openstack-k8s-operators
diff --git a/‎apis/bases/core.openstack.org_openstackcontrolplanes.yaml‎
Lines changed: 374 additions & 0 deletions b/‎apis/bases/core.openstack.org_openstackcontrolplanes.yaml‎
Lines changed: 374 additions & 0 deletions
diff --git a/‎apis/core/v1beta1/openstackcontrolplane_types.go‎
Lines changed: 140 additions & 0 deletions b/‎apis/core/v1beta1/openstackcontrolplane_types.go‎
Lines changed: 140 additions & 0 deletions
@@ -218,6 +218,9 @@ type OpenStackControlPlaneSpec struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// Watcher - Parameters related to the Watcher service
 	Watcher WatcherSection `json:"watcher,omitempty"`
+
+	// ApplicationCredential - Parameters related to the ApplicationCredential
+	ApplicationCredential ApplicationCredentialSection `json:"applicationCredential"`
 }
 
 // TLSSection defines the desired state of TLS configuration
@@ -412,6 +415,13 @@ type PlacementSection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// APIOverride, provides the ability to override the generated manifest of several child resources.
 	APIOverride Override `json:"apiOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // GlanceSection defines the desired state of Glance service
@@ -438,6 +448,13 @@ type GlanceSection struct {
 	// Convenient to avoid podname (and thus hostname) collision between different deployments.
 	// Useful for CI jobs as well as preproduction and production environments that use the same storage backend, etc.
 	UniquePodNames bool `json:"uniquePodNames"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // CinderSection defines the desired state of Cinder service
@@ -464,6 +481,13 @@ type CinderSection struct {
 	// Convenient to avoid podname (and thus hostname) collision between different deployments.
 	// Useful for CI jobs as well as preproduction and production environments that use the same storage backend, etc.
 	UniquePodNames bool `json:"uniquePodNames"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // GaleraSection defines the desired state of Galera services
@@ -557,6 +581,13 @@ type NeutronSection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// APIOverride, provides the ability to override the generated manifest of several child resources.
 	APIOverride Override `json:"apiOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // NovaSection defines the desired state of Nova services
@@ -583,6 +614,13 @@ type NovaSection struct {
 	// for a nova cell. cell0 never have compute nodes and therefore it won't have a noVNCProxy deployed.
 	// Providing an override for cell0 noVNCProxy does not have an effect.
 	CellOverride map[string]NovaCellOverrideSpec `json:"cellOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // NovaCellOverrideSpec to override the generated manifest of several child resources.
@@ -704,6 +742,13 @@ type TelemetrySection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// AlertmanagerOverride, provides the ability to override the generated manifest of several child resources.
 	AlertmanagerOverride Override `json:"alertmanagerOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // SwiftSection defines the desired state of Swift service
@@ -723,6 +768,13 @@ type SwiftSection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// ProxyOverride, provides the ability to override the generated manifest of several child resources.
 	ProxyOverride Override `json:"proxyOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // OctaviaSection defines the desired state of the Octavia service
@@ -780,6 +832,13 @@ type BarbicanSection struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// APIOverride, provides the ability to override the generated manifest of several child resources.
 	APIOverride Override `json:"apiOverride,omitempty"`
+
+	// ApplicationCredential allows service-specific overrides of the global AC configuration.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +kubebuilder:default={enabled:false}
+	ApplicationCredential *ServiceAppCredSection `json:"applicationCredential"`
 }
 
 // RedisSection defines the desired state of the Redis service
@@ -823,6 +882,87 @@ type WatcherSection struct {
 	APIOverride Override `json:"apiOverride,omitempty"`
 }
 
+// +kubebuilder:validation:XValidation:rule="self.gracePeriodDays < self.expirationDays",message="gracePeriodDays must be smaller than expirationDays"
+// ApplicationCredentialSection defines the desired configuration for ApplicationCredentials
+type ApplicationCredentialSection struct {
+	// Enabled indicates whether an ApplicationCredential should be created
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=false
+	Enabled bool `json:"enabled"`
+
+	// ExpirationDays sets the lifetime in days for the AC
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=365
+	// +kubebuilder:validation:Minimum=2
+	ExpirationDays *int `json:"expirationDays,omitempty"`
+
+	// GracePeriodDays sets how many days before expiration the AC should be rotated
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=182
+	// +kubebuilder:validation:Minimum=1
+	GracePeriodDays *int `json:"gracePeriodDays,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default={"service"}
+	// +kubebuilder:validation:MinItems=1
+	// Roles to assign to the ApplicationCredential
+	Roles []string `json:"roles,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=false
+	// Whether the AC should be unrestricted
+	Unrestricted *bool `json:"unrestricted,omitempty"`
+
+	// AccessRules lets supply a custom list of rules
+	// If unset, no accessRules field is emitted
+	// +kubebuilder:validation:Optional
+	// +listType=atomic
+	AccessRules []ACRule `json:"accessRules,omitempty"`
+}
+
+// +kubebuilder:validation:XValidation:rule="!(has(self.expirationDays) && has(self.gracePeriodDays)) || self.gracePeriodDays < self.expirationDays",message="gracePeriodDays must be smaller than expirationDays"
+// ServiceAppCredSection allows service-specific overrides of the global AC configuration
+type ServiceAppCredSection struct {
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=false
+	Enabled bool `json:"enabled"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Minimum=2
+	ExpirationDays *int `json:"expirationDays,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Minimum=1
+	GracePeriodDays *int `json:"gracePeriodDays,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// Roles to assign to the ApplicationCredential
+	Roles []string `json:"roles,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// Whether the AC should be unrestricted
+	Unrestricted *bool `json:"unrestricted,omitempty"`
+
+	// AccessRules lets the service override either the global rules
+	// +kubebuilder:validation:Optional
+	// +listType=atomic
+	AccessRules []ACRule `json:"accessRules,omitempty"`
+}
+
+// ACRule describes a single access rule for an ApplicationCredential
+// +k8s:openapi-gen=true
+type ACRule struct {
+	// Service is the name of the service to target (e.g. "identity").
+	// +kubebuilder:validation:Required
+	Service string `json:"service"`
+	// Path is the HTTP path (e.g. "/v3/auth/tokens").
+	// +kubebuilder:validation:Required
+	Path string `json:"path"`
+	// Method is the HTTP method to allow (e.g. "POST").
+	// +kubebuilder:validation:Required
+	Method string `json:"method"`
+}
+
 // OpenStackControlPlaneStatus defines the observed state of OpenStackControlPlane
 type OpenStackControlPlaneStatus struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=status,xDescriptors={"urn:alm:descriptor:io.kubernetes.conditions"}