[WIP] Gracefully handle config changes

Author: spadgett

pkg/api/api.go

@@ -38,6 +38,7 @@ const (
 	RedirectContainerPortName           = "custom-route-redirect"
 	ServiceCAConfigMapName              = "service-ca"
 	SessionSecretName                   = "session-secret"
+	SessionStorageVolumeName            = "session-storage"
 	TargetNamespace                     = "openshift-console"
 	TrustedCABundleKey                  = "ca-bundle.crt"
 	TrustedCABundleMountDir             = "/etc/pki/ca-trust/extracted/pem"

pkg/console/operator/sync_v400.go

@@ -95,10 +95,17 @@ func (co *consoleOperator) sync_v400(ctx context.Context, controllerContext fact
 		return statusHandler.FlushAndReturn(err)
 	}
 
+	sessionSecret, err := co.syncSessionSecret(ctx, updatedOperatorConfig, controllerContext.Recorder())
+	if err != nil {
+		return statusHandler.FlushAndReturn(err)
+	}
+
 	var (
-		targetNamespaceAuthServerCA *corev1.ConfigMap
 		sessionSecret               *corev1.Secret
+		targetNamespaceAuthServerCA *corev1.ConfigMap
+		authServerCAConfig *corev1.ConfigMap
 	)
+
 	switch authnConfig.Spec.Type {
 	case configv1.AuthenticationTypeOIDC:
 		if len(authnConfig.Spec.OIDCProviders) > 0 {
@@ -112,11 +119,6 @@ func (co *consoleOperator) sync_v400(ctx context.Context, controllerContext fact
 				}
 			}
 		}
-
-		sessionSecret, err = co.syncSessionSecret(ctx, updatedOperatorConfig, controllerContext.Recorder())
-		if err != nil {
-			return statusHandler.FlushAndReturn(err)
-		}
 	}
 
 	customLogosErr, customLogosErrReason := co.SyncCustomLogos(updatedOperatorConfig)

pkg/console/subresource/configmap/configmap.go

@@ -23,6 +23,7 @@ import (
 const (
 	consoleConfigYamlFile = "console-config.yaml"
 	defaultLogoutURL      = ""
+	sessionDir            = "/var/sessions"
 	pluginProxyEndpoint   = "/api/proxy/plugin/"
 )
 
@@ -104,6 +105,7 @@ func DefaultConfigMap(
 		NodeArchitectures(nodeArchitectures).
 		NodeOperatingSystems(nodeOperatingSystems).
 		AuthConfig(authConfig, apiServerURL).
+		SessionDir(sessionDir).
 		Capabilities(operatorConfig.Spec.Customization.Capabilities).
 		ConfigYAML()
 	if err != nil {

pkg/console/subresource/consoleserver/config_builder.go

@@ -63,6 +63,7 @@ type ConsoleServerCLIConfigBuilder struct {
 	monitoring                   map[string]string
 	customHostnameRedirectPort   int
 	inactivityTimeoutSeconds     int
+	sessionDir                   string
 	pluginsList                  map[string]string
 	pluginsOrder                 []string
 	i18nNamespaceList            []string
@@ -196,6 +197,9 @@ func (b *ConsoleServerCLIConfigBuilder) AuthConfig(authnConfig *configv1.Authent
 		b.authType = "openshift"
 		b.oauthClientID = api.OAuthClientName
 		b.CAFile = oauthServingCertFilePath
+		b.sessionAuthenticationFile = "/var/session-secret/sessionAuthenticationKey"
+		b.sessionEncryptionFile = "/var/session-secret/sessionEncryptionKey"
+
 		return b
 
 	case configv1.AuthenticationTypeOIDC:
@@ -238,6 +242,11 @@ func (b *ConsoleServerCLIConfigBuilder) InactivityTimeout(timeout int) *ConsoleS
 	return b
 }
 
+func (b *ConsoleServerCLIConfigBuilder) SessionDir(sessionDir string) *ConsoleServerCLIConfigBuilder {
+	b.sessionDir = sessionDir
+	return b
+}
+
 func (b *ConsoleServerCLIConfigBuilder) Plugins(plugins map[string]string) *ConsoleServerCLIConfigBuilder {
 	b.pluginsList = plugins
 	return b

pkg/console/subresource/consoleserver/types.go

@@ -100,6 +100,7 @@ type Auth struct {
 type Session struct {
 	CookieEncryptionKeyFile     string `yaml:"cookieEncryptionKeyFile,omitempty"`
 	CookieAuthenticationKeyFile string `yaml:"cookieAuthenticationKeyFile,omitempty"`
+	SessionDir                  string `yaml:"sessionDir,omitempty"`
 	// TODO: move InactivityTimeoutSeconds here
 }
 

pkg/console/subresource/deployment/deployment.go

@@ -58,9 +58,10 @@ type volumeConfig struct {
 	name     string
 	readOnly bool
 	path     string
-	// isSecret or isConfigMap are mutually exclusive
+	// isSecret, isConfigMap, and isEmptyDir are mutually exclusive
 	isSecret    bool
 	isConfigMap bool
+	isEmptyDir  bool
 	mappedKeys  map[string]string
 }
 
@@ -87,7 +88,6 @@ func DefaultDeployment(
 	withStrategy(deployment, infrastructureConfig)
 	withConsoleAnnotations(
 		deployment,
-		consoleConfigMap,
 		serviceCAConfigMap,
 		authnCATrustConfigMap,
 		trustedCAConfigMap,
@@ -194,7 +194,6 @@ func withStrategy(deployment *appsv1.Deployment, infrastructureConfig *configv1.
 // version changes.
 func withConsoleAnnotations(
 	deployment *appsv1.Deployment,
-	consoleConfigMap *corev1.ConfigMap,
 	serviceCAConfigMap *corev1.ConfigMap,
 	authServerCAConfigMap *corev1.ConfigMap,
 	trustedCAConfigMap *corev1.ConfigMap,
@@ -203,8 +202,9 @@ func withConsoleAnnotations(
 	proxyConfig *configv1.Proxy,
 	infrastructureConfig *configv1.Infrastructure,
 ) {
+	// Avoid rolling out when the console-config configmap is updated.
+	// Console now watches the configmap for changes without needing to redeploy.
 	deployment.ObjectMeta.Annotations = map[string]string{
-		configMapResourceVersionAnnotation:            consoleConfigMap.GetResourceVersion(),
 		serviceCAConfigMapResourceVersionAnnotation:   serviceCAConfigMap.GetResourceVersion(),
 		trustedCAConfigMapResourceVersionAnnotation:   trustedCAConfigMap.GetResourceVersion(),
 		proxyConfigResourceVersionAnnotation:          proxyConfig.GetResourceVersion(),
@@ -304,6 +304,16 @@ func withConsoleVolumes(
 				},
 			}
 		}
+		if item.isEmptyDir {
+			vols[i] = corev1.Volume{
+				Name: item.name,
+				VolumeSource: corev1.VolumeSource{
+					EmptyDir: &corev1.EmptyDirVolumeSource{
+						Medium: corev1.StorageMediumMemory,
+					},
+				},
+			}
+		}
 	}
 	deployment.Spec.Template.Spec.Volumes = vols
 }
@@ -519,6 +529,12 @@ func defaultVolumeConfig() []volumeConfig {
 			path:        "/var/service-ca",
 			isConfigMap: true,
 		},
+		{
+			name:       api.SessionStorageVolumeName,
+			readOnly:   false,
+			path:       "/var/sessions",
+			isEmptyDir: true,
+		},
 	}
 }
 

pkg/console/subresource/deployment/deployment_test.go

@@ -632,7 +632,6 @@ func TestWithConsoleAnnotations(t *testing.T) {
 						ObjectMeta: metav1.ObjectMeta{
 							Annotations: map[string]string{
 								workloadManagementAnnotation:                   workloadManagementAnnotationValue,
-								configMapResourceVersionAnnotation:             consoleConfigMap.GetResourceVersion(),
 								serviceCAConfigMapResourceVersionAnnotation:    serviceCAConfigMap.GetResourceVersion(),
 								authnCATrustConfigMapResourceVersionAnnotation: oauthServingCertConfigMap.GetResourceVersion(),
 								trustedCAConfigMapResourceVersionAnnotation:    trustedCAConfigMap.GetResourceVersion(),
@@ -649,7 +648,7 @@ func TestWithConsoleAnnotations(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			withConsoleAnnotations(tt.args.deployment, tt.args.consoleConfigMap, tt.args.serviceCAConfigMap, tt.args.authServerCAConfigMap, tt.args.trustedCAConfigMap, tt.args.oAuthClientSecret, tt.args.sessionSecret, tt.args.proxyConfig, tt.args.infrastructureConfig)
+			withConsoleAnnotations(tt.args.deployment, tt.args.serviceCAConfigMap, tt.args.authServerCAConfigMap, tt.args.trustedCAConfigMap, tt.args.oAuthClientSecret, tt.args.sessionSecret, tt.args.proxyConfig, tt.args.infrastructureConfig)
 			if diff := deep.Equal(tt.args.deployment, tt.want); diff != nil {
 				t.Error(diff)
 			}