Application Credential support

Deydra71 · Deydra71 · commit 5d68e31fef1a · 2025-10-14T11:39:24.000+02:00
diff --git a/api/go.mod b/api/go.mod
@@ -105,3 +105,5 @@ replace k8s.io/component-base => k8s.io/component-base v0.31.13 //allow-merging
 replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec //allow-merging
 
 replace k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250627150254-e9823e99808e //allow-merging
+
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20251014080018-27792b7a40a5
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -102,6 +102,7 @@ rules:
   - keystone.openstack.org
   resources:
   - keystoneapis
+  - keystoneapplicationcredentials
   verbs:
   - get
   - list
diff --git a/controllers/swift_common.go b/controllers/swift_common.go
@@ -22,14 +22,14 @@ import (
 	"fmt"
 	"time"
 
+	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
-	"k8s.io/apimachinery/pkg/types"
 
-	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
-	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
diff --git a/controllers/swift_controller.go b/controllers/swift_controller.go
@@ -59,6 +59,8 @@ func (r *SwiftReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=swift.openstack.org,resources=swifts,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=swift.openstack.org,resources=swifts/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=swift.openstack.org,resources=swifts/finalizers,verbs=update;patch
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
+//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapplicationcredentials,verbs=get;list;watch
 
 // service account, role, rolebinding
 // +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch
diff --git a/controllers/swiftproxy_controller.go b/controllers/swiftproxy_controller.go
@@ -512,6 +512,19 @@ func (r *SwiftProxyReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return ctrlResult, err
 	}
 
+	// Check for Application Credentials
+	ctrlResult, err = keystonev1.VerifyApplicationCredentialsForService(
+		ctx,
+		r.Client,
+		instance.Namespace,
+		"swift",
+		&envVars,
+		10*time.Second,
+	)
+	if (err != nil || ctrlResult != ctrl.Result{}) {
+		return ctrlResult, err
+	}
+
 	// Get the service password and pass it to the template
 	sps, _, err := secret.GetSecret(ctx, helper, instance.Spec.Secret, instance.Namespace)
 	if err != nil {
@@ -578,6 +591,20 @@ func (r *SwiftProxyReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return ctrl.Result{}, err
 	}
 
+	// Get Application Credential data if available
+	useAC := false
+	acID := ""
+	acSecret := ""
+	// Try to get Application Credential for this service (via keystone api helper)
+	if acData, err := keystonev1.GetApplicationCredentialFromSecret(ctx, r.Client, instance.Namespace, swift.ServiceName); err != nil {
+		Log.Error(err, "Failed to get ApplicationCredential for service", "service", swift.ServiceName)
+	} else if acData != nil {
+		useAC = true
+		acID = acData.ID
+		acSecret = acData.Secret
+		Log.Info("Using ApplicationCredentials auth", "service", swift.ServiceName)
+	}
+
 	// Create a Secret populated with content from templates/
 	tpl := swiftproxy.SecretTemplates(
 		instance,
@@ -591,6 +618,9 @@ func (r *SwiftProxyReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		os.GetRegion(),
 		transportURLString,
 		instance.Spec.APITimeout,
+		useAC,
+		acID,
+		acSecret,
 	)
 	err = secret.EnsureSecrets(ctx, helper, instance, tpl, &envVars)
 	if err != nil {
@@ -846,6 +876,42 @@ func (r *SwiftProxyReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Ma
 		return nil
 	}
 
+	// Application Credential secret watching function
+	acSecretFn := func(_ context.Context, o client.Object) []reconcile.Request {
+		name := o.GetName()
+		ns := o.GetNamespace()
+		result := []reconcile.Request{}
+
+		// Only handle Secret objects
+		if _, isSecret := o.(*corev1.Secret); !isSecret {
+			return nil
+		}
+
+		// Check if this is a swift AC secret by name pattern (ac-swift-secret)
+		expectedSecretName := keystonev1.GetACSecretName("swift")
+		if name == expectedSecretName {
+			// get all SwiftProxy CRs in this namespace
+			swiftProxies := &swiftv1beta1.SwiftProxyList{}
+			listOpts := []client.ListOption{
+				client.InNamespace(ns),
+			}
+			if err := r.List(context.Background(), swiftProxies, listOpts...); err != nil {
+				return nil
+			}
+
+			// Enqueue reconcile for all swift proxy instances
+			for _, cr := range swiftProxies.Items {
+				objKey := client.ObjectKey{
+					Namespace: ns,
+					Name:      cr.Name,
+				}
+				result = append(result, reconcile.Request{NamespacedName: objKey})
+			}
+		}
+
+		return result
+	}
+
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&swiftv1beta1.SwiftProxy{}).
 		Owns(&corev1.Secret{}).
@@ -859,6 +925,8 @@ func (r *SwiftProxyReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Ma
 			handler.EnqueueRequestsFromMapFunc(r.findObjectsForSrc),
 			builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
 		).
+		Watches(&corev1.Secret{},
+			handler.EnqueueRequestsFromMapFunc(acSecretFn)).
 		Watches(&memcachedv1.Memcached{},
 			handler.EnqueueRequestsFromMapFunc(memcachedFn)).
 		Watches(&topologyv1.Topology{},
diff --git a/go.mod b/go.mod
@@ -116,3 +116,5 @@ replace k8s.io/component-base => k8s.io/component-base v0.31.13 //allow-merging
 replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250929174222-a0d328fa4dec //allow-merging
 
 replace k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250627150254-e9823e99808e //allow-merging
+
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20251014080018-27792b7a40a5
diff --git a/go.sum b/go.sum
@@ -1,3 +1,5 @@
+github.com/Deydra71/keystone-operator/api v0.0.0-20251014080018-27792b7a40a5 h1:qpFuqb7xf9rgua2qwOIJYhB9+ePHB0FfQ/mIufzw7Nc=
+github.com/Deydra71/keystone-operator/api v0.0.0-20251014080018-27792b7a40a5/go.mod h1:braI3juap0JIy6XOvu0AHqVGkfn2/dbw5BBRv84oSAw=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -102,8 +104,6 @@ github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20251007134031
 github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20251007134031-f8d7a8958555/go.mod h1:DtYNaat+pImzGhh+RgfLeSmUEqw6J/TqytTYbvxVg7E=
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251007170607-63860ee1375c h1:7Qv0lv6QXwouUPryiZeiVbAIeCv8qYFH3sf80w+V0DE=
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20251007170607-63860ee1375c/go.mod h1:Zkxq8zl7w7NRYGxfobFKHu/+MNA+65Lc6ZqtZ8yTogw=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20251007150354-bb6ae13a35cf h1:t3fxcJvKqG54QCbwmiPy5BbN/6bIHiJZArrlxeGyU1c=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20251007150354-bb6ae13a35cf/go.mod h1:braI3juap0JIy6XOvu0AHqVGkfn2/dbw5BBRv84oSAw=
 github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20251007102731-b786c86bffe7 h1:JcQRAHidrzir4FWiUb+y6L8kHA4bDEvZIiSShOj/lGU=
 github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20251007102731-b786c86bffe7/go.mod h1:tXxVkkk8HlATwTmDA5RTP3b+c8apfuMM15mZ2wW5iNs=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20251007102731-b786c86bffe7 h1:mlz/n5Fc5Ypbx5odAvKqlhZBNKEo9BdNtCwTo0mHusk=
diff --git a/pkg/swiftproxy/templates.go b/pkg/swiftproxy/templates.go
@@ -40,6 +40,9 @@ func SecretTemplates(
 	keystoneRegion string,
 	transportURL string,
 	apiTimeout int,
+	useApplicationCredentials bool,
+	applicationCredentialID string,
+	applicationCredentialSecret string,
 ) []util.Template {
 	templateParameters := make(map[string]any)
 	templateParameters["ServiceUser"] = instance.Spec.ServiceUser
@@ -54,6 +57,13 @@ func SecretTemplates(
 	templateParameters["TransportURL"] = transportURL
 	templateParameters["APITimeout"] = apiTimeout
 
+	// Application Credential parameters
+	templateParameters["UseApplicationCredentials"] = useApplicationCredentials
+	if useApplicationCredentials {
+		templateParameters["ApplicationCredentialID"] = applicationCredentialID
+		templateParameters["ApplicationCredentialSecret"] = applicationCredentialSecret
+	}
+
 	// MTLS params
 	if mc.Status.MTLSCert != "" {
 		templateParameters["MemcachedAuthCert"] = fmt.Sprint(memcachedv1.CertMountPath())
diff --git a/templates/swiftproxy/config/00-proxy-server.conf b/templates/swiftproxy/config/00-proxy-server.conf
@@ -80,12 +80,18 @@ project_reader_roles = SwiftProjectReader
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
 www_authenticate_uri = {{ .KeystonePublicURL }}
 auth_url = {{ .KeystonePublicURL }}
+{{ if .UseApplicationCredentials -}}
+auth_type = v3applicationcredential
+application_credential_id = {{ .ApplicationCredentialID }}
+application_credential_secret = {{ .ApplicationCredentialSecret }}
+{{- else -}}
 auth_plugin=password
 project_domain_id = default
 user_domain_id = default
 project_name = service
 username = {{ .ServiceUser }}
 password = {{ .ServicePassword }}
+{{- end }}
 delay_auth_decision = True
 
 [filter:s3api]
@@ -108,8 +114,14 @@ use = egg:swift#encryption
 [filter:ceilometer]
 paste.filter_factory = ceilometermiddleware.swift:filter_factory
 auth_url = {{ .KeystonePublicURL }}
+{{ if .UseApplicationCredentials -}}
+auth_type = v3applicationcredential
+application_credential_id = {{ .ApplicationCredentialID }}
+application_credential_secret = {{ .ApplicationCredentialSecret }}
+{{- else -}}
 password = {{ .ServicePassword }}
 username = {{ .ServiceUser }}
+{{- end }}
 region_name  = {{ .KeystoneRegion }}
 url = {{ .TransportURL }}
 project_name = service
