[multiple] Use strategic merge patch in Keystone federation kustomization

vakwetu · claude · openshift-merge-bot[bot] · commit b0fb69279b92 · 2026-03-27T19:41:09.000Z
Replace the JSON Patch (op/path/value) entries in the kustomize file
written by hook_controlplane_config.yml with a single strategic merge
patch. The JSON Patch approach was fragile: `add /spec/tls/caBundleSecretName`
would fail if spec.tls had no parent yet, and adding the parent first as
an empty dict would clobber existing TLS fields. A strategic merge patch
merges at each level, so it works regardless of whether spec.tls already
exists and leaves any pre-existing TLS fields untouched.

Signed-off-by: Ade Lee &lt;alee@redhat.com&gt;
Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
Made-with: Cursor
diff --git a/roles/federation/tasks/hook_controlplane_config.yml b/roles/federation/tasks/hook_controlplane_config.yml
@@ -141,25 +141,27 @@
           kind: OpenStackControlPlane
           name: .*
         patch: |-
-          - op: add
-            path: /spec/tls/caBundleSecretName
-            value: {{ _federation_ca_bundle_secret_name }}
-          - op: add
-            path: /spec/keystone/template/httpdCustomization
-            value:
-              customConfigSecret: keystone-httpd-override
-          - op: add
-            path: /spec/keystone/template/customServiceConfig
-            value: |
-              [DEFAULT]
-              insecure_debug=true
-              debug=true
-              [federation]
-              trusted_dashboard={{ cifmw_federation_horizon_url }}/dashboard/auth/websso/
-              [openid]
-              remote_id_attribute=HTTP_OIDC_ISS
-              [auth]
-              methods = password,token,oauth1,mapped,application_credential,openid
+          apiVersion: core.openstack.org/v1beta1
+          kind: OpenStackControlPlane
+          metadata:
+            name: controlplane
+          spec:
+            tls:
+              caBundleSecretName: {{ _federation_ca_bundle_secret_name }}
+            keystone:
+              template:
+                httpdCustomization:
+                  customConfigSecret: keystone-httpd-override
+                customServiceConfig: |
+                  [DEFAULT]
+                  insecure_debug=true
+                  debug=true
+                  [federation]
+                  trusted_dashboard={{ cifmw_federation_horizon_url }}/dashboard/auth/websso/
+                  [openid]
+                  remote_id_attribute=HTTP_OIDC_ISS
+                  [auth]
+                  methods = password,token,oauth1,mapped,application_credential,openid
 
 # ---------------------------------------------------------------------------
 # Step 7 - Keystone httpd override secret (always needed)
