added changes to oauth proxy config

added changes oauth proxy config to work UI integration smooth

Signed-off-by: rchikatw <rchikatw@redhat.com>

config/rbac/kustomization.yaml

@@ -3,6 +3,9 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+- oauth_proxy_role.yaml
+- oauth_proxy_role_binding.yaml
+- ux_backend_sa.yaml
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.

config/rbac/oauth_proxy_role.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: oauth-proxy-role
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]

config/rbac/oauth_proxy_role_binding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: oauth-proxy-role-binding
+subjects:
+- kind: ServiceAccount
+  name: ux-backend-server
+  namespace: openshift-storage
+roleRef:
+  kind: ClusterRole
+  name: oauth-proxy-role
+  apiGroup: rbac.authorization.k8s.io

deploy/csv-templates/ocs-operator.csv.yaml.in

@@ -515,6 +515,20 @@ spec:
           verbs:
           - '*'
         serviceAccountName: ocs-operator
+      - rules:
+        - apiGroups:
+          - authentication.k8s.io
+          resources:
+          - tokenreviews
+          verbs:
+          - create
+        - apiGroups:
+          - authorization.k8s.io
+          resources:
+          - subjectaccessreviews
+          verbs:
+          - create
+        serviceAccountName: ux-backend-server
       deployments:
       - name: ocs-operator
         spec:

deploy/ocs-operator/manifests/ocs-operator.clusterserviceversion.yaml

@@ -2280,6 +2280,20 @@ spec:
           verbs:
           - '*'
         serviceAccountName: ocs-operator
+      - rules:
+        - apiGroups:
+          - authentication.k8s.io
+          resources:
+          - tokenreviews
+          verbs:
+          - create
+        - apiGroups:
+          - authorization.k8s.io
+          resources:
+          - subjectaccessreviews
+          verbs:
+          - create
+        serviceAccountName: ux-backend-server
       - rules:
         - apiGroups:
           - ""
@@ -3079,8 +3093,6 @@ spec:
                   value: quay.io/ocs-dev/ocs-operator:latest
                 - name: ONBOARDING_SECRET_GENERATOR_IMAGE
                   value: quay.io/ocs-dev/ocs-operator:latest
-                - name: UX_BACKEND_SERVER_IMAGE
-                  value: quay.io/ocs-dev/ocs-operator:latest
                 - name: OPERATOR_NAMESPACE
                   valueFrom:
                     fieldRef:
@@ -3277,6 +3289,7 @@ spec:
                 env:
                 - name: ONBOARDING_TOKEN_LIFETIME
                 - name: UX_BACKEND_PORT
+                - name: TLS_ENABLED
                 image: quay.io/ocs-dev/ocs-operator:latest
                 imagePullPolicy: IfNotPresent
                 name: ux-backend-server
@@ -3293,11 +3306,12 @@ spec:
                 - -https-address=:8888
                 - -http-address=
                 - -email-domain=*
-                - -upstream=https://localhost:8080/onboarding-tokens
+                - -upstream=http://localhost:8080/
                 - -tls-cert=/etc/tls/private/tls.crt
                 - -tls-key=/etc/tls/private/tls.key
                 - -cookie-secret-file=/etc/proxy/secrets/session_secret
                 - -openshift-service-account=ux-backend-server
+                - -openshift-delegate-urls={"/":{"resource":"StorageCluster","namespace":"openshift-storage","verb":"create"}}
                 - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
                 image: quay.io/openshift/origin-oauth-proxy:latest
                 imagePullPolicy: IfNotPresent

hack/source-manifests.sh

@@ -69,7 +69,7 @@ function gen_ocs_csv() {
 	pushd config/manager
 	$KUSTOMIZE edit set image ocs-dev/ocs-operator="$OCS_IMAGE"
 	popd
-	$KUSTOMIZE build config/manifests/ocs-operator | $OPERATOR_SDK generate bundle -q --overwrite=false --output-dir deploy/ocs-operator --kustomize-dir config/manifests/ocs-operator --package ocs-operator --version "$CSV_VERSION"
+	$KUSTOMIZE build config/manifests/ocs-operator | $OPERATOR_SDK generate bundle -q --overwrite=false --output-dir deploy/ocs-operator --kustomize-dir config/manifests/ocs-operator --package ocs-operator --version "$CSV_VERSION" --extra-service-accounts=ux-backend-server
 	mv deploy/ocs-operator/manifests/*clusterserviceversion.yaml $OCS_CSV
 	cp config/crd/bases/* $ocs_crds_outdir
 }

services/ux-backend/main.go

@@ -15,6 +15,7 @@ import (
 type serverConfig struct {
 	listenPort           int
 	tokenLifetimeInHours int
+	tlsEnabled           bool
 }
 
 func loadAndValidateServerConfig() (*serverConfig, error) {
@@ -41,6 +42,15 @@ func loadAndValidateServerConfig() (*serverConfig, error) {
 		return nil, fmt.Errorf("malformed user-defined listening port %s, %v", listenPortAsString, err)
 	}
 
+	defaultTLSEnabled := false
+	tlsEnabledAsString := os.Getenv("TLS_ENABLED")
+	if tlsEnabledAsString == "" {
+		klog.Infof("No user-defined TLS enabled value provided, defaulting to %t ", defaultTLSEnabled)
+		config.tlsEnabled = defaultTLSEnabled
+	} else if config.tlsEnabled, err = strconv.ParseBool(tlsEnabledAsString); err != nil {
+		return nil, fmt.Errorf("malformed user-defined TLS Enabled value %s, %v", tlsEnabledAsString, err)
+	}
+
 	return &config, nil
 }
 
@@ -60,11 +70,18 @@ func main() {
 
 	klog.Info("ux backend server listening on port ", config.listenPort)
 
-	log.Fatal(http.ListenAndServeTLS(
-		fmt.Sprintf("%s%d", ":", config.listenPort),
-		"/etc/tls/private/tls.crt",
-		"/etc/tls/private/tls.key",
-		nil,
-	))
+	addr := fmt.Sprintf("%s%d", ":", config.listenPort)
+	if config.tlsEnabled {
+		klog.Info("Server configured to run with TLS")
+		err = http.ListenAndServeTLS(addr,
+			"/etc/tls/private/tls.crt",
+			"/etc/tls/private/tls.key",
+			nil,
+		)
+	} else {
+		klog.Info("Server configured to run without TLS")
+		err = http.ListenAndServe(addr, nil)
+	}
+	log.Fatal(err)
 
 }

tools/csv-merger/csv-merger.go

@@ -162,10 +162,6 @@ func unmarshalCSV(filePath string) *csvv1.ClusterServiceVersion {
 				Name:  "ONBOARDING_SECRET_GENERATOR_IMAGE",
 				Value: *ocsContainerImage,
 			},
-			{
-				Name:  "UX_BACKEND_SERVER_IMAGE",
-				Value: *ocsContainerImage,
-			},
 			{
 				Name: util.OperatorNamespaceEnvVar,
 				ValueFrom: &corev1.EnvVarSource{
@@ -980,6 +976,10 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec {
 								Name:  "UX_BACKEND_PORT",
 								Value: os.Getenv("UX_BACKEND_PORT"),
 							},
+							{
+								Name:  "TLS_ENABLED",
+								Value: os.Getenv("TLS_ENABLED"),
+							},
 						},
 					},
 					{
@@ -999,11 +999,12 @@ func getUXBackendServerDeployment() appsv1.DeploymentSpec {
 						Args: []string{"-provider=openshift",
 							"-https-address=:8888",
 							"-http-address=", "-email-domain=*",
-							"-upstream=https://localhost:8080/onboarding-tokens",
+							"-upstream=http://localhost:8080/",
 							"-tls-cert=/etc/tls/private/tls.crt",
 							"-tls-key=/etc/tls/private/tls.key",
 							"-cookie-secret-file=/etc/proxy/secrets/session_secret",
 							"-openshift-service-account=ux-backend-server",
+							`-openshift-delegate-urls={"/":{"resource":"StorageCluster","namespace":"openshift-storage","verb":"create"}}`,
 							"-openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"},
 						Ports: []corev1.ContainerPort{
 							{