provider: add openstack cloud support

This commit allows cloud-api-adaptor(CAA) to support OpenStack-based clouds.

There is currently no provider in CAA that supports clouds built with standard OpenStack.
By implementing an OpenStack provider, we can offer secure pod execution environments in a wider range of fields.

Adding an inbox Provider for OpenStack, referring to the following documentation.
---
https://github.com/confidential-containers/cloud-api-adaptor/blob/main/src/cloud-api-adaptor/docs/addnewprovider.md

- Add and initialize the OpenStack provider manager
- Add a definition for the configuration struct
- Add cloud interfaces
- Add provider interfaces
- Add additional files to modularize the code
- Add relevant unit tests
- Update entrypoint.sh and Makefile

Signed-off-by: cw-kojima1003 <fj3131ci@aa.jp.fujitsu.com>

Author: cw-kojima1003

src/cloud-api-adaptor/Makefile

@@ -25,9 +25,9 @@ RUN_TESTS ?= ''
 RESOURCE_CTRL ?= true
 # BUILTIN_CLOUD_PROVIDERS is used for binary build -- what providers are built in the binaries.
 ifeq ($(RELEASE_BUILD),true)
-	BUILTIN_CLOUD_PROVIDERS ?= alibabacloud aws azure gcp ibmcloud ibmcloud_powervs
+	BUILTIN_CLOUD_PROVIDERS ?= alibabacloud aws azure gcp ibmcloud ibmcloud_powervs openstack
 else
-	BUILTIN_CLOUD_PROVIDERS ?= alibabacloud aws azure byom gcp ibmcloud ibmcloud_powervs libvirt docker
+	BUILTIN_CLOUD_PROVIDERS ?= alibabacloud aws azure byom gcp ibmcloud ibmcloud_powervs libvirt docker openstack
 endif
 
 all: build

src/cloud-api-adaptor/cmd/cloud-api-adaptor/openstack.go

@@ -0,0 +1,10 @@
+//go:build openstack
+
+// (C) Copyright Confidential Containers Contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	_ "github.com/confidential-containers/cloud-api-adaptor/src/cloud-providers/openstack"
+)

src/cloud-api-adaptor/entrypoint.sh

@@ -122,12 +122,21 @@ byom() {
 
 }
 
+openstack() {
+    test_vars OPENSTACK_IMAGE_ID OPENSTACK_FLAVOR_ID OPENSTACK_SECURITY_GROUP
+    test_vars OPENSTACK_USERNAME OPENSTACK_PASSWORD OPENSTACK_REGION OPENSTACK_TENANT_NAME OPENSTACK_DOMAIN_NAME OPENSTACK_IDENTITY_ENDPOINT
+
+    set -x
+    exec cloud-api-adaptor openstack ${optionals}
+
+}
+
 help_msg() {
     cat <<EOF
 Usage:
-	CLOUD_PROVIDER=alibabacloud|aws|azure|byom|gcp|ibmcloud|ibmcloud-powervs|libvirt|docker $0
+	CLOUD_PROVIDER=alibabacloud|aws|azure|byom|gcp|ibmcloud|ibmcloud-powervs|libvirt|docker|openstack $0
 or
-	$0 alibabacloud|aws|azure|byom|gcp|ibmcloud|ibmcloud-powervs|libvirt|docker
+	$0 alibabacloud|aws|azure|byom|gcp|ibmcloud|ibmcloud-powervs|libvirt|docker|openstack
 
 in addition all cloud provider specific env variables must be set and valid
 (CLOUD_PROVIDER is currently set to "$CLOUD_PROVIDER")
@@ -152,6 +161,8 @@ elif [[ "$CLOUD_PROVIDER" == "libvirt" ]]; then
     libvirt
 elif [[ "$CLOUD_PROVIDER" == "docker" ]]; then
     docker
+elif [[ "$CLOUD_PROVIDER" == "openstack" ]]; then
+    openstack
 else
     help_msg
 fi

src/cloud-api-adaptor/go.mod

@@ -170,6 +170,7 @@ require (
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
 	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/gophercloud/gophercloud/v2 v2.8.0 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect

src/cloud-api-adaptor/go.sum

@@ -397,6 +397,8 @@ github.com/googleapis/enterprise-certificate-proxy v0.3.7 h1:zrn2Ee/nWmHulBx5sAV
 github.com/googleapis/enterprise-certificate-proxy v0.3.7/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
 github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
 github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
+github.com/gophercloud/gophercloud/v2 v2.8.0 h1:of2+8tT6+FbEYHfYC8GBu8TXJNsXYSNm9KuvpX7Neqo=
+github.com/gophercloud/gophercloud/v2 v2.8.0/go.mod h1:Ki/ILhYZr/5EPebrPL9Ej+tUg4lqx71/YH2JWVeU+Qk=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=

src/cloud-api-adaptor/install/overlays/openstack/kustomization.yaml

@@ -0,0 +1,73 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../yamls
+
+images:
+- name: cloud-api-adaptor
+  newName: quay.io/confidential-containers/cloud-api-adaptor # change image if needed
+  newTag: latest
+
+generatorOptions:
+  disableNameSuffixHash: true
+
+configMapGenerator:
+- name: peer-pods-cm
+  namespace: confidential-containers-system
+  literals:
+  - CLOUD_PROVIDER="openstack"
+  - ENABLE_CLOUD_PROVIDER_EXTERNAL_PLUGIN="false" # flag to enable/disable dynamically load cloud provider external plugin feature
+  - CLOUD_CONFIG_VERIFY="false" # It's better set as true to enable could config verify in production env
+  - OPENSTACK_SERVER_PREFIX="" # set
+  - OPENSTACK_IMAGE_ID="" # set
+  - OPENSTACK_FLAVOR_ID="" # set
+  - OPENSTACK_SECURITY_GROUP="" # set
+  - OPENSTACK_NETWORK_ID="" # set
+  - OPENSTACK_FLOATING_IP_NETWORK_ID="" # set if specific floating IP needed
+
+  # The following options are not implemented for OpenStack at this time.
+  #- DISABLECVM=""
+  #- PAUSE_IMAGE=""
+  #- TUNNEL_TYPE=""
+  #- VXLAN_PORT=""
+  #- TAGS=""
+  #- USE_PUBLIC_IP="true"
+  #- EXTERNAL_NETWORK_VIA_PODVM="true"
+  #- POD_SUBNET_CIDRS="10.244.0.0/16,10.96.0.0/12"
+  #- ROOT_VOLUME_SIZE="30"
+  #- FORWARDER_PORT=""
+  #- PEERPODS_LIMIT_PER_NODE="10"
+  #- REMOTE_HYPERVISOR_ENDPOINT="/run/peerpod/hypervisor.sock"
+  #- PEER_PODS_DIR="/run/peerpod/pods"
+  #- ENABLE_SCRATCH_SPACE="false"
+##TLS_SETTINGS
+  #- CACERT_FILE="/etc/certificates/ca.crt" # for TLS
+  #- CERT_FILE="/etc/certificates/client.crt" # for TLS
+  #- CERT_KEY="/etc/certificates/client.key" # for TLS
+  #- TLS_SKIP_VERIFY="" # for testing only
+##TLS_SETTINGS
+
+secretGenerator:
+- name: peer-pods-secret
+  namespace: confidential-containers-system
+  # This file should look like this (w/o quotes!):
+  # OPENSTACK_IDENTITY_ENDPOINT=...
+  # OPENSTACK_USERNAME=...
+  # OPENSTACK_PASSWORD=...
+  # OPENSTACK_TENANT_NAME=...
+  envs:
+    - openstack-cred.env
+##TLS_SETTINGS
+#- name: certs-for-tls
+#  namespace: confidential-containers-system
+#  files:
+#  - <path_to_ca.crt> # set - relative path to ca.crt, located either in the same folder as the kustomization.yaml file or within a subfolder
+#  - <path_to_client.crt> # set - relative path to client.crt, located either in the same folder as the kustomization.yaml file or within a subfolder
+#  - <path_to_client.key> # set - relative path to client.key, located either in the same folder as the kustomization.yaml file or within a subfolder
+##TLS_SETTINGS
+
+patchesStrategicMerge:
+##TLS_SETTINGS
+  #- tls_certs_volume_mount.yaml # set (for tls)
+##TLS_SETTINGS

src/cloud-api-adaptor/install/overlays/openstack/openstack-cred.env.sample

@@ -0,0 +1,6 @@
+OPENSTACK_IDENTITY_ENDPOINT=<IDENTITY_ENDPOINT>
+OPENSTACK_USERNAME=<USERNAME>
+OPENSTACK_PASSWORD=<PASSWORD>
+OPENSTACK_TENANT_NAME=<TENANT_NAME>
+OPENSTACK_DOMAIN_NAME=<DOMAIN_NAME>
+OPENSTACK_REGION=<REGION>

src/cloud-api-adaptor/install/overlays/openstack/tls_certs_volume_mount.yaml

@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: cloud-api-adaptor-daemonset
+  namespace: confidential-containers-system
+  labels:
+    app: cloud-api-adaptor
+spec:
+  template:
+    spec:
+      containers:
+      - name: cloud-api-adaptor-con
+        volumeMounts:
+        - mountPath: /etc/certificates
+          name: certs
+      volumes:
+      - name: certs
+        secret:
+          secretName: certs-for-tls
+
+# to apply this uncomment the patchesStrategicMerge of this file in kustomization.yaml

src/cloud-providers/go.mod

@@ -25,6 +25,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.279.2
 	github.com/docker/docker v28.3.3+incompatible
 	github.com/docker/go-connections v0.5.0
+	github.com/gophercloud/gophercloud/v2 v2.8.0
 	github.com/kdomanski/iso9660 v0.4.0
 	github.com/stretchr/testify v1.11.1
 	golang.org/x/crypto v0.45.0

src/cloud-providers/go.sum

@@ -264,6 +264,8 @@ github.com/googleapis/enterprise-certificate-proxy v0.3.7 h1:zrn2Ee/nWmHulBx5sAV
 github.com/googleapis/enterprise-certificate-proxy v0.3.7/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
 github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
 github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
+github.com/gophercloud/gophercloud/v2 v2.8.0 h1:of2+8tT6+FbEYHfYC8GBu8TXJNsXYSNm9KuvpX7Neqo=
+github.com/gophercloud/gophercloud/v2 v2.8.0/go.mod h1:Ki/ILhYZr/5EPebrPL9Ej+tUg4lqx71/YH2JWVeU+Qk=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=