Skip to content

Comments

Add support for External Keystone Service#653

Merged
openshift-merge-bot[bot] merged 11 commits intoopenstack-k8s-operators:mainfrom
dmendiza:external-keystone
Jan 16, 2026
Merged

Add support for External Keystone Service#653
openshift-merge-bot[bot] merged 11 commits intoopenstack-k8s-operators:mainfrom
dmendiza:external-keystone

Conversation

@dmendiza
Copy link
Contributor

@dmendiza dmendiza commented Dec 8, 2025

This patch adds a new ExternalKeystoneAPI property to KeystoneAPI to enable the use of an existing Keystone Service that is external to the OpenShift environment used to run this operator.

For example, a multi-region deployment where one region is running a centralized Keystone service can use this to deploy additional regions that can use the centralized Keystone service without the need to run their own instance of Keystone.

Assisted-by: Cursor (Auto Model)

@softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/0636e0d41791487589955f58fe17b071

openstack-k8s-operators-content-provider FAILURE in 8m 57s
⚠️ keystone-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ keystone-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

@softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/aac4c90d99a04ad1beac31fb4502f812

openstack-k8s-operators-content-provider FAILURE in 9m 33s
⚠️ keystone-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ keystone-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

@softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/13d740041bf24217a22f1de016ce4efa

openstack-k8s-operators-content-provider FAILURE in 9m 05s
⚠️ keystone-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ keystone-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

This patch adds a new `ExternalKeystoneAPI` property to KeystoneAPI to
enable the use of an existing Keystone Service that is external to the
OpenShift environment used to run this operator.

For example, a multi-region deployment where one region is running a
centralized Keystone service can use this to deploy additional regions
that can use the centralized Keystone service without the need to run
their own instance of Keystone.

Assisted-by: Cursor (Auto Model)
)

var (
// interfaceBundleKeys maps endpoint winterfaces to their corresponding key in the CA bundle secret
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/winterfaces/interfaces/

@softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/ef704189ca0d4a08ac566e2756bb91c0

openstack-k8s-operators-content-provider FAILURE in 8m 57s
⚠️ keystone-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ keystone-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

@softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/b5471949529848f0aae25cd0855f98aa

openstack-k8s-operators-content-provider FAILURE in 9m 21s
⚠️ keystone-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ keystone-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

@vakwetu
Copy link
Contributor

vakwetu commented Dec 17, 2025

recheck

@softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/8e97f5c52be1434c822b2bc4304b1a95

openstack-k8s-operators-content-provider FAILURE in 9m 16s
⚠️ keystone-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ keystone-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

@dmendiza
Copy link
Contributor Author

/recheck

@vakwetu
Copy link
Contributor

vakwetu commented Dec 17, 2025

/test keystone-operator-build-deploy-kuttl

Generate the clouds.yaml for the External Keystone API.
@softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/15db4974754f4f8dbeab5a62c88255c3

openstack-k8s-operators-content-provider FAILURE in 10m 02s
⚠️ keystone-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ keystone-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

Refactor the change added in this branch to pick the right bundle
internally based on KeystoneAPI spec instead of making callers of
GetAdminServiceClient figure that out.

The client will continue to default to the internal interface, but use
the public interface when using an external Keytone API.
@softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/63d602ef9db54a5e850cc9eac9415232

openstack-k8s-operators-content-provider FAILURE in 11m 38s
⚠️ keystone-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ keystone-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

@vakwetu
Copy link
Contributor

vakwetu commented Dec 22, 2025

recheck

@softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/2385a873c8954c189a1fdf321f50559f

openstack-k8s-operators-content-provider FAILURE in 9m 22s
⚠️ keystone-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ keystone-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

@vakwetu
Copy link
Contributor

vakwetu commented Dec 23, 2025

recheck

@softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/5b01fa6733d54721be36fcdf0bd1d8ae

openstack-k8s-operators-content-provider FAILURE in 12m 58s
⚠️ keystone-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ keystone-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

@vakwetu
Copy link
Contributor

vakwetu commented Jan 5, 2026

recheck

@vakwetu vakwetu changed the title WIP: Add support for External Keystone Service Add support for External Keystone Service Jan 14, 2026
This commit adds webhook validation to ensure proper configuration
when using external Keystone API. The validation:

- Requires service override configuration when ExternalKeystoneAPI is true
- Ensures both public and internal endpoints are defined
- Ensures both endpoints have EndpointURL set

This prevents reconciliation from starting with invalid configuration
and avoids template rendering failures in services (like Glance) that
depend on both endpoints.

The validation is integrated into both ValidateCreate and ValidateUpdate
webhook functions to catch configuration errors early.

Related: PR comments requesting early validation for external Keystone API
@vakwetu
Copy link
Contributor

vakwetu commented Jan 15, 2026

Added the webhook as requested by @fmount . I'll test the webhook in the morning and then remove the DNM tag.

@softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/f5524f39482c44b091e35abd7a858ae1

openstack-k8s-operators-content-provider FAILURE in 8m 24s
⚠️ keystone-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ keystone-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

This commit enhances the external Keystone API webhook validation by:

1. Adding URL format validation using net/url.Parse() to ensure
   endpointURL values are valid URLs for both public and internal
   endpoints. The validation checks both for parsing errors and
   requires a URL scheme (http:// or https://) to catch URLs without
   schemes that url.Parse() would otherwise accept.

2. Removing the redundant check for nil or empty service override.
   As noted in PR comments, this check could be bypassed by providing
   an empty map or invalid keys. The actual validation that matters
   is whether hasPublic and hasInternal are both true, which is
   checked later in the function. This makes the validation more
   robust and prevents bypassing the check.

3. Adding comprehensive test coverage for external Keystone API
   validation including:
   - Rejection when service override is nil (checks for missing endpoints)
   - Rejection when service override is empty (checks for missing endpoints)
   - Rejection when only admin endpoint is provided (missing public/internal)
   - Rejection when public endpoint is missing
   - Rejection when internal endpoint is missing
   - Rejection when endpointURL is empty string
   - Rejection of URLs without scheme for public endpoint
   - Rejection of malformed URLs for internal endpoint
   - Acceptance when both public and internal endpoints are valid

All 79 tests pass, including 9 new tests for external Keystone API
validation.

Related: PR comments requesting URL validation, test coverage, and
removing bypassable validation checks
@softwarefactory-project-zuul
Copy link

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/cadf83a91a194f36a70dd09535b46513

openstack-k8s-operators-content-provider FAILURE in 5m 03s
⚠️ keystone-operator-kuttl SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)
⚠️ keystone-operator-tempest SKIPPED Skipped due to failed job openstack-k8s-operators-content-provider (non-voting)

@vakwetu
Copy link
Contributor

vakwetu commented Jan 15, 2026

Added webhook appears to work just fine! Please review!

@vakwetu
Copy link
Contributor

vakwetu commented Jan 15, 2026

recheck

Copy link
Contributor

@fmount fmount left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just added a comment wrt the way we handle conditions, but overall we're closer to having a final version of this patch.

Instead of marking all conditions as True for external Keystone API
(which is misleading), conditionally initialize conditions only when
ExternalKeystoneAPI is false (regular use case), similar to how
Topology conditions are handled.

This removes the need to set misleading True conditions for external
Keystone API, as those conditions are not relevant when using an
external service.

Also updates the functional test to not check for conditions that
don't exist for external Keystone API (DBReadyCondition and
DeploymentReadyCondition).
…l Keystone API

- Always initialize InputReadyCondition and TLSInputReadyCondition (needed for both internal and external)
- Only initialize deployment-related conditions when ExternalKeystoneAPI is false
- Reorder processing in reconcileExternalKeystoneAPI:
  - Verify secret first
  - Verify endpoints (both public and internal must be defined with valid EndpointURL)
  - Set InputReadyCondition after both secret and endpoints are verified
  - Then verify TLS input
- Improve endpoint validation to check both public and internal endpoints are present
- Remove MarkTrue from verifySecret (it only sets False on errors now)
- Set InputReadyCondition in main reconciliation loop after verification completes
Copy link
Contributor

@fmount fmount left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@vakwetu just a comment on the condition messages that can be removed and a couple of nits that are not blockers for the patch, LGTM otherwise!

…dling

- Remove unused ExternalKeystoneAPI condition messages that are no longer
  needed since we conditionally initialize conditions
- Move Topology condition initialization into cl.Set() before Init() call
- Remove unnecessary serviceLabels comment
Copy link
Contributor

@fmount fmount left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Jan 16, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 16, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dmendiza, fmount

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit f54dd51 into openstack-k8s-operators:main Jan 16, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants