feat: add keystoneauth_kubeservicetoken authentication plugin

charts/argocd-understack/templates/application-oidc-rbac.yaml

@@ -0,0 +1,30 @@
+{{- if or (eq (include "understack.isEnabled" (list $.Values.global "oidc_rbac")) "true") (eq (include "understack.isEnabled" (list $.Values.site "oidc_rbac")) "true") }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ printf "%s-%s" $.Release.Name "oidc-rbac" }}
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+  annotations:
+    argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
+{{- include "understack.appLabelsBlock" $ | nindent 2 }}
+spec:
+  destination:
+    namespace: kube-system
+    server: {{ $.Values.cluster_server }}
+  project: understack-infra
+  sources:
+  - path: components/oidc-rbac
+    ref: understack
+    repoURL: {{ include "understack.understack_url" $ }}
+    targetRevision: {{ include "understack.understack_ref" $ }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - ServerSideApply=true
+    - RespectIgnoreDifferences=true
+    - ApplyOutOfSyncOnly=true
+{{- end }}

charts/argocd-understack/values.yaml

@@ -166,6 +166,12 @@ global:
     # @default -- false
     enabled: false
 
+  # -- OIDC RBAC (ClusterRoleBindings for OIDC service account issuer discovery)
+  oidc_rbac:
+    # -- Enable/disable deploying OIDC RBAC
+    # @default -- false
+    enabled: false
+
   # -- OpenEBS
   openebs:
     # -- Enable/disable deploying OpenEBS
@@ -505,6 +511,12 @@ site:
     # @default -- false
     enabled: false
 
+  # -- OIDC RBAC (ClusterRoleBindings for OIDC service account issuer discovery)
+  oidc_rbac:
+    # -- Enable/disable deploying OIDC RBAC
+    # @default -- false
+    enabled: false
+
   # -- OpenEBS
   openebs:
     # -- Enable/disable deploying OpenEBS

components/images-openstack.yaml

@@ -6,20 +6,20 @@ images:
   tags:
     # these are common across all these OpenStack Helm installations
     bootstrap: "ghcr.io/rackerlabs/understack/ansible:latest"
-    db_init: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
-    db_drop: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
-    ks_user: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
-    ks_service: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
-    ks_endpoints: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
+    db_init: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
+    db_drop: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
+    ks_user: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
+    ks_service: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
+    ks_endpoints: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
 
     # keystone
-    keystone_api: "ghcr.io/rackerlabs/understack/keystone:2025.2"
-    keystone_credential_rotate: "ghcr.io/rackerlabs/understack/keystone:2025.2"
-    keystone_credential_setup: "ghcr.io/rackerlabs/understack/keystone:2025.2"
-    keystone_db_sync: "ghcr.io/rackerlabs/understack/keystone:2025.2"
-    keystone_domain_manage: "ghcr.io/rackerlabs/understack/keystone:2025.2"
-    keystone_fernet_rotate: "ghcr.io/rackerlabs/understack/keystone:2025.2"
-    keystone_fernet_setup: "ghcr.io/rackerlabs/understack/keystone:2025.2"
+    keystone_api: "ghcr.io/rackerlabs/understack/keystone:pr-1876"
+    keystone_credential_rotate: "ghcr.io/rackerlabs/understack/keystone:pr-1876"
+    keystone_credential_setup: "ghcr.io/rackerlabs/understack/keystone:pr-1876"
+    keystone_db_sync: "ghcr.io/rackerlabs/understack/keystone:pr-1876"
+    keystone_domain_manage: "ghcr.io/rackerlabs/understack/keystone:pr-1876"
+    keystone_fernet_rotate: "ghcr.io/rackerlabs/understack/keystone:pr-1876"
+    keystone_fernet_setup: "ghcr.io/rackerlabs/understack/keystone:pr-1876"
 
     # ironic
     ironic_api: "ghcr.io/rackerlabs/understack/ironic:2026.1"
@@ -29,43 +29,43 @@ images:
     ironic_pxe_http: "docker.io/nginx:1.29.8"
     ironic_db_sync: "ghcr.io/rackerlabs/understack/ironic:2026.1"
     # these want curl which apparently is in the openstack-client image
-    ironic_manage_cleaning_network: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
-    ironic_retrive_cleaning_network: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
-    ironic_retrive_swift_config: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
+    ironic_manage_cleaning_network: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
+    ironic_retrive_cleaning_network: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
+    ironic_retrive_swift_config: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
 
     # neutron
-    neutron_db_sync: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_dhcp: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_l3: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_l2gw: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_linuxbridge_agent: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_metadata: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_ovn_metadata: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_openvswitch_agent: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_server: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_rpc_server: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_bagpipe_bgp: "ghcr.io/rackerlabs/understack/neutron:2025.2"
-    neutron_netns_cleanup_cron: "ghcr.io/rackerlabs/understack/neutron:2025.2"
+    neutron_db_sync: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_dhcp: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_l3: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_l2gw: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_linuxbridge_agent: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_metadata: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_ovn_metadata: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_openvswitch_agent: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_server: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_rpc_server: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_bagpipe_bgp: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
+    neutron_netns_cleanup_cron: "ghcr.io/rackerlabs/understack/neutron:pr-1876"
 
     # nova
-    nova_api: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_cell_setup: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_cell_setup_init: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
-    nova_compute: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_compute_ironic: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_compute_ssh: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_conductor: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_db_sync: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_novncproxy: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_novncproxy_assets: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_scheduler: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_spiceproxy: "ghcr.io/rackerlabs/understack/nova:2025.2"
-    nova_spiceproxy_assets: "ghcr.io/rackerlabs/understack/nova:2025.2"
+    nova_api: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_cell_setup: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_cell_setup_init: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
+    nova_compute: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_compute_ironic: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_compute_ssh: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_conductor: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_db_sync: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_novncproxy: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_novncproxy_assets: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_scheduler: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_spiceproxy: "ghcr.io/rackerlabs/understack/nova:pr-1876"
+    nova_spiceproxy_assets: "ghcr.io/rackerlabs/understack/nova:pr-1876"
     nova_service_cleaner: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy"
 
     # placement
-    placement: "ghcr.io/rackerlabs/understack/placement:2025.2"
-    placement_db_sync: "ghcr.io/rackerlabs/understack/placement:2025.2"
+    placement: "ghcr.io/rackerlabs/understack/placement:pr-1876"
+    placement_db_sync: "ghcr.io/rackerlabs/understack/placement:pr-1876"
 
     # openvswitch
     openvswitch_db_server: "docker.io/openstackhelm/openvswitch:ubuntu_jammy-dpdk-20250127"
@@ -78,36 +78,36 @@ images:
     ovn_controller: "docker.io/openstackhelm/ovn:ubuntu_jammy-20250111"
 
     # horizon
-    horizon: "ghcr.io/rackerlabs/understack/horizon:2025.2"
-    horizon_db_sync: "ghcr.io/rackerlabs/understack/horizon:2025.2"
+    horizon: "ghcr.io/rackerlabs/understack/horizon:pr-1876"
+    horizon_db_sync: "ghcr.io/rackerlabs/understack/horizon:pr-1876"
 
     # glance
-    glance_api: "ghcr.io/rackerlabs/understack/glance:2025.2"
-    glance_db_sync: "ghcr.io/rackerlabs/understack/glance:2025.2"
-    glance_metadefs_load: "ghcr.io/rackerlabs/understack/glance:2025.2"
+    glance_api: "ghcr.io/rackerlabs/understack/glance:pr-1876"
+    glance_db_sync: "ghcr.io/rackerlabs/understack/glance:pr-1876"
+    glance_metadefs_load: "ghcr.io/rackerlabs/understack/glance:pr-1876"
     glance_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy"
 
     # skyline
-    skyline: "ghcr.io/rackerlabs/understack/skyline:2025.2"
-    skyline_db_sync: "ghcr.io/rackerlabs/understack/skyline:2025.2"
-    skyline_nginx: "ghcr.io/rackerlabs/understack/skyline:2025.2"
+    skyline: "ghcr.io/rackerlabs/understack/skyline:pr-1876"
+    skyline_db_sync: "ghcr.io/rackerlabs/understack/skyline:pr-1876"
+    skyline_nginx: "ghcr.io/rackerlabs/understack/skyline:pr-1876"
 
     # cinder
-    cinder_api: "ghcr.io/rackerlabs/understack/cinder:2025.2"
-    cinder_db_sync: "ghcr.io/rackerlabs/understack/cinder:2025.2"
-    cinder_scheduler: "ghcr.io/rackerlabs/understack/cinder:2025.2"
-    cinder_volume: "ghcr.io/rackerlabs/understack/cinder:2025.2"
-    cinder_volume_usage_audit: "ghcr.io/rackerlabs/understack/cinder:2025.2"
-    cinder_db_purge: "ghcr.io/rackerlabs/understack/cinder:2025.2"
-    cinder_backup: "ghcr.io/rackerlabs/understack/cinder:2025.2"
+    cinder_api: "ghcr.io/rackerlabs/understack/cinder:pr-1876"
+    cinder_db_sync: "ghcr.io/rackerlabs/understack/cinder:pr-1876"
+    cinder_scheduler: "ghcr.io/rackerlabs/understack/cinder:pr-1876"
+    cinder_volume: "ghcr.io/rackerlabs/understack/cinder:pr-1876"
+    cinder_volume_usage_audit: "ghcr.io/rackerlabs/understack/cinder:pr-1876"
+    cinder_db_purge: "ghcr.io/rackerlabs/understack/cinder:pr-1876"
+    cinder_backup: "ghcr.io/rackerlabs/understack/cinder:pr-1876"
     cinder_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy"
     cinder_backup_storage_init: "docker.io/openstackhelm/ceph-config-helper:latest-ubuntu_jammy"
 
     # octavia
-    octavia_api: "ghcr.io/rackerlabs/understack/octavia:2025.2"
-    octavia_db_sync: "ghcr.io/rackerlabs/understack/octavia:2025.2"
-    octavia_worker: "ghcr.io/rackerlabs/understack/octavia:2025.2"
-    octavia_housekeeping: "ghcr.io/rackerlabs/understack/octavia:2025.2"
-    octavia_health_manager: "ghcr.io/rackerlabs/understack/octavia:2025.2"
-    octavia_health_manager_init: "ghcr.io/rackerlabs/understack/openstack-client:2025.2"
+    octavia_api: "ghcr.io/rackerlabs/understack/octavia:pr-1876"
+    octavia_db_sync: "ghcr.io/rackerlabs/understack/octavia:pr-1876"
+    octavia_worker: "ghcr.io/rackerlabs/understack/octavia:pr-1876"
+    octavia_housekeeping: "ghcr.io/rackerlabs/understack/octavia:pr-1876"
+    octavia_health_manager: "ghcr.io/rackerlabs/understack/octavia:pr-1876"
+    octavia_health_manager_init: "ghcr.io/rackerlabs/understack/openstack-client:pr-1876"
 ...

components/keystone/values.yaml

@@ -134,6 +134,16 @@ pod:
             timeoutSeconds: 15
   mounts:
     keystone_api:
+      init_container:
+        - name: oidc-gen-providers
+          mountPath: /scripts
+          readOnly: true
+        - name: oidc-gen-output
+          mountPath: /srv/generated
+        # - name: custom-config-generator
+        #   image: ghcr.io/rackerlabs/understack/keystone:2025.2
+        #   command: ["python3", "/scripts/generate_configs.py"]
+        #   volumeMounts:
       keystone_api:
         volumeMounts:
           - name: keystone-sso
@@ -142,13 +152,24 @@ pod:
           - name: oidc-secret
             mountPath: /etc/oidc-secret
             readOnly: true
+          - name: oidc-gen-providers
+            mountPath: /scripts
+            readOnly: true
+          - name: oidc-gen-output
+            mountPath: /etc/mod_auth_openidc/metadata
         volumes:
           - name: keystone-sso
             secret:
               secretName: keystone-sso
           - name: oidc-secret
             secret:
               secretName: sso-passphrase
+          - name: oidc-gen-output
+            configMap:
+              name: keystone-gen-oidc-metadata
+              defaultMode: 0555
+          - name: oidc-gen-providers
+            emptyDir: {}
     keystone_bootstrap:
       keystone_bootstrap:
         volumeMounts:
@@ -402,3 +423,53 @@ annotations:
       # relies on services to be up so it can remain post
       argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
       argocd.argoproj.io/sync-options: Force=true
+extraObjects:
+  - apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: keystone-gen-oidc-metadata
+      namespace: openstack
+    data:
+      generate_configs.py: |
+       #!/usr/bin/env python3
+
+        import json
+        import ssl
+        import urllib.parse
+        import urllib.request
+        from pathlib import Path
+
+        METADATA_DIR = Path("/srv/generated")
+        CLIENT_ID = "https://kubernetes.default.svc.cluster.local"
+
+        CLUSTERS = {
+            "rax-dev-iad3-dev": "https://uc-iad.dev.undercloud.rackspace.net:6443",
+            "rax-dev-global":   "https://uc-dev-global.k8s-api.pvceng.rax.io:443",
+        }
+
+        METADATA_DIR.mkdir(parents=True, exist_ok=True)
+
+        # Skip TLS verification — replace with a real SSLContext if you have the CA bundles
+        ctx = ssl._create_unverified_context()
+
+        for site, issuer in CLUSTERS.items():
+            encoded = urllib.parse.quote(issuer, safe="")
+            base = METADATA_DIR / encoded
+
+            print(f"Generating metadata for {site} ({issuer})")
+
+            discovery_url = f"{issuer}/.well-known/openid-configuration"
+            with urllib.request.urlopen(discovery_url, context=ctx) as resp:
+                provider_metadata = json.load(resp)
+
+            (base.with_suffix(".provider")).write_text(json.dumps(provider_metadata, indent=2))
+
+            (base.with_suffix(".client")).write_text(json.dumps({
+                "client_id":     CLIENT_ID,
+                "client_secret": "not-used",
+            }, indent=2))
+
+            (base.with_suffix(".conf")).write_text(json.dumps({
+                "response_type": "id_token",
+                "scope":         "openid",
+            }, indent=2))

components/oidc-rbac/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - oidc-reviewer.yaml

components/oidc-rbac/oidc-reviewer.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: oidc-reviewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:service-account-issuer-discovery
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:unauthenticated