Merge pull request #456 from sapcc/new-go-bits

go.mod

@@ -13,7 +13,6 @@ require (
 	github.com/gofrs/uuid/v5 v5.3.0
 	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/gophercloud/gophercloud/v2 v2.2.0
-	github.com/gophercloud/utils/v2 v2.0.0-20241107125844-da754bc75cd6
 	github.com/gorilla/mux v1.8.1
 	github.com/majewsky/schwift/v2 v2.0.0
 	github.com/opencontainers/go-digest v1.0.0
@@ -22,7 +21,7 @@ require (
 	github.com/redis/go-redis/v9 v9.7.0
 	github.com/rs/cors v1.11.1
 	github.com/sapcc/go-api-declarations v1.12.9
-	github.com/sapcc/go-bits v0.0.0-20241107000306-6eb1626e14d0
+	github.com/sapcc/go-bits v0.0.0-20241111142343-42fa891b5aae
 	github.com/spf13/cobra v1.8.1
 	github.com/timewasted/go-accept-headers v0.0.0-20130320203746-c78f304b1b09
 	go.uber.org/automaxprocs v1.6.0
@@ -45,7 +44,6 @@ require (
 	github.com/jpillora/longestcommon v0.0.0-20161227235612-adb9d91ee629 // indirect
 	github.com/klauspost/compress v1.17.9 // indirect
 	github.com/lib/pq v1.10.9 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/package-url/packageurl-go v0.1.3 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
@@ -61,6 +59,4 @@ require (
 	golang.org/x/text v0.20.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -85,8 +85,6 @@ github.com/google/go-containerregistry v0.20.2/go.mod h1:z38EKdKh4h7IP2gSfUUqEva
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/gophercloud/gophercloud/v2 v2.2.0 h1:STqqnSXuhcg1OPBOZ14z6JDm8fKIN13H2bJg6bBuHp8=
 github.com/gophercloud/gophercloud/v2 v2.2.0/go.mod h1:f2hMRC7Kakbv5vM7wSGHrIPZh6JZR60GVHryJlF/K44=
-github.com/gophercloud/utils/v2 v2.0.0-20241107125844-da754bc75cd6 h1:Vikb1i71pW5yb/ayp+Cw6Z3Wc+3NtT+ui/t4LyJl7dY=
-github.com/gophercloud/utils/v2 v2.0.0-20241107125844-da754bc75cd6/go.mod h1:9KHhEdDkA/4hTdwxS0sALJIp2hFSjrODlKMQcFU2GFw=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -108,12 +106,8 @@ github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ib
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
-github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
@@ -124,8 +118,6 @@ github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
-github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
@@ -179,17 +171,15 @@ github.com/rabbitmq/amqp091-go v1.10.0 h1:STpn5XsHlHGcecLmMFCtg7mqq0RnD+zFr4uzuk
 github.com/rabbitmq/amqp091-go v1.10.0/go.mod h1:Hy4jKW5kQART1u+JkDTF9YYOQUHXqMuhrgxOEeS7G4o=
 github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E=
 github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
 github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/samber/lo v1.47.0 h1:z7RynLwP5nbyRscyvcD043DWYoOcYRv3mV8lBeqOCLc=
 github.com/samber/lo v1.47.0/go.mod h1:RmDH9Ct32Qy3gduHQuKJ3gW1fMHAnE/fAzQuf6He5cU=
 github.com/sapcc/go-api-declarations v1.12.9 h1:4CWkt333oQxGnbka1TH4qApC0bxZe+WIBduygEcxiNw=
 github.com/sapcc/go-api-declarations v1.12.9/go.mod h1:83R3hTANhuRXt/pXDby37IJetw8l7DG41s33Tp9NXxI=
-github.com/sapcc/go-bits v0.0.0-20241107000306-6eb1626e14d0 h1:4dDWf8AxpL1FGLrAAsTSSX0K7wB9Zkti2WxTj6xvGzQ=
-github.com/sapcc/go-bits v0.0.0-20241107000306-6eb1626e14d0/go.mod h1:edzu9ZBNooNFNX1J70nkhV2cOibYvADvr4C39K0stbc=
+github.com/sapcc/go-bits v0.0.0-20241111142343-42fa891b5aae h1:35NZnnix3DricZDP0lCO9kziioZWJd3TPlIvFWYoUuc=
+github.com/sapcc/go-bits v0.0.0-20241111142343-42fa891b5aae/go.mod h1:P4F8aMHla5I0gRW+eOEYrhM89h3heEg0nypTZZcKoBQ=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
@@ -249,8 +239,6 @@ google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWn
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=

internal/api/keppel/accounts_test.go

@@ -2367,7 +2367,7 @@ func TestSecurityScanPoliciesHappyPath(t *testing.T) {
 
 	// update a policy managed by the current user -> same behavior
 	policy2New := deepCopyViaJSON(policy2)
-	policy2New["action"].(map[string]any)["severity"] = "Medium"
+	policy2New["action"].(map[string]any)["severity"] = "Medium" //nolint:errcheck
 	expectPoliciesToBeApplied(policy1New, policy2New)
 	s.Auditor.ExpectEvents(t,
 		expectedEventForPolicy("create/security-scan-policy", policy2New),

internal/api/keppel/manifests_test.go

@@ -195,7 +195,7 @@ func TestManifestsAPI(t *testing.T) {
 			{"name": "second", "pushed_at": 20003, "last_pulled_at": nil},
 		}
 		sort.Slice(renderedManifests, func(i, j int) bool {
-			return renderedManifests[i]["digest"].(digest.Digest) < renderedManifests[j]["digest"].(digest.Digest)
+			return renderedManifests[i]["digest"].(digest.Digest) < renderedManifests[j]["digest"].(digest.Digest) //nolint:errcheck
 		})
 
 		// test GET without pagination
@@ -227,7 +227,7 @@ func TestManifestsAPI(t *testing.T) {
 		}.Check(t, h)
 		assert.HTTPRequest{
 			Method:       "GET",
-			Path:         "/keppel/v1/accounts/test1/repositories/repo1-1/_manifests?limit=5&marker=" + renderedManifests[4]["digest"].(digest.Digest).String(),
+			Path:         "/keppel/v1/accounts/test1/repositories/repo1-1/_manifests?limit=5&marker=" + renderedManifests[4]["digest"].(digest.Digest).String(), //nolint:errcheck
 			Header:       map[string]string{"X-Test-Perms": "view:tenant1,pull:tenant1"},
 			ExpectStatus: http.StatusOK,
 			ExpectBody:   assert.JSONObject{"manifests": renderedManifests[5:10]},
@@ -241,7 +241,7 @@ func TestManifestsAPI(t *testing.T) {
 			}
 			assert.HTTPRequest{
 				Method:       "GET",
-				Path:         "/keppel/v1/accounts/test1/repositories/repo1-1/_manifests?limit=1&marker=" + renderedManifests[idx]["digest"].(digest.Digest).String(),
+				Path:         "/keppel/v1/accounts/test1/repositories/repo1-1/_manifests?limit=1&marker=" + renderedManifests[idx]["digest"].(digest.Digest).String(), //nolint:errcheck
 				Header:       map[string]string{"X-Test-Perms": "view:tenant1,pull:tenant1"},
 				ExpectStatus: http.StatusOK,
 				ExpectBody:   expectedBody,

internal/api/keppel/peers_test.go

@@ -47,7 +47,7 @@ func TestPeersAPI(t *testing.T) {
 		{"hostname": "keppel.example.org"},
 	}
 	for _, peer := range expectedPeers {
-		err := s.DB.Insert(&models.Peer{HostName: peer["hostname"].(string)})
+		err := s.DB.Insert(&models.Peer{HostName: peer["hostname"].(string)}) //nolint:errcheck
 		if err != nil {
 			t.Fatal(err)
 		}

internal/api/registry/manifests_test.go

@@ -559,7 +559,7 @@ func TestManifestRequiredLabels(t *testing.T) {
 		token := s.GetToken(t, "repository:test1/foo:pull,push")
 
 		image := test.GenerateImageWithCustomConfig(func(cfg map[string]any) {
-			cfg["config"].(map[string]any)["Labels"] = map[string]string{"foo": "is there", "bar": "is there"}
+			cfg["config"].(map[string]any)["Labels"] = map[string]string{"foo": "is there", "bar": "is there"} //nolint:errcheck
 		}, test.GenerateExampleLayer(1))
 		image.Config.MustUpload(t, s, fooRepoRef)
 		image.Layers[0].MustUpload(t, s, fooRepoRef)
@@ -621,7 +621,7 @@ func TestManifestRequiredLabels(t *testing.T) {
 		// upload another image with similar (but not identical) labels as
 		// preparation for the image list test below
 		otherImage := test.GenerateImageWithCustomConfig(func(cfg map[string]any) {
-			cfg["config"].(map[string]any)["Labels"] = map[string]string{"foo": "is there", "bar": "is different"}
+			cfg["config"].(map[string]any)["Labels"] = map[string]string{"foo": "is there", "bar": "is different"} //nolint:errcheck
 		}, image.Layers[0])
 		otherImage.MustUpload(t, s, fooRepoRef, "other")
 
@@ -699,7 +699,7 @@ func TestImageManifestCmdEntrypointAsString(t *testing.T) {
 
 		// generate an image that has strings as Entrypoint and Cmd
 		image := test.GenerateImageWithCustomConfig(func(cfg map[string]any) {
-			cfg["config"].(map[string]any)["Cmd"] = "/usr/bin/env bash"
+			cfg["config"].(map[string]any)["Cmd"] = "/usr/bin/env bash" //nolint:errcheck
 		}, test.GenerateExampleLayer(1))
 		image.MustUpload(t, s, fooRepoRef, "first")
 

internal/api/registry/replication_test.go

@@ -529,7 +529,7 @@ func TestReplicationFailingOverIntoPullDelegation(t *testing.T) {
 					return
 				}
 			}
-			http.DefaultTransport.(*test.RoundTripper).Handlers["registry-tertiary.example.org"] = http.HandlerFunc(tertiaryHandler)
+			http.DefaultTransport.(*test.RoundTripper).Handlers["registry-tertiary.example.org"] = http.HandlerFunc(tertiaryHandler) //nolint:errcheck
 
 			// reconfigure "test1" into an external replica of tertiary
 			for _, db := range []*keppel.DB{s1.DB, s2.DB} {

internal/api/registry/uploads.go

@@ -552,7 +552,7 @@ func (a *API) resumeUpload(ctx context.Context, account models.ReducedAccount, u
 		return nil, keppel.ErrBlobUploadInvalid.With("malformed session state")
 	}
 	hashWriter := sha256.New()
-	err = hashWriter.(encoding.BinaryUnmarshaler).UnmarshalBinary(stateBytes)
+	err = hashWriter.(encoding.BinaryUnmarshaler).UnmarshalBinary(stateBytes) //nolint:errcheck // sha256.New() implements this interface
 	if err != nil {
 		return nil, keppel.ErrBlobUploadInvalid.With("broken session state").WithStatus(http.StatusRequestedRangeNotSatisfiable)
 	}
@@ -566,7 +566,7 @@ func (a *API) resumeUpload(ctx context.Context, account models.ReducedAccount, u
 	// we need to unmarshal the digest state once more because taking a Sum over
 	// this hash may have altered the state
 	hashWriter = sha256.New()
-	err = hashWriter.(encoding.BinaryUnmarshaler).UnmarshalBinary(stateBytes)
+	err = hashWriter.(encoding.BinaryUnmarshaler).UnmarshalBinary(stateBytes) //nolint:errcheck // sha256.New() implements this interface
 	if err != nil {
 		//COVERAGE: This branch is defense in depth. We unmarshaled the same state
 		// above, so hitting an error just here should be impossible.
@@ -654,7 +654,7 @@ func (a *API) streamIntoUpload(ctx context.Context, account models.ReducedAccoun
 	// serialize digest state for next resumeUpload() - note that we do this
 	// BEFORE digest.NewDigest() because digest.NewDigest() may alter the
 	// internal state of `dw.Hash`
-	digestStateBytes, err := dw.Hash.(encoding.BinaryMarshaler).MarshalBinary()
+	digestStateBytes, err := dw.Hash.(encoding.BinaryMarshaler).MarshalBinary() //nolint:errcheck // sha256.New() implements this interface
 	if err != nil {
 		return "", err
 	}

internal/drivers/openstack/federation_swift.go

@@ -28,16 +28,14 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"os"
 	"reflect"
 	"sort"
 	"time"
 
-	"github.com/gophercloud/gophercloud/v2"
 	"github.com/gophercloud/gophercloud/v2/openstack"
-	"github.com/gophercloud/utils/v2/openstack/clientconfig"
 	"github.com/majewsky/schwift/v2"
 	"github.com/majewsky/schwift/v2/gopherschwift"
+	"github.com/sapcc/go-bits/gophercloudext"
 	"github.com/sapcc/go-bits/logg"
 	"github.com/sapcc/go-bits/osext"
 
@@ -65,22 +63,10 @@ func (fd *federationDriverSwift) Init(ctx context.Context, ad keppel.AuthDriver,
 }
 
 func initSwiftContainerConnection(ctx context.Context, envPrefix string) (*schwift.Container, error) {
-	// authenticate service user
-	ao, err := clientconfig.AuthOptions(&clientconfig.ClientOpts{EnvPrefix: envPrefix + "OS_"})
+	// connect to Swift
+	provider, eo, err := gophercloudext.NewProviderClient(ctx, &gophercloudext.ClientOpts{EnvPrefix: envPrefix + "OS_"})
 	if err != nil {
-		return nil, errors.New("cannot find OpenStack credentials for federation driver: " + err.Error())
-	}
-	ao.AllowReauth = true
-	provider, err := openstack.AuthenticatedClient(ctx, *ao)
-	if err != nil {
-		return nil, errors.New("cannot connect to OpenStack for federation driver: " + err.Error())
-	}
-
-	// find Swift endpoint
-	eo := gophercloud.EndpointOpts{
-		// note that empty values are acceptable in both fields
-		Region:       os.Getenv(envPrefix + "OS_REGION_NAME"),
-		Availability: gophercloud.Availability(os.Getenv(envPrefix + "OS_INTERFACE")),
+		return nil, err
 	}
 	swiftV1, err := openstack.NewObjectStorageV1(provider, eo)
 	if err != nil {

internal/drivers/openstack/keystone.go

@@ -40,10 +40,10 @@ import (
 	"github.com/gophercloud/gophercloud/v2"
 	"github.com/gophercloud/gophercloud/v2/openstack"
 	"github.com/gophercloud/gophercloud/v2/openstack/identity/v3/tokens"
-	"github.com/gophercloud/utils/v2/openstack/clientconfig"
 	"github.com/redis/go-redis/v9"
 	"github.com/sapcc/go-bits/audittools"
 	"github.com/sapcc/go-bits/errext"
+	"github.com/sapcc/go-bits/gophercloudext"
 	"github.com/sapcc/go-bits/gopherpolicy"
 	"github.com/sapcc/go-bits/logg"
 	"github.com/sapcc/go-bits/osext"
@@ -53,6 +53,7 @@ import (
 
 type keystoneDriver struct {
 	Provider       *gophercloud.ProviderClient
+	EndpointOpts   gophercloud.EndpointOpts
 	IdentityV3     *gophercloud.ServiceClient
 	TokenValidator *gopherpolicy.TokenValidator
 	IsRelevantRole map[string]bool
@@ -69,33 +70,21 @@ func (d *keystoneDriver) PluginTypeID() string {
 }
 
 // Init implements the keppel.AuthDriver interface.
-func (d *keystoneDriver) Init(ctx context.Context, rc *redis.Client) error {
+func (d *keystoneDriver) Init(ctx context.Context, rc *redis.Client) (err error) {
 	// authenticate service user
-	ao, err := clientconfig.AuthOptions(nil)
+	d.Provider, d.EndpointOpts, err = gophercloudext.NewProviderClient(ctx, nil)
 	if err != nil {
-		return errors.New("cannot find OpenStack credentials: " + err.Error())
-	}
-	ao.AllowReauth = true
-	d.Provider, err = openstack.AuthenticatedClient(ctx, *ao)
-	if err != nil {
-		return errors.New("cannot connect to OpenStack: " + err.Error())
-	}
-
-	// find Identity V3 endpoint
-	eo := gophercloud.EndpointOpts{
-		// note that empty values are acceptable in both fields
-		Region:       os.Getenv("OS_REGION_NAME"),
-		Availability: gophercloud.Availability(os.Getenv("OS_INTERFACE")),
+		return err
 	}
-	d.IdentityV3, err = openstack.NewIdentityV3(d.Provider, eo)
+	d.IdentityV3, err = openstack.NewIdentityV3(d.Provider, d.EndpointOpts)
 	if err != nil {
 		return errors.New("cannot find Keystone V3 API: " + err.Error())
 	}
 
 	// load oslo.policy
 	d.TokenValidator = &gopherpolicy.TokenValidator{IdentityV3: d.IdentityV3}
 	policyFilePath := osext.MustGetenv("KEPPEL_OSLO_POLICY_PATH")
-	err = d.TokenValidator.LoadPolicyFile(policyFilePath)
+	err = d.TokenValidator.LoadPolicyFile(policyFilePath, nil)
 	if err != nil {
 		return err
 	}

internal/drivers/openstack/keystone_client.go

@@ -28,10 +28,9 @@ import (
 	"strings"
 
 	"github.com/gophercloud/gophercloud/v2"
-	"github.com/gophercloud/gophercloud/v2/openstack"
 	"github.com/gophercloud/gophercloud/v2/openstack/identity/v3/tokens"
-	"github.com/gophercloud/utils/v2/openstack/clientconfig"
 
+	"github.com/sapcc/go-bits/gophercloudext"
 	"github.com/sapcc/keppel/internal/client"
 )
 
@@ -55,20 +54,16 @@ func (d *keystoneClientDriver) MatchesEnvironment() bool {
 
 // Connect implements the client.AuthDriver interface.
 func (d *keystoneClientDriver) Connect(ctx context.Context) error {
-	ao, err := clientconfig.AuthOptions(nil)
-	if err != nil {
-		return errors.New("cannot find OpenStack credentials: " + err.Error())
-	}
-	ao.AllowReauth = true
-	provider, err := openstack.AuthenticatedClient(ctx, *ao)
-	if err != nil {
-		return errors.New("cannot connect to OpenStack: " + err.Error())
-	}
+	var ao gophercloud.AuthOptions
 
-	eo := gophercloud.EndpointOpts{
-		// note that empty values are acceptable in both fields
-		Region:       os.Getenv("OS_REGION_NAME"),
-		Availability: gophercloud.Availability(os.Getenv("OS_INTERFACE")),
+	provider, eo, err := gophercloudext.NewProviderClient(ctx, &gophercloudext.ClientOpts{
+		CustomizeAuthOptions: func(opts *gophercloud.AuthOptions) {
+			// we don't customize anything, but we need a copy for the logic below
+			ao = *opts
+		},
+	})
+	if err != nil {
+		return err
 	}
 	eo.ApplyDefaults("keppel")
 	endpointURL, err := provider.EndpointLocator(eo)

internal/drivers/openstack/swift.go

@@ -28,13 +28,11 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"os"
 	"regexp"
 	"strconv"
 	"sync"
 	"time"
 
-	"github.com/gophercloud/gophercloud/v2"
 	"github.com/gophercloud/gophercloud/v2/openstack"
 	"github.com/majewsky/schwift/v2"
 	"github.com/majewsky/schwift/v2/gopherschwift"
@@ -71,12 +69,7 @@ func (d *swiftDriver) Init(ad keppel.AuthDriver, cfg keppel.Configuration) error
 		return keppel.ErrAuthDriverMismatch
 	}
 
-	eo := gophercloud.EndpointOpts{
-		// note that empty values are acceptable in both fields
-		Region:       os.Getenv("OS_REGION_NAME"),
-		Availability: gophercloud.Availability(os.Getenv("OS_INTERFACE")),
-	}
-	client, err := openstack.NewObjectStorageV1(k.Provider, eo)
+	client, err := openstack.NewObjectStorageV1(k.Provider, k.EndpointOpts)
 	if err != nil {
 		return err
 	}