diff --git a/api/bases/keystone.openstack.org_keystoneapis.yaml b/api/bases/keystone.openstack.org_keystoneapis.yaml
index 81cd548b..1ce9da9e 100644
--- a/api/bases/keystone.openstack.org_keystoneapis.yaml
+++ b/api/bases/keystone.openstack.org_keystoneapis.yaml
@@ -84,6 +84,11 @@ spec:
 files. Those get added to the service config dir in /etc/
 . TODO: -> implement'
 type: object
+ enableSecureRBAC:
+ default: true
+ description: EnableSecureRBAC - Enable Consistent and Secure RBAC
+ policies
+ type: boolean
 memcachedInstance:
 default: memcached
 description: Memcached instance name.
@@ -360,12 +365,6 @@ spec:
 description: Secret containing OpenStack password information for
 keystone AdminPassword
 type: string
- secureRBACEnforceNewDefaults:
- default: true
- type: boolean
- secureRBACEnforceScope:
- default: false
- type: boolean
 tls:
 description: TLS - Parameters related to the TLS
 properties:
diff --git a/api/v1beta1/keystoneapi_types.go b/api/v1beta1/keystoneapi_types.go
index 6daa5423..a2064d7f 100644
--- a/api/v1beta1/keystoneapi_types.go
+++ b/api/v1beta1/keystoneapi_types.go
@@ -99,13 +99,10 @@ type KeystoneAPISpecCore struct {
 // Secret containing OpenStack password information for keystone AdminPassword
 Secret string `json:"secret"`

- // +kubebuilder:validation:Optional
- // +kubebuilder:default=false
- SecureRBACEnforceScope bool `json:"secureRBACEnforceScope"`
-
 // +kubebuilder:validation:Optional
 // +kubebuilder:default=true
- SecureRBACEnforceNewDefaults bool `json:"secureRBACEnforceNewDefaults"`
+ // EnableSecureRBAC - Enable Consistent and Secure RBAC policies
+ EnableSecureRBAC bool `json:"enableSecureRBAC"`

 // +kubebuilder:validation:Optional
 // +kubebuilder:default=""
diff --git a/config/crd/bases/keystone.openstack.org_keystoneapis.yaml b/config/crd/bases/keystone.openstack.org_keystoneapis.yaml
index 81cd548b..1ce9da9e 100644
--- a/config/crd/bases/keystone.openstack.org_keystoneapis.yaml
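Review bot: The new `EnableSecureRBAC` field in `KeystoneAPISpecCore` (api/v1beta1/keystoneapi_types.go) defaults to true and, per the keystone.conf hunk of this commit, drives both `enforce_new_defaults` and `enforce_scope`, so a deployment that relied on the old `secureRBACEnforceScope` default of false starts enforcing token scope after upgrade. The two removed fields leave the v1beta1 schema with no conversion or deprecation path visible in this commit; existing resources that set them would presumably have those values dropped on the next write, which should be confirmed and called out in release notes. The doc comment should say what the switch actually controls, for example `// EnableSecureRBAC - sets oslo.policy enforce_scope and enforce_new_defaults together; true enforces token scope and the new policy defaults`. The struct continues outside the hunk.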
+++ b/config/crd/bases/keystone.openstack.org_keystoneapis.yaml
@@ -84,6 +84,11 @@ spec:
 files. Those get added to the service config dir in /etc/
 . TODO: -> implement'
 type: object
+ enableSecureRBAC:
+ default: true
+ description: EnableSecureRBAC - Enable Consistent and Secure RBAC
+ policies
+ type: boolean
 memcachedInstance:
 default: memcached
 description: Memcached instance name.
@@ -360,12 +365,6 @@ spec:
 description: Secret containing OpenStack password information for
 keystone AdminPassword
 type: string
- secureRBACEnforceNewDefaults:
- default: true
- type: boolean
- secureRBACEnforceScope:
- default: false
- type: boolean
 tls:
 description: TLS - Parameters related to the TLS
 properties:
diff --git a/controllers/keystoneapi_controller.go b/controllers/keystoneapi_controller.go
index 0977d2b2..3f8e35f3 100644
--- a/controllers/keystoneapi_controller.go
+++ b/controllers/keystoneapi_controller.go
@@ -1170,8 +1170,7 @@ func (r *KeystoneAPIReconciler) generateServiceConfigMaps(
 instance.Status.DatabaseHostname,
 keystone.DatabaseName,
 ),
- "EnforceScope": instance.Spec.SecureRBACEnforceScope,
- "EnforceNewDefaults": instance.Spec.SecureRBACEnforceNewDefaults,
+ "enableSecureRBAC": instance.Spec.EnableSecureRBAC,
 }

 // create httpd vhost template parameters
diff --git a/templates/keystoneapi/config/keystone.conf b/templates/keystoneapi/config/keystone.conf
index 560b6e60..6717aa26 100644
--- a/templates/keystoneapi/config/keystone.conf
+++ b/templates/keystoneapi/config/keystone.conf
@@ -17,8 +17,8 @@ db_max_retries=-1
 connection={{ .DatabaseConnection }}

 [oslo_policy]
-enforce_new_defaults = {{ .EnforceNewDefaults }}
-enforce_scope = {{ .EnforceScope }}
+enforce_new_defaults = {{ .enableSecureRBAC }}
+enforce_scope = {{ .enableSecureRBAC }}

 [fernet_tokens]
 key_repository=/etc/keystone/fernet-keys
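Review bot: The template key `"enableSecureRBAC"` added in generateServiceConfigMaps is lower camel case, while the keys it replaces (`"EnforceScope"`, `"EnforceNewDefaults"`) and the `.DatabaseConnection` parameter referenced in keystone.conf are upper camel case. Writing it as `"EnableSecureRBAC": instance.Spec.EnableSecureRBAC,` and referencing `{{ .EnableSecureRBAC }}` in the template keeps the parameter map consistent and easier to search. The function body starts and ends outside this hunk.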
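Review bot: With both `[oslo_policy]` options bound to `.enableSecureRBAC`, setting the flag to false now renders `enforce_new_defaults = false`, whereas the removed fields defaulted to new defaults on and scope enforcement off. An operator who turns the flag off only to relax scope checks therefore also brings the deprecated policy defaults back into evaluation, which is a broader relaxation than the previous default configuration allowed. A comment above the two lines would make that coupling explicit, e.g. `# both options follow spec.enableSecureRBAC; false also re-enables the deprecated policy defaults`.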