From 0892205a4c13af9716e1f9697df0b4324a0df346 Mon Sep 17 00:00:00 2001
From: Travis Holton
Date: Thu, 2 Nov 2023 08:33:58 +1300
Subject: [PATCH] Add config for k8s-keystone-auth webhook

* Make keystone auth webhook configurable
* Add unittests for k8s-keystone-auth config
---
 magnum_capi_helm/conf.py | 11 ++++
 magnum_capi_helm/driver.py | 20 ++++++++
 magnum_capi_helm/tests/test_driver.py | 73 ++++++++++++++++++++++++++-
 3 files changed, 103 insertions(+), 1 deletion(-)

diff --git a/magnum_capi_helm/conf.py b/magnum_capi_helm/conf.py
index c589443..82c035c 100644
--- a/magnum_capi_helm/conf.py
+++ b/magnum_capi_helm/conf.py
@@ -66,6 +66,17 @@
 "A cluster label can override this."
 ),
 ),
+ cfg.BoolOpt(
+ "k8s_keystone_auth_enabled",
+ default=False,
+ help=(
+ "Enable or disable Keystone authentication webhook."
+ " If enabled this will run the k8s-keystone-auth subchart"
+ " to install the webhook pod and add additional configuration"
+ " to kube-apiserver routing authentication requests through"
+ " the webhook."
+ ),
+ ),
 ]
 
 CONF = cfg.CONF
diff --git a/magnum_capi_helm/driver.py b/magnum_capi_helm/driver.py
index d38b227..0f33e5b 100644
--- a/magnum_capi_helm/driver.py
+++ b/magnum_capi_helm/driver.py
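Review bot: The new `k8s_keystone_auth_enabled` BoolOpt is a deployment-wide switch with no per-cluster override, whereas the option just above it (see the context line) ends its help with "A cluster label can override this."; flipping this value changes which identities can authenticate to the API server of every cluster the driver reconciles, so the help text should state that scope or the driver should honour a cluster label the same way. Suggested addition to the help string: `" This is a deployment-wide setting that applies to every cluster managed by this driver and cannot be overridden per cluster."`. If, as the wording "routing authentication requests through the webhook" implies, the webhook is wired into authentication only, it is also worth telling operators that authorization (RBAC bindings for Keystone identities) still has to be configured separately — hedged, since the subchart's behaviour is not visible here.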
@@ -685,6 +685,26 @@ def _update_helm_release(self, context, cluster, nodegroups=None):
 }
 values = helm.mergeconcat(values, network_details)
 
+ # CatalystCloud: K8s keystone auth webhook
+ if CONF.capi_helm.k8s_keystone_auth_enabled:
+ k8s_keystone_auth_config = {
+ "authWebhook": "k8s-keystone-auth",
+ "openstack": {
+ "k8sKeystoneAuth": { # addon subchart configuration
+ "enabled": True,
+ "values": {
+ "openstackAuthUrl": context.auth_url,
+ "projectId": context.project_id,
+ },
+ }
+ },
+ }
+ values = helm.mergeconcat(values, k8s_keystone_auth_config)
+ LOG.debug(
+ "Enable K8s keystone auth webhook for"
+ f" project: {context.project_id} auth url: {context.auth_url}"
+ )
+
 self._helm_client.install_or_upgrade(
 self._get_chart_release_name(cluster),
 CONF.capi_helm.helm_chart_name,
diff --git a/magnum_capi_helm/tests/test_driver.py b/magnum_capi_helm/tests/test_driver.py
index 246cf16..dd084c9 100644
--- a/magnum_capi_helm/tests/test_driver.py
+++ b/magnum_capi_helm/tests/test_driver.py
@@ -25,7 +25,6 @@
 from magnum_capi_helm import helm
 from magnum_capi_helm import kubernetes
 
-
 CONF = conf.CONF
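Review bot: `"projectId": context.project_id` scopes the authentication webhook to the project of whoever issued the request that triggered this reconcile, not to the project that owns the cluster; if `_update_helm_release` is later run under a different context (an admin or service user acting on the cluster), the chart values re-point the webhook at that caller's project and silently change who can authenticate to the cluster's API server. The trust boundary should come from the cluster record instead, e.g. `"projectId": cluster.project_id,` (Magnum cluster objects normally carry the owning project — confirm the attribute on this driver's cluster type), and it is worth raising a clear error when that value or `context.auth_url` is empty rather than installing the webhook with null values. The `LOG.debug` call builds an f-string eagerly; oslo.log convention is lazy arguments, `LOG.debug("Enable K8s keystone auth webhook for project: %s auth url: %s", context.project_id, context.auth_url)`. Since the webhook pod will forward user tokens to `openstackAuthUrl`, consider rejecting a non-https URL here, though the transport handling itself lives in the subchart and is not visible in this hunk. `_update_helm_release` begins and ends outside the hunk.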
@@ -1733,6 +1732,78 @@ def test_delete_nodegroup(self, mock_update):
 mock_update.call_args.args[2][0].as_dict(),
 )
 
+ @mock.patch.object(neutron, "get_network", autospec=True)
+ @mock.patch.object(
+ driver.Driver, "_ensure_certificate_secrets", autospec=True
+ )
+ @mock.patch.object(driver.Driver, "_create_appcred_secret", autospec=True)
+ @mock.patch.object(kubernetes.Client, "load", autospec=True)
+ @mock.patch.object(driver.Driver, "_get_image_details", autospec=True)
+ @mock.patch.object(helm.Client, "install_or_upgrade", autospec=True)
+ def test_k8s_keystone_auth_not_enabled(
+ self,
+ mock_install,
+ mock_image,
+ mock_load,
+ mock_appcred,
+ mock_certs,
+ mock_get_net,
+ ):
+ CONF.capi_helm.k8s_keystone_auth_enabled = False
+ mock_image.return_value = (
+ "imageid1",
+ "1.27.4",
+ "ubuntu",
+ )
+ mock_client = mock.MagicMock(spec=kubernetes.Client)
+ mock_load.return_value = mock_client
+ mock_get_net.side_effect = (
+ lambda c, net, source, target, external: f"{net}-{external}"
+ )
+ self.driver._update_helm_release(self.context, self.cluster_obj)
+ mock_install.assert_called()
+ values = mock_install.call_args.args[3]
+ # self.assertIn("kubernetesVersion", values)
+ # print("values: %s" % values["kubernetesVersion"])
+ self.assertNotIn("authWebhook", values)
+
+ @mock.patch.object(neutron, "get_network", autospec=True)
+ @mock.patch.object(
+ driver.Driver, "_ensure_certificate_secrets", autospec=True
+ )
+ @mock.patch.object(driver.Driver, "_create_appcred_secret", autospec=True)
+ @mock.patch.object(kubernetes.Client, "load", autospec=True)
+ @mock.patch.object(driver.Driver, "_get_image_details", autospec=True)
+ @mock.patch.object(helm.Client, "install_or_upgrade", autospec=True)
+ def test_k8s_keystone_auth_enabled(
+ self,
+ mock_install,
+ mock_image,
+ mock_load,
+ mock_appcred,
+ mock_certs,
+ mock_get_net,
+ ):
+ CONF.capi_helm.k8s_keystone_auth_enabled = True
+ mock_image.return_value = (
+ "imageid1",
+ "1.27.4",
+ "ubuntu",
+ )
+ mock_client = mock.MagicMock(spec=kubernetes.Client)
+ mock_load.return_value = mock_client
+ mock_get_net.side_effect = (
+ lambda c, net, source, target, external: f"{net}-{external}"
+ )
+ self.driver._update_helm_release(self.context, self.cluster_obj)
+ mock_install.assert_called()
+ values = mock_install.call_args.args[3]
+ # self.assertIn("kubernetesVersion", values)
+ # print("values: %s" % values["kubernetesVersion"])
+ self.assertIn("authWebhook", values)
+ k8s_keystone_auth_conf = values["openstack"]["k8sKeystoneAuth"]
+ self.assertEqual(k8s_keystone_auth_conf["enabled"], True)
+
 def test_create_federation(self):
 self.assertRaises(
 NotImplementedError,
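Review bot: Both tests assign `CONF.capi_helm.k8s_keystone_auth_enabled` directly and never restore it, so the `True` left behind by `test_k8s_keystone_auth_enabled` leaks into whichever test runs next, and the explicit `False` in the other test only hides the order dependence; use `CONF.set_override("k8s_keystone_auth_enabled", True, group="capi_helm")` paired with `self.addCleanup(CONF.clear_override, "k8s_keystone_auth_enabled", group="capi_helm")` (or the base test case's config fixture, if it has one). The enabled test only checks that `enabled` is truthy and leaves the values that define the trust boundary unasserted; add `self.assertEqual("k8s-keystone-auth", values["authWebhook"])`, `self.assertEqual(self.context.project_id, k8s_keystone_auth_conf["values"]["projectId"])` and `self.assertEqual(self.context.auth_url, k8s_keystone_auth_conf["values"]["openstackAuthUrl"])`, assuming `self.context` exposes those attributes as the driver code requires. The commented-out debug lines `# self.assertIn("kubernetesVersion", values)` and `# print(...)` in each test should be deleted, and `self.assertEqual(k8s_keystone_auth_conf["enabled"], True)` reads better as `self.assertTrue(k8s_keystone_auth_conf["enabled"])`. The enclosing test class starts outside the hunk.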