Skip to content

feat: passwordless OIDC service-to-service auth#1876

Open
skrobul wants to merge 11 commits into
mainfrom
keystone-auth
Open

feat: passwordless OIDC service-to-service auth#1876
skrobul wants to merge 11 commits into
mainfrom
keystone-auth

Conversation

@skrobul

@skrobul skrobul commented Mar 26, 2026

Copy link
Copy Markdown
Collaborator

Summary

Implements passwordless Keystone service authentication for OpenStack service-to-service calls, replacing static Keystone passwords with Kubernetes service-account (SA) token exchange via OIDC federation. Rationale and design are captured in ADR030: OpenStack Services OIDC Authentication.

Each service pod now uses its auto-mounted SA token to obtain a short-lived Keystone token from a per-cluster OIDC federation endpoint, instead of a long-lived static password pre-generated and distributed per site. Database and RabbitMQ credentials are out of scope and unchanged.

Changes

  • Keystone / Apache: enable mod_auth_openidc via the Ubuntu package (2bb34ec) and bootstrap the k8s-service-account OIDC identity provider, mapping rules, group, and role during deploy (393f5cd).
  • Service credentials: keystone-service-user secrets are now generated via OIDC federation instead of static passwords (a3ee547).
  • oidc-rbac component: new component that deploys a ClusterRoleBinding granting anonymous access to the Kubernetes OIDC discovery/JWKS endpoints, required for Keystone to validate SA tokens issued by each source cluster (311fa7c).
  • keystoneauth-kubeservicetoken: new custom keystoneauth1 plugin (v3oidcaccesstokenfile) that reads the pod's SA token, exchanges it for a Keystone token, and transparently re-exchanges on expiry — the built-in v3oidcaccesstoken plugin only exchanges once and doesn't handle re-authentication (083f2a4, openspec proposal in e82a8c8).
  • Container images: the plugin is installed into the affected OpenStack service images (Cinder, Glance, Horizon, Ironic, Neutron, Nova, Octavia, Placement, Skyline, openstack-client) so they can use auth_type = v3oidcaccesstokenfile (aa355d9).
  • Cleanup: removed the now-unnecessary ironic-ks-user-baremetal job/configmap that pre-provisioned a static Ironic baremetal service user (8a01a80); dropped a redundant cinder-etc-snippets volume declaration that duplicated one added upstream in OSH (6a8821e).
  • chore: upgraded OpenStack to 2026.1 (a64dc4a) and bumped OSH charts/images (89d7cd4) as prerequisites.

Validation

First deploy-repo rollout is staged for rax-dev-iad3-dev in undercloud-deploy#1958, which depends on this PR being merged and released. It has been tested in dev and all of the components start without errors and seem to communicate well.

@skrobul skrobul requested review from cardoe and ctria March 26, 2026 12:39
@skrobul skrobul force-pushed the keystone-auth branch 7 times, most recently from 57e180e to d0d4d8b Compare May 14, 2026 11:46
@skrobul skrobul marked this pull request as draft May 20, 2026 16:22
@skrobul skrobul force-pushed the keystone-auth branch 4 times, most recently from 197ad28 to 74621f1 Compare June 8, 2026 15:49
@skrobul skrobul force-pushed the keystone-auth branch 2 times, most recently from 8aa90ca to 020b088 Compare June 15, 2026 12:12
@skrobul skrobul force-pushed the keystone-auth branch 2 times, most recently from 4318926 to e5b035a Compare July 6, 2026 09:44
@skrobul skrobul force-pushed the keystone-auth branch 4 times, most recently from 4fefeae to 2d43cda Compare July 14, 2026 08:45
skrobul added 8 commits July 14, 2026 09:56
Allow unauthenticated access to OIDC discovery endpoints by deploying
the oidc-reviewer ClusterRoleBinding to all site and global clusters.
The chart gained native pod.etcSources support for cinder-ks-etc back
in Feb 2026 (upstream commit 06a5261a0), which unconditionally
declares a cinder-etc-snippets volume (projected, or an emptyDir
fallback when etcSources is empty). Our own pod.mounts override
predates that (Sep 2025) and injects a volume of the same name, so
every cinder Deployment/CronJob ended up with two "cinder-etc-snippets"
volumes. Switch to pod.etcSources for the components that support it
and drop the now-redundant custom mounts. cinder_db_sync keeps its
manual mount since that job template has no etcSources support.
@skrobul skrobul force-pushed the keystone-auth branch 2 times, most recently from d237223 to 6a8821e Compare July 14, 2026 10:07
@skrobul skrobul changed the title feat: add keystoneauth_kubeservicetoken authentication plugin feat: passwordless OIDC service-to-service auth Jul 14, 2026
@skrobul skrobul marked this pull request as ready for review July 14, 2026 10:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant