feat: passwordless OIDC service-to-service auth#1876
Open
skrobul wants to merge 11 commits into
Open
Conversation
09accd9 to
e050215
Compare
57e180e to
d0d4d8b
Compare
197ad28 to
74621f1
Compare
8aa90ca to
020b088
Compare
4318926 to
e5b035a
Compare
4fefeae to
2d43cda
Compare
Allow unauthenticated access to OIDC discovery endpoints by deploying the oidc-reviewer ClusterRoleBinding to all site and global clusters.
The chart gained native pod.etcSources support for cinder-ks-etc back in Feb 2026 (upstream commit 06a5261a0), which unconditionally declares a cinder-etc-snippets volume (projected, or an emptyDir fallback when etcSources is empty). Our own pod.mounts override predates that (Sep 2025) and injects a volume of the same name, so every cinder Deployment/CronJob ended up with two "cinder-etc-snippets" volumes. Switch to pod.etcSources for the components that support it and drop the now-redundant custom mounts. cinder_db_sync keeps its manual mount since that job template has no etcSources support.
d237223 to
6a8821e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements passwordless Keystone service authentication for OpenStack service-to-service calls, replacing static Keystone passwords with Kubernetes service-account (SA) token exchange via OIDC federation. Rationale and design are captured in ADR030: OpenStack Services OIDC Authentication.
Each service pod now uses its auto-mounted SA token to obtain a short-lived Keystone token from a per-cluster OIDC federation endpoint, instead of a long-lived static password pre-generated and distributed per site. Database and RabbitMQ credentials are out of scope and unchanged.
Changes
mod_auth_openidcvia the Ubuntu package (2bb34ec) and bootstrap the k8s-service-account OIDC identity provider, mapping rules, group, and role during deploy (393f5cd).keystone-service-usersecrets are now generated via OIDC federation instead of static passwords (a3ee547).oidc-rbaccomponent: new component that deploys aClusterRoleBindinggranting anonymous access to the Kubernetes OIDC discovery/JWKS endpoints, required for Keystone to validate SA tokens issued by each source cluster (311fa7c).keystoneauth-kubeservicetoken: new customkeystoneauth1plugin (v3oidcaccesstokenfile) that reads the pod's SA token, exchanges it for a Keystone token, and transparently re-exchanges on expiry — the built-inv3oidcaccesstokenplugin only exchanges once and doesn't handle re-authentication (083f2a4, openspec proposal ine82a8c8).auth_type = v3oidcaccesstokenfile(aa355d9).ironic-ks-user-baremetaljob/configmap that pre-provisioned a static Ironic baremetal service user (8a01a80); dropped a redundantcinder-etc-snippetsvolume declaration that duplicated one added upstream in OSH (6a8821e).chore: upgraded OpenStack to 2026.1 (a64dc4a) and bumped OSH charts/images (89d7cd4) as prerequisites.Validation
First deploy-repo rollout is staged for
rax-dev-iad3-devin undercloud-deploy#1958, which depends on this PR being merged and released. It has been tested in dev and all of the components start without errors and seem to communicate well.