confidential-containers · cw-kojima1003 · Jan 26, 2026
@@ -25,9 +25,9 @@ RUN_TESTS ?= ''
 RESOURCE_CTRL ?= true
 # BUILTIN_CLOUD_PROVIDERS is used for binary build -- what providers are built in the binaries.
 ifeq ($(RELEASE_BUILD),true)
-	BUILTIN_CLOUD_PROVIDERS ?= alibabacloud aws azure gcp ibmcloud ibmcloud_powervs
+	BUILTIN_CLOUD_PROVIDERS ?= alibabacloud aws azure gcp ibmcloud ibmcloud_powervs openstack
 else
-	BUILTIN_CLOUD_PROVIDERS ?= alibabacloud aws azure byom gcp ibmcloud ibmcloud_powervs libvirt docker
+	BUILTIN_CLOUD_PROVIDERS ?= alibabacloud aws azure byom gcp ibmcloud ibmcloud_powervs libvirt docker openstack
 endif
 
 all: build

@@ -0,0 +1,10 @@
+//go:build openstack
+
+// (C) Copyright Confidential Containers Contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	_ "github.com/confidential-containers/cloud-api-adaptor/src/cloud-providers/openstack"
+)
@@ -122,12 +122,21 @@ byom() {
 
 }
 
+openstack() {
+    test_vars OPENSTACK_IMAGE_ID OPENSTACK_FLAVOR_ID OPENSTACK_SECURITY_GROUP
+    test_vars OPENSTACK_USERNAME OPENSTACK_PASSWORD OPENSTACK_REGION OPENSTACK_TENANT_NAME OPENSTACK_DOMAIN_NAME OPENSTACK_IDENTITY_ENDPOINT
+
+    set -x
+    exec cloud-api-adaptor openstack ${optionals}
+
+}
+
 help_msg() {
     cat <<EOF
 Usage:
-	CLOUD_PROVIDER=alibabacloud|aws|azure|byom|gcp|ibmcloud|ibmcloud-powervs|libvirt|docker $0
+	CLOUD_PROVIDER=alibabacloud|aws|azure|byom|gcp|ibmcloud|ibmcloud-powervs|libvirt|docker|openstack $0
 or
-	$0 alibabacloud|aws|azure|byom|gcp|ibmcloud|ibmcloud-powervs|libvirt|docker
+	$0 alibabacloud|aws|azure|byom|gcp|ibmcloud|ibmcloud-powervs|libvirt|docker|openstack
 
 in addition all cloud provider specific env variables must be set and valid
 (CLOUD_PROVIDER is currently set to "$CLOUD_PROVIDER")
@@ -152,6 +161,8 @@ elif [[ "$CLOUD_PROVIDER" == "libvirt" ]]; then
     libvirt
 elif [[ "$CLOUD_PROVIDER" == "docker" ]]; then
     docker
+elif [[ "$CLOUD_PROVIDER" == "openstack" ]]; then
+    openstack
 else
     help_msg
 fi
@@ -170,6 +170,7 @@ require (
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
 	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/gophercloud/gophercloud/v2 v2.8.0 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect

@@ -397,6 +397,8 @@ github.com/googleapis/enterprise-certificate-proxy v0.3.7 h1:zrn2Ee/nWmHulBx5sAV
 github.com/googleapis/enterprise-certificate-proxy v0.3.7/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
 github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
 github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
+github.com/gophercloud/gophercloud/v2 v2.8.0 h1:of2+8tT6+FbEYHfYC8GBu8TXJNsXYSNm9KuvpX7Neqo=
+github.com/gophercloud/gophercloud/v2 v2.8.0/go.mod h1:Ki/ILhYZr/5EPebrPL9Ej+tUg4lqx71/YH2JWVeU+Qk=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=

@@ -0,0 +1,73 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../yamls
+
+images:
+- name: cloud-api-adaptor
+  newName: quay.io/confidential-containers/cloud-api-adaptor # change image if needed
+  newTag: latest
+
+generatorOptions:
+  disableNameSuffixHash: true
+
+configMapGenerator:
+- name: peer-pods-cm
+  namespace: confidential-containers-system
+  literals:
+  - CLOUD_PROVIDER="openstack"
+  - ENABLE_CLOUD_PROVIDER_EXTERNAL_PLUGIN="false" # flag to enable/disable dynamically load cloud provider external plugin feature
+  - CLOUD_CONFIG_VERIFY="false" # It's better set as true to enable could config verify in production env
+  - OPENSTACK_SERVER_PREFIX="" # set
+  - OPENSTACK_IMAGE_ID="" # set
+  - OPENSTACK_FLAVOR_ID="" # set
+  - OPENSTACK_SECURITY_GROUP="" # set
+  - OPENSTACK_NETWORK_ID="" # set
+  - OPENSTACK_FLOATING_IP_NETWORK_ID="" # set if specific floating IP needed
+
+  # The following options are not implemented for OpenStack at this time.
+  #- DISABLECVM=""
+  #- PAUSE_IMAGE=""
+  #- TUNNEL_TYPE=""
+  #- VXLAN_PORT=""
+  #- TAGS=""
+  #- USE_PUBLIC_IP="true"
+  #- EXTERNAL_NETWORK_VIA_PODVM="true"
+  #- POD_SUBNET_CIDRS="10.244.0.0/16,10.96.0.0/12"
+  #- ROOT_VOLUME_SIZE="30"
+  #- FORWARDER_PORT=""
+  #- PEERPODS_LIMIT_PER_NODE="10"
+  #- REMOTE_HYPERVISOR_ENDPOINT="/run/peerpod/hypervisor.sock"
+  #- PEER_PODS_DIR="/run/peerpod/pods"
+  #- ENABLE_SCRATCH_SPACE="false"
+##TLS_SETTINGS
+  #- CACERT_FILE="/etc/certificates/ca.crt" # for TLS
+  #- CERT_FILE="/etc/certificates/client.crt" # for TLS
+  #- CERT_KEY="/etc/certificates/client.key" # for TLS
+  #- TLS_SKIP_VERIFY="" # for testing only
+##TLS_SETTINGS
+
+secretGenerator:
+- name: peer-pods-secret
+  namespace: confidential-containers-system
+  # This file should look like this (w/o quotes!):
+  # OPENSTACK_IDENTITY_ENDPOINT=...
+  # OPENSTACK_USERNAME=...
+  # OPENSTACK_PASSWORD=...
+  # OPENSTACK_TENANT_NAME=...
+  envs:
+    - openstack-cred.env
+##TLS_SETTINGS
+#- name: certs-for-tls
+#  namespace: confidential-containers-system
+#  files:
+#  - <path_to_ca.crt> # set - relative path to ca.crt, located either in the same folder as the kustomization.yaml file or within a subfolder
+#  - <path_to_client.crt> # set - relative path to client.crt, located either in the same folder as the kustomization.yaml file or within a subfolder
+#  - <path_to_client.key> # set - relative path to client.key, located either in the same folder as the kustomization.yaml file or within a subfolder
+##TLS_SETTINGS
+
+patchesStrategicMerge:
+##TLS_SETTINGS
+  #- tls_certs_volume_mount.yaml # set (for tls)
+##TLS_SETTINGS
@@ -0,0 +1,6 @@
+OPENSTACK_IDENTITY_ENDPOINT=<IDENTITY_ENDPOINT>
+OPENSTACK_USERNAME=<USERNAME>
+OPENSTACK_PASSWORD=<PASSWORD>
+OPENSTACK_TENANT_NAME=<TENANT_NAME>
+OPENSTACK_DOMAIN_NAME=<DOMAIN_NAME>
+OPENSTACK_REGION=<REGION>
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: cloud-api-adaptor-daemonset
+  namespace: confidential-containers-system
+  labels:
+    app: cloud-api-adaptor
+spec:
+  template:
+    spec:
+      containers:
+      - name: cloud-api-adaptor-con
+        volumeMounts:
+        - mountPath: /etc/certificates
+          name: certs
+      volumes:
+      - name: certs
+        secret:
+          secretName: certs-for-tls
+
+# to apply this uncomment the patchesStrategicMerge of this file in kustomization.yaml
@@ -25,6 +25,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.279.2
 	github.com/docker/docker v28.3.3+incompatible
 	github.com/docker/go-connections v0.5.0
+	github.com/gophercloud/gophercloud/v2 v2.8.0
 	github.com/kdomanski/iso9660 v0.4.0
 	github.com/stretchr/testify v1.11.1
 	golang.org/x/crypto v0.45.0

@@ -264,6 +264,8 @@ github.com/googleapis/enterprise-certificate-proxy v0.3.7 h1:zrn2Ee/nWmHulBx5sAV
 github.com/googleapis/enterprise-certificate-proxy v0.3.7/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
 github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
 github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
+github.com/gophercloud/gophercloud/v2 v2.8.0 h1:of2+8tT6+FbEYHfYC8GBu8TXJNsXYSNm9KuvpX7Neqo=
+github.com/gophercloud/gophercloud/v2 v2.8.0/go.mod h1:Ki/ILhYZr/5EPebrPL9Ej+tUg4lqx71/YH2JWVeU+Qk=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=

@@ -0,0 +1,48 @@
+// (C) Copyright Confidential Containers Contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package openstack
+
+import (
+	"flag"
+
+	provider "github.com/confidential-containers/cloud-api-adaptor/src/cloud-providers"
+)
+
+var openstackcfg Config
+
+type Manager struct{}
+
+func init() {
+	provider.AddCloudProvider("openstack", &Manager{})
+}
+
+func (_ *Manager) ParseCmd(flags *flag.FlagSet) {
+	reg := provider.NewFlagRegistrar(flags)
+
+	reg.StringWithEnv(&openstackcfg.ServerPrefix, "server-prefix", "", "OPENSTACK_SERVER_PREFIX", "server-prefix")
+	reg.StringWithEnv(&openstackcfg.ImageID, "imageID", "", "OPENSTACK_IMAGE_ID", "openstack-image-id")
+	reg.StringWithEnv(&openstackcfg.FlavorID, "flavorID", "", "OPENSTACK_FLAVOR_ID", "openstack-flavor-id")
+	reg.CustomTypeWithEnv(&openstackcfg.NetworkIDs, "networkID", "", "OPENSTACK_NETWORK_ID", "openstack-network-id")
+	reg.CustomTypeWithEnv(&openstackcfg.SecurityGroups, "security-group", "", "OPENSTACK_SECURITY_GROUP", "openstack-security-group")
+	reg.StringWithEnv(&openstackcfg.FloatingIpNetworkID, "floating-ip-networkID", "", "OPENSTACK_FLOATING_IP_NETWORK_ID", "openstack-floating-ip-network-id")
+
+	reg.StringWithEnv(&openstackcfg.Username, "openstack-username", "", "OPENSTACK_USERNAME", "openstack-username")
+	reg.StringWithEnv(&openstackcfg.Password, "openstack-password", "", "OPENSTACK_PASSWORD", "openstack-password")
+	reg.StringWithEnv(&openstackcfg.Region, "openstack-region", "", "OPENSTACK_REGION", "openstack-region")
+	reg.StringWithEnv(&openstackcfg.TenantName, "openstack-tenant-name", "", "OPENSTACK_TENANT_NAME", "openstack-tenant-name")
+	reg.StringWithEnv(&openstackcfg.DomainName, "openstack-domain-name", "", "OPENSTACK_DOMAIN_NAME", "openstack-domain-name")
+	reg.StringWithEnv(&openstackcfg.IdentityEndpoint, "openstack-identity-endpoint", "", "OPENSTACK_IDENTITY_ENDPOINT", "openstack-identity-endpoint")
+}
+
+func (_ *Manager) LoadEnv() {
+	// No longer needed - environment variables are handled in ParseCmd
+}
+
+func (_ *Manager) NewProvider() (provider.Provider, error) {
+	return NewProvider(&openstackcfg)
+}
+
+func (_ *Manager) GetConfig() (config *Config) {
+	return &openstackcfg
+}