[k8s-keystone-auth] Remove use of github.com/go-chi/chi/v5 (#3007)

* Add tests for keystone webhooks

Signed-off-by: Stephen Finucane <[email protected]>

* Remove use of github.com/go-chi/chi/v5

Our use of this is very minimal. There is no good reason to pull in a
dependency when the stdlib variant is more than sufficient.

Signed-off-by: Stephen Finucane <[email protected]>

* Remove unnecessary go.mod replaces

Signed-off-by: Stephen Finucane <[email protected]>

---------

Signed-off-by: Stephen Finucane <[email protected]>
Co-authored-by: Jesse Haka <[email protected]>

Author: stephenfin

go.mod

@@ -6,7 +6,6 @@ toolchain go1.24.5
 
 require (
 	github.com/container-storage-interface/spec v1.11.0
-	github.com/go-chi/chi/v5 v5.2.2
 	github.com/google/uuid v1.6.0
 	github.com/gophercloud/gophercloud/v2 v2.8.0
 	github.com/gophercloud/utils/v2 v2.0.0-20250212084022-725b94822eeb
@@ -48,15 +47,11 @@ require (
 // the below fixes the "go list -m all" execution
 replace (
 	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.33.3
-	k8s.io/cri-client => k8s.io/cri-client v0.33.3
-	k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.33.3
 	k8s.io/endpointslice => k8s.io/endpointslice v0.33.3
 	k8s.io/externaljwt => k8s.io/externaljwt v0.33.3
 	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.33.3
 	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.33.3
 	k8s.io/kube-proxy => k8s.io/kube-proxy v0.33.3
-	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.33.3
-	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.33.3
 	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.33.3
 )
 

go.sum

@@ -105,8 +105,6 @@ github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZ
 github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk=
 github.com/gkampitakis/go-snaps v0.5.14 h1:3fAqdB6BCPKHDMHAKRwtPUwYexKtGrNuw8HX/T/4neo=
 github.com/gkampitakis/go-snaps v0.5.14/go.mod h1:HNpx/9GoKisdhw9AFOBT1N7DBs9DiHo/hGheFGBZ+mc=
-github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618=
-github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=

pkg/identity/keystone/keystone.go

@@ -24,7 +24,6 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/go-chi/chi/v5"
 	"github.com/gophercloud/gophercloud/v2"
 	"github.com/gophercloud/gophercloud/v2/openstack"
 	"github.com/gophercloud/gophercloud/v2/openstack/utils"
@@ -116,11 +115,11 @@ func (k *Auth) Run() {
 		go wait.Until(k.runWorker, time.Second, k.stopCh)
 	}
 
-	r := chi.NewRouter()
-	r.HandleFunc("/webhook", k.Handler)
+	mux := http.NewServeMux()
+	mux.HandleFunc("/webhook", k.Handler)
 
 	klog.Infof("Starting webhook server...")
-	klog.Fatal(http.ListenAndServeTLS(k.config.Address, k.config.CertFile, k.config.KeyFile, r))
+	klog.Fatal(http.ListenAndServeTLS(k.config.Address, k.config.CertFile, k.config.KeyFile, mux))
 }
 
 func (k *Auth) enqueueConfigMap(obj interface{}) {

pkg/identity/keystone/keystone_test.go

@@ -17,6 +17,12 @@ limitations under the License.
 package keystone
 
 import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
 	"reflect"
 	"testing"
 
@@ -59,3 +65,90 @@ func TestUserAgentFlag(t *testing.T) {
 		})
 	}
 }
+
+// mockKeystoner is a mock implementation of IKeystone for testing
+type mockKeystoner struct{}
+
+func (m *mockKeystoner) GetTokenInfo(ctx context.Context, token string) (*tokenInfo, error) {
+	return nil, fmt.Errorf("invalid token")
+}
+
+func (m *mockKeystoner) GetGroups(ctx context.Context, token string, userID string) ([]string, error) {
+	return nil, fmt.Errorf("invalid token")
+}
+
+func TestWebhookRouting(t *testing.T) {
+	// Create a minimal Auth instance for testing
+	auth := &Auth{
+		authn: &Authenticator{
+			keystoner: &mockKeystoner{},
+		},
+		authz: &Authorizer{
+			pl: nil,
+		},
+		syncer: &Syncer{
+			syncConfig: nil,
+		},
+	}
+
+	tests := []struct {
+		name           string
+		path           string
+		method         string
+		body           map[string]interface{}
+		expectedStatus int
+	}{
+		{
+			name:   "valid_webhook_path",
+			path:   "/webhook",
+			method: http.MethodPost,
+			body: map[string]interface{}{
+				"apiVersion": "authentication.k8s.io/v1beta1",
+				"kind":       "TokenReview",
+				"spec": map[string]interface{}{
+					"token": "test-token",
+				},
+			},
+			// Handler will try to authenticate and fail, but we're testing routing
+			expectedStatus: http.StatusUnauthorized,
+		},
+		{
+			name:           "invalid_path",
+			path:           "/invalid",
+			method:         http.MethodPost,
+			body:           map[string]interface{}{},
+			expectedStatus: http.StatusNotFound,
+		},
+		{
+			name:           "root_path",
+			path:           "/",
+			method:         http.MethodPost,
+			body:           map[string]interface{}{},
+			expectedStatus: http.StatusNotFound,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			// Create a request
+			bodyBytes, _ := json.Marshal(tc.body)
+			req := httptest.NewRequest(tc.method, tc.path, bytes.NewReader(bodyBytes))
+			req.Header.Set("Content-Type", "application/json")
+
+			// Create a response recorder
+			rr := httptest.NewRecorder()
+
+			// Create router and register handler
+			mux := http.NewServeMux()
+			mux.HandleFunc("/webhook", auth.Handler)
+
+			// Serve the request
+			mux.ServeHTTP(rr, req)
+
+			// Check status code
+			if rr.Code != tc.expectedStatus {
+				t.Errorf("Expected status %d, got %d", tc.expectedStatus, rr.Code)
+			}
+		})
+	}
+}