openstack-k8s-operators · vakwetu · Feb 12, 2026 · Feb 16, 2026
diff --git a/playbooks/skmo/ensure-central-ca-bundle.yaml b/playbooks/skmo/ensure-central-ca-bundle.yaml
@@ -0,0 +1,28 @@
+---
+- name: Ensure central control plane uses custom CA bundle
+  hosts: localhost
+  gather_facts: false
+  vars:
+    central_namespace: openstack
+    controlplane_name: controlplane
+    ca_bundle_secret_name: custom-ca-certs
+  tasks:
+    - name: Check current caBundleSecretName
+      ansible.builtin.shell: |
+        set -euo pipefail
+        oc -n {{ central_namespace }} get osctlplane {{ controlplane_name }} \
+          -o jsonpath='{.spec.tls.caBundleSecretName}'
+      args:
+        executable: /bin/bash
+      register: ca_bundle_name
+      changed_when: false
+      failed_when: false
+
+    - name: Patch control plane to use custom CA bundle when unset
+      ansible.builtin.shell: |
+        set -euo pipefail
+        oc -n {{ central_namespace }} patch osctlplane {{ controlplane_name }} \
+          --type json -p '[{"op":"add","path":"/spec/tls","value":{}},{"op":"add","path":"/spec/tls/caBundleSecretName","value":"{{ ca_bundle_secret_name }}"}]'
+      args:
+        executable: /bin/bash
+      when: ca_bundle_name.stdout | trim == ""
diff --git a/playbooks/skmo/prepare-leaf.yaml b/playbooks/skmo/prepare-leaf.yaml
@@ -0,0 +1,131 @@
+---
+- name: Prepare SKMO leaf prerequisites in regionZero
+  hosts: localhost
+  gather_facts: false
+  vars:
+    skmo_values_file: "{{ cifmw_architecture_repo }}/examples/va/multi-namespace-skmo/control-plane2/skmo-values.yaml"
+    osp_secrets_env_file: "{{ playbook_dir }}/../../lib/control-plane/base/osp-secrets.env"
+    central_namespace: openstack
+    leaf_namespace: openstack2
+    leaf_secret_name: osp-secret
+    central_rootca_secret: rootca-public
+  tasks:
+    - name: Load SKMO values
+      ansible.builtin.set_fact:
+        skmo_values: "{{ lookup('file', skmo_values_file) | from_yaml }}"
+
+    - name: Set SKMO leaf facts
+      ansible.builtin.set_fact:
+        leaf_region: "{{ skmo_values.data.leafRegion }}"
+        leaf_admin_user: "{{ skmo_values.data.leafAdminUser }}"
+        leaf_admin_project: "{{ skmo_values.data.leafAdminProject }}"
+        leaf_admin_password_key: "{{ skmo_values.data.leafAdminPasswordKey }}"
+        keystone_internal_url: "{{ skmo_values.data.keystoneInternalURL }}"
+        keystone_public_url: "{{ skmo_values.data.keystonePublicURL }}"
+        ca_bundle_secret_name: "{{ skmo_values.data.leafCaBundleSecretName }}"
+
+    - name: Ensure leaf osp-secret exists (pre-create from env file)
+      ansible.builtin.shell: |
+        set -euo pipefail
+        if ! oc -n {{ leaf_namespace }} get secret {{ leaf_secret_name }} >/dev/null 2>&1; then
+          oc -n {{ leaf_namespace }} create secret generic {{ leaf_secret_name }} \
+            --from-env-file="{{ osp_secrets_env_file }}" \
+            --dry-run=client -o yaml | oc apply -f -
+        fi
+      args:
+        executable: /bin/bash
+
+    - name: Read leaf admin password from leaf secret
+      ansible.builtin.shell: |
+        set -euo pipefail
+        oc -n {{ leaf_namespace }} get secret {{ leaf_secret_name }} \
+          -o jsonpath='{.data.{{ leaf_admin_password_key }}}' | base64 -d
+      args:
+        executable: /bin/bash
+      register: leaf_admin_password
+      changed_when: false
+
+    - name: Ensure leaf region exists in central Keystone
+      ansible.builtin.shell: |
+        set -euo pipefail
+        oc -n {{ central_namespace }} rsh openstackclient \
+          openstack region show {{ leaf_region }} >/dev/null 2>&1 || \
+        oc -n {{ central_namespace }} rsh openstackclient \
+          openstack region create {{ leaf_region }}
+      args:
+        executable: /bin/bash
+
+    - name: Ensure keystone catalog endpoints exist for leaf region
+      ansible.builtin.shell: |
+        set -euo pipefail
+        if ! oc -n {{ central_namespace }} rsh openstackclient \
+          openstack endpoint list --service keystone --interface public --region {{ leaf_region }} \
+          -f value -c ID | head -1 | grep -q .; then
+          oc -n {{ central_namespace }} rsh openstackclient \
+            openstack endpoint create --region {{ leaf_region }} identity public "{{ keystone_public_url }}"
+        fi
+        if ! oc -n {{ central_namespace }} rsh openstackclient \
+          openstack endpoint list --service keystone --interface internal --region {{ leaf_region }} \
+          -f value -c ID | head -1 | grep -q .; then
+          oc -n {{ central_namespace }} rsh openstackclient \
+            openstack endpoint create --region {{ leaf_region }} identity internal "{{ keystone_internal_url }}"
+        fi
+      args:
+        executable: /bin/bash
+
+    - name: Ensure leaf admin project exists in central Keystone
+      ansible.builtin.shell: |
+        set -euo pipefail
+        oc -n {{ central_namespace }} rsh openstackclient \
+          openstack project show {{ leaf_admin_project }} >/dev/null 2>&1 || \
+        oc -n {{ central_namespace }} rsh openstackclient \
+          openstack project create {{ leaf_admin_project }}
+      args:
+        executable: /bin/bash
+
+    - name: Ensure leaf admin user exists and has admin role
+      ansible.builtin.shell: |
+        set -euo pipefail
+        if ! oc -n {{ central_namespace }} rsh openstackclient \
+          openstack user show {{ leaf_admin_user }} >/dev/null 2>&1; then
+          oc -n {{ central_namespace }} rsh openstackclient \
+            openstack user create --domain Default --password "{{ leaf_admin_password.stdout | trim }}" {{ leaf_admin_user }}
+        fi
+        oc -n {{ central_namespace }} rsh openstackclient \
+          openstack role add --project {{ leaf_admin_project }} --user {{ leaf_admin_user }} admin
+      args:
+        executable: /bin/bash
+
+    - name: Create or append leaf CA bundle secret
+      ansible.builtin.shell: |
+        set -euo pipefail
+        tmpdir="$(mktemp -d)"
+        newkey="skmo-central-rootca.crt"
+        export TMPDIR="${tmpdir}"
+
+        if oc -n {{ leaf_namespace }} get secret {{ ca_bundle_secret_name }} \
+          >/dev/null 2>&1; then
+          oc -n {{ leaf_namespace }} get secret {{ ca_bundle_secret_name }} \
+            -o json | python3 -c '
+        import base64, json, os, sys
+        tmpdir = os.environ.get("TMPDIR")
+        data = json.load(sys.stdin).get("data", {})
+        for key, value in data.items():
+            path = os.path.join(tmpdir, key)
+            with open(path, "wb") as f:
+                f.write(base64.b64decode(value))
+        '
+        fi
+
+        oc -n {{ central_namespace }} get secret {{ central_rootca_secret }} \
+          -o jsonpath='{.data.tls\.crt}' | base64 -d \
+          > "${tmpdir}/${newkey}"
+
+        oc -n {{ leaf_namespace }} create secret generic \
+          {{ ca_bundle_secret_name }} \
+          --from-file="${tmpdir}" \
+          --dry-run=client -o yaml | oc apply -f -
+
+        rm -rf "${tmpdir}"
+      args:
+        executable: /bin/bash
diff --git a/playbooks/skmo/trust-leaf-ca.yaml b/playbooks/skmo/trust-leaf-ca.yaml
@@ -0,0 +1,51 @@
+---
+- name: Trust SKMO leaf CA in central region
+  hosts: localhost
+  gather_facts: false
+  vars:
+    skmo_values_file: "{{ cifmw_architecture_repo }}/examples/va/multi-namespace-skmo/control-plane2/skmo-values.yaml"
+    central_namespace: openstack
+    leaf_namespace: openstack2
+    leaf_rootca_secret: rootca-public
+  tasks:
+    - name: Load SKMO values
+      ansible.builtin.set_fact:
+        skmo_values: "{{ lookup('file', skmo_values_file) | from_yaml }}"
+
+    - name: Set central CA bundle secret name
+      ansible.builtin.set_fact:
+        central_ca_bundle_secret_name: "{{ skmo_values.data.centralCaBundleSecretName }}"
+
+    - name: Create or append central CA bundle secret
+      ansible.builtin.shell: |
+        set -euo pipefail
+        tmpdir="$(mktemp -d)"
+        newkey="skmo-leaf-rootca.crt"
+        export TMPDIR="${tmpdir}"
+
+        if oc -n {{ central_namespace }} get secret \
+          {{ central_ca_bundle_secret_name }} >/dev/null 2>&1; then
+          oc -n {{ central_namespace }} get secret \
+            {{ central_ca_bundle_secret_name }} -o json | python3 -c '
+        import base64, json, os, sys
+        tmpdir = os.environ.get("TMPDIR")
+        data = json.load(sys.stdin).get("data", {})
+        for key, value in data.items():
+            path = os.path.join(tmpdir, key)
+            with open(path, "wb") as f:
+                f.write(base64.b64decode(value))
+        '
+        fi
+
+        oc -n {{ leaf_namespace }} get secret {{ leaf_rootca_secret }} \
+          -o jsonpath='{.data.tls\.crt}' | base64 -d \
+          > "${tmpdir}/${newkey}"
+
+        oc -n {{ central_namespace }} create secret generic \
+          {{ central_ca_bundle_secret_name }} \
+          --from-file="${tmpdir}" \
+          --dry-run=client -o yaml | oc apply -f -
+
+        rm -rf "${tmpdir}"
+      args:
+        executable: /bin/bash
diff --git a/roles/ci_gen_kustomize_values/templates/multi-namespace-skmo b/roles/ci_gen_kustomize_values/templates/multi-namespace-skmo
@@ -0,0 +1 @@
+multi-namespace