Mirantis
diff --git a/‎Makefile‎
Lines changed: 2 additions & 1 deletion b/‎Makefile‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎api/v1beta1/identity_types.go‎
Lines changed: 2 additions & 2 deletions b/‎api/v1beta1/identity_types.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml‎
Lines changed: 4 additions & 8 deletions b/‎config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml‎
Lines changed: 4 additions & 8 deletions
diff --git a/‎config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclustertemplates.yaml‎
Lines changed: 4 additions & 8 deletions b/‎config/crd/bases/infrastructure.cluster.x-k8s.io_openstackclustertemplates.yaml‎
Lines changed: 4 additions & 8 deletions
diff --git a/‎config/crd/bases/infrastructure.cluster.x-k8s.io_openstackfloatingippools.yaml‎
Lines changed: 2 additions & 4 deletions b/‎config/crd/bases/infrastructure.cluster.x-k8s.io_openstackfloatingippools.yaml‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachines.yaml‎
Lines changed: 2 additions & 4 deletions b/‎config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachines.yaml‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachinetemplates.yaml‎
Lines changed: 2 additions & 4 deletions b/‎config/crd/bases/infrastructure.cluster.x-k8s.io_openstackmachinetemplates.yaml‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎config/crd/bases/infrastructure.cluster.x-k8s.io_openstackservers.yaml‎
Lines changed: 2 additions & 4 deletions b/‎config/crd/bases/infrastructure.cluster.x-k8s.io_openstackservers.yaml‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎config/crd/kustomization.yaml‎
Lines changed: 1 addition & 0 deletions b/‎config/crd/kustomization.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎controllers/openstackcluster_controller_test.go‎
Lines changed: 62 additions & 2 deletions b/‎controllers/openstackcluster_controller_test.go‎
Lines changed: 62 additions & 2 deletions
@@ -187,7 +187,8 @@ e2e-templates: $(addprefix $(E2E_NO_ARTIFACT_TEMPLATES_DIR)/, \
 		 cluster-template-flatcar.yaml \
      cluster-template-k8s-upgrade.yaml \
 		 cluster-template-flatcar-sysext.yaml \
-		 cluster-template-no-bastion.yaml)
+		 cluster-template-no-bastion.yaml \
+		 cluster-template-cluster-identity.yaml)
 # Currently no templates that require CI artifacts
 # $(addprefix $(E2E_TEMPLATES_DIR)/, add-templates-here.yaml) \
 
 
@@ -19,8 +19,6 @@ package v1beta1
 // OpenStackIdentityReference is a reference to an infrastructure
 // provider identity to be used to provision cluster resources.
 // +kubebuilder:validation:XValidation:rule="(!has(self.region) && !has(oldSelf.region)) || self.region == oldSelf.region",message="region is immutable"
-// +kubebuilder:validation:XValidation:rule="has(self.name)",message="name is required"
-// +kubebuilder:validation:XValidation:rule="has(self.cloudName)",message="cloudName is required"
 type OpenStackIdentityReference struct {
 	// Type specifies the identity reference type. Defaults to Secret for backward compatibility.
 	// +kubebuilder:validation:Enum=Secret;ClusterIdentity
@@ -33,10 +31,12 @@ type OpenStackIdentityReference struct {
 	// The Secret must contain a key named `clouds.yaml` which contains an OpenStack clouds.yaml file.
 	// The Secret may optionally contain a key named `cacert` containing a PEM-encoded CA certificate.
 	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
 	Name string `json:"name"`
 
 	// CloudName specifies the name of the entry in the clouds.yaml file to use.
 	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
 	CloudName string `json:"cloudName"`
 
 	// Region specifies an OpenStack region to use. If specified, it overrides
 
@@ -6,6 +6,7 @@ commonLabels:
 # It should be run by config/
 resources:
 - bases/infrastructure.cluster.x-k8s.io_openstackclusters.yaml
+- bases/infrastructure.cluster.x-k8s.io_openstackclusteridentities.yaml
 - bases/infrastructure.cluster.x-k8s.io_openstackmachines.yaml
 - bases/infrastructure.cluster.x-k8s.io_openstackmachinetemplates.yaml
 - bases/infrastructure.cluster.x-k8s.io_openstackclustertemplates.yaml
 
@@ -89,7 +89,12 @@ var _ = Describe("OpenStackCluster controller", func() {
 					},
 				},
 			},
-			Spec:   infrav1.OpenStackClusterSpec{},
+			Spec: infrav1.OpenStackClusterSpec{
+				IdentityRef: infrav1.OpenStackIdentityReference{
+					Name:      "test-creds",
+					CloudName: "openstack",
+				},
+			},
 			Status: infrav1.OpenStackClusterStatus{},
 		}
 		capiCluster = &clusterv1.Cluster{
@@ -255,6 +260,32 @@ var _ = Describe("OpenStackCluster controller", func() {
 		Expect(fetched.Spec.IdentityRef.Type).To(Equal("Secret"))
 	})
 
+	It("should fail when namespace is denied access to ClusterIdentity", func() {
+		testCluster.SetName("identity-access-denied")
+		testCluster.Spec.IdentityRef = infrav1.OpenStackIdentityReference{
+			Type:      "ClusterIdentity",
+			Name:      "test-cluster-identity",
+			CloudName: "openstack",
+		}
+
+		err := k8sClient.Create(ctx, testCluster)
+		Expect(err).To(BeNil())
+		err = k8sClient.Create(ctx, capiCluster)
+		Expect(err).To(BeNil())
+
+		identityAccessErr := &scope.IdentityAccessDeniedError{
+			IdentityName:       "test-cluster-identity",
+			RequesterNamespace: testNamespace,
+		}
+		mockScopeFactory.SetClientScopeCreateError(identityAccessErr)
+
+		req := createRequestFromOSCluster(testCluster)
+		result, err := reconciler.Reconcile(ctx, req)
+
+		Expect(err).To(MatchError(identityAccessErr))
+		Expect(result).To(Equal(reconcile.Result{}))
+	})
+
 	It("should reject updates that modify identityRef.region (immutable)", func() {
 		testCluster.Spec = infrav1.OpenStackClusterSpec{
 			IdentityRef: infrav1.OpenStackIdentityReference{
@@ -325,6 +356,10 @@ var _ = Describe("OpenStackCluster controller", func() {
 	It("should be able to reconcile when bastion is explicitly disabled and does not exist", func() {
 		testCluster.SetName("no-bastion-explicit")
 		testCluster.Spec = infrav1.OpenStackClusterSpec{
+			IdentityRef: infrav1.OpenStackIdentityReference{
+				Name:      "test-creds",
+				CloudName: "openstack",
+			},
 			Bastion: &infrav1.Bastion{Enabled: ptr.To(false)},
 		}
 		err := k8sClient.Create(ctx, testCluster)
@@ -349,7 +384,12 @@ var _ = Describe("OpenStackCluster controller", func() {
 	})
 	It("should delete an existing bastion even if its uuid is not stored in status", func() {
 		testCluster.SetName("delete-existing-bastion")
-		testCluster.Spec = infrav1.OpenStackClusterSpec{}
+		testCluster.Spec = infrav1.OpenStackClusterSpec{
+			IdentityRef: infrav1.OpenStackIdentityReference{
+				Name:      "test-creds",
+				CloudName: "openstack",
+			},
+		}
 		err := k8sClient.Create(ctx, testCluster)
 		Expect(err).To(BeNil())
 		err = k8sClient.Create(ctx, capiCluster)
@@ -380,6 +420,10 @@ var _ = Describe("OpenStackCluster controller", func() {
 
 		testCluster.SetName("subnet-filtering")
 		testCluster.Spec = infrav1.OpenStackClusterSpec{
+			IdentityRef: infrav1.OpenStackIdentityReference{
+				Name:      "test-creds",
+				CloudName: "openstack",
+			},
 			Bastion: &infrav1.Bastion{
 				Enabled: ptr.To(true),
 				Spec:    &bastionSpec,
@@ -450,6 +494,10 @@ var _ = Describe("OpenStackCluster controller", func() {
 
 		testCluster.SetName("subnet-filtering")
 		testCluster.Spec = infrav1.OpenStackClusterSpec{
+			IdentityRef: infrav1.OpenStackIdentityReference{
+				Name:      "test-creds",
+				CloudName: "openstack",
+			},
 			Bastion: &infrav1.Bastion{
 				Enabled: ptr.To(true),
 				Spec:    &bastionSpec,
@@ -527,6 +575,10 @@ var _ = Describe("OpenStackCluster controller", func() {
 
 		testCluster.SetName("subnet-filtering")
 		testCluster.Spec = infrav1.OpenStackClusterSpec{
+			IdentityRef: infrav1.OpenStackIdentityReference{
+				Name:      "test-creds",
+				CloudName: "openstack",
+			},
 			DisableAPIServerFloatingIP: ptr.To(true),
 			APIServerFixedIP:           ptr.To("10.0.0.1"),
 			DisableExternalNetwork:     ptr.To(true),
@@ -570,6 +622,10 @@ var _ = Describe("OpenStackCluster controller", func() {
 
 		testCluster.SetName("pre-existing-network-components-by-id")
 		testCluster.Spec = infrav1.OpenStackClusterSpec{
+			IdentityRef: infrav1.OpenStackIdentityReference{
+				Name:      "test-creds",
+				CloudName: "openstack",
+			},
 			Network: &infrav1.NetworkParam{
 				ID: ptr.To(clusterNetworkID),
 			},
@@ -629,6 +685,10 @@ var _ = Describe("OpenStackCluster controller", func() {
 
 		testCluster.SetName("pre-existing-network-components-by-id")
 		testCluster.Spec = infrav1.OpenStackClusterSpec{
+			IdentityRef: infrav1.OpenStackIdentityReference{
+				Name:      "test-creds",
+				CloudName: "openstack",
+			},
 			Network: &infrav1.NetworkParam{
 				Filter: &infrav1.NetworkFilter{
 					Name: clusterNetworkName,