From 22d56f0ad31aeeb3482541bcf338104c6f42996f Mon Sep 17 00:00:00 2001 From: Doug Goldstein Date: Tue, 9 Dec 2025 10:43:30 -0600 Subject: [PATCH] keystone: provide default WSGI script for apache Provide a WSGI script for Apache to use to start up Keystone since Keystone stopped shipping their own entrypoint. This is done in a way that users can override it and the container has less moving pieces at startup. Change-Id: Id32f8eb5bacea389d388d2483454d4a01ef608be Signed-off-by: Doug Goldstein --- keystone/templates/bin/_keystone-api.sh.tpl | 10 ---------- keystone/templates/configmap-bin.yaml | 1 + keystone/templates/deployment-api.yaml | 8 ++++---- keystone/values.yaml | 16 +++++++++++++--- .../notes/keystone-1aaec51f0512e445.yaml | 7 +++++++ 5 files changed, 25 insertions(+), 17 deletions(-) create mode 100644 releasenotes/notes/keystone-1aaec51f0512e445.yaml diff --git a/keystone/templates/bin/_keystone-api.sh.tpl b/keystone/templates/bin/_keystone-api.sh.tpl index 9aa11c463e..e01760fbb2 100644 --- a/keystone/templates/bin/_keystone-api.sh.tpl +++ b/keystone/templates/bin/_keystone-api.sh.tpl @@ -19,16 +19,6 @@ set -ex COMMAND="${@:-start}" function start () { - - for KEYSTONE_WSGI_SCRIPT in keystone-wsgi-public; do - script_path="$(type -p ${KEYSTONE_WSGI_SCRIPT} || true)" - if [[ -z "$script_path" ]]; then - # In 2025.2 the keystone-wsgi-public script was removed. - script_path=$(python3 -c "import sysconfig; print(sysconfig.get_paths()['purelib'])")/keystone/wsgi/api.py - fi - cp -a "$script_path" /var/www/cgi-bin/keystone/wsgi.py - done - {{- if .Values.conf.software.apache2.a2enmod }} {{- range .Values.conf.software.apache2.a2enmod }} a2enmod {{ . }} diff --git a/keystone/templates/configmap-bin.yaml b/keystone/templates/configmap-bin.yaml index 45512d3ec5..51e490ebb1 100644 --- a/keystone/templates/configmap-bin.yaml +++ b/keystone/templates/configmap-bin.yaml 
@@ -41,6 +41,7 @@ data: {{ tuple "bin/_db-sync.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} db-drop.py: | {{- include "helm-toolkit.scripts.db_drop" . | indent 4 }} +{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.wsgi_script "key" "wsgi.py" "format" "ConfigMap" ) | indent 2 }} keystone-api.sh: | {{ tuple "bin/_keystone-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} endpoint-update.py: | diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml index 8d8a1292ac..19cb7a68ee 100644 --- a/keystone/templates/deployment-api.yaml +++ b/keystone/templates/deployment-api.yaml @@ -95,8 +95,10 @@ spec: mountPath: /var/log/apache2 - name: run-apache mountPath: /var/run/apache2 - - name: wsgi-keystone - mountPath: /var/www/cgi-bin/keystone + - name: keystone-bin + mountPath: /var/www/cgi-bin/keystone/wsgi.py + subPath: wsgi.py + readOnly: true - name: keystone-etc mountPath: /etc/keystone/keystone.conf subPath: keystone.conf @@ -163,8 +165,6 @@ spec: emptyDir: {} - name: etckeystone emptyDir: {} - - name: wsgi-keystone - emptyDir: {} - name: logs-apache emptyDir: {} - name: run-apache diff --git a/keystone/values.yaml b/keystone/values.yaml index 3effab990d..f1937fd2ec 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml 
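Review bot: In the `configmap-bin.yaml` hunk, the added `wsgi.py` entry takes its body from `.Values.conf.wsgi_script`, while the neighbouring entries shown include chart templates, and nothing at this line says the value is Python that Apache will load as the Keystone application. A template comment directly above it would make that explicit, for example `{{- /* wsgi.py is rendered from .Values.conf.wsgi_script and loaded by mod_wsgi as the Keystone application; treat overrides as code */}}`. The definition of `values_template_renderer` is not part of this patch; if it evaluates the value as a template, any `{{ ... }}` sequence in an override is expanded by Helm before the file is written, which the same comment should mention. The line also relies on `$envAll`, which is defined outside the hunk, whereas the surrounding entries pass `.`.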
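Review bot: In the first `deployment-api.yaml` hunk, `wsgi.py` becomes a `subPath` mount from `keystone-bin`, and Kubernetes does not refresh `subPath` mounts when the backing ConfigMap changes, so an edited `conf.wsgi_script` reaches Apache only once the pod is replaced. Whether the pod template carries a hash annotation for `keystone-bin` that forces that rollout cannot be seen from this hunk and should be confirmed. A comment above the mount would record the dependency: `# subPath mount: not updated in place, pods must roll to pick up a new wsgi.py`. The file mode of the mounted script comes from the `keystone-bin` volume definition, which is also outside the hunk.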
@@ -776,10 +776,20 @@ conf: MaxRequestsPerChild 128 ThreadLimit 720 - wsgi_script_name: wsgi.py + # -- WSGIScriptAlias for apache2. Copied from keystone/wsgi/api.py + ## apache cannot load a module and the path can change depending on python version + wsgi_script: | + import threading + + from keystone.server import wsgi + + application = None + lock = threading.Lock() + with lock: + if application is None: + application = wsgi.initialize_public_application() wsgi_keystone: | {{- $portInt := tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{- $wsgiScript := .Values.conf.wsgi_script_name }} Listen 0.0.0.0:{{ $portInt }} LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined @@ -794,7 +804,7 @@ conf: WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public - WSGIScriptAlias / /var/www/cgi-bin/keystone/{{ $wsgiScript }} + WSGIScriptAlias / /var/www/cgi-bin/keystone/wsgi.py WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On ErrorLogFormat "%{cu}t %M" diff --git a/releasenotes/notes/keystone-1aaec51f0512e445.yaml b/releasenotes/notes/keystone-1aaec51f0512e445.yaml new file mode 100644 index 0000000000..462a1a43f8 --- /dev/null +++ b/releasenotes/notes/keystone-1aaec51f0512e445.yaml @@ -0,0 +1,7 @@ +--- +keystone: + - | + Provide a WSGI script for Apache to use to start up Keystone since Keystone + stopped shipping their own entrypoint. This is done in a way that users can + override it and the container has less moving pieces at startup. +...
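Review bot: The comment above `wsgi_script` in the first `values.yaml` hunk calls the value a "WSGIScriptAlias" and says where it was copied from, but not that it is Python executed inside the identity service by the `keystone-public` mod_wsgi daemon. I would reword it to `# -- WSGI entry point that apache2's WSGIScriptAlias loads. Copied from keystone/wsgi/api.py.` and add `## NOTE: this value is Python executed by mod_wsgi as the keystone user; review overrides as code.` Separately, `lock` is created in the same module execution that tests `application is None`, so the `with lock:` block cannot exclude anything. The script mirrors upstream, but on the visible lines `application = wsgi.initialize_public_application()` behaves the same and is easier to audit.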
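Review bot: With `$wsgiScript` dropped from `wsgi_keystone` in the second `values.yaml` hunk and `wsgi_script_name` removed in the hunk above it, an existing override of `conf.wsgi_script_name` is now silently ignored. A deployer who carries a full override of `conf.wsgi_keystone` that still references `.Values.conf.wsgi_script_name` would presumably render a broken `WSGIScriptAlias` path. The release note added by this patch describes the new script but not the removal; a sentence such as `The conf.wsgi_script_name value is no longer read; the script is always mounted at /var/www/cgi-bin/keystone/wsgi.py.` would cover it. The literal `wsgi.py` now has to match in three places (the ConfigMap key, the `mountPath`/`subPath` pair, and this `WSGIScriptAlias`), which is worth a one-line comment here. The `wsgi_keystone` block continues outside the hunk.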