Application Credential Support

[Deydra71]

Jira: OSPRH-20524

Adds the end-to-end support for consuming Keystone ApplicationCredentials (AC) in the watcher-operator, enabling WatcherAPI, WatcherApplier, and WatcherDecisionEngine pods to use AC-based authentication when available.

API changes:

Adds an optional authentication field to the Watcher CRs:

spec.auth.applicationCredentialSecret — name of the Secret that contains the Keystone Application Credential ID and Secret (AC_ID and AC_SECRET).

Reconcile behavior:

Reads spec.auth.applicationCredentialSecret
Attempts to load AC_ID / AC_SECRET from the referenced Secret (via the Keystone helper).
If the secret is missing or incomplete, it falls back to password authentication (the AppCred auth is optional, not an error).

• Once the AC Secret is ready with valid AC_ID and AC_SECRET fields, templates AC credentials into the shared service configuration (00-default.conf)
• The configuration hash naturally includes AC values, triggering rolling updates when credentials rotate
• All three child controllers use the same 'watcher' user and shared AC Secret

Both [keystone_authtoken] and [watcher_clients_auth] sections in 00-default.conf are updated to support AC authentication with a block-based if-else structure.

Depends-On: openstack-k8s-operators/keystone-operator#567

[SeanMooney]

i have not looked at he functional test but the current changes are no following the patter we use in the watcher operator.

we shoudl also have kuttl test ideally for this.
in would also like to see one of the tempest jobs use this pattern but that could be in a separate PR

[SeanMooney]

we normally do not use booleans for this
we isntead follow the pattern of chekcign if the parmares are empty in the template.

https://github.com/openstack-k8s-operators/watcher-operator/blob/main/templates/00-default.conf#L8-L10

can you refactor this to use that pattern

in this case you shoudl generate the approate section if

"ACID" is populated

{{ if (index . "ACID") }}
...
{{ end}}

[SeanMooney]

ok so keystone is going to provide a helper function it its api module instead of each fo the service operators using ensureSecret

this is not quite correct for watcher nova or placement because we create separate secrets for sub cr each so the top level watcher controller shoudl receive the application credential and look up the info form the keystone created secret and then populate that into the per CR secrete

so we should look this up once here

https://github.com/openstack-k8s-operators/watcher-operator/blob/main/internal/controller/watcher_controller.go#L285-L353

then extend createSubLevelSecret to propagate the application credential info into the service secrets.

https://github.com/openstack-k8s-operators/watcher-operator/blob/main/internal/controller/watcher_controller.go#L355-L360
https://github.com/openstack-k8s-operators/watcher-operator/blob/main/internal/controller/watcher_controller.go#L862

even if we were to ignore that pattenr which i dont think we should we would add a new fucntion to the base reconsolie instead to aovid repeating this per service contoler.

https://github.com/openstack-k8s-operators/watcher-operator/blob/main/internal/controller/watcher_common.go#L407-L448

[SeanMooney]

this looks incorrect to me.

we watcher secrets or other CRDs

genericly

https://github.com/openstack-k8s-operators/watcher-operator/blob/main/internal/controller/watcherapi_controller.go#L938-L952

the looping over the relevant objects and creation of reconsile request is don by

https://github.com/openstack-k8s-operators/watcher-operator/blob/main/internal/controller/watcherapi_controller.go#L956-L1019

so you shoudl not be generating the reconsile reqeust hree

you would follw the same patthern as the passwordSecretFiled and return a slice of strings []string

// index passwordSecretField
if err := mgr.GetFieldIndexer().IndexField(context.Background(), &watcherv1beta1.WatcherAPI{}, passwordSecretField, func(rawObj client.Object) []string {
	// Extract the secret name from the spec, if one is provided
	cr := rawObj.(*watcherv1beta1.WatcherAPI)
	if cr.Spec.Secret == "" {
		return nil
	}
	return []string{cr.Spec.Secret}
}); err != nil {
	return err
}

with that said as i indicated above the applcition credtial shoudl be manged at the toplevel contoler and the API/applier/descison engine should jus twhatc there input secret.

basiclly the top level contoler will watch the appcliatce credtial secret/CRD and update the subCR secrete, the subcr contoler like the water api contole only watch there secret not teh applcation credital one.

[SeanMooney]

the current design regresses #30 by making each controller depend on the the application credential directly.
https://issues.redhat.com//browse/OSPRH-11483

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/980f61d6994b45f090a0c385ce6ea6af

❌ openstack-meta-content-provider-master FAILURE in 35m 06s
⚠️ watcher-operator-validation-master SKIPPED Skipped due to failed job openstack-meta-content-provider-master
✔️ openstack-meta-content-provider-epoxy SUCCESS in 2h 37m 29s
✔️ watcher-operator-validation-epoxy SUCCESS in 2h 05m 50s
❌ watcher-operator-validation-epoxy-ocp4-16 FAILURE in 23m 59s
✔️ noop SUCCESS in 0s
⚠️ watcher-operator-kuttl SKIPPED Skipped due to failed job openstack-meta-content-provider-master

[Deydra71]

Hey @SeanMooney ! Thanks for the review. We decided today that we will refactor the app cred support in service operators to create a new CRD field for appCredSecret name. So, we will get rid of the watchers, and will use field index instead in only parent controller, as you suggested.

I will prepare changes soon.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from seanmooney. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@Deydra71: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/precommit-check	a22b12b	link	true	/test precommit-check

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/ed381afd2cd041709b601f0b977e644f

❌ openstack-meta-content-provider-master FAILURE in 33m 55s
⚠️ watcher-operator-validation-master SKIPPED Skipped due to failed job openstack-meta-content-provider-master
✔️ openstack-meta-content-provider-epoxy SUCCESS in 2h 35m 24s
✔️ watcher-operator-validation-epoxy SUCCESS in 1h 53m 58s
✔️ watcher-operator-validation-epoxy-ocp4-16 SUCCESS in 2h 04m 21s
✔️ noop SUCCESS in 0s
⚠️ watcher-operator-kuttl SKIPPED Skipped due to failed job openstack-meta-content-provider-master