openstack-resource-controller icon indicating copy to clipboard operation
openstack-resource-controller copied to clipboard
verified publisher icon k-orc

Add KeyPair controller with Server integration

Open eshulman2 opened this issue 1 month ago • 6 comments

Summary

This PR implements full KeyPair controller support and integrates it with the Server resource, enabling SSH key management and server access control through Kubernetes resources.

Changes

Commit 1: Add KeyPair controller implementation

Implements complete KeyPair resource controller with the following features:

API & Types:

  • KeyPair CRD with spec for both importing existing keys and uploading
  • KeyPairImport for importing public keys from secrets
  • KeyPairSpec for OpenStack resource creation with public key
  • Validation for immutability (keypairs cannot be updated in OpenStack)

Controller Implementation:

  • Client-side name filtering for import/adoption (OpenStack API only supports userID filtering)
  • Deletion guard support through dependency system
  • Status reporting with resource details (fingerprint, type, public key)

Commit 2: Add keypair integration to Server resource

Enables servers to be created with SSH keypairs for access:

API Changes:

  • Added optional keypairRef field to ServerResourceSpec
  • Marked as immutable (matches OpenStack behavior - can't change after creation)

Controller Changes:

  • Added keypair dependency watch (triggers reconciliation when keypair becomes Available)
  • No deletion guard since keypairs are only injected during server boot

Actuator Changes:

  • Fetch and validate referenced KeyPair exists and is Available before server creation
  • Use gophercloud's keypairs.CreateOptsExt extension pattern to inject key_name
  • Get actual OpenStack keypair name from keypair.Status.Resource.Name

Notes

  • KeyPairs are immutable in OpenStack Nova API, so spec changes after creation will be rejected
  • The keypair name in OpenStack may differ from the CR name if spec.resource.name is set
  • No deletion guard on server->keypair reference since keypairs are only injected at boot time

Fixes: https://github.com/k-orc/openstack-resource-controller/issues/136

Assisted-by: claude

eshulman2 avatar Nov 16 '25 14:11 eshulman2

Hey Ella, if you could split your work in multiple commits that would help with the review.

I have found it very helpful, when working on controllers after we created the scaffolding tool, to have at least 2 separate commits:

  • the first one that just runs the scaffolding tool and commits all the generated files. We should write the exact command we ran in the commit message for reproducibility.
  • a second commit that fills the blank and effectively implements the specific parts of the controller, including the API changes and the tests.
  • more commits as necessary, such as adding keypair support to servers like you did.

I'll try to have a first pass at your work today.

mandre avatar Nov 18 '25 07:11 mandre

Hi @mandre I'll work on splitting it tomorrow just 1 missing thing that I already know is missing as I haven't got to is is kuttl testing for the integration with the existing server controller so I'll try to get that into the patch tomorrow as well.

eshulman2 avatar Nov 18 '25 15:11 eshulman2

Hi, @eshulman2. Thanks for the work! Before reviewing, I want to confirm one thing.

Do we want to support compute API microversions before 2.92? I ask because the generation of key pairs has been removed from the Nova API.[1][2]

[1] https://specs.openstack.org/openstack/nova-specs/specs/zed/implemented/keypair-generation-removal.html [2] https://docs.openstack.org/nova/latest/reference/api-microversion-history.html#microversion-2-92

winiciusallan avatar Nov 20 '25 13:11 winiciusallan

@winiciusallan raised a good point. I believe we should remove the ability to generate keypairs as it's gone from nova.

BTW, I'm getting a different result than the one you have in the first commit when running the command from the commit message. I assume you passed arguments interactively. May I suggest you add the -interactive=false flag to your command line? It also seems like you've marked Project as a required dependency at creation, which seems odd.

mandre avatar Nov 21 '25 13:11 mandre

Hi @winiciusallan , @mandre I believe those issues should be fixed. I encountered another issue with the KeyPairImport. keypairs uses names as their UUID and doesn't have an ID that matches the existing ID validation (kubebuilder:validation:Format:=uuid). This is currently a problem for the keypairimport as it is generated expecting to work with a UUID. I added a flag to the templates to allow having a non kubebuilder:validation:Format:=uuid validation for the name based id.

eshulman2 avatar Nov 23 '25 13:11 eshulman2

Hi @winiciusallan , @mandre I believe those issues should be fixed. I encountered another issue with the KeyPairImport. keypairs uses names as their UUID and doesn't have an ID that matches the existing ID validation (kubebuilder:validation:Format:=uuid). This is currently a problem for the keypairimport as it is generated expecting to work with a UUID. I added a flag to the templates to allow having a non kubebuilder:validation:Format:=uuid validation for the name based id.

That's ok for me. There are still cases which we currently don't handle yet, so adding a new spec for it seems good.

Btw, I'll try to take a look at your code today or at the latest tomorrow.

winiciusallan avatar Nov 24 '25 13:11 winiciusallan

Failed to assess the semver bump. See logs for details.

github-actions[bot] avatar Nov 26 '25 13:11 github-actions[bot]