Add URL validation and comprehensive tests for external Keystone API

vakwetu · vakwetu · commit 18daecbdf88f · 2026-01-15T12:46:36.000-05:00
This commit enhances the external Keystone API webhook validation by:

1. Adding URL format validation using net/url.Parse() to ensure
   endpointURL values are valid URLs for both public and internal
   endpoints. The validation checks both for parsing errors and
   requires a URL scheme (http:// or https://) to catch URLs without
   schemes that url.Parse() would otherwise accept.

2. Removing the redundant check for nil or empty service override.
   As noted in PR comments, this check could be bypassed by providing
   an empty map or invalid keys. The actual validation that matters
   is whether hasPublic and hasInternal are both true, which is
   checked later in the function. This makes the validation more
   robust and prevents bypassing the check.

3. Adding comprehensive test coverage for external Keystone API
   validation including:
   - Rejection when service override is nil (checks for missing endpoints)
   - Rejection when service override is empty (checks for missing endpoints)
   - Rejection when only admin endpoint is provided (missing public/internal)
   - Rejection when public endpoint is missing
   - Rejection when internal endpoint is missing
   - Rejection when endpointURL is empty string
   - Rejection of URLs without scheme for public endpoint
   - Rejection of malformed URLs for internal endpoint
   - Acceptance when both public and internal endpoints are valid

All 79 tests pass, including 9 new tests for external Keystone API
validation.

Related: PR comments requesting URL validation, test coverage, and
removing bypassable validation checks
diff --git a/api/v1beta1/keystoneapi_webhook.go b/api/v1beta1/keystoneapi_webhook.go
@@ -24,6 +24,7 @@ package v1beta1
 
 import (
 	"fmt"
+	"net/url"
 
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -186,38 +187,67 @@ func (spec *KeystoneAPISpecCore) ValidateExternalKeystoneAPI(basePath *field.Pat
 
 	overridePath := basePath.Child("override").Child("service")
 
-	// When ExternalKeystoneAPI is true, service overrides must be provided
-	if spec.Override.Service == nil || len(spec.Override.Service) == 0 {
-		allErrs = append(allErrs, field.Required(
-			overridePath,
-			"external Keystone API requires service override configuration",
-		))
-		return allErrs
-	}
-
 	// Both public and internal endpoints must be defined with EndpointURL set
 	// This ensures services that depend on both endpoints (like Glance) don't fail
 	// when rendering templates
+	// Note: We don't check for nil or empty service override here because the
+	// hasPublic and hasInternal checks below will catch missing endpoints regardless
+	// of whether the map is nil, empty, or contains invalid keys.
 	hasPublic := false
 	hasInternal := false
 
 	for endpointType, overrideSpec := range spec.Override.Service {
+		endpointURLPath := overridePath.Key(string(endpointType)).Child("endpointURL")
 		if endpointType == service.EndpointPublic {
 			hasPublic = true
 			if overrideSpec.EndpointURL == nil || *overrideSpec.EndpointURL == "" {
 				allErrs = append(allErrs, field.Required(
-					overridePath.Key(string(endpointType)).Child("endpointURL"),
+					endpointURLPath,
 					"external Keystone API requires endpointURL to be set for public endpoint",
 				))
+			} else {
+				// Validate URL format
+				parsedURL, err := url.Parse(*overrideSpec.EndpointURL)
+				if err != nil {
+					allErrs = append(allErrs, field.Invalid(
+						endpointURLPath,
+						*overrideSpec.EndpointURL,
+						fmt.Sprintf("invalid URL format: %v", err),
+					))
+				} else if parsedURL.Scheme == "" {
+					// Require a scheme (http:// or https://)
+					allErrs = append(allErrs, field.Invalid(
+						endpointURLPath,
+						*overrideSpec.EndpointURL,
+						"URL must include a scheme (e.g., http:// or https://)",
+					))
+				}
 			}
 		}
 		if endpointType == service.EndpointInternal {
 			hasInternal = true
 			if overrideSpec.EndpointURL == nil || *overrideSpec.EndpointURL == "" {
 				allErrs = append(allErrs, field.Required(
-					overridePath.Key(string(endpointType)).Child("endpointURL"),
+					endpointURLPath,
 					"external Keystone API requires endpointURL to be set for internal endpoint",
 				))
+			} else {
+				// Validate URL format
+				parsedURL, err := url.Parse(*overrideSpec.EndpointURL)
+				if err != nil {
+					allErrs = append(allErrs, field.Invalid(
+						endpointURLPath,
+						*overrideSpec.EndpointURL,
+						fmt.Sprintf("invalid URL format: %v", err),
+					))
+				} else if parsedURL.Scheme == "" {
+					// Require a scheme (http:// or https://)
+					allErrs = append(allErrs, field.Invalid(
+						endpointURLPath,
+						*overrideSpec.EndpointURL,
+						"URL must include a scheme (e.g., http:// or https://)",
+					))
+				}
 			}
 		}
 	}
diff --git a/test/functional/keystoneapi_webhook_test.go b/test/functional/keystoneapi_webhook_test.go
@@ -216,4 +216,295 @@ var _ = Describe("KeystoneAPI Webhook", func() {
 				"spec.topologyRef.namespace: Invalid value: \"namespace\": Customizing namespace field is not supported"),
 		)
 	})
+
+	When("ExternalKeystoneAPI validation", func() {
+		It("rejects ExternalKeystoneAPI=true with nil service override", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			// Don't set any override
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			// The validation now checks for missing endpoints rather than missing override
+			Expect(err.Error()).To(
+				Or(
+					ContainSubstring("external Keystone API requires public endpoint to be defined"),
+					ContainSubstring("external Keystone API requires internal endpoint to be defined"),
+				),
+			)
+		})
+
+		It("rejects ExternalKeystoneAPI=true with empty service override", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			// The validation now checks for missing endpoints rather than missing override
+			Expect(err.Error()).To(
+				Or(
+					ContainSubstring("external Keystone API requires public endpoint to be defined"),
+					ContainSubstring("external Keystone API requires internal endpoint to be defined"),
+				),
+			)
+		})
+
+		It("rejects ExternalKeystoneAPI=true with service override but no endpoints", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{
+					"admin": map[string]any{
+						"metadata": map[string]any{
+							"labels": map[string]any{
+								"custom": "label",
+							},
+						},
+					},
+				},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(
+				ContainSubstring(
+					"external Keystone API requires public endpoint to be defined"),
+			)
+		})
+
+		It("rejects ExternalKeystoneAPI=true with missing public endpoint", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{
+					"internal": map[string]any{
+						"endpointURL": "http://internal.keystone.example.com:5000",
+					},
+				},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(
+				ContainSubstring(
+					"external Keystone API requires public endpoint to be defined"),
+			)
+		})
+
+		It("rejects ExternalKeystoneAPI=true with missing internal endpoint", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{
+					"public": map[string]any{
+						"endpointURL": "http://public.keystone.example.com:5000",
+					},
+				},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(
+				ContainSubstring(
+					"external Keystone API requires internal endpoint to be defined"),
+			)
+		})
+
+		It("rejects ExternalKeystoneAPI=true with empty endpointURL", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{
+					"public": map[string]any{
+						"endpointURL": "",
+					},
+					"internal": map[string]any{
+						"endpointURL": "http://internal.keystone.example.com:5000",
+					},
+				},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(
+				ContainSubstring(
+					"external Keystone API requires endpointURL to be set for public endpoint"),
+			)
+		})
+
+		It("rejects ExternalKeystoneAPI=true with invalid URL format for public endpoint", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{
+					"public": map[string]any{
+						"endpointURL": "not-a-valid-url",
+					},
+					"internal": map[string]any{
+						"endpointURL": "http://internal.keystone.example.com:5000",
+					},
+				},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(
+				ContainSubstring(
+					"URL must include a scheme"),
+			)
+		})
+
+		It("rejects ExternalKeystoneAPI=true with invalid URL format for internal endpoint", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{
+					"public": map[string]any{
+						"endpointURL": "http://public.keystone.example.com:5000",
+					},
+					"internal": map[string]any{
+						"endpointURL": "://invalid-url",
+					},
+				},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(
+				Or(
+					ContainSubstring("invalid URL format"),
+					ContainSubstring("URL must include a scheme"),
+				),
+			)
+		})
+
+		It("accepts ExternalKeystoneAPI=true with valid endpoints", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{
+					"public": map[string]any{
+						"endpointURL": "http://public.keystone.example.com:5000",
+					},
+					"internal": map[string]any{
+						"endpointURL": "http://internal.keystone.example.com:5000",
+					},
+				},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).NotTo(HaveOccurred())
+		})
+	})
 })
