Adding passwordSelectors and secret to CR generation

Deydra71 · Deydra71 · commit 7cda4e472e41 · 2025-05-14T09:21:15.000+02:00
Signed-off-by: Veronika Fisarova &lt;vfisarov@redhat.com&gt;
diff --git a/apis/go.mod b/apis/go.mod
@@ -116,4 +116,4 @@ replace github.com/openshift/api => github.com/openshift/api v0.0.0-202408300231
 // custom RabbitmqClusterSpecCore for OpenStackControlplane (v2.9.0_patches_tag)
 replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20241017142550-a3524acedd49 //allow-merging
 
-replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20250507073641-38cb51217a45
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c
diff --git a/apis/go.sum b/apis/go.sum
@@ -1,5 +1,5 @@
-github.com/Deydra71/keystone-operator/api v0.0.0-20250507073641-38cb51217a45 h1:c13rfNoKIXAd5R/k1D5wCBWtsR31xylSaiXKmfaAI4w=
-github.com/Deydra71/keystone-operator/api v0.0.0-20250507073641-38cb51217a45/go.mod h1:VPkYswnrCtlSMTeYjgxTOpfNN7zvxqa+kZ8EWDJaFrg=
+github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c h1:DXnHQg/+AjMsoJqvQEusjkyjOsOPGbKJ8uRVLyTkseQ=
+github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c/go.mod h1:VPkYswnrCtlSMTeYjgxTOpfNN7zvxqa+kZ8EWDJaFrg=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cert-manager/cert-manager v1.14.7 h1:C2L59sMGMdSpd8SPx5qfPAL7ejZaNxJBRd24S7Ws5Ek=
diff --git a/go.mod b/go.mod
@@ -128,4 +128,4 @@ replace github.com/openshift/api => github.com/openshift/api v0.0.0-202408300231
 // custom RabbitmqClusterSpecCore for OpenStackControlplane (v2.9.0_patches_tag)
 replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20241017142550-a3524acedd49 //allow-merging
 
-replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20250507073641-38cb51217a45
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c
diff --git a/go.sum b/go.sum
@@ -1,5 +1,5 @@
-github.com/Deydra71/keystone-operator/api v0.0.0-20250507073641-38cb51217a45 h1:c13rfNoKIXAd5R/k1D5wCBWtsR31xylSaiXKmfaAI4w=
-github.com/Deydra71/keystone-operator/api v0.0.0-20250507073641-38cb51217a45/go.mod h1:VPkYswnrCtlSMTeYjgxTOpfNN7zvxqa+kZ8EWDJaFrg=
+github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c h1:DXnHQg/+AjMsoJqvQEusjkyjOsOPGbKJ8uRVLyTkseQ=
+github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c/go.mod h1:VPkYswnrCtlSMTeYjgxTOpfNN7zvxqa+kZ8EWDJaFrg=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cert-manager/cert-manager v1.14.7 h1:C2L59sMGMdSpd8SPx5qfPAL7ejZaNxJBRd24S7Ws5Ek=
diff --git a/pkg/openstack/applicationcredential.go b/pkg/openstack/applicationcredential.go
@@ -7,25 +7,20 @@ import (
 	keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	corev1beta1 "github.com/openstack-k8s-operators/openstack-operator/apis/core/v1beta1"
-
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
-// mergeAppCred returns a new ApplicationCredentialSection
-// by starting from the global defaults, then overriding
-// only the fields the service user has explicitly set
+// mergeAppCred returns a new ApplicationCredentialSection by overlaying
+// service-specific values on top of the global defaults.
 func mergeAppCred(
 	global corev1beta1.ApplicationCredentialSection,
 	svc *corev1beta1.ServiceAppCredSection,
 ) corev1beta1.ApplicationCredentialSection {
 	out := global
-
 	if svc != nil {
-		// always override Enabled, even if false
 		out.Enabled = svc.Enabled
-
 		// only override expiry/grace if the user actually set them
 		if svc.ExpirationDays != nil {
 			out.ExpirationDays = svc.ExpirationDays
@@ -34,30 +29,23 @@ func mergeAppCred(
 			out.GracePeriodDays = svc.GracePeriodDays
 		}
 	}
-
 	return out
 }
 
-// ReconcileApplicationCredentials ensures that every OpenStack service which
-// has AC enabled (both globally and per-service) has a corresponding
-// keystone.openstack.org/v1beta1 ApplicationCredential CR, with proper
-// ExpirationDays and GracePeriodDays inherited or overridden
+// ReconcileApplicationCredentials ensures an AC CR per enabled service,
+// propagating its secret name, passwordSelector, and serviceUser fields.
 func ReconcileApplicationCredentials(
 	ctx context.Context,
 	instance *corev1beta1.OpenStackControlPlane,
 	_ *corev1beta1.OpenStackVersion,
 	helper *helper.Helper,
 ) (ctrl.Result, error) {
-
 	log := GetLogger(ctx)
 
-	// If global AC is turned off, delete service AC CRs
+	// If global disabled, delete all ACs:
 	if !instance.Spec.ApplicationCredential.Enabled {
-		log.Info("Global .spec.applicationCredential.enabled is false – deleting all per-service AC CRs")
-		for _, svc := range []string{
-			"glance", "nova", "swift", "ceilometer",
-			"barbican", "cinder", "placement", "neutron",
-		} {
+		log.Info("Global AC disabled; deleting per-service AC CRs")
+		for _, svc := range []string{"glance", "nova", "swift", "ceilometer", "barbican", "cinder", "placement", "neutron"} {
 			ac := &keystonev1.ApplicationCredential{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      fmt.Sprintf("ac-%s", svc),
@@ -71,9 +59,25 @@ func ReconcileApplicationCredentials(
 		return ctrl.Result{}, nil
 	}
 
-	// Build list of services to reconcile
+	// Build a lookup with each service’s secret, selector, and service user name field:
+	services := map[string]struct {
+		SecretName       string
+		PasswordSelector string
+		ServiceUser      string
+	}{
+		"glance":     {instance.Spec.Glance.Template.Secret, instance.Spec.Glance.Template.PasswordSelectors.Service, instance.Spec.Glance.Template.ServiceUser},
+		"nova":       {instance.Spec.Nova.Template.Secret, instance.Spec.Nova.Template.PasswordSelectors.Service, instance.Spec.Nova.Template.ServiceUser},
+		"swift":      {instance.Spec.Swift.Template.SwiftProxy.Secret, instance.Spec.Swift.Template.SwiftProxy.PasswordSelectors.Service, instance.Spec.Swift.Template.SwiftProxy.ServiceUser},
+		"ceilometer": {instance.Spec.Telemetry.Template.Ceilometer.Secret, instance.Spec.Telemetry.Template.Ceilometer.PasswordSelectors.CeilometerService, instance.Spec.Telemetry.Template.Ceilometer.ServiceUser},
+		"barbican":   {instance.Spec.Barbican.Template.Secret, instance.Spec.Barbican.Template.PasswordSelectors.Service, instance.Spec.Barbican.Template.ServiceUser},
+		"cinder":     {instance.Spec.Cinder.Template.Secret, instance.Spec.Cinder.Template.PasswordSelectors.Service, instance.Spec.Cinder.Template.ServiceUser},
+		"placement":  {instance.Spec.Placement.Template.Secret, instance.Spec.Placement.Template.PasswordSelectors.Service, instance.Spec.Placement.Template.ServiceUser},
+		"neutron":    {instance.Spec.Neutron.Template.Secret, instance.Spec.Neutron.Template.PasswordSelectors.Service, instance.Spec.Neutron.Template.ServiceUser},
+	}
+
+	// Collect each service’s enabled flag and AC section:
 	type svcAC struct {
-		Name      string
+		Key       string
 		Enabled   bool
 		ACSection *corev1beta1.ServiceAppCredSection
 	}
@@ -87,33 +91,35 @@ func ReconcileApplicationCredentials(
 		{"placement", instance.Spec.Placement.Enabled, instance.Spec.Placement.ApplicationCredential},
 		{"neutron", instance.Spec.Neutron.Enabled, instance.Spec.Neutron.ApplicationCredential},
 	}
-
 	global := instance.Spec.ApplicationCredential
 
+	// Loop, CreateOrPatch or delete each AC CR:
 	for _, svc := range svcs {
-		acName := fmt.Sprintf("ac-%s", svc.Name)
+		acName := fmt.Sprintf("ac-%s", svc.Key)
 		acObj := &keystonev1.ApplicationCredential{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      acName,
 				Namespace: instance.Namespace,
 			},
 		}
 
+		// merge flags
 		effective := mergeAppCred(global, svc.ACSection)
-		// if either the service itself is disabled, or the merged AC.Enabled is false,
-		// then ensure that CR is deleted
 		if !(svc.Enabled && effective.Enabled) {
 			if res, err := EnsureDeleted(ctx, helper, acObj); err != nil {
 				return res, err
 			}
 			continue
 		}
 
-		// otherwise create or patch it to have exactly the merged values
+		// create/patch
 		op, err := controllerutil.CreateOrPatch(ctx, helper.GetClient(), acObj, func() error {
-			acObj.Spec.UserName = svc.Name
+			acObj.Spec.UserName = services[svc.Key].ServiceUser
 			acObj.Spec.ExpirationDays = *effective.ExpirationDays
 			acObj.Spec.GracePeriodDays = *effective.GracePeriodDays
+			acObj.Spec.Secret = services[svc.Key].SecretName
+			acObj.Spec.PasswordSelector = services[svc.Key].PasswordSelector
+
 			return controllerutil.SetControllerReference(
 				helper.GetBeforeObject(), acObj, helper.GetScheme(),
 			)
@@ -122,7 +128,7 @@ func ReconcileApplicationCredentials(
 			return ctrl.Result{}, err
 		}
 		if op != controllerutil.OperationResultNone {
-			log.Info("Reconciled ApplicationCredential", "service", svc.Name, "operation", op)
+			log.Info("Reconciled ApplicationCredential", "service", svc.Key, "operation", op)
 		}
 	}
 
