Add URL validation and comprehensive tests for external Keystone API

vakwetu · vakwetu · commit e06fc425a28f · 2026-01-15T12:19:37.000-05:00
This commit enhances the external Keystone API webhook validation by:

1. Adding URL format validation using net/url.Parse() to ensure
   endpointURL values are valid URLs for both public and internal
   endpoints. The validation checks both for parsing errors and
   requires a URL scheme (http:// or https://) to catch URLs without
   schemes that url.Parse() would otherwise accept.

2. Adding comprehensive test coverage for external Keystone API
   validation including:
   - Rejection when service override is nil
   - Rejection when service override is empty
   - Rejection when only admin endpoint is provided (missing public/internal)
   - Rejection when public endpoint is missing
   - Rejection when internal endpoint is missing
   - Rejection when endpointURL is empty string
   - Rejection of URLs without scheme for public endpoint
   - Rejection of malformed URLs for internal endpoint
   - Acceptance when both public and internal endpoints are valid

All 79 tests pass, including 9 new tests for external Keystone API
validation.

Related: PR comments requesting URL validation and test coverage
diff --git a/api/v1beta1/keystoneapi_webhook.go b/api/v1beta1/keystoneapi_webhook.go
@@ -24,6 +24,7 @@ package v1beta1
 
 import (
 	"fmt"
+	"net/url"
 
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -202,22 +203,57 @@ func (spec *KeystoneAPISpecCore) ValidateExternalKeystoneAPI(basePath *field.Pat
 	hasInternal := false
 
 	for endpointType, overrideSpec := range spec.Override.Service {
+		endpointURLPath := overridePath.Key(string(endpointType)).Child("endpointURL")
 		if endpointType == service.EndpointPublic {
 			hasPublic = true
 			if overrideSpec.EndpointURL == nil || *overrideSpec.EndpointURL == "" {
 				allErrs = append(allErrs, field.Required(
-					overridePath.Key(string(endpointType)).Child("endpointURL"),
+					endpointURLPath,
 					"external Keystone API requires endpointURL to be set for public endpoint",
 				))
+			} else {
+				// Validate URL format
+				parsedURL, err := url.Parse(*overrideSpec.EndpointURL)
+				if err != nil {
+					allErrs = append(allErrs, field.Invalid(
+						endpointURLPath,
+						*overrideSpec.EndpointURL,
+						fmt.Sprintf("invalid URL format: %v", err),
+					))
+				} else if parsedURL.Scheme == "" {
+					// Require a scheme (http:// or https://)
+					allErrs = append(allErrs, field.Invalid(
+						endpointURLPath,
+						*overrideSpec.EndpointURL,
+						"URL must include a scheme (e.g., http:// or https://)",
+					))
+				}
 			}
 		}
 		if endpointType == service.EndpointInternal {
 			hasInternal = true
 			if overrideSpec.EndpointURL == nil || *overrideSpec.EndpointURL == "" {
 				allErrs = append(allErrs, field.Required(
-					overridePath.Key(string(endpointType)).Child("endpointURL"),
+					endpointURLPath,
 					"external Keystone API requires endpointURL to be set for internal endpoint",
 				))
+			} else {
+				// Validate URL format
+				parsedURL, err := url.Parse(*overrideSpec.EndpointURL)
+				if err != nil {
+					allErrs = append(allErrs, field.Invalid(
+						endpointURLPath,
+						*overrideSpec.EndpointURL,
+						fmt.Sprintf("invalid URL format: %v", err),
+					))
+				} else if parsedURL.Scheme == "" {
+					// Require a scheme (http:// or https://)
+					allErrs = append(allErrs, field.Invalid(
+						endpointURLPath,
+						*overrideSpec.EndpointURL,
+						"URL must include a scheme (e.g., http:// or https://)",
+					))
+				}
 			}
 		}
 	}
diff --git a/test/functional/keystoneapi_webhook_test.go b/test/functional/keystoneapi_webhook_test.go
@@ -216,4 +216,289 @@ var _ = Describe("KeystoneAPI Webhook", func() {
 				"spec.topologyRef.namespace: Invalid value: \"namespace\": Customizing namespace field is not supported"),
 		)
 	})
+
+	When("ExternalKeystoneAPI validation", func() {
+		It("rejects ExternalKeystoneAPI=true with nil service override", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			// Don't set any override
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(
+				ContainSubstring(
+					"external Keystone API requires service override configuration"),
+			)
+		})
+
+		It("rejects ExternalKeystoneAPI=true with empty service override", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(
+				ContainSubstring(
+					"external Keystone API requires service override configuration"),
+			)
+		})
+
+		It("rejects ExternalKeystoneAPI=true with service override but no endpoints", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{
+					"admin": map[string]any{
+						"metadata": map[string]any{
+							"labels": map[string]any{
+								"custom": "label",
+							},
+						},
+					},
+				},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(
+				ContainSubstring(
+					"external Keystone API requires public endpoint to be defined"),
+			)
+		})
+
+		It("rejects ExternalKeystoneAPI=true with missing public endpoint", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{
+					"internal": map[string]any{
+						"endpointURL": "http://internal.keystone.example.com:5000",
+					},
+				},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(
+				ContainSubstring(
+					"external Keystone API requires public endpoint to be defined"),
+			)
+		})
+
+		It("rejects ExternalKeystoneAPI=true with missing internal endpoint", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{
+					"public": map[string]any{
+						"endpointURL": "http://public.keystone.example.com:5000",
+					},
+				},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(
+				ContainSubstring(
+					"external Keystone API requires internal endpoint to be defined"),
+			)
+		})
+
+		It("rejects ExternalKeystoneAPI=true with empty endpointURL", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{
+					"public": map[string]any{
+						"endpointURL": "",
+					},
+					"internal": map[string]any{
+						"endpointURL": "http://internal.keystone.example.com:5000",
+					},
+				},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(
+				ContainSubstring(
+					"external Keystone API requires endpointURL to be set for public endpoint"),
+			)
+		})
+
+		It("rejects ExternalKeystoneAPI=true with invalid URL format for public endpoint", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{
+					"public": map[string]any{
+						"endpointURL": "not-a-valid-url",
+					},
+					"internal": map[string]any{
+						"endpointURL": "http://internal.keystone.example.com:5000",
+					},
+				},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(
+				ContainSubstring(
+					"URL must include a scheme"),
+			)
+		})
+
+		It("rejects ExternalKeystoneAPI=true with invalid URL format for internal endpoint", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{
+					"public": map[string]any{
+						"endpointURL": "http://public.keystone.example.com:5000",
+					},
+					"internal": map[string]any{
+						"endpointURL": "://invalid-url",
+					},
+				},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(
+				Or(
+					ContainSubstring("invalid URL format"),
+					ContainSubstring("URL must include a scheme"),
+				),
+			)
+		})
+
+		It("accepts ExternalKeystoneAPI=true with valid endpoints", func() {
+			spec := GetDefaultKeystoneAPISpec()
+			spec["externalKeystoneAPI"] = true
+			spec["override"] = map[string]any{
+				"service": map[string]any{
+					"public": map[string]any{
+						"endpointURL": "http://public.keystone.example.com:5000",
+					},
+					"internal": map[string]any{
+						"endpointURL": "http://internal.keystone.example.com:5000",
+					},
+				},
+			}
+
+			raw := map[string]any{
+				"apiVersion": "keystone.openstack.org/v1beta1",
+				"kind":       "KeystoneAPI",
+				"metadata": map[string]any{
+					"name":      keystoneAPIName.Name,
+					"namespace": keystoneAPIName.Namespace,
+				},
+				"spec": spec,
+			}
+
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).NotTo(HaveOccurred())
+		})
+	})
 })
