Add webhook validation for external Keystone API

This commit adds webhook validation to ensure proper configuration
when using external Keystone API. The validation:

- Requires service override configuration when ExternalKeystoneAPI is true
- Ensures both public and internal endpoints are defined
- Ensures both endpoints have EndpointURL set

This prevents reconciliation from starting with invalid configuration
and avoids template rendering failures in services (like Glance) that
depend on both endpoints.

The validation is integrated into both ValidateCreate and ValidateUpdate
webhook functions to catch configuration errors early.

Related: PR comments requesting early validation for external Keystone API

Author: vakwetu

api/v1beta1/keystoneapi_webhook.go

@@ -115,6 +115,9 @@ func (spec *KeystoneAPISpecCore) ValidateCreate(basePath *field.Path, namespace
 	// referenced because is not supported
 	allErrs = append(allErrs, spec.ValidateTopology(basePath, namespace)...)
 
+	// Validate external Keystone API configuration
+	allErrs = append(allErrs, spec.ValidateExternalKeystoneAPI(basePath)...)
+
 	return allErrs
 }
 
@@ -158,6 +161,9 @@ func (spec *KeystoneAPISpecCore) ValidateUpdate(_ KeystoneAPISpecCore, basePath
 	// referenced because is not supported
 	allErrs = append(allErrs, spec.ValidateTopology(basePath, namespace)...)
 
+	// Validate external Keystone API configuration
+	allErrs = append(allErrs, spec.ValidateExternalKeystoneAPI(basePath)...)
+
 	return allErrs
 }
 
@@ -169,6 +175,70 @@ func (r *KeystoneAPI) ValidateDelete() (admission.Warnings, error) {
 	return nil, nil
 }
 
+// ValidateExternalKeystoneAPI validates the external Keystone API configuration
+func (spec *KeystoneAPISpecCore) ValidateExternalKeystoneAPI(basePath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+
+	if !spec.ExternalKeystoneAPI {
+		// No validation needed when external Keystone API is not enabled
+		return allErrs
+	}
+
+	overridePath := basePath.Child("override").Child("service")
+
+	// When ExternalKeystoneAPI is true, service overrides must be provided
+	if spec.Override.Service == nil || len(spec.Override.Service) == 0 {
+		allErrs = append(allErrs, field.Required(
+			overridePath,
+			"external Keystone API requires service override configuration",
+		))
+		return allErrs
+	}
+
+	// Both public and internal endpoints must be defined with EndpointURL set
+	// This ensures services that depend on both endpoints (like Glance) don't fail
+	// when rendering templates
+	hasPublic := false
+	hasInternal := false
+
+	for endpointType, overrideSpec := range spec.Override.Service {
+		if endpointType == service.EndpointPublic {
+			hasPublic = true
+			if overrideSpec.EndpointURL == nil || *overrideSpec.EndpointURL == "" {
+				allErrs = append(allErrs, field.Required(
+					overridePath.Key(string(endpointType)).Child("endpointURL"),
+					"external Keystone API requires endpointURL to be set for public endpoint",
+				))
+			}
+		}
+		if endpointType == service.EndpointInternal {
+			hasInternal = true
+			if overrideSpec.EndpointURL == nil || *overrideSpec.EndpointURL == "" {
+				allErrs = append(allErrs, field.Required(
+					overridePath.Key(string(endpointType)).Child("endpointURL"),
+					"external Keystone API requires endpointURL to be set for internal endpoint",
+				))
+			}
+		}
+	}
+
+	if !hasPublic {
+		allErrs = append(allErrs, field.Required(
+			overridePath,
+			fmt.Sprintf("external Keystone API requires %s endpoint to be defined", service.EndpointPublic),
+		))
+	}
+
+	if !hasInternal {
+		allErrs = append(allErrs, field.Required(
+			overridePath,
+			fmt.Sprintf("external Keystone API requires %s endpoint to be defined", service.EndpointInternal),
+		))
+	}
+
+	return allErrs
+}
+
 // SetDefaultRouteAnnotations sets HAProxy timeout values of the route
 func (spec *KeystoneAPISpecCore) SetDefaultRouteAnnotations(annotations map[string]string) {
 	const haProxyAnno = "haproxy.router.openshift.io/timeout"