Application Credential support

Signed-off-by: Veronika Fisarova <[email protected]>

Author: Deydra71

api/go.mod

@@ -75,4 +75,6 @@ require (
 
 // mschuppert: map to latest commit from release-4.18 tag
 // must consistent within modules and service operators
-replace github.com/openshift/api => github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e //allow-merging
+replace github.com/openshift/api => github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094 //allow-merging
+
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20250922101113-f41006b2859b

config/rbac/role.yaml

@@ -34,6 +34,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -106,6 +114,14 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - keystone.openstack.org
+  resources:
+  - keystoneapplicationcredentials
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - keystone.openstack.org
   resources:

controllers/swift_common.go

@@ -28,8 +28,13 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 
 	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"

controllers/swift_controller.go

@@ -59,6 +59,8 @@ func (r *SwiftReconciler) GetLogger(ctx context.Context) logr.Logger {
 //+kubebuilder:rbac:groups=swift.openstack.org,resources=swifts,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=swift.openstack.org,resources=swifts/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=swift.openstack.org,resources=swifts/finalizers,verbs=update;patch
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
+//+kubebuilder:rbac:groups=keystone.openstack.org,resources=keystoneapplicationcredentials,verbs=get;list;watch
 
 // service account, role, rolebinding
 // +kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch

controllers/swiftproxy_controller.go

@@ -39,6 +39,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	k8s_errors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 
@@ -510,6 +511,19 @@ func (r *SwiftProxyReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return ctrlResult, err
 	}
 
+	// Check for Application Credentials
+	ctrlResult, err = r.verifyApplicationCredentials(
+		ctx,
+		r.GetLogger(ctx),
+		helper.GetClient(),
+		instance.Namespace,
+		"swift",
+		&envVars,
+	)
+	if (err != nil || ctrlResult != ctrl.Result{}) {
+		return ctrlResult, err
+	}
+
 	// Get the service password and pass it to the template
 	sps, _, err := secret.GetSecret(ctx, helper, instance.Spec.Secret, instance.Namespace)
 	if err != nil {
@@ -569,6 +583,20 @@ func (r *SwiftProxyReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return ctrl.Result{}, err
 	}
 
+	// Get Application Credential data if available
+	useAC := false
+	acID := ""
+	acSecret := ""
+	// Try to get Application Credential for this service (via keystone api helper)
+	if acData, err := keystonev1.GetApplicationCredentialFromSecret(ctx, r.Client, instance.Namespace, swift.ServiceName); err != nil {
+		Log.Error(err, "Failed to get ApplicationCredential for service", "service", swift.ServiceName)
+	} else if acData != nil {
+		useAC = true
+		acID = acData.ID
+		acSecret = acData.Secret
+		Log.Info("Using ApplicationCredentials auth", "service", swift.ServiceName)
+	}
+
 	// Create a Secret populated with content from templates/
 	tpl := swiftproxy.SecretTemplates(
 		instance,
@@ -581,7 +609,13 @@ func (r *SwiftProxyReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		secretRef,
 		os.GetRegion(),
 		transportURLString,
+<<<<<<< HEAD
 		instance.Spec.APITimeout,
+=======
+		useAC,
+		acID,
+		acSecret,
+>>>>>>> d1ed12b (Application Credential support)
 	)
 	err = secret.EnsureSecrets(ctx, helper, instance, tpl, &envVars)
 	if err != nil {
@@ -835,7 +869,43 @@ func (r *SwiftProxyReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Ma
 		return nil
 	}
 
-	return ctrl.NewControllerManagedBy(mgr).
+	// Application Credential secret watching function
+	acSecretFn := func(_ context.Context, o client.Object) []reconcile.Request {
+		name := o.GetName()
+		ns := o.GetNamespace()
+		result := []reconcile.Request{}
+
+		// Only handle Secret objects
+		if _, isSecret := o.(*corev1.Secret); !isSecret {
+			return nil
+		}
+
+		// Check if this is a swift AC secret by name pattern (ac-swift-secret)
+		expectedSecretName := keystonev1.GetACSecretName("swift")
+		if name == expectedSecretName {
+			// get all SwiftProxy CRs in this namespace
+			swiftProxies := &swiftv1beta1.SwiftProxyList{}
+			listOpts := []client.ListOption{
+				client.InNamespace(ns),
+			}
+			if err := r.Client.List(context.Background(), swiftProxies, listOpts...); err != nil {
+				return nil
+			}
+
+			// Enqueue reconcile for all swift proxy instances
+			for _, cr := range swiftProxies.Items {
+				objKey := client.ObjectKey{
+					Namespace: ns,
+					Name:      cr.Name,
+				}
+				result = append(result, reconcile.Request{NamespacedName: objKey})
+			}
+		}
+
+		return result
+	}
+
+	b := ctrl.NewControllerManagedBy(mgr).
 		For(&swiftv1beta1.SwiftProxy{}).
 		Owns(&corev1.Secret{}).
 		Owns(&keystonev1.KeystoneService{}).
@@ -848,15 +918,17 @@ func (r *SwiftProxyReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Ma
 			handler.EnqueueRequestsFromMapFunc(r.findObjectsForSrc),
 			builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
 		).
+		Watches(&corev1.Secret{},
+			handler.EnqueueRequestsFromMapFunc(acSecretFn)).
 		Watches(&memcachedv1.Memcached{},
 			handler.EnqueueRequestsFromMapFunc(memcachedFn)).
 		Watches(&topologyv1.Topology{},
 			handler.EnqueueRequestsFromMapFunc(r.findObjectsForSrc),
 			builder.WithPredicates(predicate.GenerationChangedPredicate{})).
 		Watches(&keystonev1.KeystoneAPI{},
 			handler.EnqueueRequestsFromMapFunc(r.findObjectForSrc),
-			builder.WithPredicates(keystonev1.KeystoneAPIStatusChangedPredicate)).
-		Complete(r)
+			builder.WithPredicates(keystonev1.KeystoneAPIStatusChangedPredicate))
+	return b.Complete(r)
 }
 
 func (r *SwiftProxyReconciler) findObjectsForSrc(ctx context.Context, src client.Object) []reconcile.Request {
@@ -1020,3 +1092,82 @@ func (r *SwiftProxyReconciler) transportURLCreateOrUpdate(
 
 	return transportURL, op, err
 }
+
+// verifyApplicationCredentials handles Application Credentials validation
+// It only uses AC if it's in a complete/ready state, otherwise continues with password auth
+func (r *SwiftProxyReconciler) verifyApplicationCredentials(
+	ctx context.Context,
+	log logr.Logger,
+	client client.Client,
+	namespace string,
+	serviceName string,
+	configVars *map[string]env.Setter,
+) (ctrl.Result, error) {
+	// Check for Application Credential - only use it if it's fully ready
+	acName := fmt.Sprintf("ac-%s", serviceName)
+	ac := &keystonev1.KeystoneApplicationCredential{}
+
+	if err := client.Get(ctx, types.NamespacedName{Namespace: namespace, Name: acName}, ac); err == nil {
+		// AC CR exists - check if it's in ready state
+		if r.isACReady(ctx, log, client, ac) {
+			// AC is ready - add it to configVars for hash tracking
+			secretKey := types.NamespacedName{Namespace: namespace, Name: ac.Status.SecretName}
+			hash, res, err := secret.VerifySecret(
+				ctx,
+				secretKey,
+				[]string{"AC_ID", "AC_SECRET"},
+				client,
+				10*time.Second,
+			)
+			if err != nil {
+				log.Info("ApplicationCredential secret verification failed, continuing with password auth", "error", err.Error())
+			} else if res.RequeueAfter > 0 {
+				return res, nil
+			} else {
+				// AC is ready and verified - add to configVars for change tracking
+				(*configVars)["secret-"+ac.Status.SecretName] = env.SetValue(hash)
+				log.Info("Using ApplicationCredential authentication")
+			}
+		} else {
+			// AC exists but not ready - wait for it
+			log.Info("ApplicationCredential exists but not ready, waiting")
+			return ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, nil
+		}
+	} else if !k8s_errors.IsNotFound(err) {
+		return ctrl.Result{}, err
+	}
+
+	return ctrl.Result{}, nil
+}
+
+// isACReady checks if ApplicationCredential is in a ready state with all required components
+func (r *SwiftProxyReconciler) isACReady(ctx context.Context, log logr.Logger, client client.Client, ac *keystonev1.KeystoneApplicationCredential) bool {
+	// Check if AC has completed setup (secret name is populated)
+	if ac.Status.SecretName == "" {
+		log.V(1).Info("AC not ready: SecretName not populated", "ac", ac.Name)
+		return false
+	}
+
+	secret := &corev1.Secret{}
+	secretKey := types.NamespacedName{Namespace: ac.Namespace, Name: ac.Status.SecretName}
+	if err := client.Get(ctx, secretKey, secret); err != nil {
+		log.V(1).Info("AC not ready: Secret not found", "secret", secretKey, "error", err)
+		return false
+	}
+
+	acID, acIDExists := secret.Data["AC_ID"]
+	acSecret, acSecretExists := secret.Data["AC_SECRET"]
+
+	if !acIDExists || !acSecretExists {
+		log.V(1).Info("AC not ready: Missing required fields", "secret", secretKey)
+		return false
+	}
+
+	if len(acID) == 0 || len(acSecret) == 0 {
+		log.V(1).Info("AC not ready: Empty required fields", "secret", secretKey)
+		return false
+	}
+
+	log.V(1).Info("AC is ready", "secret", secretKey)
+	return true
+}

go.mod

@@ -8,12 +8,12 @@ require (
 	github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.7.7
 	github.com/onsi/ginkgo/v2 v2.20.1
 	github.com/onsi/gomega v1.34.1
-	github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20250922094404-abaedfb5fe2d
+	github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20250804160755-893ae5639aec
 	github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250922155301-057562fb7182
-	github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20250916093250-82a76386143d
-	github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20250922082314-c83d83092a04
+	github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20250802061907-896a24e4fc36
+	github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20250730071847-837b07f8d72f
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250922082314-c83d83092a04
-	github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20250922082314-c83d83092a04
+	github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20250823121217-7e1cd2e3dd03
 	github.com/openstack-k8s-operators/swift-operator/api v0.3.1-0.20240523121736-379011b2cfac
 	k8s.io/api v0.31.12
 	k8s.io/apimachinery v0.31.12
@@ -51,7 +51,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/openshift/api v3.9.0+incompatible // indirect
-	github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20250922082314-c83d83092a04 // indirect
+	github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20250823121217-7e1cd2e3dd03 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
@@ -91,3 +91,5 @@ replace github.com/openshift/api => github.com/openshift/api v0.0.0-202507112000
 
 // custom RabbitmqClusterSpecCore for OpenStackControlplane (v2.6.0_patches_tag)
 replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250717122149-12f70b7f3d8d //allow-merging
+
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20250922101113-f41006b2859b

go.sum

@@ -1,3 +1,5 @@
+github.com/Deydra71/keystone-operator/api v0.0.0-20250922101113-f41006b2859b h1:PqXvGTQAwst+hmWDUod6yClfK3pgGVHBDYObjIQldKU=
+github.com/Deydra71/keystone-operator/api v0.0.0-20250922101113-f41006b2859b/go.mod h1:7ZuNZNtwRYklS2H5E5YSjsHOI2sYbAl1AD+N0W/G+8A=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -77,20 +79,18 @@ github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
 github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e h1:E1OdwSpqWuDPCedyUt0GEdoAE+r5TXy7YS21yNEo+2U=
 github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo=
-github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20250922094404-abaedfb5fe2d h1:3YV9Js9Gf4lsbYD8D66WVlwlxjrcZ2qmrdEXUE3703Q=
-github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20250922094404-abaedfb5fe2d/go.mod h1:t1OgOfbkr5e0GnYb/8DVF7ipTBvnkTiaajshsX/lEGc=
+github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20250804160755-893ae5639aec h1:/It+6NDGWlnVmtWyFRuTTz30lZ9F36fULFzUlTccIHg=
+github.com/openstack-k8s-operators/barbican-operator/api v0.6.1-0.20250804160755-893ae5639aec/go.mod h1:Yns9+BfjPFaHNdDgSH1hmCYGl3V6/HTBHlKS9K82Js8=
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250922155301-057562fb7182 h1:Ea+FZQOW0Eha1jorgSECFeqI9UrKz8TZlGnSM7X8Yf4=
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250922155301-057562fb7182/go.mod h1:3Im8PFiRKPaOZpOuqYShJRN2O2pfjUuhDTUpW4KMHZw=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20250916093250-82a76386143d h1:lSRMftk/MbN4qd8ihHh9ucdX4sfR/HUudEcy2h/BNhQ=
-github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20250916093250-82a76386143d/go.mod h1:7ZuNZNtwRYklS2H5E5YSjsHOI2sYbAl1AD+N0W/G+8A=
-github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20250922082314-c83d83092a04 h1:LJ8HkJVBvsO5sQSN+2u12wVE97KSrRpdVwc35LHGWJg=
-github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20250922082314-c83d83092a04/go.mod h1:/t8UOevAIOdAu7SAkfwfyZj6p2pkuupl3mZJPMNqNOo=
+github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20250730071847-837b07f8d72f h1:7w9WseH9LSKnLX3UW1AfWPaozN7fimdVoUtOYHnsQKY=
+github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20250730071847-837b07f8d72f/go.mod h1:0bajRHochTUT6Ecfriw27l3vL0yezVrnUmt3bcIpu4w=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250922082314-c83d83092a04 h1:JqJd39rF8rD9KIHmOEFbHP8UyYgttfuouj+kAFNtymU=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250922082314-c83d83092a04/go.mod h1:SmKRclrynSSRCXSLOoWlETalJPvt62ObHsfW8iPvtDA=
-github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20250922082314-c83d83092a04 h1:1t4qZshLvaTzytFb9foCBtTtKT4uXzYtVaYTlgYbt+4=
-github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20250922082314-c83d83092a04/go.mod h1:IO6+EHBk1Ttd4L8mfnMtG58cc36tDyvdxzCytn+hKeE=
-github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20250922082314-c83d83092a04 h1:j5P/ehO4bQ+VqNvqNiX7N/R8wnBweFy7MX685nh4mmY=
-github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20250922082314-c83d83092a04/go.mod h1:WbDAhyvX2UTyK9LzYZKjRvEGdn2fsQJHUo5l2J5q/vg=
+github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20250823121217-7e1cd2e3dd03 h1:tSMLVApQ4j4YJ56TGIYzaNo2Zh/ruDAY0wCcOEVKoIQ=
+github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20250823121217-7e1cd2e3dd03/go.mod h1:nachFP0Yicw/e8ZlqZzvnBN6w9kjMcnqrhaDw36PGjw=
+github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20250823121217-7e1cd2e3dd03 h1:DrKbzsweRx8VBNb5ur+/XcHSi+MR3VdzCsIEXYGc5SM=
+github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20250823121217-7e1cd2e3dd03/go.mod h1:U3LQ4Nz2+syTPfW66bSLv6OzefLpsqxWLdX9AFotRPA=
 github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250717122149-12f70b7f3d8d h1:0KCWljk2IEJ+aWNK+RiGpIdu51KPXrYA5RfyUcV4Mb4=
 github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20250717122149-12f70b7f3d8d/go.mod h1:6Mq2N/KtNFW20L+PQC5qkeK8R8UGadmGBXL8HDY6lcg=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=

pkg/swiftproxy/templates.go

@@ -39,7 +39,13 @@ func SecretTemplates(
 	secretRef string,
 	keystoneRegion string,
 	transportURL string,
+<<<<<<< HEAD
 	apiTimeout int,
+=======
+	useApplicationCredentials bool,
+	applicationCredentialID string,
+	applicationCredentialSecret string,
+>>>>>>> d1ed12b (Application Credential support)
 ) []util.Template {
 	templateParameters := make(map[string]any)
 	templateParameters["ServiceUser"] = instance.Spec.ServiceUser
@@ -54,6 +60,13 @@ func SecretTemplates(
 	templateParameters["TransportURL"] = transportURL
 	templateParameters["APITimeout"] = apiTimeout
 
+	// Application Credential parameters
+	templateParameters["UseApplicationCredentials"] = useApplicationCredentials
+	if useApplicationCredentials {
+		templateParameters["ApplicationCredentialID"] = applicationCredentialID
+		templateParameters["ApplicationCredentialSecret"] = applicationCredentialSecret
+	}
+
 	// MTLS params
 	if mc.Status.MTLSCert != "" {
 		templateParameters["MemcachedAuthCert"] = fmt.Sprint(memcachedv1.CertMountPath())