From d6157c306991e56d7b8aafb771f75bf83de0a45a Mon Sep 17 00:00:00 2001
From: "Ritchie, Frank (fr801x)"
Date: Fri, 18 Oct 2024 13:55:27 -0400
Subject: [PATCH] Use command and args

With recent k8s-keystone-auth images startup by shell script is not possible. This PS uses command/args in the deployment instead.

Change-Id: Iabd0d190c2461dbcdc8576f4a597384f46967daa
---
 .../templates/bin/_webhook_start.sh.tpl | 37 -----------------
 .../templates/configmap-bin.yaml | 3 --
 .../templates/deployment.yaml | 40 +++++++++----------
 3 files changed, 18 insertions(+), 62 deletions(-)
 delete mode 100644 charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl

diff --git a/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl b/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl
deleted file mode 100644
index 7357f5c0..00000000
--- a/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/sh
-
-{{/*
-Copyright 2018 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-set -xe
-
-SERVER_CERT_FILE=${SERVER_CERT_FILE:-"/etc/webhook_apiserver/pki/tls.crt"}
-SERVER_KEY_FILE=${SERVER_KEY_FILE:-"/etc/webhook_apiserver/pki/tls.key"}
-POLICY_FILE=${POLICY_FILE:-"/etc/webhook_apiserver/policy.json"}
-SERVER_PORT=${SERVER_PORT:-"8443"}
-KEYSTONE_CA_FILE=${KEYSTONE_CA_FILE:-"/etc/webhook_apiserver/pki/keystone.pem"}
-
-exec /bin/k8s-keystone-auth \
- --v 5 \
- --tls-cert-file "${SERVER_CERT_FILE}" \
- --tls-private-key-file "${SERVER_KEY_FILE}" \
- --keystone-policy-file "${POLICY_FILE}" \
- --listen "127.0.0.1:${SERVER_PORT}" \
-{{- if hasKey .Values.certificates "keystone" }}
- --keystone-ca-file "${KEYSTONE_CA_FILE}" \
-{{- end }}
- --keystone-url {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
-
diff --git a/charts/apiserver-webhook/templates/configmap-bin.yaml b/charts/apiserver-webhook/templates/configmap-bin.yaml
index 731cd230..bab5add8 100644
--- a/charts/apiserver-webhook/templates/configmap-bin.yaml
+++ b/charts/apiserver-webhook/templates/configmap-bin.yaml
@@ -24,7 +24,4 @@ metadata:
 data:
 ks-user.sh: |-
 {{- include "helm-toolkit.scripts.keystone_user" $envAll | indent 4 }}
- webhook_start.sh: |-
-{{ tuple "bin/_webhook_start.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
-...
 {{- end }}
diff --git a/charts/apiserver-webhook/templates/deployment.yaml b/charts/apiserver-webhook/templates/deployment.yaml
index 60ebcf32..16369051 100644
--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
@@ -121,7 +121,6 @@ spec:
 annotations:
 {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
 {{ dict "envAll" $envAll "podName" "apiserver-webhook" "containerNames" (list "apiserver" "webhook") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
- configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 dynamic-config-hash: {{ tuple "config-dynamic-config.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
@@ -226,22 +225,27 @@ spec:
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
 {{ dict "envAll" $envAll "application" "apiserver_webhook" "container" "webhook" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 command:
- - /tmp/webhook_start.sh
+ - "/bin/k8s-keystone-auth"
+ args:
+ - "--v"
+ - {{ .Values.apiserver_webhook.logging.log_level | quote }}
+ - "--tls-cert-file"
+ - {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" | quote }}
+ - "--tls-private-key-file"
+ - {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" | quote }}
+ - "--keystone-policy-file"
+ - {{ $envAll.Values.conf.paths.policy | quote }}
+ - "--listen"
+ - "127.0.0.1:{{ tuple "webhook_apiserver" "podport" "webhook" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+{{- if hasKey .Values.certificates "keystone" }}
+ - "--keystone-ca-file"
+ - {{ tuple "keystone" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" | quote }}
+{{- end }}
+ - "--keystone-url"
+ - {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
 env:
 {{- with $env := dict "ksUserSecret" .Values.secrets.identity.webhook }}
 {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
-{{- end }}
- - name: SERVER_CERT_FILE
- value: {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" | quote }}
- - name: SERVER_KEY_FILE
- value: {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" | quote }}
- - name: POLICY_FILE
- value: {{ $envAll.Values.conf.paths.policy | quote }}
- - name: SERVER_PORT
- value: {{ tuple "webhook_apiserver" "podport" "webhook" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
-{{- if hasKey .Values.certificates "keystone" }}
- - name: KEYSTONE_CA_FILE
- value: {{ tuple "keystone" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" | quote }}
 {{- end }}
 volumeMounts:
 - name: etc-webhook
@@ -252,10 +256,6 @@ spec:
 mountPath: {{ $envAll.Values.conf.paths.policy }}
 subPath: policy.json
 readOnly: true
- - name: configmap-bin
- mountPath: /tmp/webhook_start.sh
- subPath: webhook_start.sh
- readOnly: true
 {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
 {{ if $mounts_webhook.volumeMounts }}{{ toYaml $mounts_webhook.volumeMounts | indent 12 }}{{ end }}
 volumes:
@@ -283,10 +283,6 @@ spec:
 secret:
 secretName: {{ .Release.Name }}-keys
 defaultMode: 0444
- - name: configmap-bin
- configMap:
- name: {{ .Release.Name }}-bin
- defaultMode: 0555
 - name: tls-apiserver-webhook-public-server
 secret:
 defaultMode: 292
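Review bot: The new `args` list reads `.Values.apiserver_webhook.logging.log_level`, but the diffstat lists no values.yaml change, so if that key is not already declared in the chart the `--v` flag is most likely followed by an empty element and the webhook container will not start; the deleted script hard-coded `--v 5`. Either declare the key in this commit or keep the old level as a fallback, `- {{ .Values.apiserver_webhook.logging.log_level | default "5" | quote }}` (note `default` also replaces an explicit 0). The env-overridable defaults from the script (`SERVER_CERT_FILE`, `SERVER_KEY_FILE`, `POLICY_FILE`, `SERVER_PORT`, `KEYSTONE_CA_FILE`) are gone, so cert, key, policy and listen values are now fixed at render time; that deserves a sentence in the commit message so operators do not expect an env override to still work. The `--listen` address stays on `127.0.0.1`, so the webhook remains reachable only from inside the pod, which is the right default to keep.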