Merge pull request #1189 from apricote/application-credential-support

✨ Support Application Credential auth

Author: k8s-ci-robot

README.md

@@ -75,6 +75,8 @@ policy may be made to more closely aligned with other providers in the Cluster A
 
 **NOTE:** The minimum microversion of CAPI using nova is `2.53` now due to `server tags` support, see [code](https://github.com/kubernetes-sigs/cluster-api-provider-openstack/blob/c052e7e600f0e5ebddc839c08746bb636e79be87/pkg/cloud/services/compute/service.go#L38) for additional information.
 
+**NOTE:** We require Keystone v3 for authentication.
+
 ------
 
 ## Development versions

controllers/openstackcluster_controller.go

@@ -107,14 +107,15 @@ func (r *OpenStackClusterReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		}
 	}()
 
-	osProviderClient, clientOpts, err := provider.NewClientFromCluster(ctx, r.Client, openStackCluster)
+	osProviderClient, clientOpts, projectID, err := provider.NewClientFromCluster(ctx, r.Client, openStackCluster)
 	if err != nil {
 		return reconcile.Result{}, err
 	}
 
 	scope := &scope.Scope{
 		ProviderClient:     osProviderClient,
 		ProviderClientOpts: clientOpts,
+		ProjectID:          projectID,
 		Logger:             log,
 	}
 

controllers/openstackmachine_controller.go

@@ -140,14 +140,15 @@ func (r *OpenStackMachineReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		}
 	}()
 
-	osProviderClient, clientOpts, err := provider.NewClientFromMachine(ctx, r.Client, openStackMachine)
+	osProviderClient, clientOpts, projectID, err := provider.NewClientFromMachine(ctx, r.Client, openStackMachine)
 	if err != nil {
 		return reconcile.Result{}, err
 	}
 
 	scope := &scope.Scope{
 		ProviderClient:     osProviderClient,
 		ProviderClientOpts: clientOpts,
+		ProjectID:          projectID,
 		Logger:             log,
 	}
 

pkg/cloud/services/compute/instance.go

@@ -290,7 +290,7 @@ func (s *Service) getVolumeByName(name string) (*volumes.Volume, error) {
 	listOpts := volumes.ListOpts{
 		AllTenants: false,
 		Name:       name,
-		TenantID:   s.projectID,
+		TenantID:   s.scope.ProjectID,
 	}
 	volumeList, err := s.computeService.ListVolumes(listOpts)
 	if err != nil {

pkg/cloud/services/compute/instance_test.go

@@ -494,9 +494,9 @@ func TestService_getImageID(t *testing.T) {
 			tt.expect(mockComputeClient.EXPECT())
 
 			s := Service{
-				projectID: "",
 				scope: &scope.Scope{
-					Logger: logr.Discard(),
+					ProjectID: "",
+					Logger:    logr.Discard(),
 				},
 				computeService:    mockComputeClient,
 				networkingService: &networking.Service{},
@@ -997,9 +997,9 @@ func TestService_ReconcileInstance(t *testing.T) {
 			tt.expect(computeRecorder, networkRecorder)
 
 			s := Service{
-				projectID: "",
 				scope: &scope.Scope{
-					Logger: logr.Discard(),
+					Logger:    logr.Discard(),
+					ProjectID: "",
 				},
 				computeService: mockComputeClient,
 				networkingService: networking.NewTestService(
@@ -1108,9 +1108,9 @@ func TestService_DeleteInstance(t *testing.T) {
 			tt.expect(computeRecorder, networkRecorder)
 
 			s := Service{
-				projectID: "",
 				scope: &scope.Scope{
-					Logger: logr.Discard(),
+					ProjectID: "",
+					Logger:    logr.Discard(),
 				},
 				computeService: mockComputeClient,
 				networkingService: networking.NewTestService(

pkg/cloud/services/compute/service.go

@@ -23,12 +23,10 @@ import (
 	"github.com/gophercloud/gophercloud/openstack"
 
 	"sigs.k8s.io/cluster-api-provider-openstack/pkg/cloud/services/networking"
-	"sigs.k8s.io/cluster-api-provider-openstack/pkg/cloud/services/provider"
 	"sigs.k8s.io/cluster-api-provider-openstack/pkg/scope"
 )
 
 type Service struct {
-	projectID         string
 	scope             *scope.Scope
 	computeService    Client
 	networkingService *networking.Service
@@ -75,18 +73,12 @@ func NewService(scope *scope.Scope) (*Service, error) {
 		return nil, fmt.Errorf("authInfo must be set")
 	}
 
-	projectID, err := provider.GetProjectID(scope.ProviderClient, scope.ProviderClientOpts)
-	if err != nil {
-		return nil, fmt.Errorf("error retrieveing project id: %v", err)
-	}
-
 	networkingService, err := networking.NewService(scope)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create networking service: %v", err)
 	}
 
 	return &Service{
-		projectID:         projectID,
 		scope:             scope,
 		computeService:    computeService,
 		networkingService: networkingService,

pkg/cloud/services/networking/securitygroups.go

@@ -404,7 +404,7 @@ func (s *Service) GetSecurityGroups(securityGroupParams []infrav1.SecurityGroupP
 
 		listOpts := groups.ListOpts(sg.Filter)
 		if listOpts.ProjectID == "" {
-			listOpts.ProjectID = s.projectID
+			listOpts.ProjectID = s.scope.ProjectID
 		}
 		listOpts.Name = sg.Name
 		listOpts.ID = sg.UUID

pkg/cloud/services/networking/service.go

@@ -26,7 +26,6 @@ import (
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/attributestags"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	"sigs.k8s.io/cluster-api-provider-openstack/pkg/cloud/services/provider"
 	"sigs.k8s.io/cluster-api-provider-openstack/pkg/record"
 	"sigs.k8s.io/cluster-api-provider-openstack/pkg/scope"
 )
@@ -40,9 +39,8 @@ const (
 // Service interfaces with the OpenStack Networking API.
 // It will create a network related infrastructure for the cluster, like network, subnet, router, security groups.
 type Service struct {
-	projectID string
-	scope     *scope.Scope
-	client    NetworkClient
+	scope  *scope.Scope
+	client NetworkClient
 }
 
 // NewService returns an instance of the networking service.
@@ -58,24 +56,18 @@ func NewService(scope *scope.Scope) (*Service, error) {
 		return nil, fmt.Errorf("failed to get project id: authInfo must be set")
 	}
 
-	projectID, err := provider.GetProjectID(scope.ProviderClient, scope.ProviderClientOpts)
-	if err != nil {
-		return nil, fmt.Errorf("error retrieveing project id: %v", err)
-	}
-
 	return &Service{
-		projectID: projectID,
-		scope:     scope,
-		client:    networkClient{serviceClient},
+		scope:  scope,
+		client: networkClient{serviceClient},
 	}, nil
 }
 
 // NewTestService returns a Service with no initialisation. It should only be used by tests.
 func NewTestService(projectID string, client NetworkClient, logger logr.Logger) *Service {
 	return &Service{
-		projectID: projectID,
 		scope: &scope.Scope{
-			Logger: logger,
+			ProjectID: projectID,
+			Logger:    logger,
 		},
 		client: client,
 	}

pkg/cloud/services/provider/provider.go

@@ -25,6 +25,7 @@ import (
 
 	"github.com/gophercloud/gophercloud"
 	"github.com/gophercloud/gophercloud/openstack"
+	"github.com/gophercloud/gophercloud/openstack/identity/v3/tokens"
 	osclient "github.com/gophercloud/utils/client"
 	"github.com/gophercloud/utils/openstack/clientconfig"
 	corev1 "k8s.io/api/core/v1"
@@ -34,43 +35,42 @@ import (
 	"sigs.k8s.io/yaml"
 
 	infrav1 "sigs.k8s.io/cluster-api-provider-openstack/api/v1beta1"
-	"sigs.k8s.io/cluster-api-provider-openstack/pkg/metrics"
 )
 
 const (
 	cloudsSecretKey = "clouds.yaml"
 	caSecretKey     = "cacert"
 )
 
-func NewClientFromMachine(ctx context.Context, ctrlClient client.Client, openStackMachine *infrav1.OpenStackMachine) (*gophercloud.ProviderClient, *clientconfig.ClientOpts, error) {
+func NewClientFromMachine(ctx context.Context, ctrlClient client.Client, openStackMachine *infrav1.OpenStackMachine) (*gophercloud.ProviderClient, *clientconfig.ClientOpts, string, error) {
 	var cloud clientconfig.Cloud
 	var caCert []byte
 
 	if openStackMachine.Spec.IdentityRef != nil {
 		var err error
 		cloud, caCert, err = getCloudFromSecret(ctx, ctrlClient, openStackMachine.Namespace, openStackMachine.Spec.IdentityRef.Name, openStackMachine.Spec.CloudName)
 		if err != nil {
-			return nil, nil, err
+			return nil, nil, "", err
 		}
 	}
 	return NewClient(cloud, caCert)
 }
 
-func NewClientFromCluster(ctx context.Context, ctrlClient client.Client, openStackCluster *infrav1.OpenStackCluster) (*gophercloud.ProviderClient, *clientconfig.ClientOpts, error) {
+func NewClientFromCluster(ctx context.Context, ctrlClient client.Client, openStackCluster *infrav1.OpenStackCluster) (*gophercloud.ProviderClient, *clientconfig.ClientOpts, string, error) {
 	var cloud clientconfig.Cloud
 	var caCert []byte
 
 	if openStackCluster.Spec.IdentityRef != nil {
 		var err error
 		cloud, caCert, err = getCloudFromSecret(ctx, ctrlClient, openStackCluster.Namespace, openStackCluster.Spec.IdentityRef.Name, openStackCluster.Spec.CloudName)
 		if err != nil {
-			return nil, nil, err
+			return nil, nil, "", err
 		}
 	}
 	return NewClient(cloud, caCert)
 }
 
-func NewClient(cloud clientconfig.Cloud, caCert []byte) (*gophercloud.ProviderClient, *clientconfig.ClientOpts, error) {
+func NewClient(cloud clientconfig.Cloud, caCert []byte) (*gophercloud.ProviderClient, *clientconfig.ClientOpts, string, error) {
 	clientOpts := new(clientconfig.ClientOpts)
 	if cloud.AuthInfo != nil {
 		clientOpts.AuthInfo = cloud.AuthInfo
@@ -80,13 +80,13 @@ func NewClient(cloud clientconfig.Cloud, caCert []byte) (*gophercloud.ProviderCl
 
 	opts, err := clientconfig.AuthOptions(clientOpts)
 	if err != nil {
-		return nil, nil, fmt.Errorf("auth option failed for cloud %v: %v", cloud.Cloud, err)
+		return nil, nil, "", fmt.Errorf("auth option failed for cloud %v: %v", cloud.Cloud, err)
 	}
 	opts.AllowReauth = true
 
 	provider, err := openstack.NewClient(opts.IdentityEndpoint)
 	if err != nil {
-		return nil, nil, fmt.Errorf("create providerClient err: %v", err)
+		return nil, nil, "", fmt.Errorf("create providerClient err: %v", err)
 	}
 
 	config := &tls.Config{
@@ -109,9 +109,15 @@ func NewClient(cloud clientconfig.Cloud, caCert []byte) (*gophercloud.ProviderCl
 	}
 	err = openstack.Authenticate(provider, *opts)
 	if err != nil {
-		return nil, nil, fmt.Errorf("providerClient authentication err: %v", err)
+		return nil, nil, "", fmt.Errorf("providerClient authentication err: %v", err)
 	}
-	return provider, clientOpts, nil
+
+	projectID, err := getProjectIDFromAuthResult(provider.GetAuthResult())
+	if err != nil {
+		return nil, nil, "", err
+	}
+
+	return provider, clientOpts, projectID, nil
 }
 
 type defaultLogger struct{}
@@ -161,42 +167,20 @@ func getCloudFromSecret(ctx context.Context, ctrlClient client.Client, secretNam
 	return clouds.Clouds[cloudName], caCert, nil
 }
 
-type project struct {
-	ID   string `json:"id"`
-	Name string
-}
-
-type projects struct {
-	Projects []project `json:"projects"`
-}
-
-func GetProjectID(client *gophercloud.ProviderClient, clientOpts *clientconfig.ClientOpts) (string, error) {
-	if clientOpts.AuthInfo.ProjectID != "" {
-		return clientOpts.AuthInfo.ProjectID, nil
-	}
-
-	projectName := clientOpts.AuthInfo.ProjectName
-	if projectName == "" {
-		return "", fmt.Errorf("failed to get project id")
-	}
-
-	c, err := openstack.NewIdentityV3(client, gophercloud.EndpointOpts{})
-	if err != nil {
-		return "", fmt.Errorf("failed to create identity service client: %v", err)
-	}
+// getProjectIDFromAuthResult handles different auth mechanisms to retrieve the
+// current project id. Usually we use the Identity v3 Token mechanism that
+// returns the project id in the response to the initial auth request.
+func getProjectIDFromAuthResult(authResult gophercloud.AuthResult) (string, error) {
+	switch authResult := authResult.(type) {
+	case tokens.CreateResult:
+		project, err := authResult.ExtractProject()
+		if err != nil {
+			return "", fmt.Errorf("unable to extract project from CreateResult: %v", err)
+		}
 
-	jsonResp := projects{}
-	mc := metrics.NewMetricPrometheusContext("project", "get")
-	resp, err := c.Get(c.ServiceURL("auth", "projects"), &jsonResp, &gophercloud.RequestOpts{OkCodes: []int{200}})
-	if mc.ObserveRequest(err) != nil {
-		return "", err
-	}
-	defer resp.Body.Close()
+		return project.ID, nil
 
-	for _, project := range jsonResp.Projects {
-		if project.Name == projectName {
-			return project.ID, nil
-		}
+	default:
+		return "", fmt.Errorf("unable to get the project id from auth response with type %T", authResult)
 	}
-	return "", fmt.Errorf("project %s not found", projectName)
 }

pkg/scope/scope.go

@@ -32,6 +32,7 @@ import (
 type Scope struct {
 	ProviderClient     *gophercloud.ProviderClient
 	ProviderClientOpts *clientconfig.ClientOpts
+	ProjectID          string
 
 	Logger logr.Logger
 }