feat: support cluster mode deployment with the new kustomize-based installation

deploy/base/deployment.yml

@@ -45,16 +45,8 @@ spec:
             periodSeconds: 5
             timeoutSeconds: 1
           env:
-            - name: HAWTIO_ONLINE_MODE
-              value: namespace
-            - name: HAWTIO_ONLINE_AUTH
-              value: form
             - name: HAWTIO_ONLINE_RBAC_ACL
               value: /etc/hawtio/rbac/ACL.yaml
-            - name: HAWTIO_ONLINE_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
           resources:
             requests:
               cpu: "0.2"

deploy/base/kustomization.yml

@@ -7,5 +7,3 @@ resources:
 - configmap-hawtio-rbac.yml
 - deployment.yml
 - service.yml
-- ingress.yml
-- serviceaccount.yml

deploy/k8s/cluster/kustomization.yml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+- ../../base
+
+resources:
+- ingress.yml
+
+patchesStrategicMerge:
+- patch-deployment.yml

deploy/k8s/cluster/patch-deployment.yml

@@ -0,0 +1,14 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hawtio-online
+spec:
+  template:
+    spec:
+      containers:
+        - name: hawtio-online
+          env:
+            - name: HAWTIO_ONLINE_AUTH
+              value: form
+            - name: HAWTIO_ONLINE_MODE
+              value: cluster

deploy/k8s/namespace/ingress.yml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hawtio-online
+  labels:
+    app: hawtio
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /$1
+spec:
+  tls:
+  - secretName: hawtio-online-tls-serving
+  rules:
+  - http:
+      paths:
+      - path: /(.*)
+        pathType: Prefix
+        backend:
+          service:
+            name: hawtio-online
+            port:
+              number: 443

deploy/k8s/namespace/kustomization.yml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+- ../../base
+
+resources:
+- ingress.yml
+- serviceaccount.yml
+
+patchesStrategicMerge:
+- patch-deployment.yml

deploy/k8s/namespace/patch-deployment.yml

@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hawtio-online
+spec:
+  template:
+    spec:
+      containers:
+        - name: hawtio-online
+          env:
+            - name: HAWTIO_ONLINE_AUTH
+              value: form
+            - name: HAWTIO_ONLINE_MODE
+              value: namespace
+            - name: HAWTIO_ONLINE_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace

deploy/openshift/cluster/kustomization.yml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+- ../../base
+
+resources:
+- route.yml
+
+patchesStrategicMerge:
+- patch-deployment.yml
+- patch-service.yml

deploy/openshift/cluster/oauthclient.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# OAuthClient requires a redirect URI with a route host name which
+# the platform assigns to the route.
+
+set -eu -o pipefail
+
+redirect_uri=${1:-}
+if [ -z "$redirect_uri" ]; then
+  redirect_uri=$(oc get route hawtio-online -ojsonpath='{$.spec.host}')
+fi
+
+cat <<EOT | oc apply -f -
+apiVersion: oauth.openshift.io/v1
+kind: OAuthClient
+metadata:
+  name: hawtio-online
+grantMethod: auto
+redirectURIs:
+- https://${redirect_uri}
+EOT

deploy/openshift/deployment.yml → deploy/openshift/cluster/patch-deployment.yml

@@ -10,21 +10,18 @@ spec:
           env:
             - name: HAWTIO_ONLINE_AUTH
               value: oauth
+            - name: HAWTIO_ONLINE_MODE
+              value: cluster
             - name: HAWTIO_ONLINE_GATEWAY
               value: 'true'
             - name: OPENSHIFT_WEB_CONSOLE_URL
-              value: ${OPENSHIFT_WEB_CONSOLE_URL}
+              value: ''
             - name: OPENSHIFT_CLUSTER_VERSION
               value: '4'
           volumeMounts:
-            - name: hawtio-online-tls-serving
-              mountPath: /etc/tls/private/serving
             - name: hawtio-online-tls-proxying
               mountPath: /etc/tls/private/proxying
       volumes:
-        - name: hawtio-online-tls-serving
-          secret:
-            secretName: hawtio-online-tls-serving
         - name: hawtio-online-tls-proxying
           secret:
             secretName: hawtio-online-tls-proxying

deploy/openshift/kustomization.yml → deploy/openshift/namespace/kustomization.yml

@@ -2,13 +2,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 bases:
-- ../base
+- ../../base
 
 resources:
 - route.yml
+- serviceaccount.yml
 
 patchesStrategicMerge:
-- deployment.yml
-- service.yml
-- serviceaccount.yml
-- delete-ingress.yml
+- patch-deployment.yml
+- patch-service.yml

deploy/openshift/namespace/patch-deployment.yml

@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hawtio-online
+spec:
+  template:
+    spec:
+      containers:
+        - name: hawtio-online
+          env:
+            - name: HAWTIO_ONLINE_AUTH
+              value: oauth
+            - name: HAWTIO_ONLINE_MODE
+              value: namespace
+            - name: HAWTIO_ONLINE_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: HAWTIO_ONLINE_GATEWAY
+              value: 'true'
+            - name: OPENSHIFT_WEB_CONSOLE_URL
+              value: ''
+            - name: OPENSHIFT_CLUSTER_VERSION
+              value: '4'
+          volumeMounts:
+            - name: hawtio-online-tls-proxying
+              mountPath: /etc/tls/private/proxying
+      volumes:
+        - name: hawtio-online-tls-proxying
+          secret:
+            secretName: hawtio-online-tls-proxying

deploy/openshift/namespace/patch-service.yml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: hawtio-online
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: hawtio-online-tls-serving

deploy/openshift/namespace/route.yml

@@ -0,0 +1,13 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: hawtio-online
+  labels:
+    app: hawtio
+spec:
+  to:
+    kind: Service
+    name: hawtio-online
+  tls:
+    insecureEdgeTerminationPolicy: Redirect
+    termination: reencrypt

deploy/openshift/serviceaccount.yml → deploy/openshift/namespace/serviceaccount.yml

@@ -2,6 +2,8 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: hawtio-online
+  labels:
+    app: hawtio
   annotations:
     # All HTTPS ingresses for the Hawtio Online route
     serviceaccounts.openshift.io/oauth-redirecturi.route: https://

package.json

@@ -45,8 +45,10 @@
     "test": "yarn test:bats",
     "test:bats": "cd docker/osconsole/ && bats config.bats",
     "test:nginx": "cd docker/ && HAWTIO_ONLINE_RBAC_ACL= njs test.js",
-    "deploy:k8s": "kubectl apply --kustomize deploy/base/",
-    "deploy:openshift": "kubectl apply --kustomize deploy/openshift/",
+    "deploy:k8s:namespace": "kubectl apply --kustomize deploy/k8s/namespace/",
+    "deploy:k8s:cluster": "kubectl apply --kustomize deploy/k8s/cluster/",
+    "deploy:openshift:namespace": "oc apply --kustomize deploy/openshift/namespace/",
+    "deploy:openshift:cluster": "oc apply --kustomize deploy/openshift/cluster/ && ./deploy/openshift/cluster/oauthclient.sh $ROUTE_HOSTNAME",
     "k8s:kustomize": "cd deploy/base && kustomize edit set image hawtio/online=docker.io/${ORG:-hawtio}/${PROJECT:-online}:${TAG:-latest}"
   },
   "devDependencies": {