Allow customize http vhost config using HttpdCustomization.CustomConf…

…igSecret This change allows to customize the httpd vhost config using this parameter to specify a secret that contains service config data. The content of each provided snippet gets rendered as a go template and placed into /etc/httpd/conf/httpd_custom_<endpoint>_<key> . At the end of the vhost config in the default httpd template these custom configs get included using `Include conf/httpd_custom_<endpoint>_*`. For information on how sections in httpd configuration get merged, check section "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging All possible parameters which can be use in a template can be looked up in the <service>-config-data secret of the service like: $ oc get secret -n openstack barbican-config-data -o json | jq -r .data.templatingParameters | base64 -d $ oc get secret -n openstack barbicanapi-config-data -o json | jq -r .data.templatingParameters | base64 -d or in the running pod of the service in the file: $ cat /var/lib/config-data/default/templatingParameters The content is a versioned dump of the parameters of the service operator, like: ~~~ DatabaseConnection: mysql+pymysql://user:pwd@openstack.<namespace>.svc/keystone?read_default_file=/etc/my.cnf EnableSecureRBAC: true EnabledSecretStores: simple_crypto GlobalDefaultSecretStore: simple_crypto KeystoneAuthURL: http://keystone-internal.openstack.svc:5000 LogFile: /var/log/barbican/barbican-api.log ServicePassword: <pwd> ServiceUser: barbican SimpleCryptoEnabled: true SimpleCryptoKEK: "" TimeOut: 90 TransportURL: rabbit://rabbitmq-secret/fake VHosts: internal: Override: true ServerName: barbican-internal.<namespace>.svc TLS: false public: Override: true ServerName: barbican-public.<namespace>.svc TLS: false ~~~ Depends-On: openstack-k8s-operators/lib-common#591 Depends-On: openstack-k8s-operators/lib-common#593 Jira: https://issues.redhat.com/browse/OSPRH-13100 Signed-off-by: Martin Schuppert <[email protected]>
openstack-k8s-operators · Jan 21, 2025 · 6bde6c6 · 6bde6c6
1 parent a09e481
commit 6bde6c6
Show file tree

Hide file tree

Showing 18 changed files with 256 additions and 22 deletions.
diff --git a/api/bases/barbican.openstack.org_barbicanapis.yaml b/api/bases/barbican.openstack.org_barbicanapis.yaml
@@ -118,6 +118,20 @@ spec:
                 - simple_crypto
                 - pkcs11
                 type: string
+              httpdCustomization:
+                description: HttpdCustomization - customize the httpd service
+                properties:
+                  customConfigSecret:
+                    description: |-
+                      CustomConfigSecret - customize the httpd vhost config using this parameter to specify
+                      a secret that contains service config data. The content of each provided snippet gets
+                      rendered as a go template and placed into /etc/httpd/conf/httpd_custom_<key> .
+                      In the default httpd template at the end of the vhost those custom configs get
+                      included using `Include conf/httpd_custom_<endpoint>_*`.
+                      For information on how sections in httpd configuration get merged, check section
+                      "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging
+                    type: string
+                type: object
               networkAttachments:
                 description: NetworkAttachments is a list of NetworkAttachment resource
                   names to expose the services to the given network

diff --git a/api/bases/barbican.openstack.org_barbicans.yaml b/api/bases/barbican.openstack.org_barbicans.yaml
@@ -91,6 +91,20 @@ spec:
                     description: EnableSecureRBAC - Enable Consistent and Secure RBAC
                       policies
                     type: boolean
+                  httpdCustomization:
+                    description: HttpdCustomization - customize the httpd service
+                    properties:
+                      customConfigSecret:
+                        description: |-
+                          CustomConfigSecret - customize the httpd vhost config using this parameter to specify
+                          a secret that contains service config data. The content of each provided snippet gets
+                          rendered as a go template and placed into /etc/httpd/conf/httpd_custom_<key> .
+                          In the default httpd template at the end of the vhost those custom configs get
+                          included using `Include conf/httpd_custom_<endpoint>_*`.
+                          For information on how sections in httpd configuration get merged, check section
+                          "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging
+                        type: string
+                    type: object
                   networkAttachments:
                     description: NetworkAttachments is a list of NetworkAttachment
                       resource names to expose the services to the given network

diff --git a/api/go.mod b/api/go.mod
@@ -5,7 +5,7 @@ go 1.21
 require (
 	github.com/onsi/ginkgo/v2 v2.20.1
 	github.com/onsi/gomega v1.34.1
-	github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e
+	github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7
 	k8s.io/api v0.29.10
 	k8s.io/apimachinery v0.29.10
 	k8s.io/client-go v0.29.10

diff --git a/api/go.sum b/api/go.sum
@@ -72,8 +72,8 @@ github.com/onsi/ginkgo/v2 v2.20.1 h1:YlVIbqct+ZmnEph770q9Q7NVAz4wwIiVNahee6JyUzo
 github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI=
 github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e h1:hf4kVQBkyG79WcHBxdQ25QrDBbGFdarebS1Tc0Xclq4=
-github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7 h1:vXHpH93PjbAgg5ZN6n5WmxkybVQOs0nhXvVw62o7aZs=
+github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7/go.mod h1:YpNTuJhDWhbXM50O3qBkhO7M+OOyRmWkNVmJ4y3cyFs=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

diff --git a/api/v1beta1/barbicanapi_types.go b/api/v1beta1/barbicanapi_types.go
@@ -53,6 +53,10 @@ type BarbicanAPITemplateCore struct {
 	// +kubebuilder:validation:Optional
 	// APITimeout for HAProxy and Apache defaults to Barbican APITimeout (seconds)
 	APITimeout int `json:"apiTimeout"`
+
+	// +kubebuilder:validation:Optional
+	// HttpdCustomization - customize the httpd service
+	HttpdCustomization HttpdCustomization `json:"httpdCustomization,omitempty"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.
@@ -62,6 +66,19 @@ type APIOverrideSpec struct {
 	Service map[service.Endpoint]service.RoutedOverrideSpec `json:"service,omitempty"`
 }
 
+// HttpdCustomization - customize the httpd service
+type HttpdCustomization struct {
+	// +kubebuilder:validation:Optional
+	// CustomConfigSecret - customize the httpd vhost config using this parameter to specify
+	// a secret that contains service config data. The content of each provided snippet gets
+	// rendered as a go template and placed into /etc/httpd/conf/httpd_custom_<key> .
+	// In the default httpd template at the end of the vhost those custom configs get
+	// included using `Include conf/httpd_custom_<endpoint>_*`.
+	// For information on how sections in httpd configuration get merged, check section
+	// "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging
+	CustomConfigSecret *string `json:"customConfigSecret,omitempty"`
+}
+
 // BarbicanAPISpec defines the desired state of BarbicanAPI
 type BarbicanAPISpec struct {
 	BarbicanTemplate `json:",inline"`

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/barbican.openstack.org_barbicanapis.yaml b/config/crd/bases/barbican.openstack.org_barbicanapis.yaml
@@ -118,6 +118,20 @@ spec:
                 - simple_crypto
                 - pkcs11
                 type: string
+              httpdCustomization:
+                description: HttpdCustomization - customize the httpd service
+                properties:
+                  customConfigSecret:
+                    description: |-
+                      CustomConfigSecret - customize the httpd vhost config using this parameter to specify
+                      a secret that contains service config data. The content of each provided snippet gets
+                      rendered as a go template and placed into /etc/httpd/conf/httpd_custom_<key> .
+                      In the default httpd template at the end of the vhost those custom configs get
+                      included using `Include conf/httpd_custom_<endpoint>_*`.
+                      For information on how sections in httpd configuration get merged, check section
+                      "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging
+                    type: string
+                type: object
               networkAttachments:
                 description: NetworkAttachments is a list of NetworkAttachment resource
                   names to expose the services to the given network

diff --git a/config/crd/bases/barbican.openstack.org_barbicans.yaml b/config/crd/bases/barbican.openstack.org_barbicans.yaml
@@ -91,6 +91,20 @@ spec:
                     description: EnableSecureRBAC - Enable Consistent and Secure RBAC
                       policies
                     type: boolean
+                  httpdCustomization:
+                    description: HttpdCustomization - customize the httpd service
+                    properties:
+                      customConfigSecret:
+                        description: |-
+                          CustomConfigSecret - customize the httpd vhost config using this parameter to specify
+                          a secret that contains service config data. The content of each provided snippet gets
+                          rendered as a go template and placed into /etc/httpd/conf/httpd_custom_<key> .
+                          In the default httpd template at the end of the vhost those custom configs get
+                          included using `Include conf/httpd_custom_<endpoint>_*`.
+                          For information on how sections in httpd configuration get merged, check section
+                          "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging
+                        type: string
+                    type: object
                   networkAttachments:
                     description: NetworkAttachments is a list of NetworkAttachment
                       resource names to expose the services to the given network

diff --git a/controllers/barbican_common.go b/controllers/barbican_common.go
@@ -41,18 +41,20 @@ func GenerateConfigsGeneric(
 	customData map[string]string,
 	cmLabels map[string]string,
 	scripts bool,
+	customTemplates map[string]string,
 ) error {
 
 	cms := []util.Template{
 		// Templates where the BarbicanAPI config is stored
 		{
-			Name:          fmt.Sprintf("%s-config-data", instance.GetName()),
-			Namespace:     instance.GetNamespace(),
-			Type:          util.TemplateTypeConfig,
-			InstanceType:  instance.GetObjectKind().GroupVersionKind().Kind,
-			ConfigOptions: templateParameters,
-			CustomData:    customData,
-			Labels:        cmLabels,
+			Name:           fmt.Sprintf("%s-config-data", instance.GetName()),
+			Namespace:      instance.GetNamespace(),
+			Type:           util.TemplateTypeConfig,
+			InstanceType:   instance.GetObjectKind().GroupVersionKind().Kind,
+			ConfigOptions:  templateParameters,
+			CustomData:     customData,
+			Labels:         cmLabels,
+			StringTemplate: customTemplates,
 		},
 	}
 	if scripts {

diff --git a/controllers/barbican_controller.go b/controllers/barbican_controller.go
@@ -22,6 +22,7 @@ import (
 	"slices"
 	"time"
 
+	"gopkg.in/yaml.v2"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
@@ -555,10 +556,11 @@ func (r *BarbicanReconciler) reconcileDelete(ctx context.Context, instance *barb
 
 // fields to index to reconcile when change
 const (
-	passwordSecretField     = ".spec.secret"
-	caBundleSecretNameField = ".spec.tls.caBundleSecretName"
-	tlsAPIInternalField     = ".spec.tls.api.internal.secretName"
-	tlsAPIPublicField       = ".spec.tls.api.public.secretName"
+	passwordSecretField                 = ".spec.secret"
+	caBundleSecretNameField             = ".spec.tls.caBundleSecretName"
+	tlsAPIInternalField                 = ".spec.tls.api.internal.secretName"
+	tlsAPIPublicField                   = ".spec.tls.api.public.secretName"
+	httpdCustomServiceConfigSecretField = ".spec.httpdCustomization.customServiceConfigSecret"
 )
 
 var (
@@ -571,6 +573,7 @@ var (
 		caBundleSecretNameField,
 		tlsAPIInternalField,
 		tlsAPIPublicField,
+		httpdCustomServiceConfigSecretField,
 	}
 )
 
@@ -678,7 +681,14 @@ func (r *BarbicanReconciler) generateServiceConfig(
 		maps.Copy(templateParameters, pkcs11TemplateMap)
 	}
 
-	return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, true)
+	// Marshal the templateParameters map to YAML
+	yamlData, err := yaml.Marshal(templateParameters)
+	if err != nil {
+		return fmt.Errorf("Error marshalling to YAML: %w", err)
+	}
+	customData[common.TemplateParameters] = string(yamlData)
+
+	return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, true, map[string]string{})
 }
 
 func (r *BarbicanReconciler) transportURLCreateOrUpdate(

diff --git a/controllers/barbicanapi_controller.go b/controllers/barbicanapi_controller.go
@@ -42,6 +42,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
+	"gopkg.in/yaml.v2"
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -348,7 +349,16 @@ func (r *BarbicanAPIReconciler) generateServiceConfigs(
 		maps.Copy(templateParameters, pkcs11TemplateMap)
 	}
 
+	httpdOverrideSecret := &corev1.Secret{}
+	if instance.Spec.HttpdCustomization.CustomConfigSecret != nil && *instance.Spec.HttpdCustomization.CustomConfigSecret != "" {
+		httpdOverrideSecret, _, err = secret.GetSecret(ctx, h, *instance.Spec.HttpdCustomization.CustomConfigSecret, instance.Namespace)
+		if err != nil {
+			return err
+		}
+	}
+
 	// create httpd  vhost template parameters
+	customTemplates := map[string]string{}
 	httpdVhostConfig := map[string]interface{}{}
 	for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {
 		endptConfig := map[string]interface{}{}
@@ -359,12 +369,29 @@ func (r *BarbicanAPIReconciler) generateServiceConfigs(
 			endptConfig["SSLCertificateFile"] = fmt.Sprintf("/etc/pki/tls/certs/%s.crt", endpt.String())
 			endptConfig["SSLCertificateKeyFile"] = fmt.Sprintf("/etc/pki/tls/private/%s.key", endpt.String())
 		}
+
+		endptConfig["Override"] = false
+		if len(httpdOverrideSecret.Data) > 0 {
+			endptConfig["Override"] = true
+			for key, data := range httpdOverrideSecret.Data {
+				if len(data) > 0 {
+					customTemplates["httpd_custom_"+endpt.String()+"_"+key] = string(data)
+				}
+			}
+		}
 		httpdVhostConfig[endpt.String()] = endptConfig
 	}
 	templateParameters["VHosts"] = httpdVhostConfig
 	templateParameters["TimeOut"] = instance.Spec.APITimeout
 
-	return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false)
+	// Marshal the templateParameters map to YAML
+	yamlData, err := yaml.Marshal(templateParameters)
+	if err != nil {
+		return fmt.Errorf("Error marshalling to YAML: %w", err)
+	}
+	customData[common.TemplateParameters] = string(yamlData)
+
+	return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false, customTemplates)
 }
 
 func (r *BarbicanAPIReconciler) reconcileInit(
@@ -907,6 +934,19 @@ func (r *BarbicanAPIReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	}); err != nil {
 		return err
 	}
+
+	// index httpdOverrideSecretField
+	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &barbicanv1beta1.BarbicanAPI{}, httpdCustomServiceConfigSecretField, func(rawObj client.Object) []string {
+		// Extract the secret name from the spec, if one is provided
+		cr := rawObj.(*barbicanv1beta1.BarbicanAPI)
+		if cr.Spec.HttpdCustomization.CustomConfigSecret == nil {
+			return nil
+		}
+		return []string{*cr.Spec.HttpdCustomization.CustomConfigSecret}
+	}); err != nil {
+		return err
+	}
+
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&barbicanv1beta1.BarbicanAPI{}).
 		Owns(&corev1.Service{}).

diff --git a/controllers/barbicankeystonelistener_controller.go b/controllers/barbicankeystonelistener_controller.go
@@ -27,6 +27,7 @@ import (
 	"github.com/openstack-k8s-operators/barbican-operator/pkg/barbican"
 	"github.com/openstack-k8s-operators/barbican-operator/pkg/barbicankeystonelistener"
 	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
+	"gopkg.in/yaml.v2"
 
 	// keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
 	"github.com/openstack-k8s-operators/lib-common/modules/common"
@@ -296,7 +297,14 @@ func (r *BarbicanKeystoneListenerReconciler) generateServiceConfigs(
 		"LogFile":      fmt.Sprintf("%s%s.log", barbican.BarbicanLogPath, instance.Name),
 	}
 
-	return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false)
+	// Marshal the templateParameters map to YAML
+	yamlData, err := yaml.Marshal(templateParameters)
+	if err != nil {
+		return fmt.Errorf("Error marshalling to YAML: %w", err)
+	}
+	customData[common.TemplateParameters] = string(yamlData)
+
+	return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false, map[string]string{})
 }
 
 func (r *BarbicanKeystoneListenerReconciler) reconcileInit(

diff --git a/controllers/barbicanworker_controller.go b/controllers/barbicanworker_controller.go
@@ -29,6 +29,7 @@ import (
 	"github.com/openstack-k8s-operators/barbican-operator/pkg/barbican"
 	"github.com/openstack-k8s-operators/barbican-operator/pkg/barbicanworker"
 	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
+	"gopkg.in/yaml.v2"
 
 	"github.com/openstack-k8s-operators/lib-common/modules/common"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
@@ -300,7 +301,14 @@ func (r *BarbicanWorkerReconciler) generateServiceConfigs(
 		maps.Copy(templateParameters, pkcs11TemplateMap)
 	}
 
-	return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false)
+	// Marshal the templateParameters map to YAML
+	yamlData, err := yaml.Marshal(templateParameters)
+	if err != nil {
+		return fmt.Errorf("Error marshalling to YAML: %w", err)
+	}
+	customData[common.TemplateParameters] = string(yamlData)
+
+	return GenerateConfigsGeneric(ctx, h, instance, envVars, templateParameters, customData, labels, false, map[string]string{})
 }
 
 func (r *BarbicanWorkerReconciler) reconcileInit(

diff --git a/go.mod b/go.mod
@@ -11,12 +11,13 @@ require (
 	github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-00010101000000-000000000000
 	github.com/openstack-k8s-operators/infra-operator/apis v0.5.1-0.20241213080025-18e54a028c8b
 	github.com/openstack-k8s-operators/keystone-operator/api v0.5.1-0.20241212135809-dc78e7221d12
-	github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20241216113837-d172b3ac0f4e
+	github.com/openstack-k8s-operators/lib-common/modules/common v0.5.1-0.20250116145727-01a8948d5dd7
 	github.com/openstack-k8s-operators/lib-common/modules/storage v0.5.1-0.20241216113837-d172b3ac0f4e
 	github.com/openstack-k8s-operators/lib-common/modules/test v0.5.1-0.20241216113837-d172b3ac0f4e
 	github.com/openstack-k8s-operators/mariadb-operator/api v0.5.0
 	go.uber.org/zap v1.27.0
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
+	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.29.10
 	k8s.io/apimachinery v0.29.10
 	k8s.io/client-go v0.29.10
@@ -72,7 +73,6 @@ require (
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/protobuf v1.34.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.29.10 // indirect
 	k8s.io/component-base v0.29.10 // indirect