Merge "keystone: provide default WSGI script for apache"

keystone/templates/bin/_keystone-api.sh.tpl

@@ -19,16 +19,6 @@ set -ex
 COMMAND="${@:-start}"
 
 function start () {
-
-  for KEYSTONE_WSGI_SCRIPT in keystone-wsgi-public; do
-    script_path="$(type -p ${KEYSTONE_WSGI_SCRIPT} || true)"
-    if [[ -z "$script_path" ]]; then
-        # In 2025.2 the keystone-wsgi-public script was removed.
-        script_path=$(python3 -c "import sysconfig; print(sysconfig.get_paths()['purelib'])")/keystone/wsgi/api.py
-    fi
-    cp -a "$script_path" /var/www/cgi-bin/keystone/wsgi.py
-  done
-
   {{- if .Values.conf.software.apache2.a2enmod }}
     {{- range .Values.conf.software.apache2.a2enmod }}
   a2enmod {{ . }}

keystone/templates/configmap-bin.yaml

@@ -41,6 +41,7 @@ data:
 {{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   db-drop.py: |
 {{- include "helm-toolkit.scripts.db_drop" . | indent 4 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_script "key" "wsgi.py" "format" "ConfigMap" ) | indent 2 }}
   keystone-api.sh: |
 {{ tuple "bin/_keystone-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   endpoint-update.py: |

keystone/templates/deployment-api.yaml

@@ -95,8 +95,10 @@ spec:
               mountPath: /var/log/apache2
             - name: run-apache
               mountPath: /var/run/apache2
-            - name: wsgi-keystone
-              mountPath: /var/www/cgi-bin/keystone
+            - name: keystone-bin
+              mountPath: /var/www/cgi-bin/keystone/wsgi.py
+              subPath: wsgi.py
+              readOnly: true
             - name: keystone-etc
               mountPath: /etc/keystone/keystone.conf
               subPath: keystone.conf
@@ -163,8 +165,6 @@ spec:
           emptyDir: {}
         - name: etckeystone
           emptyDir: {}
-        - name: wsgi-keystone
-          emptyDir: {}
         - name: logs-apache
           emptyDir: {}
         - name: run-apache

keystone/values.yaml

@@ -776,10 +776,20 @@ conf:
       MaxRequestsPerChild 128
       ThreadLimit         720
     </IfModule>
-  wsgi_script_name: wsgi.py
+  # -- WSGIScriptAlias for apache2. Copied from keystone/wsgi/api.py
+  ## apache cannot load a module and the path can change depending on python version
+  wsgi_script: |
+    import threading
+
+    from keystone.server import wsgi
+
+    application = None
+    lock = threading.Lock()
+    with lock:
+        if application is None:
+            application = wsgi.initialize_public_application()
   wsgi_keystone: |
     {{- $portInt := tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
-    {{- $wsgiScript := .Values.conf.wsgi_script_name }}
     Listen 0.0.0.0:{{ $portInt }}
 
     LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
@@ -794,7 +804,7 @@ conf:
     <VirtualHost *:{{ $portInt }}>
         WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP}
         WSGIProcessGroup keystone-public
-        WSGIScriptAlias / /var/www/cgi-bin/keystone/{{ $wsgiScript }}
+        WSGIScriptAlias / /var/www/cgi-bin/keystone/wsgi.py
         WSGIApplicationGroup %{GLOBAL}
         WSGIPassAuthorization On
         ErrorLogFormat "%{cu}t %M"

releasenotes/notes/keystone-1aaec51f0512e445.yaml

@@ -0,0 +1,7 @@
+---
+keystone:
+  - |
+    Provide a WSGI script for Apache to use to start up Keystone since Keystone
+    stopped shipping their own entrypoint. This is done in a way that users can
+    override it and the container has less moving pieces at startup.
+...