Add OpenStack credential propagation support

Makefile

@@ -356,6 +356,10 @@ dev-eks-creds: dev-aws-creds
 dev-aks-creds: envsubst
 	@NAMESPACE=$(NAMESPACE) $(ENVSUBST) -no-unset -i config/dev/aks-credentials.yaml | $(KUBECTL) apply -f -
 
+.PHONY: dev-openstack-creds
+dev-openstack-creds: envsubst
+	@NAMESPACE=$(NAMESPACE) $(ENVSUBST) -no-unset -i config/dev/openstack-credentials.yaml | $(KUBECTL) apply -f -
+
 .PHONY: dev-apply ## Apply the development environment by deploying the kind cluster, local registry and the HMC helm chart.
 dev-apply: kind-deploy registry-deploy dev-push dev-deploy dev-templates dev-release
 

cmd/main.go

@@ -28,6 +28,7 @@ import (
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	capz "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
+	capo "sigs.k8s.io/cluster-api-provider-openstack/api/v1beta1"
 	capv "sigs.k8s.io/cluster-api-provider-vsphere/apis/v1beta1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
@@ -57,6 +58,7 @@ func init() {
 	utilruntime.Must(sveltosv1beta1.AddToScheme(scheme))
 	utilruntime.Must(capz.AddToScheme(scheme))
 	utilruntime.Must(capv.AddToScheme(scheme))
+	utilruntime.Must(capo.AddToScheme(scheme))
 	// +kubebuilder:scaffold:scheme
 }
 

config/dev/openstack-credentials.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: openstack-cloud-config
+  namespace: ${NAMESPACE}
+stringData:
+  clouds.yaml: |
+    clouds:
+      openstack:
+        auth:
+          auth_url: ${OS_AUTH_URL}
+          application_credential_id: ${OS_APPLICATION_CREDENTIAL_ID}
+          application_credential_secret: ${OS_APPLICATION_CREDENTIAL_SECRET}
+        region_name: ${OS_REGION_NAME}
+        interface: ${OS_INTERFACE}
+        identity_api_version: ${OS_IDENTITY_API_VERSION}
+        auth_type: ${OS_AUTH_TYPE}
+---
+apiVersion: hmc.mirantis.com/v1alpha1
+kind: Credential
+metadata:
+  name: openstack-cluster-identity-cred
+  namespace: ${NAMESPACE}
+spec:
+  description: OpenStack credentials
+  identityRef:
+    apiVersion: v1
+    kind: Secret
+    name: openstack-cloud-config
+    namespace: ${NAMESPACE}

go.mod

@@ -30,6 +30,7 @@ require (
 	sigs.k8s.io/cluster-api v1.9.3
 	sigs.k8s.io/cluster-api-operator v0.14.0
 	sigs.k8s.io/cluster-api-provider-azure v1.17.2
+	sigs.k8s.io/cluster-api-provider-openstack v0.11.3
 	sigs.k8s.io/cluster-api-provider-vsphere v1.12.0
 	sigs.k8s.io/controller-runtime v0.19.3
 	sigs.k8s.io/yaml v1.4.0

go.sum

@@ -684,6 +684,8 @@ sigs.k8s.io/cluster-api-operator v0.14.0 h1:0QgO6+XGrNNJnNHKBwvQD5v6w+EaH3Z0RL1n
 sigs.k8s.io/cluster-api-operator v0.14.0/go.mod h1:euShpVN6HyxXas28HkrYxhCPVDW1UV6ljbRBAeCxp8Y=
 sigs.k8s.io/cluster-api-provider-azure v1.17.2 h1:uS9ggE/bryI0hiOWHBa56nYHkWmsPZW3bzYeAddL4vM=
 sigs.k8s.io/cluster-api-provider-azure v1.17.2/go.mod h1:ohdf0TYutOn5vKsXpNVeZUVfUSNIwNhfF6wDjbiqPI0=
+sigs.k8s.io/cluster-api-provider-openstack v0.11.3 h1:ZJ3G+m11bgaD227EuFjuFsFC95MRzJm9JbDIte0xwII=
+sigs.k8s.io/cluster-api-provider-openstack v0.11.3/go.mod h1:0rH6yksLcuwWK/SoSoCOJi4A0kOSL3qrA+qvDVZ9NjU=
 sigs.k8s.io/cluster-api-provider-vsphere v1.12.0 h1:9ze+1JSdLAGiLklsnORvj/vs2XpR9jyVmkT0Dwo1nuc=
 sigs.k8s.io/cluster-api-provider-vsphere v1.12.0/go.mod h1:2y9fsZQ3qjT1kL6IXiOUVcyV0n8DLBQGvyPnId9xRzk=
 sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8bX1sPw=

internal/controller/clusterdeployment_controller.go

@@ -355,7 +355,7 @@ func (r *ClusterDeploymentReconciler) updateCluster(ctx context.Context, mc *hmc
 	}
 
 	if mc.Spec.PropagateCredentials {
-		if err := r.reconcileCredentialPropagation(ctx, mc); err != nil {
+		if err := r.reconcileCredentialPropagation(ctx, mc, cred); err != nil {
 			l.Error(err, "failed to reconcile credentials propagation")
 			return ctrl.Result{}, err
 		}
@@ -696,7 +696,7 @@ func (r *ClusterDeploymentReconciler) objectsAvailable(ctx context.Context, name
 	return len(itemsList.Items) != 0, nil
 }
 
-func (r *ClusterDeploymentReconciler) reconcileCredentialPropagation(ctx context.Context, clusterDeployment *hmc.ClusterDeployment) error {
+func (r *ClusterDeploymentReconciler) reconcileCredentialPropagation(ctx context.Context, clusterDeployment *hmc.ClusterDeployment, credential *hmc.Credential) error {
 	l := ctrl.LoggerFrom(ctx)
 	l.Info("Reconciling CCM credentials propagation")
 
@@ -715,8 +715,9 @@ func (r *ClusterDeploymentReconciler) reconcileCredentialPropagation(ctx context
 
 	propnCfg := &credspropagation.PropagationCfg{
 		Client:            r.Client,
-		ClusterDeployment: clusterDeployment,
+		IdentityRef:       credential.Spec.IdentityRef,
 		KubeconfSecret:    kubeconfSecret,
+		ClusterDeployment: clusterDeployment,
 		SystemNamespace:   r.SystemNamespace,
 	}
 
@@ -763,6 +764,25 @@ func (r *ClusterDeploymentReconciler) reconcileCredentialPropagation(ctx context
 				Reason:  hmc.SucceededReason,
 				Message: "vSphere CCM credentials created",
 			})
+		case "openstack":
+			l.Info("OpenStack creds propagation start")
+			if err := credspropagation.PropagateOpenStackSecrets(ctx, propnCfg); err != nil {
+				errMsg := fmt.Sprintf("failed to create OpenStack CCM credentials: %s", err)
+				apimeta.SetStatusCondition(clusterDeployment.GetConditions(), metav1.Condition{
+					Type:    hmc.CredentialsPropagatedCondition,
+					Status:  metav1.ConditionFalse,
+					Reason:  hmc.FailedReason,
+					Message: errMsg,
+				})
+				return errors.New(errMsg)
+			}
+
+			apimeta.SetStatusCondition(clusterDeployment.GetConditions(), metav1.Condition{
+				Type:    hmc.CredentialsPropagatedCondition,
+				Status:  metav1.ConditionTrue,
+				Reason:  hmc.SucceededReason,
+				Message: "OpenStack CCM credentials created",
+			})
 		default:
 			apimeta.SetStatusCondition(clusterDeployment.GetConditions(), metav1.Condition{
 				Type:    hmc.CredentialsPropagatedCondition,

internal/credspropagation/azure.go

@@ -20,7 +20,6 @@ import (
 	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	capz "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -94,7 +93,7 @@ func generateAzureCCMSecret(azureCluster *capz.AzureCluster, azureClIdty *capz.A
 		"cloud-config": azureJSON,
 	}
 
-	return makeSecret("azure-cloud-provider", metav1.NamespaceSystem, secretData), nil
+	return makeSecret("azure-cloud-provider", secretData), nil
 }
 
 func getAzureSubnetData(azureCluster *capz.AzureCluster) (subnetName, secGroup, routeTable string) {

internal/credspropagation/common.go

@@ -30,8 +30,9 @@ import (
 
 type PropagationCfg struct {
 	Client            client.Client
-	ClusterDeployment *hmc.ClusterDeployment
 	KubeconfSecret    *corev1.Secret
+	IdentityRef       *corev1.ObjectReference
+	ClusterDeployment *hmc.ClusterDeployment
 	SystemNamespace   string
 }
 
@@ -53,23 +54,23 @@ func applyCCMConfigs(ctx context.Context, kubeconfSecret *corev1.Secret, objects
 	return nil
 }
 
-func makeSecret(name, namespace string, data map[string][]byte) *corev1.Secret {
+func makeSecret(name string, data map[string][]byte) *corev1.Secret {
 	s := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: metav1.NamespaceSystem,
 		},
 		Data: data,
 	}
 	s.SetGroupVersionKind(corev1.SchemeGroupVersion.WithKind("Secret"))
 	return s
 }
 
-func makeConfigMap(name, namespace string, data map[string]string) *corev1.ConfigMap {
+func makeConfigMap(name string, data map[string]string) *corev1.ConfigMap {
 	c := &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: metav1.NamespaceSystem,
 		},
 		Data: data,
 	}