[WIP] Gracefully handle config changes

Author: spadgett

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+    "makefile.configureOnOpen": false
+}

pkg/api/api.go

@@ -38,6 +38,7 @@ const (
 	RedirectContainerPortName           = "custom-route-redirect"
 	ServiceCAConfigMapName              = "service-ca"
 	SessionSecretName                   = "session-secret"
+	SessionStorageVolumeName            = "session-storage"
 	TargetNamespace                     = "openshift-console"
 	TrustedCABundleKey                  = "ca-bundle.crt"
 	TrustedCABundleMountDir             = "/etc/pki/ca-trust/extracted/pem"

pkg/console/operator/sync_v400.go

@@ -95,10 +95,15 @@ func (co *consoleOperator) sync_v400(ctx context.Context, controllerContext fact
 		return statusHandler.FlushAndReturn(err)
 	}
 
+	sessionSecret, err := co.syncSessionSecret(ctx, updatedOperatorConfig, controllerContext.Recorder())
+	if err != nil {
+		return statusHandler.FlushAndReturn(err)
+	}
+
 	var (
 		targetNamespaceAuthServerCA *corev1.ConfigMap
-		sessionSecret               *corev1.Secret
 	)
+
 	switch authnConfig.Spec.Type {
 	case configv1.AuthenticationTypeOIDC:
 		if len(authnConfig.Spec.OIDCProviders) > 0 {
@@ -112,11 +117,6 @@ func (co *consoleOperator) sync_v400(ctx context.Context, controllerContext fact
 				}
 			}
 		}
-
-		sessionSecret, err = co.syncSessionSecret(ctx, updatedOperatorConfig, controllerContext.Recorder())
-		if err != nil {
-			return statusHandler.FlushAndReturn(err)
-		}
 	}
 
 	customLogosErr, customLogosErrReason := co.SyncCustomLogos(updatedOperatorConfig)

pkg/console/subresource/consoleserver/config_builder.go

@@ -63,6 +63,7 @@ type ConsoleServerCLIConfigBuilder struct {
 	monitoring                   map[string]string
 	customHostnameRedirectPort   int
 	inactivityTimeoutSeconds     int
+	sessionDir                   string
 	pluginsList                  map[string]string
 	pluginsOrder                 []string
 	i18nNamespaceList            []string
@@ -190,12 +191,17 @@ func (b *ConsoleServerCLIConfigBuilder) Capabilities(capabilities []operatorv1.C
 }
 
 func (b *ConsoleServerCLIConfigBuilder) AuthConfig(authnConfig *configv1.Authentication, apiServerURL string) *ConsoleServerCLIConfigBuilder {
+	b.sessionDir = "/var/sessions"
+
 	switch authnConfig.Spec.Type {
 	// We don't disable auth since the internal OAuth server is not disabled even with auth type 'None'.
 	case "", configv1.AuthenticationTypeIntegratedOAuth, configv1.AuthenticationTypeNone:
 		b.authType = "openshift"
 		b.oauthClientID = api.OAuthClientName
 		b.CAFile = oauthServingCertFilePath
+		b.sessionAuthenticationFile = "/var/session-secret/sessionAuthenticationKey"
+		b.sessionEncryptionFile = "/var/session-secret/sessionEncryptionKey"
+
 		return b
 
 	case configv1.AuthenticationTypeOIDC:
@@ -419,6 +425,7 @@ func (b *ConsoleServerCLIConfigBuilder) session() Session {
 	conf := Session{
 		CookieAuthenticationKeyFile: b.sessionAuthenticationFile,
 		CookieEncryptionKeyFile:     b.sessionEncryptionFile,
+		SessionDir:                  b.sessionDir,
 	}
 	return conf
 }

pkg/console/subresource/consoleserver/types.go

@@ -100,6 +100,7 @@ type Auth struct {
 type Session struct {
 	CookieEncryptionKeyFile     string `yaml:"cookieEncryptionKeyFile,omitempty"`
 	CookieAuthenticationKeyFile string `yaml:"cookieAuthenticationKeyFile,omitempty"`
+	SessionDir                  string `yaml:"sessionDir,omitempty"`
 	// TODO: move InactivityTimeoutSeconds here
 }
 

pkg/console/subresource/deployment/deployment.go

@@ -58,9 +58,10 @@ type volumeConfig struct {
 	name     string
 	readOnly bool
 	path     string
-	// isSecret or isConfigMap are mutually exclusive
+	// isSecret, isConfigMap, and isEmptyDir are mutually exclusive
 	isSecret    bool
 	isConfigMap bool
+	isEmptyDir  bool
 	mappedKeys  map[string]string
 }
 
@@ -87,7 +88,6 @@ func DefaultDeployment(
 	withStrategy(deployment, infrastructureConfig)
 	withConsoleAnnotations(
 		deployment,
-		consoleConfigMap,
 		serviceCAConfigMap,
 		authnCATrustConfigMap,
 		trustedCAConfigMap,
@@ -194,7 +194,6 @@ func withStrategy(deployment *appsv1.Deployment, infrastructureConfig *configv1.
 // version changes.
 func withConsoleAnnotations(
 	deployment *appsv1.Deployment,
-	consoleConfigMap *corev1.ConfigMap,
 	serviceCAConfigMap *corev1.ConfigMap,
 	authServerCAConfigMap *corev1.ConfigMap,
 	trustedCAConfigMap *corev1.ConfigMap,
@@ -203,8 +202,9 @@ func withConsoleAnnotations(
 	proxyConfig *configv1.Proxy,
 	infrastructureConfig *configv1.Infrastructure,
 ) {
+	// Avoid rolling out when the console-config configmap is updated.
+	// Console now watches the configmap for changes without needing to redeploy.
 	deployment.ObjectMeta.Annotations = map[string]string{
-		configMapResourceVersionAnnotation:            consoleConfigMap.GetResourceVersion(),
 		serviceCAConfigMapResourceVersionAnnotation:   serviceCAConfigMap.GetResourceVersion(),
 		trustedCAConfigMapResourceVersionAnnotation:   trustedCAConfigMap.GetResourceVersion(),
 		proxyConfigResourceVersionAnnotation:          proxyConfig.GetResourceVersion(),
@@ -304,6 +304,16 @@ func withConsoleVolumes(
 				},
 			}
 		}
+		if item.isEmptyDir {
+			vols[i] = corev1.Volume{
+				Name: item.name,
+				VolumeSource: corev1.VolumeSource{
+					EmptyDir: &corev1.EmptyDirVolumeSource{
+						Medium: corev1.StorageMediumMemory,
+					},
+				},
+			}
+		}
 	}
 	deployment.Spec.Template.Spec.Volumes = vols
 }
@@ -519,6 +529,12 @@ func defaultVolumeConfig() []volumeConfig {
 			path:        "/var/service-ca",
 			isConfigMap: true,
 		},
+		{
+			name:       api.SessionStorageVolumeName,
+			readOnly:   false,
+			path:       "/var/sessions",
+			isEmptyDir: true,
+		},
 	}
 }
 

pkg/console/subresource/deployment/deployment_test.go

@@ -632,7 +632,6 @@ func TestWithConsoleAnnotations(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Annotations: map[string]string{
 								workloadManagementAnnotation:                   workloadManagementAnnotationValue,
-								configMapResourceVersionAnnotation:             consoleConfigMap.GetResourceVersion(),
 								serviceCAConfigMapResourceVersionAnnotation:    serviceCAConfigMap.GetResourceVersion(),
 								authnCATrustConfigMapResourceVersionAnnotation: oauthServingCertConfigMap.GetResourceVersion(),
 								trustedCAConfigMapResourceVersionAnnotation:    trustedCAConfigMap.GetResourceVersion(),
@@ -649,7 +648,7 @@ func TestWithConsoleAnnotations(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			withConsoleAnnotations(tt.args.deployment, tt.args.consoleConfigMap, tt.args.serviceCAConfigMap, tt.args.authServerCAConfigMap, tt.args.trustedCAConfigMap, tt.args.oAuthClientSecret, tt.args.sessionSecret, tt.args.proxyConfig, tt.args.infrastructureConfig)
+			withConsoleAnnotations(tt.args.deployment, tt.args.serviceCAConfigMap, tt.args.authServerCAConfigMap, tt.args.trustedCAConfigMap, tt.args.oAuthClientSecret, tt.args.sessionSecret, tt.args.proxyConfig, tt.args.infrastructureConfig)
 			if diff := deep.Equal(tt.args.deployment, tt.want); diff != nil {
 				t.Error(diff)
 			}