mount a session secret in OIDC envs

Author: stlaz

pkg/api/api.go

@@ -37,6 +37,7 @@ const (
 	RedirectContainerPort               = 8444
 	RedirectContainerPortName           = "custom-route-redirect"
 	ServiceCAConfigMapName              = "service-ca"
+	SessionSecretName                   = "session-secret"
 	TargetNamespace                     = "openshift-console"
 	TrustedCABundleKey                  = "ca-bundle.crt"
 	TrustedCABundleMountDir             = "/etc/pki/ca-trust/extracted/pem"

pkg/console/operator/sync_v400.go

@@ -76,7 +76,10 @@ func (co *consoleOperator) sync_v400(ctx context.Context, controllerContext fact
 		return statusHandler.FlushAndReturn(err)
 	}
 
-	var authServerCAConfig *corev1.ConfigMap
+	var (
+		authServerCAConfig *corev1.ConfigMap
+		sessionSecret      *corev1.Secret
+	)
 	switch authnConfig.Spec.Type {
 	case configv1.AuthenticationTypeOIDC:
 		if len(authnConfig.Spec.OIDCProviders) > 0 {
@@ -87,7 +90,10 @@ func (co *consoleOperator) sync_v400(ctx context.Context, controllerContext fact
 			}
 		}
 
-		sessionSecret := secretsub.Stub()
+		sessionSecret, err = co.syncSessionSecret(ctx, updatedOperatorConfig, controllerContext.Recorder())
+		if err != nil {
+			return statusHandler.FlushAndReturn(err)
+		}
 	}
 
 	cm, cmChanged, cmErrReason, cmErr := co.SyncConfigMap(
@@ -158,6 +164,7 @@ func (co *consoleOperator) sync_v400(ctx context.Context, controllerContext fact
 		authServerCAConfig,
 		trustedCAConfigMap,
 		clientSecret,
+		sessionSecret,
 		set.Proxy,
 		set.Infrastructure,
 		customLogoCanMount,
@@ -261,6 +268,7 @@ func (co *consoleOperator) SyncDeployment(
 	authServerCAConfigMap *corev1.ConfigMap,
 	trustedCAConfigMap *corev1.ConfigMap,
 	sec *corev1.Secret,
+	sessionSecret *corev1.Secret,
 	proxyConfig *configv1.Proxy,
 	infrastructureConfig *configv1.Infrastructure,
 	canMountCustomLogo bool,
@@ -275,6 +283,7 @@ func (co *consoleOperator) SyncDeployment(
 		authServerCAConfigMap,
 		trustedCAConfigMap,
 		sec,
+		sessionSecret,
 		proxyConfig,
 		infrastructureConfig,
 		canMountCustomLogo,
@@ -587,3 +596,29 @@ func (co *consoleOperator) isCopiedCSVsDisabled(ctx context.Context) (bool, erro
 
 	return copiedCSVsDisabled, nil
 }
+
+func (co *consoleOperator) syncSessionSecret(
+	ctx context.Context,
+	operatorConfig *operatorv1.Console,
+	recorder events.Recorder,
+) (*corev1.Secret, error) {
+
+	sessionSecret, err := co.secretsLister.Secrets(api.TargetNamespace).Get(api.SessionSecretName)
+	if err != nil && !apierrors.IsNotFound(err) {
+		return nil, err
+	}
+
+	var required *corev1.Secret
+	if sessionSecret == nil {
+		required = secretsub.DefaultSessionSecret(operatorConfig)
+	} else {
+		required = sessionSecret.DeepCopy()
+		changed := secretsub.ResetSessionSecretKeysIfNeeded(required)
+		if !changed {
+			return required, nil
+		}
+	}
+
+	secret, _, err := resourceapply.ApplySecret(ctx, co.secretsClient, recorder, required)
+	return secret, err
+}

pkg/console/subresource/configmap/configmap_test.go

@@ -115,6 +115,7 @@ clusterInfo:
   masterPublicURL: ` + mockAPIServer + `
   controlPlaneTopology: HighlyAvailable
   releaseVersion: ` + testReleaseVersion + `
+session: {}
 customization:
   branding: ` + DEFAULT_BRAND + `
   documentationBaseURL: ` + DEFAULT_DOC_URL + `
@@ -171,6 +172,7 @@ clusterInfo:
   consoleBaseAddress: https://` + host + `
   masterPublicURL: ` + mockAPIServer + `
   releaseVersion: ` + testReleaseVersion + `
+session: {}
 customization:
   branding: ` + DEFAULT_BRAND + `
   documentationBaseURL: ` + DEFAULT_DOC_URL + `
@@ -192,6 +194,7 @@ providers: {}
 				managedConfig: &corev1.ConfigMap{
 					Data: map[string]string{configKey: `kind: ConsoleConfig
 apiVersion: console.openshift.io/v1
+session: {}
 customization:
   branding: online
   documentationBaseURL: https://docs.okd.io/4.4/
@@ -239,6 +242,7 @@ clusterInfo:
   nodeArchitectures:
   - amd64
   - arm64
+session: {}
 customization:
   branding: online
   documentationBaseURL: https://docs.okd.io/4.4/
@@ -260,6 +264,7 @@ providers: {}
 				managedConfig: &corev1.ConfigMap{
 					Data: map[string]string{configKey: `kind: ConsoleConfig
 apiVersion: console.openshift.io/v1
+session: {}
 customization:
   branding: online
   documentationBaseURL: https://docs.okd.io/4.4/
@@ -307,6 +312,7 @@ clusterInfo:
   nodeOperatingSystems:
   - foo
   - bar
+session: {}
 customization:
   branding: online
   documentationBaseURL: https://docs.okd.io/4.4/
@@ -337,6 +343,7 @@ providers: {}
 				managedConfig: &corev1.ConfigMap{
 					Data: map[string]string{configKey: `kind: ConsoleConfig
 apiVersion: console.openshift.io/v1
+session: {}
 customization:
   branding: online
   documentationBaseURL: https://docs.okd.io/4.4/
@@ -380,6 +387,7 @@ clusterInfo:
   consoleBaseAddress: https://` + host + `
   masterPublicURL: ` + mockAPIServer + `
   releaseVersion: ` + testReleaseVersion + `
+session: {}
 customization:
   branding: ` + string(operatorv1.BrandDedicatedLegacy) + `
   documentationBaseURL: ` + mockOperatorDocURL + `
@@ -415,6 +423,7 @@ providers: {}
 				managedConfig: &corev1.ConfigMap{
 					Data: map[string]string{configKey: `kind: ConsoleConfig
 apiVersion: console.openshift.io/v1
+session: {}
 customization:
   branding: online
   documentationBaseURL: https://docs.okd.io/4.4/
@@ -458,6 +467,7 @@ clusterInfo:
   consoleBaseAddress: https://` + host + `
   masterPublicURL: ` + mockAPIServer + `
   releaseVersion: ` + testReleaseVersion + `
+session: {}
 customization:
   branding: ` + string(operatorv1.BrandDedicatedLegacy) + `
   documentationBaseURL: ` + mockOperatorDocURL + `
@@ -495,6 +505,7 @@ providers: {}
 				managedConfig: &corev1.ConfigMap{
 					Data: map[string]string{configKey: `kind: ConsoleConfig
 apiVersion: console.openshift.io/v1
+session: {}
 customization:
   branding: online
   documentationBaseURL: https://docs.okd.io/4.4/
@@ -538,6 +549,7 @@ clusterInfo:
   consoleBaseAddress: https://` + host + `
   masterPublicURL: ` + mockAPIServer + `
   releaseVersion: ` + testReleaseVersion + `
+session: {}
 customization:
   branding: ` + string(operatorv1.BrandDedicatedLegacy) + `
   documentationBaseURL: ` + mockOperatorDocURL + `
@@ -601,6 +613,7 @@ clusterInfo:
   consoleBaseAddress: https://` + customHostname + `
   masterPublicURL: ` + mockAPIServer + `
   releaseVersion: ` + testReleaseVersion + `
+session: {}
 customization:
   branding: ` + DEFAULT_BRAND + `
   documentationBaseURL: ` + DEFAULT_DOC_URL + `
@@ -659,6 +672,7 @@ clusterInfo:
   consoleBaseAddress: https://` + host + `
   masterPublicURL: ` + mockAPIServer + `
   releaseVersion: ` + testReleaseVersion + `
+session: {}
 customization:
   branding: ` + DEFAULT_BRAND + `
   documentationBaseURL: ` + DEFAULT_DOC_URL + `
@@ -720,6 +734,7 @@ clusterInfo:
   consoleBaseAddress: https://` + host + `
   masterPublicURL: ` + mockAPIServer + `
   releaseVersion: ` + testReleaseVersion + `
+session: {}
 customization:
   branding: ` + DEFAULT_BRAND + `
   documentationBaseURL: ` + DEFAULT_DOC_URL + `
@@ -822,6 +837,7 @@ clusterInfo:
   masterPublicURL: ` + mockAPIServer + `
   controlPlaneTopology: External
   releaseVersion: ` + testReleaseVersion + `
+session: {}
 customization:
   branding: ` + DEFAULT_BRAND + `
   documentationBaseURL: ` + DEFAULT_DOC_URL + `
@@ -882,6 +898,7 @@ clusterInfo:
   controlPlaneTopology: External
   releaseVersion: ` + testReleaseVersion + `
   copiedCSVsDisabled: true
+session: {}
 customization:
   branding: ` + DEFAULT_BRAND + `
   documentationBaseURL: ` + DEFAULT_DOC_URL + `
@@ -946,6 +963,7 @@ clusterInfo:
   masterPublicURL: ` + mockAPIServer + `
   controlPlaneTopology: HighlyAvailable
   releaseVersion: ` + testReleaseVersion + `
+session: {}
 customization:
   branding: ` + DEFAULT_BRAND + `
   documentationBaseURL: ` + DEFAULT_DOC_URL + `
@@ -1228,6 +1246,7 @@ func Test_extractYAML(t *testing.T) {
 					},
 					Data: map[string]string{configKey: `kind: ConsoleConfig
 apiVersion: console.openshift.io/v1
+session: {}
 customization:
   branding: online
   documentationBaseURL: https://docs.okd.io/4.4/
@@ -1238,6 +1257,7 @@ customization:
 			},
 			want: `kind: ConsoleConfig
 apiVersion: console.openshift.io/v1
+session: {}
 customization:
   branding: online
   documentationBaseURL: https://docs.okd.io/4.4/

pkg/console/subresource/consoleserver/config_builder.go

@@ -70,6 +70,8 @@ type ConsoleServerCLIConfigBuilder struct {
 	oidcExtraScopes            []string
 	oidcIssuerURL              string
 	authType                   string
+	sessionEncryptionFile      string
+	sessionAuthenticationFile  string
 }
 
 func (b *ConsoleServerCLIConfigBuilder) Host(host string) *ConsoleServerCLIConfigBuilder {
@@ -175,6 +177,8 @@ func (b *ConsoleServerCLIConfigBuilder) AuthConfig(authnConfig *configv1.Authent
 		b.oidcIssuerURL = oidcProvider.Issuer.URL
 		b.oauthClientID = oidcConfig.ClientID
 		b.oidcExtraScopes = oidcConfig.ExtraScopes
+		b.sessionAuthenticationFile = "/var/session-secret/sessionAuthenticationKey"
+		b.sessionEncryptionFile = "/var/session-secret/sessionEncryptionKey"
 	}
 
 	return b
@@ -237,6 +241,7 @@ func (b *ConsoleServerCLIConfigBuilder) Config() Config {
 		Kind:           "ConsoleConfig",
 		APIVersion:     "console.openshift.io/v1",
 		Auth:           b.auth(),
+		Session:        b.session(),
 		ClusterInfo:    b.clusterInfo(),
 		Customization:  b.customization(),
 		ServingInfo:    b.servingInfo(),
@@ -349,6 +354,14 @@ func (b *ConsoleServerCLIConfigBuilder) auth() Auth {
 	return conf
 }
 
+func (b *ConsoleServerCLIConfigBuilder) session() Session {
+	conf := Session{
+		CookieAuthenticationKeyFile: b.sessionAuthenticationFile,
+		CookieEncryptionKeyFile:     b.sessionEncryptionFile,
+	}
+	return conf
+}
+
 func (b *ConsoleServerCLIConfigBuilder) customization() Customization {
 	conf := Customization{}
 	if len(b.brand) > 0 {