From 6357cfaa79857dd338b1c42a02eb1866609a9f18 Mon Sep 17 00:00:00 2001
From: Matthew Northcott <matthewnorthcott@catalystcloud.nz>
Date: Tue, 5 Aug 2025 14:49:07 +1200
Subject: [PATCH] Support credential API

Adds the `openstack coe credential rotate` command which corresponds to
PATCH /v1/credential/{cluster-uuid} in the API.

Change-Id: I849df62cac5b154d78ead139cf3e0a4ea2fd55ca
Signed-off-by: Matthew Northcott <matthewnorthcott@catalystcloud.nz>
---
 magnumclient/osc/v1/credentials.py            | 39 +++++++++++++++++++
 magnumclient/v1/client.py                     |  2 +
 magnumclient/v1/credentials.py                | 31 +++++++++++++++
 .../credential-rotate-02cc95069e3329fb.yaml   |  5 +++
 setup.cfg                                     |  2 +
 5 files changed, 79 insertions(+)
 create mode 100644 magnumclient/osc/v1/credentials.py
 create mode 100644 magnumclient/v1/credentials.py
 create mode 100644 releasenotes/notes/credential-rotate-02cc95069e3329fb.yaml

diff --git a/magnumclient/osc/v1/credentials.py b/magnumclient/osc/v1/credentials.py
new file mode 100644
index 00000000..55e031d1
--- /dev/null
+++ b/magnumclient/osc/v1/credentials.py
@@ -0,0 +1,39 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from osc_lib.command import command
+from osc_lib.i18n import _
+
+
+class RotateCredential(command.Command):
+    _description = _("Rotate the credentials for the cluster using the "
+                     "current user account.")
+
+    def get_parser(self, prog_name):
+        parser = super(RotateCredential, self).get_parser(prog_name)
+        parser.add_argument('cluster',
+                            metavar='<cluster>',
+                            help='ID or name of the cluster')
+        return parser
+
+    def take_action(self, parsed_args):
+        self.log.debug("take_action(%s)", parsed_args)
+
+        mag_client = self.app.client_manager.container_infra
+
+        try:
+            cluster = mag_client.credentials.update(parsed_args.cluster)
+        except Exception as e:
+            print("Credential rotation failed: %s" % e)
+        else:
+            print("Request to rotate credentials for cluster %s accepted."
+                  % cluster.uuid)
diff --git a/magnumclient/v1/client.py b/magnumclient/v1/client.py
index 7ccb3c4d..ce25f235 100644
--- a/magnumclient/v1/client.py
+++ b/magnumclient/v1/client.py
@@ -22,6 +22,7 @@ from magnumclient.common import httpclient
 from magnumclient.v1 import certificates
 from magnumclient.v1 import cluster_templates
 from magnumclient.v1 import clusters
+from magnumclient.v1 import credentials
 from magnumclient.v1 import mservices
 from magnumclient.v1 import nodegroups
 from magnumclient.v1 import quotas
@@ -213,3 +214,4 @@ class Client(object):
         self.stats = stats.StatsManager(self.http_client)
         self.quotas = quotas.QuotasManager(self.http_client)
         self.nodegroups = nodegroups.NodeGroupManager(self.http_client)
+        self.credentials = credentials.CredentialManager(self.http_client)
diff --git a/magnumclient/v1/credentials.py b/magnumclient/v1/credentials.py
new file mode 100644
index 00000000..de0e8933
--- /dev/null
+++ b/magnumclient/v1/credentials.py
@@ -0,0 +1,31 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from magnumclient.common import base
+
+
+class Cluster(base.Resource):
+    def __repr__(self):
+        return "<Cluster %s>" % self._info
+
+
+class CredentialManager(base.Manager):
+    api_name = "credentials"
+    resource_class = Cluster
+
+    @staticmethod
+    def _path(id=None):
+        return "/v1/credentials/%s" % id
+
+    def update(self, id):
+        resp, resp_body = self.api.json_request('PATCH', self._path(id=id))
+        return self.resource_class(self, resp_body)
diff --git a/releasenotes/notes/credential-rotate-02cc95069e3329fb.yaml b/releasenotes/notes/credential-rotate-02cc95069e3329fb.yaml
new file mode 100644
index 00000000..2f42204b
--- /dev/null
+++ b/releasenotes/notes/credential-rotate-02cc95069e3329fb.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Implemented OpenStack command for credential-rotate which can be invoked
+    with `openstack coe credential rotate <cluster>`.
diff --git a/setup.cfg b/setup.cfg
index 33bfc35a..83a0b35c 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -66,3 +66,5 @@ openstack.container_infra.v1 =
     coe_nodegroup_delete = magnumclient.osc.v1.nodegroups:DeleteNodeGroup
     coe_nodegroup_update = magnumclient.osc.v1.nodegroups:UpdateNodeGroup
 
+    coe_credential_rotate = magnumclient.osc.v1.credentials:RotateCredential
+