From 01604fbb9f8673cd2d67c5263b55b00931cd32b2 Mon Sep 17 00:00:00 2001
From: Dave Wilde <dwilde@redhat.com>
Date: Wed, 23 Oct 2024 09:35:35 -0500
Subject: [PATCH] Add Keystone Federation secrets

Keystone federation requires a couple of secrets to work properly. I'm
adding them here to improve QOL for the development and testing of OIDC
federation in the openstack-operators.
---
 Makefile                       |  4 ++++
 scripts/gen-input-kustomize.sh | 10 ++++++++++
 2 files changed, 14 insertions(+)

diff --git a/Makefile b/Makefile
index 5d46fc0..2a470dc 100644
--- a/Makefile
+++ b/Makefile
@@ -31,6 +31,8 @@ endif
 # Barbican encryption key should be a random 32-byte string that is base64
 # encoded.  e.g. head --bytes=32 /dev/urandom | base64
 BARBICAN_SIMPLE_CRYPTO_ENCRYPTION_KEY ?= sEFmdFjDUqRM2VemYslV5yGNWjokioJXsg8Nrlc3drU=
+KEYSTONE_FEDERATION_CLIENT_SECRET ?= COX8bmlKAWn56XCGMrKQJj7dgHNAOl6f
+KEYSTONE_CRYPTO_PASSPHRASE ?= openstack
 
 # Allows overriding the cleanup command used in *_cleanup targets.
 # Useful in CI, to allow injectin kustomization in each operator CR directory
@@ -520,6 +522,8 @@ ${1}: export PASSWORD=${PASSWORD}
 ${1}: export METADATA_SHARED_SECRET=${METADATA_SHARED_SECRET}
 ${1}: export HEAT_AUTH_ENCRYPTION_KEY=${HEAT_AUTH_ENCRYPTION_KEY}
 ${1}: export BARBICAN_SIMPLE_CRYPTO_ENCRYPTION_KEY=${BARBICAN_SIMPLE_CRYPTO_ENCRYPTION_KEY}
+${1}: export KEYSTONE_FEDERATION_CLIENT_SECRET=${KEYSTONE_FEDERATION_CLIENT_SECRET}
+${1}: export KEYSTONE_CRYPTO_PASSPHRASE=${KEYSTONE_CRYPTO_PASSPHRASE}
 ${1}: export LIBVIRT_SECRET=${LIBVIRT_SECRET}
 ${1}: export STORAGE_CLASS=${STORAGE_CLASS}
 ${1}: export OUT=${OUT}
diff --git a/scripts/gen-input-kustomize.sh b/scripts/gen-input-kustomize.sh
index fc869fa..485034f 100644
--- a/scripts/gen-input-kustomize.sh
+++ b/scripts/gen-input-kustomize.sh
@@ -40,6 +40,14 @@ if [ -z "$BARBICAN_SIMPLE_CRYPTO_ENCRYPTION_KEY" ]; then
     echo "Please set BARBICAN_SIMPLE_CRYPTO_ENCRYPTION_KEY"; exit 1
 fi
 
+if [ -z "$KEYSTONE_FEDERATION_CLIENT_SECRET" ]; then
+    echo "Please set KEYSTONE_FEDERATION_CLIENT_SECRET"; exit 1
+fi
+
+if [ -z "$KEYSTONE_CRYPTO_PASSPHRASE" ]; then
+    echo "Please set KEYSTONE_CRYPTO_PASSPHRASE"; exit 1
+fi
+
 if [ -z "$LIBVIRT_SECRET" ]; then
     echo "Please set LIBVIRT_SECRET"; exit 1
 fi
@@ -76,6 +84,8 @@ secretGenerator:
   - CinderPassword=${PASSWORD}
   - IronicPassword=${PASSWORD}
   - IronicInspectorPassword=${PASSWORD}
+  - KeystoneClientSecret=${KEYSTONE_FEDERATION_CLIENT_SECRET}
+  - KeystoneCryptoPassphrase=${KEYSTONE_CRYPTO_PASSPHRASE}
   - OctaviaPassword=${PASSWORD}
   - OctaviaHeartbeatKey=${PASSWORD}
   - NovaPassword=${PASSWORD}