✨ Add OpenStackClusterIdentity for centralized credential management

Makefile

@@ -188,7 +188,8 @@ e2e-templates: $(addprefix $(E2E_NO_ARTIFACT_TEMPLATES_DIR)/, \
 		 cluster-template-flatcar-sysext.yaml \
 		 cluster-template-no-bastion.yaml \
 		 cluster-template-health-monitor.yaml \
-		 cluster-template-capi-v1beta1.yaml)
+		 cluster-template-capi-v1beta1.yaml \
+		 cluster-template-cluster-identity.yaml)
 # Currently no templates that require CI artifacts
 # $(addprefix $(E2E_TEMPLATES_DIR)/, add-templates-here.yaml) \
 

PROJECT

@@ -23,5 +23,8 @@ resources:
 - group: infrastructure
   kind: OpenStackServer
   version: v1alpha1
+- group: infrastructure
+  kind: OpenStackClusterIdentity
+  version: v1alpha1
 - group: infrastructure
 version: "2"

api/v1alpha1/openstackclusteridentity_types.go

@@ -0,0 +1,68 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// OpenStackCredentialSecretReference references a Secret containing OpenStack credentials.
+type OpenStackCredentialSecretReference struct {
+	// Name of the Secret which contains a `clouds.yaml` key (and optionally `cacert`).
+	// +kubebuilder:validation:Required
+	Name string `json:"name"`
+
+	// Namespace where the Secret resides.
+	// +kubebuilder:validation:Required
+	Namespace string `json:"namespace"`
+}
+
+// OpenStackClusterIdentitySpec defines the desired state for an OpenStackClusterIdentity.
+type OpenStackClusterIdentitySpec struct {
+	// SecretRef references the credentials Secret containing a `clouds.yaml` file.
+	// +kubebuilder:validation:Required
+	SecretRef OpenStackCredentialSecretReference `json:"secretRef"`
+
+	// NamespaceSelector limits which namespaces may use this identity. If nil, all namespaces are allowed.
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+}
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=openstackclusteridentities,scope=Cluster,categories=cluster-api,shortName=osci
+
+// OpenStackClusterIdentity is a cluster-scoped identity that centralizes OpenStack credentials.
+type OpenStackClusterIdentity struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec OpenStackClusterIdentitySpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// OpenStackClusterIdentityList contains a list of OpenStackClusterIdentity.
+type OpenStackClusterIdentityList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []OpenStackClusterIdentity `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&OpenStackClusterIdentity{}, &OpenStackClusterIdentityList{})
+}

api/v1beta1/identity_types.go

@@ -20,14 +20,23 @@ package v1beta1
 // provider identity to be used to provision cluster resources.
 // +kubebuilder:validation:XValidation:rule="(!has(self.region) && !has(oldSelf.region)) || self.region == oldSelf.region",message="region is immutable"
 type OpenStackIdentityReference struct {
-	// Name is the name of a secret in the same namespace as the resource being provisioned.
-	// The secret must contain a key named `clouds.yaml` which contains an OpenStack clouds.yaml file.
-	// The secret may optionally contain a key named `cacert` containing a PEM-encoded CA certificate.
+	// Type specifies the identity reference type. Defaults to Secret for backward compatibility.
+	// +kubebuilder:validation:Enum=Secret;ClusterIdentity
+	// +kubebuilder:default=Secret
 	// +kubebuilder:validation:Required
+	Type string `json:"type,omitempty"`
+
+	// Name is the name of a Secret (type=Secret) in the same namespace as the resource being provisioned,
+	// or the name of an OpenStackClusterIdentity (type=ClusterIdentity).
+	// The Secret must contain a key named `clouds.yaml` which contains an OpenStack clouds.yaml file.
+	// The Secret may optionally contain a key named `cacert` containing a PEM-encoded CA certificate.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
 	Name string `json:"name"`
 
 	// CloudName specifies the name of the entry in the clouds.yaml file to use.
 	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
 	CloudName string `json:"cloudName"`
 
 	// Region specifies an OpenStack region to use. If specified, it overrides