Adding roles, access rules and unrestricted AC support

Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>

Author: Deydra71

apis/bases/core.openstack.org_openstackcontrolplanes.yaml

@@ -53,6 +53,17 @@ spec:
                     default: 7
                     minimum: 1
                     type: integer
+                  roles:
+                    default:
+                    - admin
+                    - service
+                    items:
+                      type: string
+                    minItems: 1
+                    type: array
+                  unrestricted:
+                    default: false
+                    type: boolean
                 type: object
                 x-kubernetes-validations:
                 - message: gracePeriodDays must be smaller than expirationDays
@@ -188,6 +199,17 @@ spec:
                       enabled: false
                     nullable: true
                     properties:
+                      accessRules:
+                        items:
+                          properties:
+                            method:
+                              type: string
+                            path:
+                              type: string
+                            service:
+                              type: string
+                          type: object
+                        type: array
                       enabled:
                         default: false
                         type: boolean
@@ -197,6 +219,12 @@ spec:
                       gracePeriodDays:
                         minimum: 1
                         type: integer
+                      roles:
+                        items:
+                          type: string
+                        type: array
+                      unrestricted:
+                        type: boolean
                     type: object
                     x-kubernetes-validations:
                     - message: gracePeriodDays must be smaller than expirationDays
@@ -709,6 +737,17 @@ spec:
                       enabled: false
                     nullable: true
                     properties:
+                      accessRules:
+                        items:
+                          properties:
+                            method:
+                              type: string
+                            path:
+                              type: string
+                            service:
+                              type: string
+                          type: object
+                        type: array
                       enabled:
                         default: false
                         type: boolean
@@ -718,6 +757,12 @@ spec:
                       gracePeriodDays:
                         minimum: 1
                         type: integer
+                      roles:
+                        items:
+                          type: string
+                        type: array
+                      unrestricted:
+                        type: boolean
                     type: object
                     x-kubernetes-validations:
                     - message: gracePeriodDays must be smaller than expirationDays
@@ -3507,6 +3552,17 @@ spec:
                       enabled: false
                     nullable: true
                     properties:
+                      accessRules:
+                        items:
+                          properties:
+                            method:
+                              type: string
+                            path:
+                              type: string
+                            service:
+                              type: string
+                          type: object
+                        type: array
                       enabled:
                         default: false
                         type: boolean
@@ -3516,6 +3572,12 @@ spec:
                       gracePeriodDays:
                         minimum: 1
                         type: integer
+                      roles:
+                        items:
+                          type: string
+                        type: array
+                      unrestricted:
+                        type: boolean
                     type: object
                     x-kubernetes-validations:
                     - message: gracePeriodDays must be smaller than expirationDays
@@ -8422,6 +8484,17 @@ spec:
                       enabled: false
                     nullable: true
                     properties:
+                      accessRules:
+                        items:
+                          properties:
+                            method:
+                              type: string
+                            path:
+                              type: string
+                            service:
+                              type: string
+                          type: object
+                        type: array
                       enabled:
                         default: false
                         type: boolean
@@ -8431,6 +8504,12 @@ spec:
                       gracePeriodDays:
                         minimum: 1
                         type: integer
+                      roles:
+                        items:
+                          type: string
+                        type: array
+                      unrestricted:
+                        type: boolean
                     type: object
                     x-kubernetes-validations:
                     - message: gracePeriodDays must be smaller than expirationDays
@@ -9239,6 +9318,17 @@ spec:
                       enabled: false
                     nullable: true
                     properties:
+                      accessRules:
+                        items:
+                          properties:
+                            method:
+                              type: string
+                            path:
+                              type: string
+                            service:
+                              type: string
+                          type: object
+                        type: array
                       enabled:
                         default: false
                         type: boolean
@@ -9248,6 +9338,12 @@ spec:
                       gracePeriodDays:
                         minimum: 1
                         type: integer
+                      roles:
+                        items:
+                          type: string
+                        type: array
+                      unrestricted:
+                        type: boolean
                     type: object
                     x-kubernetes-validations:
                     - message: gracePeriodDays must be smaller than expirationDays
@@ -11691,6 +11787,17 @@ spec:
                       enabled: false
                     nullable: true
                     properties:
+                      accessRules:
+                        items:
+                          properties:
+                            method:
+                              type: string
+                            path:
+                              type: string
+                            service:
+                              type: string
+                          type: object
+                        type: array
                       enabled:
                         default: false
                         type: boolean
@@ -11700,6 +11807,12 @@ spec:
                       gracePeriodDays:
                         minimum: 1
                         type: integer
+                      roles:
+                        items:
+                          type: string
+                        type: array
+                      unrestricted:
+                        type: boolean
                     type: object
                     x-kubernetes-validations:
                     - message: gracePeriodDays must be smaller than expirationDays
@@ -16163,6 +16276,17 @@ spec:
                       enabled: false
                     nullable: true
                     properties:
+                      accessRules:
+                        items:
+                          properties:
+                            method:
+                              type: string
+                            path:
+                              type: string
+                            service:
+                              type: string
+                          type: object
+                        type: array
                       enabled:
                         default: false
                         type: boolean
@@ -16172,6 +16296,12 @@ spec:
                       gracePeriodDays:
                         minimum: 1
                         type: integer
+                      roles:
+                        items:
+                          type: string
+                        type: array
+                      unrestricted:
+                        type: boolean
                     type: object
                     x-kubernetes-validations:
                     - message: gracePeriodDays must be smaller than expirationDays
@@ -16794,6 +16924,17 @@ spec:
                       enabled: false
                     nullable: true
                     properties:
+                      accessRules:
+                        items:
+                          properties:
+                            method:
+                              type: string
+                            path:
+                              type: string
+                            service:
+                              type: string
+                          type: object
+                        type: array
                       enabled:
                         default: false
                         type: boolean
@@ -16803,6 +16944,12 @@ spec:
                       gracePeriodDays:
                         minimum: 1
                         type: integer
+                      roles:
+                        items:
+                          type: string
+                        type: array
+                      unrestricted:
+                        type: boolean
                     type: object
                     x-kubernetes-validations:
                     - message: gracePeriodDays must be smaller than expirationDays

apis/core/v1beta1/openstackcontrolplane_types.go

@@ -878,6 +878,17 @@ type ApplicationCredentialSection struct {
 	// +kubebuilder:default=7
 	// +kubebuilder:validation:Minimum=1
 	GracePeriodDays *int `json:"gracePeriodDays,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default={"admin","service"}
+	// +kubebuilder:validation:MinItems=1
+	// Roles to assign to the ApplicationCredential
+	Roles []string `json:"roles,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=false
+	// Whether the AC should be unrestricted
+	Unrestricted *bool `json:"unrestricted,omitempty"`
 }
 
 // +kubebuilder:validation:XValidation:rule="!(has(self.expirationDays) && has(self.gracePeriodDays)) || self.gracePeriodDays < self.expirationDays",message="gracePeriodDays must be smaller than expirationDays"
@@ -894,6 +905,33 @@ type ServiceAppCredSection struct {
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:Minimum=1
 	GracePeriodDays *int `json:"gracePeriodDays,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// Roles to assign to the ApplicationCredential
+	Roles []string `json:"roles,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// Whether the AC should be unrestricted
+	Unrestricted *bool `json:"unrestricted,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// Set service specific AC access rules
+	AccessRules []ACRule `json:"accessRules,omitempty"`
+}
+
+// ACRule sets access rules for AC
+type ACRule struct {
+	// Service is the OpenStack service type
+	// +kubebuilder:validation:Optional
+	Service string `json:"service"`
+
+	// Path is the API path to allow
+	// +kubebuilder:validation:Optional
+	Path string `json:"path,omitempty"`
+
+	// Method is the HTTP verb to allow (defaults to all if empty)
+	// +kubebuilder:validation:Optional
+	Method string `json:"method,omitempty"`
 }
 
 // OpenStackControlPlaneStatus defines the observed state of OpenStackControlPlane

apis/core/v1beta1/zz_generated.deepcopy.go

@@ -116,4 +116,4 @@ replace github.com/openshift/api => github.com/openshift/api v0.0.0-202408300231
 // custom RabbitmqClusterSpecCore for OpenStackControlplane (v2.9.0_patches_tag)
 replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20241017142550-a3524acedd49 //allow-merging
 
-replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20250516124117-1428c333f73e

apis/go.mod

@@ -1,5 +1,5 @@
-github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c h1:DXnHQg/+AjMsoJqvQEusjkyjOsOPGbKJ8uRVLyTkseQ=
-github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c/go.mod h1:VPkYswnrCtlSMTeYjgxTOpfNN7zvxqa+kZ8EWDJaFrg=
+github.com/Deydra71/keystone-operator/api v0.0.0-20250516124117-1428c333f73e h1:1fN4dK/dqIYoJrdkN+rdnaRdOVTIsxfs6a0RFyseSRQ=
+github.com/Deydra71/keystone-operator/api v0.0.0-20250516124117-1428c333f73e/go.mod h1:VPkYswnrCtlSMTeYjgxTOpfNN7zvxqa+kZ8EWDJaFrg=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cert-manager/cert-manager v1.14.7 h1:C2L59sMGMdSpd8SPx5qfPAL7ejZaNxJBRd24S7Ws5Ek=