feat: add keystoneauth_kubeservicetoken authentication plugin

charts/argocd-understack/templates/application-oidc-rbac.yaml

@@ -0,0 +1,30 @@
+{{- if or (eq (include "understack.isEnabled" (list $.Values.global "oidc_rbac")) "true") (eq (include "understack.isEnabled" (list $.Values.site "oidc_rbac")) "true") }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ printf "%s-%s" $.Release.Name "oidc-rbac" }}
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+  annotations:
+    argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
+{{- include "understack.appLabelsBlock" $ | nindent 2 }}
+spec:
+  destination:
+    namespace: kube-system
+    server: {{ $.Values.cluster_server }}
+  project: understack-infra
+  sources:
+  - path: components/oidc-rbac
+    ref: understack
+    repoURL: {{ include "understack.understack_url" $ }}
+    targetRevision: {{ include "understack.understack_ref" $ }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - ServerSideApply=true
+    - RespectIgnoreDifferences=true
+    - ApplyOutOfSyncOnly=true
+{{- end }}

charts/argocd-understack/values.yaml

@@ -166,6 +166,12 @@ global:
     # @default -- false
     enabled: false
 
+  # -- OIDC RBAC (ClusterRoleBindings for OIDC service account issuer discovery)
+  oidc_rbac:
+    # -- Enable/disable deploying OIDC RBAC
+    # @default -- false
+    enabled: false
+
   # -- OpenEBS
   openebs:
     # -- Enable/disable deploying OpenEBS
@@ -505,6 +511,12 @@ site:
     # @default -- false
     enabled: false
 
+  # -- OIDC RBAC (ClusterRoleBindings for OIDC service account issuer discovery)
+  oidc_rbac:
+    # -- Enable/disable deploying OIDC RBAC
+    # @default -- false
+    enabled: false
+
   # -- OpenEBS
   openebs:
     # -- Enable/disable deploying OpenEBS

components/images-openstack.yaml

@@ -6,20 +6,20 @@ images:
   tags:
     # these are common across all these OpenStack Helm installations
     bootstrap: "ghcr.io/rackerlabs/understack/ansible:latest"
-    db_init: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
-    db_drop: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
-    ks_user: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
-    ks_service: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
-    ks_endpoints: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
+    db_init: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
+    db_drop: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
+    ks_user: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
+    ks_service: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
+    ks_endpoints: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
 
     # keystone
-    keystone_api: "ghcr.io/rackerlabs/understack/keystone:2025.2"
-    keystone_credential_rotate: "ghcr.io/rackerlabs/understack/keystone:2025.2"
-    keystone_credential_setup: "ghcr.io/rackerlabs/understack/keystone:2025.2"
-    keystone_db_sync: "ghcr.io/rackerlabs/understack/keystone:2025.2"
-    keystone_domain_manage: "ghcr.io/rackerlabs/understack/keystone:2025.2"
-    keystone_fernet_rotate: "ghcr.io/rackerlabs/understack/keystone:2025.2"
-    keystone_fernet_setup: "ghcr.io/rackerlabs/understack/keystone:2025.2"
+    keystone_api: "ghcr.io/rackerlabs/understack/keystone:pr-1876"
+    keystone_credential_rotate: "ghcr.io/rackerlabs/understack/keystone:pr-1876"
+    keystone_credential_setup: "ghcr.io/rackerlabs/understack/keystone:pr-1876"
+    keystone_db_sync: "ghcr.io/rackerlabs/understack/keystone:pr-1876"
+    keystone_domain_manage: "ghcr.io/rackerlabs/understack/keystone:pr-1876"
+    keystone_fernet_rotate: "ghcr.io/rackerlabs/understack/keystone:pr-1876"
+    keystone_fernet_setup: "ghcr.io/rackerlabs/understack/keystone:pr-1876"
 
     # ironic
     ironic_api: "ghcr.io/rackerlabs/understack/ironic:2026.1"
@@ -29,43 +29,43 @@ images:
     ironic_pxe_http: "docker.io/nginx:1.29.8"
     ironic_db_sync: "ghcr.io/rackerlabs/understack/ironic:2026.1"
     # these want curl which apparently is in the openstack-client image
-    ironic_manage_cleaning_network: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
-    ironic_retrive_cleaning_network: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
-    ironic_retrive_swift_config: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
+    ironic_manage_cleaning_network: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
+    ironic_retrive_cleaning_network: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
+    ironic_retrive_swift_config: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
 
     # neutron
-    neutron_db_sync: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_dhcp: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_l3: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_l2gw: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_linuxbridge_agent: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_metadata: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_ovn_metadata: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_openvswitch_agent: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_server: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_rpc_server: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_bagpipe_bgp: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_netns_cleanup_cron: "ghcr.io/rackerlabs/understack/neutron:2025.2"
+    neutron_db_sync: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_dhcp: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_l3: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_l2gw: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_linuxbridge_agent: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_metadata: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_ovn_metadata: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_openvswitch_agent: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_server: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_rpc_server: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_bagpipe_bgp: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_netns_cleanup_cron: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
 
     # nova
-    nova_api: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_cell_setup: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_cell_setup_init: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
-    nova_compute: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_compute_ironic: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_compute_ssh: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_conductor: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_db_sync: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_novncproxy: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_novncproxy_assets: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_scheduler: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_spiceproxy: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_spiceproxy_assets: "ghcr.io/rackerlabs/understack/nova:2025.2"
+    nova_api: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_cell_setup: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_cell_setup_init: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
+    nova_compute: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_compute_ironic: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_compute_ssh: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_conductor: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_db_sync: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_novncproxy: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_novncproxy_assets: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_scheduler: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_spiceproxy: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_spiceproxy_assets: "ghcr.io/rackerlabs/understack/nova:pr-1876"
     nova_service_cleaner: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy"
 
     # placement
-    placement: "ghcr.io/rackerlabs/understack/placement:2025.2"
-    placement_db_sync: "ghcr.io/rackerlabs/understack/placement:2025.2"
+    placement: "ghcr.io/rackerlabs/understack/placement:pr-1876"
+    placement_db_sync: "ghcr.io/rackerlabs/understack/placement:pr-1876"
 
     # openvswitch
     openvswitch_db_server: "docker.io/openstackhelm/openvswitch:ubuntu_jammy-dpdk-20250127"
@@ -78,36 +78,36 @@ images:
     ovn_controller: "docker.io/openstackhelm/ovn:ubuntu_jammy-20250111"
 
     # horizon
-    horizon: "ghcr.io/rackerlabs/understack/horizon:2025.2"
-    horizon_db_sync: "ghcr.io/rackerlabs/understack/horizon:2025.2"
+    horizon: "ghcr.io/rackerlabs/understack/horizon:pr-1876"
+    horizon_db_sync: "ghcr.io/rackerlabs/understack/horizon:pr-1876"
 
     # glance
-    glance_api: "ghcr.io/rackerlabs/understack/glance:2025.2"
-    glance_db_sync: "ghcr.io/rackerlabs/understack/glance:2025.2"
-    glance_metadefs_load: "ghcr.io/rackerlabs/understack/glance:2025.2"
+    glance_api: "ghcr.io/rackerlabs/understack/glance:pr-1876"
+    glance_db_sync: "ghcr.io/rackerlabs/understack/glance:pr-1876"
+    glance_metadefs_load: "ghcr.io/rackerlabs/understack/glance:pr-1876"
     glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy"
 
     # skyline
-    skyline: "ghcr.io/rackerlabs/understack/skyline:2025.2"
-    skyline_db_sync: "ghcr.io/rackerlabs/understack/skyline:2025.2"
-    skyline_nginx: "ghcr.io/rackerlabs/understack/skyline:2025.2"
+    skyline: "ghcr.io/rackerlabs/understack/skyline:pr-1876"
+    skyline_db_sync: "ghcr.io/rackerlabs/understack/skyline:pr-1876"
+    skyline_nginx: "ghcr.io/rackerlabs/understack/skyline:pr-1876"
 
     # cinder
-    cinder_api: "ghcr.io/rackerlabs/understack/cinder:2025.2"
-    cinder_db_sync: "ghcr.io/rackerlabs/understack/cinder:2025.2"
-    cinder_scheduler: "ghcr.io/rackerlabs/understack/cinder:2025.2"
-    cinder_volume: "ghcr.io/rackerlabs/understack/cinder:2025.2"
-    cinder_volume_usage_audit: "ghcr.io/rackerlabs/understack/cinder:2025.2"
-    cinder_db_purge: "ghcr.io/rackerlabs/understack/cinder:2025.2"
-    cinder_backup: "ghcr.io/rackerlabs/understack/cinder:2025.2"
+    cinder_api: "ghcr.io/rackerlabs/understack/cinder:pr-1876"
+    cinder_db_sync: "ghcr.io/rackerlabs/understack/cinder:pr-1876"
+    cinder_scheduler: "ghcr.io/rackerlabs/understack/cinder:pr-1876"
+    cinder_volume: "ghcr.io/rackerlabs/understack/cinder:pr-1876"
+    cinder_volume_usage_audit: "ghcr.io/rackerlabs/understack/cinder:pr-1876"
+    cinder_db_purge: "ghcr.io/rackerlabs/understack/cinder:pr-1876"
+    cinder_backup: "ghcr.io/rackerlabs/understack/cinder:pr-1876"
     cinder_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy"
     cinder_backup_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy"
 
     # octavia
-    octavia_api: "ghcr.io/rackerlabs/understack/octavia:2025.2"
-    octavia_db_sync: "ghcr.io/rackerlabs/understack/octavia:2025.2"
-    octavia_worker: "ghcr.io/rackerlabs/understack/octavia:2025.2"
-    octavia_housekeeping: "ghcr.io/rackerlabs/understack/octavia:2025.2"
-    octavia_health_manager: "ghcr.io/rackerlabs/understack/octavia:2025.2"
-    octavia_health_manager_init: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
+    octavia_api: "ghcr.io/rackerlabs/understack/octavia:pr-1876"
+    octavia_db_sync: "ghcr.io/rackerlabs/understack/octavia:pr-1876"
+    octavia_worker: "ghcr.io/rackerlabs/understack/octavia:pr-1876"
+    octavia_housekeeping: "ghcr.io/rackerlabs/understack/octavia:pr-1876"
+    octavia_health_manager: "ghcr.io/rackerlabs/understack/octavia:pr-1876"
+    octavia_health_manager_init: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
 ...

components/keystone/values.yaml

@@ -142,13 +142,19 @@ pod:
           - name: oidc-secret
             mountPath: /etc/oidc-secret
             readOnly: true
+          - name: oidc-metadata
+            readOnly: true
         volumes:
           - name: keystone-sso
             secret:
               secretName: keystone-sso
           - name: oidc-secret
             secret:
               secretName: sso-passphrase
+          - name: oidc-metadata
+            configMap:
+              name: keystone-oidc-metadata
+              defaultMode: 0555
     keystone_bootstrap:
       keystone_bootstrap:
         volumeMounts:
@@ -402,3 +408,12 @@ annotations:
       # relies on services to be up so it can remain post
       argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
       argocd.argoproj.io/sync-options: Force=true
+
+extraObjects:
+  - apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: keystone-oidc-metadata
+      namespace: openstack
+    data:
+      # Define your OIDC providers metadata in deploy repo

components/oidc-rbac/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - oidc-reviewer.yaml

components/oidc-rbac/oidc-reviewer.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: oidc-reviewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:service-account-issuer-discovery
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:unauthenticated

components/openstack/templates/keystone-service-user.yaml.tpl

@@ -2,10 +2,60 @@
 {{- range $serviceName, $users := .Values.keystoneServiceUsers.services }}
 {{- range $_, $user := $users }}
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ (printf "%s-keystone-%s" $serviceName $user.usage) | quote }}
+data:
+  OS_AUTH_TYPE: v3oidcaccesstokenfile
+  OS_AUTH_URL: {{ $.Values.keystoneUrl | quote }}
+  OS_DEFAULT_DOMAIN: "default"
+  OS_INTERFACE: {{ $.Values.keystoneServiceUsers.keystoneInterface | quote }}
+  OS_PROJECT_DOMAIN_NAME: {{ include "openstack.serviceuser.project_domain_name" $user | quote }}
+  OS_PROJECT_NAME: {{ include "openstack.serviceuser.project_name" $user | quote }}
+  OS_USER_DOMAIN_NAME: {{ include "openstack.serviceuser.user_domain_name" $user | quote }}
+  OS_REGION_NAME: {{ $.Values.regionName | quote }}
+  OS_IDENTITY_PROVIDER: {{ $.Values.keystoneServiceUsers.identityProvider }}
+  OS_PROTOCOL: openid
+  OS_ACCESS_TOKEN_FILE: {{ $.Values.keystoneServiceUsers.accessTokenFile }}
+{{- end }}
+{{- end }}
+{{- range $serviceName, $users := .Values.keystoneServiceUsers.services }}
+{{- if not (eq $serviceName "keystone") }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ (printf "%s-ks-etc" $serviceName) | quote }}
+data:
+  {{ (printf "%s_auth.conf" $serviceName) | quote }}: |
+  {{- range $_, $user := $users }}
+  {{- $section := $user.section | default $user.usage }}
+  {{- $section := eq $section "user" | ternary "keystone_authtoken" $section -}}
+  {{- $shouldSkip := or (eq $user.usage "test") (eq $user.usage "admin") }}
+  {{- if not $shouldSkip }}
+    [{{ $section }}]
+    auth_type=v3oidcaccesstokenfile
+    auth_url={{ $.Values.keystoneUrl }}
+    identity_provider={{ $.Values.identityProvider }}
+    protocol=openid
+    access_token_file=/var/run/secrets/kubernetes.io/serviceaccount/token
+    region_name={{ $.Values.regionName }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+---
+# Keystone admin must still be placed in ES
+{{- range $serviceName, $users := .Values.keystoneServiceUsers.services }}
+{{- range $_, $user := $users }}
+
+{{- if eq $serviceName "keystone" }}
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: {{ (printf "%s-keystone-%s" $serviceName $user.usage) | quote }}
+  name: keystone-keystone-admin
 {{- if $.Values.keystoneServiceUsers.externalLinkAnnotationTemplate }}
   annotations:
     link.argocd.argoproj.io/external-link: {{ tpl $.Values.keystoneServiceUsers.externalLinkAnnotationTemplate (dict "remoteRef" $user.remoteRef) | quote }}
@@ -34,50 +84,4 @@ spec:
       key: {{ $user.remoteRef | quote }}
 {{- end }}
 {{- end }}
-{{- range $serviceName, $users := .Values.keystoneServiceUsers.services }}
-{{- if not (eq $serviceName "keystone") }}
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: {{ (printf "%s-ks-etc" $serviceName) | quote }}
-spec:
-  refreshInterval: {{ $.Values.externalSecretsRefreshInterval | default "1h" }}
-  secretStoreRef:
-    kind: {{ $.Values.keystoneServiceUsers.secretStore.kind | quote }}
-    name: {{ $.Values.keystoneServiceUsers.secretStore.name | quote }}
-  target:
-    name: {{ (printf "%s-ks-etc" $serviceName) | quote }}
-    template:
-      engineVersion: v2
-      data:
-        {{ (printf "%s_auth.conf" $serviceName) | quote }}: |
-        {{- range $_, $user := $users }}
-        {{- $section := $user.section | default $user.usage }}
-        {{- $section := eq $section "user" | ternary "keystone_authtoken" $section -}}
-        {{- $shouldSkip := or (eq $user.usage "test") (eq $user.usage "admin") }}
-        {{- if not $shouldSkip }}
-          [{{ $section }}]
-          auth_url={{ $.Values.keystoneUrl }}
-          project_domain_name={{ include "openstack.serviceuser.project_domain_name" $user }}
-          project_name={{ include "openstack.serviceuser.project_name" $user  }}
-          user_domain_name={{ include "openstack.serviceuser.user_domain_name" $user }}
-          username={{ printf "{{ (fromJson .%s).username }}" $user.usage }}
-          password={{ printf "{{ (fromJson .%s).password }}" $user.usage }}
-          region_name={{ $.Values.regionName }}
-        {{- end }}
-        {{- end }}
-  data:
-  {{/* default section name is the usage field */}}
-  {{/* usage test and admin are special in OpenStack Helm and not added to the config file */}}
-  {{- range $_, $user := $users -}}
-  {{- $shouldSkip := or (eq $user.usage "test") (eq $user.usage "admin") -}}
-  {{- if not $shouldSkip }}
-    - secretKey: {{ $user.usage }}
-      remoteRef:
-        key: {{ $user.remoteRef | quote }}
-  {{- end }}
-  {{- end }}
-{{- end }}
-{{- end }}
 {{- end }}