Upgrade console to version 4.17

Now Requires external Plugins for Network and Monitoring tabs

Author: asaf400

charts/console/Chart.yaml

@@ -5,8 +5,8 @@ description: A Helm chart for Kubernetes
 type: application
 
 # This is the chart version.
-version: 1.0.2
+version: 1.1.0
 
 # This is the version number of the application being deployed.
 # https://docs.openshift.com/container-platform/4.18/release_notes/ocp-4-18-release-notes.html
-appVersion: "4.16.0"
+appVersion: "4.17.0"

charts/console/templates/_helpers.tpl

@@ -87,4 +87,13 @@ Create the name of the service account to use
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
-{{- end }}
+{{- end }}
+
+{{- define "plugins-environment-value" }}
+{{- $result := list -}}
+{{- range .Values.plugins -}}
+  {{- $port := int .port -}}
+  {{- $result = append $result (printf "%s=http://localhost:%d" .name $port) -}}
+{{- end -}}
+{{- join "," $result -}}
+{{- end -}}

charts/console/templates/deployment.yaml

@@ -53,8 +53,7 @@ spec:
             httpGet:
               path: /
               port: http
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
           env:
             {{- if .Values.extraEnv }}
               {{- toYaml .Values.extraEnv | nindent 12 }}
@@ -82,6 +81,41 @@ spec:
             - name: BRIDGE_COOKIE_AUTHENTICATION_KEY_FILE
               value: "/etc/bridge/oidc-authnKey"
             {{- end }}
+            {{- if .Values.plugins }}
+            - name: BRIDGE_PLUGINS
+              value: {{ include "plugins-environment-value" . }}
+            {{- end }}
+        {{- if .Values.plugins }}
+          {{- range .Values.plugins }}
+        - name: {{ .name }}
+          resources: {{- toYaml $.Values.resources | nindent 12 }}
+          readinessProbe:
+            httpGet:
+              path: /
+              port: plugin
+              scheme: HTTP
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+          livenessProbe:
+            httpGet:
+              path: /
+              port: plugin
+              scheme: HTTP
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+          securityContext: {{- toYaml $.Values.securityContext | nindent 12 }}
+          ports:
+            - name: plugin
+              containerPort: {{ .port }}
+              protocol: TCP
+          imagePullPolicy: {{ $.Values.image.pullPolicy }}
+          image: {{ .image }}
+          {{- end }}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/console/values.yaml

@@ -52,20 +52,20 @@ oidcIdentityProvider: ""
 # only modify the string elements, not the claim keys
 claims:
   preferredUsername:
-  - preferred_username
+    - preferred_username
   name:
-  - name
+    - name
   email:
-  - email
+    - email
   groups:
-  - groups
+    - groups
 
 bridgeEnvironmentVariables:
-  BRIDGE_USER_AUTH: oidc
-  BRIDGE_K8S_AUTH: oidc
-  BRIDGE_BASE_ADDRESS: # "https://my-console.cluster.example.com"
-  BRIDGE_USER_AUTH_OIDC_CLIENT_ID: # BRIDGE_USER_AUTH_OIDC_CLIENT_ID
-  BRIDGE_USER_AUTH_OIDC_ISSUER_URL: # https://my-oidc-prodiver.okta.jumpcloud.example.com
+  # BRIDGE_USER_AUTH: oidc
+  # BRIDGE_K8S_AUTH: oidc
+  # BRIDGE_BASE_ADDRESS: "https://my-console.cluster.example.com"
+  # BRIDGE_USER_AUTH_OIDC_CLIENT_ID: BRIDGE_USER_AUTH_OIDC_CLIENT_ID
+  # BRIDGE_USER_AUTH_OIDC_ISSUER_URL: https://my-oidc-prodiver.okta.jumpcloud.example.com
   # BRIDGE_USER_AUTH_OIDC_CLIENT_SECRET defaults to consuming vaule from values.secrets.idpSecret.secretName
 
 extraEnv: ""
@@ -94,6 +94,16 @@ ingress:
   #    hosts:
   #      - chart-example.local
 
+# Enable Plugins - run as a sidecar
+# Since version 4.17 network tab has been extracted from console repo into a console dynamic plugin
+plugins: []
+  # - name: networking-console-plugin
+  #   image: asaf400/openshift:networking-console-plugin-e8a088c
+  #   port: 8080
+  # - name: monitoring-plugin
+  #   image: asaf400/openshift:monitoring-plugin
+  #   port: 8081
+
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little

images/monitoring-plugin/20-envsubst-on-templates.sh

@@ -0,0 +1,78 @@
+#!/bin/sh
+
+set -e
+
+ME=$(basename "$0")
+
+entrypoint_log() {
+    if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
+        echo "$@"
+    fi
+}
+
+add_stream_block() {
+  local conffile="/etc/nginx/nginx.conf"
+
+  if grep -q -E "\s*stream\s*\{" "$conffile"; then
+    entrypoint_log "$ME: $conffile contains a stream block; include $stream_output_dir/*.conf to enable stream templates"
+  else
+    # check if the file can be modified, e.g. not on a r/o filesystem
+    touch "$conffile" 2>/dev/null || { entrypoint_log "$ME: info: can not modify $conffile (read-only file system?)"; exit 0; }
+    entrypoint_log "$ME: Appending stream block to $conffile to include $stream_output_dir/*.conf"
+    cat << END >> "$conffile"
+# added by "$ME" on "$(date)"
+stream {
+  include $stream_output_dir/*.conf;
+}
+END
+  fi
+}
+
+auto_envsubst() {
+  local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}"
+  local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}"
+  local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}"
+  local stream_suffix="${NGINX_ENVSUBST_STREAM_TEMPLATE_SUFFIX:-.stream-template}"
+  local stream_output_dir="${NGINX_ENVSUBST_STREAM_OUTPUT_DIR:-/etc/nginx/stream-conf.d}"
+  local filter="${NGINX_ENVSUBST_FILTER:-}"
+
+  local template defined_envs relative_path output_path subdir
+  defined_envs=$(printf '${%s} ' $(awk "END { for (name in ENVIRON) { print ( name ~ /${filter}/ ) ? name : \"\" } }" < /dev/null ))
+  [ -d "$template_dir" ] || return 0
+  if [ ! -w "$output_dir" ]; then
+    entrypoint_log "$ME: ERROR: $template_dir exists, but $output_dir is not writable"
+    return 0
+  fi
+  find "$template_dir" -follow -type f -name "*$suffix" -print | while read -r template; do
+    relative_path="${template#"$template_dir/"}"
+    output_path="$output_dir/${relative_path%"$suffix"}"
+    subdir=$(dirname "$relative_path")
+    # create a subdirectory where the template file exists
+    mkdir -p "$output_dir/$subdir"
+    entrypoint_log "$ME: Running envsubst on $template to $output_path"
+    envsubst "$defined_envs" < "$template" > "$output_path"
+  done
+
+  # Print the first file with the stream suffix, this will be false if there are none
+  if test -n "$(find "$template_dir" -name "*$stream_suffix" -print -quit)"; then
+    mkdir -p "$stream_output_dir"
+    if [ ! -w "$stream_output_dir" ]; then
+      entrypoint_log "$ME: ERROR: $template_dir exists, but $stream_output_dir is not writable"
+      return 0
+    fi
+    add_stream_block
+    find "$template_dir" -follow -type f -name "*$stream_suffix" -print | while read -r template; do
+      relative_path="${template#"$template_dir/"}"
+      output_path="$stream_output_dir/${relative_path%"$stream_suffix"}"
+      subdir=$(dirname "$relative_path")
+      # create a subdirectory where the template file exists
+      mkdir -p "$stream_output_dir/$subdir"
+      entrypoint_log "$ME: Running envsubst on $template to $output_path"
+      envsubst "$defined_envs" < "$template" > "$output_path"
+    done
+  fi
+}
+
+auto_envsubst
+
+exit 0

images/monitoring-plugin/Dockerfile

@@ -0,0 +1,62 @@
+FROM registry.redhat.io/ubi9/nodejs-18:1-118 AS web-builder
+
+WORKDIR /opt/app-root
+
+USER 0
+
+RUN npm install --global yarn
+
+ENV HUSKY=0
+
+COPY web/package.json web/yarn.lock web/
+COPY Makefile Makefile
+RUN make install-frontend
+
+COPY web/ web/
+RUN make build-frontend
+
+FROM quay.io/redhat-cne/openshift-origin-release:rhel-9-golang-1.22-openshift-4.17 as go-builder
+
+WORKDIR /opt/app-root
+
+COPY Makefile Makefile
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+RUN make install-backend
+
+COPY cmd/ cmd/
+COPY pkg/ pkg/
+
+ENV GOEXPERIMENT=strictfipsruntime
+ENV CGO_ENABLED=1
+
+RUN make build-backend BUILD_OPTS="-tags strictfipsruntime"
+
+FROM amazonlinux:2023
+
+RUN dnf install -y nginx findutils gettext && \
+    mkdir /var/cache/nginx && \
+    mkdir -p /docker-entrypoint.d && \
+    mkdir -p /etc/nginx/templates && \
+    chown -R 1001:0 /var/lib/nginx /var/log/nginx /run /docker-entrypoint.d /etc/nginx/templates /etc/nginx/conf.d && \
+    chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run /docker-entrypoint.d /etc/nginx/templates /etc/nginx/conf.d
+
+USER 1001
+
+COPY --from=web-builder /opt/app-root/web/dist /opt/app-root/web/dist
+COPY --from=go-builder /opt/app-root/plugin-backend /opt/app-root
+
+COPY --from=web-builder /opt/app-root/web/dist /usr/share/nginx/html
+COPY nginx.conf.template /etc/nginx/templates/default.conf.template
+
+COPY docker-entrypoint.sh /
+COPY 20-envsubst-on-templates.sh /docker-entrypoint.d
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+# Run the server
+CMD ["nginx", "-g", "daemon off;"]
+
+# When nginx is removed from CMO, we can use the following ENTRYPOINT instead and remove the nginx install
+# ENTRYPOINT ["/opt/app-root/plugin-backend", "-static-path", "/opt/app-root/web/dist"]

images/monitoring-plugin/README.md

@@ -0,0 +1 @@
+[Build this Dockerfile with acompanying files in this context dir](https://github.com/openshift/monitoring-plugin/blob/release-4.17/)

images/monitoring-plugin/docker-entrypoint.sh

@@ -0,0 +1,47 @@
+#!/bin/sh
+# vim:sw=4:ts=4:et
+
+set -e
+
+entrypoint_log() {
+    if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
+        echo "$@"
+    fi
+}
+
+if [ "$1" = "nginx" ] || [ "$1" = "nginx-debug" ]; then
+    if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
+        entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
+
+        entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
+        find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
+            case "$f" in
+                *.envsh)
+                    if [ -x "$f" ]; then
+                        entrypoint_log "$0: Sourcing $f";
+                        . "$f"
+                    else
+                        # warn on shell scripts without exec bit
+                        entrypoint_log "$0: Ignoring $f, not executable";
+                    fi
+                    ;;
+                *.sh)
+                    if [ -x "$f" ]; then
+                        entrypoint_log "$0: Launching $f";
+                        "$f"
+                    else
+                        # warn on shell scripts without exec bit
+                        entrypoint_log "$0: Ignoring $f, not executable";
+                    fi
+                    ;;
+                *) entrypoint_log "$0: Ignoring $f";;
+            esac
+        done
+
+        entrypoint_log "$0: Configuration complete; ready for start up"
+    else
+        entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
+    fi
+fi
+
+exec "$@"

images/monitoring-plugin/nginx.conf.template

@@ -0,0 +1,4 @@
+server {
+    listen       ${NGINX_PORT};
+    listen       [::]:${NGINX_PORT};
+}