244,7 +1245,7 @@ func (r *OpenStackControlPlane) ValidateNotificationsBusInstance(basePath *field
 // NotificationsBusInstance is set and must be equal to an existing
 // deployed rabbitmq instance, otherwise we should fail because it
 // does not represent a valid string
- for k := range(*r.Spec.Rabbitmq.Templates) {
+ for k := range *r.Spec.Rabbitmq.Templates {
 if *r.Spec.NotificationsBusInstance == k {
 return nil
 }
diff --git a/api/core/v1beta1/zz_generated.deepcopy.go b/api/core/v1beta1/zz_generated.deepcopy.go
index 2af599dd5..950361fe3 100644
--- a/api/core/v1beta1/zz_generated.deepcopy.go
+++ b/api/core/v1beta1/zz_generated.deepcopy.go
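Review bot: The CEL rule on `ServiceAppCredSection` in the WatcherSection hunk only compares `gracePeriodDays` with `expirationDays` when both are set in the same override, so a service that overrides just one of them can end up with a grace period at or above the lifetime it inherits from `ApplicationCredentialSection` (a constructed example: `gracePeriodDays: 800` against the global default of 730). A CRD rule on the override cannot see the global section, so the merged values need a check where both are available, presumably the validating webhook; nothing in this hunk shows one. The override also drops `MinItems=1` on `Roles`, so `roles: []` is accepted there while the global section rejects it. On the documentation side, the `Unrestricted` comment should state what the flag grants, for example `// Unrestricted allows the AC to create or delete other application credentials and trusts; keep false unless the service requires it`, and the `Roles` comment should note that the default includes `admin`.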
@@ -51,6 +51,61 @@ import ( "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ACRule) DeepCopyInto(out *ACRule) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACRule. +func (in *ACRule) DeepCopy() *ACRule { + if in == nil { + return nil + } + out := new(ACRule) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ApplicationCredentialSection) DeepCopyInto(out *ApplicationCredentialSection) { + *out = *in + if in.ExpirationDays != nil { + in, out := &in.ExpirationDays, &out.ExpirationDays + *out = new(int) + **out = **in + } + if in.GracePeriodDays != nil { + in, out := &in.GracePeriodDays, &out.GracePeriodDays + *out = new(int) + **out = **in + } + if in.Roles != nil { + in, out := &in.Roles, &out.Roles + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Unrestricted != nil { + in, out := &in.Unrestricted, &out.Unrestricted + *out = new(bool) + **out = **in + } + if in.AccessRules != nil { + in, out := &in.AccessRules, &out.AccessRules + *out = make([]ACRule, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationCredentialSection. +func (in *ApplicationCredentialSection) DeepCopy() *ApplicationCredentialSection { + if in == nil { + return nil + } + out := new(ApplicationCredentialSection) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BarbicanSection) DeepCopyInto(out *BarbicanSection) { *out = *in 
@@ -60,6 +115,11 @@ func (in *BarbicanSection) DeepCopyInto(out *BarbicanSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BarbicanSection. @@ -153,6 +213,11 @@ func (in *CinderSection) DeepCopyInto(out *CinderSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CinderSection. @@ -811,6 +876,11 @@ func (in *DesignateSection) DeepCopyInto(out *DesignateSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DesignateSection. @@ -864,6 +934,11 @@ func (in *GlanceSection) DeepCopyInto(out *GlanceSection) { (*out)[key] = *val.DeepCopy() } } + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlanceSection. 
@@ -886,6 +961,11 @@ func (in *HeatSection) DeepCopyInto(out *HeatSection) { } in.APIOverride.DeepCopyInto(&out.APIOverride) in.CnfAPIOverride.DeepCopyInto(&out.CnfAPIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeatSection. @@ -929,6 +1009,11 @@ func (in *IronicSection) DeepCopyInto(out *IronicSection) { } in.APIOverride.DeepCopyInto(&out.APIOverride) in.InspectorOverride.DeepCopyInto(&out.InspectorOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IronicSection. @@ -971,6 +1056,11 @@ func (in *ManilaSection) DeepCopyInto(out *ManilaSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManilaSection. @@ -1018,6 +1108,11 @@ func (in *NeutronSection) DeepCopyInto(out *NeutronSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NeutronSection. 
@@ -1062,6 +1157,11 @@ func (in *NovaSection) DeepCopyInto(out *NovaSection) { (*out)[key] = *val.DeepCopy() } } + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NovaSection. @@ -1083,6 +1183,11 @@ func (in *OctaviaSection) DeepCopyInto(out *OctaviaSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OctaviaSection. @@ -1221,6 +1326,7 @@ func (in *OpenStackControlPlaneSpec) DeepCopyInto(out *OpenStackControlPlaneSpec **out = **in } in.Watcher.DeepCopyInto(&out.Watcher) + in.ApplicationCredential.DeepCopyInto(&out.ApplicationCredential) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenStackControlPlaneSpec. @@ -1530,6 +1636,11 @@ func (in *PlacementSection) DeepCopyInto(out *PlacementSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlacementSection. 
@@ -1594,6 +1705,46 @@ func (in *RedisSection) DeepCopy() *RedisSection { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ServiceAppCredSection) DeepCopyInto(out *ServiceAppCredSection) { + *out = *in + if in.ExpirationDays != nil { + in, out := &in.ExpirationDays, &out.ExpirationDays + *out = new(int) + **out = **in + } + if in.GracePeriodDays != nil { + in, out := &in.GracePeriodDays, &out.GracePeriodDays + *out = new(int) + **out = **in + } + if in.Roles != nil { + in, out := &in.Roles, &out.Roles + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Unrestricted != nil { + in, out := &in.Unrestricted, &out.Unrestricted + *out = new(bool) + **out = **in + } + if in.AccessRules != nil { + in, out := &in.AccessRules, &out.AccessRules + *out = make([]ACRule, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAppCredSection. +func (in *ServiceAppCredSection) DeepCopy() *ServiceAppCredSection { + if in == nil { + return nil + } + out := new(ServiceAppCredSection) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServiceDefaults) DeepCopyInto(out *ServiceDefaults) { *out = *in @@ -1623,6 +1774,11 @@ func (in *SwiftSection) DeepCopyInto(out *SwiftSection) { (*in).DeepCopyInto(*out) } in.ProxyOverride.DeepCopyInto(&out.ProxyOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SwiftSection. 
@@ -1750,6 +1906,21 @@ func (in *TelemetrySection) DeepCopyInto(out *TelemetrySection) { in.CloudKittyAPIOverride.DeepCopyInto(&out.CloudKittyAPIOverride) in.PrometheusOverride.DeepCopyInto(&out.PrometheusOverride) in.AlertmanagerOverride.DeepCopyInto(&out.AlertmanagerOverride) + if in.ApplicationCredentialCeilometer != nil { + in, out := &in.ApplicationCredentialCeilometer, &out.ApplicationCredentialCeilometer + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } + if in.ApplicationCredentialAodh != nil { + in, out := &in.ApplicationCredentialAodh, &out.ApplicationCredentialAodh + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } + if in.ApplicationCredentialCloudKitty != nil { + in, out := &in.ApplicationCredentialCloudKitty, &out.ApplicationCredentialCloudKitty + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TelemetrySection. @@ -1771,6 +1942,11 @@ func (in *WatcherSection) DeepCopyInto(out *WatcherSection) { (*in).DeepCopyInto(*out) } in.APIOverride.DeepCopyInto(&out.APIOverride) + if in.ApplicationCredential != nil { + in, out := &in.ApplicationCredential, &out.ApplicationCredential + *out = new(ServiceAppCredSection) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WatcherSection. diff --git a/api/go.mod b/api/go.mod index 9661a9b4c..1092e7927 100644 --- a/api/go.mod +++ b/api/go.mod 
@@ -5,36 +5,36 @@ go 1.24.4 require ( github.com/cert-manager/cert-manager v1.16.5 github.com/go-playground/validator/v10 v10.30.1 - github.com/onsi/ginkgo/v2 v2.27.5 - github.com/onsi/gomega v1.39.0 - github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260126155915-bd373daa8e8c - github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260124150910-c004203b9504 - github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260126110625-223581247a61 - github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260126103542-0cf3ce88037a - github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260127034304-6f0d6173a951 + github.com/onsi/ginkgo/v2 v2.28.1 + github.com/onsi/gomega v1.39.1 + github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260130161218-ed22e21b9035 + github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260203100410-bec3d87f42df + github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260130194629-8145dc930d49 + github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260203172717-de34ba474e77 + github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260205152457-97ee6babce57 github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260126110912-72d03020e1a5 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260128074606-03b808364e4a - github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260126092810-cd39d45b6c0e + github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260205123033-c9cd3795f8c6 github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260126175636-114b4c65a959 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260205083029-d03e9df035ef - github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260126081203-efc2df9207eb - github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260124125332-5046d6342e48 + 
github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260128142552-e2c25eccae5a + github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260203154427-fb9213e462a4 github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260127154438-ff95971883bb - github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260128083308-da1a0d762151 - github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260126165739-ee3d496d73bf - github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260126163009-d47fbe954465 + github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260130110557-870de6f217b5 + github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260205135859-d785b91fa1d7 + github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260130160650-fee89a8e7044 github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20260126123727-b3f88d69956c github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20260126160735-3254731d17a8 - github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260126175637-0015cb155e87 - github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260126164332-39546b542a9c - github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260124124519-a5bcf05e2d71 - github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260123204008-add353f857c0 + github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260203072749-c46bb493557d + github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260201211658-98f018aea931 + github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260205110928-7d95eaebdfe4 + github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260206073930-3cd4f1433bff github.com/rhobs/obo-prometheus-operator/pkg/apis/monitoring v0.71.0-rhobs1 // indirect github.com/rhobs/observability-operator v0.3.1 // indirect go.uber.org/multierr v1.11.0 // indirect 
go.uber.org/zap v1.27.1 // indirect golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67 - golang.org/x/tools v0.40.0 // indirect + golang.org/x/tools v0.41.0 // indirect k8s.io/api v0.31.14 k8s.io/apimachinery v0.31.14 k8s.io/client-go v0.31.14 @@ -66,7 +66,7 @@ require ( github.com/google/gnostic-models v0.7.0 // indirect github.com/google/go-cmp v0.7.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect + github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 // indirect github.com/google/uuid v1.6.0 // indirect github.com/gophercloud/gophercloud/v2 v2.8.0 // indirect github.com/imdario/mergo v0.3.16 // indirect @@ -92,9 +92,9 @@ require ( github.com/x448/float16 v0.8.4 // indirect go.yaml.in/yaml/v2 v2.4.2 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect - golang.org/x/crypto v0.46.0 // indirect - golang.org/x/mod v0.31.0 // indirect - golang.org/x/net v0.48.0 // indirect + golang.org/x/crypto v0.47.0 // indirect + golang.org/x/mod v0.32.0 // indirect + golang.org/x/net v0.49.0 // indirect golang.org/x/oauth2 v0.30.0 // indirect golang.org/x/sync v0.19.0 // indirect golang.org/x/sys v0.40.0 // indirect diff --git a/api/go.sum b/api/go.sum index 669c176b7..30fa1eba7 100644 --- a/api/go.sum +++ b/api/go.sum 
@@ -64,8 +64,8 @@ github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8= -github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA= +github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 h1:z2ogiKUYzX5Is6zr/vP9vJGqPwcdqsWjOt+V8J7+bTc= +github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gophercloud/gophercloud/v2 v2.8.0 h1:of2+8tT6+FbEYHfYC8GBu8TXJNsXYSNm9KuvpX7Neqo= 
@@ -108,60 +108,60 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.27.5 h1:ZeVgZMx2PDMdJm/+w5fE/OyG6ILo1Y3e+QX4zSR0zTE= -github.com/onsi/ginkgo/v2 v2.27.5/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= -github.com/onsi/gomega v1.39.0 h1:y2ROC3hKFmQZJNFeGAMeHZKkjBL65mIZcvrLQBF9k6Q= -github.com/onsi/gomega v1.39.0/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4= +github.com/onsi/ginkgo/v2 v2.28.1 h1:S4hj+HbZp40fNKuLUQOYLDgZLwNUVn19N3Atb98NCyI= +github.com/onsi/ginkgo/v2 v2.28.1/go.mod h1:CLtbVInNckU3/+gC8LzkGUb9oF+e8W8TdUsxPwvdOgE= +github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28= +github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg= github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e h1:E1OdwSpqWuDPCedyUt0GEdoAE+r5TXy7YS21yNEo+2U= github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= -github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260126155915-bd373daa8e8c h1:7/1IZQQp6FDu3fXM641kq2XfWqmTUip9/O84l6evg2s= -github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260126155915-bd373daa8e8c/go.mod h1:tfNU2Cy1ofpDtVj+afn0u79/RDQPc7OrRE4RjurwAEQ= -github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260124150910-c004203b9504 h1:qRljZd79/o7PIYtgvBr7OSOjnbxJ+6IJf09qLkgByGM= -github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260124150910-c004203b9504/go.mod h1:dGW+9S6trLzIW4WN5CMwXOUjdc1X7ODxqxObfARP8UA= -github.com/openstack-k8s-operators/designate-operator/api 
v0.6.1-0.20260126110625-223581247a61 h1:yW+hlDOVfOCH4TQPRrSC7s/m+0Hb7uovCwGRoRNxOo4= -github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260126110625-223581247a61/go.mod h1:rTrAkG8KR+P+UVXwJjrlTAuxwx3HKMPmrb24qrxLHpM= -github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260126103542-0cf3ce88037a h1:G8yaUi3XadpPp0C0UNc6D6Xk+L0I+CqANDxbt6M+DEU= -github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260126103542-0cf3ce88037a/go.mod h1:ghegwjz1c0J8GSjZiM/qSIzg+qjZNCwUbwbPEbrcrno= -github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260127034304-6f0d6173a951 h1:fToObXb6NkXBw3sjWHh0+HhbUr23aDd908fHSBcPM7c= -github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260127034304-6f0d6173a951/go.mod h1:mScOSRv5YDbjEPfirc2K+L7kJYZE4PoueTkFoU+BRQ0= +github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260130161218-ed22e21b9035 h1:ZbEYqSRTtyXbOATlY1bDYBa0Rp3MMZjcaR0yHSgLW24= +github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260130161218-ed22e21b9035/go.mod h1:tfNU2Cy1ofpDtVj+afn0u79/RDQPc7OrRE4RjurwAEQ= +github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260203100410-bec3d87f42df h1:ry1fl+Sp4dXjt+nTe2PkCm0ZpTpiKkqStzjoPq68tuc= +github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260203100410-bec3d87f42df/go.mod h1:j0JH8VRZHOP6pNkKSWK1Zfj8ov1yVkUwNNheu1xLbwE= +github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260130194629-8145dc930d49 h1:wSG2ZEorUADT8VOUmKB7cOXmvYOwZMvy6ERd+6PehPg= +github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260130194629-8145dc930d49/go.mod h1:rTrAkG8KR+P+UVXwJjrlTAuxwx3HKMPmrb24qrxLHpM= +github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260203172717-de34ba474e77 h1:qQF4eugVDwMIFSivIq/mcsO/rDNgWZO3nEUdEEivN40= +github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260203172717-de34ba474e77/go.mod h1:SHocUrLIilw67T26C2wMbJs6IXSWIv1PF/1VqFGxe4Q= 
+github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260205152457-97ee6babce57 h1:zTujRvfAMy0o/OyebVaMhv+8wn+/8C5QvVeMmlXFdDI= +github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260205152457-97ee6babce57/go.mod h1:mScOSRv5YDbjEPfirc2K+L7kJYZE4PoueTkFoU+BRQ0= github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260126110912-72d03020e1a5 h1:Rhqx9iFaZgC2VhE2IiCGqPxJtc5A4hoz/5Rv8a+gtDY= github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260126110912-72d03020e1a5/go.mod h1:x8muLIctcCLObcdeynPgycfQ+6ddWIDlSOQ9NElG43M= github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260128074606-03b808364e4a h1:uJL923hT6ZJE1fKq+/FA0mVX46AgE3H+OClpL2DXq4Y= github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260128074606-03b808364e4a/go.mod h1:ZXwFlspJCdZEUjMbmaf61t5AMB4u2vMyAMMoe/vJroE= -github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260126092810-cd39d45b6c0e h1:atOsI5KAXuAD1C5fHPjyVWc7nyQrzk9eLJPSkwYTitw= -github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260126092810-cd39d45b6c0e/go.mod h1:6Y/hPIhXYgV0NHe7ZWIo+bdBxhnWkjbv7VLZbFnLNrc= +github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260205123033-c9cd3795f8c6 h1:NOo/jBBjvIufuuWS0ve7jsnSPH8lxJnyDJrNR0eoQ8c= +github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260205123033-c9cd3795f8c6/go.mod h1:tsE9DPDd7XKJPYfH+cts6cbo084rargXgmeFWtw3FwA= github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260126175636-114b4c65a959 h1:8FSpTYAoLq27ElDGe3igPl2QUq9IYD6RJGu2Xu+Ymus= github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260126175636-114b4c65a959/go.mod h1:pN/s+czXvApiE9nxeTtDeRTXWcaaCLZSrtoyOSUb37k= github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260205083029-d03e9df035ef h1:SgzLekXtZuApbRylC3unCXnMaUClT5FPuqsxzIjt3Go= github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260205083029-d03e9df035ef/go.mod 
h1:ndqfy1KbVorHH6+zlUFPIrCRhMSxO3ImYJUGaooE0x0= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251230215914-6ba873b49a35 h1:IdcI8DFvW8rXtchONSzbDmhhRp1YyO2YaBJDBXr44Gk= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251230215914-6ba873b49a35/go.mod h1:zOX7Y05keiSppIvLabuyh42QHBMhCcoskAtxFRbwXKo= -github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260126081203-efc2df9207eb h1:0kP9V1pKfRno6ss7qAy3GcfVK29CobWym6WA7AYA7wY= -github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260126081203-efc2df9207eb/go.mod h1:jofj+VqDszxLCZSBYo794KGkCjMo01xzhQ/gffYzf3I= -github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260124125332-5046d6342e48 h1:PtBSN6ZHkaDRkjsK17e4h4mUGHh5VVDcXojbwdXy2io= -github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260124125332-5046d6342e48/go.mod h1:BDSKDGu90NqHmLWRAyC3Dg++/xTkatoceEs7nhN3NCI= +github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260128142552-e2c25eccae5a h1:teKxfVLDxJD9ahjeh29GlKHiXNUFDkVRmkpJdeKAvGE= +github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260128142552-e2c25eccae5a/go.mod h1:jofj+VqDszxLCZSBYo794KGkCjMo01xzhQ/gffYzf3I= +github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260203154427-fb9213e462a4 h1:Ynrdr1X4RE0gDcgyAlos39AYFKV4I2WfTaZ2oAjU7d0= +github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260203154427-fb9213e462a4/go.mod h1:xOLjSMU4f5F05L0DiCu6Uvz0dOIDmCyQmSVS+ZHaam0= github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260127154438-ff95971883bb h1:Zv7GXyG1wND4wNzCmfMI8oAWsDlrU2QFxq8tsnIKFs0= github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260127154438-ff95971883bb/go.mod h1:X6W8pIULiWUc6smaTqiNocjxoXaRLgXediwpI/dxD9s= -github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260128083308-da1a0d762151 h1:SK7HCTL8CSS8lHWjW40WgS5AKWilLrtvxIgq8yeTfXM= 
-github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260128083308-da1a0d762151/go.mod h1:Uu/8M93x55zd7amJpRKGJz4vCmvZvBfzaN6CwnOjDNY= -github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260126165739-ee3d496d73bf h1:Z4dpSajjkeXJzeR3ISnRMReWKVM60yi+FK+Gtbe8OSc= -github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260126165739-ee3d496d73bf/go.mod h1:Id8njTmOl1EayJk8dTeiGetySuhPXqZp7gWgbo+luME= -github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260126163009-d47fbe954465 h1:gQ6muqCfHtjdJO9selzjs0MBVIp6AqeJCq3V+Fx2KzY= -github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260126163009-d47fbe954465/go.mod h1:Phcw9t23H4RbOpUqBhFldFBKEbkx+f4c0QGnfFOPh50= +github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260130110557-870de6f217b5 h1:VswZKlc2SGulbTNITVfddofnXLHGMqpUHjZabRU2V+8= +github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260130110557-870de6f217b5/go.mod h1:Uu/8M93x55zd7amJpRKGJz4vCmvZvBfzaN6CwnOjDNY= +github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260205135859-d785b91fa1d7 h1:oWCSoyfvh87ueqU3yMSoDR6pW+nWptXGsARK+ypIky8= +github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260205135859-d785b91fa1d7/go.mod h1:bo00y0fC762qzXbn3tgpTT35n0CpSPxkZq7jCyE7LYQ= +github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260130160650-fee89a8e7044 h1:IWidpe8G47CpthKIGKVUP0DmtpsCnYn1q4pDB8/pjhM= +github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260130160650-fee89a8e7044/go.mod h1:Phcw9t23H4RbOpUqBhFldFBKEbkx+f4c0QGnfFOPh50= github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20260126123727-b3f88d69956c h1:5gY2Y9OjgHWltvw0jtQWDaoXnfJRObRNozC0dBLz0GQ= github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20260126123727-b3f88d69956c/go.mod h1:8Ge7K0IfcMSpoyp9p0lnW36f3nvCf6lnoc4TWoIlazw= github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20260126160735-3254731d17a8 
h1:70ennIUokh4YvGdzE7zzRYIHVJ0xnYRNvmrO/f0wk9A= github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20260126160735-3254731d17a8/go.mod h1:o4YQPtgdeJLUBEizUjSSvTMxXsQgivgSul61Vq47/jw= -github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260126175637-0015cb155e87 h1:NZWcEwyw13o0592iwtjy6qckFSOeLSATl7m59s3q3kI= -github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260126175637-0015cb155e87/go.mod h1:eWED9YYc2NLXutgocqK5m3LsnQ+aT0MeWgmnsqi6A0Y= +github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260203072749-c46bb493557d h1:/0ngJXXGiAbMn4SHxpam4CtVGPDHXW8d1yT+PWJRw/U= +github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260203072749-c46bb493557d/go.mod h1:eWED9YYc2NLXutgocqK5m3LsnQ+aT0MeWgmnsqi6A0Y= github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec h1:saovr368HPAKHN0aRPh8h8n9s9dn3d8Frmfua0UYRlc= github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec/go.mod h1:Nh2NEePLjovUQof2krTAg4JaAoLacqtPTZQXK6izNfg= -github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260126164332-39546b542a9c h1:aJsyz/wHFe/LeoPxa/B3+FpYFu6ovy54kmgj4DbJT5o= -github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260126164332-39546b542a9c/go.mod h1:/2Qd/Xr1bPLaddKmKxhqHP5Zsj7YYz3TkzWOM8miaK0= -github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260124124519-a5bcf05e2d71 h1:3dCKtRbLmyrq5sXW9rkfROB8DbIsE++8LkhLoYC/s/I= -github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260124124519-a5bcf05e2d71/go.mod h1:sVND1JTB9Da9X1fX+Q2W2aOynH3+vf9cFGkisPuE9Yg= -github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260123204008-add353f857c0 h1:7tyMpFvBUa1lvok9COBOvA3dFTj2p1Ard6LFGn0+8g8= -github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260123204008-add353f857c0/go.mod h1:1DeGo19yp7py2C+D98Mbv8P8UHYARmPTvfBAuTNXj5Q= 
+github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260201211658-98f018aea931 h1:iAa/ahDlWAHFa2WUQJ07SEyzFtYUBkEwtt8vZNQ1V9A= +github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260201211658-98f018aea931/go.mod h1:/2Qd/Xr1bPLaddKmKxhqHP5Zsj7YYz3TkzWOM8miaK0= +github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260205110928-7d95eaebdfe4 h1:kygc6YDl7kPwj1Ol2wMC6pLuhmpBK2IqULwlaZ7k/rA= +github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260205110928-7d95eaebdfe4/go.mod h1:l/jz/k6Al6GSleFlcbfuLjEkZynJZKvI/H4ZlyMCqAg= +github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260206073930-3cd4f1433bff h1:45zoZ6GbBbTsd/WK0G4MxrxzHIkjQ+5m6ayv+QRX29c= +github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260206073930-3cd4f1433bff/go.mod h1:1DeGo19yp7py2C+D98Mbv8P8UHYARmPTvfBAuTNXj5Q= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 
@@ -214,20 +214,20 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU= -golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0= +golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8= +golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A= golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67 h1:1UoZQm6f0P/ZO0w1Ri+f+ifG/gXhegadRdwBIXEFWDo= golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI= -golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg= +golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c= +golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU= -golang.org/x/net v0.48.0/go.mod 
h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY= +golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o= +golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8= golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -252,8 +252,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA= -golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc= +golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc= +golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/bindata/crds/barbican.openstack.org_barbicans.yaml b/bindata/crds/barbican.openstack.org_barbicans.yaml index 0fd776709..54d73b245 100644 --- a/bindata/crds/barbican.openstack.org_barbicans.yaml +++ b/bindata/crds/barbican.openstack.org_barbicans.yaml 
@@ -53,6 +53,15 @@ spec: description: Barbican API timeout minimum: 10 type: integer + auth: + description: Auth - Parameters related to authentication for all Barbican + services + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object barbicanAPI: description: BarbicanAPI - Spec definition for the API services of this Barbican deployment diff --git a/bindata/crds/cinder.openstack.org_cinders.yaml b/bindata/crds/cinder.openstack.org_cinders.yaml index 0cc855df2..c74415046 100644 --- a/bindata/crds/cinder.openstack.org_cinders.yaml +++ b/bindata/crds/cinder.openstack.org_cinders.yaml @@ -53,6 +53,14 @@ spec: description: APITimeout for HAProxy, Apache, and rpc_response_timeout minimum: 10 type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object cinderAPI: description: CinderAPI - Spec definition for the API service of this Cinder deployment diff --git a/bindata/crds/crds.yaml b/bindata/crds/crds.yaml index 60dea9a04..53c111dee 100644 --- a/bindata/crds/crds.yaml +++ b/bindata/crds/crds.yaml 
@@ -305,6 +305,53 @@ spec: type: object spec: properties: + applicationCredential: + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + default: 730 + minimum: 2 + type: integer + gracePeriodDays: + default: 364 + minimum: 1 + type: integer + roles: + default: + - admin + - service + items: + type: string + minItems: 1 + type: array + unrestricted: + default: false + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: self.gracePeriodDays < self.expirationDays barbican: properties: apiOverride: @@ -431,6 +478,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -440,6 +531,11 @@ spec: default: 90 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object barbicanAPI: properties: apiTimeout: 
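Review bot: In the top-level `applicationCredential` schema added by the `@@ -305,6 +305,53 @@` hunk, `roles.items` is a bare `type: string`, so `roles: [""]` satisfies `minItems: 1`, while every `accessRules` field in the same block carries `minLength: 1`; adding `minLength: 1` under `roles.items` would make the two consistent. `expirationDays` has `minimum: 2` but no upper bound, and with the `admin`/`service` role default and no `accessRules` by default the schema accepts a broadly scoped credential of arbitrary lifetime, so a `maximum:` chosen by the project is worth adding. This file looks generated, so both changes presumably belong on the API type's validation markers rather than in this YAML.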
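Review bot: The per-service `applicationCredential` override added by the `@@ -431,6 +478,50 @@` hunk checks `gracePeriodDays < expirationDays` only when both fields are set on the override itself. If unset fields fall back to the top-level values, as the missing defaults suggest, an override of just `expirationDays: 100` passes here while the effective pair (grace 364, expiry 100) breaks the invariant. The override's `roles` also drops the `minItems: 1` the top-level field has, so `roles: []` is accepted; whether that inherits the defaults or yields a credential with no roles is not visible in this diff. Both checks should run on the merged values, presumably in the admission webhook, and `minItems: 1` could be restored on the override's `roles`. The same block repeats in the later per-service hunks of this file, including `applicationCredentialAodh`, `applicationCredentialCeilometer` and `applicationCredentialCloudKitty`.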
@@ -939,6 +1035,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -950,6 +1090,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object cinderAPI: properties: customServiceConfig: @@ -2034,6 +2179,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean 
@@ -2064,6 +2253,11 @@ spec: properties: apiTimeout: type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object backendMdnsServerProtocol: type: string backendType: @@ -3913,6 +4107,50 @@ spec: type: object type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -4460,6 +4698,11 @@ spec: apiTimeout: minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string customServiceConfigSecrets: 
@@ -4839,6 +5082,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cnfAPIOverride: properties: route: @@ -4972,6 +5259,11 @@ spec: default: 600 minimum: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string customServiceConfigSecrets: @@ -6784,6 +7076,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean 
@@ -6917,6 +7253,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -7178,6 +7519,11 @@ spec: type: array ironicInspector: properties: + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -8444,6 +8790,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -8453,6 +8843,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string 
@@ -9511,6 +9906,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -9520,6 +9959,11 @@ spec: default: 120 minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object corePlugin: default: ml2 type: string @@ -10341,6 +10785,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cellOverride: additionalProperties: properties: 
@@ -10624,6 +11112,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object cellTemplates: additionalProperties: properties: @@ -11409,6 +11902,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -11444,6 +11981,11 @@ spec: apiTimeout: default: 120 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11486,6 +12028,11 @@ spec: properties: apiTimeout: type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11694,6 +12241,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string 
@@ -11846,6 +12398,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -12104,6 +12661,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -12891,6 +13453,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -12900,6 +13506,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string databaseAccount: 
@@ -13966,6 +14577,50 @@ spec: type: string swift: properties: + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -14122,6 +14777,11 @@ spec: default: 60 minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object ceilometerEnabled: default: false type: boolean 
@@ -14613,6 +15273,138 @@ spec: type: string type: object type: object + applicationCredentialAodh: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' + applicationCredentialCeilometer: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' + applicationCredentialCloudKitty: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + 
x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cloudKittyApiOverride: properties: route: @@ -14882,6 +15674,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customConfigsSecretName: type: string customServiceConfig: @@ -15050,6 +15847,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customConfigsSecretName: type: string customServiceConfig: @@ -15138,6 +15940,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object cloudKittyAPI: properties: customConfigsSecretName: @@ -15358,6 +16165,9 @@ spec: enabled: default: false type: boolean + lokiRetentionDays: + default: 95 + type: integer lokiStackSize: default: 1x.demo enum: 
@@ -16521,6 +17331,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -16714,6 +17568,11 @@ spec: type: string type: object type: object + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string databaseAccount: diff --git a/bindata/crds/designate.openstack.org_designateapis.yaml b/bindata/crds/designate.openstack.org_designateapis.yaml index e1bb6331e..24a581334 100644 --- a/bindata/crds/designate.openstack.org_designateapis.yaml +++ b/bindata/crds/designate.openstack.org_designateapis.yaml @@ -56,6 +56,14 @@ spec: description: APITimeout for HAProxy and Apache defaults to DesignateSpecCore APITimeout (seconds) type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object backendMdnsServerProtocol: description: |- BackendTypeProtocol - Defines the backend protocol to be used between the designate-worker & 
diff --git a/bindata/crds/designate.openstack.org_designates.yaml b/bindata/crds/designate.openstack.org_designates.yaml index 43902724c..70a37dfe3 100644 --- a/bindata/crds/designate.openstack.org_designates.yaml +++ b/bindata/crds/designate.openstack.org_designates.yaml @@ -102,6 +102,14 @@ spec: description: APITimeout for HAProxy and Apache defaults to DesignateSpecCore APITimeout (seconds) type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object backendMdnsServerProtocol: description: |- BackendTypeProtocol - Defines the backend protocol to be used between the designate-worker & diff --git a/bindata/crds/glance.openstack.org_glanceapis.yaml b/bindata/crds/glance.openstack.org_glanceapis.yaml index e87c060f3..23baebac7 100644 --- a/bindata/crds/glance.openstack.org_glanceapis.yaml +++ b/bindata/crds/glance.openstack.org_glanceapis.yaml @@ -65,6 +65,14 @@ spec: - single - edge type: string + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - GlanceAPI Container Image URL type: string diff --git a/bindata/crds/glance.openstack.org_glances.yaml b/bindata/crds/glance.openstack.org_glances.yaml index 199595a62..732a319e1 100644 --- a/bindata/crds/glance.openstack.org_glances.yaml +++ b/bindata/crds/glance.openstack.org_glances.yaml 
@@ -1229,6 +1229,14 @@ spec: APITimeout minimum: 1 type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object customServiceConfig: description: |- CustomServiceConfig - customize the service config using this parameter to change service defaults, diff --git a/bindata/crds/heat.openstack.org_heatapis.yaml b/bindata/crds/heat.openstack.org_heatapis.yaml index f368f1507..3bbaa79fc 100644 --- a/bindata/crds/heat.openstack.org_heatapis.yaml +++ b/bindata/crds/heat.openstack.org_heatapis.yaml @@ -48,6 +48,14 @@ spec: spec: description: HeatAPISpec defines the desired state of HeatAPI properties: + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Container Image URL type: string diff --git a/bindata/crds/heat.openstack.org_heatcfnapis.yaml b/bindata/crds/heat.openstack.org_heatcfnapis.yaml index 83c6a963c..eec4b58a3 100644 --- a/bindata/crds/heat.openstack.org_heatcfnapis.yaml +++ b/bindata/crds/heat.openstack.org_heatcfnapis.yaml @@ -48,6 +48,14 @@ spec: spec: description: HeatCfnAPISpec defines the desired state of HeatCfnAPI properties: + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Container Image URL type: string diff --git a/bindata/crds/heat.openstack.org_heatengines.yaml b/bindata/crds/heat.openstack.org_heatengines.yaml index 631681805..d15ff84b7 100644 
--- a/bindata/crds/heat.openstack.org_heatengines.yaml +++ b/bindata/crds/heat.openstack.org_heatengines.yaml @@ -48,6 +48,14 @@ spec: spec: description: HeatEngineSpec defines the desired state of HeatEngine properties: + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Container Image URL type: string diff --git a/bindata/crds/heat.openstack.org_heats.yaml b/bindata/crds/heat.openstack.org_heats.yaml index 0997cee9e..b3cfc5f6a 100644 --- a/bindata/crds/heat.openstack.org_heats.yaml +++ b/bindata/crds/heat.openstack.org_heats.yaml @@ -53,6 +53,14 @@ spec: description: APITimeout for Route and Apache minimum: 60 type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object customServiceConfig: description: |- CustomServiceConfig - customize the service config using this parameter to change service defaults, diff --git a/bindata/crds/ironic.openstack.org_ironicapis.yaml b/bindata/crds/ironic.openstack.org_ironicapis.yaml index 2b49b458f..525b98fc7 100644 --- a/bindata/crds/ironic.openstack.org_ironicapis.yaml +++ b/bindata/crds/ironic.openstack.org_ironicapis.yaml @@ -57,6 +57,15 @@ spec: description: APITimeout for HAProxy, Apache minimum: 10 type: integer + auth: + description: Auth - Parameters related to authentication (inherited + from parent Ironic CR) + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Ironic API Container Image type: string 
diff --git a/bindata/crds/ironic.openstack.org_ironicconductors.yaml b/bindata/crds/ironic.openstack.org_ironicconductors.yaml index ad328ea7f..7da22e51b 100644 --- a/bindata/crds/ironic.openstack.org_ironicconductors.yaml +++ b/bindata/crds/ironic.openstack.org_ironicconductors.yaml @@ -52,6 +52,15 @@ spec: spec: description: IronicConductorSpec defines the desired state of IronicConductor properties: + auth: + description: Auth - Parameters related to authentication (inherited + from parent Ironic CR) + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object conductorGroup: description: ConductorGroup - Ironic Conductor conductor group. type: string diff --git a/bindata/crds/ironic.openstack.org_ironicinspectors.yaml b/bindata/crds/ironic.openstack.org_ironicinspectors.yaml index 13f04d4ab..56ef2e10b 100644 --- a/bindata/crds/ironic.openstack.org_ironicinspectors.yaml +++ b/bindata/crds/ironic.openstack.org_ironicinspectors.yaml @@ -57,6 +57,14 @@ spec: description: APITimeout for HAProxy, Apache minimum: 10 type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Ironic Inspector Container Image type: string diff --git a/bindata/crds/ironic.openstack.org_ironicneutronagents.yaml b/bindata/crds/ironic.openstack.org_ironicneutronagents.yaml index cf005e341..5bf614b75 100644 --- a/bindata/crds/ironic.openstack.org_ironicneutronagents.yaml +++ b/bindata/crds/ironic.openstack.org_ironicneutronagents.yaml 
@@ -54,6 +54,15 @@ spec: description: IronicNeutronAgentSpec defines the desired state of ML2 baremetal - ironic-neutron-agent agents properties: + auth: + description: Auth - Parameters related to authentication (inherited + from parent Ironic CR) + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - ML2 baremtal - Ironic Neutron Agent Image diff --git a/bindata/crds/ironic.openstack.org_ironics.yaml b/bindata/crds/ironic.openstack.org_ironics.yaml index 9ea91472c..4cea34122 100644 --- a/bindata/crds/ironic.openstack.org_ironics.yaml +++ b/bindata/crds/ironic.openstack.org_ironics.yaml @@ -53,6 +53,15 @@ spec: description: APITimeout for HAProxy, Apache minimum: 10 type: integer + auth: + description: Auth - Parameters related to authentication (shared by + IronicAPI, IronicConductor, and IronicNeutronAgent) + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object customServiceConfig: default: '# add your customization here' description: |- @@ -621,6 +630,14 @@ spec: description: IronicInspector - Spec definition for the inspector service of this Ironic deployment properties: + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object customServiceConfig: default: '# add your customization here' description: |- diff --git a/bindata/crds/manila.openstack.org_manilas.yaml b/bindata/crds/manila.openstack.org_manilas.yaml index d1a3cc4c4..5d484fec3 100644 --- a/bindata/crds/manila.openstack.org_manilas.yaml +++ b/bindata/crds/manila.openstack.org_manilas.yaml 
@@ -53,6 +53,14 @@ spec: description: APITimeout for HAProxy, Apache, and rpc_response_timeout minimum: 10 type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object customServiceConfig: default: '# add your customization here' description: |- diff --git a/bindata/crds/neutron.openstack.org_neutronapis.yaml b/bindata/crds/neutron.openstack.org_neutronapis.yaml index 945531b89..bbef3ca2b 100644 --- a/bindata/crds/neutron.openstack.org_neutronapis.yaml +++ b/bindata/crds/neutron.openstack.org_neutronapis.yaml @@ -57,6 +57,14 @@ spec: description: APITimeout for HAProxy, Apache minimum: 1 type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: NeutronAPI Container Image URL (will be set to environmental default if empty) diff --git a/bindata/crds/nova.openstack.org_nova.yaml b/bindata/crds/nova.openstack.org_nova.yaml index 99311a735..13b3b428c 100644 --- a/bindata/crds/nova.openstack.org_nova.yaml +++ b/bindata/crds/nova.openstack.org_nova.yaml @@ -371,6 +371,16 @@ spec: description: APITimeout for Route and Apache minimum: 10 type: integer + auth: + description: Auth - Parameters related to authentication (shared by + all Nova services) + properties: + applicationCredentialSecret: + description: |- + ApplicationCredentialSecret - the name of the k8s Secret that contains the + application credential data used for authentication + type: string + type: object cellTemplates: additionalProperties: description: |- 
diff --git a/bindata/crds/nova.openstack.org_novaapis.yaml b/bindata/crds/nova.openstack.org_novaapis.yaml index e2840ab2b..06a8959e8 100644 --- a/bindata/crds/nova.openstack.org_novaapis.yaml +++ b/bindata/crds/nova.openstack.org_novaapis.yaml @@ -277,6 +277,11 @@ spec: The key must be the endpoint type (public, internal) type: object type: object + region: + default: regionOne + description: Region - the region name to use for service endpoint + discovery + type: string registeredCells: additionalProperties: type: string diff --git a/bindata/crds/nova.openstack.org_novacells.yaml b/bindata/crds/nova.openstack.org_novacells.yaml index 2f015c0d6..7e120d228 100644 --- a/bindata/crds/nova.openstack.org_novacells.yaml +++ b/bindata/crds/nova.openstack.org_novacells.yaml @@ -967,6 +967,11 @@ spec: description: PreserveJobs - do not delete jobs after they finished e.g. to check logs type: boolean + region: + default: regionOne + description: Region - the region name to use for service endpoint + discovery + type: string secret: description: |- Secret is the name of the Secret instance containing password diff --git a/bindata/crds/nova.openstack.org_novacomputes.yaml b/bindata/crds/nova.openstack.org_novacomputes.yaml index 498fd2fc3..9bc267d12 100644 --- a/bindata/crds/nova.openstack.org_novacomputes.yaml +++ b/bindata/crds/nova.openstack.org_novacomputes.yaml @@ -96,6 +96,11 @@ spec: description: NodeSelector to target subset of worker nodes running this service type: object + region: + default: regionOne + description: Region - the region name to use for service endpoint + discovery + type: string replicas: default: 1 description: Replicas of the service to run diff --git a/bindata/crds/nova.openstack.org_novaconductors.yaml b/bindata/crds/nova.openstack.org_novaconductors.yaml index bc4e4016d..2d81b2ddd 100644 --- a/bindata/crds/nova.openstack.org_novaconductors.yaml +++ b/bindata/crds/nova.openstack.org_novaconductors.yaml 
@@ -138,6 +138,11 @@ spec: description: PreserveJobs - do not delete jobs after they finished e.g. to check logs type: boolean + region: + default: regionOne + description: Region - the region name to use for service endpoint + discovery + type: string replicas: default: 1 description: Replicas of the service to run diff --git a/bindata/crds/nova.openstack.org_novametadata.yaml b/bindata/crds/nova.openstack.org_novametadata.yaml index 6f8b86839..bab6b5b5a 100644 --- a/bindata/crds/nova.openstack.org_novametadata.yaml +++ b/bindata/crds/nova.openstack.org_novametadata.yaml @@ -272,6 +272,11 @@ spec: type: object type: object type: object + region: + default: regionOne + description: Region - the region name to use for service endpoint + discovery + type: string registeredCells: additionalProperties: type: string diff --git a/bindata/crds/nova.openstack.org_novanovncproxies.yaml b/bindata/crds/nova.openstack.org_novanovncproxies.yaml index 43f1fe5f4..26810a2d4 100644 --- a/bindata/crds/nova.openstack.org_novanovncproxies.yaml +++ b/bindata/crds/nova.openstack.org_novanovncproxies.yaml @@ -249,6 +249,11 @@ spec: type: object type: object type: object + region: + default: regionOne + description: Region - the region name to use for service endpoint + discovery + type: string replicas: default: 1 description: Replicas of the service to run diff --git a/bindata/crds/nova.openstack.org_novaschedulers.yaml b/bindata/crds/nova.openstack.org_novaschedulers.yaml index 97bf50231..e438587af 100644 --- a/bindata/crds/nova.openstack.org_novaschedulers.yaml +++ b/bindata/crds/nova.openstack.org_novaschedulers.yaml @@ -101,6 +101,11 @@ spec: description: NodeSelector to target subset of worker nodes running this service type: object + region: + default: regionOne + description: Region - the region name to use for service endpoint + discovery + type: string registeredCells: additionalProperties: type: string 
diff --git a/bindata/crds/octavia.openstack.org_octaviaamphoracontrollers.yaml b/bindata/crds/octavia.openstack.org_octaviaamphoracontrollers.yaml index a2d1a1b44..6f8416a68 100644 --- a/bindata/crds/octavia.openstack.org_octaviaamphoracontrollers.yaml +++ b/bindata/crds/octavia.openstack.org_octaviaamphoracontrollers.yaml @@ -82,6 +82,14 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Amphora Controller Container Image URL type: string diff --git a/bindata/crds/octavia.openstack.org_octaviaapis.yaml b/bindata/crds/octavia.openstack.org_octaviaapis.yaml index 8ab4cdb82..f36b90742 100644 --- a/bindata/crds/octavia.openstack.org_octaviaapis.yaml +++ b/bindata/crds/octavia.openstack.org_octaviaapis.yaml @@ -56,6 +56,14 @@ spec: description: APITimeout for HAProxy and Apache defaults to OctaviaSpecCore APITimeout (seconds) type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: Octavia Container Image URL type: string diff --git a/bindata/crds/octavia.openstack.org_octavias.yaml b/bindata/crds/octavia.openstack.org_octavias.yaml index 24e72afc6..ef07cef32 100644 --- a/bindata/crds/octavia.openstack.org_octavias.yaml +++ b/bindata/crds/octavia.openstack.org_octavias.yaml 
@@ -83,6 +83,15 @@ spec: default: 120 description: Octavia API timeout type: integer + auth: + description: Auth - Parameters related to authentication (shared by + all Octavia components) + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object customServiceConfig: default: '# add your customization here' description: |- @@ -162,6 +171,14 @@ spec: description: APITimeout for HAProxy and Apache defaults to OctaviaSpecCore APITimeout (seconds) type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object containerImage: description: Octavia Container Image URL type: string @@ -582,6 +599,14 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Amphora Controller Container Image URL @@ -830,6 +855,14 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Amphora Controller Container Image URL 
@@ -1254,6 +1287,14 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object containerImage: description: ContainerImage - Amphora Controller Container Image URL diff --git a/bindata/crds/placement.openstack.org_placementapis.yaml b/bindata/crds/placement.openstack.org_placementapis.yaml index ba8d46b6f..a3a875237 100644 --- a/bindata/crds/placement.openstack.org_placementapis.yaml +++ b/bindata/crds/placement.openstack.org_placementapis.yaml @@ -57,6 +57,14 @@ spec: description: APITimeout for HAProxy, Apache minimum: 10 type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object containerImage: description: PlacementAPI Container Image URL (will be set to environmental default if empty) diff --git a/bindata/crds/swift.openstack.org_swiftproxies.yaml b/bindata/crds/swift.openstack.org_swiftproxies.yaml index 6259000e0..7b4e7a0a3 100644 --- a/bindata/crds/swift.openstack.org_swiftproxies.yaml +++ b/bindata/crds/swift.openstack.org_swiftproxies.yaml @@ -58,6 +58,14 @@ spec: 60 seconds minimum: 1 type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object ceilometerEnabled: default: false description: Enables ceilometer in the swift proxy and creates required diff --git a/bindata/crds/swift.openstack.org_swifts.yaml b/bindata/crds/swift.openstack.org_swifts.yaml index c4620f62e..5a98bf38b 100644 
--- a/bindata/crds/swift.openstack.org_swifts.yaml +++ b/bindata/crds/swift.openstack.org_swifts.yaml @@ -92,6 +92,14 @@ spec: to 60 seconds minimum: 1 type: integer + auth: + description: Auth - Parameters related to authentication + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing + Application Credential ID and Secret + type: string + type: object ceilometerEnabled: default: false description: Enables ceilometer in the swift proxy and creates diff --git a/bindata/crds/telemetry.openstack.org_autoscalings.yaml b/bindata/crds/telemetry.openstack.org_autoscalings.yaml index f63c24d7d..c92a5b1ee 100644 --- a/bindata/crds/telemetry.openstack.org_autoscalings.yaml +++ b/bindata/crds/telemetry.openstack.org_autoscalings.yaml @@ -70,6 +70,14 @@ spec: default: 60 description: APITimeout for Route and Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for + application credential + type: string + type: object customConfigsSecretName: description: |- A name of a secret containing custom configuration files. Files diff --git a/bindata/crds/telemetry.openstack.org_ceilometers.yaml b/bindata/crds/telemetry.openstack.org_ceilometers.yaml index 23ad22146..8f8a86876 100644 --- a/bindata/crds/telemetry.openstack.org_ceilometers.yaml +++ b/bindata/crds/telemetry.openstack.org_ceilometers.yaml @@ -116,6 +116,14 @@ spec: default: 60 description: APITimeout for Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object centralImage: type: string computeImage: 
diff --git a/bindata/crds/telemetry.openstack.org_cloudkitties.yaml b/bindata/crds/telemetry.openstack.org_cloudkitties.yaml index 0af21e5a2..b9161b231 100644 --- a/bindata/crds/telemetry.openstack.org_cloudkitties.yaml +++ b/bindata/crds/telemetry.openstack.org_cloudkitties.yaml @@ -52,6 +52,14 @@ spec: default: 60 description: APITimeout for HAProxy, Apache, and rpc_response_timeout type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object cloudKittyAPI: description: CloudKittyAPI - Spec definition for the API service of this CloudKitty deployment @@ -528,6 +536,12 @@ spec: Right now required by the maridb-operator to get the credentials from the instance to create the DB Might not be required in future type: string + lokiRetentionDays: + default: 95 + description: |- + LokiRetentionDays defines the number of days logs are kept in Loki storage. + Set to 0 to disable retention limits. + type: integer lokiStackSize: default: 1x.demo description: Size of the LokiStack. Supported are "1x.demo" (default), diff --git a/bindata/crds/telemetry.openstack.org_cloudkittyapis.yaml b/bindata/crds/telemetry.openstack.org_cloudkittyapis.yaml index 4227545ae..17adde864 100644 --- a/bindata/crds/telemetry.openstack.org_cloudkittyapis.yaml +++ b/bindata/crds/telemetry.openstack.org_cloudkittyapis.yaml @@ -48,6 +48,14 @@ spec: spec: description: CloudKittyAPISpec defines the desired state of CloudKittyAPI properties: + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object containerImage: description: ContainerImage - CloudKitty Container Image URL (will be set to environmental default if empty) 
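Review bot: `lokiRetentionDays` in the second cloudkitties hunk has no lower bound, so the schema accepts negative values although the description only gives a meaning to 0 (retention limits disabled) and to positive day counts. Adding `minimum: 0` next to `default: 95` would reject them at admission. This CRD is generated, so the bound belongs on the Go field as `+kubebuilder:validation:Minimum=0`. The same unbounded field is added in telemetry.openstack.org_telemetries.yaml.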
diff --git a/bindata/crds/telemetry.openstack.org_cloudkittyprocs.yaml b/bindata/crds/telemetry.openstack.org_cloudkittyprocs.yaml index 9cb6cf681..831c38f10 100644 --- a/bindata/crds/telemetry.openstack.org_cloudkittyprocs.yaml +++ b/bindata/crds/telemetry.openstack.org_cloudkittyprocs.yaml @@ -53,6 +53,14 @@ spec: description: CloudKittyProcSpec defines the desired state of CloudKitty Processor properties: + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for application + credential + type: string + type: object containerImage: description: ContainerImage - CloudKitty Container Image URL (will be set to environmental default if empty) diff --git a/bindata/crds/telemetry.openstack.org_telemetries.yaml b/bindata/crds/telemetry.openstack.org_telemetries.yaml index 1d98e9498..e8c535260 100644 --- a/bindata/crds/telemetry.openstack.org_telemetries.yaml +++ b/bindata/crds/telemetry.openstack.org_telemetries.yaml @@ -73,6 +73,14 @@ spec: default: 60 description: APITimeout for Route and Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name + for application credential + type: string + type: object customConfigsSecretName: description: |- A name of a secret containing custom configuration files. Files @@ -439,6 +447,14 @@ spec: default: 60 description: APITimeout for Apache type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for + application credential + type: string + type: object centralImage: type: string computeImage: 
@@ -614,6 +630,14 @@ spec: default: 60 description: APITimeout for HAProxy, Apache, and rpc_response_timeout type: integer + auth: + description: Auth - authentication settings for keystone integration + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - secret name for + application credential + type: string + type: object cloudKittyAPI: description: CloudKittyAPI - Spec definition for the API service of this CloudKitty deployment @@ -1096,6 +1120,12 @@ spec: description: Enabled - Whether OpenStack CloudKitty service should be deployed and managed type: boolean + lokiRetentionDays: + default: 95 + description: |- + LokiRetentionDays defines the number of days logs are kept in Loki storage. + Set to 0 to disable retention limits. + type: integer lokiStackSize: default: 1x.demo description: Size of the LokiStack. Supported are "1x.demo" (default), diff --git a/bindata/crds/watcher.openstack.org_watchers.yaml b/bindata/crds/watcher.openstack.org_watchers.yaml index a91bdf91e..8c20f5a2f 100644 --- a/bindata/crds/watcher.openstack.org_watchers.yaml +++ b/bindata/crds/watcher.openstack.org_watchers.yaml @@ -460,6 +460,15 @@ spec: type: string type: object type: object + auth: + description: Auth - Parameters related to authentication (shared by + all Watcher components) + properties: + applicationCredentialSecret: + description: ApplicationCredentialSecret - Secret containing Application + Credential ID and Secret + type: string + type: object customServiceConfig: description: |- CustomServiceConfig - customize the service config using this parameter to change service defaults, diff --git a/bindata/rbac/rbac.yaml b/bindata/rbac/rbac.yaml index 320db60b4..20a134624 100644 --- a/bindata/rbac/rbac.yaml +++ b/bindata/rbac/rbac.yaml @@ -414,6 +414,7 @@ rules: - keystone.openstack.org resources: - keystoneapis + - keystoneapplicationcredentials verbs: - create - delete 
@@ -422,6 +423,14 @@ rules: - patch - update - watch +- apiGroups: + - keystone.openstack.org + resources: + - keystoneapplicationcredentials/status + verbs: + - get + - patch + - update - apiGroups: - machineconfiguration.openshift.io resources: diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml index 99b2419c0..b6bf0f89c 100644 --- a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml +++ b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml @@ -40,6 +40,53 @@ spec: type: object spec: properties: + applicationCredential: + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + default: 730 + minimum: 2 + type: integer + gracePeriodDays: + default: 364 + minimum: 1 + type: integer + roles: + default: + - admin + - service + items: + type: string + minItems: 1 + type: array + unrestricted: + default: false + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: self.gracePeriodDays < self.expirationDays barbican: properties: apiOverride: 
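Review bot: The new `keystoneapplicationcredentials/status` rule grants `patch` and `update` on the status subresource, and it is the only keystone resource listed in that rule; `keystoneapis` is not given status write access alongside it. If the controller bound to this role only creates these objects and reads their status (not visible in this diff), it needs no status rule beyond read access, and the verbs can be reduced to `- get` or the rule dropped. Status is presumably what consumers rely on to learn which credential Secret is current, so write access is best left to the controller that reconciles the resource. The rule list is generated, so the change belongs in the corresponding `+kubebuilder:rbac` marker.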
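Review bot: In the top-level `applicationCredential` schema, `roles` enforces `minItems: 1` but its items are a bare `type: string`, so `roles: [""]` validates, whereas every `accessRules` field carries `minLength: 1`. The per-service `applicationCredential` blocks in the following hunks drop `minItems` as well, so an explicit `roles: []` override is accepted there. How an empty role list or an empty role name is handled when the credential is created is not visible in this diff; rejecting both in the schema avoids depending on that. Suggested: `minLength: 1` under `roles.items` in both variants, set on the Go type since this file is generated; api/bases carries the same schema.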
@@ -166,6 +213,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -175,6 +266,11 @@ spec: default: 90 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object barbicanAPI: properties: apiTimeout: @@ -674,6 +770,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean 
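Review bot: The per-service rule `!(has(self.expirationDays) && has(self.gracePeriodDays)) || self.gracePeriodDays < self.expirationDays` only compares the two values when both are set on the same service. A service that overrides just `expirationDays: 300` therefore passes while the top-level default `gracePeriodDays: 364` still applies, assuming unset per-service fields fall back to the top-level values. The effective grace period would then be at least the credential lifetime, which is the state the top-level rule exists to prevent. The merged values need the same comparison, presumably in the validating webhook or at reconcile time; neither is visible in this diff. The rule is repeated unchanged in every per-service `applicationCredential` hunk of this file and of api/bases.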
@@ -685,6 +825,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object cinderAPI: properties: customServiceConfig: @@ -1769,6 +1914,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -1799,6 +1988,11 @@ spec: properties: apiTimeout: type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object backendMdnsServerProtocol: type: string backendType: 
@@ -3648,6 +3842,50 @@ spec: type: object type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -4195,6 +4433,11 @@ spec: apiTimeout: minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string customServiceConfigSecrets: @@ -4574,6 +4817,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cnfAPIOverride: properties: route: 
@@ -4707,6 +4994,11 @@ spec: default: 600 minimum: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string customServiceConfigSecrets: @@ -6519,6 +6811,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -6652,6 +6988,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -6913,6 +7254,11 @@ spec: type: array ironicInspector: properties: + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string 
@@ -8179,6 +8525,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -8188,6 +8578,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string 
@@ -9246,6 +9641,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -9255,6 +9694,11 @@ spec: default: 120 minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object corePlugin: default: ml2 type: string @@ -10076,6 +10520,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cellOverride: additionalProperties: properties: 
@@ -10359,6 +10847,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object cellTemplates: additionalProperties: properties: @@ -11144,6 +11637,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -11179,6 +11716,11 @@ spec: apiTimeout: default: 120 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11221,6 +11763,11 @@ spec: properties: apiTimeout: type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11429,6 +11976,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string 
@@ -11581,6 +12133,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -11839,6 +12396,11 @@ spec: amphoraImageOwnerID: default: "" type: string + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: default: '# add your customization here' type: string @@ -12626,6 +13188,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -12635,6 +13241,11 @@ spec: default: 60 minimum: 10 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string databaseAccount: 
@@ -13701,6 +14312,50 @@ spec: type: string swift: properties: + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: true type: boolean @@ -13857,6 +14512,11 @@ spec: default: 60 minimum: 1 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object ceilometerEnabled: default: false type: boolean 
@@ -14348,6 +15008,138 @@ spec: type: string type: object type: object + applicationCredentialAodh: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' + applicationCredentialCeilometer: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' + applicationCredentialCloudKitty: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + 
x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' cloudKittyApiOverride: properties: route: @@ -14617,6 +15409,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customConfigsSecretName: type: string customServiceConfig: @@ -14785,6 +15582,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object customConfigsSecretName: type: string customServiceConfig: @@ -14873,6 +15675,11 @@ spec: apiTimeout: default: 60 type: integer + auth: + properties: + applicationCredentialSecret: + type: string + type: object cloudKittyAPI: properties: customConfigsSecretName: @@ -15093,6 +15900,9 @@ spec: enabled: default: false type: boolean + lokiRetentionDays: + default: 95 + type: integer lokiStackSize: default: 1x.demo enum: 
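Review bot: `lokiRetentionDays` is added with `default: 95` and `type: integer` but no lower bound, so zero or a negative number passes schema validation, unlike `expirationDays` and `gracePeriodDays` in the same file, which both carry a `minimum`. How the consumer treats 0 is not visible here; unless it is a deliberate sentinel, add `minimum: 1` (on the Go type, `// +kubebuilder:validation:Minimum=1`, since this CRD looks generated). If this controls how long logs are kept, as the name suggests, a mistyped small value also shortens how far back they can be searched during an investigation, so the accepted range is worth stating in the field description.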
@@ -16256,6 +17066,50 @@ spec: type: string type: object type: object + applicationCredential: + default: + enabled: false + nullable: true + properties: + accessRules: + items: + properties: + method: + minLength: 1 + type: string + path: + minLength: 1 + type: string + service: + minLength: 1 + type: string + required: + - method + - path + - service + type: object + type: array + x-kubernetes-list-type: atomic + enabled: + default: false + type: boolean + expirationDays: + minimum: 2 + type: integer + gracePeriodDays: + minimum: 1 + type: integer + roles: + items: + type: string + type: array + unrestricted: + type: boolean + type: object + x-kubernetes-validations: + - message: gracePeriodDays must be smaller than expirationDays + rule: '!(has(self.expirationDays) && has(self.gracePeriodDays)) + || self.gracePeriodDays < self.expirationDays' enabled: default: false type: boolean @@ -16449,6 +17303,11 @@ spec: type: string type: object type: object + auth: + properties: + applicationCredentialSecret: + type: string + type: object customServiceConfig: type: string databaseAccount: diff --git a/config/manifests/bases/openstack-operator.clusterserviceversion.yaml b/config/manifests/bases/openstack-operator.clusterserviceversion.yaml index a1bee6c67..0d8ae4b2a 100644 --- a/config/manifests/bases/openstack-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/openstack-operator.clusterserviceversion.yaml 
@@ -38,6 +38,13 @@ spec: kind: OpenStackControlPlane name: openstackcontrolplanes.core.openstack.org specDescriptors: + - description: |- + ApplicationCredential - Global configuration for ApplicationCredentials. + Both this global section AND the per-service applicationCredential section + must be enabled for a service to use ApplicationCredentials. + If omitted, defaults to enabled=false with standard expiration/grace periods. + displayName: Application Credential + path: applicationCredential - description: Barbican - Parameters related to the Barbican service displayName: Barbican path: barbican @@ -48,6 +55,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: barbican.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: barbican.applicationCredential - description: Enabled - Whether Barbican service should be deployed and managed displayName: Enabled path: barbican.enabled @@ -66,6 +77,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: cinder.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: cinder.applicationCredential - description: Enabled - Whether Cinder service should be deployed and managed displayName: Enabled path: cinder.enabled @@ -84,6 +99,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: designate.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: designate.applicationCredential - description: Enabled - Whether the Designate service should be deployed and managed displayName: Enabled 
@@ -131,6 +150,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: glance.apiOverrides.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: glance.applicationCredential - description: Enabled - Whether Glance service should be deployed and managed displayName: Enabled path: glance.enabled @@ -149,6 +172,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: heat.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: heat.applicationCredential - description: CnfAPIOverride, provides the ability to override the generated manifest of several child resources. displayName: Cnf APIOverride @@ -192,6 +219,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: ironic.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: ironic.applicationCredential - description: Enabled - Whether Ironic services should be deployed and managed displayName: Enabled path: ironic.enabled @@ -235,6 +266,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: manila.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: manila.applicationCredential - description: Enabled - Whether Manila service should be deployed and managed displayName: Enabled path: manila.enabled 
@@ -264,6 +299,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: neutron.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: neutron.applicationCredential - description: Enabled - Whether Neutron service should be deployed and managed displayName: Enabled path: neutron.enabled @@ -286,6 +325,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: nova.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: nova.applicationCredential - description: |- CellOverride, provides the ability to override the generated manifest of several child resources for a nova cell. cell0 never have compute nodes and therefore it won't have a noVNCProxy deployed. @@ -313,6 +356,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: octavia.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: octavia.applicationCredential - description: Enabled - Whether the Octavia service should be deployed and managed displayName: Enabled @@ -329,9 +376,6 @@ spec: Resource displayName: Template path: openstackclient.template - - description: List of environment variables to set in the container. - displayName: Env - path: openstackclient.template.env - description: Ovn - Overrides to use when creating the OVN Services displayName: Ovn path: ovn 
@@ -364,6 +408,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: placement.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: placement.applicationCredential - description: Enabled - Whether Placement service should be deployed and managed displayName: Enabled path: placement.enabled @@ -404,6 +452,10 @@ spec: - description: Swift - Parameters related to the Swift service displayName: Swift path: swift + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: swift.applicationCredential - description: Enabled - Whether Swift service should be deployed and managed displayName: Enabled path: swift.enabled @@ -436,6 +488,18 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: telemetry.aodhApiOverride.tls + - description: ApplicationCredentialAodh allows service-specific overrides of + the global AC configuration for Aodh. + displayName: Application Credential Aodh + path: telemetry.applicationCredentialAodh + - description: ApplicationCredentialCeilometer allows service-specific overrides + of the global AC configuration for Ceilometer. + displayName: Application Credential Ceilometer + path: telemetry.applicationCredentialCeilometer + - description: ApplicationCredentialCloudKitty allows service-specific overrides + of the global AC configuration for CloudKitty. + displayName: Application Credential Cloud Kitty + path: telemetry.applicationCredentialCloudKitty - description: CloudKittyAPIOverride, provides the ability to override the generated manifest of several child resources. displayName: Cloud Kitty APIOverride 
@@ -524,6 +588,10 @@ spec: - description: TLS - overrides tls parameters for public endpoint displayName: TLS path: watcher.apiOverride.tls + - description: ApplicationCredential allows service-specific overrides of the + global AC configuration. + displayName: Application Credential + path: watcher.applicationCredential - description: Enabled - Whether Watcher service should be deployed and managed displayName: Enabled path: watcher.enabled diff --git a/config/operator/manager_operator_images.yaml b/config/operator/manager_operator_images.yaml index 5f73cae56..a3794228d 100644 --- a/config/operator/manager_operator_images.yaml +++ b/config/operator/manager_operator_images.yaml 
@@ -14,46 +14,46 @@ spec: - name: operator env: - name: RELATED_IMAGE_BARBICAN_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/barbican-operator@sha256:379470e2752f286e73908e94233e884922b231169a5521a59f53843a2dc3184c + value: quay.io/openstack-k8s-operators/barbican-operator@sha256:10bdb8674a5c5a0120a68ded4e8d007f03c8f33592eed1a9ff2ae9e53d377d87 - name: RELATED_IMAGE_CINDER_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/cinder-operator@sha256:6e21a1dda86ba365817102d23a5d4d2d5dcd1c4d8e5f8d74bd24548aa8c63898 + value: quay.io/openstack-k8s-operators/cinder-operator@sha256:5461f69440de95db8df5b1242b3bb08644e215e025b17345b33325633e3dfba6 - name: RELATED_IMAGE_DESIGNATE_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/designate-operator@sha256:d9f6f8dc6a6dd9b0d7c96e4c89b3056291fd61f11126a1304256a4d6cacd0382 + value: quay.io/openstack-k8s-operators/designate-operator@sha256:a2e056d17d1ad90966fa943a1ec1e7c51b0f1f7842d0c0cc16a847bc3a34719e - name: RELATED_IMAGE_GLANCE_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/glance-operator@sha256:1f593e8d49d02b6484c89632192ae54771675c54fbd8426e3675b8e20ecfd7c4 + value: quay.io/openstack-k8s-operators/glance-operator@sha256:df7752c1cb7e57607e010dd1dfe92f9dbf926a8eda1cd69003e8f7f4d0ee5ace - name: RELATED_IMAGE_HEAT_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/heat-operator@sha256:27d83ada27cf70cda0c5738f97551d81f1ea4068e83a090f3312e22172d72e10 + value: quay.io/openstack-k8s-operators/heat-operator@sha256:51076be2b4311bd451e68e4e51ed32094e52834de769ee8635978914f0be99e4 - name: RELATED_IMAGE_HORIZON_OPERATOR_MANAGER_IMAGE_URL value: quay.io/openstack-k8s-operators/horizon-operator@sha256:027cd7ab61ef5071d9ad6b729c95a98e51cd254642f01dc019d44cc98a9232f8 - name: RELATED_IMAGE_INFRA_OPERATOR_MANAGER_IMAGE_URL value: quay.io/openstack-k8s-operators/infra-operator@sha256:a504ab83288310bbd8e39f3a01faaa3c210a14d94bbd32124e9eadd46227d6b3 - 
name: RELATED_IMAGE_IRONIC_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/ironic-operator@sha256:bead175f27e5f074f723694f3b66e5aa7238411bf8a27a267b9a2936e4465521 + value: quay.io/openstack-k8s-operators/ironic-operator@sha256:f09760446d12b8ca3f8383ab7711c4dd4cc3e47e04528e2d8dfe8cbdb39dc9f2 - name: RELATED_IMAGE_KEYSTONE_OPERATOR_MANAGER_IMAGE_URL value: quay.io/openstack-k8s-operators/keystone-operator@sha256:319c969e88f109b26487a9f5a67203682803d7386424703ab7ca0340be99ae17 - name: RELATED_IMAGE_MANILA_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/manila-operator@sha256:cd911e8d7a7a1104d77691dbaaf54370015cbb82859337746db5a9186d5dc566 + value: quay.io/openstack-k8s-operators/manila-operator@sha256:b8612e20df8c6a317a5e25884052455e2def210c704e1a8105253ead6eb35e87 - name: RELATED_IMAGE_MARIADB_OPERATOR_MANAGER_IMAGE_URL value: quay.io/openstack-k8s-operators/mariadb-operator@sha256:2d493137559b74e23edb4788b7fbdb38b3e239df0f2d7e6e540e50b2355fc3cf - name: RELATED_IMAGE_NEUTRON_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/neutron-operator@sha256:bbb46b8b3b69fdfad7bafc10a7e88f6ea58bcdc3c91e30beb79e24417d52e0f6 + value: quay.io/openstack-k8s-operators/neutron-operator@sha256:7b45b0b511f6147f199989a554339aee505f0a3dd50092e2efc236706aabde09 - name: RELATED_IMAGE_NOVA_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/nova-operator@sha256:5340b88039fac393da49ef4e181b2720c809c27a6bb30531a07a49342a1da45e + value: quay.io/openstack-k8s-operators/nova-operator@sha256:7f230a842e37afd8ddfc543f6ed8514217e5916aa003b592ee0c044a1005f8c4 - name: RELATED_IMAGE_OCTAVIA_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/octavia-operator@sha256:e6f2f361f1dcbb321407a5884951e16ff96e7b88942b10b548f27ad4de14a0be + value: quay.io/openstack-k8s-operators/octavia-operator@sha256:aa637692c9fe546c05a5fb53604cbd8cb532a071fbd63f09f60e56d5794a6569 - name: 
RELATED_IMAGE_OPENSTACK_BAREMETAL_OPERATOR_MANAGER_IMAGE_URL value: quay.io/openstack-k8s-operators/openstack-baremetal-operator@sha256:89f6fd332fabefd2fff5619432986b37c1c6d197dd1c510f21dfe4609939b8a6 - name: RELATED_IMAGE_OVN_OPERATOR_MANAGER_IMAGE_URL value: quay.io/openstack-k8s-operators/ovn-operator@sha256:ea7b72b648a5bde2eebd804c2a5c1608d448a4892176c1b8d000c1eef4bb92b4 - name: RELATED_IMAGE_PLACEMENT_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/placement-operator@sha256:e0824d5d461ada59715eb3048ed9394c80abba09c45503f8f90ee3b34e525488 + value: quay.io/openstack-k8s-operators/placement-operator@sha256:4218e738cc0f3e20002c03cb0f005d7d290bbcc6a891b87dc06089fabb582ed8 - name: RELATED_IMAGE_RABBITMQ_CLUSTER_OPERATOR_MANAGER_IMAGE_URL value: quay.io/openstack-k8s-operators/rabbitmq-cluster-operator@sha256:893e66303c1b0bc1d00a299a3f0380bad55c8dc813c8a1c6a4aab379f5aa12a2 - name: RELATED_IMAGE_SWIFT_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/swift-operator@sha256:42ad717de1b82267d244b016e5491a5b66a5c3deb6b8c2906a379e1296a2c382 + value: quay.io/openstack-k8s-operators/swift-operator@sha256:77388e446bc3af6f05ac372dbdb120da5d4d64e2ca1cd20b86e66ed4b69e63f8 - name: RELATED_IMAGE_TELEMETRY_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/telemetry-operator@sha256:f9bf288cd0c13912404027a58ea3b90d4092b641e8265adc5c88644ea7fe901a + value: quay.io/openstack-k8s-operators/telemetry-operator@sha256:53ab303c58b5cbff65d21afc524b4cc31f546a32209bf0c75535077446d6d6dc - name: RELATED_IMAGE_TEST_OPERATOR_MANAGER_IMAGE_URL value: quay.io/openstack-k8s-operators/test-operator@sha256:3e01e99d3ca1b6c20b1bb015b00cfcbffc584f22a93dc6fe4019d63b813c0241 - name: RELATED_IMAGE_WATCHER_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/watcher-operator@sha256:7869203f6f97de780368d507636031090fed3b658d2f7771acbd4481bdfc870b + value: 
quay.io/openstack-k8s-operators/watcher-operator@sha256:13e69f6777cfc6c8ecd5b9b0e85f420eeb3fd2a7303da030b9942abf76184c78 diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 21d03fa6a..92ee8f170 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -365,6 +365,7 @@ rules: - keystone.openstack.org resources: - keystoneapis + - keystoneapplicationcredentials verbs: - create - delete @@ -373,6 +374,14 @@ rules: - patch - update - watch +- apiGroups: + - keystone.openstack.org + resources: + - keystoneapplicationcredentials/status + verbs: + - get + - patch + - update - apiGroups: - machineconfiguration.openshift.io resources: diff --git a/config/samples/applicationcredentials/kustomization.yaml b/config/samples/applicationcredentials/kustomization.yaml new file mode 100644 index 000000000..c7cbe3ecf --- /dev/null +++ b/config/samples/applicationcredentials/kustomization.yaml @@ -0,0 +1,14 @@ +resources: +- ../base/openstackcontrolplane + +patches: +- target: + kind: OpenStackControlPlane + name: .* + patch: |- + - op: replace + path: /metadata/name + value: openstack +- target: + kind: OpenStackControlPlane + path: patch.yaml diff --git a/config/samples/applicationcredentials/patch.yaml b/config/samples/applicationcredentials/patch.yaml new file mode 100644 index 000000000..c16d4747d --- /dev/null +++ b/config/samples/applicationcredentials/patch.yaml 
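Review bot: The new rule for `keystoneapplicationcredentials/status` in the second role.yaml hunk grants `patch` and `update` in addition to `get`. If these objects are reconciled by the keystone operator, which would then own their status, this operator only reads it and the write verbs can be dropped; reading the parent resource already returns the status. role.yaml is normally generated from RBAC markers, so the change would go there: `// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapplicationcredentials/status,verbs=get`. If this operator does write the status, a one-line comment on the marker saying which controller does so would make the grant reviewable.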
@@ -0,0 +1,77 @@
+apiVersion: core.openstack.org/v1beta1
+kind: OpenStackControlPlane
+metadata:
+ name: openstack
+spec:
+ # Test only services that are enabled by default in basic deployment.
+ #
+ applicationCredential:
+ enabled: true
+
+ # barbican: inherits kubebuilder defaults (no overrides)
+ # Expected: expirationDays=730, gracePeriodDays=364, roles=[admin,service], unrestricted=false
+ barbican:
+ applicationCredential:
+ enabled: true
+
+ # cinder: custom service-specific overrides
+ # Tests: all fields customized
+ cinder:
+ applicationCredential:
+ enabled: true
+ expirationDays: 10
+ gracePeriodDays: 5
+ roles:
+ - admin
+ - service
+ unrestricted: true
+
+ # glance: partial overrides (only expiration values)
+ # Tests: partial override, inherits default roles
+ glance:
+ applicationCredential:
+ enabled: true
+ expirationDays: 180
+ gracePeriodDays: 60
+
+ # swift: only roles override
+ # Tests: role customization, inherits default expiration values
+ swift:
+ applicationCredential:
+ enabled: true
+ roles:
+ - service
+
+ # neutron: minimal override (only enabled)
+ # Tests: inherits all defaults
+ neutron:
+ applicationCredential:
+ enabled: true
+
+ # placement: custom expiration only
+ # Tests: single field override
+ placement:
+ applicationCredential:
+ enabled: true
+ expirationDays: 90
+ gracePeriodDays: 30
+
+ # nova: custom roles with multiple values
+ # Tests: multiple role assignment
+ nova:
+ applicationCredential:
+ enabled: true
+ roles:
+ - admin
+ - service
+ - member
+
+ # telemetry/ceilometer: enabled by default in the base sample (telemetry.enabled=true, ceilometer.enabled=true)
+ # Tests: telemetry-specific AC override path
+ telemetry:
+ applicationCredentialCeilometer:
+ enabled: true
+ expirationDays: 45
+ gracePeriodDays: 20
+ roles:
+ - service
diff --git a/go.mod b/go.mod
index 1f43e6292..f1a765121 100644
--- a/go.mod
+++ b/go.mod
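Review bot: The cinder entry in this sample sets `unrestricted: true` together with the `admin` role and has no comment saying why. In Keystone an unrestricted application credential may create and delete other application credentials and trusts, so a copy of this sample would give the cinder service credential more than it needs. If the value is there only to exercise the field, say so next to it: `# unrestricted: true only to cover the field in tests; keep the default (false) in real deployments`. The opening comment `# Test only services that are enabled by default in basic deployment.` could also state that the whole file is a test fixture rather than a recommended configuration.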
@@ -9,36 +9,36 @@ require ( github.com/google/uuid v1.6.0 github.com/iancoleman/strcase v0.3.0 github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.7.7 - github.com/onsi/ginkgo/v2 v2.27.5 - github.com/onsi/gomega v1.39.0 + github.com/onsi/ginkgo/v2 v2.28.1 + github.com/onsi/gomega v1.39.1 github.com/openshift/api v3.9.0+incompatible - github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260126155915-bd373daa8e8c - github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260124150910-c004203b9504 - github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260126110625-223581247a61 - github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260126103542-0cf3ce88037a - github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260127034304-6f0d6173a951 + github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260130161218-ed22e21b9035 + github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260203100410-bec3d87f42df + github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260130194629-8145dc930d49 + github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260203172717-de34ba474e77 + github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260205152457-97ee6babce57 github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260126110912-72d03020e1a5 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260128074606-03b808364e4a - github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260126092810-cd39d45b6c0e + github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260205123033-c9cd3795f8c6 github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260126175636-114b4c65a959 github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20260126081203-efc2df9207eb github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20260126081203-efc2df9207eb 
github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260205083029-d03e9df035ef - github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260126081203-efc2df9207eb + github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260128142552-e2c25eccae5a github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20260126081203-efc2df9207eb - github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260124125332-5046d6342e48 + github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260203154427-fb9213e462a4 github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260127154438-ff95971883bb - github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260128083308-da1a0d762151 - github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260126165739-ee3d496d73bf - github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260126163009-d47fbe954465 + github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260130110557-870de6f217b5 + github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260205135859-d785b91fa1d7 + github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260130160650-fee89a8e7044 github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20260126123727-b3f88d69956c github.com/openstack-k8s-operators/openstack-operator/api v0.0.0-00010101000000-000000000000 github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20260126160735-3254731d17a8 - github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260126175637-0015cb155e87 - github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260126164332-39546b542a9c - github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260124124519-a5bcf05e2d71 + github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260203072749-c46bb493557d + github.com/openstack-k8s-operators/swift-operator/api 
v0.6.1-0.20260201211658-98f018aea931 + github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260205110928-7d95eaebdfe4 github.com/openstack-k8s-operators/test-operator/api v0.6.1-0.20260128101443-e227c7785ffa - github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260123204008-add353f857c0 + github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260206073930-3cd4f1433bff github.com/pkg/errors v0.9.1 github.com/rabbitmq/cluster-operator/v2 v2.16.0 github.com/stretchr/testify v1.11.1 @@ -81,7 +81,7 @@ require ( github.com/google/gnostic-models v0.7.0 // indirect github.com/google/go-cmp v0.7.0 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect + github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 // indirect github.com/gophercloud/gophercloud/v2 v2.8.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect github.com/imdario/mergo v0.3.16 // indirect @@ -120,17 +120,17 @@ require ( go.uber.org/multierr v1.11.0 // indirect go.yaml.in/yaml/v2 v2.4.2 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect - golang.org/x/crypto v0.46.0 // indirect + golang.org/x/crypto v0.47.0 // indirect golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67 // indirect - golang.org/x/mod v0.31.0 // indirect - golang.org/x/net v0.48.0 // indirect + golang.org/x/mod v0.32.0 // indirect + golang.org/x/net v0.49.0 // indirect golang.org/x/oauth2 v0.30.0 // indirect golang.org/x/sync v0.19.0 // indirect golang.org/x/sys v0.40.0 // indirect golang.org/x/term v0.39.0 // indirect golang.org/x/text v0.33.0 // indirect golang.org/x/time v0.12.0 // indirect - golang.org/x/tools v0.40.0 // indirect + golang.org/x/tools v0.41.0 // indirect gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect 
diff --git a/go.sum b/go.sum index 2f7937687..e238ac7a4 100644 --- a/go.sum +++ b/go.sum @@ -80,8 +80,8 @@ github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8= -github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA= +github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 h1:z2ogiKUYzX5Is6zr/vP9vJGqPwcdqsWjOt+V8J7+bTc= +github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gophercloud/gophercloud/v2 v2.8.0 h1:of2+8tT6+FbEYHfYC8GBu8TXJNsXYSNm9KuvpX7Neqo= 
@@ -132,28 +132,28 @@ github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFd github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/onsi/ginkgo/v2 v2.27.5 h1:ZeVgZMx2PDMdJm/+w5fE/OyG6ILo1Y3e+QX4zSR0zTE= -github.com/onsi/ginkgo/v2 v2.27.5/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= -github.com/onsi/gomega v1.39.0 h1:y2ROC3hKFmQZJNFeGAMeHZKkjBL65mIZcvrLQBF9k6Q= -github.com/onsi/gomega v1.39.0/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4= +github.com/onsi/ginkgo/v2 v2.28.1 h1:S4hj+HbZp40fNKuLUQOYLDgZLwNUVn19N3Atb98NCyI= +github.com/onsi/ginkgo/v2 v2.28.1/go.mod h1:CLtbVInNckU3/+gC8LzkGUb9oF+e8W8TdUsxPwvdOgE= +github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28= +github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg= github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e h1:E1OdwSpqWuDPCedyUt0GEdoAE+r5TXy7YS21yNEo+2U= github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo= -github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260126155915-bd373daa8e8c h1:7/1IZQQp6FDu3fXM641kq2XfWqmTUip9/O84l6evg2s= -github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260126155915-bd373daa8e8c/go.mod h1:tfNU2Cy1ofpDtVj+afn0u79/RDQPc7OrRE4RjurwAEQ= -github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260124150910-c004203b9504 h1:qRljZd79/o7PIYtgvBr7OSOjnbxJ+6IJf09qLkgByGM= -github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260124150910-c004203b9504/go.mod h1:dGW+9S6trLzIW4WN5CMwXOUjdc1X7ODxqxObfARP8UA= -github.com/openstack-k8s-operators/designate-operator/api 
v0.6.1-0.20260126110625-223581247a61 h1:yW+hlDOVfOCH4TQPRrSC7s/m+0Hb7uovCwGRoRNxOo4= -github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260126110625-223581247a61/go.mod h1:rTrAkG8KR+P+UVXwJjrlTAuxwx3HKMPmrb24qrxLHpM= -github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260126103542-0cf3ce88037a h1:G8yaUi3XadpPp0C0UNc6D6Xk+L0I+CqANDxbt6M+DEU= -github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260126103542-0cf3ce88037a/go.mod h1:ghegwjz1c0J8GSjZiM/qSIzg+qjZNCwUbwbPEbrcrno= -github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260127034304-6f0d6173a951 h1:fToObXb6NkXBw3sjWHh0+HhbUr23aDd908fHSBcPM7c= -github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260127034304-6f0d6173a951/go.mod h1:mScOSRv5YDbjEPfirc2K+L7kJYZE4PoueTkFoU+BRQ0= +github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260130161218-ed22e21b9035 h1:ZbEYqSRTtyXbOATlY1bDYBa0Rp3MMZjcaR0yHSgLW24= +github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20260130161218-ed22e21b9035/go.mod h1:tfNU2Cy1ofpDtVj+afn0u79/RDQPc7OrRE4RjurwAEQ= +github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260203100410-bec3d87f42df h1:ry1fl+Sp4dXjt+nTe2PkCm0ZpTpiKkqStzjoPq68tuc= +github.com/openstack-k8s-operators/cinder-operator/api v0.6.1-0.20260203100410-bec3d87f42df/go.mod h1:j0JH8VRZHOP6pNkKSWK1Zfj8ov1yVkUwNNheu1xLbwE= +github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260130194629-8145dc930d49 h1:wSG2ZEorUADT8VOUmKB7cOXmvYOwZMvy6ERd+6PehPg= +github.com/openstack-k8s-operators/designate-operator/api v0.6.1-0.20260130194629-8145dc930d49/go.mod h1:rTrAkG8KR+P+UVXwJjrlTAuxwx3HKMPmrb24qrxLHpM= +github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260203172717-de34ba474e77 h1:qQF4eugVDwMIFSivIq/mcsO/rDNgWZO3nEUdEEivN40= +github.com/openstack-k8s-operators/glance-operator/api v0.6.1-0.20260203172717-de34ba474e77/go.mod h1:SHocUrLIilw67T26C2wMbJs6IXSWIv1PF/1VqFGxe4Q= 
+github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260205152457-97ee6babce57 h1:zTujRvfAMy0o/OyebVaMhv+8wn+/8C5QvVeMmlXFdDI= +github.com/openstack-k8s-operators/heat-operator/api v0.6.1-0.20260205152457-97ee6babce57/go.mod h1:mScOSRv5YDbjEPfirc2K+L7kJYZE4PoueTkFoU+BRQ0= github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260126110912-72d03020e1a5 h1:Rhqx9iFaZgC2VhE2IiCGqPxJtc5A4hoz/5Rv8a+gtDY= github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260126110912-72d03020e1a5/go.mod h1:x8muLIctcCLObcdeynPgycfQ+6ddWIDlSOQ9NElG43M= github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260128074606-03b808364e4a h1:uJL923hT6ZJE1fKq+/FA0mVX46AgE3H+OClpL2DXq4Y= github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260128074606-03b808364e4a/go.mod h1:ZXwFlspJCdZEUjMbmaf61t5AMB4u2vMyAMMoe/vJroE= -github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260126092810-cd39d45b6c0e h1:atOsI5KAXuAD1C5fHPjyVWc7nyQrzk9eLJPSkwYTitw= -github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260126092810-cd39d45b6c0e/go.mod h1:6Y/hPIhXYgV0NHe7ZWIo+bdBxhnWkjbv7VLZbFnLNrc= +github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260205123033-c9cd3795f8c6 h1:NOo/jBBjvIufuuWS0ve7jsnSPH8lxJnyDJrNR0eoQ8c= +github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260205123033-c9cd3795f8c6/go.mod h1:tsE9DPDd7XKJPYfH+cts6cbo084rargXgmeFWtw3FwA= github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260126175636-114b4c65a959 h1:8FSpTYAoLq27ElDGe3igPl2QUq9IYD6RJGu2Xu+Ymus= github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260126175636-114b4c65a959/go.mod h1:pN/s+czXvApiE9nxeTtDeRTXWcaaCLZSrtoyOSUb37k= github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20260126081203-efc2df9207eb h1:35v30c6nI9WtnNnkfh4nRnC/lU9O6rM2Y8onhEAl45g= 
@@ -164,36 +164,36 @@ github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.2026020508 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260205083029-d03e9df035ef/go.mod h1:ndqfy1KbVorHH6+zlUFPIrCRhMSxO3ImYJUGaooE0x0= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251230215914-6ba873b49a35 h1:IdcI8DFvW8rXtchONSzbDmhhRp1YyO2YaBJDBXr44Gk= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20251230215914-6ba873b49a35/go.mod h1:zOX7Y05keiSppIvLabuyh42QHBMhCcoskAtxFRbwXKo= -github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260126081203-efc2df9207eb h1:0kP9V1pKfRno6ss7qAy3GcfVK29CobWym6WA7AYA7wY= -github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260126081203-efc2df9207eb/go.mod h1:jofj+VqDszxLCZSBYo794KGkCjMo01xzhQ/gffYzf3I= +github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260128142552-e2c25eccae5a h1:teKxfVLDxJD9ahjeh29GlKHiXNUFDkVRmkpJdeKAvGE= +github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260128142552-e2c25eccae5a/go.mod h1:jofj+VqDszxLCZSBYo794KGkCjMo01xzhQ/gffYzf3I= github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20260126081203-efc2df9207eb h1:Fh9yjyogiR9P4oV3a2pSlSUyYzfbWbvlU6RFIjZoxsg= github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20260126081203-efc2df9207eb/go.mod h1:sqKTKvYhSzu4Opnjx/J+zzetXKRqYrhxsfvrST/NjoU= -github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260124125332-5046d6342e48 h1:PtBSN6ZHkaDRkjsK17e4h4mUGHh5VVDcXojbwdXy2io= -github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260124125332-5046d6342e48/go.mod h1:BDSKDGu90NqHmLWRAyC3Dg++/xTkatoceEs7nhN3NCI= +github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260203154427-fb9213e462a4 h1:Ynrdr1X4RE0gDcgyAlos39AYFKV4I2WfTaZ2oAjU7d0= +github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260203154427-fb9213e462a4/go.mod 
h1:xOLjSMU4f5F05L0DiCu6Uvz0dOIDmCyQmSVS+ZHaam0= github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260127154438-ff95971883bb h1:Zv7GXyG1wND4wNzCmfMI8oAWsDlrU2QFxq8tsnIKFs0= github.com/openstack-k8s-operators/mariadb-operator/api v0.6.1-0.20260127154438-ff95971883bb/go.mod h1:X6W8pIULiWUc6smaTqiNocjxoXaRLgXediwpI/dxD9s= -github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260128083308-da1a0d762151 h1:SK7HCTL8CSS8lHWjW40WgS5AKWilLrtvxIgq8yeTfXM= -github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260128083308-da1a0d762151/go.mod h1:Uu/8M93x55zd7amJpRKGJz4vCmvZvBfzaN6CwnOjDNY= -github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260126165739-ee3d496d73bf h1:Z4dpSajjkeXJzeR3ISnRMReWKVM60yi+FK+Gtbe8OSc= -github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260126165739-ee3d496d73bf/go.mod h1:Id8njTmOl1EayJk8dTeiGetySuhPXqZp7gWgbo+luME= -github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260126163009-d47fbe954465 h1:gQ6muqCfHtjdJO9selzjs0MBVIp6AqeJCq3V+Fx2KzY= -github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260126163009-d47fbe954465/go.mod h1:Phcw9t23H4RbOpUqBhFldFBKEbkx+f4c0QGnfFOPh50= +github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260130110557-870de6f217b5 h1:VswZKlc2SGulbTNITVfddofnXLHGMqpUHjZabRU2V+8= +github.com/openstack-k8s-operators/neutron-operator/api v0.6.1-0.20260130110557-870de6f217b5/go.mod h1:Uu/8M93x55zd7amJpRKGJz4vCmvZvBfzaN6CwnOjDNY= +github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260205135859-d785b91fa1d7 h1:oWCSoyfvh87ueqU3yMSoDR6pW+nWptXGsARK+ypIky8= +github.com/openstack-k8s-operators/nova-operator/api v0.6.1-0.20260205135859-d785b91fa1d7/go.mod h1:bo00y0fC762qzXbn3tgpTT35n0CpSPxkZq7jCyE7LYQ= +github.com/openstack-k8s-operators/octavia-operator/api v0.6.1-0.20260130160650-fee89a8e7044 h1:IWidpe8G47CpthKIGKVUP0DmtpsCnYn1q4pDB8/pjhM= +github.com/openstack-k8s-operators/octavia-operator/api 
v0.6.1-0.20260130160650-fee89a8e7044/go.mod h1:Phcw9t23H4RbOpUqBhFldFBKEbkx+f4c0QGnfFOPh50= github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20260126123727-b3f88d69956c h1:5gY2Y9OjgHWltvw0jtQWDaoXnfJRObRNozC0dBLz0GQ= github.com/openstack-k8s-operators/openstack-baremetal-operator/api v0.6.1-0.20260126123727-b3f88d69956c/go.mod h1:8Ge7K0IfcMSpoyp9p0lnW36f3nvCf6lnoc4TWoIlazw= github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20260126160735-3254731d17a8 h1:70ennIUokh4YvGdzE7zzRYIHVJ0xnYRNvmrO/f0wk9A= github.com/openstack-k8s-operators/ovn-operator/api v0.6.1-0.20260126160735-3254731d17a8/go.mod h1:o4YQPtgdeJLUBEizUjSSvTMxXsQgivgSul61Vq47/jw= -github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260126175637-0015cb155e87 h1:NZWcEwyw13o0592iwtjy6qckFSOeLSATl7m59s3q3kI= -github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260126175637-0015cb155e87/go.mod h1:eWED9YYc2NLXutgocqK5m3LsnQ+aT0MeWgmnsqi6A0Y= +github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260203072749-c46bb493557d h1:/0ngJXXGiAbMn4SHxpam4CtVGPDHXW8d1yT+PWJRw/U= +github.com/openstack-k8s-operators/placement-operator/api v0.6.1-0.20260203072749-c46bb493557d/go.mod h1:eWED9YYc2NLXutgocqK5m3LsnQ+aT0MeWgmnsqi6A0Y= github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec h1:saovr368HPAKHN0aRPh8h8n9s9dn3d8Frmfua0UYRlc= github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec/go.mod h1:Nh2NEePLjovUQof2krTAg4JaAoLacqtPTZQXK6izNfg= -github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260126164332-39546b542a9c h1:aJsyz/wHFe/LeoPxa/B3+FpYFu6ovy54kmgj4DbJT5o= -github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260126164332-39546b542a9c/go.mod h1:/2Qd/Xr1bPLaddKmKxhqHP5Zsj7YYz3TkzWOM8miaK0= -github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260124124519-a5bcf05e2d71 
h1:3dCKtRbLmyrq5sXW9rkfROB8DbIsE++8LkhLoYC/s/I= -github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260124124519-a5bcf05e2d71/go.mod h1:sVND1JTB9Da9X1fX+Q2W2aOynH3+vf9cFGkisPuE9Yg= +github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260201211658-98f018aea931 h1:iAa/ahDlWAHFa2WUQJ07SEyzFtYUBkEwtt8vZNQ1V9A= +github.com/openstack-k8s-operators/swift-operator/api v0.6.1-0.20260201211658-98f018aea931/go.mod h1:/2Qd/Xr1bPLaddKmKxhqHP5Zsj7YYz3TkzWOM8miaK0= +github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260205110928-7d95eaebdfe4 h1:kygc6YDl7kPwj1Ol2wMC6pLuhmpBK2IqULwlaZ7k/rA= +github.com/openstack-k8s-operators/telemetry-operator/api v0.6.1-0.20260205110928-7d95eaebdfe4/go.mod h1:l/jz/k6Al6GSleFlcbfuLjEkZynJZKvI/H4ZlyMCqAg= github.com/openstack-k8s-operators/test-operator/api v0.6.1-0.20260128101443-e227c7785ffa h1:nTQKjQTyL2riSceHvEAbDhNfTcgJ8V2V9CUQF/9DJYY= github.com/openstack-k8s-operators/test-operator/api v0.6.1-0.20260128101443-e227c7785ffa/go.mod h1:ju4G2suFa006GBnFRzxpchcm/d8vnmr/wI5Um4SHqK0= -github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260123204008-add353f857c0 h1:7tyMpFvBUa1lvok9COBOvA3dFTj2p1Ard6LFGn0+8g8= -github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260123204008-add353f857c0/go.mod h1:1DeGo19yp7py2C+D98Mbv8P8UHYARmPTvfBAuTNXj5Q= +github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260206073930-3cd4f1433bff h1:45zoZ6GbBbTsd/WK0G4MxrxzHIkjQ+5m6ayv+QRX29c= +github.com/openstack-k8s-operators/watcher-operator/api v0.6.1-0.20260206073930-3cd4f1433bff/go.mod h1:1DeGo19yp7py2C+D98Mbv8P8UHYARmPTvfBAuTNXj5Q= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 
@@ -277,20 +277,20 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU= -golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0= +golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8= +golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A= golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67 h1:1UoZQm6f0P/ZO0w1Ri+f+ifG/gXhegadRdwBIXEFWDo= golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI= -golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg= +golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c= +golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU= -golang.org/x/net v0.48.0/go.mod 
h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY= +golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o= +golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8= golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -315,8 +315,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA= -golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc= +golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc= +golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/hack/export_operator_related_images.sh b/hack/export_operator_related_images.sh index 548dc6f0c..0c0f9642c 100644 --- a/hack/export_operator_related_images.sh +++ b/hack/export_operator_related_images.sh 
@@ -1,24 +1,24 @@ # NOTE: this file is automatically generated by hack/sync-bindata.sh! -export RELATED_IMAGE_BARBICAN_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/barbican-operator@sha256:379470e2752f286e73908e94233e884922b231169a5521a59f53843a2dc3184c -export RELATED_IMAGE_CINDER_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/cinder-operator@sha256:6e21a1dda86ba365817102d23a5d4d2d5dcd1c4d8e5f8d74bd24548aa8c63898 -export RELATED_IMAGE_DESIGNATE_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/designate-operator@sha256:d9f6f8dc6a6dd9b0d7c96e4c89b3056291fd61f11126a1304256a4d6cacd0382 -export RELATED_IMAGE_GLANCE_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/glance-operator@sha256:1f593e8d49d02b6484c89632192ae54771675c54fbd8426e3675b8e20ecfd7c4 -export RELATED_IMAGE_HEAT_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/heat-operator@sha256:27d83ada27cf70cda0c5738f97551d81f1ea4068e83a090f3312e22172d72e10 +export RELATED_IMAGE_BARBICAN_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/barbican-operator@sha256:10bdb8674a5c5a0120a68ded4e8d007f03c8f33592eed1a9ff2ae9e53d377d87 +export RELATED_IMAGE_CINDER_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/cinder-operator@sha256:5461f69440de95db8df5b1242b3bb08644e215e025b17345b33325633e3dfba6 +export RELATED_IMAGE_DESIGNATE_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/designate-operator@sha256:a2e056d17d1ad90966fa943a1ec1e7c51b0f1f7842d0c0cc16a847bc3a34719e +export RELATED_IMAGE_GLANCE_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/glance-operator@sha256:df7752c1cb7e57607e010dd1dfe92f9dbf926a8eda1cd69003e8f7f4d0ee5ace +export RELATED_IMAGE_HEAT_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/heat-operator@sha256:51076be2b4311bd451e68e4e51ed32094e52834de769ee8635978914f0be99e4 export 
RELATED_IMAGE_HORIZON_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/horizon-operator@sha256:027cd7ab61ef5071d9ad6b729c95a98e51cd254642f01dc019d44cc98a9232f8 export RELATED_IMAGE_INFRA_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/infra-operator@sha256:a504ab83288310bbd8e39f3a01faaa3c210a14d94bbd32124e9eadd46227d6b3 -export RELATED_IMAGE_IRONIC_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/ironic-operator@sha256:bead175f27e5f074f723694f3b66e5aa7238411bf8a27a267b9a2936e4465521 +export RELATED_IMAGE_IRONIC_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/ironic-operator@sha256:f09760446d12b8ca3f8383ab7711c4dd4cc3e47e04528e2d8dfe8cbdb39dc9f2 export RELATED_IMAGE_KEYSTONE_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/keystone-operator@sha256:319c969e88f109b26487a9f5a67203682803d7386424703ab7ca0340be99ae17 -export RELATED_IMAGE_MANILA_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/manila-operator@sha256:cd911e8d7a7a1104d77691dbaaf54370015cbb82859337746db5a9186d5dc566 +export RELATED_IMAGE_MANILA_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/manila-operator@sha256:b8612e20df8c6a317a5e25884052455e2def210c704e1a8105253ead6eb35e87 export RELATED_IMAGE_MARIADB_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/mariadb-operator@sha256:2d493137559b74e23edb4788b7fbdb38b3e239df0f2d7e6e540e50b2355fc3cf -export RELATED_IMAGE_NEUTRON_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/neutron-operator@sha256:bbb46b8b3b69fdfad7bafc10a7e88f6ea58bcdc3c91e30beb79e24417d52e0f6 -export RELATED_IMAGE_NOVA_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/nova-operator@sha256:5340b88039fac393da49ef4e181b2720c809c27a6bb30531a07a49342a1da45e -export RELATED_IMAGE_OCTAVIA_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/octavia-operator@sha256:e6f2f361f1dcbb321407a5884951e16ff96e7b88942b10b548f27ad4de14a0be +export 
RELATED_IMAGE_NEUTRON_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/neutron-operator@sha256:7b45b0b511f6147f199989a554339aee505f0a3dd50092e2efc236706aabde09 +export RELATED_IMAGE_NOVA_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/nova-operator@sha256:7f230a842e37afd8ddfc543f6ed8514217e5916aa003b592ee0c044a1005f8c4 +export RELATED_IMAGE_OCTAVIA_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/octavia-operator@sha256:aa637692c9fe546c05a5fb53604cbd8cb532a071fbd63f09f60e56d5794a6569 export RELATED_IMAGE_OPENSTACK_BAREMETAL_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/openstack-baremetal-operator@sha256:89f6fd332fabefd2fff5619432986b37c1c6d197dd1c510f21dfe4609939b8a6 export RELATED_IMAGE_OVN_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/ovn-operator@sha256:ea7b72b648a5bde2eebd804c2a5c1608d448a4892176c1b8d000c1eef4bb92b4 -export RELATED_IMAGE_PLACEMENT_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/placement-operator@sha256:e0824d5d461ada59715eb3048ed9394c80abba09c45503f8f90ee3b34e525488 +export RELATED_IMAGE_PLACEMENT_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/placement-operator@sha256:4218e738cc0f3e20002c03cb0f005d7d290bbcc6a891b87dc06089fabb582ed8 export RELATED_IMAGE_RABBITMQ_CLUSTER_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/rabbitmq-cluster-operator@sha256:893e66303c1b0bc1d00a299a3f0380bad55c8dc813c8a1c6a4aab379f5aa12a2 -export RELATED_IMAGE_SWIFT_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/swift-operator@sha256:42ad717de1b82267d244b016e5491a5b66a5c3deb6b8c2906a379e1296a2c382 -export RELATED_IMAGE_TELEMETRY_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/telemetry-operator@sha256:f9bf288cd0c13912404027a58ea3b90d4092b641e8265adc5c88644ea7fe901a +export RELATED_IMAGE_SWIFT_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/swift-operator@sha256:77388e446bc3af6f05ac372dbdb120da5d4d64e2ca1cd20b86e66ed4b69e63f8 +export 
RELATED_IMAGE_TELEMETRY_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/telemetry-operator@sha256:53ab303c58b5cbff65d21afc524b4cc31f546a32209bf0c75535077446d6d6dc export RELATED_IMAGE_TEST_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/test-operator@sha256:3e01e99d3ca1b6c20b1bb015b00cfcbffc584f22a93dc6fe4019d63b813c0241 -export RELATED_IMAGE_WATCHER_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/watcher-operator@sha256:7869203f6f97de780368d507636031090fed3b658d2f7771acbd4481bdfc870b +export RELATED_IMAGE_WATCHER_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/watcher-operator@sha256:13e69f6777cfc6c8ecd5b9b0e85f420eeb3fd2a7303da030b9942abf76184c78 diff --git a/internal/controller/core/openstackcontrolplane_controller.go b/internal/controller/core/openstackcontrolplane_controller.go index c80298f79..78ac06c79 100644 --- a/internal/controller/core/openstackcontrolplane_controller.go +++ b/internal/controller/core/openstackcontrolplane_controller.go 
@@ -93,6 +93,8 @@ func (r *OpenStackControlPlaneReconciler) GetLogger(ctx context.Context) logr.Lo // +kubebuilder:rbac:groups=client.openstack.org,resources=openstackclients,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=horizon.openstack.org,resources=horizons,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapis,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapplicationcredentials,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapplicationcredentials/status,verbs=get;patch;update // +kubebuilder:rbac:groups=placement.openstack.org,resources=placementapis,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=glance.openstack.org,resources=glances,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=heat.openstack.org,resources=heats,verbs=get;list;watch;create;update;patch;delete @@ -801,6 +803,7 @@ func (r *OpenStackControlPlaneReconciler) SetupWithManager( Owns(&mariadbv1.Galera{}). Owns(&memcachedv1.Memcached{}). Owns(&keystonev1.KeystoneAPI{}). + Owns(&keystonev1.KeystoneApplicationCredential{}). Owns(&placementv1.PlacementAPI{}). Owns(&glancev1.Glance{}). Owns(&cinderv1.Cinder{}). diff --git a/internal/openstack/applicationcredential.go b/internal/openstack/applicationcredential.go new file mode 100644 index 000000000..02d402ba9 --- /dev/null +++ b/internal/openstack/applicationcredential.go 
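Review bot: The second added RBAC marker grants `patch` and `update` on `keystoneapplicationcredentials/status`, but the code this commit adds in internal/openstack/applicationcredential.go only reads that status (`acCR.IsReady()`, `acCR.Status.SecretName`) from an object fetched with `Get`, which the marker on the main resource already covers. Unless a path outside this diff writes the status, I would drop the `/status` marker so the control-plane operator's role stays limited to what it uses. The `delete` verb on the main resource is exercised by the disable path in that file, so that marker is needed as written.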
@@ -0,0 +1,208 @@ +package openstack + +import ( + "context" + "time" + + keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1" + "github.com/openstack-k8s-operators/lib-common/modules/common/helper" + corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/api/core/v1beta1" + k8s_errors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" +) + +// mergeAppCred returns a new ApplicationCredentialSection by overlaying +// service-specific values on top of the global defaults. +func mergeAppCred( + global corev1beta1.ApplicationCredentialSection, + svc *corev1beta1.ServiceAppCredSection, +) corev1beta1.ApplicationCredentialSection { + out := global + if svc != nil { + out.Enabled = svc.Enabled + + // only override expiry/grace if specified + if svc.ExpirationDays != nil { + out.ExpirationDays = svc.ExpirationDays + } + if svc.GracePeriodDays != nil { + out.GracePeriodDays = svc.GracePeriodDays + } + + // only override Roles if user set them + if len(svc.Roles) > 0 { + out.Roles = svc.Roles + } + // only override Unrestricted if user set it + if svc.Unrestricted != nil { + out.Unrestricted = svc.Unrestricted + } + // only override AccessRules if user set them + if len(svc.AccessRules) > 0 { + out.AccessRules = svc.AccessRules + } + } + + return out +} + +// isACEnabled checks if AC should be enabled for a given service configuration +func isACEnabled(globalAC corev1beta1.ApplicationCredentialSection, serviceAC *corev1beta1.ServiceAppCredSection) bool { + // Global AC must be enabled + if !globalAC.Enabled { + return false + } + // Service AC must be enabled + return serviceAC != nil && serviceAC.Enabled +} + +// EnsureApplicationCredentialForService handles AC creation for a single service. 
+// If service is not ready, AC creation is deferred +// If AC already exists and is ready, it's used immediately +// If AC doesn't exist and service is ready, AC is created +// +// Returns: +// - acSecretName: name of the AC secret (from status), empty if not ready +// - result: ctrl.Result with requeue if AC is being created/not ready +// - err: any error that occurred +func EnsureApplicationCredentialForService( + ctx context.Context, + helper *helper.Helper, + instance *corev1beta1.OpenStackControlPlane, + serviceName string, + serviceReady bool, + secretName string, + passwordSelector string, + serviceUser string, + acConfig *corev1beta1.ServiceAppCredSection, +) (acSecretName string, result ctrl.Result, err error) { + Log := GetLogger(ctx) + + // Generate AC CR name + acName := keystonev1.GetACCRName(serviceName) + + // Check if AC CR exists + acCR := &keystonev1.KeystoneApplicationCredential{ + ObjectMeta: metav1.ObjectMeta{ + Name: acName, + Namespace: instance.Namespace, + }, + } + err = helper.GetClient().Get(ctx, types.NamespacedName{Name: acName, Namespace: instance.Namespace}, acCR) + + if err != nil && !k8s_errors.IsNotFound(err) { + return "", ctrl.Result{}, err + } + acExists := err == nil + + // Check if AC is enabled for this service + if !isACEnabled(instance.Spec.ApplicationCredential, acConfig) { + // AC disabled for this service - delete AC CR if it exists + if acExists { + Log.Info("Application Credential disabled, deleting existing KeystoneApplicationCredential CR", "service", serviceName, "acName", acName) + if err := helper.GetClient().Delete(ctx, acCR); err != nil && !k8s_errors.IsNotFound(err) { + return "", ctrl.Result{}, err + } + } + return "", ctrl.Result{}, nil + } + + // Validate required fields are not empty + if secretName == "" || passwordSelector == "" || serviceUser == "" { + Log.Info("Skipping Application Credential creation: required fields not yet defaulted", + "service", serviceName, + "secretName", secretName, + 
"passwordSelector", passwordSelector, + "serviceUser", serviceUser) + return "", ctrl.Result{}, nil + } + + // Merge global and service-specific AC configuration + merged := mergeAppCred(instance.Spec.ApplicationCredential, acConfig) + + // Check if AC CR exists and is ready + if acExists { + if acCR.IsReady() { + Log.Info("Application Credential is ready", "service", serviceName, "acName", acName, "secretName", acCR.Status.SecretName) + return acCR.Status.SecretName, ctrl.Result{}, nil + } + // Application Credential exists but not ready yet + Log.Info("Application Credential not ready yet, requeuing", "service", serviceName, "acName", acName) + return "", ctrl.Result{RequeueAfter: time.Second * 10}, nil + } + + // AC doesn't exist + if !serviceReady { + // Service not ready, don't create Application Credential yet + Log.Info("Service not ready, deferring Application Credential creation", "service", serviceName) + return "", ctrl.Result{}, nil + } + + // Service is ready, create Application Credential CR + Log.Info("Service is ready, creating Application Credential", "service", serviceName, "acName", acName) + + err = reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged) + if err != nil { + return "", ctrl.Result{}, err + } + + // AC created, but not ready yet - requeue to check readiness + return "", ctrl.Result{RequeueAfter: time.Second * 5}, nil +} + +// reconcileApplicationCredential creates or updates a single ApplicationCredential CR +func reconcileApplicationCredential( + ctx context.Context, + helper *helper.Helper, + instance *corev1beta1.OpenStackControlPlane, + acName string, + userName string, + secretName string, + passwordSelector string, + effective corev1beta1.ApplicationCredentialSection, +) error { + log := GetLogger(ctx) + + acObj := &keystonev1.KeystoneApplicationCredential{ + ObjectMeta: metav1.ObjectMeta{ + Name: acName, + Namespace: instance.Namespace, + }, + } + + op, err := 
controllerutil.CreateOrPatch(ctx, helper.GetClient(), acObj, func() error { + acObj.Spec.UserName = userName + acObj.Spec.ExpirationDays = *effective.ExpirationDays + acObj.Spec.GracePeriodDays = *effective.GracePeriodDays + acObj.Spec.Secret = secretName + acObj.Spec.PasswordSelector = passwordSelector + acObj.Spec.Roles = effective.Roles + acObj.Spec.Unrestricted = *effective.Unrestricted + + if len(effective.AccessRules) > 0 { + kr := make([]keystonev1.ACRule, 0, len(effective.AccessRules)) + for _, r := range effective.AccessRules { + kr = append(kr, keystonev1.ACRule{ + Service: r.Service, + Path: r.Path, + Method: r.Method, + }) + } + acObj.Spec.AccessRules = kr + } + + return controllerutil.SetControllerReference( + helper.GetBeforeObject(), acObj, helper.GetScheme(), + ) + }) + if err != nil { + return err + } + if op != controllerutil.OperationResultNone { + log.Info("Reconciled Application Credential", "name", acName, "user", userName, "operation", op) + } + return nil +} diff --git a/internal/openstack/barbican.go b/internal/openstack/barbican.go index a4a29151f..60ccf7369 100644 --- a/internal/openstack/barbican.go +++ b/internal/openstack/barbican.go 
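Review bot: In EnsureApplicationCredentialForService the `if acExists` branch returns as soon as the CR is found, so `merged` is only applied on first creation, even though reconcileApplicationCredential uses CreateOrPatch and is documented as "creates or updates". As far as this file shows, a later change to roles, accessRules, unrestricted or the expiry values in the control plane spec, including a tightening, never reaches the existing KeystoneApplicationCredential. Calling `if err := reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged); err != nil { return "", ctrl.Result{}, err }` at the top of that branch would keep the CR in step with the spec; the mutate function would then also need to assign `acObj.Spec.AccessRules` unconditionally so that removed rules are cleared. Separately, `*effective.ExpirationDays`, `*effective.GracePeriodDays` and `*effective.Unrestricted` are dereferenced without a nil check, which would panic the reconciler if CRD defaulting has not populated the global section.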
@@ -61,6 +61,45 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr } } + // Application Credential Management (Day-2 operation) + barbicanReady := barbican.Status.ObservedGeneration == barbican.Generation && barbican.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + barbicanSecret := instance.Spec.Barbican.Template.Secret + if barbicanSecret == "" { + barbicanSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Barbican.ApplicationCredential) || + instance.Spec.Barbican.Template.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + barbican.Name, + barbicanReady, + barbicanSecret, + instance.Spec.Barbican.Template.PasswordSelectors.Service, + instance.Spec.Barbican.Template.ServiceUser, + instance.Spec.Barbican.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Barbican.Template.Auth.ApplicationCredentialSecret = acSecretName + } + // preserve any previously set TLS certs, set CA cert if instance.Spec.TLS.PodLevel.Enabled { instance.Spec.Barbican.Template.BarbicanAPI.TLS = barbican.Spec.BarbicanAPI.TLS diff --git a/internal/openstack/cinder.go b/internal/openstack/cinder.go index 16f45472b..7f5fdb5a4 100644 --- a/internal/openstack/cinder.go +++ b/internal/openstack/cinder.go 
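Review bot: The comment above the final assignment to `Auth.ApplicationCredentialSecret` names two outcomes, but the helper added in this commit returns an empty name with an empty `ctrl.Result{}` in two further cases: when no AC CR exists and the service is not ready, and in its early return that logs `passwordSelector` and `serviceUser`. In both cases the `acResult != ctrl.Result{}` check does not fire, so the field is set to "" while AC is enabled, and the service presumably stays on password authentication with nothing on the control plane recording that. I would add a third bullet, `// - If AC enabled but deferred (service not ready or inputs missing): returns ""`, and consider reporting the deferred state in a status condition so an operator auditing credential usage can see it. The same block and comment appear in the cinder, designate, glance, heat, ironic, manila, neutron, nova, octavia, placement, swift, telemetry and watcher hunks. ReconcileBarbican begins and ends outside this hunk.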
@@ -84,6 +84,45 @@ func ReconcileCinder(ctx context.Context, instance *corev1beta1.OpenStackControl } } + // Application Credential Management (Day-2 operation) + cinderReady := cinder.Status.ObservedGeneration == cinder.Generation && cinder.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + cinderSecret := instance.Spec.Cinder.Template.Secret + if cinderSecret == "" { + cinderSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Cinder.ApplicationCredential) || + instance.Spec.Cinder.Template.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + cinder.Name, + cinderReady, + cinderSecret, + instance.Spec.Cinder.Template.PasswordSelectors.Service, + instance.Spec.Cinder.Template.ServiceUser, + instance.Spec.Cinder.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Cinder.Template.Auth.ApplicationCredentialSecret = acSecretName + } + // preserve any previously set TLS certs,set CA cert if instance.Spec.TLS.PodLevel.Enabled { instance.Spec.Cinder.Template.CinderAPI.TLS = cinder.Spec.CinderAPI.TLS diff --git a/internal/openstack/designate.go b/internal/openstack/designate.go index ee7ab703d..364b7822d 100644 --- a/internal/openstack/designate.go +++ b/internal/openstack/designate.go 
@@ -73,6 +73,45 @@ func ReconcileDesignate(ctx context.Context, instance *corev1beta1.OpenStackCont } } + // Application Credential Management (Day-2 operation) + designateReady := designate.Status.ObservedGeneration == designate.Generation && designate.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + designateSecret := instance.Spec.Designate.Template.Secret + if designateSecret == "" { + designateSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Designate.ApplicationCredential) || + instance.Spec.Designate.Template.DesignateAPI.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + designate.Name, + designateReady, + designateSecret, + instance.Spec.Designate.Template.PasswordSelectors.Service, + instance.Spec.Designate.Template.ServiceUser, + instance.Spec.Designate.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Designate.Template.DesignateAPI.Auth.ApplicationCredentialSecret = acSecretName + } + svcs, err := service.GetServicesListWithLabel( ctx, helper, diff --git a/internal/openstack/glance.go b/internal/openstack/glance.go index b29da2548..8d5dcabcd 100644 --- a/internal/openstack/glance.go +++ b/internal/openstack/glance.go 
@@ -95,6 +95,57 @@ func ReconcileGlance(ctx context.Context, instance *corev1beta1.OpenStackControl } } + // Application Credential Management (Day-2 operation) + // Check if AC should be enabled and manage it accordingly + glanceReady := glance.Status.ObservedGeneration == glance.Generation && glance.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + glanceSecret := instance.Spec.Glance.Template.Secret + if glanceSecret == "" { + glanceSecret = instance.Spec.Secret + } + + // Check if any GlanceAPI has AC configured + hasACConfigured := false + for _, glanceAPI := range instance.Spec.Glance.Template.GlanceAPIs { + if glanceAPI.Auth.ApplicationCredentialSecret != "" { + hasACConfigured = true + break + } + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Glance.ApplicationCredential) || hasACConfigured { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + glance.Name, + glanceReady, + glanceSecret, + instance.Spec.Glance.Template.PasswordSelectors.Service, + instance.Spec.Glance.Template.ServiceUser, + instance.Spec.Glance.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret for all GlanceAPIs based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + for name, glanceAPI := range instance.Spec.Glance.Template.GlanceAPIs { + glanceAPI.Auth.ApplicationCredentialSecret = acSecretName + instance.Spec.Glance.Template.GlanceAPIs[name] = glanceAPI + } + } + // add selector to service overrides for name, glanceAPI := range instance.Spec.Glance.Template.GlanceAPIs { eps := []service.Endpoint{service.EndpointPublic, 
service.EndpointInternal} diff --git a/internal/openstack/heat.go b/internal/openstack/heat.go index b80f3a37a..16d493d5b 100644 --- a/internal/openstack/heat.go +++ b/internal/openstack/heat.go @@ -93,6 +93,41 @@ func ReconcileHeat(ctx context.Context, instance *corev1beta1.OpenStackControlPl instance.Spec.Heat.Template.HeatAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName instance.Spec.Heat.Template.HeatCfnAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName + // Application Credential Management (Day-2 operation) + heatReady := heat.Status.ObservedGeneration == heat.Generation && heat.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + heatSecret := instance.Spec.Heat.Template.Secret + if heatSecret == "" { + heatSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Heat.ApplicationCredential) || + instance.Spec.Heat.Template.Auth.ApplicationCredentialSecret != "" { + + heatACSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, helper, instance, heat.Name, heatReady, + heatSecret, + instance.Spec.Heat.Template.PasswordSelectors.Service, + instance.Spec.Heat.Template.ServiceUser, + instance.Spec.Heat.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Heat.Template.Auth.ApplicationCredentialSecret = heatACSecretName + } + // Heat API svcs, err := service.GetServicesListWithLabel( ctx, diff --git a/internal/openstack/ironic.go b/internal/openstack/ironic.go index b42bd6551..c922b0580 100644 
--- a/internal/openstack/ironic.go +++ b/internal/openstack/ironic.go 
@@ -93,6 +93,75 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl instance.Spec.Ironic.Template.IronicAPI.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName instance.Spec.Ironic.Template.IronicInspector.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName + // Application Credential Management (Day-2 operation) + // Ironic has 2 users: ironic (main service) and ironic-inspector + ironicReady := ironic.Status.ObservedGeneration == ironic.Generation && ironic.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + // Both ironic and ironic-inspector share the same secret + ironicSecret := instance.Spec.Ironic.Template.Secret + if ironicSecret == "" { + ironicSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Ironic.ApplicationCredential) || + instance.Spec.Ironic.Template.Auth.ApplicationCredentialSecret != "" || + instance.Spec.Ironic.Template.IronicInspector.Auth.ApplicationCredentialSecret != "" { + + // AC for main ironic service + ironicACSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + ironic.Name, + ironicReady, + ironicSecret, + instance.Spec.Ironic.Template.PasswordSelectors.Service, + instance.Spec.Ironic.Template.ServiceUser, + instance.Spec.Ironic.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret for main ironic service based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Ironic.Template.Auth.ApplicationCredentialSecret = ironicACSecretName + + // AC for ironic-inspector (separate user, separate AC, but shares 
the same secret as ironic) + inspectorACSecretName, inspectorACResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + "ironic-inspector", + ironicReady, + ironicSecret, // Inspector shares the same secret as ironic + instance.Spec.Ironic.Template.IronicInspector.PasswordSelectors.Service, + instance.Spec.Ironic.Template.IronicInspector.ServiceUser, + instance.Spec.Ironic.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (inspectorACResult != ctrl.Result{}) { + return inspectorACResult, nil + } + + // Set ApplicationCredentialSecret for ironic-inspector based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Ironic.Template.IronicInspector.Auth.ApplicationCredentialSecret = inspectorACSecretName + } + // Ironic API svcs, err := service.GetServicesListWithLabel( ctx, diff --git a/internal/openstack/manila.go b/internal/openstack/manila.go index 08d01e031..d946b2f68 100644 --- a/internal/openstack/manila.go +++ b/internal/openstack/manila.go 
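Review bot: The ironic-inspector call passes `instance.Spec.Ironic.ApplicationCredential`, the same section used for the main ironic user, so the inspector credential always receives ironic's `roles`, `accessRules` and `unrestricted` settings and cannot be scoped more narrowly. Access rules are service/path/method triples, so rules written for one user's API calls may be wrong or too broad for the other. The telemetry hunk gives each user its own section (`ApplicationCredentialAodh` and so on); if sharing is intended here, say so at the call, e.g. `// inspector deliberately reuses ironic's AC settings (roles, access rules, expiry)`. The hunk also shows no check that the inspector is deployed before its credential is requested, though ReconcileIronic extends beyond the hunk and may handle that elsewhere.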
@@ -63,6 +63,45 @@ func ReconcileManila(ctx context.Context, instance *corev1beta1.OpenStackControl } } + // Application Credential Management (Day-2 operation) + manilaReady := manila.Status.ObservedGeneration == manila.Generation && manila.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + manilaSecret := instance.Spec.Manila.Template.Secret + if manilaSecret == "" { + manilaSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Manila.ApplicationCredential) || + instance.Spec.Manila.Template.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + manila.Name, + manilaReady, + manilaSecret, + instance.Spec.Manila.Template.PasswordSelectors.Service, + instance.Spec.Manila.Template.ServiceUser, + instance.Spec.Manila.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Manila.Template.Auth.ApplicationCredentialSecret = acSecretName + } + // preserve any previously set TLS certs, set CA cert if instance.Spec.TLS.PodLevel.Enabled { instance.Spec.Manila.Template.ManilaAPI.TLS = manila.Spec.ManilaAPI.TLS diff --git a/internal/openstack/neutron.go b/internal/openstack/neutron.go index af2e697ab..cf33dadd5 100644 --- a/internal/openstack/neutron.go +++ b/internal/openstack/neutron.go 
@@ -107,6 +107,45 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro } instance.Spec.Neutron.Template.TLS.CaBundleSecretName = instance.Status.TLS.CaBundleSecretName + // Application Credential Management (Day-2 operation) + neutronReady := neutronAPI.Status.ObservedGeneration == neutronAPI.Generation && neutronAPI.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + neutronSecret := instance.Spec.Neutron.Template.Secret + if neutronSecret == "" { + neutronSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Neutron.ApplicationCredential) || + instance.Spec.Neutron.Template.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + neutronAPI.Name, + neutronReady, + neutronSecret, + instance.Spec.Neutron.Template.PasswordSelectors.Service, + instance.Spec.Neutron.Template.ServiceUser, + instance.Spec.Neutron.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Neutron.Template.Auth.ApplicationCredentialSecret = acSecretName + } + svcs, err := service.GetServicesListWithLabel( ctx, helper, diff --git a/internal/openstack/nova.go b/internal/openstack/nova.go index fd4e97671..0837f4c75 100644 --- a/internal/openstack/nova.go +++ b/internal/openstack/nova.go 
@@ -155,6 +155,45 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl instance.Spec.Nova.Template.CellTemplates[cellName] = cellTemplate } + // Application Credential Management (Day-2 operation) + novaReady := nova.Status.ObservedGeneration == nova.Generation && nova.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + novaSecret := instance.Spec.Nova.Template.Secret + if novaSecret == "" { + novaSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Nova.ApplicationCredential) || + instance.Spec.Nova.Template.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + nova.Name, + novaReady, + novaSecret, + instance.Spec.Nova.Template.PasswordSelectors.Service, + instance.Spec.Nova.Template.ServiceUser, + instance.Spec.Nova.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Nova.Template.Auth.ApplicationCredentialSecret = acSecretName + } + // Nova API svcs, err := service.GetServicesListWithLabel( ctx, diff --git a/internal/openstack/octavia.go b/internal/openstack/octavia.go index 076996f75..49aed0fc4 100644 --- a/internal/openstack/octavia.go +++ b/internal/openstack/octavia.go 
@@ -139,6 +139,45 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro } } + // Application Credential Management (Day-2 operation) + octaviaReady := octavia.Status.ObservedGeneration == octavia.Generation && octavia.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + octaviaSecret := instance.Spec.Octavia.Template.Secret + if octaviaSecret == "" { + octaviaSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Octavia.ApplicationCredential) || + instance.Spec.Octavia.Template.OctaviaAPI.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + octavia.Name, + octaviaReady, + octaviaSecret, + instance.Spec.Octavia.Template.PasswordSelectors.Service, + instance.Spec.Octavia.Template.ServiceUser, + instance.Spec.Octavia.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Octavia.Template.OctaviaAPI.Auth.ApplicationCredentialSecret = acSecretName + } + svcs, err := service.GetServicesListWithLabel( ctx, helper, diff --git a/internal/openstack/placement.go b/internal/openstack/placement.go index 7d59f4b3e..960eeb4bd 100644 --- a/internal/openstack/placement.go +++ b/internal/openstack/placement.go 
@@ -70,6 +70,45 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC } } + // Application Credential Management (Day-2 operation) + placementReady := placementAPI.Status.ObservedGeneration == placementAPI.Generation && placementAPI.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + placementSecret := instance.Spec.Placement.Template.Secret + if placementSecret == "" { + placementSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Placement.ApplicationCredential) || + instance.Spec.Placement.Template.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + placementAPI.Name, + placementReady, + placementSecret, + instance.Spec.Placement.Template.PasswordSelectors.Service, + instance.Spec.Placement.Template.ServiceUser, + instance.Spec.Placement.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Placement.Template.Auth.ApplicationCredentialSecret = acSecretName + } + // set CA cert and preserve any previously set TLS certs if instance.Spec.TLS.PodLevel.Enabled { instance.Spec.Placement.Template.TLS = placementAPI.Spec.TLS diff --git a/internal/openstack/swift.go b/internal/openstack/swift.go index 5c0651ea2..d965214e6 100644 --- a/internal/openstack/swift.go +++ b/internal/openstack/swift.go 
@@ -76,6 +76,45 @@ func ReconcileSwift(ctx context.Context, instance *corev1beta1.OpenStackControlP } } + // Application Credential Management (Day-2 operation) + swiftReady := swift.Status.ObservedGeneration == swift.GetGeneration() && swift.IsReady() + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + swiftSecret := instance.Spec.Swift.Template.SwiftProxy.Secret + if swiftSecret == "" { + swiftSecret = instance.Spec.Secret + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Swift.ApplicationCredential) || + instance.Spec.Swift.Template.SwiftProxy.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + swift.Name, + swiftReady, + swiftSecret, + instance.Spec.Swift.Template.SwiftProxy.PasswordSelectors.Service, + instance.Spec.Swift.Template.SwiftProxy.ServiceUser, + instance.Spec.Swift.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Swift.Template.SwiftProxy.Auth.ApplicationCredentialSecret = acSecretName + } + // preserve any previously set TLS certs,set CA cert if instance.Spec.TLS.PodLevel.Enabled { instance.Spec.Swift.Template.SwiftProxy.TLS = swift.Spec.SwiftProxy.TLS diff --git a/internal/openstack/telemetry.go b/internal/openstack/telemetry.go index 5c9e3d377..fd7a697ef 100644 --- a/internal/openstack/telemetry.go +++ b/internal/openstack/telemetry.go 
@@ -98,6 +98,136 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont telemetry.Name) } + // Application Credential Management (Day-2 operation) + // Telemetry has 3 separate services with 3 different users: aodh, ceilometer, cloudkitty + telemetryReady := telemetry.Status.ObservedGeneration == telemetry.Generation && telemetry.IsReady() + + // AC for Aodh (if service enabled) + if instance.Spec.Telemetry.Template.Autoscaling.Enabled != nil && *instance.Spec.Telemetry.Template.Autoscaling.Enabled { + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Telemetry.ApplicationCredentialAodh) || + instance.Spec.Telemetry.Template.Autoscaling.Aodh.Auth.ApplicationCredentialSecret != "" { + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + aodhSecret := instance.Spec.Telemetry.Template.Autoscaling.Aodh.Secret + if aodhSecret == "" { + aodhSecret = instance.Spec.Secret + } + + aodhACSecretName, aodhACResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + "aodh", + telemetryReady, + aodhSecret, + instance.Spec.Telemetry.Template.Autoscaling.Aodh.PasswordSelectors.AodhService, + instance.Spec.Telemetry.Template.Autoscaling.Aodh.ServiceUser, + instance.Spec.Telemetry.ApplicationCredentialAodh, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (aodhACResult != ctrl.Result{}) { + return aodhACResult, nil + } + + // Set ApplicationCredentialSecret for Aodh based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Telemetry.Template.Autoscaling.Aodh.Auth.ApplicationCredentialSecret = aodhACSecretName + } + } else { + // Aodh service disabled, clear the field + instance.Spec.Telemetry.Template.Autoscaling.Aodh.Auth.ApplicationCredentialSecret = "" 
+ } + + // AC for Ceilometer (if service enabled) + if instance.Spec.Telemetry.Template.Ceilometer.Enabled != nil && *instance.Spec.Telemetry.Template.Ceilometer.Enabled { + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Telemetry.ApplicationCredentialCeilometer) || + instance.Spec.Telemetry.Template.Ceilometer.Auth.ApplicationCredentialSecret != "" { + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + ceilometerSecret := instance.Spec.Telemetry.Template.Ceilometer.Secret + if ceilometerSecret == "" { + ceilometerSecret = instance.Spec.Secret + } + + ceilometerACSecretName, ceilometerACResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + "ceilometer", + telemetryReady, + ceilometerSecret, + instance.Spec.Telemetry.Template.Ceilometer.PasswordSelectors.CeilometerService, + instance.Spec.Telemetry.Template.Ceilometer.ServiceUser, + instance.Spec.Telemetry.ApplicationCredentialCeilometer, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (ceilometerACResult != ctrl.Result{}) { + return ceilometerACResult, nil + } + + // Set ApplicationCredentialSecret for Ceilometer based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Telemetry.Template.Ceilometer.Auth.ApplicationCredentialSecret = ceilometerACSecretName + } + } else { + // Ceilometer service disabled, clear the field + instance.Spec.Telemetry.Template.Ceilometer.Auth.ApplicationCredentialSecret = "" + } + + // AC for CloudKitty (if service enabled) + if instance.Spec.Telemetry.Template.CloudKitty.Enabled != nil && *instance.Spec.Telemetry.Template.CloudKitty.Enabled { + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, 
instance.Spec.Telemetry.ApplicationCredentialCloudKitty) || + instance.Spec.Telemetry.Template.CloudKitty.Auth.ApplicationCredentialSecret != "" { + + // Apply same fallback logic as in CreateOrPatch to avoid passing empty values to AC + cloudkittySecret := instance.Spec.Telemetry.Template.CloudKitty.Secret + if cloudkittySecret == "" { + cloudkittySecret = instance.Spec.Secret + } + + cloudkittyACSecretName, cloudkittyACResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + "cloudkitty", + telemetryReady, + cloudkittySecret, + instance.Spec.Telemetry.Template.CloudKitty.PasswordSelectors.CloudKittyService, + instance.Spec.Telemetry.Template.CloudKitty.ServiceUser, + instance.Spec.Telemetry.ApplicationCredentialCloudKitty, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (cloudkittyACResult != ctrl.Result{}) { + return cloudkittyACResult, nil + } + + // Set ApplicationCredentialSecret for CloudKitty based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Telemetry.Template.CloudKitty.Auth.ApplicationCredentialSecret = cloudkittyACSecretName + } + } else { + // CloudKitty service disabled, clear the field + instance.Spec.Telemetry.Template.CloudKitty.Auth.ApplicationCredentialSecret = "" + } + // preserve any previously set TLS certs, set CA cert if instance.Spec.TLS.PodLevel.Enabled { instance.Spec.Telemetry.Template.Autoscaling.Aodh.TLS = telemetry.Spec.Autoscaling.Aodh.TLS diff --git a/internal/openstack/watcher.go b/internal/openstack/watcher.go index 1519ef3c6..7298d6eb2 100644 --- a/internal/openstack/watcher.go +++ b/internal/openstack/watcher.go 
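Review bot: The three `else` branches for a disabled Aodh, Ceilometer or CloudKitty only blank `Auth.ApplicationCredentialSecret` and never call `EnsureApplicationCredentialForService`, so whatever cleanup the helper performs for a disabled AC is skipped on this path. If an AC CR was created while the sub-service was enabled, nothing in this hunk removes it, and the Keystone credential behind it would presumably stay valid until it expires (the CRD default for `expirationDays` is 730). I would either route the disabled-service case through the helper, or record the gap at each branch with `// NOTE: the AC CR for this user is not deleted here; it must be revoked separately`. ReconcileTelemetry continues outside the hunk, so a cleanup may exist that is not visible here.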
@@ -60,6 +60,61 @@ func ReconcileWatcher(ctx context.Context, instance *corev1beta1.OpenStackContro } } + // Application Credential Management (Day-2 operation) + // Watcher uses pointer fields, safely extract values + watcherReady := watcher.Status.ObservedGeneration == watcher.Generation && watcher.IsReady() + + // Helper to get Watcher values (which are pointers) with fallback logic + getWatcherSecret := func() string { + if instance.Spec.Watcher.Template.Secret != nil && *instance.Spec.Watcher.Template.Secret != "" { + return *instance.Spec.Watcher.Template.Secret + } + // Apply same fallback as in CreateOrPatch + return instance.Spec.Secret + } + getWatcherServiceUser := func() string { + if instance.Spec.Watcher.Template.ServiceUser != nil { + return *instance.Spec.Watcher.Template.ServiceUser + } + return "" + } + getWatcherPasswordSelector := func() string { + if instance.Spec.Watcher.Template.PasswordSelectors.Service != nil { + return *instance.Spec.Watcher.Template.PasswordSelectors.Service + } + return "" + } + + // Only call if AC enabled or currently configured + if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Watcher.ApplicationCredential) || + instance.Spec.Watcher.Template.Auth.ApplicationCredentialSecret != "" { + + acSecretName, acResult, err := EnsureApplicationCredentialForService( + ctx, + helper, + instance, + watcher.Name, + watcherReady, + getWatcherSecret(), + getWatcherPasswordSelector(), + getWatcherServiceUser(), + instance.Spec.Watcher.ApplicationCredential, + ) + if err != nil { + return ctrl.Result{}, err + } + + // If AC is not ready, return immediately without updating the service CR + if (acResult != ctrl.Result{}) { + return acResult, nil + } + + // Set ApplicationCredentialSecret based on what the helper returned: + // - If AC disabled: returns "" + // - If AC enabled and ready: returns the AC secret name + instance.Spec.Watcher.Template.Auth.ApplicationCredentialSecret = acSecretName + } + // preserve any 
previously set TLS certs, set CA cert if instance.Spec.TLS.PodLevel.Enabled { instance.Spec.Watcher.Template.APIServiceTemplate.TLS = watcher.Spec.APIServiceTemplate.TLS diff --git a/test/functional/ctlplane/openstackoperator_controller_test.go b/test/functional/ctlplane/openstackoperator_controller_test.go index 982383d31..4d03a5fb0 100644 --- a/test/functional/ctlplane/openstackoperator_controller_test.go +++ b/test/functional/ctlplane/openstackoperator_controller_test.go 
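Review bot: `getWatcherServiceUser` and `getWatcherPasswordSelector` turn a nil pointer into "", and that empty value is passed straight to `EnsureApplicationCredentialForService`. The helper's early return earlier in this diff (the one logging `passwordSelector` and `serviceUser`) appears to answer with an empty secret name and no error, so with AC enabled and an undefaulted Watcher template the credential is skipped without any error. Since each closure is called once, plain locals would read more simply, and a guard before the call makes the case explicit, e.g. `if watcherUser == "" || watcherSelector == "" { /* log and skip AC */ }`. ReconcileWatcher starts and ends outside the hunk.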
@@ -4064,7 +4064,253 @@ var _ = Describe("OpenStackOperator controller nova cell deletion", func() { g.Expect(k8s_errors.IsNotFound(err)).To(BeTrue()) }, timeout, interval).Should(Succeed()) }) + }) + }) +}) + +var _ = Describe("Application Credentials configuration in control plane", func() { + When("global application credentials are enabled", func() { + BeforeEach(func() { + spec := GetDefaultOpenStackControlPlaneSpec() + spec["applicationCredential"] = map[string]interface{}{ + "enabled": true, + "expirationDays": 730, + "gracePeriodDays": 364, + "roles": []string{"service", "admin"}, + "unrestricted": false, + } + spec["cinder"] = map[string]interface{}{ + "enabled": true, + "applicationCredential": map[string]interface{}{ + "enabled": true, + "expirationDays": 100, + "gracePeriodDays": 50, + "roles": []string{"custom", "role"}, + "unrestricted": true, + }, + } + + DeferCleanup(th.DeleteInstance, + CreateOpenStackControlPlane(names.OpenStackControlplaneName, spec), + ) + }) + + It("should fill defaults correctly", func() { + Eventually(func(g Gomega) { + cp := GetOpenStackControlPlane(names.OpenStackControlplaneName) + g.Expect(cp.Spec.ApplicationCredential.Enabled).To(BeTrue()) + g.Expect(*cp.Spec.ApplicationCredential.ExpirationDays).To(Equal(730)) + g.Expect(*cp.Spec.ApplicationCredential.GracePeriodDays).To(Equal(364)) + g.Expect(cp.Spec.ApplicationCredential.Roles).To(ConsistOf("admin", "service")) + g.Expect(*cp.Spec.ApplicationCredential.Unrestricted).To(BeFalse()) + + ac := cp.Spec.Cinder.ApplicationCredential + g.Expect(ac).NotTo(BeNil()) + g.Expect(*ac.ExpirationDays).To(Equal(100)) + g.Expect(*ac.GracePeriodDays).To(Equal(50)) + g.Expect(ac.Roles).To(ConsistOf("custom", "role")) + g.Expect(*ac.Unrestricted).To(BeTrue()) + }, timeout, interval).Should(Succeed()) + }) + + It("should configure ApplicationCredential with service-specific overrides and global defaults", func() { + cp := GetOpenStackControlPlane(names.OpenStackControlplaneName) + + // 
Verify global AC configuration + global := cp.Spec.ApplicationCredential + Expect(global.Enabled).To(BeTrue()) + Expect(*global.ExpirationDays).To(Equal(730)) + Expect(*global.GracePeriodDays).To(Equal(364)) + Expect(global.Roles).To(ConsistOf("admin", "service")) + Expect(*global.Unrestricted).To(BeFalse()) + + // Verify Cinder has service-specific overrides + Expect(cp.Spec.Cinder.Enabled).To(BeTrue()) + Expect(cp.Spec.Cinder.ApplicationCredential).NotTo(BeNil()) + Expect(cp.Spec.Cinder.ApplicationCredential.Enabled).To(BeTrue()) + cinderAC := cp.Spec.Cinder.ApplicationCredential + Expect(*cinderAC.ExpirationDays).To(Equal(100)) + Expect(*cinderAC.GracePeriodDays).To(Equal(50)) + Expect(cinderAC.Roles).To(ConsistOf("custom", "role")) + Expect(*cinderAC.Unrestricted).To(BeTrue()) + + // Verify Glance and Manila inherit global defaults (no service-specific AC overrides) + // The service specific values are nil/empty, they inherit the global defaults with mergeAppCred function + Expect(cp.Spec.Glance.Enabled).To(BeTrue()) + Expect(cp.Spec.Manila.Enabled).To(BeTrue()) + Expect(cp.Spec.Manila.Template).NotTo(BeNil()) + + if cp.Spec.Glance.ApplicationCredential != nil { + glanceAC := cp.Spec.Glance.ApplicationCredential + Expect(glanceAC.ExpirationDays).To(BeNil()) + Expect(glanceAC.GracePeriodDays).To(BeNil()) + Expect(glanceAC.Roles).To(BeEmpty()) + Expect(glanceAC.Unrestricted).To(BeNil()) + } + + if cp.Spec.Manila.ApplicationCredential != nil { + manilaAC := cp.Spec.Manila.ApplicationCredential + Expect(manilaAC.ExpirationDays).To(BeNil()) + Expect(manilaAC.GracePeriodDays).To(BeNil()) + Expect(manilaAC.Roles).To(BeEmpty()) + Expect(manilaAC.Unrestricted).To(BeNil()) + } + }) + }) + + When("global application credentials are disabled", func() { + BeforeEach(func() { + spec := GetDefaultOpenStackControlPlaneSpec() + spec["applicationCredential"] = map[string]interface{}{"enabled": false} + spec["cinder"] = map[string]interface{}{ + "enabled": true, + 
"applicationCredential": map[string]interface{}{ + "enabled": true, + }, + } + spec["glance"] = map[string]interface{}{ + "enabled": true, + } + + DeferCleanup(th.DeleteInstance, + CreateOpenStackControlPlane(names.OpenStackControlplaneName, spec), + ) + }) + + It("should have global AC disabled in spec", func() { + cp := GetOpenStackControlPlane(names.OpenStackControlplaneName) + Expect(cp.Spec.ApplicationCredential.Enabled).To(BeFalse()) + }) + }) + + When("service-specific application credentials are disabled", func() { + BeforeEach(func() { + spec := GetDefaultOpenStackControlPlaneSpec() + spec["applicationCredential"] = map[string]interface{}{"enabled": true} + spec["glance"] = map[string]interface{}{ + "enabled": true, + "applicationCredential": map[string]interface{}{ + "enabled": false, + }, + } + spec["cinder"] = map[string]interface{}{ + "enabled": true, + "applicationCredential": map[string]interface{}{ + "enabled": true, + }, + } + + DeferCleanup(th.DeleteInstance, + CreateOpenStackControlPlane(names.OpenStackControlplaneName, spec), + ) + }) + + It("should have service-specific AC disabled in spec", func() { + cp := GetOpenStackControlPlane(names.OpenStackControlplaneName) + + // Glance is disabled + Expect(cp.Spec.Glance.Enabled).To(BeTrue()) + Expect(cp.Spec.Glance.ApplicationCredential).NotTo(BeNil()) + Expect(cp.Spec.Glance.ApplicationCredential.Enabled).To(BeFalse()) + + // Cidner is enabled + Expect(cp.Spec.Cinder.Enabled).To(BeTrue()) + Expect(cp.Spec.Cinder.ApplicationCredential).NotTo(BeNil()) + Expect(cp.Spec.Cinder.ApplicationCredential.Enabled).To(BeTrue()) + }) + + It("should NOT set ApplicationCredentialSecret field before services are ready", func() { + cp := GetOpenStackControlPlane(names.OpenStackControlplaneName) + + // In functional tests, no actual services are deployed, so they never become "Ready" + // The reconciler should NOT set ApplicationCredentialSecret until service is ready (Day-2) + // This verifies the new dynamic 
behavior where AC is only applied after service readiness + + if cp.Spec.Cinder.Template != nil { + Expect(cp.Spec.Cinder.Template.Auth.ApplicationCredentialSecret).To(BeEmpty(), + "ApplicationCredentialSecret should be empty when service is not ready") + } + + if cp.Spec.Glance.Template != nil && len(cp.Spec.Glance.Template.GlanceAPIs) > 0 { + for apiName, glanceAPI := range cp.Spec.Glance.Template.GlanceAPIs { + Expect(glanceAPI.Auth.ApplicationCredentialSecret).To(BeEmpty(), + "ApplicationCredentialSecret for Glance API %s should be empty when service is not ready", apiName) + } + } + }) + }) + + When("Heat service with application credentials enabled", func() { + BeforeEach(func() { + spec := GetDefaultOpenStackControlPlaneSpec() + spec["applicationCredential"] = map[string]interface{}{ + "enabled": true, + "expirationDays": 730, + "gracePeriodDays": 364, + } + spec["heat"] = map[string]interface{}{ + "enabled": true, + "template": map[string]interface{}{ + "databaseInstance": "openstack", + "secret": "osp-secret", + "apiTimeout": 60, + }, + "applicationCredential": map[string]interface{}{ + "enabled": true, + }, + } + + DeferCleanup(th.DeleteInstance, + CreateOpenStackControlPlane(names.OpenStackControlplaneName, spec), + ) + }) + + It("should configure ApplicationCredential in spec for Heat service", func() { + // Verify the spec is configured correctly for Heat AC + cp := GetOpenStackControlPlane(names.OpenStackControlplaneName) + Expect(cp.Spec.Heat.Enabled).To(BeTrue()) + Expect(cp.Spec.Heat.ApplicationCredential).NotTo(BeNil()) + Expect(cp.Spec.Heat.ApplicationCredential.Enabled).To(BeTrue()) + Expect(cp.Spec.Heat.Template).NotTo(BeNil()) + }) + }) + + When("Ironic service with application credentials enabled", func() { + BeforeEach(func() { + spec := GetDefaultOpenStackControlPlaneSpec() + spec["applicationCredential"] = map[string]interface{}{ + "enabled": true, + "expirationDays": 730, + "gracePeriodDays": 364, + } + spec["ironic"] = 
map[string]interface{}{ + "enabled": true, + "template": map[string]interface{}{ + "databaseInstance": "openstack", + "secret": "osp-secret", + "ironicConductors": []map[string]interface{}{ + { + "replicas": 1, + }, + }, + }, + "applicationCredential": map[string]interface{}{ + "enabled": true, + }, + } + + DeferCleanup(th.DeleteInstance, + CreateOpenStackControlPlane(names.OpenStackControlplaneName, spec), + ) + }) + It("should configure ApplicationCredential in spec for Ironic service", func() { + // Verify the spec is configured correctly for Ironic AC + cp := GetOpenStackControlPlane(names.OpenStackControlplaneName) + Expect(cp.Spec.Ironic.Enabled).To(BeTrue()) + Expect(cp.Spec.Ironic.ApplicationCredential).NotTo(BeNil()) + Expect(cp.Spec.Ironic.ApplicationCredential.Enabled).To(BeTrue()) + Expect(cp.Spec.Ironic.Template).NotTo(BeNil()) }) }) diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/01-assert-deploy-openstack.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/01-assert-deploy-openstack.yaml new file mode 120000 index 000000000..762a8cf31 --- /dev/null +++ b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/01-assert-deploy-openstack.yaml @@ -0,0 +1 @@ +../../common/assert-sample-deployment.yaml \ No newline at end of file diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/01-deploy-openstack.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/01-deploy-openstack.yaml new file mode 100644 index 000000000..6c9d0887d --- /dev/null +++ b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/01-deploy-openstack.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: | + oc kustomize ../../../../config/samples/base/openstackcontrolplane | oc apply -n $NAMESPACE -f - 
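Review bot: The test "should NOT set ApplicationCredentialSecret field before services are ready" can pass without checking anything: the Cinder assertion sits behind `if cp.Spec.Cinder.Template != nil`, the Glance one behind a length check, and the control plane is read once rather than polled, so the read may happen before the reconciler has touched the spec. Since this is the only test in the hunk guarding against the credential secret being wired in before readiness, I would assert the template exists with `Expect(cp.Spec.Cinder.Template).NotTo(BeNil())` and wrap the empty-field checks in `Consistently(func(g Gomega) { ... }, timeout, interval).Should(Succeed())`. Separately, "should fill defaults correctly" sets every field explicitly in its BeforeEach, so it does not exercise the CRD defaults, and nothing in this hunk covers the `gracePeriodDays < expirationDays` validation or `accessRules`. The comment `// Cidner is enabled` should read `// Cinder is enabled`.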
diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml
new file mode 100644
index 000000000..7453d5b13
--- /dev/null
+++ b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml
@@ -0,0 +1,141 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +commands: + - script: |- + set -euo pipefail + NS="${NAMESPACE}" + + wait_ready() { + echo "Waiting for appcred/ac-$1 to be Ready..." + oc wait appcred/ac-$1 -n "$NS" --for=condition=Ready --timeout=180s + } + + check_field() { + local name=$1 field=$2 expected=$3 + local actual=$(oc get appcred ac-$name -n "$NS" -o jsonpath="{.spec.$field}" 2>/dev/null || echo "") + if [ "$actual" != "$expected" ]; then + echo "ERROR: ac-$name.$field: expected '$expected', got '$actual'" + exit 1 + fi + echo "✓ ac-$name.$field = $expected" + } + + check_roles() { + local name=$1 + shift + local expected_roles=("$@") + local roles=$(oc get appcred ac-$name -n "$NS" -o jsonpath='{.spec.roles[*]}') + + # Check each expected role is present + for role in "${expected_roles[@]}"; do + if [[ ! " $roles " =~ " $role " ]]; then + echo "ERROR: ac-$name: Role '$role' not found. Got: $roles" + exit 1 + fi + done + + # Check role count matches + local role_count=$(echo "$roles" | wc -w) + if [ "$role_count" -ne "${#expected_roles[@]}" ]; then + echo "ERROR: ac-$name: Expected ${#expected_roles[@]} roles, got $role_count: $roles" + exit 1 + fi + + echo "✓ ac-$name.roles = [${expected_roles[*]}]" + } + + echo "=========================================" + echo "Testing Application Credential CRs" + echo "=========================================" + echo + + echo "=== Checking global ApplicationCredential is enabled ===" + global_enabled=$(oc get openstackcontrolplane openstack -n "$NS" -o jsonpath='{.spec.applicationCredential.enabled}') + if [ "$global_enabled" != "true" ]; then + echo "ERROR: OpenStackControlPlane.spec.applicationCredential.enabled expected 'true', got '$global_enabled'" + exit 1 + fi + echo "✓ OpenStackControlPlane.spec.applicationCredential.enabled = true" + echo + + # ---- ac-barbican ---- + # Pure defaults: expirationDays=730, gracePeriodDays=364, roles=[admin,service], unrestricted=false + echo "=== 
Testing ac-barbican (pure defaults) ===" + wait_ready barbican + check_field barbican expirationDays 730 + check_field barbican gracePeriodDays 364 + check_roles barbican "admin" "service" + check_field barbican unrestricted "false" + echo + + # ---- ac-cinder ---- + # Full custom overrides + echo "=== Testing ac-cinder (full custom overrides) ===" + wait_ready cinder + check_field cinder expirationDays 10 + check_field cinder gracePeriodDays 5 + check_roles cinder "admin" "service" + check_field cinder unrestricted "true" + echo + + # ---- ac-glance ---- + # Partial overrides (expiration values only) + echo "=== Testing ac-glance (partial overrides) ===" + wait_ready glance + check_field glance expirationDays 180 + check_field glance gracePeriodDays 60 + check_roles glance "admin" "service" + check_field glance unrestricted "false" + echo + + # ---- ac-swift ---- + # Role override only + echo "=== Testing ac-swift (roles override) ===" + wait_ready swift + check_field swift expirationDays 730 + check_field swift gracePeriodDays 364 + check_roles swift "service" + check_field swift unrestricted "false" + echo + + # ---- ac-neutron ---- + # Inherits all defaults + echo "=== Testing ac-neutron (inherits defaults) ===" + wait_ready neutron + check_field neutron expirationDays 730 + check_field neutron gracePeriodDays 364 + check_roles neutron "admin" "service" + check_field neutron unrestricted "false" + echo + + # ---- ac-placement ---- + # Custom expiration only + echo "=== Testing ac-placement (expiration override) ===" + wait_ready placement + check_field placement expirationDays 90 + check_field placement gracePeriodDays 30 + check_roles placement "admin" "service" + check_field placement unrestricted "false" + echo + + # ---- ac-nova ---- + # Multiple roles + echo "=== Testing ac-nova (multiple roles) ===" + wait_ready nova + check_field nova expirationDays 730 + check_field nova gracePeriodDays 364 + check_roles nova "admin" "service" "member" + check_field 
nova unrestricted "false" + echo + + # ---- ac-ceilometer ---- + # Telemetry/Ceilometer component (enabled by default in base sample) + echo "=== Testing ac-ceilometer (telemetry/ceilometer) ===" + wait_ready ceilometer + check_field ceilometer expirationDays 45 + check_field ceilometer gracePeriodDays 20 + check_roles ceilometer "service" + check_field ceilometer unrestricted "false" + echo + + echo "All ApplicationCredential CRs validated successfully" diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-deploy-appcred-config.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-deploy-appcred-config.yaml new file mode 100644 index 000000000..3cb5652ca --- /dev/null +++ b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-deploy-appcred-config.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: | + oc kustomize ../../../../config/samples/applicationcredentials | oc apply -n $NAMESPACE -f - diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-cleanup.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-cleanup.yaml new file mode 100644 index 000000000..df9df9fe0 --- /dev/null +++ b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-cleanup.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: core.openstack.org/v1beta1 + kind: OpenStackControlPlane + name: openstack +commands: +- script: | + oc delete secret --ignore-not-found=true combined-ca-bundle -n $NAMESPACE + oc delete secret -l service-cert -n $NAMESPACE + oc delete secret -l ca-cert -n $NAMESPACE diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-errors-cleanup.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-errors-cleanup.yaml new file mode 120000 index 000000000..4d7b8362e --- /dev/null +++ b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/03-errors-cleanup.yaml 
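Review bot: In `check_field`, `local actual=$(oc get ... 2>/dev/null || echo "")` discards both the exit status and the error text of `oc get`, so an RBAC or API failure is reported as a value mismatch (`got ''`) rather than its real cause; `check_roles` has the same `local roles=$(...)` form, where `local` masks the status even under `set -e`. Declare and assign separately and drop the suppression: `local actual; actual=$(oc get appcred "ac-$name" -n "$NS" -o jsonpath="{.spec.$field}")`. Quoting `"appcred/ac-$1"` in `wait_ready` is the same kind of tidy-up. The script asserts only `.spec` of each AppCred CR; a check that the service CR's `auth.applicationCredentialSecret` ends up populated would cover the wiring this commit adds, though that may be handled in a step not shown here.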
@@ -0,0 +1 @@
+../../common/errors_cleanup_openstack.yaml
\ No newline at end of file