Merge pull request red-hat-storage#2339 from rchikatw/onboarding

Api added for generating the token
nb-ohad · Dec 23, 2023 · 988b6e4 · 988b6e4
2 parents d241453 + fd21350
commit 988b6e4
Show file tree

Hide file tree

Showing 22 changed files with 593 additions and 17 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -13,6 +13,7 @@ ARG LDFLAGS
 RUN GOOS="$GOOS" GOARCH="$GOARCH" go build -ldflags "$LDFLAGS" -tags netgo,osusergo -o ocs-operator main.go
 RUN GOOS="$GOOS" GOARCH="$GOARCH" go build -tags netgo,osusergo -o provider-api services/provider/main.go
 RUN GOOS="$GOOS" GOARCH="$GOARCH" go build -tags netgo,osusergo -o onboarding-secret-generator onboarding/main.go
+RUN GOOS="$GOOS" GOARCH="$GOARCH" go build -tags netgo,osusergo -o ux-backend-server services/ux-backend/main.go
 
 # Build stage 2
 
@@ -22,6 +23,7 @@ COPY --from=builder workspace/ocs-operator /usr/local/bin/ocs-operator
 COPY --from=builder workspace/provider-api /usr/local/bin/provider-api
 COPY --from=builder workspace/onboarding-secret-generator /usr/local/bin/onboarding-secret-generator
 COPY --from=builder workspace/metrics/deploy/*rules*.yaml /ocs-prometheus-rules/
+COPY --from=builder workspace/ux-backend-server /usr/local/bin/ux-backend-server
 
 RUN chmod +x /usr/local/bin/ocs-operator /usr/local/bin/provider-api
 

diff --git a/controllers/ocsinitialization/ocsinitialization_controller.go b/controllers/ocsinitialization/ocsinitialization_controller.go
@@ -15,6 +15,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/klog/v2"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -26,7 +27,10 @@ import (
 // operatorNamespace is the namespace the operator is running in
 var operatorNamespace string
 
-const wrongNamespacedName = "Ignoring this resource. Only one should exist, and this one has the wrong name and/or namespace."
+const (
+	wrongNamespacedName     = "Ignoring this resource. Only one should exist, and this one has the wrong name and/or namespace."
+	random30CharacterString = "KP7TThmSTZegSGmHuPKLnSaaAHSG3RSgqw6akBj0oVk"
+)
 
 // InitNamespacedName returns a NamespacedName for the singleton instance that
 // should exist.
@@ -159,6 +163,18 @@ func (r *OCSInitializationReconciler) Reconcile(ctx context.Context, request rec
 		return reconcile.Result{}, err
 	}
 
+	err = r.reconcileUXBackendSecret(instance)
+	if err != nil {
+		r.Log.Error(err, "Failed to ensure uxbackend secret")
+		return reconcile.Result{}, err
+	}
+
+	err = r.reconcileUXBackendService(instance)
+	if err != nil {
+		r.Log.Error(err, "Failed to ensure uxbackend service")
+		return reconcile.Result{}, err
+	}
+
 	reason := ocsv1.ReconcileCompleted
 	message := ocsv1.ReconcileCompletedMessage
 	util.SetCompleteCondition(&instance.Status.Conditions, reason, message)
@@ -175,6 +191,8 @@ func (r *OCSInitializationReconciler) SetupWithManager(mgr ctrl.Manager) error {
 
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&ocsv1.OCSInitialization{}).
+		Owns(&corev1.Service{}).
+		Owns(&corev1.Secret{}).
 		// Watcher for storagecluster required to update
 		// ocs-operator-config configmap if storagecluster spec changes
 		Watches(
@@ -327,3 +345,81 @@ func (r *OCSInitializationReconciler) getEnableNFSKeyValue() string {
 
 	return "false"
 }
+
+func (r *OCSInitializationReconciler) reconcileUXBackendSecret(initialData *ocsv1.OCSInitialization) error {
+
+	var err error
+
+	secret := &corev1.Secret{}
+	secret.Name = "ux-backend-proxy"
+	secret.Namespace = initialData.Namespace
+
+	_, err = ctrl.CreateOrUpdate(r.ctx, r.Client, secret, func() error {
+
+		if err := ctrl.SetControllerReference(initialData, secret, r.Scheme); err != nil {
+			return err
+		}
+
+		secret.StringData = map[string]string{
+			"session_secret": random30CharacterString,
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		r.Log.Error(err, "Failed to create/update ux-backend secret")
+		return err
+	}
+
+	r.Log.Info("Secret creation succeeded", "Name", secret.Name)
+
+	return nil
+}
+
+func (r *OCSInitializationReconciler) reconcileUXBackendService(initialData *ocsv1.OCSInitialization) error {
+
+	var err error
+
+	service := &corev1.Service{}
+	service.Name = "ux-backend-proxy"
+	service.Namespace = initialData.Namespace
+
+	_, err = ctrl.CreateOrUpdate(r.ctx, r.Client, service, func() error {
+
+		if err := ctrl.SetControllerReference(initialData, service, r.Scheme); err != nil {
+			return err
+		}
+
+		service.Annotations = map[string]string{
+			"service.beta.openshift.io/serving-cert-secret-name": "ux-cert-secret",
+		}
+		service.Spec = corev1.ServiceSpec{
+			Ports: []corev1.ServicePort{
+				{
+					Name:     "proxy",
+					Port:     8888,
+					Protocol: corev1.ProtocolTCP,
+					TargetPort: intstr.IntOrString{
+						Type:   intstr.Int,
+						IntVal: 8888,
+					},
+				},
+			},
+			Selector:        map[string]string{"app": "ux-backend-server"},
+			SessionAffinity: "None",
+			Type:            "ClusterIP",
+		}
+
+		return nil
+
+	})
+
+	if err != nil {
+		r.Log.Error(err, "Failed to create/update ux-backend service")
+		return err
+	}
+	r.Log.Info("Service creation succeeded", "Name", service.Name)
+
+	return nil
+}
diff --git a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml
@@ -3079,6 +3079,8 @@ spec:
                   value: quay.io/ocs-dev/ocs-operator:latest
                 - name: ONBOARDING_SECRET_GENERATOR_IMAGE
                   value: quay.io/ocs-dev/ocs-operator:latest
+                - name: UX_BACKEND_SERVER_IMAGE
+                  value: quay.io/ocs-dev/ocs-operator:latest
                 - name: OPERATOR_NAMESPACE
                   valueFrom:
                     fieldRef:
@@ -3252,6 +3254,79 @@ spec:
                 name: rook-config
               - emptyDir: {}
                 name: default-config-dir
+      - name: ux-backend-server
+        spec:
+          replicas: 1
+          selector:
+            matchLabels:
+              app: ux-backend-server
+              app.kubernetes.io/component: ux-backend-server
+              app.kubernetes.io/name: ux-backend-server
+          strategy:
+            type: Recreate
+          template:
+            metadata:
+              labels:
+                app: ux-backend-server
+                app.kubernetes.io/component: ux-backend-server
+                app.kubernetes.io/name: ux-backend-server
+            spec:
+              containers:
+              - command:
+                - /usr/local/bin/ux-backend-server
+                env:
+                - name: ONBOARDING_TOKEN_LIFETIME
+                - name: UX_BACKEND_PORT
+                image: quay.io/ocs-dev/ocs-operator:latest
+                imagePullPolicy: IfNotPresent
+                name: ux-backend-server
+                ports:
+                - containerPort: 8080
+                resources: {}
+                volumeMounts:
+                - mountPath: /etc/private-key
+                  name: onboarding-private-key
+                - mountPath: /etc/tls/private
+                  name: ux-cert-secret
+              - args:
+                - -provider=openshift
+                - -https-address=:8888
+                - -http-address=
+                - -email-domain=*
+                - -upstream=https://localhost:8080/onboarding-tokens
+                - -tls-cert=/etc/tls/private/tls.crt
+                - -tls-key=/etc/tls/private/tls.key
+                - -cookie-secret-file=/etc/proxy/secrets/session_secret
+                - -openshift-service-account=ux-backend-server
+                - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+                image: quay.io/openshift/origin-oauth-proxy:latest
+                imagePullPolicy: IfNotPresent
+                name: oauth-proxy
+                ports:
+                - containerPort: 8888
+                resources: {}
+                volumeMounts:
+                - mountPath: /etc/proxy/secrets
+                  name: ux-proxy-secret
+                - mountPath: /etc/tls/private
+                  name: ux-cert-secret
+              serviceAccountName: ux-backend-server
+              tolerations:
+              - effect: NoSchedule
+                key: node.ocs.openshift.io/storage
+                operator: Equal
+                value: "true"
+              volumes:
+              - name: onboarding-private-key
+                secret:
+                  optional: true
+                  secretName: onboarding-private-key
+              - name: ux-proxy-secret
+                secret:
+                  secretName: ux-backend-proxy
+              - name: ux-cert-secret
+                secret:
+                  secretName: ux-cert-secret
       permissions:
       - rules:
         - apiGroups:
@@ -3571,4 +3646,6 @@ spec:
     name: ocs-must-gather
   - image: quay.io/ocs-dev/ocs-metrics-exporter:latest
     name: ocs-metrics-exporter
+  - image: quay.io/openshift/origin-oauth-proxy:latest
+    name: ux-backend-oauth-image
   version: 4.15.0
diff --git a/deploy/ocs-operator/manifests/onboarding-secret-generator-binding.yaml b/deploy/ocs-operator/manifests/onboarding-secret-generator-binding.yaml
@@ -1,10 +1,10 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: onboarding-secret-generator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: onboarding-secret-generator
 subjects:
 - kind: ServiceAccount

diff --git a/deploy/ocs-operator/manifests/onboarding-secret-generator-role.yaml b/deploy/ocs-operator/manifests/onboarding-secret-generator-role.yaml
@@ -1,4 +1,4 @@
-kind: ClusterRole
+kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: onboarding-secret-generator

diff --git a/deploy/ocs-operator/manifests/ux_backend_role.yaml b/deploy/ocs-operator/manifests/ux_backend_role.yaml
@@ -0,0 +1,16 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ux-backend-server
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - onboarding-private-key
+  - ux-cert-secret
+  - ux-backend-proxy
+  verbs:
+    - get
+    - list
diff --git a/deploy/ocs-operator/manifests/ux_backend_role_binding.yaml b/deploy/ocs-operator/manifests/ux_backend_role_binding.yaml
@@ -0,0 +1,12 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ux-backend-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ux-backend-server
+subjects:
+- kind: ServiceAccount
+  name: ux-backend-server
+  namespace: openshift-storage
diff --git a/deploy/ocs-operator/manifests/ux_backend_sa.yaml b/deploy/ocs-operator/manifests/ux_backend_sa.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ux-backend-server
diff --git a/hack/common.sh b/hack/common.sh
@@ -62,24 +62,28 @@ DEFAULT_OPERATOR_IMAGE_NAME="ocs-operator"
 DEFAULT_OPERATOR_BUNDLE_NAME="ocs-operator-bundle"
 DEFAULT_FILE_BASED_CATALOG_NAME="ocs-operator-catalog"
 DEFAULT_METRICS_EXPORTER_IMAGE_NAME="ocs-metrics-exporter"
+DEFAULT_UX_BACKEND_OAUTH_IMAGE_NAME="openshift/origin-oauth-proxy"
 
 IMAGE_REGISTRY="${IMAGE_REGISTRY:-${DEFAULT_IMAGE_REGISTRY}}"
 REGISTRY_NAMESPACE="${REGISTRY_NAMESPACE:-${DEFAULT_REGISTRY_NAMESPACE}}"
 OPERATOR_IMAGE_NAME="${OPERATOR_IMAGE_NAME:-${DEFAULT_OPERATOR_IMAGE_NAME}}"
 OPERATOR_BUNDLE_NAME="${OPERATOR_BUNDLE_NAME:-${DEFAULT_OPERATOR_BUNDLE_NAME}}"
 FILE_BASED_CATALOG_NAME="${FILE_BASED_CATALOG_NAME:-${DEFAULT_FILE_BASED_CATALOG_NAME}}"
 METRICS_EXPORTER_IMAGE_NAME="${METRICS_EXPORTER_IMAGE_NAME:-${DEFAULT_METRICS_EXPORTER_IMAGE_NAME}}"
+UX_BACKEND_OAUTH_IMAGE_NAME="${UX_BACKEND_OAUTH_IMAGE_NAME:-${DEFAULT_UX_BACKEND_OAUTH_IMAGE_NAME}}"
 IMAGE_TAG="${IMAGE_TAG:-${DEFAULT_IMAGE_TAG}}"
 
 DEFAULT_OPERATOR_FULL_IMAGE_NAME="${IMAGE_REGISTRY}/${REGISTRY_NAMESPACE}/${OPERATOR_IMAGE_NAME}:${IMAGE_TAG}"
 DEFAULT_BUNDLE_FULL_IMAGE_NAME="${IMAGE_REGISTRY}/${REGISTRY_NAMESPACE}/${OPERATOR_BUNDLE_NAME}:${IMAGE_TAG}"
 DEFAULT_FILE_BASED_CATALOG_FULL_IMAGE_NAME="${IMAGE_REGISTRY}/${REGISTRY_NAMESPACE}/${FILE_BASED_CATALOG_NAME}:${IMAGE_TAG}"
 DEFAULT_METRICS_EXPORTER_FULL_IMAGE_NAME="${IMAGE_REGISTRY}/${REGISTRY_NAMESPACE}/${METRICS_EXPORTER_IMAGE_NAME}:${IMAGE_TAG}"
+DEFAULT_UX_BACKEND_OAUTH_FULL_IMAGE_NAME="${IMAGE_REGISTRY}/${UX_BACKEND_OAUTH_IMAGE_NAME}:${IMAGE_TAG}"
 
 OPERATOR_FULL_IMAGE_NAME="${OPERATOR_FULL_IMAGE_NAME:-${DEFAULT_OPERATOR_FULL_IMAGE_NAME}}"
 BUNDLE_FULL_IMAGE_NAME="${BUNDLE_FULL_IMAGE_NAME:-${DEFAULT_BUNDLE_FULL_IMAGE_NAME}}"
 FILE_BASED_CATALOG_FULL_IMAGE_NAME="${FILE_BASED_CATALOG_FULL_IMAGE_NAME:-${DEFAULT_FILE_BASED_CATALOG_FULL_IMAGE_NAME}}"
 METRICS_EXPORTER_FULL_IMAGE_NAME="${METRICS_EXPORTER_FULL_IMAGE_NAME:-${DEFAULT_METRICS_EXPORTER_FULL_IMAGE_NAME}}"
+UX_BACKEND_OAUTH_FULL_IMAGE_NAME="${UX_BACKEND_OAUTH_FULL_IMAGE_NAME:-${DEFAULT_UX_BACKEND_OAUTH_FULL_IMAGE_NAME}}"
 
 NOOBAA_BUNDLE_FULL_IMAGE_NAME="quay.io/noobaa/noobaa-operator-bundle:master-20231217"
 

diff --git a/hack/generate-latest-csv.sh b/hack/generate-latest-csv.sh
@@ -14,6 +14,7 @@ export NOOBAA_DB_IMAGE=${NOOBAA_DB_IMAGE:-${LATEST_NOOBAA_DB_IMAGE}}
 export CEPH_IMAGE=${CEPH_IMAGE:-${LATEST_CEPH_IMAGE}}
 export OCS_IMAGE=${OCS_IMAGE:-${OPERATOR_FULL_IMAGE_NAME}}
 export OCS_METRICS_EXPORTER_IMAGE=${OCS_METRICS_EXPORTER_IMAGE:-${METRICS_EXPORTER_FULL_IMAGE_NAME}}
+export UX_BACKEND_OAUTH_IMAGE=${UX_BACKEND_OAUTH_IMAGE:-${UX_BACKEND_OAUTH_FULL_IMAGE_NAME}}
 export OCS_MUST_GATHER_IMAGE=${OCS_MUST_GATHER_IMAGE:-${LATEST_MUST_GATHER_IMAGE}}
 export ROOK_CSIADDONS_IMAGE=${ROOK_CSIADDONS_IMAGE:-${LATEST_ROOK_CSIADDONS_IMAGE}}
 
@@ -25,6 +26,7 @@ echo -e "\tNOOBAA_CORE_IMAGE=$NOOBAA_CORE_IMAGE"
 echo -e "\tNOOBAA_DB_IMAGE=$NOOBAA_DB_IMAGE"
 echo -e "\tOCS_IMAGE=$OCS_IMAGE"
 echo -e "\tOCS_METRICS_EXPORTER_IMAGE=$OCS_METRICS_EXPORTER_IMAGE"
+echo -e "\tUX_BACKEND_OAUTH_IMAGE=$UX_BACKEND_OAUTH_IMAGE"
 echo -e "\tOCS_MUST_GATHER_IMAGE=$OCS_MUST_GATHER_IMAGE"
 echo -e "\tROOK_CSIADDONS_IMAGE=$ROOK_CSIADDONS_IMAGE"
 

diff --git a/hack/generate-unified-csv.sh b/hack/generate-unified-csv.sh
@@ -61,6 +61,7 @@ $CSV_MERGER \
 	--noobaa-db-image="$NOOBAA_DB_IMAGE" \
 	--ocs-image="$OCS_IMAGE" \
 	--ocs-metrics-exporter-image="$OCS_METRICS_EXPORTER_IMAGE" \
+	--ux-backend-oauth-image="$UX_BACKEND_OAUTH_IMAGE" \
 	--ocs-must-gather-image="$OCS_MUST_GATHER_IMAGE" \
 	--crds-directory="$OUTDIR_CRDS" \
 	--manifests-directory=$BUNDLEMANIFESTS_DIR \

diff --git a/onboarding/main.go b/onboarding/main.go
@@ -18,9 +18,9 @@ import (
 )
 
 const (
-	onboardingTicketPublicKeySecretName  = "onboarding-ticket-key" //Name of existing public key which is used ocs-operator
-	onboardingTicketPrivateKeySecretName = "onboarding-ticket-private-key"
-	serviceAccountName                   = "onboarding-secret-generator"
+	onboardingTicketPublicKeySecretName = "onboarding-ticket-key" //Name of existing public key which is used ocs-operator
+	onboardingPrivateKeySecretName      = "onboarding-private-key"
+	serviceAccountName                  = "onboarding-secret-generator"
 )
 
 func main() {
@@ -60,7 +60,7 @@ func main() {
 
 		privateSecret := &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:        onboardingTicketPrivateKeySecretName,
+				Name:        onboardingPrivateKeySecretName,
 				Namespace:   operatorNamespace,
 				Annotations: map[string]string{"kubernetes.io/service-account.name": serviceAccountName},
 			},

diff --git a/rbac/onboarding-secret-generator-binding.yaml b/rbac/onboarding-secret-generator-binding.yaml
@@ -1,10 +1,10 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: onboarding-secret-generator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: onboarding-secret-generator
 subjects:
 - kind: ServiceAccount

diff --git a/rbac/onboarding-secret-generator-role.yaml b/rbac/onboarding-secret-generator-role.yaml
@@ -1,4 +1,4 @@
-kind: ClusterRole
+kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: onboarding-secret-generator