feat: add keystoneauth_kubeservicetoken authentication plugin

.github/workflows/containers-openstack.yaml

@@ -36,6 +36,7 @@ jobs:
           - cinder
           - glance
           - horizon
+          - ironic
           - keystone
           - neutron
           - nova
@@ -48,15 +49,5 @@ jobs:
     with:
       container_name: ${{ matrix.project }}
       dockerfile_path: containers/${{ matrix.project }}/Dockerfile
-      build_args: OPENSTACK_VERSION=2025.2
-      latest_name: "2025.2"
-
-  ironic:
-    uses: ./.github/workflows/build-container-reuse.yaml
-    secrets: inherit
-    with:
-      container_name: ironic
-      dockerfile_path: containers/ironic/Dockerfile
       build_args: OPENSTACK_VERSION=2026.1
       latest_name: "2026.1"
-      target: final

ansible/roles/keystone_bootstrap/defaults/main.yml

@@ -68,3 +68,29 @@ keystone_bootstrap_groups:
     #     role: member
     #   - project: shared-services
     #     role: reader
+
+# domain in which k8s service account groups are created
+keystone_bootstrap_k8s_group_domain: service
+
+# k8s identity providers; override with your cluster issuers
+keystone_k8s_identity:
+  providers: []
+
+# k8s service account groups and their project role assignments
+# Each group can have project_roles with an optional domain to scope the project lookup
+keystone_bootstrap_k8s_groups:
+  - name: k8s-serviceaccounts
+    desc: 'Kubernetes Service Accounts'
+    project_roles:
+      - project: service
+        domain: service
+        role: admin
+      - project: service
+        domain: service
+        role: service
+      - project: baremetal
+        domain: infra
+        role: admin
+      - project: baremetal
+        domain: infra
+        role: service

ansible/roles/keystone_bootstrap/tasks/k8s.yml

@@ -0,0 +1,54 @@
+---
+# Copyright (c) 2026 Rackspace Technology, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Create k8s mapping
+  openstack.cloud.federation_mapping:
+    name: k8s-mapping
+    rules:
+      - local:
+          - user:
+              name: '{0}'
+            group:
+              domain:
+                name: service
+              name: k8s-serviceaccounts
+        remote:
+          - type: HTTP_OIDC_SUB
+
+- name: Create k8s identity providers
+  openstack.cloud.federation_idp:
+    name: "{{ item.name }}"
+    is_enabled: true
+    remote_ids:
+      - "{{ item.issuer }}"
+  loop: "{{ keystone_k8s_identity.providers }}"
+
+- name: Create k8s openid protocols
+  openstack.cloud.keystone_federation_protocol:
+    name: openid
+    idp: "{{ item.name }}"
+    mapping: k8s-mapping
+  loop: "{{ keystone_k8s_identity.providers }}"
+
+- name: Get k8s group domain info
+  openstack.cloud.identity_domain_info:
+    name: "{{ keystone_bootstrap_k8s_group_domain }}"
+  register: _k8s_group_domain
+
+- name: Create k8s service account group mappings
+  ansible.builtin.include_tasks: k8s_group.yml
+  loop: "{{ keystone_bootstrap_k8s_groups }}"
+  loop_control:
+    loop_var: group_item

ansible/roles/keystone_bootstrap/tasks/k8s_group.yml

@@ -0,0 +1,34 @@
+---
+# Copyright (c) 2026 Rackspace Technology, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Create k8s group
+  openstack.cloud.identity_group:
+    name: "{{ group_item.name }}"
+    domain_id: "{{ _k8s_group_domain.domains[0].id }}"
+    description: "{{ group_item.desc }}"
+    state: present
+  register: _k8s_group
+
+- name: Assign role to k8s group for project
+  openstack.cloud.role_assignment:
+    group: "{{ _k8s_group.group.id }}"
+    project: "{{ role_item.project }}"
+    project_domain: "{{ role_item.domain | default(omit) }}"
+    role: "{{ role_item.role }}"
+    state: present
+  loop: "{{ group_item.project_roles | default([]) }}"
+  loop_control:
+    loop_var: role_item
+  when: dont_set_roles is not defined

ansible/roles/keystone_bootstrap/tasks/main.yml

@@ -10,5 +10,8 @@
 - name: Define SSO
   ansible.builtin.include_tasks: sso.yml
 
+- name: Define k8s service account groups
+  ansible.builtin.include_tasks: k8s.yml
+
 - name: Define misc keystone
   ansible.builtin.include_tasks: misc.yml

charts/argocd-understack/templates/application-oidc-rbac.yaml

@@ -0,0 +1,30 @@
+{{- if or (eq (include "understack.isEnabled" (list $.Values.global "oidc_rbac")) "true") (eq (include "understack.isEnabled" (list $.Values.site "oidc_rbac")) "true") }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ printf "%s-%s" $.Release.Name "oidc-rbac" }}
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+  annotations:
+    argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
+{{- include "understack.appLabelsBlock" $ | nindent 2 }}
+spec:
+  destination:
+    namespace: kube-system
+    server: {{ $.Values.cluster_server }}
+  project: understack-infra
+  sources:
+  - path: components/oidc-rbac
+    ref: understack
+    repoURL: {{ include "understack.understack_url" $ }}
+    targetRevision: {{ include "understack.understack_ref" $ }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - ServerSideApply=true
+    - RespectIgnoreDifferences=true
+    - ApplyOutOfSyncOnly=true
+{{- end }}

charts/argocd-understack/values.yaml

@@ -166,6 +166,12 @@ global:
     # @default -- false
     enabled: false
 
+  # -- OIDC RBAC (ClusterRoleBindings for OIDC service account issuer discovery)
+  oidc_rbac:
+    # -- Enable/disable deploying OIDC RBAC
+    # @default -- false
+    enabled: false
+
   # -- OpenEBS
   openebs:
     # -- Enable/disable deploying OpenEBS
@@ -338,7 +344,7 @@ site:
     wave: 1
     # -- Chart version for Keystone
     # renovate: datasource=helm depName=keystone registryUrl=https://tarballs.opendev.org/openstack/openstack-helm
-    chartVersion: 2025.2.14+3bc47c1e9
+    chartVersion: 2026.1.4+872fd69e7
 
   # -- Glance (Image Service)
   glance:
@@ -350,7 +356,7 @@ site:
     wave: 2
     # -- Chart version for Glance
     # renovate: datasource=helm depName=glance registryUrl=https://tarballs.opendev.org/openstack/openstack-helm
-    chartVersion: 2025.2.7+01c93d867
+    chartVersion: 2026.1.3+872fd69e7
 
   # -- Cinder (Block Storage Service)
   cinder:
@@ -362,7 +368,7 @@ site:
     wave: 2
     # -- Chart version for Cinder
     # renovate: datasource=helm depName=cinder registryUrl=https://tarballs.opendev.org/openstack/openstack-helm
-    chartVersion: 2025.1.3+abd55b4a7
+    chartVersion: 2026.1.5+872fd69e7
 
   # -- Ironic (Bare Metal Service)
   ironic:
@@ -374,7 +380,7 @@ site:
     wave: 2
     # -- Chart version for Ironic
     # renovate: datasource=helm depName=ironic registryUrl=https://tarballs.opendev.org/openstack/openstack-helm
-    chartVersion: 2025.2.23+ea0d1ecda
+    chartVersion: 2026.1.7+872fd69e7
 
   # -- Neutron (Networking Service)
   neutron:
@@ -386,7 +392,7 @@ site:
     wave: 2
     # -- Chart version for Neutron
     # renovate: datasource=helm depName=neutron registryUrl=https://tarballs.opendev.org/openstack/openstack-helm
-    chartVersion: 2025.2.33+4df43bd83
+    chartVersion: 2026.1.8+872fd69e7
 
   # -- Placement (Placement Service)
   placement:
@@ -398,7 +404,7 @@ site:
     wave: 2
     # -- Chart version for Placement
     # renovate: datasource=helm depName=placement registryUrl=https://tarballs.opendev.org/openstack/openstack-helm
-    chartVersion: 2025.2.17+bb8dd0598
+    chartVersion: 2026.1.3+872fd69e7
 
   # -- Nova (Compute Service)
   nova:
@@ -410,7 +416,7 @@ site:
     wave: 3
     # -- Chart version for Nova
     # renovate: datasource=helm depName=nova registryUrl=https://tarballs.opendev.org/openstack/openstack-helm
-    chartVersion: 2025.2.22+008600f9e
+    chartVersion: 2026.1.7+872fd69e7
 
   # -- Octavia (Load Balancer Service)
   octavia:
@@ -422,7 +428,7 @@ site:
     wave: 3
     # -- Chart version for Octavia
     # renovate: datasource=helm depName=octavia registryUrl=https://tarballs.opendev.org/openstack/openstack-helm
-    chartVersion: 2025.2.8+01c93d867
+    chartVersion: 2026.1.4+872fd69e7
 
   # -- Horizon (Dashboard)
   horizon:
@@ -434,7 +440,7 @@ site:
     wave: 4
     # -- Chart version for Horizon
     # renovate: datasource=helm depName=horizon registryUrl=https://tarballs.opendev.org/openstack/openstack-helm
-    chartVersion: 2025.2.4+01c93d867
+    chartVersion: 2026.1.2+872fd69e7
 
   # -- Skyline (Dashboard)
   skyline:
@@ -446,7 +452,7 @@ site:
     wave: 4
     # -- Chart version for Skyline
     # renovate: datasource=helm depName=skyline registryUrl=https://tarballs.opendev.org/openstack/openstack-helm
-    chartVersion: 2025.2.5+01c93d867
+    chartVersion: 2026.1.2+872fd69e7
 
   # -- Open vSwitch (Networking)
   openvswitch:
@@ -505,6 +511,12 @@ site:
     # @default -- false
     enabled: false
 
+  # -- OIDC RBAC (ClusterRoleBindings for OIDC service account issuer discovery)
+  oidc_rbac:
+    # -- Enable/disable deploying OIDC RBAC
+    # @default -- false
+    enabled: false
+
   # -- OpenEBS
   openebs:
     # -- Enable/disable deploying OpenEBS