This commit introduces OIDC authentication to the DC CLI
while preserving Keystone as the default authentication method.
Behavior & configuration:
- New authentication selector available as:
* Environment variable: STX_AUTH_TYPE={keystone|oidc}
* CLI parameter: --stx-auth-type keystone|oidc
- Default: keystone (existing behavior)
- Keystone flow (default or when STX_AUTH_TYPE/--stx-auth-type=keystone):
- Unchanged; authenticate with Keystone using X-Auth-Token.
- OIDC flow (when STX_AUTH_TYPE/--stx-auth-type=oidc):
- Obtain OIDC ID/Refresh tokens from $KUBECONFIG (or ~/.kube/config
if not specified); no local token discovery beyond kubeconfig.
- Send OIDC ID-Token via custom HTTPS header: OIDC-Token.
- Build REST API URL without Keystone catalog:
* Protocol from OS_INTERFACE: public/admin=https, internal=http.
* IP/host from OS_AUTH_URL (MGMT locally, OAM remotely).
* Hard-code port and API path per interface (v1/v3 variants),
including region dimension (RegionOne vs SystemController).
Test Plan:
PASS: CLI authenticates with Keystone by default or with
STX_AUTH_TYPE/--stx-auth-type=keystone.
PASS: CLI authenticates with OIDC when
STX_AUTH_TYPE/--stx-auth-type=oidc is specified.
PASS: CLI reads OIDC ID/Refresh tokens from kubeconfig.
PASS: CLI sends OIDC-Token header in OIDC mode.
PASS: In an https enabled system, run a dcmanager command with
--os-endpoint-type parameter set to public and the --os-auth-url
pointing to the oam ip and verify the request succeeds
Depends-On: https://review.opendev.org/c/starlingx/distcloud/+/966303
Story: 2011646
Task: 53595
Change-Id: Iff55f653258bdf40247baf3490943f884d41d781
Signed-off-by: Hugo Brito <hugo.brito@windriver.com>
62fe1ee076