Console Google SSO support in operator

[pvsune]

Cover letter

Support Enterprise Google SSO in Console controller as described here.

Fixes #2760

Backport Required

• not a bug fix
• issue does not exist in previous branches
• papercut/not impactful enough to backport
• v22.2.x
• v22.1.x
• v21.11.x

UX changes

This PR introduces Enterprise fields configurable in the Console CR. Note that Enterprise fields are ignored by Console app if License is not set:

apiVersion: redpanda.vectorized.io/v1alpha1
kind: Console
metadata:
  name: test-console
  namespace: default
spec:
  ...
  login:
    enabled: true
    jwtSecretRef:
      name: "test-console-jwt"
      namespace: "default"
      key: "jwt" # jwt is default if not provided 
    google:
      enabled: true
      clientCredentialsRef:
        name: "test-console-google" # expects clientId, clientSecret in configmap key
        namespace: "default"
      directory:
        serviceAccountRef:
          name: test-console-google-sa # expects sa.json in configmap key
        targetPrincipal: [email protected]
  licenseRef:
    name: "test-console-license"
    namespace: "default"
    key: "license" # license is default if not provided 
  enterprise:
    rbac:
      enabled: true
      roleBindingsRef:
        name: "test-console-rbac" # expects rbac.yaml in configmap key

By design, referenced resources (i.e. ConfigMap Secret) are not watched because they are not owned by the controller. That means updating them requires a manual reload of the Console app (e.g. changes to RBAC file)

Release notes

Features

• Introduces NamespaceNameRef type instead of using the full glory of corev1.ObjectReference
• Introduce SecretKeyRef type to reference Secret objects
• Add defaulting webhook for Console

Improvements

• Use Redpanda wildcard certificate for Ingress since Console is exposed through https://console.<rp-subdomain>
• Rename ClusterKeyRef to ClusterRef
• Run Console kuttl tests in "console" namespace. I think there's no way to get the autogenerated kuttl namespace and we need to refer that in ClusterRef

[RafalKorepta]

Good Job Left comments.

[RafalKorepta]

NIT: commit message shouldn't have dot at the end.

wrong

operator: Support Google SSO Enterprise feature.

good

operator: Support Google SSO Enterprise feature

[RafalKorepta]

commit lacks of more context like cover letter have. It could be easier for future ppl to read commit message instead of going to github to read the context.

[pvsune]

👍 I updated the commits

[RafalKorepta]

Could this be more generic and works for config map too?

[pvsune]

We can. But I'm thinking if it is better to have a static mount path for files referenced by configmaps (e.g. Google SA file will always be in /etc/console/enterprise/google/sa.json)

[RafalKorepta]

mount path is different thing from key path from configmap. As far as I saw Key is used to point the key inside secret.

[pvsune]

I suppose we can do that. Although it feels a little off 😅 that the key is different from the mounted path. We already have validating/defaulting webhook for this though. If possible I'd like to keep this change simple 🙏

[RafalKorepta]

The genLogin could return the real type, so that you would not need to support second if statement. I would return real type not pointer from genLogin

Suggested change

	loginConfig, err := cm.genLogin(ctx)
	if err != nil {
	return "", err
	}
	if loginConfig != nil {
	consoleConfig.Login = *loginConfig
	}
	consoleConfig.Login, err := cm.genLogin(ctx)
	if err != nil {
	return "", err
	}

[pvsune]

Updated

[RafalKorepta]

Can you add godoc?

[pvsune]

Key field has comment. This is pointed to a newline, do you mean for Namespace, Name?

[RafalKorepta]

No this comment points on lines 14-16 where Name and Namespace is not documented in openAPI spec when CRD is generated.

[pvsune]

👍 Updated

[RafalKorepta]

I'm not sure if webhook is correctly implemented as it reverse the order how webhooks should be called