Skip to content

feat: add keystoneauth_kubeservicetoken authentication plugin#1876

Draft
skrobul wants to merge 33 commits into
mainfrom
keystone-auth
Draft

feat: add keystoneauth_kubeservicetoken authentication plugin#1876
skrobul wants to merge 33 commits into
mainfrom
keystone-auth

Conversation

@skrobul

@skrobul skrobul commented Mar 26, 2026

Copy link
Copy Markdown
Collaborator

This change adds a keystoneauth OIDC access-token plugin that reads the current OIDC token from a file (access_token_file) instead of requiring a static inline token. It is designed for Kubernetes workload identity, where service-account/OIDC tokens rotate frequently and are projected to disk, making inline configuration brittle. The plugin preserves normal Keystone token caching and only re-reads the file when keystoneauth reauthenticates near Keystone token expiry, so rotated Kubernetes tokens are picked up automatically without forcing reauthentication on every request.

@skrobul skrobul requested review from cardoe and ctria March 26, 2026 12:39
@skrobul skrobul force-pushed the keystone-auth branch 7 times, most recently from 57e180e to d0d4d8b Compare May 14, 2026 11:46
@skrobul skrobul marked this pull request as draft May 20, 2026 16:22
@skrobul skrobul force-pushed the keystone-auth branch 4 times, most recently from 197ad28 to 74621f1 Compare June 8, 2026 15:49
@skrobul skrobul force-pushed the keystone-auth branch 2 times, most recently from 8aa90ca to 020b088 Compare June 15, 2026 12:12
skrobul added 5 commits July 6, 2026 11:13
09aa5fd removed the stray trailing "f" from the a659ab8a2 hash but
left the version numbers unchanged. Helm's chart-repo resolution
ignores semver build metadata (the "+hash" suffix) when matching, so
each pin was silently resolving to whatever pre-fix build already
existed under that version number instead of erroring. Bump every
chart's version number to the one actually published alongside
a659ab8a2 (verified against the tarballs.opendev.org index) so the
identity.openrc wiring fix actually gets deployed.
The chart gained native pod.etcSources support for cinder-ks-etc back
in Feb 2026 (upstream commit 06a5261a0), which unconditionally
declares a cinder-etc-snippets volume (projected, or an emptyDir
fallback when etcSources is empty). Our own pod.mounts override
predates that (Sep 2025) and injects a volume of the same name, so
every cinder Deployment/CronJob ended up with two "cinder-etc-snippets"
volumes. Switch to pod.etcSources for the components that support it
and drop the now-redundant custom mounts. cinder_db_sync keeps its
manual mount since that job template has no etcSources support.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant