Merge pull request #839 from stlaz/session-secrets

CONSOLE-3912: Add secrets for session encryption/authentication in OIDC

Author: openshift-merge-bot[bot]

go.mod

@@ -8,12 +8,14 @@ require (
 	github.com/ghodss/yaml v1.0.0
 	github.com/go-bindata/go-bindata v3.1.2+incompatible
 	github.com/go-test/deep v1.0.5
+	github.com/google/go-cmp v0.6.0
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
 	github.com/openshift/api v0.0.0-20231218131639-7a5aa77cc72d
 	github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d
 	github.com/openshift/client-go v0.0.0-20231218140158-47f6d749b9d9
 	github.com/openshift/library-go v0.0.0-20240115112243-470c096a1ca9
 	github.com/spf13/cobra v1.7.0
+	golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.29.0
 	k8s.io/apiextensions-apiserver v0.29.0
@@ -51,7 +53,6 @@ require (
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/cel-go v0.17.7 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20230705174524-200ffdc848b8 // indirect
 	github.com/google/uuid v1.3.0 // indirect
@@ -90,7 +91,6 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.25.0 // indirect
 	golang.org/x/crypto v0.14.0 // indirect
-	golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.10.0 // indirect
 	golang.org/x/sync v0.3.0 // indirect

go.sum

@@ -35,15 +35,23 @@ rules:
   - apiGroups:
       - config.openshift.io
     resources:
+      - authentications
       - oauths
       - infrastructures
       - ingresses
       - proxies
       - clusterversions
+      - featuregates
     verbs:
       - get
       - list
       - watch
+  - apiGroups:
+      - config.openshift.io
+    resources:
+      - authentications/status
+    verbs:
+      - patch
   - apiGroups:
       - config.openshift.io
     resources:

manifests/03-rbac-role-cluster.yaml

@@ -21,6 +21,14 @@ rules:
   # Check: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources
   - create
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:

manifests/03-rbac-role-ns-openshift-config-managed.yaml

@@ -1,6 +1,8 @@
 package api
 
 const (
+	AuthServerCAMountDir                = "/var/auth-server-ca"
+	AuthServerCAFileName                = "ca-bundle.crt"
 	ClusterOperatorName                 = "console"
 	ConfigResourceName                  = "cluster"
 	ConsoleContainerPort                = 443
@@ -35,6 +37,7 @@ const (
 	RedirectContainerPort               = 8444
 	RedirectContainerPortName           = "custom-route-redirect"
 	ServiceCAConfigMapName              = "service-ca"
+	SessionSecretName                   = "session-secret"
 	TargetNamespace                     = "openshift-console"
 	TrustedCABundleKey                  = "ca-bundle.crt"
 	TrustedCABundleMountDir             = "/etc/pki/ca-trust/extracted/pem"

pkg/api/api.go

@@ -17,6 +17,7 @@ import (
 	// openshift
 	v1 "github.com/openshift/api/console/v1"
 	operatorsv1 "github.com/openshift/api/operator/v1"
+	operatorv1listers "github.com/openshift/client-go/operator/listers/operator/v1"
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
@@ -32,7 +33,6 @@ import (
 
 	// clients
 	consoleclientv1 "github.com/openshift/client-go/console/clientset/versioned/typed/console/v1"
-	operatorclientv1 "github.com/openshift/client-go/operator/clientset/versioned/typed/operator/v1"
 	routeclientv1 "github.com/openshift/client-go/route/clientset/versioned/typed/route/v1"
 
 	// operator
@@ -49,15 +49,14 @@ type CLIDownloadsSyncController struct {
 	consoleCliDownloadsClient consoleclientv1.ConsoleCLIDownloadInterface
 	ingressClient             configclientv1.IngressInterface
 	routeClient               routeclientv1.RoutesGetter
-	operatorConfigClient      operatorclientv1.ConsoleInterface
+	operatorConfigLister      operatorv1listers.ConsoleLister
 }
 
 func NewCLIDownloadsSyncController(
 	// top level config
 	configClient configclientv1.ConfigV1Interface,
 	// clients
 	operatorClient v1helpers.OperatorClient,
-	operatorConfigClient operatorclientv1.OperatorV1Interface,
 	cliDownloadsInterface consoleclientv1.ConsoleCLIDownloadInterface,
 	routeClient routeclientv1.RoutesGetter,
 	// informers
@@ -75,7 +74,7 @@ func NewCLIDownloadsSyncController(
 		consoleCliDownloadsClient: cliDownloadsInterface,
 		ingressClient:             configClient.Ingresses(),
 		routeClient:               routeClient,
-		operatorConfigClient:      operatorConfigClient.Consoles(),
+		operatorConfigLister:      operatorConfigInformer.Lister(),
 	}
 
 	configV1Informers := configInformer.Config().V1()
@@ -95,7 +94,7 @@ func NewCLIDownloadsSyncController(
 }
 
 func (c *CLIDownloadsSyncController) Sync(ctx context.Context, controllerContext factory.SyncContext) error {
-	operatorConfig, err := c.operatorConfigClient.Get(ctx, api.ConfigResourceName, metav1.GetOptions{})
+	operatorConfig, err := c.operatorConfigLister.Get(api.ConfigResourceName)
 	if err != nil {
 		return err
 	}

pkg/console/controllers/clidownloads/controller.go

@@ -22,8 +22,8 @@ import (
 	routev1 "github.com/openshift/api/route/v1"
 	configclientv1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
 	configinformer "github.com/openshift/client-go/config/informers/externalversions"
-	operatorclientv1 "github.com/openshift/client-go/operator/clientset/versioned/typed/operator/v1"
 	v1 "github.com/openshift/client-go/operator/informers/externalversions/operator/v1"
+	operatorv1listers "github.com/openshift/client-go/operator/listers/operator/v1"
 	routeclientv1 "github.com/openshift/client-go/route/clientset/versioned/typed/route/v1"
 	routesinformersv1 "github.com/openshift/client-go/route/informers/externalversions/route/v1"
 	"github.com/openshift/library-go/pkg/controller/factory"
@@ -41,7 +41,7 @@ import (
 type HealthCheckController struct {
 	// clients
 	operatorClient       v1helpers.OperatorClient
-	operatorConfigClient operatorclientv1.ConsoleInterface
+	operatorConfigLister operatorv1listers.ConsoleLister
 	infrastructureClient configclientv1.InfrastructureInterface
 	ingressClient        configclientv1.IngressInterface
 	routeClient          routeclientv1.RoutesGetter
@@ -53,7 +53,6 @@ func NewHealthCheckController(
 	configClient configclientv1.ConfigV1Interface,
 	// clients
 	operatorClient v1helpers.OperatorClient,
-	operatorConfigClient operatorclientv1.ConsoleInterface,
 	routev1Client routeclientv1.RoutesGetter,
 	configMapClient coreclientv1.ConfigMapsGetter,
 	// informers
@@ -66,7 +65,7 @@ func NewHealthCheckController(
 ) factory.Controller {
 	ctrl := &HealthCheckController{
 		operatorClient:       operatorClient,
-		operatorConfigClient: operatorConfigClient,
+		operatorConfigLister: operatorConfigInformer.Lister(),
 		infrastructureClient: configClient.Infrastructures(),
 		ingressClient:        configClient.Ingresses(),
 		routeClient:          routev1Client,
@@ -94,7 +93,7 @@ func NewHealthCheckController(
 
 func (c *HealthCheckController) Sync(ctx context.Context, controllerContext factory.SyncContext) error {
 	statusHandler := status.NewStatusHandler(c.operatorClient)
-	operatorConfig, err := c.operatorConfigClient.Get(ctx, api.ConfigResourceName, metav1.GetOptions{})
+	operatorConfig, err := c.operatorConfigLister.Get(api.ConfigResourceName)
 	if err != nil {
 		klog.Errorf("operator config error: %v", err)
 		return statusHandler.FlushAndReturn(err)