Make crowd context configurable (#864)
* Make crowd context configurable

* Add unit tests

* Update src/main/charts/crowd/values.yaml

Co-authored-by: Yifei Zhang <[email protected]>

* Fix copypaste

---------

Co-authored-by: Yevhen Ivantsov <[email protected]>
Co-authored-by: Yifei Zhang <[email protected]>
3 people authored Aug 16, 2024
1 parent f726f92 commit 33d694a
Showing 7 changed files with 59 additions and 9 deletions.
4 changes: 4 additions & 0 deletions docs/docs/containers/CROWD.md
Expand Up @@ -54,6 +54,10 @@ If you need to override Crowd's default memory allocation, you can control the m

If Crowd is run behind a reverse proxy server as [described here][3], then you need to specify extra options to make Crowd aware of the setup. They can be controlled via the below environment variables.

* `ATL_TOMCAT_CONTEXTPATH` (default: /crowd)

The context path the application is served over.

* `ATL_PROXY_NAME` (default: NONE)

The reverse proxy's fully qualified hostname. `CATALINA_CONNECTOR_PROXYNAME`
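
Review bot: The new `ATL_TOMCAT_CONTEXTPATH` entry is placed under the sentence that introduces reverse-proxy options, yet the context path applies with or without a proxy, and its one-line description does not say what form the value takes. Suggest stating that the value starts with `/`, saying how (or whether) the root context is expressed, and noting that a reverse proxy in front has to route that same path to Crowd.
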
3 changes: 2 additions & 1 deletion src/main/charts/crowd/README.md
Expand Up @@ -68,6 +68,7 @@ Kubernetes: `>=1.21.x-0`
| crowd.securityContext.fsGroup | int | `2004` | The GID used by the Crowd docker image GID will default to 2004 if not supplied and securityContextEnabled is set to true. This is intended to ensure that the shared-home volume is group-writeable by the GID used by the Crowd container. However, this doesn't appear to work for NFS volumes due to a K8s bug: https://github.com/kubernetes/examples/issues/260 |
| crowd.securityContextEnabled | bool | `true` | Whether to apply security context to pod. |
| crowd.service.annotations | object | `{}` | Additional annotations to apply to the Service |
| crowd.service.contextPath | string | `"/crowd"` | The Tomcat context path that Crowd will use. The ATL_TOMCAT_CONTEXTPATH will be set automatically. |
| crowd.service.loadBalancerIP | string | `nil` | Use specific loadBalancerIP. Only applies to service type LoadBalancer. |
| crowd.service.port | int | `80` | The port on which the Crowd K8s Service will listen |
| crowd.service.sessionAffinity | string | `"None"` | Session affinity type. If you want to make sure that connections from a particular client are passed to the same pod each time, set sessionAffinity to ClientIP. See: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
Expand Down Expand Up @@ -125,7 +126,7 @@ Kubernetes: `>=1.21.x-0`
| ingress.maxBodySize | string | `"250m"` | The max body size to allow. Requests exceeding this size will result in an HTTP 413 error being returned to the client. |
| ingress.nginx | bool | `true` | Set to 'true' if the Ingress Resource is to use the K8s 'ingress-nginx' controller. https://kubernetes.github.io/ingress-nginx/ This will populate the Ingress Resource with annotations that are specific to the K8s ingress-nginx controller. Set to 'false' if a different controller is to be used, in which case the appropriate annotations for that controller must be specified below under 'ingress.annotations'. |
| ingress.openShiftRoute | bool | `false` | Set to true if you want to create an OpenShift Route instead of an Ingress |
| ingress.path | string | `"/"` | The base path for the Ingress Resource. For example '/crowd'. Based on a 'ingress.host' value of 'company.k8s.com' this would result in a URL of 'company.k8s.com/crowd'. Due to temporary limitations with changing Crowd context on the application level, only "/" and "/crowd" paths are supported. |
| ingress.path | string | `"/"` | The base path for the Ingress Resource. For example '/crowd'. Based on 'ingress.host' value of 'company.k8s.com' this would result in a URL of 'company.k8s.com/crowd'. |
| ingress.proxyConnectTimeout | int | `60` | Defines a timeout for establishing a connection with a proxied server. It should be noted that this timeout cannot usually exceed 75 seconds. |
| ingress.proxyReadTimeout | int | `60` | Defines a timeout for reading a response from the proxied server. The timeout is set only between two successive read operations, not for the transmission of the whole response. If the proxied server does not transmit anything within this time, the connection is closed. |
| ingress.proxySendTimeout | int | `60` | Sets a timeout for transmitting a request to the proxied server. The timeout is set only between two successive write operations, not for the transmission of the whole request. If the proxied server does not receive anything within this time, the connection is closed. |
9 changes: 5 additions & 4 deletions src/main/charts/crowd/templates/configmap-server-config.yaml
Expand Up @@ -46,10 +46,11 @@ data:
<Engine name="Catalina"
defaultHost="localhost">

<Host name="localhost"
appBase="webapps"
unpackWARs="true"
autoDeploy="true"/>
<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
<Context path="{{ .Values.crowd.service.contextPath | default "/crowd" }}" docBase="../../crowd-webapp" debug="0">
<Manager pathname="" />
</Context>
</Host>
{{- if .Values.crowd.accessLog.enabled }}
<Valve className="org.apache.catalina.valves.AccessLogValve"
requestAttributesEnabled="true"
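
Review bot: In the added `<Context path="{{ .Values.crowd.service.contextPath | default "/crowd" }}" ...>` line the value is written into an XML attribute of server.xml with no validation or escaping, so a value containing `"`, `<` or `&` renders a malformed or altered server.xml. Suggest rejecting anything that is not a plain path at render time, for example with `regexMatch` and `fail`, or with a pattern in a values schema. Note also that the `default "/crowd"` fallback exists only here; the readiness probe in statefulset.yaml uses the raw value.
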
6 changes: 5 additions & 1 deletion src/main/charts/crowd/templates/statefulset.yaml
Expand Up @@ -129,7 +129,7 @@ spec:
{{- else }}
httpGet:
port: {{ .Values.crowd.ports.http }}
path: /crowd/status
path: {{ .Values.crowd.service.contextPath}}/status
initialDelaySeconds: {{ .Values.crowd.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.crowd.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.crowd.readinessProbe.timeoutSeconds }}
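
Review bot: The probe path `{{ .Values.crowd.service.contextPath}}/status` uses the raw value, while the `<Context path=...>` in configmap-server-config.yaml falls back to `/crowd` when the value is empty and the `ATL_TOMCAT_CONTEXTPATH` block in the next hunk is skipped in that case. With an empty `contextPath` the probe requests `/status` while Tomcat is configured for `/crowd`, so the readiness check would likely fail. Suggest computing the effective path once, in a named template carrying the same `default`, and using it in all three places. Minor: add the space before `}}` to match the surrounding lines.
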
Expand Down Expand Up @@ -196,6 +196,10 @@ spec:
- name: ATL_TOMCAT_SECURE
value: "true"
{{ end }}
{{ if .Values.crowd.service.contextPath }}
- name: ATL_TOMCAT_CONTEXTPATH
value: {{ .Values.crowd.service.contextPath | quote }}
{{ end }}
- name: ATL_TOMCAT_PORT
value: {{ .Values.crowd.ports.http | quote }}
{{ if .Values.ingress.host }}
10 changes: 7 additions & 3 deletions src/main/charts/crowd/values.yaml
Expand Up @@ -137,6 +137,11 @@ crowd:
#
loadBalancerIP:

# -- The Tomcat context path that Crowd will use. The ATL_TOMCAT_CONTEXTPATH
# will be set automatically.
#
contextPath: "/crowd"

# -- Additional annotations to apply to the Service
#
annotations: {}
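
Review bot: The comment on `contextPath` does not state the accepted format. Because the value is concatenated with `/status` in the readiness probe and written into the Tomcat `<Context path>`, the comment should say that it must start with `/` and must not end with one (a trailing slash would yield `//status`), and that an empty value is treated by the templates as unset rather than as the root context.
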
Expand Down Expand Up @@ -543,10 +548,9 @@ ingress:
#
host:

# -- The base path for the Ingress Resource. For example '/crowd'. Based on a
# -- The base path for the Ingress Resource. For example '/crowd'. Based on
# 'ingress.host' value of 'company.k8s.com' this would result in a URL of
# 'company.k8s.com/crowd'. Due to temporary limitations with changing Crowd context
# on the application level, only "/" and "/crowd" paths are supported.
# 'company.k8s.com/crowd'.
#
path: "/"

33 changes: 33 additions & 0 deletions src/test/java/test/IngressTest.java
Expand Up @@ -553,4 +553,37 @@ private List<String> extractAllPaths(Traversable<KubeResource> ingresses) {
.map(path -> path.path("path").asText())
.collect(Collectors.toList());
}

@ParameterizedTest
@EnumSource(value = Product.class, names = {"crowd"})
void crowd_ingress_path_contextPath(Product product) throws Exception {
final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of(
"ingress.create", "true",
"ingress.host", "myhost.mydomain",
product + ".service.contextPath", "/my-path"));

final var ingresses = resources.getAll(Kind.Ingress);
Assertions.assertEquals(1, ingresses.size());

assertThat(ingresses.head().getNode("spec", "rules").required(0).path("http").path("paths").required(0).path("path"))
.hasTextEqualTo("/");

}

@ParameterizedTest
@EnumSource(value = Product.class, names = {"crowd"})
void crowd_ingress_path_value(Product product) throws Exception {
final var resources = helm.captureKubeResourcesFromHelmChart(product, Map.of(
"ingress.create", "true",
"ingress.host", "myhost.mydomain",
"ingress.path", "/mypath",
product + ".service.contextPath", "/my-path"));

final var ingresses = resources.getAll(Kind.Ingress);
Assertions.assertEquals(1, ingresses.size());

assertThat(ingresses.head().getNode("spec", "rules").required(0).path("http").path("paths").required(0).path("path"))
.hasTextEqualTo("/mypath");

}
}
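
Review bot: Both new tests assert only the Ingress `path`, so nothing covers what this commit changes for `contextPath`: the readiness probe path, the `ATL_TOMCAT_CONTEXTPATH` env entry and the `<Context path>` in the server-config ConfigMap. Suggest a test that sets `crowd.service.contextPath` to `/my-path` and asserts those three rendered values, plus one for an empty value. `crowd_ingress_path_contextPath` could also be renamed to say what it asserts, namely that the Ingress path is unaffected by `contextPath`.
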
3 changes: 3 additions & 0 deletions src/test/resources/expected_helm_output/crowd/output.yaml
Expand Up @@ -142,6 +142,7 @@ data:
securityContextEnabled: true
service:
annotations: {}
contextPath: /crowd
loadBalancerIP: null
port: 80
sessionAffinity: None
Expand Down Expand Up @@ -451,6 +452,8 @@ spec:
value: "https"
- name: ATL_TOMCAT_SECURE
value: "true"
- name: ATL_TOMCAT_CONTEXTPATH
value: "/crowd"
- name: ATL_TOMCAT_PORT
value: "8095"
- name: ATL_TOMCAT_ACCESS_LOG
