CONSOLE 2919: create OAuth clients on spoke clusters - rebased

bindata/configmaps/console-managed-cluster-ingress-cert-configmap.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: openshift-config-managed

bindata/managedclusteractions/console-managed-cluster-action-create-oauth-client.yaml

@@ -0,0 +1,14 @@
+apiVersion: action.open-cluster-management.io/v1beta1
+kind: ManagedClusterAction
+metadata:
+  name: console-managed-cluster-action-oauth-create
+spec:
+  actionType: Create
+  kube:
+    resource: OAuthClient
+    template:
+      apiVersion: oauth.openshift.io/v1
+      kind: OAuthClient
+      metadata:
+        name: console-managed-cluster-oauth-client
+      grantMethod: auto

bindata/managedclusterviews/console-managed-cluster-view-ingress-cert.yaml

@@ -0,0 +1,10 @@
+apiVersion: view.open-cluster-management.io/v1beta1
+kind: ManagedClusterView
+metadata:
+  name: console-managed-cluster-view-ingress-cert
+spec:
+  scope:
+    kind: ConfigMap
+    version: v1
+    name: default-ingress-cert
+    namespace: openshift-config-managed

bindata/managedclusterviews/console-managed-cluster-view-oauth-client.yaml

@@ -0,0 +1,9 @@
+apiVersion: view.open-cluster-management.io/v1beta1
+kind: ManagedClusterView
+metadata:
+  name: console-managed-cluster-view-oauth
+spec:
+  scope:
+    apiVersion: oauth.openshift.io/v1
+    resource: OAuthClient
+    name: console-managed-cluster-oauth-client

examples/cvo-unmanage-operator.yaml

@@ -5,8 +5,8 @@ metadata:
   name: version
 spec:
   overrides:
-  - kind: Deployment
-    name: console-operator
-    namespace: openshift-console-operator
-    unmanaged: true
-    group: apps/v1
+    - kind: Deployment
+      name: console-operator
+      namespace: openshift-console-operator
+      unmanaged: true
+      group: apps/v1

go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/go-bindata/go-bindata v3.1.2+incompatible
 	github.com/go-test/deep v1.0.5
 	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/open-cluster-management/api v0.0.0-20210527013639-a6845f2ebcb1
 	github.com/openshift/api v0.0.0-20210729103544-e4a0474d1519
 	github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3
 	github.com/openshift/client-go v0.0.0-20210112160336-8889f8b15bd6

go.sum

@@ -410,6 +410,8 @@ github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/open-cluster-management/api v0.0.0-20210527013639-a6845f2ebcb1 h1:AaFycHD9YOfFXe9C5VsYxKf4LKCXKSLZgK2DnFdHY4M=
+github.com/open-cluster-management/api v0.0.0-20210527013639-a6845f2ebcb1/go.mod h1:ot+A1DWq+v1IV+e1S7nhIteYAmNByFgtazvzpoeAfRQ=
 github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/openshift/api v0.0.0-20201214114959-164a2fb63b5f/go.mod h1:aqU5Cq+kqKKPbDMqxo9FojgDeSpNJI7iuskjXjtojDg=
@@ -418,6 +420,7 @@ github.com/openshift/api v0.0.0-20210325044225-ef3741adfc31/go.mod h1:aqU5Cq+kqK
 github.com/openshift/api v0.0.0-20210729103544-e4a0474d1519 h1:g9hT0d7niFH2GD9NT8RHRq/45qDfNkRfEZw2A4HTrjc=
 github.com/openshift/api v0.0.0-20210729103544-e4a0474d1519/go.mod h1:wf/SnvIX5Aq1NkALk26b2extjOGm3Q781gEgvr0+CDY=
 github.com/openshift/build-machinery-go v0.0.0-20200917070002-f171684f77ab/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
+github.com/openshift/build-machinery-go v0.0.0-20210115170933-e575b44a7a94/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3 h1:hYMLjavR8LrcCva788SxDqYjRc1k2w0LNGi7eX9vY5Y=
 github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20201214125552-e615e336eb49/go.mod h1:9/jG4I6sh+5QublJpZZ4Zs/P4/QCXMsQQ/K/058bSB8=

manifests/03-rbac-role-cluster.yaml

@@ -7,79 +7,109 @@ metadata:
     include.release.openshift.io/self-managed-high-availability: "true"
     include.release.openshift.io/single-node-developer: "true"
 rules:
-- apiGroups:
-  - oauth.openshift.io
-  resources:
-  - oauthclients
-  verbs:
-  - get
-  - list
-  - update
-  - watch
-  resourceNames:
-  - console
-- apiGroups:
-  - config.openshift.io
-  resources:
-  - oauths
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - config.openshift.io
-  resources:
-  - infrastructures
-  - ingresses
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - config.openshift.io
-  resources:
-  - proxies
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - config.openshift.io
-  resources:
-  - consoles
-  - consoles/status
-  - clusteroperators
-  - clusteroperators/status
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - delete
-- apiGroups:
-  - operator.openshift.io
-  resources:
-  - consoles
-  - consoles/status
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - delete
-- apiGroups:
-  - console.openshift.io
-  resources:
-  - consoleclidownloads
-  verbs:
-  - get
-  - list
-  - watch
-  - create
-  - update
-  - delete
+  - apiGroups:
+      - oauth.openshift.io
+    resources:
+      - oauthclients
+    verbs:
+      - get
+      - list
+      - update
+      - watch
+    resourceNames:
+      - console
+  - apiGroups:
+      - config.openshift.io
+    resources:
+      - oauths
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - config.openshift.io
+    resources:
+      - infrastructures
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - config.openshift.io
+    resources:
+      - proxies
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - config.openshift.io
+    resources:
+      - consoles
+      - consoles/status
+      - clusteroperators
+      - clusteroperators/status
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - delete
+  - apiGroups:
+      - operator.openshift.io
+    resources:
+      - consoles
+      - consoles/status
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - delete
+  - apiGroups:
+      - console.openshift.io
+    resources:
+      - consoleclidownloads
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - delete
+  - apiGroups:
+      - cluster.open-cluster-management.io
+    resources:
+      - managedclusters
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - action.open-cluster-management.io
+    resources:
+      - managedclusteractions
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - delete
+  - apiGroups:
+      - view.open-cluster-management.io
+    resources:
+      - managedclusterviews
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - delete
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -90,29 +120,29 @@ metadata:
     include.release.openshift.io/self-managed-high-availability: "true"
     include.release.openshift.io/single-node-developer: "true"
 rules:
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
-  verbs:
-  - get
-- apiGroups:
-  - operators.coreos.com
-  resources:
-  - subscriptions
-  resourceNames:
-  - web-terminal
-  verbs:
-  - get
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - mutatingwebhookconfigurations
+      - validatingwebhookconfigurations
+    verbs:
+      - get
+  - apiGroups:
+      - operators.coreos.com
+    resources:
+      - subscriptions
+    resourceNames:
+      - web-terminal
+    verbs:
+      - get
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1

pkg/api/api.go

@@ -17,6 +17,7 @@ const (
 	ServiceCAConfigMapName                  = "service-ca"
 	DefaultIngressCertConfigMapName         = "default-ingress-cert"
 	OAuthServingCertConfigMapName           = "oauth-serving-cert"
+	OAuthConfigMapName                      = "oauth-openshift"
 	OpenShiftConsoleDeploymentName          = OpenShiftConsoleName
 	OpenShiftConsoleServiceName             = OpenShiftConsoleName
 	OpenshiftConsoleRedirectServiceName     = "console-redirect"
@@ -35,6 +36,16 @@ const (
 	TrustedCABundleMountFile                = "tls-ca-bundle.pem"
 	OCCLIDownloadsCustomResourceName        = "oc-cli-downloads"
 	ODOCLIDownloadsCustomResourceName       = "odo-cli-downloads"
+	HubClusterName                          = "local-cluster"
+	ManagedClusterLabel                     = "managed-cluster"
+	ManagedClusterConfigMapName             = "managed-clusters"
+	ManagedClusterConfigMountDir            = "/var/managed-cluster-config"
+	ManagedClusterConfigKey                 = "managed-clusters.yaml"
+	ManagedClusterAPIServerCAMountDir       = "/var/managed-cluster-certs"
+	ManagedClusterAPIServerCAName           = "managed-cluster-api-server-ca"
+	ManagedClusterAPIServerCAKey            = "ca-bundle.crt"
+	ManagedClusterIngressCertName           = "managed-cluster-ingress-cert"
+	ManagedClusterIngressCertKey            = "ca-bundle.crt"
 
 	ConsoleContainerPortName    = "https"
 	ConsoleContainerPort        = 443