Merge pull request #1020 from jhadvig/CONSOLE-2892

CONSOLE-2892: Allow dynamic plugins to proxy to services on the cluster

console/v1alpha1/0000_10_consoleplugin.crd.yaml

@@ -39,14 +39,53 @@ spec:
               description: ConsolePluginSpec is the desired plugin configuration.
               type: object
               required:
-                - displayName
                 - service
               properties:
                 displayName:
                   description: displayName is the display name of the plugin.
                   type: string
+                  minLength: 1
+                proxy:
+                  description: proxy is a list of Services that the plugin needs to connect to.
+                  type: object
+                  properties:
+                    services:
+                      description: "services is a list of in-cluster Services that the plugin will connect to. The Service must use HTTPS. Console backend exposes the following endpoint in order to proxy communication between the plugin and the Service: \n /api/proxy/namespace/<service-namespace>/service/<service-name>:<port-number>/<request-path>?<optional-query-parameters> \n Request example path: \n /api/proxy/namespace/helm/service/helm-charts:8443/releases?limit=10"
+                      type: array
+                      items:
+                        description: ConsolePluginProxyService holds information on Service to which console's backend will proxy the plugin's requests.
+                        type: object
+                        required:
+                          - name
+                          - namespace
+                          - port
+                        properties:
+                          authorize:
+                            description: "authorize indicates if the proxied request will logged-in user's OpenShift access token in the \"Authorization\" request header: \n Authorization: Bearer sha256~kV46hPnEYhCWFnB85r5NrprAxggzgb6GOeLbgcKNsH0 \n By default the access token is not part of the proxied request."
+                            type: boolean
+                            default: false
+                          caCertificate:
+                            description: caCertificate provides the cert authority certificate contents, in case the proxied Service is using custom service CA. By default service CA bundle is used.
+                            type: string
+                            pattern: ^-----BEGIN CERTIFICATE-----([\s\S]*)-----END CERTIFICATE-----\s?$
+                          name:
+                            description: name of Service that the plugin needs to connect to.
+                            type: string
+                            maxLength: 128
+                            minLength: 1
+                          namespace:
+                            description: namespace of Service that the plugin needs to connect to
+                            type: string
+                            maxLength: 128
+                            minLength: 1
+                          port:
+                            description: port on which the Service that the plugin needs to connect to is listening on.
+                            type: integer
+                            format: int32
+                            maximum: 65535
+                            minimum: 1
                 service:
-                  description: service is a Kubernetes Service that exposes the plugin using a deployment with an HTTP server. The Service must use HTTPS and service serving certificate. The console backend will proxy the plugins assets from the Service using the service CA bundle.
+                  description: service is a Kubernetes Service that exposes the plugin using a deployment with an HTTP server. The Service must use HTTPS and Service serving certificate. The console backend will proxy the plugins assets from the Service using the service CA bundle.
                   type: object
                   required:
                     - basePath
@@ -57,15 +96,24 @@ spec:
                     basePath:
                       description: basePath is the path to the plugin's assets. The primary asset it the manifest file called `plugin-manifest.json`, which is a JSON document that contains metadata about the plugin and the extensions.
                       type: string
+                      default: /
+                      minLength: 1
+                      pattern: ^/
                     name:
-                      description: name of Service that is serving the plugin.
+                      description: name of Service that is serving the plugin assets.
                       type: string
+                      maxLength: 128
+                      minLength: 1
                     namespace:
-                      description: namespace of Service that is serving the plugin.
+                      description: namespace of Service that is serving the plugin assets.
                       type: string
+                      maxLength: 128
+                      minLength: 1
                     port:
                       description: port on which the Service that is serving the plugin is listening to.
                       type: integer
                       format: int32
+                      maximum: 65535
+                      minimum: 1
       served: true
       storage: true

console/v1alpha1/types_console_plugin.go

@@ -15,32 +15,120 @@ type ConsolePlugin struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata"`
 
+	// +kubebuilder:validation:Required
+	// +required
 	Spec ConsolePluginSpec `json:"spec"`
 }
 
 // ConsolePluginSpec is the desired plugin configuration.
 type ConsolePluginSpec struct {
 	// displayName is the display name of the plugin.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	// +optional
 	DisplayName string `json:"displayName"`
 	// service is a Kubernetes Service that exposes the plugin using a
 	// deployment with an HTTP server. The Service must use HTTPS and
-	// service serving certificate. The console backend will proxy the
+	// Service serving certificate. The console backend will proxy the
 	// plugins assets from the Service using the service CA bundle.
+	// +kubebuilder:validation:Required
+	// +required
 	Service ConsolePluginService `json:"service"`
+	// proxy is a list of Services that the plugin needs to connect to.
+	// +kubebuilder:validation:Optional
+	// +optional
+	Proxy ConsolePluginProxy `json:"proxy"`
 }
 
-// ConsolePluginService holds information on service that is serving
+// ConsolePluginProxy holds information on various service types
+// to which console's backend will proxy the plugin's requests.
+type ConsolePluginProxy struct {
+	// services is a list of in-cluster Services that the plugin
+	// will connect to. The Service must use HTTPS. Console backend
+	// exposes the following endpoint in order to proxy communication
+	// between the plugin and the Service:
+	//
+	// /api/proxy/namespace/<service-namespace>/service/<service-name>:<port-number>/<request-path>?<optional-query-parameters>
+	//
+	// Request example path:
+	//
+	// /api/proxy/namespace/helm/service/helm-charts:8443/releases?limit=10
+	//
+	// +kubebuilder:validation:Optional
+	// +optional
+	Services []ConsolePluginProxyService `json:"services"`
+}
+
+// ConsolePluginProxyService holds information on Service to which
+// console's backend will proxy the plugin's requests.
+type ConsolePluginProxyService struct {
+	// name of Service that the plugin needs to connect to.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=128
+	// +required
+	Name string `json:"name"`
+	// namespace of Service that the plugin needs to connect to
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=128
+	// +required
+	Namespace string `json:"namespace"`
+	// port on which the Service that the plugin needs to connect to
+	// is listening on.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Maximum:=65535
+	// +kubebuilder:validation:Minimum:=1
+	// +required
+	Port int32 `json:"port"`
+	// caCertificate provides the cert authority certificate contents,
+	// in case the proxied Service is using custom service CA.
+	// By default service CA bundle is used.
+	// +kubebuilder:validation:Pattern=`^-----BEGIN CERTIFICATE-----([\s\S]*)-----END CERTIFICATE-----\s?$`
+	// +kubebuilder:validation:Optional
+	// +optional
+	CACertificate string `json:"caCertificate"`
+	// authorize indicates if the proxied request will logged-in user's
+	// OpenShift access token in the "Authorization" request header:
+	//
+	// Authorization: Bearer sha256~kV46hPnEYhCWFnB85r5NrprAxggzgb6GOeLbgcKNsH0
+	//
+	// By default the access token is not part of the proxied request.
+	// +kubebuilder:default:=false
+	// +kubebuilder:validation:Optional
+	// +optional
+	Authorize bool `json:"authorize"`
+}
+
+// ConsolePluginService holds information on Service that is serving
 // console dynamic plugin assets.
 type ConsolePluginService struct {
-	// name of Service that is serving the plugin.
+	// name of Service that is serving the plugin assets.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=128
+	// +required
 	Name string `json:"name"`
-	// namespace of Service that is serving the plugin.
+	// namespace of Service that is serving the plugin assets.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=128
+	// +required
 	Namespace string `json:"namespace"`
 	// port on which the Service that is serving the plugin is listening to.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Maximum:=65535
+	// +kubebuilder:validation:Minimum:=1
+	// +required
 	Port int32 `json:"port"`
 	// basePath is the path to the plugin's assets. The primary asset it the
 	// manifest file called `plugin-manifest.json`, which is a JSON document
 	// that contains metadata about the plugin and the extensions.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^/`
+	// +kubebuilder:default:="/"
+	// +required
 	BasePath string `json:"basePath"`
 }