Merge "Add applicationcredentials CR"

chart/crds/identity.openstack.org_applicationcredential.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: applicationcredentials.identity.openstack.org
+spec:
+  group: identity.openstack.org
+  names:
+    kind: ApplicationCredential
+    listKind: ApplicationCredentialList
+    plural: applicationcredentials
+    singular: applicationcredential
+  scope: Cluster
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

chart/templates/clusterrole.yaml

@@ -127,6 +127,7 @@ rules:
 - apiGroups:
   - identity.openstack.org
   resources:
+  - applicationcredentials
   - services
   - keystones
   - endpoints
@@ -141,6 +142,7 @@ rules:
 - apiGroups:
   - identity.openstack.org
   resources:
+  - applicationcredentials/status
   - services/status
   - keystones/status
   - endpoints/status

chart/templates/deployment.yaml

@@ -44,6 +44,8 @@ spec:
         - -m
         - openstack_operator.memcached
         - -m
+        - openstack_operator.openstack.identity.applicationcredential
+        - -m
         - openstack_operator.openstack.identity.endpoints
         - -m
         - openstack_operator.openstack.identity.services

devstack/lib/keystone

@@ -16,24 +16,6 @@
 
 # install_keystone() - Collect source and prepare
 function install_keystone {
-	echo noop
-}
-export -f install_keystone
-
-# configure_keystone() - Set config files, create data dirs, etc
-function configure_keystone {
-    echo noop
-}
-
-# init_keystone() - Initialize databases, etc.
-function init_keystone {
-	echo noop
-}
-export -f init_keystone
-
-# start_keystone() - Start running processes
-function start_keystone {
-
 	# rollout keystone
 	kubernetes_rollout_restart daemonset/keystone
 	kubernetes_rollout_status daemonset/keystone
@@ -60,6 +42,23 @@ function start_keystone {
 		die $LINENO "keystone did not start"
 	fi
 }
+export -f install_keystone
+
+# configure_keystone() - Set config files, create data dirs, etc
+function configure_keystone {
+    echo noop
+}
+
+# init_keystone() - Initialize databases, etc.
+function init_keystone {
+	echo noop
+}
+export -f init_keystone
+
+# start_keystone() - Start running processes
+function start_keystone {
+	echo noop
+}
 export -f start_keystone
 
 # bootstrap_keystone() - Initialize user, role and project

openstack_operator/identity.py

@@ -46,3 +46,11 @@ def ensure_service(name, service_type, desc, url=None, path=""):
     utils.create_or_update('identity/endpoint.yml.j2',
                            service=service_type, interface='public',
                            url=public_url)
+
+
+def ensure_application_credential(name):
+    """Create or update applicationcredentials
+    """
+
+    utils.create_or_update('identity/applicationcredential.yml.j2',
+                           name=name)

openstack_operator/objects.py

@@ -37,6 +37,14 @@ from pykube.objects import Service
 from pykube.objects import StatefulSet
 
 
+class IdentityApplicationCredential(APIObject):
+    """ApplicationCredential Kubernetes object"""
+
+    version = "identity.openstack.org/v1alpha1"
+    endpoint = "applicationcredentials"
+    kind = "ApplicationCredential"
+
+
 class IdentityService(APIObject):
     """Service Kubernetes object"""
 
@@ -124,6 +132,7 @@ MAPPING = {
         "Ingress": Ingress
     },
     "identity.openstack.org/v1alpha1": {
+        "ApplicationCredential": IdentityApplicationCredential,
         "Service": IdentityService,
         "Endpoint": IdentityEndpoint
     },

openstack_operator/openstack/identity/applicationcredential.py

@@ -0,0 +1,77 @@
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Application Credential Operator
+
+This operator helps manage the creation and removal of application
+credential inside Keystone using custom resources.
+"""
+
+import kopf
+from openstack_operator import utils
+
+
+def _get_admin_user_id():
+    """Get admin user id"""
+
+    conn = utils.get_openstack_connection()
+    user_name = conn.config.auth["username"]
+    domain_id = conn.config.auth["user_domain_id"]
+    user = conn.get_user(name_or_id=user_name, domain_id=domain_id)
+    return user.id
+
+
+@kopf.on.resume('identity.openstack.org', 'v1alpha1', 'applicationcredentials')
+@kopf.on.create('identity.openstack.org', 'v1alpha1', 'applicationcredentials')
+def create_or_resume(name, **_):
+    """Create or resume controller
+
+    This function runs when a new resource is created or when the
+    controller is first started.  It creates or updates the appropriate
+    applicationcredential."""
+
+    identity = utils.get_openstack_connection().identity
+
+    user = _get_admin_user_id()
+    credential = \
+        identity.find_application_credential(user=user, name_or_id=name)
+
+    if credential is None:
+        credential = \
+            identity.create_application_credential(user=user, name=name)
+        utils.create_or_update(
+            'identity/secret-applicationcredential.yml.j2',
+            name=name, secret=credential.secret,
+            id=credential.id, adopt=True)
+
+
+@kopf.on.delete('identity.openstack.org', 'v1alpha1', 'applicationcredentials')
+def delete(name, **_):
+    """Delete an endpoint
+
+    This function runs when the applicationcredential CR is deleted and
+    removes the record from Keystone.
+    """
+
+    identity = utils.get_openstack_connection().identity
+
+    user = _get_admin_user_id()
+    credential = \
+        identity.find_application_credential(user=user, name_or_id=name)
+
+    if credential is None:
+        return
+
+    identity.delete_application_credential(user=user,
+                                           application_credential=name)

openstack_operator/templates/identity/applicationcredential.yml.j2

@@ -0,0 +1,19 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: identity.openstack.org/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: {{ name }}

openstack_operator/templates/identity/secret-applicationcredential.yml.j2

@@ -0,0 +1,23 @@
+---
+# Copyright 2020 VEXXHOST, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+metadata:
+  name: {{ name }}-application-credential
+  namespace: openstack
+stringData:
+  id: {{ id }}
+  secret: {{ secret }}
+kind: Secret