operator: Merge pull request redpanda-data#6359 from pvsune/enterpris…

…e/pvsune/rpcloud-sso

Console RedpandaCloud SSO support in the operator

apis/redpanda/v1alpha1/console_enterprise_types.go

@@ -26,6 +26,22 @@ type EnterpriseLogin struct {
 	JWTSecretRef SecretKeyRef `json:"jwtSecretRef"`
 
 	Google *EnterpriseLoginGoogle `json:"google,omitempty"`
+
+	RedpandaCloud *EnterpriseLoginRedpandaCloud `json:"redpandaCloud,omitempty"`
+}
+
+// EnterpriseLoginRedpandaCloud defines configurable fields for RedpandaCloud SSO provider
+type EnterpriseLoginRedpandaCloud struct {
+	Enabled bool `json:"enabled" yaml:"enabled"`
+
+	// Domain is the domain of the auth server
+	Domain string `json:"domain" yaml:"domain"`
+
+	// Audience is the domain where this auth is intended for
+	Audience string `json:"audience" yaml:"audience"`
+
+	// AllowedOrigins indicates if response is allowed from given origin
+	AllowedOrigins string `json:"allowedOrigins,omitempty" yaml:"allowedOrigins,omitempty"`
 }
 
 // IsGoogleLoginEnabled returns true if Google SSO provider is enabled

config/crd/bases/redpanda.vectorized.io_consoles.yaml

@@ -350,6 +350,28 @@ spec:
                     - name
                     - namespace
                     type: object
+                  redpandaCloud:
+                    description: EnterpriseLoginRedpandaCloud defines configurable
+                      fields for RedpandaCloud provider
+                    properties:
+                      allowedOrigins:
+                        description: AllowedOrigins indicates if response is allowed
+                          from given origin
+                        type: string
+                      audience:
+                        description: Audience is the domain where this auth is intended
+                          for
+                        type: string
+                      domain:
+                        description: Domain is the domain of the auth server
+                        type: string
+                      enabled:
+                        type: boolean
+                    required:
+                    - audience
+                    - domain
+                    - enabled
+                    type: object
                 required:
                 - enabled
                 - jwtSecretRef

controllers/redpanda/console_controller_test.go

@@ -342,4 +342,49 @@ var _ = Describe("Console controller", func() {
 			}, timeout, interval).Should(BeTrue())
 		})
 	})
+
+	Context("When enabling multiple Login providers", func() {
+		ctx := context.Background()
+		It("Should prioritize RedpandaCloud", func() {
+			var (
+				rpCloudDomain   = "test.auth.vectorized.io"
+				rpCloudAudience = "dev.vectorized.io"
+			)
+
+			By("Updating Console RedpandaCloud Login fields")
+			console := &redpandav1alpha1.Console{}
+			Expect(k8sClient.Get(ctx, types.NamespacedName{Namespace: ConsoleNamespace, Name: ConsoleName}, console)).Should(Succeed())
+			console.Spec.Login.RedpandaCloud = &redpandav1alpha1.EnterpriseLoginRedpandaCloud{
+				Enabled:  true,
+				Domain:   rpCloudDomain,
+				Audience: rpCloudAudience,
+			}
+			Expect(k8sClient.Update(ctx, console)).Should(Succeed())
+
+			By("Having only RedpandaCloud provider in ConfigMap")
+			createdConfigMaps := &corev1.ConfigMapList{}
+			Eventually(func() bool {
+				if err := k8sClient.List(ctx, createdConfigMaps, client.MatchingLabels(labels.ForConsole(console)), client.InNamespace(ConsoleNamespace)); err != nil {
+					return false
+				}
+				if len(createdConfigMaps.Items) != 1 {
+					return false
+				}
+				for _, cm := range createdConfigMaps.Items {
+					cc := &consolepkg.ConsoleConfig{}
+					if err := yaml.Unmarshal([]byte(cm.Data["config.yaml"]), cc); err != nil {
+						return false
+					}
+					if cc.Login.Google != nil {
+						return false
+					}
+					rpCloudConfig := cc.Login.RedpandaCloud
+					if !rpCloudConfig.Enabled || rpCloudConfig.Domain != rpCloudDomain || rpCloudConfig.Audience != rpCloudAudience {
+						return false
+					}
+				}
+				return true
+			}, timeout, interval).Should(BeTrue())
+		})
+	})
 })

pkg/console/configmap.go

@@ -203,7 +203,14 @@ func (cm *ConfigMap) genLogin(ctx context.Context) (e EnterpriseLogin, err error
 		}
 		enterpriseLogin.JWTSecret = string(jwt)
 
-		switch { // nolint:gocritic // will support more providers
+		switch {
+		case provider.RedpandaCloud != nil:
+			enterpriseLogin.RedpandaCloud = &redpandav1alpha1.EnterpriseLoginRedpandaCloud{
+				Enabled:        provider.RedpandaCloud.Enabled,
+				Domain:         provider.RedpandaCloud.Domain,
+				Audience:       provider.RedpandaCloud.Audience,
+				AllowedOrigins: provider.RedpandaCloud.AllowedOrigins,
+			}
 		case provider.Google != nil:
 			cc := redpandav1alpha1.SecretKeyRef{
 				Namespace: provider.Google.ClientCredentialsRef.Namespace,

pkg/console/console.go

@@ -14,6 +14,8 @@ import (
 	"github.com/cloudhut/common/rest"
 	"github.com/redpanda-data/console/backend/pkg/connect"
 	"github.com/redpanda-data/console/backend/pkg/kafka"
+
+	redpandav1alpha1 "github.com/redpanda-data/redpanda/src/go/k8s/apis/redpanda/v1alpha1"
 )
 
 const (
@@ -54,9 +56,10 @@ type EnterpriseRBAC struct {
 
 // EnterpriseLogin is the Console Enterprise Login config
 type EnterpriseLogin struct {
-	Enabled   bool                   `json:"enabled" yaml:"enabled"`
-	JWTSecret string                 `json:"jwtSecret,omitempty" yaml:"jwtSecret,omitempty"`
-	Google    *EnterpriseLoginGoogle `json:"google,omitempty" yaml:"google,omitempty"`
+	Enabled       bool                                           `json:"enabled" yaml:"enabled"`
+	JWTSecret     string                                         `json:"jwtSecret,omitempty" yaml:"jwtSecret,omitempty"`
+	Google        *EnterpriseLoginGoogle                         `json:"google,omitempty" yaml:"google,omitempty"`
+	RedpandaCloud *redpandav1alpha1.EnterpriseLoginRedpandaCloud `json:"redpandaCloud,omitempty" yaml:"redpandaCloud,omitempty"`
 }
 
 // EnterpriseLoginGoogle is the Console Enterprise Google SSO config