From aa52627ffa18fb4e776ab7dc7784613854bbf8ea Mon Sep 17 00:00:00 2001
From: Veronika Fisarova
Date: Mon, 18 May 2026 08:29:31 +0200
Subject: [PATCH] Set EDPM service annotation on nova and ceilometer ACs

Set the `keystone.openstack.org/edpm-service` annotation on nova and ceilometer ApplicationCredential CRs so the keystone-operator AC controller can gate secret rotation and deletion on EDPM NodeSet hash sync. Other services are not EDPM services and can proceed without the NodeSet check.

Signed-off-by: Veronika Fisarova
Assisted-by: Claude Opus 4.6 noreply@anthropic.com
---
 api/go.mod | 2 +-
 api/go.sum | 4 +--
 ...ck.org_keystoneapplicationcredentials.yaml | 4 +++
 bindata/rbac/keystone-operator-rbac.yaml | 8 ++++++
 config/operator/manager_operator_images.yaml | 2 +-
 go.mod | 2 +-
 go.sum | 4 +--
 hack/export_operator_related_images.sh | 2 +-
 internal/openstack/applicationcredential.go | 20 +++++++++++---
 internal/openstack/barbican.go | 1 +
 internal/openstack/cinder.go | 1 +
 internal/openstack/designate.go | 1 +
 internal/openstack/glance.go | 1 +
 internal/openstack/heat.go | 1 +
 internal/openstack/ironic.go | 2 ++
 internal/openstack/manila.go | 1 +
 internal/openstack/neutron.go | 1 +
 internal/openstack/nova.go | 1 +
 internal/openstack/octavia.go | 1 +
 internal/openstack/placement.go | 1 +
 internal/openstack/swift.go | 1 +
 internal/openstack/telemetry.go | 3 +++
 internal/openstack/watcher.go | 1 +
 .../02-assert-appcred-crs.yaml | 26 ++++++++++++++++---
 24 files changed, 76 insertions(+), 15 deletions(-)
diff --git a/api/go.mod b/api/go.mod
index 80283066ea..9daf3cb772 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -15,7 +15,7 @@ require (
 github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260519055836-98aca178b9cd
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260518151731-513cdc50e41c
 github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260519055835-3fc462342d6c
- github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260518173352-69a47a6187d5
+ github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260520090027-4d7b7a01c0bf
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260518125357-72bdd580c587
 github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20260518125357-72bdd580c587
 github.com/openstack-k8s-operators/manila-operator/api v0.6.1-0.20260519055834-18a3bfb29f4a
diff --git a/api/go.sum b/api/go.sum
index c4d936c6ee..4c4503e37f 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -130,8 +130,8 @@ github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260518151731-5 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260518151731-513cdc50e41c/go.mod h1:RFFB4Zs9IJv1jXs/yMjo+VswSW+rsrFZsoP0QrB1EbI= github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260519055835-3fc462342d6c h1:441tIuWdcTeeNDWjILS4XScC3hd65tWRb7YyUBe8F24= github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260519055835-3fc462342d6c/go.mod h1:R3MsU1uiqYkLXw7yRJ9VZYvpPDiQAJK08EfyZLZZeZk= -github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260518173352-69a47a6187d5 h1:eKSWFldHZyv3Q6Q8xO6IfvlKUxcQ1GstOPCa8HnlWEc= -github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260518173352-69a47a6187d5/go.mod h1:voVyXEWocD4O+I+bIXLZovkzL51RE17deynYYgKbs0w= +github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260520090027-4d7b7a01c0bf h1:FoKK0zNo48i4ZMFxScupCK/YAmy6Ps4IILz3CK4BCTI= +github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260520090027-4d7b7a01c0bf/go.mod h1:VNX1Mda2u5+yGxycIyVrgABucitMDR9ct3Lj6ROS92I= github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260518125357-72bdd580c587 h1:p03uEXoSreyu7LpFmb9YyYM8tEx2D2+7qqhLXNWHTq0= github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260518125357-72bdd580c587/go.mod h1:JC04T5G4E/he5ukonV1oCqa0QzFkLv761VbLruVghJM= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.6.1-0.20260506154724-30a976ba8ef0 h1:kMie+G0aHlGwDHjimjj8AUxTl2R7LGfai/8pev2T+TY= diff --git a/bindata/crds/keystone.openstack.org_keystoneapplicationcredentials.yaml b/bindata/crds/keystone.openstack.org_keystoneapplicationcredentials.yaml index d96ed836ab..86238bf6d2 100644 --- a/bindata/crds/keystone.openstack.org_keystoneapplicationcredentials.yaml +++ b/bindata/crds/keystone.openstack.org_keystoneapplicationcredentials.yaml 
@@ -209,6 +209,10 @@ spec: for this ApplicationCredential. format: int64 type: integer + previousSecretName: + description: PreviousSecretName - name of the previous AC secret. + Only current and previous are protected by finalizer. + type: string rotationEligibleAt: description: |- RotationEligibleAt indicates when rotation becomes eligible (start of grace period window). diff --git a/bindata/rbac/keystone-operator-rbac.yaml b/bindata/rbac/keystone-operator-rbac.yaml index 4e4d3d68b1..25bc1d624f 100644 --- a/bindata/rbac/keystone-operator-rbac.yaml +++ b/bindata/rbac/keystone-operator-rbac.yaml @@ -135,6 +135,14 @@ rules: - patch - update - watch +- apiGroups: + - dataplane.openstack.org + resources: + - openstackdataplanenodesets + verbs: + - get + - list + - watch - apiGroups: - k8s.cni.cncf.io resources: diff --git a/config/operator/manager_operator_images.yaml b/config/operator/manager_operator_images.yaml index 46ac8f874b..a410fd3f4f 100644 --- a/config/operator/manager_operator_images.yaml +++ b/config/operator/manager_operator_images.yaml @@ -30,7 +30,7 @@ spec: - name: RELATED_IMAGE_IRONIC_OPERATOR_MANAGER_IMAGE_URL value: quay.io/openstack-k8s-operators/ironic-operator@sha256:2c3cb7bbab9f294b00f302ad7f951fe888d80e4acc78aef7ef23a4869711d2bf - name: RELATED_IMAGE_KEYSTONE_OPERATOR_MANAGER_IMAGE_URL - value: quay.io/openstack-k8s-operators/keystone-operator@sha256:d92d73580846a154e5c5746370e4223e5473f231a816b0b3a4060f149cac4586 + value: quay.io/openstack-k8s-operators/keystone-operator@sha256:c9270b37a19ec4637f8f69bd0973724f71e1376cfc002d0265137b8a57f505a6 - name: RELATED_IMAGE_MANILA_OPERATOR_MANAGER_IMAGE_URL value: quay.io/openstack-k8s-operators/manila-operator@sha256:f0aed94235d37b13ae9e6163655dbbb9df7a309e495ebba7f4cd1747d5e72391 - name: RELATED_IMAGE_MARIADB_OPERATOR_MANAGER_IMAGE_URL diff --git a/go.mod b/go.mod index 9eeee20e44..865f41665c 100644 --- a/go.mod +++ b/go.mod 
@@ -20,7 +20,7 @@ require (
 github.com/openstack-k8s-operators/horizon-operator/api v0.6.1-0.20260519055836-98aca178b9cd
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260518151731-513cdc50e41c
 github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260519055835-3fc462342d6c
- github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260518173352-69a47a6187d5
+ github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260520090027-4d7b7a01c0bf
 github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20260518125357-72bdd580c587
 github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20260518125357-72bdd580c587
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260518125357-72bdd580c587
diff --git a/go.sum b/go.sum
index aba4317a74..0143366a2e 100644
--- a/go.sum
+++ b/go.sum
@@ -154,8 +154,8 @@ github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260518151731-5 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260518151731-513cdc50e41c/go.mod h1:RFFB4Zs9IJv1jXs/yMjo+VswSW+rsrFZsoP0QrB1EbI= github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260519055835-3fc462342d6c h1:441tIuWdcTeeNDWjILS4XScC3hd65tWRb7YyUBe8F24= github.com/openstack-k8s-operators/ironic-operator/api v0.6.1-0.20260519055835-3fc462342d6c/go.mod h1:R3MsU1uiqYkLXw7yRJ9VZYvpPDiQAJK08EfyZLZZeZk= -github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260518173352-69a47a6187d5 h1:eKSWFldHZyv3Q6Q8xO6IfvlKUxcQ1GstOPCa8HnlWEc= -github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260518173352-69a47a6187d5/go.mod h1:voVyXEWocD4O+I+bIXLZovkzL51RE17deynYYgKbs0w= +github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260520090027-4d7b7a01c0bf h1:FoKK0zNo48i4ZMFxScupCK/YAmy6Ps4IILz3CK4BCTI= +github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20260520090027-4d7b7a01c0bf/go.mod h1:VNX1Mda2u5+yGxycIyVrgABucitMDR9ct3Lj6ROS92I= github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20260518125357-72bdd580c587 h1:VvXvQw3t7slykvGeb+/CzmnTilSpQV2ji6gjJhHD/XU= github.com/openstack-k8s-operators/lib-common/modules/ansible v0.6.1-0.20260518125357-72bdd580c587/go.mod h1:tXxVkkk8HlATwTmDA5RTP3b+c8apfuMM15mZ2wW5iNs= github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20260518125357-72bdd580c587 h1:vCttV5sUx7vQLsQGBEjfXvp/xJo29UyW2srkyAcoTbc= diff --git a/hack/export_operator_related_images.sh b/hack/export_operator_related_images.sh index c6a80bf2f3..5060884a88 100644 --- a/hack/export_operator_related_images.sh +++ b/hack/export_operator_related_images.sh 
@@ -8,7 +8,7 @@ export RELATED_IMAGE_HEAT_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-opera
 export RELATED_IMAGE_HORIZON_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/horizon-operator@sha256:7800616b815863423484fe0537ef77fbb7cd3f635c864c098ec95dd004d4224b
 export RELATED_IMAGE_INFRA_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/infra-operator@sha256:938b73f665d9d432a4a7e67d347f1504f06b8e143c740246a9c7c6d5630a7ff4
 export RELATED_IMAGE_IRONIC_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/ironic-operator@sha256:2c3cb7bbab9f294b00f302ad7f951fe888d80e4acc78aef7ef23a4869711d2bf
-export RELATED_IMAGE_KEYSTONE_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/keystone-operator@sha256:d92d73580846a154e5c5746370e4223e5473f231a816b0b3a4060f149cac4586
+export RELATED_IMAGE_KEYSTONE_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/keystone-operator@sha256:c9270b37a19ec4637f8f69bd0973724f71e1376cfc002d0265137b8a57f505a6
 export RELATED_IMAGE_MANILA_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/manila-operator@sha256:f0aed94235d37b13ae9e6163655dbbb9df7a309e495ebba7f4cd1747d5e72391
 export RELATED_IMAGE_MARIADB_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/mariadb-operator@sha256:db4edc84736a517e632c7201fc7015fea401d997ffcfa9d60ca11c46df74224e
 export RELATED_IMAGE_NEUTRON_OPERATOR_MANAGER_IMAGE_URL=quay.io/openstack-k8s-operators/neutron-operator@sha256:ad4a7d9fb687b6d89ecda9b03067f9baa002c7c7f8ac89daebf9732351c86b9e
diff --git a/internal/openstack/applicationcredential.go b/internal/openstack/applicationcredential.go
index 3c699df561..9ca73c6986 100644
--- a/internal/openstack/applicationcredential.go
+++ b/internal/openstack/applicationcredential.go
@@ -68,14 +68,15 @@ func CleanupApplicationCredentialForService(
 instance *corev1beta1.OpenStackControlPlane,
 serviceName string,
 ) error {
+ Log := GetLogger(ctx)
 acName := keystonev1.GetACCRName(serviceName)
+
 acCR := &keystonev1.KeystoneApplicationCredential{
 ObjectMeta: metav1.ObjectMeta{
 Name: acName,
 Namespace: instance.Namespace,
 },
 }
- Log := GetLogger(ctx)
 err := helper.GetClient().Delete(ctx, acCR)
 if k8s_errors.IsNotFound(err) {
 return nil
@@ -106,6 +107,7 @@ func EnsureApplicationCredentialForService(
 passwordSelector string,
 serviceUser string,
 acConfig *corev1beta1.ServiceAppCredSection,
+ edpmService bool,
 ) (acSecretName string, result ctrl.Result, err error) {
 Log := GetLogger(ctx)
@@ -154,7 +156,7 @@ func EnsureApplicationCredentialForService(
 // Check if AC CR exists and is ready
 if acExists {
 // We want to run reconcileApplicationCredential to update the AC CR if it exists and is ready and AC config fields changed
- err = reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged)
+ err = reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged, edpmService)
 if err != nil {
 return "", ctrl.Result{}, err
 }
@@ -177,7 +179,7 @@ func EnsureApplicationCredentialForService(
 // Service is ready, create Application Credential CR
 Log.Info("Service is ready, creating Application Credential", "service", serviceName, "acName", acName)
- err = reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged)
+ err = reconcileApplicationCredential(ctx, helper, instance, acName, serviceUser, secretName, passwordSelector, merged, edpmService)
 if err != nil {
 return "", ctrl.Result{}, err
 }
@@ -196,6 +198,7 @@ func reconcileApplicationCredential(
 secretName string,
 passwordSelector string,
 effective corev1beta1.ApplicationCredentialSection,
+ edpmService bool,
 ) error {
 log := GetLogger(ctx)
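Review bot: The new `edpmService bool` parameter of `EnsureApplicationCredentialForService` (hunk at -106, passed on to `reconcileApplicationCredential` in the hunks at -154, -177 and -196) is supplied as a bare positional `true` or `false` at every call site from barbican.go through watcher.go, so nothing where the value is chosen says that it decides whether the keystone-operator gates secret rotation and deletion for that credential. A slip in one of those literals compiles cleanly and silently changes the gate for that service. Consider naming the argument where it is passed, for example `true, // edpmService`, and adding a sentence on the parameter to the function's doc comment, which lies outside the hunk.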
@@ -215,6 +218,17 @@ func reconcileApplicationCredential(
 acObj.Spec.Roles = effective.Roles
 acObj.Spec.Unrestricted = *effective.Unrestricted
+ annotations := acObj.GetAnnotations()
+ if annotations == nil {
+ annotations = map[string]string{}
+ }
+ if edpmService {
+ annotations[keystonev1.EDPMServiceAnnotation] = "true"
+ } else {
+ annotations[keystonev1.EDPMServiceAnnotation] = "false"
+ }
+ acObj.SetAnnotations(annotations)
+
 if len(effective.AccessRules) > 0 {
 kr := make([]keystonev1.ACRule, 0, len(effective.AccessRules))
 for _, r := range effective.AccessRules {
diff --git a/internal/openstack/barbican.go b/internal/openstack/barbican.go
index 1c566ed738..50c6a6ce7a 100644
--- a/internal/openstack/barbican.go
+++ b/internal/openstack/barbican.go
@@ -91,6 +91,7 @@ func ReconcileBarbican(ctx context.Context, instance *corev1beta1.OpenStackContr
 instance.Spec.Barbican.Template.PasswordSelectors.Service,
 instance.Spec.Barbican.Template.ServiceUser,
 instance.Spec.Barbican.ApplicationCredential,
+ false,
 )
 if err != nil {
 return ctrl.Result{}, err
diff --git a/internal/openstack/cinder.go b/internal/openstack/cinder.go
index 11c9efbb7d..3c391878c9 100644
--- a/internal/openstack/cinder.go
+++ b/internal/openstack/cinder.go
@@ -115,6 +115,7 @@ func ReconcileCinder(ctx context.Context, instance *corev1beta1.OpenStackControl
 instance.Spec.Cinder.Template.PasswordSelectors.Service,
 instance.Spec.Cinder.Template.ServiceUser,
 instance.Spec.Cinder.ApplicationCredential,
+ false,
 )
 if err != nil {
 return ctrl.Result{}, err
diff --git a/internal/openstack/designate.go b/internal/openstack/designate.go
index 5ef092b0e0..b6e4269af1 100644
--- a/internal/openstack/designate.go
+++ b/internal/openstack/designate.go
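Review bot: In `reconcileApplicationCredential` (hunk at -215) the annotation is written as an explicit `"false"` for every non-EDPM service, but no comment says why the key is set rather than left absent; something like `// Always write the value so a stale "true" is overwritten and the consumer never has to interpret a missing key.` would record the intent. How the keystone-operator treats a CR that carries no annotation yet, such as one created before this change and not yet reconciled again, is not visible here and is worth confirming, because that default decides whether rotation and deletion are gated in that window. The if/else can also collapse to `annotations[keystonev1.EDPMServiceAnnotation] = strconv.FormatBool(edpmService)`, provided `strconv` is imported in this file, which the hunk does not show. The enclosing function starts and ends outside the hunk.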
@@ -103,6 +103,7 @@ func ReconcileDesignate(ctx context.Context, instance *corev1beta1.OpenStackCont
 instance.Spec.Designate.Template.PasswordSelectors.Service,
 instance.Spec.Designate.Template.ServiceUser,
 instance.Spec.Designate.ApplicationCredential,
+ false,
 )
 if err != nil {
 return ctrl.Result{}, err
diff --git a/internal/openstack/glance.go b/internal/openstack/glance.go
index 82c908a6ec..34207515d1 100644
--- a/internal/openstack/glance.go
+++ b/internal/openstack/glance.go
@@ -145,6 +145,7 @@ func ReconcileGlance(ctx context.Context, instance *corev1beta1.OpenStackControl
 instance.Spec.Glance.Template.PasswordSelectors.Service,
 instance.Spec.Glance.Template.ServiceUser,
 instance.Spec.Glance.ApplicationCredential,
+ false,
 )
 if err != nil {
 return ctrl.Result{}, err
diff --git a/internal/openstack/heat.go b/internal/openstack/heat.go
index a9bad1d9b0..24168ea164 100644
--- a/internal/openstack/heat.go
+++ b/internal/openstack/heat.go
@@ -134,6 +134,7 @@ func ReconcileHeat(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 instance.Spec.Heat.Template.PasswordSelectors.Service,
 instance.Spec.Heat.Template.ServiceUser,
 instance.Spec.Heat.ApplicationCredential,
+ false,
 )
 if err != nil {
 return ctrl.Result{}, err
diff --git a/internal/openstack/ironic.go b/internal/openstack/ironic.go
index 37b3ff4222..dd01a607b0 100644
--- a/internal/openstack/ironic.go
+++ b/internal/openstack/ironic.go
@@ -147,6 +147,7 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl
 instance.Spec.Ironic.Template.PasswordSelectors.Service,
 instance.Spec.Ironic.Template.ServiceUser,
 instance.Spec.Ironic.ApplicationCredential,
+ false,
 )
 if err != nil {
 return ctrl.Result{}, err
@@ -173,6 +174,7 @@ func ReconcileIronic(ctx context.Context, instance *corev1beta1.OpenStackControl
 instance.Spec.Ironic.Template.IronicInspector.PasswordSelectors.Service,
 instance.Spec.Ironic.Template.IronicInspector.ServiceUser,
 instance.Spec.Ironic.ApplicationCredential,
+ false,
 )
 if err != nil {
 return ctrl.Result{}, err
diff --git a/internal/openstack/manila.go b/internal/openstack/manila.go
index dcba216762..956e68481a 100644
--- a/internal/openstack/manila.go
+++ b/internal/openstack/manila.go
@@ -93,6 +93,7 @@ func ReconcileManila(ctx context.Context, instance *corev1beta1.OpenStackControl
 instance.Spec.Manila.Template.PasswordSelectors.Service,
 instance.Spec.Manila.Template.ServiceUser,
 instance.Spec.Manila.ApplicationCredential,
+ false,
 )
 if err != nil {
 return ctrl.Result{}, err
diff --git a/internal/openstack/neutron.go b/internal/openstack/neutron.go
index 29418e4271..b72b570be2 100644
--- a/internal/openstack/neutron.go
+++ b/internal/openstack/neutron.go
@@ -137,6 +137,7 @@ func ReconcileNeutron(ctx context.Context, instance *corev1beta1.OpenStackContro
 instance.Spec.Neutron.Template.PasswordSelectors.Service,
 instance.Spec.Neutron.Template.ServiceUser,
 instance.Spec.Neutron.ApplicationCredential,
+ false,
 )
 if err != nil {
 return ctrl.Result{}, err
diff --git a/internal/openstack/nova.go b/internal/openstack/nova.go
index 7a5bbf2f3e..c6c6b00624 100644
--- a/internal/openstack/nova.go
+++ b/internal/openstack/nova.go
@@ -209,6 +209,7 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 instance.Spec.Nova.Template.PasswordSelectors.Service,
 instance.Spec.Nova.Template.ServiceUser,
 instance.Spec.Nova.ApplicationCredential,
+ true,
 )
 if err != nil {
 return ctrl.Result{}, err
diff --git a/internal/openstack/octavia.go b/internal/openstack/octavia.go
index 9d98b89f88..ed5665f776 100644
--- a/internal/openstack/octavia.go
+++ b/internal/openstack/octavia.go
@@ -185,6 +185,7 @@ func ReconcileOctavia(ctx context.Context, instance *corev1beta1.OpenStackContro
 instance.Spec.Octavia.Template.PasswordSelectors.Service,
 instance.Spec.Octavia.Template.ServiceUser,
 instance.Spec.Octavia.ApplicationCredential,
+ false,
 )
 if err != nil {
 return ctrl.Result{}, err
diff --git a/internal/openstack/placement.go b/internal/openstack/placement.go
index 96a1d3dab5..0dd842a4db 100644
--- a/internal/openstack/placement.go
+++ b/internal/openstack/placement.go
@@ -97,6 +97,7 @@ func ReconcilePlacementAPI(ctx context.Context, instance *corev1beta1.OpenStackC
 instance.Spec.Placement.Template.PasswordSelectors.Service,
 instance.Spec.Placement.Template.ServiceUser,
 instance.Spec.Placement.ApplicationCredential,
+ false,
 )
 if err != nil {
 return ctrl.Result{}, err
diff --git a/internal/openstack/swift.go b/internal/openstack/swift.go
index e7dc468a7f..92ed4082f5 100644
--- a/internal/openstack/swift.go
+++ b/internal/openstack/swift.go
@@ -127,6 +127,7 @@ func ReconcileSwift(ctx context.Context, instance *corev1beta1.OpenStackControlP
 instance.Spec.Swift.Template.SwiftProxy.PasswordSelectors.Service,
 instance.Spec.Swift.Template.SwiftProxy.ServiceUser,
 instance.Spec.Swift.ApplicationCredential,
+ false,
 )
 if err != nil {
 return ctrl.Result{}, err
diff --git a/internal/openstack/telemetry.go b/internal/openstack/telemetry.go
index 0d302cb4cd..9233e1ccc8 100644
--- a/internal/openstack/telemetry.go
+++ b/internal/openstack/telemetry.go
@@ -153,6 +153,7 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 instance.Spec.Telemetry.Template.Autoscaling.Aodh.PasswordSelectors.AodhService,
 instance.Spec.Telemetry.Template.Autoscaling.Aodh.ServiceUser,
 instance.Spec.Telemetry.ApplicationCredentialAodh,
+ false,
 )
 if err != nil {
 return ctrl.Result{}, err
@@ -198,6 +199,7 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 instance.Spec.Telemetry.Template.Ceilometer.PasswordSelectors.CeilometerService,
 instance.Spec.Telemetry.Template.Ceilometer.ServiceUser,
 instance.Spec.Telemetry.ApplicationCredentialCeilometer,
+ true,
 )
 if err != nil {
 return ctrl.Result{}, err
@@ -242,6 +244,7 @@ func ReconcileTelemetry(ctx context.Context, instance *corev1beta1.OpenStackCont
 instance.Spec.Telemetry.Template.CloudKitty.PasswordSelectors.CloudKittyService,
 instance.Spec.Telemetry.Template.CloudKitty.ServiceUser,
 instance.Spec.Telemetry.ApplicationCredentialCloudKitty,
+ false,
 )
 if err != nil {
 return ctrl.Result{}, err
diff --git a/internal/openstack/watcher.go b/internal/openstack/watcher.go
index bfed839c50..dace2e5898 100644
--- a/internal/openstack/watcher.go
+++ b/internal/openstack/watcher.go
@@ -106,6 +106,7 @@ func ReconcileWatcher(ctx context.Context, instance *corev1beta1.OpenStackContro
 getWatcherPasswordSelector(),
 getWatcherServiceUser(),
 instance.Spec.Watcher.ApplicationCredential,
+ false,
 )
 if err != nil {
 return ctrl.Result{}, err
diff --git a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml
index 7453d5b13a..d4305e11b7 100644
--- a/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml
+++ b/test/kuttl/tests/ctlplane-basic-deployment-with-appcred/02-assert-appcred-crs.yaml
@@ -44,6 +44,16 @@ commands:
 echo "✓ ac-$name.roles = [${expected_roles[*]}]"
 }
+ check_edpm_annotation() {
+ local name=$1 expected=$2
+ local actual=$(oc get appcred ac-$name -n "$NS" -o jsonpath="{.metadata.annotations.keystone\.openstack\.org/edpm-service}" 2>/dev/null || echo "")
+ if [ "$actual" != "$expected" ]; then
+ echo "ERROR: ac-$name edpm-service annotation: expected '$expected', got '$actual'"
+ exit 1
+ fi
+ echo "✓ ac-$name edpm-service = $expected"
+ }
+
 echo "========================================="
 echo "Testing Application Credential CRs"
 echo "========================================="
@@ -66,6 +76,7 @@ commands:
 check_field barbican gracePeriodDays 364
 check_roles barbican "admin" "service"
 check_field barbican unrestricted "false"
+ check_edpm_annotation barbican "false"
 echo
 # ---- ac-cinder ----
@@ -76,6 +87,7 @@ commands:
 check_field cinder gracePeriodDays 5
 check_roles cinder "admin" "service"
 check_field cinder unrestricted "true"
+ check_edpm_annotation cinder "false"
 echo
 # ---- ac-glance ----
@@ -86,6 +98,7 @@ commands:
 check_field glance gracePeriodDays 60
 check_roles glance "admin" "service"
 check_field glance unrestricted "false"
+ check_edpm_annotation glance "false"
 echo
 # ---- ac-swift ----
@@ -96,6 +109,7 @@ commands:
 check_field swift gracePeriodDays 364
 check_roles swift "service"
 check_field swift unrestricted "false"
+ check_edpm_annotation swift "false"
 echo
 # ---- ac-neutron ----
@@ -106,6 +120,7 @@ commands:
 check_field neutron gracePeriodDays 364
 check_roles neutron "admin" "service"
 check_field neutron unrestricted "false"
+ check_edpm_annotation neutron "false"
 echo
 # ---- ac-placement ----
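Review bot: `check_edpm_annotation` (hunk at -44) discards stderr and substitutes an empty string when `oc get` fails, so an API or permission error is reported as `expected 'true', got ''` and reads like a missing annotation. The assertion still fails in that case, but the cause is hidden; dropping `2>/dev/null`, or echoing the `oc` error before `exit 1`, would make a failed lookup distinguishable from an unset annotation. Whether the neighbouring helpers follow the same pattern is not visible in this hunk.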
@@ -116,26 +131,29 @@ commands:
 check_field placement gracePeriodDays 30
 check_roles placement "admin" "service"
 check_field placement unrestricted "false"
+ check_edpm_annotation placement "false"
 echo
 # ---- ac-nova ----
- # Multiple roles
- echo "=== Testing ac-nova (multiple roles) ==="
+ # Multiple roles, EDPM service
+ echo "=== Testing ac-nova (multiple roles, EDPM service) ==="
 wait_ready nova
 check_field nova expirationDays 730
 check_field nova gracePeriodDays 364
 check_roles nova "admin" "service" "member"
 check_field nova unrestricted "false"
+ check_edpm_annotation nova "true"
 echo
 # ---- ac-ceilometer ----
- # Telemetry/Ceilometer component (enabled by default in base sample)
- echo "=== Testing ac-ceilometer (telemetry/ceilometer) ==="
+ # Telemetry/Ceilometer component, EDPM service
+ echo "=== Testing ac-ceilometer (telemetry/ceilometer, EDPM service) ==="
 wait_ready ceilometer
 check_field ceilometer expirationDays 45
 check_field ceilometer gracePeriodDays 20
 check_roles ceilometer "service"
 check_field ceilometer unrestricted "false"
+ check_edpm_annotation ceilometer "true"
 echo
 echo "All ApplicationCredential CRs validated successfully"