Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow customize http vhost config using HttpdCustomization.CustomConfigSecret #525

Merged
merged 1 commit into from
Jan 20, 2025
Merged

Allow customize http vhost config using HttpdCustomization.CustomConfigSecret #525

merged 1 commit into from
Jan 20, 2025
+194 −32

Conversation

stuggi
Copy link
Contributor

@stuggi stuggi commented Jan 10, 2025
edited
Loading

This change allows to customize the httpd vhost config using this parameter to specify a secret that contains service config data. The content of each provided snippet gets rendered as a go template and placed into
/etc/httpd/conf/httpd_custom_<endpoint>_<key> .
At the end of the vhost config in the default httpd template these custom configs get included using Include conf/httpd_custom_<endpoint>_*.

For information on how sections in httpd configuration get merged, check section "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging

All possible parameters which can be use in a template can be looked up in the <service>-config-data secret of the service like:

$ oc get secret -n openstack keystone-config-data -o json | jq -r .data.TemplatingParameters | base64 -d

or in the running pod of the service in the file:

$ cat /var/lib/config-data/default/templatingParameters

The content of the parameters of the service operator, like:

DatabaseConnection: mysql+pymysql://user:[email protected]/keystone?read_default_file=/etc/my.cnf
KeystoneEndpointInternal: https://keystone-internal.openstack.svc:5000/
KeystoneEndpointPublic: https://keystone-public-openstack.apps-crc.testing/
ProcessNumber: 3
TransportURL: rabbit://user:[email protected]:5671/?ssl=1
VHosts:
    internal:
        Override: false
        SSLCertificateFile: /etc/pki/tls/certs/internal.crt
        SSLCertificateKeyFile: /etc/pki/tls/private/internal.key
        ServerName: keystone-internal.openstack.svc
        TLS: true
    public:
        Override: false
        SSLCertificateFile: /etc/pki/tls/certs/public.crt
        SSLCertificateKeyFile: /etc/pki/tls/private/public.key
        ServerName: keystone-public.openstack.svc
        TLS: true
EnableSecureRBAC: true
FernetMaxActiveKeys: 5
MemcachedServers: memcached-0.memcached.openstack.svc:11212
MemcachedServersWithInet: inet:[memcached-0.memcached.openstack.svc]:11211
MemcachedTLS: true

Jira: https://issues.redhat.com/browse/OSPRH-13100

@stuggi
Copy link
Contributor Author

stuggi commented Jan 10, 2025
edited
Loading

With this change you can e.g. add the following template in a secret to configure OIDC Federation Settings

OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCClaimDelimiter ";"
OIDCPassUserInfoAs "claims"
OIDCPassClaimsAs "both"
OIDCCacheType "memcache"
OIDCMemCacheServers "{{ .MemcachedServers }}"
OIDCProviderMetadataURL "https://my_provider_metadata_url"
OIDCClientID "my_client_id"
OIDCClientSecret "12345678"
OIDCCryptoPassphrase "12345678"
OIDCOAuthClientID "my_oauth_client_id"
OIDCOAuthClientSecret "12345678"
OIDCOAuthIntrospectionEndpoint "https://my_oauth_introspection_endpoint"

# The following directives are necessary to support websso from Horizon
# (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
OIDCRedirectURI "{{ .KeystoneEndpointPublic }}/v3/auth/OS-FEDERATION/identity_providers/my_federation_provider_name/protocols/openid/websso"
OIDCRedirectURI "{{ .KeystoneEndpointPublic }}/v3/auth/OS-FEDERATION/websso/openid"

<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/my_federation_provider_name/protocols/openid/websso">
  AuthType "openid-connect"
  Require valid-user
</LocationMatch>

<Location ~ "/v3/OS-FEDERATION/identity_providers/my_federation_provider_name/protocols/openid/auth">
  AuthType oauth20
  Require valid-user
</Location>

<LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
  AuthType "openid-connect"
  Require valid-user
</LocationMatch>

The secret then can be referenced using httpdCustomization.customConfigSecret and keystone config required parameters set via customServiceConfig:

    keystone:
      template:
        customServiceConfig: |
          [federation]
          trusted_dashboard={{ .KeystoneEndpointPublic }}/dashboard/auth/websso/

          [openid]
          remote_id_attribute=HTTP_OIDC_ISS

          [auth]
          methods = password,token,oauth1,mapped,application_credential,openid
        httpdCustomization:
          customConfigSecret: keystone-httpd-override

@stuggi stuggi force-pushed the httpd_include branch 2 times, most recently from 3974d63 to 8220881 Compare January 14, 2025 12:54
@stuggi stuggi requested review from abays and removed request for frenzyfriday January 14, 2025 13:18
@stuggi stuggi mentioned this pull request Jan 14, 2025
Closed
@stuggi
Copy link
Contributor Author

stuggi commented Jan 14, 2025

/test keystone-operator-build-deploy-kuttl

@stuggi stuggi force-pushed the httpd_include branch 5 times, most recently from c78831b to 5ad092e Compare January 17, 2025 08:21
@stuggi stuggi changed the title Allow customize http vhost config using HttpdCustomization.CustomServiceConfigSecret Allow customize http vhost config using HttpdCustomization.CustomConfigSecret Jan 17, 2025
@stuggi
Copy link
Contributor Author

stuggi commented Jan 17, 2025

/retest

@stuggi stuggi requested a review from gibizer January 17, 2025 14:55
gibizer
gibizer reviewed Jan 17, 2025
View reviewed changes
Copy link
Contributor

@gibizer gibizer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks OK to me.

tests/functional/keystoneapi_controller_test.go Outdated Show resolved Hide resolved
@stuggi
Allow customize http vhost config using HttpdCustomization.CustomConf…
48d9c3a 
…igSecret

This change allows to customize the httpd vhost config using this parameter
to specify a secret that contains service config data. The content of each
provided snippet gets rendered as a go template and placed into
/etc/httpd/conf/httpd_custom_<endpoint>_<key> .
At the end of the vhost config in the default httpd template these custom
configs get included using `Include conf/httpd_custom_<endpoint>_*`.

For information on how sections in httpd configuration get merged, check section
"How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging

All possible parameters which can be use in a template can be looked up
in the <service>-config-data secret of the service like:
$ oc get secret -n openstack keystone-config-data -o json | jq -r .data.templatingParameters | base64 -d

or in the running pod of the service in the file:
$ cat /var/lib/config-data/default/templatingParameters

The content is a versioned dump of the parameters of the service operator, like:

~~~
DatabaseConnection: mysql+pymysql://user:[email protected]/keystone?read_default_file=/etc/my.cnf
KeystoneEndpointInternal: https://keystone-internal.openstack.svc:5000
KeystoneEndpointPublic: https://keystone-public-openstack.apps-crc.testing
ProcessNumber: 3
TransportURL: rabbit://user:[email protected]:5671/?ssl=1
VHosts:
    internal:
        Override: false
        SSLCertificateFile: /etc/pki/tls/certs/internal.crt
        SSLCertificateKeyFile: /etc/pki/tls/private/internal.key
        ServerName: keystone-internal.openstack.svc
        TLS: true
    public:
        Override: false
        SSLCertificateFile: /etc/pki/tls/certs/public.crt
        SSLCertificateKeyFile: /etc/pki/tls/private/public.key
        ServerName: keystone-public.openstack.svc
        TLS: true
EnableSecureRBAC: true
FernetMaxActiveKeys: 5
MemcachedServers: memcached-0.memcached.openstack.svc:11212
MemcachedServersWithInet: inet:[memcached-0.memcached.openstack.svc]:11211
MemcachedTLS: true
~~~

Depends-On: openstack-k8s-operators/lib-common#591
Depends-On: openstack-k8s-operators/lib-common#593

Jira: https://issues.redhat.com/browse/OSPRH-13100

Signed-off-by: Martin Schuppert <[email protected]>
olliewalsh
olliewalsh approved these changes Jan 20, 2025
View reviewed changes
Copy link
Contributor

@olliewalsh olliewalsh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Jan 20, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 20, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olliewalsh, stuggi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

gibizer
gibizer reviewed Jan 20, 2025
View reviewed changes
Copy link
Contributor

@gibizer gibizer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

still looks good

@openshift-merge-bot openshift-merge-bot bot merged commit 8ac75fb into openstack-k8s-operators:main Jan 20, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gibizer gibizer gibizer left review comments

@olliewalsh olliewalsh olliewalsh approved these changes

@dprince dprince Awaiting requested review from dprince

@abays abays Awaiting requested review from abays

Assignees

@olliewalsh olliewalsh

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@stuggi @olliewalsh @gibizer