OCPBUGS-46513: Add ConsolePluginContentSecurityPolicy feature gate to console config

TheRealJon · TheRealJon · commit 983dadb5c25d · 2025-01-31T15:06:29.000-05:00
diff --git a/pkg/console/operator/operator.go b/pkg/console/operator/operator.go
@@ -87,7 +87,9 @@ type consoleOperator struct {
 	versionGetter             status.VersionGetter
 	// lister
 	consolePluginLister listerv1.ConsolePluginLister
-	// feature gate
+
+	// CSP feature gate enabled
+	contentSecurityPolicyEnabled bool
 
 	resourceSyncer resourcesynccontroller.ResourceSyncer
 
@@ -105,6 +107,7 @@ type trackables struct {
 
 func NewConsoleOperator(
 	ctx context.Context,
+	contentSecurityPolicyEnabled bool,
 	// top level config
 	configClient configclientv1.ConfigV1Interface,
 	configInformer configinformer.SharedInformerFactory,
@@ -185,7 +188,8 @@ func NewConsoleOperator(
 		consolePluginLister: consolePluginInformer.Lister(),
 		resourceSyncer:      resourceSyncer,
 
-		monitoringDeploymentLister: monitoringDeploymentInformer.Lister(),
+		monitoringDeploymentLister:   monitoringDeploymentInformer.Lister(),
+		contentSecurityPolicyEnabled: contentSecurityPolicyEnabled,
 	}
 
 	informers := []factory.Informer{
diff --git a/pkg/console/operator/sync_v400.go b/pkg/console/operator/sync_v400.go
@@ -415,6 +415,7 @@ func (co *consoleOperator) SyncConfigMap(
 		nodeArchitectures,
 		nodeOperatingSystems,
 		copiedCSVsDisabled,
+		co.contentSecurityPolicyEnabled,
 		telemetryConfig,
 		consoleHost,
 	)
diff --git a/pkg/console/starter/starter.go b/pkg/console/starter/starter.go
@@ -220,9 +220,11 @@ func RunOperator(ctx context.Context, controllerContext *controllercmd.Controlle
 		return err
 	}
 
+	contentSecurityPolicyEnabled := featureGates.Enabled("ConsolePluginContentSecurityPolicy")
 	// TODO: rearrange these into informer,client pairs, NOT separated.
 	consoleOperator := consoleoperator.NewConsoleOperator(
 		ctx,
+		contentSecurityPolicyEnabled,
 		// top level config
 		configClient.ConfigV1(),
 		configInformers,
diff --git a/pkg/console/subresource/configmap/configmap.go b/pkg/console/subresource/configmap/configmap.go
@@ -47,6 +47,7 @@ func DefaultConfigMap(
 	nodeArchitectures []string,
 	nodeOperatingSystems []string,
 	copiedCSVsDisabled bool,
+	contentSecurityPolicyEnabled bool,
 	telemeterConfig map[string]string,
 	consoleHost string,
 ) (consoleConfigMap *corev1.ConfigMap, unsupportedOverridesHaveMerged bool, err error) {
@@ -86,6 +87,7 @@ func DefaultConfigMap(
 		Plugins(getPluginsEndpointMap(availablePlugins)).
 		I18nNamespaces(pluginsWithI18nNamespace(availablePlugins)).
 		ContentSecurityPolicies(aggregateCSPDirectives(availablePlugins)).
+		ContentSecurityPolicyEnabled(contentSecurityPolicyEnabled).
 		Proxy(getPluginsProxyServices(availablePlugins)).
 		CustomLogoFile(operatorConfig.Spec.Customization.CustomLogoFile.Key).
 		CustomProductName(operatorConfig.Spec.Customization.CustomProductName).
diff --git a/pkg/console/subresource/configmap/configmap_test.go b/pkg/console/subresource/configmap/configmap_test.go
@@ -51,20 +51,21 @@ nV5cXbp9W1bC12Tc8nnNXn4ypLE2JTQAvyp51zoZ8hQoSnRVx/VCY55Yu+br8gQZ
 // To manually run these tests: go test -v ./pkg/console/subresource/configmap/...
 func TestDefaultConfigMap(t *testing.T) {
 	type args struct {
-		operatorConfig           *operatorv1.Console
-		authConfig               *configv1.Authentication
-		consoleConfig            *configv1.Console
-		managedConfig            *corev1.ConfigMap
-		monitoringSharedConfig   *corev1.ConfigMap
-		authServerCAConfig       *corev1.ConfigMap
-		infrastructureConfig     *configv1.Infrastructure
-		rt                       *routev1.Route
-		inactivityTimeoutSeconds int
-		availablePlugins         []*consolev1.ConsolePlugin
-		nodeArchitectures        []string
-		nodeOperatingSystems     []string
-		copiedCSVsDisabled       bool
-		telemetryConfig          map[string]string
+		operatorConfig               *operatorv1.Console
+		authConfig                   *configv1.Authentication
+		consoleConfig                *configv1.Console
+		managedConfig                *corev1.ConfigMap
+		monitoringSharedConfig       *corev1.ConfigMap
+		authServerCAConfig           *corev1.ConfigMap
+		infrastructureConfig         *configv1.Infrastructure
+		rt                           *routev1.Route
+		inactivityTimeoutSeconds     int
+		availablePlugins             []*consolev1.ConsolePlugin
+		nodeArchitectures            []string
+		nodeOperatingSystems         []string
+		copiedCSVsDisabled           bool
+		contentSecurityPolicyEnabled bool
+		telemetryConfig              map[string]string
 	}
 	t.Setenv("OPERATOR_IMAGE_VERSION", testReleaseVersion)
 	tests := []struct {
@@ -1069,6 +1070,7 @@ providers: {}
 				tt.args.nodeArchitectures,
 				tt.args.nodeOperatingSystems,
 				tt.args.copiedCSVsDisabled,
+				tt.args.contentSecurityPolicyEnabled,
 				tt.args.telemetryConfig,
 				tt.args.rt.Spec.Host,
 			)
diff --git a/pkg/console/subresource/consoleserver/config_builder.go b/pkg/console/subresource/consoleserver/config_builder.go
@@ -42,41 +42,42 @@ const (
 //
 //	b.Host().Brand("").Config()
 type ConsoleServerCLIConfigBuilder struct {
-	host                       string
-	logoutRedirectURL          string
-	brand                      operatorv1.Brand
-	docURL                     string
-	apiServerURL               string
-	controlPlaneToplogy        configv1.TopologyMode
-	statusPageID               string
-	customProductName          string
-	devCatalogCustomization    operatorv1.DeveloperConsoleCatalogCustomization
-	projectAccess              operatorv1.ProjectAccess
-	quickStarts                operatorv1.QuickStarts
-	addPage                    operatorv1.AddPage
-	perspectives               []operatorv1.Perspective
-	customLogoFile             string
-	CAFile                     string
-	monitoring                 map[string]string
-	customHostnameRedirectPort int
-	inactivityTimeoutSeconds   int
-	pluginsList                map[string]string
-	i18nNamespaceList          []string
-	proxyServices              []ProxyService
-	telemetry                  map[string]string
-	releaseVersion             string
-	nodeArchitectures          []string
-	nodeOperatingSystems       []string
-	copiedCSVsDisabled         bool
-	oauthClientID              string
-	oidcExtraScopes            []string
-	oidcIssuerURL              string
-	oidcOCLoginCommand         string
-	authType                   string
-	sessionEncryptionFile      string
-	sessionAuthenticationFile  string
-	capabilities               []operatorv1.Capability
-	contentSecurityPolicyList  map[v1.DirectiveType][]string
+	host                         string
+	logoutRedirectURL            string
+	brand                        operatorv1.Brand
+	docURL                       string
+	apiServerURL                 string
+	controlPlaneToplogy          configv1.TopologyMode
+	statusPageID                 string
+	customProductName            string
+	devCatalogCustomization      operatorv1.DeveloperConsoleCatalogCustomization
+	projectAccess                operatorv1.ProjectAccess
+	quickStarts                  operatorv1.QuickStarts
+	addPage                      operatorv1.AddPage
+	perspectives                 []operatorv1.Perspective
+	customLogoFile               string
+	CAFile                       string
+	monitoring                   map[string]string
+	customHostnameRedirectPort   int
+	inactivityTimeoutSeconds     int
+	pluginsList                  map[string]string
+	i18nNamespaceList            []string
+	proxyServices                []ProxyService
+	telemetry                    map[string]string
+	releaseVersion               string
+	nodeArchitectures            []string
+	nodeOperatingSystems         []string
+	copiedCSVsDisabled           bool
+	oauthClientID                string
+	oidcExtraScopes              []string
+	oidcIssuerURL                string
+	oidcOCLoginCommand           string
+	authType                     string
+	sessionEncryptionFile        string
+	sessionAuthenticationFile    string
+	capabilities                 []operatorv1.Capability
+	contentSecurityPolicyEnabled bool
+	contentSecurityPolicyList    map[v1.DirectiveType][]string
 }
 
 func (b *ConsoleServerCLIConfigBuilder) Host(host string) *ConsoleServerCLIConfigBuilder {
@@ -211,6 +212,11 @@ func (b *ConsoleServerCLIConfigBuilder) ContentSecurityPolicies(cspList map[v1.D
 	return b
 }
 
+func (b *ConsoleServerCLIConfigBuilder) ContentSecurityPolicyEnabled(enabled bool) *ConsoleServerCLIConfigBuilder {
+	b.contentSecurityPolicyEnabled = enabled
+	return b
+}
+
 func (b *ConsoleServerCLIConfigBuilder) I18nNamespaces(i18nNamespaces []string) *ConsoleServerCLIConfigBuilder {
 	b.i18nNamespaceList = i18nNamespaces
 	return b
@@ -248,20 +254,21 @@ func (b *ConsoleServerCLIConfigBuilder) CopiedCSVsDisabled(copiedCSVsDisabled bo
 
 func (b *ConsoleServerCLIConfigBuilder) Config() Config {
 	return Config{
-		Kind:                  "ConsoleConfig",
-		APIVersion:            "console.openshift.io/v1",
-		Auth:                  b.auth(),
-		Session:               b.session(),
-		ClusterInfo:           b.clusterInfo(),
-		Customization:         b.customization(),
-		ServingInfo:           b.servingInfo(),
-		Providers:             b.providers(),
-		MonitoringInfo:        b.monitoringInfo(),
-		Plugins:               b.plugins(),
-		I18nNamespaces:        b.i18nNamespaces(),
-		Proxy:                 b.proxy(),
-		ContentSecurityPolicy: b.contentSecurityPolicy(),
-		Telemetry:             b.telemetry,
+		Kind:                         "ConsoleConfig",
+		APIVersion:                   "console.openshift.io/v1",
+		Auth:                         b.auth(),
+		Session:                      b.session(),
+		ClusterInfo:                  b.clusterInfo(),
+		Customization:                b.customization(),
+		ServingInfo:                  b.servingInfo(),
+		Providers:                    b.providers(),
+		MonitoringInfo:               b.monitoringInfo(),
+		Plugins:                      b.plugins(),
+		I18nNamespaces:               b.i18nNamespaces(),
+		Proxy:                        b.proxy(),
+		ContentSecurityPolicy:        b.contentSecurityPolicy(),
+		ContentSecurityPolicyEnabled: b.getContentSecurityPolicyEnabled(),
+		Telemetry:                    b.telemetry,
 	}
 }
 
@@ -529,6 +536,10 @@ func (b *ConsoleServerCLIConfigBuilder) contentSecurityPolicy() map[v1.Directive
 	return b.contentSecurityPolicyList
 }
 
+func (b *ConsoleServerCLIConfigBuilder) getContentSecurityPolicyEnabled() bool {
+	return b.contentSecurityPolicyEnabled
+}
+
 func (b *ConsoleServerCLIConfigBuilder) proxy() Proxy {
 	return Proxy{
 		Services: b.proxyServices,
diff --git a/pkg/console/subresource/consoleserver/types.go b/pkg/console/subresource/consoleserver/types.go
@@ -18,20 +18,21 @@ import (
 
 // Config is the top-level console server cli configuration.
 type Config struct {
-	APIVersion            string `yaml:"apiVersion"`
-	Kind                  string `yaml:"kind"`
-	ServingInfo           `yaml:"servingInfo"`
-	ClusterInfo           `yaml:"clusterInfo"`
-	Auth                  `yaml:"auth"`
-	Session               `yaml:"session"`
-	Customization         `yaml:"customization"`
-	Providers             `yaml:"providers"`
-	MonitoringInfo        `yaml:"monitoringInfo,omitempty"`
-	Plugins               map[string]string             `yaml:"plugins,omitempty"`
-	I18nNamespaces        []string                      `yaml:"i18nNamespaces,omitempty"`
-	Proxy                 Proxy                         `yaml:"proxy,omitempty"`
-	ContentSecurityPolicy map[v1.DirectiveType][]string `yaml:"contentSecurityPolicy,omitempty"`
-	Telemetry             map[string]string             `yaml:"telemetry,omitempty"`
+	APIVersion                   string `yaml:"apiVersion"`
+	Kind                         string `yaml:"kind"`
+	ServingInfo                  `yaml:"servingInfo"`
+	ClusterInfo                  `yaml:"clusterInfo"`
+	Auth                         `yaml:"auth"`
+	Session                      `yaml:"session"`
+	Customization                `yaml:"customization"`
+	Providers                    `yaml:"providers"`
+	MonitoringInfo               `yaml:"monitoringInfo,omitempty"`
+	Plugins                      map[string]string             `yaml:"plugins,omitempty"`
+	I18nNamespaces               []string                      `yaml:"i18nNamespaces,omitempty"`
+	Proxy                        Proxy                         `yaml:"proxy,omitempty"`
+	ContentSecurityPolicy        map[v1.DirectiveType][]string `yaml:"contentSecurityPolicy,omitempty"`
+	ContentSecurityPolicyEnabled bool                          `yaml:"contentSecurityPolicyEnabled,omitempty"`
+	Telemetry                    map[string]string             `yaml:"telemetry,omitempty"`
 }
 
 type Proxy struct {

Original file line number	Diff line number	Diff line change
`@@ -415,6 +415,7 @@ func (co *consoleOperator) SyncConfigMap(`
`415`	`415`	`nodeArchitectures,`
`416`	`416`	`nodeOperatingSystems,`
`417`	`417`	`copiedCSVsDisabled,`
	`418`	`+ co.contentSecurityPolicyEnabled,`
`418`	`419`	`telemetryConfig,`
`419`	`420`	`consoleHost,`
`420`	`421`	`)`