Allow customize http vhost config using HttpdCustomization.CustomServiceConfigSecret

[stuggi]

This change allows to customize the httpd vhost config using this parameter to specify a secret that contains service config data. The content of each provided snippet gets rendered as a go template and placed into /etc/httpd/conf/httpd_custom_<endpoint>_<key> .
At the end of the vhost config in the default httpd template these custom configs get included using Include conf/httpd_custom_<endpoint>_*.

For information on how sections in httpd configuration get merged, check section "How the sections are merged" in https://httpd.apache.org/docs/current/sections.html#merging

Depends-On: openstack-k8s-operators/lib-common#591

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: stuggi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [stuggi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[stuggi]

With this change you can e.g. add the following template in a secret to configure OIDC Federation Settings

OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCClaimDelimiter ";"
OIDCPassUserInfoAs "claims"
OIDCPassClaimsAs "both"
OIDCCacheType "memcache"
OIDCMemCacheServers "{{ .memcachedServers }}"
OIDCProviderMetadataURL "https://my_provider_metadata_url"
OIDCClientID "my_client_id"
OIDCClientSecret "12345678"
OIDCCryptoPassphrase "12345678"
OIDCOAuthClientID "my_oauth_client_id"
OIDCOAuthClientSecret "12345678"
OIDCOAuthIntrospectionEndpoint "https://my_oauth_introspection_endpoint"

# The following directives are necessary to support websso from Horizon
# (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
OIDCRedirectURI "{{ .KeystoneEndpointPublic }}/v3/auth/OS-FEDERATION/identity_providers/my_federation_provider_name/protocols/openid/websso"
OIDCRedirectURI "{{ .KeystoneEndpointPublic }}/v3/auth/OS-FEDERATION/websso/openid"

<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/my_federation_provider_name/protocols/openid/websso">
  AuthType "openid-connect"
  Require valid-user
</LocationMatch>

<Location ~ "/v3/OS-FEDERATION/identity_providers/my_federation_provider_name/protocols/openid/auth">
  AuthType oauth20
  Require valid-user
</Location>

<LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
  AuthType "openid-connect"
  Require valid-user
</LocationMatch>

The secret then can be referenced using httpdCustomization.customServiceConfigSecret and keystone config required parameters set via customServiceConfig:

    keystone:
      template:
        customServiceConfig: |
          [federation]
          trusted_dashboard={{ .KeystoneEndpointPublic }}/dashboard/auth/websso/

          [openid]
          remote_id_attribute=HTTP_OIDC_ISS

          [auth]
          methods = password,token,oauth1,mapped,application_credential,openid
        httpdCustomization:
          overrideSecret: keystone-httpd-override

Todo: Align template parameters to and document a dict on which could be used in a custom config template.

[olliewalsh]

since this is essentially an api do we need to version it?

[stuggi]

you mean using a versioned name as the template parameter e.g. KeystoneEndpointPublicV1?