feat(ovhcloud): allow openstack application credentials to authenticate

mxm-tr · maxime.hubert · commit eb25d540a3f6 · 2025-05-05T16:12:17.000+02:00
diff --git a/cluster-autoscaler/cloudprovider/ovhcloud/ovh_cloud_manager.go b/cluster-autoscaler/cloudprovider/ovhcloud/ovh_cloud_manager.go
@@ -22,7 +22,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"slices"
 	"sync"
 	"time"
@@ -89,6 +88,10 @@ type Config struct {
 	OpenStackPassword string `json:"openstack_password"`
 	OpenStackDomain   string `json:"openstack_domain"`
 
+	// OpenStack application credentials if authentication type is set to openstack_application.
+	OpenStackApplicationCredentialID     string `json:"openstack_application_credential_id"`
+	OpenStackApplicationCredentialSecret string `json:"openstack_application_credential_secret"`
+
 	// Application credentials if CA is run as API consumer without using OpenStack keystone.
 	// Tokens can be created here: https://api.ovh.com/createToken/
 	ApplicationEndpoint    string `json:"application_endpoint"`
@@ -102,6 +105,9 @@ const (
 	// OpenStackAuthenticationType to request a keystone token credentials.
 	OpenStackAuthenticationType = "openstack"
 
+	// OpenStackApplicationCredentialsAuthenticationType to request a keystone token credentials using keystone application credentials.
+	OpenStackApplicationCredentialsAuthenticationType = "openstack_application"
+
 	// ApplicationConsumerAuthenticationType to consume an application key credentials.
 	ApplicationConsumerAuthenticationType = "consumer"
 )
@@ -131,6 +137,13 @@ func NewManager(configFile io.Reader) (*OvhCloudManager, error) {
 			return nil, fmt.Errorf("failed to create OpenStack provider: %w", err)
 		}
 
+		client, err = sdk.NewDefaultClientWithToken(openStackProvider.AuthUrl, openStackProvider.Token)
+	case OpenStackApplicationCredentialsAuthenticationType:
+		openStackProvider, err = sdk.NewOpenstackApplicationProvider(cfg.OpenStackAuthUrl, cfg.OpenStackApplicationCredentialID, cfg.OpenStackApplicationCredentialSecret, cfg.OpenStackDomain)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create OpenStack provider: %w", err)
+		}
+
 		client, err = sdk.NewDefaultClientWithToken(openStackProvider.AuthUrl, openStackProvider.Token)
 	case ApplicationConsumerAuthenticationType:
 		client, err = sdk.NewClient(cfg.ApplicationEndpoint, cfg.ApplicationKey, cfg.ApplicationSecret, cfg.ApplicationConsumerKey)
@@ -271,7 +284,7 @@ func (m *OvhCloudManager) setNodePoolsState(pools []sdk.NodePool) {
 func readConfig(configFile io.Reader) (*Config, error) {
 	cfg := &Config{}
 	if configFile != nil {
-		body, err := ioutil.ReadAll(configFile)
+		body, err := io.ReadAll(configFile)
 		if err != nil {
 			return nil, fmt.Errorf("failed to read content: %w", err)
 		}
@@ -295,8 +308,8 @@ func validatePayload(cfg *Config) error {
 		return fmt.Errorf("`project_id` not found in config file")
 	}
 
-	if cfg.AuthenticationType != OpenStackAuthenticationType && cfg.AuthenticationType != ApplicationConsumerAuthenticationType {
-		return fmt.Errorf("`authentication_type` should only be `openstack` or `consumer`")
+	if cfg.AuthenticationType != OpenStackAuthenticationType && cfg.AuthenticationType != OpenStackApplicationCredentialsAuthenticationType && cfg.AuthenticationType != ApplicationConsumerAuthenticationType {
+		return fmt.Errorf("`authentication_type` should only be `openstack`, `openstack_application` or `consumer`")
 	}
 
 	if cfg.AuthenticationType == OpenStackAuthenticationType {
@@ -317,6 +330,20 @@ func validatePayload(cfg *Config) error {
 		}
 	}
 
+	if cfg.AuthenticationType == OpenStackApplicationCredentialsAuthenticationType {
+		if cfg.OpenStackAuthUrl == "" {
+			return fmt.Errorf("`openstack_auth_url` not found in config file")
+		}
+
+		if cfg.OpenStackApplicationCredentialID == "" {
+			return fmt.Errorf("`openstack_application_credential_id` not found in config file")
+		}
+
+		if cfg.OpenStackApplicationCredentialSecret == "" {
+			return fmt.Errorf("`openstack_application_credential_secret` not found in config file")
+		}
+	}
+
 	if cfg.AuthenticationType == ApplicationConsumerAuthenticationType {
 		if cfg.ApplicationEndpoint == "" {
 			return fmt.Errorf("`application_endpoint` not found in config file")
diff --git a/cluster-autoscaler/cloudprovider/ovhcloud/ovh_cloud_manager_test.go b/cluster-autoscaler/cloudprovider/ovhcloud/ovh_cloud_manager_test.go
@@ -78,6 +78,26 @@ func newTestManager(t *testing.T) *OvhCloudManager {
 	return manager
 }
 
+func TestOvhCloudManager_validateConfig(t *testing.T) {
+	tests := []struct {
+		name                 string
+		configContent        string
+		expectedErrorMessage string
+	}{
+		{
+			name:                 "New entry",
+			configContent:        "{}",
+			expectedErrorMessage: "config content validation failed: `cluster_id` not found in config file",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := NewManager(bytes.NewBufferString(tt.configContent))
+			assert.ErrorContains(t, err, tt.expectedErrorMessage)
+		})
+	}
+}
+
 func TestOvhCloudManager_getFlavorsByName(t *testing.T) {
 	expectedFlavorsByNameFromAPICall := map[string]sdk.Flavor{
 		"b2-7": {
diff --git a/cluster-autoscaler/cloudprovider/ovhcloud/ovh_cloud_provider_test.go b/cluster-autoscaler/cloudprovider/ovhcloud/ovh_cloud_provider_test.go
@@ -28,8 +28,8 @@ import (
 	"k8s.io/autoscaler/cluster-autoscaler/cloudprovider/ovhcloud/sdk"
 )
 
-func newTestProvider(t *testing.T) *OVHCloudProvider {
-	cfg := `{
+const (
+	ovhConsumerConfiguration = `{
 		"project_id": "projectID",
 		"cluster_id": "clusterID",
 		"authentication_type": "consumer",
@@ -38,10 +38,30 @@ func newTestProvider(t *testing.T) *OVHCloudProvider {
 		"application_secret": "secret",
 		"application_consumer_key": "consumer_key"
 	}`
+	openstackUserPasswordConfiguration = `{
+		"project_id": "projectID",
+		"cluster_id": "clusterID",
+		"authentication_type": "openstack",
+		"openstack_auth_url": "https://auth.local",
+		"openstack_domain": "Default",
+		"openstack_username": "user",
+		"openstack_password": "password"
+	}`
+	openstackApplicationCredentialsConfiguration = `{
+		"project_id": "projectID",
+		"cluster_id": "clusterID",
+		"authentication_type": "openstack_application",
+		"openstack_auth_url": "https://auth.local",
+		"openstack_domain": "Default",
+		"openstack_application_credential_id": "credential_id",
+		"openstack_application_credential_secret": "credential_secret"
+	}`
+)
 
+func newTestProvider(t *testing.T, cfg string) (*OVHCloudProvider, error) {
 	manager, err := NewManager(bytes.NewBufferString(cfg))
 	if err != nil {
-		assert.FailNow(t, "failed to create manager", err)
+		return nil, err
 	}
 
 	client := &sdk.ClientMock{}
@@ -110,19 +130,38 @@ func newTestProvider(t *testing.T) *OVHCloudProvider {
 	}
 
 	err = provider.Refresh()
-	assert.NoError(t, err)
+	if err != nil {
+		return provider, err
+	}
 
-	return provider
+	return provider, nil
 }
 
 func TestOVHCloudProvider_BuildOVHcloud(t *testing.T) {
 	t.Run("create new OVHcloud provider", func(t *testing.T) {
-		_ = newTestProvider(t)
+		_, err := newTestProvider(t, ovhConsumerConfiguration)
+		assert.NoError(t, err)
+	})
+}
+
+// TestOVHCloudProvider_BuildOVHcloudOpenstackConfig validates that the configuration file is correct and the auth server is being resolved.
+func TestOVHCloudProvider_BuildOVHcloudOpenstackConfig(t *testing.T) {
+	t.Run("create new OVHcloud provider", func(t *testing.T) {
+		_, err := newTestProvider(t, openstackUserPasswordConfiguration)
+		assert.ErrorContains(t, err, "lookup auth.local")
+	})
+}
+
+func TestOVHCloudProvider_BuildOVHcloudOpenstackApplicationConfig(t *testing.T) {
+	t.Run("create new OVHcloud provider", func(t *testing.T) {
+		_, err := newTestProvider(t, openstackApplicationCredentialsConfiguration)
+		assert.ErrorContains(t, err, "lookup auth.local")
 	})
 }
 
 func TestOVHCloudProvider_Name(t *testing.T) {
-	provider := newTestProvider(t)
+	provider, err := newTestProvider(t, ovhConsumerConfiguration)
+	assert.NoError(t, err)
 
 	t.Run("check OVHcloud provider name", func(t *testing.T) {
 		name := provider.Name()
@@ -132,7 +171,8 @@ func TestOVHCloudProvider_Name(t *testing.T) {
 }
 
 func TestOVHCloudProvider_NodeGroups(t *testing.T) {
-	provider := newTestProvider(t)
+	provider, err := newTestProvider(t, ovhConsumerConfiguration)
+	assert.NoError(t, err)
 
 	t.Run("check default node groups length", func(t *testing.T) {
 		groups := provider.NodeGroups()
@@ -149,7 +189,8 @@ func TestOVHCloudProvider_NodeGroups(t *testing.T) {
 }
 
 func TestOVHCloudProvider_NodeGroupForNode(t *testing.T) {
-	provider := newTestProvider(t)
+	provider, err := newTestProvider(t, ovhConsumerConfiguration)
+	assert.NoError(t, err)
 
 	ListNodePoolNodesCall1 := provider.manager.Client.(*sdk.ClientMock).On(
 		"ListNodePoolNodes",
@@ -317,7 +358,8 @@ func TestOVHCloudProvider_NodeGroupForNode(t *testing.T) {
 }
 
 func TestOVHCloudProvider_Pricing(t *testing.T) {
-	provider := newTestProvider(t)
+	provider, err := newTestProvider(t, ovhConsumerConfiguration)
+	assert.NoError(t, err)
 
 	t.Run("not implemented", func(t *testing.T) {
 		_, err := provider.Pricing()
@@ -326,7 +368,8 @@ func TestOVHCloudProvider_Pricing(t *testing.T) {
 }
 
 func TestOVHCloudProvider_GetAvailableMachineTypes(t *testing.T) {
-	provider := newTestProvider(t)
+	provider, err := newTestProvider(t, ovhConsumerConfiguration)
+	assert.NoError(t, err)
 
 	t.Run("check available machine types", func(t *testing.T) {
 		flavors, err := provider.GetAvailableMachineTypes()
@@ -337,7 +380,8 @@ func TestOVHCloudProvider_GetAvailableMachineTypes(t *testing.T) {
 }
 
 func TestOVHCloudProvider_NewNodeGroup(t *testing.T) {
-	provider := newTestProvider(t)
+	provider, err := newTestProvider(t, ovhConsumerConfiguration)
+	assert.NoError(t, err)
 
 	t.Run("check new node group default values", func(t *testing.T) {
 		group, err := provider.NewNodeGroup("b2-7", nil, nil, nil, nil)
@@ -350,7 +394,8 @@ func TestOVHCloudProvider_NewNodeGroup(t *testing.T) {
 }
 
 func TestOVHCloudProvider_GetResourceLimiter(t *testing.T) {
-	provider := newTestProvider(t)
+	provider, err := newTestProvider(t, ovhConsumerConfiguration)
+	assert.NoError(t, err)
 
 	t.Run("check default resource limiter values", func(t *testing.T) {
 		rl, err := provider.GetResourceLimiter()
@@ -370,7 +415,8 @@ func TestOVHCloudProvider_GetResourceLimiter(t *testing.T) {
 }
 
 func TestOVHCloudProvider_GPULabel(t *testing.T) {
-	provider := newTestProvider(t)
+	provider, err := newTestProvider(t, ovhConsumerConfiguration)
+	assert.NoError(t, err)
 
 	t.Run("check gpu label annotation", func(t *testing.T) {
 		label := provider.GPULabel()
@@ -380,7 +426,8 @@ func TestOVHCloudProvider_GPULabel(t *testing.T) {
 }
 
 func TestOVHCloudProvider_GetAvailableGPUTypes(t *testing.T) {
-	provider := newTestProvider(t)
+	provider, err := newTestProvider(t, ovhConsumerConfiguration)
+	assert.NoError(t, err)
 
 	t.Run("check available gpu machine types", func(t *testing.T) {
 		flavors := provider.GetAvailableGPUTypes()
@@ -391,7 +438,8 @@ func TestOVHCloudProvider_GetAvailableGPUTypes(t *testing.T) {
 }
 
 func TestOVHCloudProvider_Cleanup(t *testing.T) {
-	provider := newTestProvider(t)
+	provider, err := newTestProvider(t, ovhConsumerConfiguration)
+	assert.NoError(t, err)
 
 	t.Run("check return nil", func(t *testing.T) {
 		err := provider.Cleanup()
@@ -400,7 +448,8 @@ func TestOVHCloudProvider_Cleanup(t *testing.T) {
 }
 
 func TestOVHCloudProvider_Refresh(t *testing.T) {
-	provider := newTestProvider(t)
+	provider, err := newTestProvider(t, ovhConsumerConfiguration)
+	assert.NoError(t, err)
 
 	t.Run("check refresh reset node groups correctly", func(t *testing.T) {
 		provider.manager.NodePoolsPerID = map[string]*sdk.NodePool{}
diff --git a/cluster-autoscaler/cloudprovider/ovhcloud/sdk/openstack.go b/cluster-autoscaler/cloudprovider/ovhcloud/sdk/openstack.go
@@ -36,7 +36,7 @@ type OpenStackProvider struct {
 	tokenExpirationTime time.Time
 }
 
-// NewOpenStackProvider initializes a client/token pair to interact with OpenStack
+// NewOpenStackProvider initializes a client/token pair to interact with OpenStack from a user/password.
 func NewOpenStackProvider(authUrl string, username string, password string, domain string, tenant string) (*OpenStackProvider, error) {
 	provider, err := openstack.AuthenticatedClient(gophercloud.AuthOptions{
 		IdentityEndpoint: authUrl,
@@ -58,6 +58,27 @@ func NewOpenStackProvider(authUrl string, username string, password string, doma
 	}, nil
 }
 
+// NewOpenstackApplicationProvider initializes a client/token pair to interact with OpenStack from application credentials.
+func NewOpenstackApplicationProvider(authUrl string, applicationCredentialID string, applicationCredentialSecret string, domain string) (*OpenStackProvider, error) {
+	provider, err := openstack.AuthenticatedClient(gophercloud.AuthOptions{
+		IdentityEndpoint:            authUrl,
+		ApplicationCredentialID:     applicationCredentialID,
+		ApplicationCredentialSecret: applicationCredentialSecret,
+		DomainName:                  domain,
+		AllowReauth:                 true,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create OpenStack authenticated client: %w", err)
+	}
+
+	return &OpenStackProvider{
+		provider:            provider,
+		AuthUrl:             authUrl,
+		Token:               provider.Token(),
+		tokenExpirationTime: time.Now().Add(DefaultExpirationTime),
+	}, nil
+}
+
 // ReauthenticateToken revoke the current provider token and re-create a new one
 func (p *OpenStackProvider) ReauthenticateToken() error {
 	err := p.provider.Reauthenticate(p.Token)
diff --git a/cluster-autoscaler/cloudprovider/ovhcloud/sdk/ovh.go b/cluster-autoscaler/cloudprovider/ovhcloud/sdk/ovh.go
@@ -23,7 +23,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -469,7 +469,7 @@ func (c *Client) CallAPIWithContext(ctx context.Context, method, path string, re
 func (c *Client) UnmarshalResponse(response *http.Response, result interface{}) error {
 	// Read all the response body
 	defer response.Body.Close()
-	body, err := ioutil.ReadAll(response.Body)
+	body, err := io.ReadAll(response.Body)
 	if err != nil {
 		return err
 	}
