Merge pull request #1189 from apricote/application-credential-support

k8s-ci-robot · web-flow · commit 3ce2de7e9013 · 2022-04-12T18:32:47.000-07:00
✨ Support Application Credential auth
diff --git a/README.md b/README.md
@@ -75,6 +75,8 @@ policy may be made to more closely aligned with other providers in the Cluster A
 
 **NOTE:** The minimum microversion of CAPI using nova is `2.53` now due to `server tags` support, see [code](https://github.com/kubernetes-sigs/cluster-api-provider-openstack/blob/c052e7e600f0e5ebddc839c08746bb636e79be87/pkg/cloud/services/compute/service.go#L38) for additional information.
 
+**NOTE:** We require Keystone v3 for authentication.
+
 ------
 
 ## Development versions
diff --git a/controllers/openstackcluster_controller.go b/controllers/openstackcluster_controller.go
@@ -107,14 +107,15 @@ func (r *OpenStackClusterReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		}
 	}()
 
-	osProviderClient, clientOpts, err := provider.NewClientFromCluster(ctx, r.Client, openStackCluster)
+	osProviderClient, clientOpts, projectID, err := provider.NewClientFromCluster(ctx, r.Client, openStackCluster)
 	if err != nil {
 		return reconcile.Result{}, err
 	}
 
 	scope := &scope.Scope{
 		ProviderClient:     osProviderClient,
 		ProviderClientOpts: clientOpts,
+		ProjectID:          projectID,
 		Logger:             log,
 	}
 
diff --git a/controllers/openstackmachine_controller.go b/controllers/openstackmachine_controller.go
@@ -140,14 +140,15 @@ func (r *OpenStackMachineReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		}
 	}()
 
-	osProviderClient, clientOpts, err := provider.NewClientFromMachine(ctx, r.Client, openStackMachine)
+	osProviderClient, clientOpts, projectID, err := provider.NewClientFromMachine(ctx, r.Client, openStackMachine)
 	if err != nil {
 		return reconcile.Result{}, err
 	}
 
 	scope := &scope.Scope{
 		ProviderClient:     osProviderClient,
 		ProviderClientOpts: clientOpts,
+		ProjectID:          projectID,
 		Logger:             log,
 	}
 
diff --git a/pkg/cloud/services/compute/instance.go b/pkg/cloud/services/compute/instance.go
@@ -290,7 +290,7 @@ func (s *Service) getVolumeByName(name string) (*volumes.Volume, error) {
 	listOpts := volumes.ListOpts{
 		AllTenants: false,
 		Name:       name,
-		TenantID:   s.projectID,
+		TenantID:   s.scope.ProjectID,
 	}
 	volumeList, err := s.computeService.ListVolumes(listOpts)
 	if err != nil {
diff --git a/pkg/cloud/services/compute/instance_test.go b/pkg/cloud/services/compute/instance_test.go
@@ -494,9 +494,9 @@ func TestService_getImageID(t *testing.T) {
 			tt.expect(mockComputeClient.EXPECT())
 
 			s := Service{
-				projectID: "",
 				scope: &scope.Scope{
-					Logger: logr.Discard(),
+					ProjectID: "",
+					Logger:    logr.Discard(),
 				},
 				computeService:    mockComputeClient,
 				networkingService: &networking.Service{},
@@ -997,9 +997,9 @@ func TestService_ReconcileInstance(t *testing.T) {
 			tt.expect(computeRecorder, networkRecorder)
 
 			s := Service{
-				projectID: "",
 				scope: &scope.Scope{
-					Logger: logr.Discard(),
+					Logger:    logr.Discard(),
+					ProjectID: "",
 				},
 				computeService: mockComputeClient,
 				networkingService: networking.NewTestService(
@@ -1108,9 +1108,9 @@ func TestService_DeleteInstance(t *testing.T) {
 			tt.expect(computeRecorder, networkRecorder)
 
 			s := Service{
-				projectID: "",
 				scope: &scope.Scope{
-					Logger: logr.Discard(),
+					ProjectID: "",
+					Logger:    logr.Discard(),
 				},
 				computeService: mockComputeClient,
 				networkingService: networking.NewTestService(
diff --git a/pkg/cloud/services/compute/service.go b/pkg/cloud/services/compute/service.go
@@ -23,12 +23,10 @@ import (
 	"github.com/gophercloud/gophercloud/openstack"
 
 	"sigs.k8s.io/cluster-api-provider-openstack/pkg/cloud/services/networking"
-	"sigs.k8s.io/cluster-api-provider-openstack/pkg/cloud/services/provider"
 	"sigs.k8s.io/cluster-api-provider-openstack/pkg/scope"
 )
 
 type Service struct {
-	projectID         string
 	scope             *scope.Scope
 	computeService    Client
 	networkingService *networking.Service
@@ -75,18 +73,12 @@ func NewService(scope *scope.Scope) (*Service, error) {
 		return nil, fmt.Errorf("authInfo must be set")
 	}
 
-	projectID, err := provider.GetProjectID(scope.ProviderClient, scope.ProviderClientOpts)
-	if err != nil {
-		return nil, fmt.Errorf("error retrieveing project id: %v", err)
-	}
-
 	networkingService, err := networking.NewService(scope)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create networking service: %v", err)
 	}
 
 	return &Service{
-		projectID:         projectID,
 		scope:             scope,
 		computeService:    computeService,
 		networkingService: networkingService,
diff --git a/pkg/cloud/services/networking/securitygroups.go b/pkg/cloud/services/networking/securitygroups.go
@@ -404,7 +404,7 @@ func (s *Service) GetSecurityGroups(securityGroupParams []infrav1.SecurityGroupP
 
 		listOpts := groups.ListOpts(sg.Filter)
 		if listOpts.ProjectID == "" {
-			listOpts.ProjectID = s.projectID
+			listOpts.ProjectID = s.scope.ProjectID
 		}
 		listOpts.Name = sg.Name
 		listOpts.ID = sg.UUID
diff --git a/pkg/cloud/services/networking/service.go b/pkg/cloud/services/networking/service.go
@@ -26,7 +26,6 @@ import (
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/attributestags"
 	"k8s.io/apimachinery/pkg/runtime"
 
-	"sigs.k8s.io/cluster-api-provider-openstack/pkg/cloud/services/provider"
 	"sigs.k8s.io/cluster-api-provider-openstack/pkg/record"
 	"sigs.k8s.io/cluster-api-provider-openstack/pkg/scope"
 )
@@ -40,9 +39,8 @@ const (
 // Service interfaces with the OpenStack Networking API.
 // It will create a network related infrastructure for the cluster, like network, subnet, router, security groups.
 type Service struct {
-	projectID string
-	scope     *scope.Scope
-	client    NetworkClient
+	scope  *scope.Scope
+	client NetworkClient
 }
 
 // NewService returns an instance of the networking service.
@@ -58,24 +56,18 @@ func NewService(scope *scope.Scope) (*Service, error) {
 		return nil, fmt.Errorf("failed to get project id: authInfo must be set")
 	}
 
-	projectID, err := provider.GetProjectID(scope.ProviderClient, scope.ProviderClientOpts)
-	if err != nil {
-		return nil, fmt.Errorf("error retrieveing project id: %v", err)
-	}
-
 	return &Service{
-		projectID: projectID,
-		scope:     scope,
-		client:    networkClient{serviceClient},
+		scope:  scope,
+		client: networkClient{serviceClient},
 	}, nil
 }
 
 // NewTestService returns a Service with no initialisation. It should only be used by tests.
 func NewTestService(projectID string, client NetworkClient, logger logr.Logger) *Service {
 	return &Service{
-		projectID: projectID,
 		scope: &scope.Scope{
-			Logger: logger,
+			ProjectID: projectID,
+			Logger:    logger,
 		},
 		client: client,
 	}
diff --git a/pkg/cloud/services/provider/provider.go b/pkg/cloud/services/provider/provider.go
@@ -25,6 +25,7 @@ import (
 
 	"github.com/gophercloud/gophercloud"
 	"github.com/gophercloud/gophercloud/openstack"
+	"github.com/gophercloud/gophercloud/openstack/identity/v3/tokens"
 	osclient "github.com/gophercloud/utils/client"
 	"github.com/gophercloud/utils/openstack/clientconfig"
 	corev1 "k8s.io/api/core/v1"
@@ -34,43 +35,42 @@ import (
 	"sigs.k8s.io/yaml"
 
 	infrav1 "sigs.k8s.io/cluster-api-provider-openstack/api/v1beta1"
-	"sigs.k8s.io/cluster-api-provider-openstack/pkg/metrics"
 )
 
 const (
 	cloudsSecretKey = "clouds.yaml"
 	caSecretKey     = "cacert"
 )
 
-func NewClientFromMachine(ctx context.Context, ctrlClient client.Client, openStackMachine *infrav1.OpenStackMachine) (*gophercloud.ProviderClient, *clientconfig.ClientOpts, error) {
+func NewClientFromMachine(ctx context.Context, ctrlClient client.Client, openStackMachine *infrav1.OpenStackMachine) (*gophercloud.ProviderClient, *clientconfig.ClientOpts, string, error) {
 	var cloud clientconfig.Cloud
 	var caCert []byte
 
 	if openStackMachine.Spec.IdentityRef != nil {
 		var err error
 		cloud, caCert, err = getCloudFromSecret(ctx, ctrlClient, openStackMachine.Namespace, openStackMachine.Spec.IdentityRef.Name, openStackMachine.Spec.CloudName)
 		if err != nil {
-			return nil, nil, err
+			return nil, nil, "", err
 		}
 	}
 	return NewClient(cloud, caCert)
 }
 
-func NewClientFromCluster(ctx context.Context, ctrlClient client.Client, openStackCluster *infrav1.OpenStackCluster) (*gophercloud.ProviderClient, *clientconfig.ClientOpts, error) {
+func NewClientFromCluster(ctx context.Context, ctrlClient client.Client, openStackCluster *infrav1.OpenStackCluster) (*gophercloud.ProviderClient, *clientconfig.ClientOpts, string, error) {
 	var cloud clientconfig.Cloud
 	var caCert []byte
 
 	if openStackCluster.Spec.IdentityRef != nil {
 		var err error
 		cloud, caCert, err = getCloudFromSecret(ctx, ctrlClient, openStackCluster.Namespace, openStackCluster.Spec.IdentityRef.Name, openStackCluster.Spec.CloudName)
 		if err != nil {
-			return nil, nil, err
+			return nil, nil, "", err
 		}
 	}
 	return NewClient(cloud, caCert)
 }
 
-func NewClient(cloud clientconfig.Cloud, caCert []byte) (*gophercloud.ProviderClient, *clientconfig.ClientOpts, error) {
+func NewClient(cloud clientconfig.Cloud, caCert []byte) (*gophercloud.ProviderClient, *clientconfig.ClientOpts, string, error) {
 	clientOpts := new(clientconfig.ClientOpts)
 	if cloud.AuthInfo != nil {
 		clientOpts.AuthInfo = cloud.AuthInfo
@@ -80,13 +80,13 @@ func NewClient(cloud clientconfig.Cloud, caCert []byte) (*gophercloud.ProviderCl
 
 	opts, err := clientconfig.AuthOptions(clientOpts)
 	if err != nil {
-		return nil, nil, fmt.Errorf("auth option failed for cloud %v: %v", cloud.Cloud, err)
+		return nil, nil, "", fmt.Errorf("auth option failed for cloud %v: %v", cloud.Cloud, err)
 	}
 	opts.AllowReauth = true
 
 	provider, err := openstack.NewClient(opts.IdentityEndpoint)
 	if err != nil {
-		return nil, nil, fmt.Errorf("create providerClient err: %v", err)
+		return nil, nil, "", fmt.Errorf("create providerClient err: %v", err)
 	}
 
 	config := &tls.Config{
@@ -109,9 +109,15 @@ func NewClient(cloud clientconfig.Cloud, caCert []byte) (*gophercloud.ProviderCl
 	}
 	err = openstack.Authenticate(provider, *opts)
 	if err != nil {
-		return nil, nil, fmt.Errorf("providerClient authentication err: %v", err)
+		return nil, nil, "", fmt.Errorf("providerClient authentication err: %v", err)
 	}
-	return provider, clientOpts, nil
+
+	projectID, err := getProjectIDFromAuthResult(provider.GetAuthResult())
+	if err != nil {
+		return nil, nil, "", err
+	}
+
+	return provider, clientOpts, projectID, nil
 }
 
 type defaultLogger struct{}
@@ -161,42 +167,20 @@ func getCloudFromSecret(ctx context.Context, ctrlClient client.Client, secretNam
 	return clouds.Clouds[cloudName], caCert, nil
 }
 
-type project struct {
-	ID   string `json:"id"`
-	Name string
-}
-
-type projects struct {
-	Projects []project `json:"projects"`
-}
-
-func GetProjectID(client *gophercloud.ProviderClient, clientOpts *clientconfig.ClientOpts) (string, error) {
-	if clientOpts.AuthInfo.ProjectID != "" {
-		return clientOpts.AuthInfo.ProjectID, nil
-	}
-
-	projectName := clientOpts.AuthInfo.ProjectName
-	if projectName == "" {
-		return "", fmt.Errorf("failed to get project id")
-	}
-
-	c, err := openstack.NewIdentityV3(client, gophercloud.EndpointOpts{})
-	if err != nil {
-		return "", fmt.Errorf("failed to create identity service client: %v", err)
-	}
+// getProjectIDFromAuthResult handles different auth mechanisms to retrieve the
+// current project id. Usually we use the Identity v3 Token mechanism that
+// returns the project id in the response to the initial auth request.
+func getProjectIDFromAuthResult(authResult gophercloud.AuthResult) (string, error) {
+	switch authResult := authResult.(type) {
+	case tokens.CreateResult:
+		project, err := authResult.ExtractProject()
+		if err != nil {
+			return "", fmt.Errorf("unable to extract project from CreateResult: %v", err)
+		}
 
-	jsonResp := projects{}
-	mc := metrics.NewMetricPrometheusContext("project", "get")
-	resp, err := c.Get(c.ServiceURL("auth", "projects"), &jsonResp, &gophercloud.RequestOpts{OkCodes: []int{200}})
-	if mc.ObserveRequest(err) != nil {
-		return "", err
-	}
-	defer resp.Body.Close()
+		return project.ID, nil
 
-	for _, project := range jsonResp.Projects {
-		if project.Name == projectName {
-			return project.ID, nil
-		}
+	default:
+		return "", fmt.Errorf("unable to get the project id from auth response with type %T", authResult)
 	}
-	return "", fmt.Errorf("project %s not found", projectName)
 }
diff --git a/pkg/scope/scope.go b/pkg/scope/scope.go
@@ -32,6 +32,7 @@ import (
 type Scope struct {
 	ProviderClient     *gophercloud.ProviderClient
 	ProviderClientOpts *clientconfig.ClientOpts
+	ProjectID          string
 
 	Logger logr.Logger
 }
diff --git a/test/e2e/shared/openstack.go b/test/e2e/shared/openstack.go
diff --git a/test/e2e/suites/e2e/e2e_test.go b/test/e2e/suites/e2e/e2e_test.go

Original file line number	Diff line number	Diff line change
`@@ -107,14 +107,15 @@ func (r *OpenStackClusterReconciler) Reconcile(ctx context.Context, req ctrl.Req`
`107`	`107`	`}`
`108`	`108`	`}()`
`109`	`109`
`110`		`- osProviderClient, clientOpts, err := provider.NewClientFromCluster(ctx, r.Client, openStackCluster)`
	`110`	`+ osProviderClient, clientOpts, projectID, err := provider.NewClientFromCluster(ctx, r.Client, openStackCluster)`
`111`	`111`	`if err != nil {`
`112`	`112`	`return reconcile.Result{}, err`
`113`	`113`	`}`
`114`	`114`
`115`	`115`	`scope := &scope.Scope{`
`116`	`116`	`ProviderClient: osProviderClient,`
`117`	`117`	`ProviderClientOpts: clientOpts,`
	`118`	`+ ProjectID: projectID,`
`118`	`119`	`Logger: log,`
`119`	`120`	`}`
`120`	`121`
Original file line number	Diff line number	Diff line change
`@@ -140,14 +140,15 @@ func (r *OpenStackMachineReconciler) Reconcile(ctx context.Context, req ctrl.Req`
`140`	`140`	`}`
`141`	`141`	`}()`
`142`	`142`
`143`		`- osProviderClient, clientOpts, err := provider.NewClientFromMachine(ctx, r.Client, openStackMachine)`
	`143`	`+ osProviderClient, clientOpts, projectID, err := provider.NewClientFromMachine(ctx, r.Client, openStackMachine)`
`144`	`144`	`if err != nil {`
`145`	`145`	`return reconcile.Result{}, err`
`146`	`146`	`}`
`147`	`147`
`148`	`148`	`scope := &scope.Scope{`
`149`	`149`	`ProviderClient: osProviderClient,`
`150`	`150`	`ProviderClientOpts: clientOpts,`
	`151`	`+ ProjectID: projectID,`
`151`	`152`	`Logger: log,`
`152`	`153`	`}`
`153`	`154`
Original file line number	Diff line number	Diff line change
`@@ -290,7 +290,7 @@ func (s Service) getVolumeByName(name string) (volumes.Volume, error) {`
`290`	`290`	`listOpts := volumes.ListOpts{`
`291`	`291`	`AllTenants: false,`
`292`	`292`	`Name: name,`
`293`		`- TenantID: s.projectID,`
	`293`	`+ TenantID: s.scope.ProjectID,`
`294`	`294`	`}`
`295`	`295`	`volumeList, err := s.computeService.ListVolumes(listOpts)`
`296`	`296`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -404,7 +404,7 @@ func (s *Service) GetSecurityGroups(securityGroupParams []infrav1.SecurityGroupP`
`404`	`404`
`405`	`405`	`listOpts := groups.ListOpts(sg.Filter)`
`406`	`406`	`if listOpts.ProjectID == "" {`
`407`		`- listOpts.ProjectID = s.projectID`
	`407`	`+ listOpts.ProjectID = s.scope.ProjectID`
`408`	`408`	`}`
`409`	`409`	`listOpts.Name = sg.Name`
`410`	`410`	`listOpts.ID = sg.UUID`
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,7 @@ import (`
`32`	`32`	`type Scope struct {`
`33`	`33`	`ProviderClient *gophercloud.ProviderClient`
`34`	`34`	`ProviderClientOpts *clientconfig.ClientOpts`
	`35`	`+ ProjectID string`
`35`	`36`
`36`	`37`	`Logger logr.Logger`
`37`	`38`	`}`