onboarding token genration api added

Signed-off-by: rchikatw <[email protected]>
red-hat-storage · Dec 22, 2023 · 46c697c · 46c697c
1 parent d241453
commit 46c697c
Show file tree

Hide file tree

Showing 21 changed files with 571 additions and 13 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -13,6 +13,7 @@ ARG LDFLAGS
 RUN GOOS="$GOOS" GOARCH="$GOARCH" go build -ldflags "$LDFLAGS" -tags netgo,osusergo -o ocs-operator main.go
 RUN GOOS="$GOOS" GOARCH="$GOARCH" go build -tags netgo,osusergo -o provider-api services/provider/main.go
 RUN GOOS="$GOOS" GOARCH="$GOARCH" go build -tags netgo,osusergo -o onboarding-secret-generator onboarding/main.go
+RUN GOOS="$GOOS" GOARCH="$GOARCH" go build -tags netgo,osusergo -o ux-backend-server services/ux-backend/main.go
 
 # Build stage 2
 
@@ -22,6 +23,7 @@ COPY --from=builder workspace/ocs-operator /usr/local/bin/ocs-operator
 COPY --from=builder workspace/provider-api /usr/local/bin/provider-api
 COPY --from=builder workspace/onboarding-secret-generator /usr/local/bin/onboarding-secret-generator
 COPY --from=builder workspace/metrics/deploy/*rules*.yaml /ocs-prometheus-rules/
+COPY --from=builder workspace/ux-backend-server /usr/local/bin/ux-backend-server
 
 RUN chmod +x /usr/local/bin/ocs-operator /usr/local/bin/provider-api
 

diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -3,6 +3,8 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+- ux_backend_role.yaml
+- ux_backend_role_binding.yaml
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.

diff --git a/config/rbac/ux_backend_role.yaml b/config/rbac/ux_backend_role.yaml
@@ -0,0 +1,14 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ux-backend-server
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - onboarding-private-key
+  verbs:
+    - get
+    - list
diff --git a/config/rbac/ux_backend_role_binding.yaml b/config/rbac/ux_backend_role_binding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ux-backend-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ux-backend-server
+subjects:
+- kind: ServiceAccount
+  name: ux-backend-server
+  namespace: openshift-storage
diff --git a/controllers/ocsinitialization/ocsinitialization_controller.go b/controllers/ocsinitialization/ocsinitialization_controller.go
@@ -15,6 +15,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/klog/v2"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -26,7 +27,10 @@ import (
 // operatorNamespace is the namespace the operator is running in
 var operatorNamespace string
 
-const wrongNamespacedName = "Ignoring this resource. Only one should exist, and this one has the wrong name and/or namespace."
+const (
+	wrongNamespacedName     = "Ignoring this resource. Only one should exist, and this one has the wrong name and/or namespace."
+	random30CharactorString = "KP7TThmSTZegSGmHuPKLnSaaAHSG3RSgqw6akBj0oVk"
+)
 
 // InitNamespacedName returns a NamespacedName for the singleton instance that
 // should exist.
@@ -159,6 +163,18 @@ func (r *OCSInitializationReconciler) Reconcile(ctx context.Context, request rec
 		return reconcile.Result{}, err
 	}
 
+	err = r.reconcileUXBackendSecret(instance)
+	if err != nil {
+		r.Log.Error(err, "Failed to ensure uxbackend secret")
+		return reconcile.Result{}, err
+	}
+
+	err = r.reconcileUXBackendService(instance)
+	if err != nil {
+		r.Log.Error(err, "Failed to ensure uxbackend service")
+		return reconcile.Result{}, err
+	}
+
 	reason := ocsv1.ReconcileCompleted
 	message := ocsv1.ReconcileCompletedMessage
 	util.SetCompleteCondition(&instance.Status.Conditions, reason, message)
@@ -175,6 +191,8 @@ func (r *OCSInitializationReconciler) SetupWithManager(mgr ctrl.Manager) error {
 
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&ocsv1.OCSInitialization{}).
+		Owns(&corev1.Service{}).
+		Owns(&corev1.Secret{}).
 		// Watcher for storagecluster required to update
 		// ocs-operator-config configmap if storagecluster spec changes
 		Watches(
@@ -327,3 +345,82 @@ func (r *OCSInitializationReconciler) getEnableNFSKeyValue() string {
 
 	return "false"
 }
+
+func (r *OCSInitializationReconciler) reconcileUXBackendSecret(initialData *ocsv1.OCSInitialization) error {
+
+	var err error
+
+	secret := &corev1.Secret{}
+	secret.Name = "ux-backend-proxy"
+	secret.Namespace = initialData.Namespace
+
+	_, err = ctrl.CreateOrUpdate(r.ctx, r.Client, secret, func() error {
+
+		if err := ctrl.SetControllerReference(initialData, secret, r.Scheme); err != nil {
+			return err
+		}
+
+		secret.StringData = map[string]string{
+			"session_secret": random30CharactorString,
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		r.Log.Error(err, "Failed to create/update ux-backend secret")
+		return err
+	}
+
+	r.Log.Info("Secret creation succeeded", "Name", secret.Name)
+
+	return nil
+}
+
+func (r *OCSInitializationReconciler) reconcileUXBackendService(initialData *ocsv1.OCSInitialization) error {
+
+	var err error
+	annotations := map[string]string{
+		"service.beta.openshift.io/serving-cert-secret-name": "ux-cert-secret",
+	}
+
+	service := &corev1.Service{}
+	service.Name = "ux-backend-proxy"
+	service.Namespace = initialData.Namespace
+
+	_, err = ctrl.CreateOrUpdate(r.ctx, r.Client, service, func() error {
+
+		if err := ctrl.SetControllerReference(initialData, service, r.Scheme); err != nil {
+			return err
+		}
+
+		service.Annotations = annotations
+		service.Spec = corev1.ServiceSpec{
+			Ports: []corev1.ServicePort{
+				{
+					Name:     "proxy",
+					Port:     8888,
+					Protocol: corev1.ProtocolTCP,
+					TargetPort: intstr.IntOrString{
+						Type:   intstr.Int,
+						IntVal: 8888,
+					},
+				},
+			},
+			Selector:        map[string]string{"app": "ux-backend-server"},
+			SessionAffinity: "None",
+			Type:            "ClusterIP",
+		}
+
+		return nil
+
+	})
+
+	if err != nil {
+		r.Log.Error(err, "Failed to create/update ux-backend service")
+		return err
+	}
+	r.Log.Info("Service creation succeeded", "Name", service.Name)
+
+	return nil
+}
diff --git a/deploy/csv-templates/crds/rook/ceph.rook.io_cephobjectrealms.yaml b/deploy/csv-templates/crds/rook/ceph.rook.io_cephobjectrealms.yaml
@@ -75,3 +75,4 @@ status:
     plural: ""
   conditions: null
   storedVersions: null
+
diff --git a/deploy/csv-templates/ocs-operator.csv.yaml.in b/deploy/csv-templates/ocs-operator.csv.yaml.in
@@ -515,6 +515,17 @@ spec:
           verbs:
           - '*'
         serviceAccountName: ocs-operator
+      - rules:
+        - apiGroups:
+          - ""
+          resourceNames:
+          - onboarding-private-key
+          resources:
+          - secrets
+          verbs:
+          - get
+          - list
+        serviceAccountName: ux-backend-server
       deployments:
       - name: ocs-operator
         spec:

diff --git a/deploy/deploy-with-olm.yaml b/deploy/deploy-with-olm.yaml
@@ -23,10 +23,7 @@ metadata:
   namespace: openshift-marketplace
 spec:
   displayName: OpenShift Container Storage
-  icon:
-    base64data: PHN2ZyBpZD0iTGF5ZXJfMSIgZGF0YS1uYW1lPSJMYXllciAxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCAxOTIgMTQ1Ij48ZGVmcz48c3R5bGU+LmNscy0xe2ZpbGw6I2UwMDt9PC9zdHlsZT48L2RlZnM+PHRpdGxlPlJlZEhhdC1Mb2dvLUhhdC1Db2xvcjwvdGl0bGU+PHBhdGggZD0iTTE1Ny43Nyw2Mi42MWExNCwxNCwwLDAsMSwuMzEsMy40MmMwLDE0Ljg4LTE4LjEsMTcuNDYtMzAuNjEsMTcuNDZDNzguODMsODMuNDksNDIuNTMsNTMuMjYsNDIuNTMsNDRhNi40Myw2LjQzLDAsMCwxLC4yMi0xLjk0bC0zLjY2LDkuMDZhMTguNDUsMTguNDUsMCwwLDAtMS41MSw3LjMzYzAsMTguMTEsNDEsNDUuNDgsODcuNzQsNDUuNDgsMjAuNjksMCwzNi40My03Ljc2LDM2LjQzLTIxLjc3LDAtMS4wOCwwLTEuOTQtMS43My0xMC4xM1oiLz48cGF0aCBjbGFzcz0iY2xzLTEiIGQ9Ik0xMjcuNDcsODMuNDljMTIuNTEsMCwzMC42MS0yLjU4LDMwLjYxLTE3LjQ2YTE0LDE0LDAsMCwwLS4zMS0zLjQybC03LjQ1LTMyLjM2Yy0xLjcyLTcuMTItMy4yMy0xMC4zNS0xNS43My0xNi42QzEyNC44OSw4LjY5LDEwMy43Ni41LDk3LjUxLjUsOTEuNjkuNSw5MCw4LDgzLjA2LDhjLTYuNjgsMC0xMS42NC01LjYtMTcuODktNS42LTYsMC05LjkxLDQuMDktMTIuOTMsMTIuNSwwLDAtOC40MSwyMy43Mi05LjQ5LDI3LjE2QTYuNDMsNi40MywwLDAsMCw0Mi41Myw0NGMwLDkuMjIsMzYuMywzOS40NSw4NC45NCwzOS40NU0xNjAsNzIuMDdjMS43Myw4LjE5LDEuNzMsOS4wNSwxLjczLDEwLjEzLDAsMTQtMTUuNzQsMjEuNzctMzYuNDMsMjEuNzdDNzguNTQsMTA0LDM3LjU4LDc2LjYsMzcuNTgsNTguNDlhMTguNDUsMTguNDUsMCwwLDEsMS41MS03LjMzQzIyLjI3LDUyLC41LDU1LC41LDc0LjIyYzAsMzEuNDgsNzQuNTksNzAuMjgsMTMzLjY1LDcwLjI4LDQ1LjI4LDAsNTYuNy0yMC40OCw1Ni43LTM2LjY1LDAtMTIuNzItMTEtMjcuMTYtMzAuODMtMzUuNzgiLz48L3N2Zz4=
-    mediatype: image/svg+xml
-  image: quay.io/ocs-dev/ocs-operator-catalog:latest
+  image: quay.io/rchikatw/ocs-operator-catalog:latest201
   publisher: Red Hat
   sourceType: grpc
 ---
@@ -51,3 +48,4 @@ spec:
   name: noobaa-operator
   source: ocs-catalogsource
   sourceNamespace: openshift-marketplace
+
diff --git a/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml b/deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml
@@ -2280,6 +2280,17 @@ spec:
           verbs:
           - '*'
         serviceAccountName: ocs-operator
+      - rules:
+        - apiGroups:
+          - ""
+          resourceNames:
+          - onboarding-private-key
+          resources:
+          - secrets
+          verbs:
+          - get
+          - list
+        serviceAccountName: ux-backend-server
       - rules:
         - apiGroups:
           - ""
@@ -3079,6 +3090,8 @@ spec:
                   value: quay.io/ocs-dev/ocs-operator:latest
                 - name: ONBOARDING_SECRET_GENERATOR_IMAGE
                   value: quay.io/ocs-dev/ocs-operator:latest
+                - name: UX_BACKEND_SERVER_IMAGE
+                  value: quay.io/ocs-dev/ocs-operator:latest
                 - name: OPERATOR_NAMESPACE
                   valueFrom:
                     fieldRef:
@@ -3252,6 +3265,79 @@ spec:
                 name: rook-config
               - emptyDir: {}
                 name: default-config-dir
+      - name: ux-backend-server
+        spec:
+          replicas: 1
+          selector:
+            matchLabels:
+              app: ux-backend-server
+              app.kubernetes.io/component: ux-backend-server
+              app.kubernetes.io/name: ux-backend-server
+          strategy:
+            type: Recreate
+          template:
+            metadata:
+              labels:
+                app: ux-backend-server
+                app.kubernetes.io/component: ux-backend-server
+                app.kubernetes.io/name: ux-backend-server
+            spec:
+              containers:
+              - command:
+                - /usr/local/bin/ux-backend-server
+                env:
+                - name: ONBOARDING_TOKEN_LIFETIME
+                - name: UX_BACKEND_PORT
+                image: quay.io/ocs-dev/ocs-operator:latest
+                imagePullPolicy: IfNotPresent
+                name: ux-backend-server
+                ports:
+                - containerPort: 8080
+                resources: {}
+                volumeMounts:
+                - mountPath: /etc/private-key
+                  name: onboarding-private-key
+                - mountPath: /etc/tls/private
+                  name: ux-cert-secret
+              - args:
+                - -provider=openshift
+                - -https-address=:8888
+                - -http-address=
+                - -email-domain=*
+                - -upstream=https://localhost:8080/onboarding-tokens
+                - -tls-cert=/etc/tls/private/tls.crt
+                - -tls-key=/etc/tls/private/tls.key
+                - -cookie-secret-file=/etc/proxy/secrets/session_secret
+                - -openshift-service-account=ux-proxy-sa
+                - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+                image: quay.io/openshift/origin-oauth-proxy:latest
+                imagePullPolicy: IfNotPresent
+                name: oauth-proxy
+                ports:
+                - containerPort: 8888
+                resources: {}
+                volumeMounts:
+                - mountPath: /etc/proxy/secrets
+                  name: ux-proxy-secret
+                - mountPath: /etc/tls/private
+                  name: ux-cert-secret
+              serviceAccountName: ux-proxy-sa
+              tolerations:
+              - effect: NoSchedule
+                key: node.ocs.openshift.io/storage
+                operator: Equal
+                value: "true"
+              volumes:
+              - name: onboarding-private-key
+                secret:
+                  optional: true
+                  secretName: onboarding-private-key
+              - name: ux-proxy-secret
+                secret:
+                  secretName: ux-backend-proxy
+              - name: ux-cert-secret
+                secret:
+                  secretName: ux-cert-secret
       permissions:
       - rules:
         - apiGroups:
@@ -3571,4 +3657,8 @@ spec:
     name: ocs-must-gather
   - image: quay.io/ocs-dev/ocs-metrics-exporter:latest
     name: ocs-metrics-exporter
+  - image: quay.io/ocs-dev/ocs-operator:latest
+    name: ux-backend-server-image
+  - image: quay.io/openshift/origin-oauth-proxy:latest
+    name: ux-backend-oauth-image
   version: 4.15.0
diff --git a/deploy/ocs-operator/manifests/onboarding-proxy-sa.yaml b/deploy/ocs-operator/manifests/onboarding-proxy-sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ux-proxy-sa
+  namespace: openshift-storage
diff --git a/hack/common.sh b/hack/common.sh
@@ -62,24 +62,34 @@ DEFAULT_OPERATOR_IMAGE_NAME="ocs-operator"
 DEFAULT_OPERATOR_BUNDLE_NAME="ocs-operator-bundle"
 DEFAULT_FILE_BASED_CATALOG_NAME="ocs-operator-catalog"
 DEFAULT_METRICS_EXPORTER_IMAGE_NAME="ocs-metrics-exporter"
+DEFAULT_UX_BACKEND_SERVER_IMAGE_NAME="ocs-operator"
+DEFAULT_UX_BACKEND_OAUTH_IMAGE_NAME="openshift/origin-oauth-proxy"
+
 
 IMAGE_REGISTRY="${IMAGE_REGISTRY:-${DEFAULT_IMAGE_REGISTRY}}"
 REGISTRY_NAMESPACE="${REGISTRY_NAMESPACE:-${DEFAULT_REGISTRY_NAMESPACE}}"
 OPERATOR_IMAGE_NAME="${OPERATOR_IMAGE_NAME:-${DEFAULT_OPERATOR_IMAGE_NAME}}"
 OPERATOR_BUNDLE_NAME="${OPERATOR_BUNDLE_NAME:-${DEFAULT_OPERATOR_BUNDLE_NAME}}"
 FILE_BASED_CATALOG_NAME="${FILE_BASED_CATALOG_NAME:-${DEFAULT_FILE_BASED_CATALOG_NAME}}"
 METRICS_EXPORTER_IMAGE_NAME="${METRICS_EXPORTER_IMAGE_NAME:-${DEFAULT_METRICS_EXPORTER_IMAGE_NAME}}"
+UX_BACKEND_SERVER_IMAGE_NAME="${UX_BACKEND_SERVER_IMAGE_NAME:-${DEFAULT_UX_BACKEND_SERVER_IMAGE_NAME}}"
+UX_BACKEND_OAUTH_IMAGE_NAME="${UX_BACKEND_OAUTH_IMAGE_NAME:-${DEFAULT_UX_BACKEND_OAUTH_IMAGE_NAME}}"
 IMAGE_TAG="${IMAGE_TAG:-${DEFAULT_IMAGE_TAG}}"
 
 DEFAULT_OPERATOR_FULL_IMAGE_NAME="${IMAGE_REGISTRY}/${REGISTRY_NAMESPACE}/${OPERATOR_IMAGE_NAME}:${IMAGE_TAG}"
 DEFAULT_BUNDLE_FULL_IMAGE_NAME="${IMAGE_REGISTRY}/${REGISTRY_NAMESPACE}/${OPERATOR_BUNDLE_NAME}:${IMAGE_TAG}"
 DEFAULT_FILE_BASED_CATALOG_FULL_IMAGE_NAME="${IMAGE_REGISTRY}/${REGISTRY_NAMESPACE}/${FILE_BASED_CATALOG_NAME}:${IMAGE_TAG}"
 DEFAULT_METRICS_EXPORTER_FULL_IMAGE_NAME="${IMAGE_REGISTRY}/${REGISTRY_NAMESPACE}/${METRICS_EXPORTER_IMAGE_NAME}:${IMAGE_TAG}"
+DEFAULT_UX_BACKEND_SERVER_FULL_IMAGE_NAME="${IMAGE_REGISTRY}/${REGISTRY_NAMESPACE}/${UX_BACKEND_SERVER_IMAGE_NAME}:${IMAGE_TAG}"
+DEFAULT_UX_BACKEND_OAUTH_FULL_IMAGE_NAME="${IMAGE_REGISTRY}/${UX_BACKEND_OAUTH_IMAGE_NAME}:${IMAGE_TAG}"
 
 OPERATOR_FULL_IMAGE_NAME="${OPERATOR_FULL_IMAGE_NAME:-${DEFAULT_OPERATOR_FULL_IMAGE_NAME}}"
 BUNDLE_FULL_IMAGE_NAME="${BUNDLE_FULL_IMAGE_NAME:-${DEFAULT_BUNDLE_FULL_IMAGE_NAME}}"
 FILE_BASED_CATALOG_FULL_IMAGE_NAME="${FILE_BASED_CATALOG_FULL_IMAGE_NAME:-${DEFAULT_FILE_BASED_CATALOG_FULL_IMAGE_NAME}}"
 METRICS_EXPORTER_FULL_IMAGE_NAME="${METRICS_EXPORTER_FULL_IMAGE_NAME:-${DEFAULT_METRICS_EXPORTER_FULL_IMAGE_NAME}}"
+UX_BACKEND_SERVER_FULL_IMAGE_NAME="${UX_BACKEND_SERVER_FULL_IMAGE_NAME:-${DEFAULT_UX_BACKEND_SERVER_FULL_IMAGE_NAME}}"
+UX_BACKEND_OAUTH_FULL_IMAGE_NAME="${UX_BACKEND_OAUTH_FULL_IMAGE_NAME:-${DEFAULT_UX_BACKEND_OAUTH_FULL_IMAGE_NAME}}"
+
 
 NOOBAA_BUNDLE_FULL_IMAGE_NAME="quay.io/noobaa/noobaa-operator-bundle:master-20231217"
 

diff --git a/hack/generate-latest-csv.sh b/hack/generate-latest-csv.sh
@@ -14,6 +14,8 @@ export NOOBAA_DB_IMAGE=${NOOBAA_DB_IMAGE:-${LATEST_NOOBAA_DB_IMAGE}}
 export CEPH_IMAGE=${CEPH_IMAGE:-${LATEST_CEPH_IMAGE}}
 export OCS_IMAGE=${OCS_IMAGE:-${OPERATOR_FULL_IMAGE_NAME}}
 export OCS_METRICS_EXPORTER_IMAGE=${OCS_METRICS_EXPORTER_IMAGE:-${METRICS_EXPORTER_FULL_IMAGE_NAME}}
+export UX_BACKEND_SERVER_IMAGE=${UX_BACKEND_SERVER_IMAGE:-${UX_BACKEND_SERVER_FULL_IMAGE_NAME}}
+export UX_BACKEND_OAUTH_IMAGE=${UX_BACKEND_OAUTH_IMAGE:-${UX_BACKEND_OAUTH_FULL_IMAGE_NAME}}
 export OCS_MUST_GATHER_IMAGE=${OCS_MUST_GATHER_IMAGE:-${LATEST_MUST_GATHER_IMAGE}}
 export ROOK_CSIADDONS_IMAGE=${ROOK_CSIADDONS_IMAGE:-${LATEST_ROOK_CSIADDONS_IMAGE}}
 
@@ -25,6 +27,9 @@ echo -e "\tNOOBAA_CORE_IMAGE=$NOOBAA_CORE_IMAGE"
 echo -e "\tNOOBAA_DB_IMAGE=$NOOBAA_DB_IMAGE"
 echo -e "\tOCS_IMAGE=$OCS_IMAGE"
 echo -e "\tOCS_METRICS_EXPORTER_IMAGE=$OCS_METRICS_EXPORTER_IMAGE"
+echo -e "\tUX_BACKEND_SERVER_IMAGE=$UX_BACKEND_SERVER_IMAGE"
+echo -e "\tUX_BACKEND_OAUTH_IMAGE=$UX_BACKEND_OAUTH_IMAGE"
+
 echo -e "\tOCS_MUST_GATHER_IMAGE=$OCS_MUST_GATHER_IMAGE"
 echo -e "\tROOK_CSIADDONS_IMAGE=$ROOK_CSIADDONS_IMAGE"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -75,3 +75,4 @@ status:
		plural: ""
		conditions: null
		storedVersions: null