Fast forward multi cluster feature branch

go.mod

@@ -1,6 +1,6 @@
 module github.com/openshift/console-operator
 
-go 1.15
+go 1.16
 
 require (
 	github.com/blang/semver v3.5.1+incompatible
@@ -10,21 +10,23 @@ require (
 	github.com/go-test/deep v1.0.5
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/open-cluster-management/api v0.0.0-20210527013639-a6845f2ebcb1
-	github.com/openshift/api v0.0.0-20210729103544-e4a0474d1519
+	github.com/openshift/api v0.0.0-20211103080632-8981c8822dfa
 	github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3
-	github.com/openshift/client-go v0.0.0-20210112160336-8889f8b15bd6
+	github.com/openshift/client-go v0.0.0-20211104174419-390ab1a408da
 	github.com/openshift/library-go v0.0.0-20210330121117-68dd4a4c9d9e
 	github.com/pkg/profile v1.4.0 // indirect
-	github.com/spf13/cobra v1.1.1
+	github.com/spf13/cobra v1.1.3
 	github.com/spf13/pflag v1.0.5
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.21.1
-	k8s.io/apiextensions-apiserver v0.21.0 // indirect
-	k8s.io/apimachinery v0.21.1
-	k8s.io/client-go v0.21.0
-	k8s.io/component-base v0.21.0
-	k8s.io/klog/v2 v2.8.0
+	k8s.io/api v0.22.1
+	k8s.io/apiextensions-apiserver v0.22.1 // indirect
+	k8s.io/apimachinery v0.22.1
+	k8s.io/client-go v0.22.1
+	k8s.io/component-base v0.22.1
+	k8s.io/klog/v2 v2.9.0
 )
 
-// points to temporary-watch-reduction-patch-1.21 to pick up k/k/pull/101102 - please remove it once the pr merges and a new Z release is cut
-replace k8s.io/apiserver => github.com/openshift/kubernetes-apiserver v0.0.0-20210419140141-620426e63a99
+replace (
+	github.com/openshift/api => github.com/jhadvig/api v0.0.0-20211101154927-473eacc76bdf
+	github.com/openshift/client-go => github.com/jhadvig/client-go v0.0.0-20211101145210-04457ae71f20
+)

manifests/0000_90_console_01_prometheusrbac.yaml

@@ -0,0 +1,40 @@
+# Role for accessing metrics exposed by the console
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: prometheus-k8s
+  namespace: openshift-console
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - endpoints
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+---
+# Grant cluster-monitoring access to console metrics
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: prometheus-k8s
+  namespace: openshift-console
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prometheus-k8s
+subjects:
+  - kind: ServiceAccount
+    name: prometheus-k8s
+    namespace: openshift-monitoring

manifests/0000_90_console_02_servicemonitor.yaml

@@ -0,0 +1,24 @@
+# Configure cluster-monitoring for console
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: console
+  namespace: openshift-console
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+spec:
+  endpoints:
+    - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+      interval: 30s
+      path: /metrics
+      port: https
+      scheme: https
+      tlsConfig:
+        caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
+        serverName: console.openshift-console.svc
+  jobLabel: component
+  selector:
+    matchLabels:
+      app: console

manifests/02-namespace.yaml

@@ -10,6 +10,7 @@ metadata:
     workload.openshift.io/allowed: "management"
   labels:
     network.openshift.io/policy-group: "console"
+    openshift.io/cluster-monitoring: "true"
 ---
 apiVersion: v1
 kind: Namespace

manifests/03-rbac-role-cluster.yaml

@@ -143,6 +143,7 @@ rules:
       - web-terminal
     verbs:
       - get
+      - list
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1

manifests/04-rbac-rolebinding-cluster.yaml

@@ -88,3 +88,23 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: helm-chartrepos-viewer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: console-auth-delegator
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+roleRef:
+  # for protected endpoints like /metrics, the console backend must perform
+  # authentication (tokenreview) & authorization (subjectaccessreview)
+  # which are granted by this ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - kind: ServiceAccount
+    name: console
+    namespace: openshift-console

manifests/04-rbac-rolebinding.yaml

@@ -122,3 +122,21 @@ subjects:
   - kind: ServiceAccount
     name: console
     namespace: openshift-console
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: console
+  namespace: kube-system
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+roleRef:
+  kind: Role
+  name: extension-apiserver-authentication-reader
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: console
+    namespace: openshift-console

pkg/console/operator/sync_v400.go

@@ -348,8 +348,9 @@ func (co *consoleOperator) SyncConfigMap(
 		}
 	}
 
-	pluginsEndpointMap := co.GetPluginsEndpointMap(operatorConfig.Spec.Plugins)
-	defaultConfigmap, _, err := configmapsub.DefaultConfigMap(operatorConfig, consoleConfig, managedConfig, infrastructureConfig, activeConsoleRoute, useDefaultCAFile, inactivityTimeoutSeconds, pluginsEndpointMap)
+	availablePlugins := co.GetAvailablePlugins(operatorConfig.Spec.Plugins)
+
+	defaultConfigmap, _, err := configmapsub.DefaultConfigMap(operatorConfig, consoleConfig, managedConfig, infrastructureConfig, activeConsoleRoute, useDefaultCAFile, inactivityTimeoutSeconds, availablePlugins)
 	if err != nil {
 		return nil, false, "FailedConsoleConfigBuilder", err
 	}
@@ -532,24 +533,15 @@ func (co *consoleOperator) ValidateCustomLogo(ctx context.Context, operatorConfi
 	return true, "", nil
 }
 
-func (co *consoleOperator) GetPluginsEndpointMap(enabledPluginsNames []string) map[string]string {
-	pluginsEndpointMap := map[string]string{}
+func (co *consoleOperator) GetAvailablePlugins(enabledPluginsNames []string) []*v1alpha1.ConsolePlugin {
+	var availablePlugins []*v1alpha1.ConsolePlugin
 	for _, pluginName := range enabledPluginsNames {
 		plugin, err := co.consolePluginLister.Get(pluginName)
 		if err != nil {
 			klog.Errorf("failed to get %q plugin: %v", pluginName, err)
 			continue
 		}
-		pluginsEndpointMap[pluginName] = getServiceHostname(plugin)
-	}
-	return pluginsEndpointMap
-}
-
-func getServiceHostname(plugin *v1alpha1.ConsolePlugin) string {
-	pluginURL := &url.URL{
-		Scheme: "https",
-		Host:   fmt.Sprintf("%s.%s.svc.cluster.local:%d", plugin.Spec.Service.Name, plugin.Spec.Service.Namespace, plugin.Spec.Service.Port),
-		Path:   plugin.Spec.Service.BasePath,
+		availablePlugins = append(availablePlugins, plugin)
 	}
-	return pluginURL.String()
+	return availablePlugins
 }

pkg/console/subresource/configmap/brand_ocp.go

@@ -4,5 +4,5 @@ package configmap
 
 const (
 	DEFAULT_BRAND   = "ocp"
-	DEFAULT_DOC_URL = "https://docs.openshift.com/container-platform/4.9/"
+	DEFAULT_DOC_URL = "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/"
 )

pkg/console/subresource/configmap/configmap.go

@@ -2,11 +2,13 @@ package configmap
 
 import (
 	"fmt"
+	"net/url"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/klog/v2"
 
 	configv1 "github.com/openshift/api/config/v1"
+	"github.com/openshift/api/console/v1alpha1"
 	operatorv1 "github.com/openshift/api/operator/v1"
 	routev1 "github.com/openshift/api/route/v1"
 	"github.com/openshift/console-operator/pkg/api"
@@ -19,6 +21,7 @@ import (
 const (
 	consoleConfigYamlFile = "console-config.yaml"
 	defaultLogoutURL      = ""
+	pluginProxyEndpoint   = "/api/proxy/"
 )
 
 func getApiUrl(infrastructureConfig *configv1.Infrastructure) string {
@@ -43,7 +46,7 @@ func DefaultConfigMap(
 	activeConsoleRoute *routev1.Route,
 	useDefaultCAFile bool,
 	inactivityTimeoutSeconds int,
-	pluginsEndpoingMap map[string]string) (consoleConfigmap *corev1.ConfigMap, unsupportedOverridesHaveMerged bool, err error) {
+	availablePlugins []*v1alpha1.ConsolePlugin) (consoleConfigmap *corev1.ConfigMap, unsupportedOverridesHaveMerged bool, err error) {
 
 	defaultBuilder := &consoleserver.ConsoleServerCLIConfigBuilder{}
 	defaultConfig, err := defaultBuilder.Host(activeConsoleRoute.Spec.Host).
@@ -68,7 +71,8 @@ func DefaultConfigMap(
 		DocURL(operatorConfig.Spec.Customization.DocumentationBaseURL).
 		OAuthServingCert(useDefaultCAFile).
 		APIServerURL(getApiUrl(infrastructureConfig)).
-		Plugins(pluginsEndpoingMap).
+		Plugins(GetPluginsEndpointMap(availablePlugins)).
+		Proxy(GetPluginsProxyServices(availablePlugins)).
 		CustomLogoFile(operatorConfig.Spec.Customization.CustomLogoFile.Key).
 		CustomProductName(operatorConfig.Spec.Customization.CustomProductName).
 		CustomDeveloperCatalog(operatorConfig.Spec.Customization.DeveloperCatalog).
@@ -109,6 +113,51 @@ func DefaultConfigMap(
 	return configMap, willMergeConfigOverrides, nil
 }
 
+func GetPluginsEndpointMap(availablePlugins []*v1alpha1.ConsolePlugin) map[string]string {
+	pluginsEndpointMap := map[string]string{}
+	for _, plugin := range availablePlugins {
+		pluginsEndpointMap[plugin.Name] = getServiceURL(plugin)
+	}
+	return pluginsEndpointMap
+}
+
+func GetPluginsProxyServices(availablePlugins []*v1alpha1.ConsolePlugin) []consoleserver.ProxyService {
+	proxyServices := []consoleserver.ProxyService{}
+	for _, plugin := range availablePlugins {
+		for _, service := range plugin.Spec.Proxy.Services {
+			proxyService := consoleserver.ProxyService{
+				ConsoleAPIPath: getConsoleAPIPath(&service),
+				Endpoint:       getProxyServiceURL(&service),
+				CACertificate:  service.CACertificate,
+				Authorize:      service.Authorize,
+			}
+			proxyServices = append(proxyServices, proxyService)
+		}
+	}
+	return proxyServices
+}
+
+func getConsoleAPIPath(service *v1alpha1.ConsolePluginProxyService) string {
+	return fmt.Sprintf("%snamespace/%s/service/%s/", pluginProxyEndpoint, service.Namespace, fmt.Sprintf("%s:%d", service.Name, service.Port))
+}
+
+func getProxyServiceURL(service *v1alpha1.ConsolePluginProxyService) string {
+	pluginURL := &url.URL{
+		Scheme: "https",
+		Host:   fmt.Sprintf("%s.%s.svc.cluster.local:%d", service.Name, service.Namespace, service.Port),
+	}
+	return pluginURL.String()
+}
+
+func getServiceURL(plugin *v1alpha1.ConsolePlugin) string {
+	pluginURL := &url.URL{
+		Scheme: "https",
+		Host:   fmt.Sprintf("%s.%s.svc.cluster.local:%d", plugin.Spec.Service.Name, plugin.Spec.Service.Namespace, plugin.Spec.Service.Port),
+		Path:   plugin.Spec.Service.BasePath,
+	}
+	return pluginURL.String()
+}
+
 func isCustomRoute(activeRoute *routev1.Route) bool {
 	return activeRoute.GetName() == api.OpenshiftConsoleCustomRouteName
 }