From 82208812ee0c47a7a31f6bbb2f09f4fd2728dfab Mon Sep 17 00:00:00 2001 
From: Martin Schuppert Date: Wed, 8 Jan 2025 15:57:44 +0100 Subject: [PATCH] Allow customize http vhost config using HttpdCustomization.CustomServiceConfigSecret This change allows to customize the httpd vhost config using this parameter to specify a secret that contains service config data. The content of each provided snippet gets rendered as a go template and placed into /etc/httpd/conf/httpd_custom__ . At the end of the vhost config in the default httpd template these custom configs get included using `Include conf/httpd_custom__*`. For information on how sections in httpd configuration get merged, check section "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging All possible parameters which can be use in a template can be looked up in the -config-data secret of the service like: $ oc get secret -n openstack keystone-config-data -o json | jq -r .data.templatingParameters | base64 -d or in the running pod of the service in the file: $ cat /var/lib/config-data/default/templatingParameters The content is a versioned dump of the parameters of the service operator, like: ~~~ v1: DatabaseConnection: mysql+pymysql://user:pwd@openstack.openstack.svc/keystone?read_default_file=/etc/my.cnf KeystoneEndpointInternal: https://keystone-internal.openstack.svc:5000 KeystoneEndpointPublic: https://keystone-public-openstack.apps-crc.testing ProcessNumber: 3 TransportURL: rabbit://user:pwd@rabbitmq.openstack.svc:5671/?ssl=1 VHosts: internal: Override: false SSLCertificateFile: /etc/pki/tls/certs/internal.crt SSLCertificateKeyFile: /etc/pki/tls/private/internal.key ServerName: keystone-internal.openstack.svc TLS: true public: Override: false SSLCertificateFile: /etc/pki/tls/certs/public.crt SSLCertificateKeyFile: /etc/pki/tls/private/public.key ServerName: keystone-public.openstack.svc TLS: true enableSecureRBAC: true fernetMaxActiveKeys: 5 memcachedServers: memcached-0.memcached.openstack.svc:11212 memcachedServersWithInet: 
inet:[memcached-0.memcached.openstack.svc]:11211 memcachedTLS: true ~~~ Depends-On: https://github.com/openstack-k8s-operators/lib-common/pull/591 Signed-off-by: Martin Schuppert --- .../keystone.openstack.org_keystoneapis.yaml | 10 +++ api/go.mod | 2 +- api/go.sum | 4 +- api/v1beta1/keystoneapi_types.go | 10 +++ api/v1beta1/zz_generated.deepcopy.go | 5 ++ .../keystone.openstack.org_keystoneapis.yaml | 10 +++ controllers/keystoneapi_controller.go | 77 +++++++++++++++---- go.mod | 2 +- go.sum | 4 +- templates/keystoneapi/config/httpd.conf | 9 ++- .../config/keystone-api-config.json | 11 ++- templates/keystoneapi/config/keystone.conf | 20 ++--- .../functional/keystoneapi_controller_test.go | 70 +++++++++++++++++ 13 files changed, 199 insertions(+), 35 deletions(-) diff --git a/api/bases/keystone.openstack.org_keystoneapis.yaml b/api/bases/keystone.openstack.org_keystoneapis.yaml index d5becf78..602f4311 100644 --- a/api/bases/keystone.openstack.org_keystoneapis.yaml +++ b/api/bases/keystone.openstack.org_keystoneapis.yaml @@ -115,6 +115,16 @@ spec: httpdCustomization: description: HttpdCustomization - customize the httpd service properties: + customServiceConfigSecret: + description: |- + CustomServiceConfigSecret - customize the httpd vhost config using this parameter to specify + a secret that contains service config data. The content of each provided snippet gets + rendered as a go template and placed into /etc/httpd/conf/httpd_custom_ . + In the default httpd template at the end of the vhost those custom configs get + included using `Include conf/httpd_custom__*`. + For information on how sections in httpd configuration get merged, check section + "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging + type: string processNumber: default: 3 description: ProcessNumber - Number of processes running in keystone diff --git a/api/go.mod b/api/go.mod index ec8cdab9..b8a7f139 100644 --- a/api/go.mod +++ b/api/go.mod 
@@ -7,7 +7,7 @@ require ( github.com/google/uuid v1.6.0 github.com/gophercloud/gophercloud v1.14.1 github.com/onsi/gomega v1.34.1 - github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e + github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250113155806-c6542cc4eb2b github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241216113837-d172b3ac0f4e golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 diff --git a/api/go.sum b/api/go.sum index d34a372c..e308dad9 100644 --- a/api/go.sum +++ b/api/go.sum 
@@ -80,8 +80,8 @@ github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094 h1:J1wuGhVxpsHykZBa6Beb1gQ96Ptej9AE/BvwCBiRj1E= github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4= -github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e h1:hf4kVQBkyG79WcHBxdQ25QrDBbGFdarebS1Tc0Xclq4= -github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs= +github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250113155806-c6542cc4eb2b h1:laxu7pBlpo+lHdRn/XPqxfLGfSW77nnzdOwIBrO4BkI= +github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250113155806-c6542cc4eb2b/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e h1:HFo4OqPY0x4ZQeaWI2YGonTXAGTQFt+rOEJlfZVhS7s= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:IASoGvp5QM/tBJUd/8i8uIjj4DBnI+64Ydh4r7pmnvA= github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241216113837-d172b3ac0f4e h1:/iWDp3j+ET3gE5IjKHtdZaPd4SQyLHB/4L5jB16cV3I= diff --git a/api/v1beta1/keystoneapi_types.go b/api/v1beta1/keystoneapi_types.go index 0be3e508..ab444550 100644 --- a/api/v1beta1/keystoneapi_types.go +++ b/api/v1beta1/keystoneapi_types.go 
@@ -217,6 +217,16 @@ type HttpdCustomization struct { // +kubebuilder:validation:Minimum=1 // ProcessNumber - Number of processes running in keystone API ProcessNumber *int32 `json:"processNumber"` + + // +kubebuilder:validation:Optional + // CustomServiceConfigSecret - customize the httpd vhost config using this parameter to specify + // a secret that contains service config data. The content of each provided snippet gets + // rendered as a go template and placed into /etc/httpd/conf/httpd_custom_ . + // In the default httpd template at the end of the vhost those custom configs get + // included using `Include conf/httpd_custom__*`. + // For information on how sections in httpd configuration get merged, check section + // "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging + CustomServiceConfigSecret *string `json:"customServiceConfigSecret,omitempty"` } // KeystoneAPIStatus defines the observed state of KeystoneAPI diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 6f1a04b2..44bdb3e5 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -56,6 +56,11 @@ func (in *HttpdCustomization) DeepCopyInto(out *HttpdCustomization) { *out = new(int32) **out = **in } + if in.CustomServiceConfigSecret != nil { + in, out := &in.CustomServiceConfigSecret, &out.CustomServiceConfigSecret + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HttpdCustomization. diff --git a/config/crd/bases/keystone.openstack.org_keystoneapis.yaml b/config/crd/bases/keystone.openstack.org_keystoneapis.yaml index d5becf78..602f4311 100644 --- a/config/crd/bases/keystone.openstack.org_keystoneapis.yaml +++ b/config/crd/bases/keystone.openstack.org_keystoneapis.yaml 
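Review bot: The new doc comment on CustomServiceConfigSecret does not tell snippet authors that the templating parameters include credential-bearing values — the commit message's own dump shows DatabaseConnection and TransportURL carrying user:pwd@ URLs — and a snippet that renders those ends up in an httpd config file inside the pod. Add a sentence such as `// Note: the available parameters include DatabaseConnection and TransportURL, which embed credentials; do not render them into httpd config.` The file-name patterns in `httpd_custom_ .` and `httpd_custom__*` also read as if the endpoint and key names were dropped; if the source uses angle-bracket placeholders they survived neither here nor in the CRD description, so a form like `httpd_custom_ENDPOINT_KEY` would render reliably everywhere. The HttpdCustomization struct header is outside the hunk.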
@@ -115,6 +115,16 @@ spec: httpdCustomization: description: HttpdCustomization - customize the httpd service properties: + customServiceConfigSecret: + description: |- + CustomServiceConfigSecret - customize the httpd vhost config using this parameter to specify + a secret that contains service config data. The content of each provided snippet gets + rendered as a go template and placed into /etc/httpd/conf/httpd_custom_ . + In the default httpd template at the end of the vhost those custom configs get + included using `Include conf/httpd_custom__*`. + For information on how sections in httpd configuration get merged, check section + "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging + type: string processNumber: default: 3 description: ProcessNumber - Number of processes running in keystone diff --git a/controllers/keystoneapi_controller.go b/controllers/keystoneapi_controller.go index 60b2c8b7..b32e22d3 100644 --- a/controllers/keystoneapi_controller.go +++ b/controllers/keystoneapi_controller.go @@ -233,10 +233,11 @@ func (r *KeystoneAPIReconciler) Reconcile(ctx context.Context, req ctrl.Request) // fields to index to reconcile when change const ( - passwordSecretField = ".spec.secret" - caBundleSecretNameField = ".spec.tls.caBundleSecretName" - tlsAPIInternalField = ".spec.tls.api.internal.secretName" - tlsAPIPublicField = ".spec.tls.api.public.secretName" + passwordSecretField = ".spec.secret" + caBundleSecretNameField = ".spec.tls.caBundleSecretName" + tlsAPIInternalField = ".spec.tls.api.internal.secretName" + tlsAPIPublicField = ".spec.tls.api.public.secretName" + httpdCustomServiceConfigSecretField = ".spec.httpdCustomization.customServiceConfigSecret" ) var allWatchFields = []string{ @@ -244,6 +245,7 @@ var allWatchFields = []string{ caBundleSecretNameField, tlsAPIInternalField, tlsAPIPublicField, + httpdCustomServiceConfigSecretField, } // SetupWithManager - 
@@ -298,6 +300,18 @@ func (r *KeystoneAPIReconciler) SetupWithManager(ctx context.Context, mgr ctrl.M
 return err
 }
 
+ // index httpdOverrideSecretField
+ if err := mgr.GetFieldIndexer().IndexField(context.Background(), &keystonev1.KeystoneAPI{}, httpdCustomServiceConfigSecretField, func(rawObj client.Object) []string {
+ // Extract the secret name from the spec, if one is provided
+ cr := rawObj.(*keystonev1.KeystoneAPI)
+ if cr.Spec.HttpdCustomization.CustomServiceConfigSecret == nil {
+ return nil
+ }
+ return []string{*cr.Spec.HttpdCustomization.CustomServiceConfigSecret}
+ }); err != nil {
+ return err
+ }
+
 memcachedFn := func(ctx context.Context, o client.Object) []reconcile.Request {
 result := []reconcile.Request{}
 
@@ -1185,7 +1199,7 @@ func (r *KeystoneAPIReconciler) generateServiceConfigMaps(
 databaseAccount := db.GetAccount()
 dbSecret := db.GetSecret()
 
- templateParameters := map[string]interface{}{
+ v1 := map[string]interface{}{
 "memcachedServers": mc.GetMemcachedServerListString(),
 "memcachedServersWithInet": mc.GetMemcachedServerListWithInetString(),
 "memcachedTLS": mc.GetMemcachedTLSSupport(),
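Review bot: The comment `// index httpdOverrideSecretField` names a constant that does not exist; the field being indexed is `httpdCustomServiceConfigSecretField`, so the comment should read `// index httpdCustomServiceConfigSecretField`. The indexer is registered with `context.Background()` although SetupWithManager receives `ctx` (visible in the hunk header); pass `ctx` so the registration is tied to the manager's lifetime, unless the sibling indexers above the hunk deliberately use `context.Background()`, in which case keep them consistent and change them together. SetupWithManager continues outside the hunk.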
@@ -1201,7 +1215,19 @@ func (r *KeystoneAPIReconciler) generateServiceConfigMaps(
 "fernetMaxActiveKeys": instance.Spec.FernetMaxActiveKeys,
 }
 
+ v1["KeystoneEndpointPublic"], _ = instance.GetEndpoint(endpoint.EndpointPublic)
+ v1["KeystoneEndpointInternal"], _ = instance.GetEndpoint(endpoint.EndpointInternal)
+
+ httpdOverrideSecret := &corev1.Secret{}
+ if instance.Spec.HttpdCustomization.CustomServiceConfigSecret != nil && *instance.Spec.HttpdCustomization.CustomServiceConfigSecret != "" {
+ httpdOverrideSecret, _, err = oko_secret.GetSecret(ctx, h, *instance.Spec.HttpdCustomization.CustomServiceConfigSecret, instance.Namespace)
+ if err != nil {
+ return err
+ }
+ }
+
 // create httpd vhost template parameters
+ customTemplates := map[string]string{}
 httpdVhostConfig := map[string]interface{}{}
 for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {
 endptConfig := map[string]interface{}{}
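Review bot: `v1["KeystoneEndpointPublic"], _ = instance.GetEndpoint(endpoint.EndpointPublic)` (and the internal line below it) discards the error, so when the endpoint is not yet recorded the key is set to an empty string and a snippet such as the test's `OIDCRedirectURI "{{ .v1.KeystoneEndpointPublic }}/..."` renders silently with an empty URL. Either return the error, or set the key only on success so a template can guard with `index .v1 "KeystoneEndpointPublic"` the way keystone.conf already does for TransportURL. The `oko_secret.GetSecret` error is returned bare; the reconciler's other secret inputs are not visible in the hunk, but if they report a condition when the referenced secret is missing this lookup should do the same so an operator can see why the config is not rendered (the new field index will re-trigger reconcile once the secret appears). generateServiceConfigMaps continues outside the hunk.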
@@ -1212,10 +1238,30 @@ func (r *KeystoneAPIReconciler) generateServiceConfigMaps(
 endptConfig["SSLCertificateFile"] = fmt.Sprintf("/etc/pki/tls/certs/%s.crt", endpt.String())
 endptConfig["SSLCertificateKeyFile"] = fmt.Sprintf("/etc/pki/tls/private/%s.key", endpt.String())
 }
+
+ endptConfig["Override"] = false
+ if len(httpdOverrideSecret.Data) > 0 {
+ endptConfig["Override"] = true
+ for key, data := range httpdOverrideSecret.Data {
+ if len(data) > 0 {
+ customTemplates["httpd_custom_"+endpt.String()+"_"+key] = string(data)
+ }
+ }
+ }
 httpdVhostConfig[endpt.String()] = endptConfig
 }
- templateParameters["VHosts"] = httpdVhostConfig
- templateParameters["TimeOut"] = instance.Spec.APITimeout
+ v1["VHosts"] = httpdVhostConfig
+ v1["TimeOut"] = instance.Spec.APITimeout
+
+ templateParameters := make(map[string]interface{})
+ templateParameters["v1"] = v1
+
+ // Marshal the templateParameters map to YAML
+ yamlData, err := yaml.Marshal(templateParameters)
+ if err != nil {
+ return fmt.Errorf("Error marshalling to YAML: %w", err)
+ }
+ customData["templatingParameters"] = string(yamlData)
 
 tmpl := []util.Template{
 // Scripts
@@ -1228,13 +1274,14 @@ func (r *KeystoneAPIReconciler) generateServiceConfigMaps(
 },
 // Configs
 {
- Name: fmt.Sprintf("%s-config-data", instance.Name),
- Namespace: instance.Namespace,
- Type: util.TemplateTypeConfig,
- InstanceType: instance.Kind,
- CustomData: customData,
- ConfigOptions: templateParameters,
- Labels: cmLabels,
+ Name: fmt.Sprintf("%s-config-data", instance.Name),
+ Namespace: instance.Namespace,
+ Type: util.TemplateTypeConfig,
+ InstanceType: instance.Kind,
+ StringTemplate: customTemplates,
+ CustomData: customData,
+ ConfigOptions: templateParameters,
+ Labels: cmLabels,
 },
 }
 return oko_secret.EnsureSecrets(ctx, h, instance, tmpl, envVars)
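Review bot: The snippet keys are built as `"httpd_custom_"+endpt.String()+"_"+key` here (and asserted as `httpd_custom_internal_bar.conf` in the test hunk), but the httpd.conf hunk includes `conf/httpd_override_{{ $endpt }}_*` and the keystone-api-config.json hunk copies `/var/lib/config-data/default/httpd_override_*`, so the rendered snippets are neither copied into the pod nor included; pick one prefix (the API doc and the test use `httpd_custom_`) and align those two template hunks with it. `endptConfig["Override"] = true` is also set whenever the secret has any key, even when every value is empty and no template is registered, which leaves the vhost including a glob that matches no file. Setting the flag only when a snippet was actually added avoids that, as below. Each key is rendered once per vhost, so a snippet cannot target only the public or only the internal vhost; that is acceptable but worth stating in the field's documentation. generateServiceConfigMaps continues outside the hunk.
```go
			endptConfig["Override"] = false
			for key, data := range httpdOverrideSecret.Data {
				if len(data) == 0 {
					continue
				}
				customTemplates["httpd_custom_"+endpt.String()+"_"+key] = string(data)
				// advertise the include only when a snippet was really rendered
				endptConfig["Override"] = true
			}
			// … unchanged: httpdVhostConfig[endpt.String()] = endptConfig …
```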
@@ -1294,7 +1341,7 @@ func (r *KeystoneAPIReconciler) reconcileCloudConfig(
 Name: instance.Spec.Secret,
 Namespace: instance.Namespace,
 },
- Type: "Opaque",
+ Type: corev1.SecretTypeOpaque,
 }
 
 err = r.Client.Get(ctx, types.NamespacedName{Name: keystoneSecret.Name, Namespace: instance.Namespace}, keystoneSecret)
diff --git a/go.mod b/go.mod
index 7008c8f8..7b5c72a3 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 github.com/onsi/gomega v1.34.1
 github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241217075239-1fc4566cc5ab
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240213125925-e40975f3db7e
- github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e
+ github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250113155806-c6542cc4eb2b
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e
 github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241216113837-d172b3ac0f4e
 github.com/openstack-k8s-operators/mariadb-operator/api v0.5.0
diff --git a/go.sum b/go.sum
index 9270d6c7..1588fe24 100644
--- a/go.sum
+++ b/go.sum
@@ -80,8 +80,8 @@ github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094 h1:J1wuGhVxpsHykZBa6 github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4= github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241217075239-1fc4566cc5ab h1:Pm9zQyhrs/zGAk9jvyt0hSBP28aHsFdWyI99M/lvFxU= github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241217075239-1fc4566cc5ab/go.mod h1:SSYBbFbgQbOwyY2cQNet7fSdQHHPb2rLo6GXE97Awp8= -github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e h1:hf4kVQBkyG79WcHBxdQ25QrDBbGFdarebS1Tc0Xclq4= -github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs= +github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250113155806-c6542cc4eb2b h1:laxu7pBlpo+lHdRn/XPqxfLGfSW77nnzdOwIBrO4BkI= +github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250113155806-c6542cc4eb2b/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e h1:HFo4OqPY0x4ZQeaWI2YGonTXAGTQFt+rOEJlfZVhS7s= github.com/openstack-k8s-operators/lib-common/modules/openstack v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:IASoGvp5QM/tBJUd/8i8uIjj4DBnI+64Ydh4r7pmnvA= github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241216113837-d172b3ac0f4e h1:/iWDp3j+ET3gE5IjKHtdZaPd4SQyLHB/4L5jB16cV3I= diff --git a/templates/keystoneapi/config/httpd.conf b/templates/keystoneapi/config/httpd.conf index 8a023700..741a7222 100644 --- a/templates/keystoneapi/config/httpd.conf +++ b/templates/keystoneapi/config/httpd.conf 
@@ -22,7 +22,7 @@ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded CustomLog /dev/stdout combined env=!forwarded CustomLog /dev/stdout proxy env=forwarded -{{ range $endpt, $vhost := .VHosts }} +{{ range $endpt, $vhost := .v1.VHosts }} # {{ $endpt }} vhost {{ $vhost.ServerName }} configuration ServerName {{ $vhost.ServerName }} @@ -54,9 +54,14 @@ CustomLog /dev/stdout proxy env=forwarded ## WSGI configuration WSGIApplicationGroup %{GLOBAL} - WSGIDaemonProcess {{ $endpt }} display-name={{ $endpt }} group=keystone processes={{ $.ProcessNumber }} threads=1 user=keystone + WSGIDaemonProcess {{ $endpt }} display-name={{ $endpt }} group=keystone processes={{ $.v1.ProcessNumber }} threads=1 user=keystone WSGIProcessGroup {{ $endpt }} WSGIScriptAlias / "/usr/bin/keystone-wsgi-public" WSGIPassAuthorization On + +{{- if $vhost.Override }} + Include conf/httpd_override_{{ $endpt }}_* +{{- end }} + {{ end }} diff --git a/templates/keystoneapi/config/keystone-api-config.json b/templates/keystoneapi/config/keystone-api-config.json index 8b255455..e0f5689b 100644 --- a/templates/keystoneapi/config/keystone-api-config.json +++ b/templates/keystoneapi/config/keystone-api-config.json @@ -16,13 +16,13 @@ { "source": "/var/lib/config-data/default/httpd.conf", "dest": "/etc/httpd/conf/httpd.conf", - "owner": "root", + "owner": "apache", "perm": "0644" }, { "source": "/var/lib/config-data/default/ssl.conf", "dest": "/etc/httpd/conf.d/ssl.conf", - "owner": "root", + "owner": "apache", "perm": "0644" }, { @@ -58,6 +58,13 @@ "dest": "/etc/my.cnf", "owner": "keystone", "perm": "0644" + }, + { + "source": "/var/lib/config-data/default/httpd_override_*", + "dest": "/etc/httpd/conf/", + "owner": "apache", + "perm": "0444", + "optional": true } ] } diff --git a/templates/keystoneapi/config/keystone.conf b/templates/keystoneapi/config/keystone.conf index f2a2165b..1c660e4e 100644 --- a/templates/keystoneapi/config/keystone.conf +++ b/templates/keystoneapi/config/keystone.conf 
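Review bot: `Include conf/httpd_override_{{ $endpt }}_*` makes httpd refuse to start when the glob matches no file (Include has rejected non-matching wildcards since 2.3.6), and the kolla entry that copies these files is marked optional, so an Override flag without a file — or the prefix mismatch with the controller — turns into a crash-looping pod rather than a no-op. Use `IncludeOptional conf/httpd_override_{{ $endpt }}_*` inside the `{{- if $vhost.Override }}` block so a missing snippet is tolerated. The VirtualHost block's opening and closing lines are not visible in this extract, so where exactly the include lands relative to them cannot be confirmed here.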
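Review bot: Changing the owner of httpd.conf and ssl.conf from `root` to `apache` makes the web server's main configuration writable by the user its worker processes run as (the files stay `0644`, and an owner can also chmod the new `0444` override files), which gives up the property that a compromised httpd cannot rewrite its own config, and the commit message does not say why it is needed. If the goal is only that apache can read them, root ownership with `0644` already provides that; keep `"owner": "root"` for both entries unless the config-copying tooling requires the runtime user to own them, in which case state the reason in the commit. The new `httpd_override_*` entry with `"optional": true` is the right shape for files that may be absent.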
@@ -2,32 +2,32 @@ use_stderr=true [cache] -{{if .memcachedTLS}} +{{if .v1.memcachedTLS}} backend = dogpile.cache.pymemcache -memcache_servers={{ .memcachedServers }} +memcache_servers={{ .v1.memcachedServers }} {{else}} backend = dogpile.cache.memcached -memcache_servers={{ .memcachedServersWithInet }} +memcache_servers={{ .v1.memcachedServersWithInet }} {{end}} enabled=true -tls_enabled={{ .memcachedTLS }} +tls_enabled={{ .v1.memcachedTLS }} [database] max_retries=-1 db_max_retries=-1 -connection={{ .DatabaseConnection }} +connection={{ .v1.DatabaseConnection }} [oslo_policy] -enforce_new_defaults = {{ .enableSecureRBAC }} -enforce_scope = {{ .enableSecureRBAC }} +enforce_new_defaults = {{ .v1.enableSecureRBAC }} +enforce_scope = {{ .v1.enableSecureRBAC }} [fernet_tokens] key_repository=/etc/keystone/fernet-keys -max_active_keys={{ .fernetMaxActiveKeys }} +max_active_keys={{ .v1.fernetMaxActiveKeys }} -{{ if (index . "TransportURL") }} +{{ if (index .v1 "TransportURL") }} [oslo_messaging_notifications] driver=messagingv2 -transport_url={{ .TransportURL }} +transport_url={{ .v1.TransportURL }} topics = barbican_notifications {{ end }} diff --git a/tests/functional/keystoneapi_controller_test.go b/tests/functional/keystoneapi_controller_test.go index a9d9f8ca..7573c9d1 100644 --- a/tests/functional/keystoneapi_controller_test.go +++ b/tests/functional/keystoneapi_controller_test.go 
@@ -1568,6 +1568,76 @@ var _ = Describe("Keystone controller", func() { }) }) + When("A KeystoneAPI is created with HttpdCustomization.OverrideSecret", func() { + BeforeEach(func() { + customServiceConfigSecretName := types.NamespacedName{Name: "foo", Namespace: namespace} + customConfig := []byte(`OIDCResponseType "id_token" +OIDCMemCacheServers "{{ .v1.memcachedServers }}" +OIDCRedirectURI "{{ .v1.KeystoneEndpointPublic }}/v3/auth/OS-FEDERATION/websso/openid"`) + th.CreateSecret( + customServiceConfigSecretName, + map[string][]byte{ + "bar.conf": customConfig, + }, + ) + + spec := GetDefaultKeystoneAPISpec() + spec["httpdCustomization"] = map[string]interface{}{ + "customServiceConfigSecret": customServiceConfigSecretName.Name, + } + + DeferCleanup( + k8sClient.Delete, ctx, CreateKeystoneMessageBusSecret(namespace, "rabbitmq-secret")) + keystone := CreateKeystoneAPI(keystoneAPIName, spec) + DeferCleanup(th.DeleteInstance, keystone) + DeferCleanup( + k8sClient.Delete, ctx, CreateKeystoneAPISecret(namespace, SecretName)) + DeferCleanup(infra.DeleteMemcached, infra.CreateMemcached(namespace, "memcached", memcachedSpec)) + DeferCleanup( + mariadb.DeleteDBService, + mariadb.CreateDBService( + namespace, + GetKeystoneAPI(keystoneAPIName).Spec.DatabaseInstance, + corev1.ServiceSpec{ + Ports: []corev1.ServicePort{{Port: 3306}}, + }, + ), + ) + mariadb.SimulateMariaDBAccountCompleted(keystoneAccountName) + mariadb.SimulateMariaDBDatabaseCompleted(keystoneDatabaseName) + infra.SimulateTransportURLReady(types.NamespacedName{ + Name: fmt.Sprintf("%s-keystone-transport", keystoneAPIName.Name), + Namespace: namespace, + }) + infra.SimulateMemcachedReady(types.NamespacedName{ + Name: "memcached", + Namespace: namespace, + }) + th.SimulateJobSuccess(dbSyncJobName) + th.SimulateJobSuccess(bootstrapJobName) + th.SimulateDeploymentReplicaReady(deploymentName) + }) + + It("it renders the overrideTemplate and adds it to the keystone-config-data secret", func() { + scrt := 
th.GetSecret(keystoneAPIConfigDataName) + Expect(scrt).ShouldNot(BeNil()) + Expect(scrt.Data).Should(HaveKey("templatingParameters")) + configData := string(scrt.Data["templatingParameters"]) + memcachedServers := fmt.Sprintf("memcached-0.memcached.%s.svc:11211,memcached-1.memcached.%s.svc:11211,memcached-2.memcached.%s.svc:11211", + namespace, namespace, namespace) + Expect(configData).Should(ContainSubstring(fmt.Sprintf("memcachedServers: %s", memcachedServers))) + + for _, cfg := range []string{"httpd_custom_internal_bar.conf", "httpd_custom_public_bar.conf"} { + Expect(scrt.Data).Should(HaveKey(cfg)) + configData := string(scrt.Data[cfg]) + Expect(configData).Should(ContainSubstring("OIDCResponseType \"id_token\"")) + Expect(configData).Should(ContainSubstring(fmt.Sprintf("OIDCMemCacheServers \"%s\"", memcachedServers))) + Expect(configData).Should(ContainSubstring( + fmt.Sprintf("OIDCRedirectURI \"http://keystone-public.%s.svc:5000/v3/auth/OS-FEDERATION/websso/openid\"", namespace))) + } + }) + }) + // Run MariaDBAccount suite tests. these are pre-packaged ginkgo tests // that exercise standard account create / update patterns that should be // common to all controllers that ensure MariaDBAccount CRs.
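Review bot: The new test checks that the rendered snippets land in the keystone-config-data secret but never checks that httpd.conf references them, so the mismatch between the `httpd_custom_` keys asserted here and the `httpd_override_` names used in the httpd.conf and kolla config hunks passes CI; add an assertion that `string(scrt.Data["httpd.conf"])` contains the Include line for the internal and public snippets, and that the kolla config json copies the same prefix. The `When` title says `HttpdCustomization.OverrideSecret` and the `It` says `overrideTemplate`, while the field under test is `CustomServiceConfigSecret`; rename both to match the API. The expected `http://keystone-public.%s.svc:5000` URL also assumes the public endpoint is recorded before config generation; if that ordering is not guaranteed, the discarded GetEndpoint error in the controller would make this assertion flaky rather than fail loudly.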