
Commit 62fd3e5

committed
Adding roles, access rules and unrestricted AC support
Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>
1 parent 6ed1e4b commit 62fd3e5


11 files changed

+277
-9
lines changed


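--- a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
+++ b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -53,6 +53,17 @@ spec:
 default: 7
 minimum: 1
 type: integer
+roles:
+default:
+- admin
+- service
+items:
+type: string
+minItems: 1
+type: array
+unrestricted:
+default: false
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -197,6 +208,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -718,6 +735,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -3516,6 +3539,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -8431,6 +8460,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -9248,6 +9283,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -11700,6 +11741,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -16172,6 +16219,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -16803,6 +16856,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays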

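--- a/apis/core/v1beta1/openstackcontrolplane_types.go
+++ b/apis/core/v1beta1/openstackcontrolplane_types.go
@@ -878,6 +878,17 @@ type ApplicationCredentialSection struct {
 // +kubebuilder:default=7
 // +kubebuilder:validation:Minimum=1
 GracePeriodDays *int `json:"gracePeriodDays,omitempty"`
+
+// +kubebuilder:validation:Optional
+// +kubebuilder:default={"admin","service"}
+// +kubebuilder:validation:MinItems=1
+// Roles to assign to the ApplicationCredential
+Roles []string `json:"roles,omitempty"`
+
+// +kubebuilder:validation:Optional
+// +kubebuilder:default=false
+// Whether the AC should be unrestricted
+Unrestricted *bool `json:"unrestricted,omitempty"`
 }
 
 // +kubebuilder:validation:XValidation:rule="!(has(self.expirationDays) && has(self.gracePeriodDays)) || self.gracePeriodDays < self.expirationDays",message="gracePeriodDays must be smaller than expirationDays"
@@ -894,6 +905,14 @@ type ServiceAppCredSection struct {
 // +kubebuilder:validation:Optional
 // +kubebuilder:validation:Minimum=1
 GracePeriodDays *int `json:"gracePeriodDays,omitempty"`
+
+// +kubebuilder:validation:Optional
+// Roles to assign to the ApplicationCredential
+Roles []string `json:"roles,omitempty"`
+
+// +kubebuilder:validation:Optional
+// Whether the AC should be unrestricted
+Unrestricted *bool `json:"unrestricted,omitempty"`
 }
 
 // OpenStackControlPlaneStatus defines the observed state of OpenStackControlPlane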
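Review bot: The new `Roles` default in `ApplicationCredentialSection` is `{"admin","service"}`, so every application credential created without an explicit override carries the admin role, and the field comment does not say so; least privilege argues for documenting this and, if the consuming services allow it, for a narrower default. The comment on `Unrestricted` should state the effect rather than repeat the name, for example `// Unrestricted allows the AC to create or delete other application credentials and trusts; leave false unless a service requires it`, which matches the description in the bundled keystone CRD. In `ServiceAppCredSection` the `Roles` override has no `MinItems` or per-item check, so whether an explicit empty list falls back to the global default or yields a credential without roles is decided in code outside these hunks; `// +kubebuilder:validation:items:MinLength=1` and `// +listType=set` on both fields would at least reject empty and duplicate role names at admission. Both struct definitions start above the hunks shown.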

apis/core/v1beta1/zz_generated.deepcopy.go

Lines changed: 20 additions & 0 deletions

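--- a/apis/go.mod
+++ b/apis/go.mod
@@ -116,4 +116,4 @@ replace github.com/openshift/api => github.com/openshift/api v0.0.0-202408300231
 // custom RabbitmqClusterSpecCore for OpenStackControlplane (v2.9.0_patches_tag)
 replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20241017142550-a3524acedd49 //allow-merging
 
-replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c
+replace github.com/openstack-k8s-operators/keystone-operator/api => github.com/Deydra71/keystone-operator/api v0.0.0-20250519123217-49620096eb19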
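Review bot: The `replace` for `github.com/openstack-k8s-operators/keystone-operator/api` still resolves to a personal fork (`github.com/Deydra71/keystone-operator/api`) at an untagged pseudo-version, so the API types used by this build come from code that has not passed the upstream organisation's review. Unlike the rabbitmq directive above it, this line carries no `//allow-merging` marker, which suggests it is a development pin; it should be dropped in favour of a `require` on the upstream module once the keystone-operator change lands. Until then a comment such as `// TEMP: fork pin for application credential roles, remove before merge` would make the intent explicit to whoever reviews the dependency list.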

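--- a/apis/go.sum
+++ b/apis/go.sum
@@ -1,5 +1,5 @@
-github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c h1:DXnHQg/+AjMsoJqvQEusjkyjOsOPGbKJ8uRVLyTkseQ=
-github.com/Deydra71/keystone-operator/api v0.0.0-20250514070500-15fcdb912b2c/go.mod h1:VPkYswnrCtlSMTeYjgxTOpfNN7zvxqa+kZ8EWDJaFrg=
+github.com/Deydra71/keystone-operator/api v0.0.0-20250519123217-49620096eb19 h1:P93G634OZTX/Fr6g27G0zZioRCxqLxgKEz9xV5NAALI=
+github.com/Deydra71/keystone-operator/api v0.0.0-20250519123217-49620096eb19/go.mod h1:VPkYswnrCtlSMTeYjgxTOpfNN7zvxqa+kZ8EWDJaFrg=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cert-manager/cert-manager v1.14.7 h1:C2L59sMGMdSpd8SPx5qfPAL7ejZaNxJBRd24S7Ws5Ek=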

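--- a/bindata/crds/crds.yaml
+++ b/bindata/crds/crds.yaml
@@ -217,6 +217,17 @@ spec:
 default: 7
 minimum: 1
 type: integer
+roles:
+default:
+- admin
+- service
+items:
+type: string
+minItems: 1
+type: array
+unrestricted:
+default: false
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -361,6 +372,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -882,6 +899,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -3680,6 +3703,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -8595,6 +8624,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -9412,6 +9447,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -11864,6 +11905,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -16336,6 +16383,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays
@@ -16967,6 +17020,12 @@ spec:
 gracePeriodDays:
 minimum: 1
 type: integer
+roles:
+items:
+type: string
+type: array
+unrestricted:
+type: boolean
 type: object
 x-kubernetes-validations:
 - message: gracePeriodDays must be smaller than expirationDays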

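--- a/bindata/crds/keystone.openstack.org_applicationcredentials.yaml
+++ b/bindata/crds/keystone.openstack.org_applicationcredentials.yaml
@@ -59,24 +59,56 @@ spec:
 spec:
 description: ApplicationCredentialSpec defines what the user can set
 properties:
+accessRules:
+description: AccessRules defines which services the AC is permitted
+to access
+items:
+description: ACRule defines a service-only access rule for an ApplicationCredential
+properties:
+method:
+description: Method is the HTTP verb to allow (defaults to all
+if empty)
+type: string
+path:
+description: Path is the API path to allow
+type: string
+service:
+description: Service is the OpenStack service type
+type: string
+type: object
+type: array
 expirationDays:
-default: 14
+default: 365
 description: ExpirationDays sets the lifetime in days for the AC
 minimum: 2
 type: integer
 gracePeriodDays:
-default: 7
+default: 182
 description: GracePeriodDays sets how many days before expiration
 the AC should be rotated
 minimum: 1
 type: integer
 passwordSelector:
 description: PasswordSelector for extracting the service password
 type: string
+roles:
+default:
+- admin
+- service
+description: Roles to assign to the ApplicationCredential
+items:
+type: string
+minItems: 1
+type: array
 secret:
 default: osp-secret
 description: Secret containing service user password
 type: string
+unrestricted:
+default: false
+description: Unrestricted indicates whether the AC may be used to
+create or destroy other credentials or trusts
+type: boolean
 userName:
 description: UserName - the Keystone user under which this AC is created
 type: string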
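Review bot: The `expirationDays` default moves from 14 to 365 and the `gracePeriodDays` default from 7 to 182 in this bundled CRD, which lengthens the life of every application credential that relies on the defaults, and the commit message does not mention it; if the change is intended it deserves a line in the description, and the control-plane types in the same commit still carry `default: 7` for their own `gracePeriodDays`, so the two levels should be checked for consistency. The new `accessRules` items declare `service`, `path` and `method` as plain optional strings, so a rule with no `path` or `service` passes the schema; marking `service` and `path` as `required` and restricting `method` with an `enum` of HTTP verbs would reject malformed rules at admission. This file appears to be generated from the keystone-operator API, so the markers would need to change there rather than in this YAML.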
