Add API to create user settings

[christoph-jerolimov]

Fixes:
https://issues.redhat.com/browse/ODC-4755

Analysis / Root cause:
Based on the User Settings for OpenShift Console enhancement proposal we want to create a ConfigMap for each individual user in the namespace openshift-console-user-settings

Currently you need create this namespace yourself, see Test Setup below. This namespace will be automatically created by the console-operator, see PR openshift/console-operator#479

Solution Description:
Because the user could not create a ConfigMap here, we create a new ConfigMap, Role and RoleBinding with the service account role over the bridge. This code provides 3 new endpoints to create, get and delete the user settings. (The second and third API calls primary for debugging / development.) The console will fetch the ConfigMap over the known k8sWatch API.

API
GET /api/console/user-settings
Get the current user settings (returns a ConfigMap or 404)

POST /api/console/user-settings
Create a user setting ConfigMap for the current user. It returns the existing ConfigMap if it is already exist. This method does not accept an initial content for the ConfigMap.

DELETE /api/console/user-settings
Delete the user setting ConfigMap for the current user. Returns 204 No Content if the ConfigMap was deleted, also if it was not created yet.

Screen shots / Gifs for design review:
Irrelevant

Unit test coverage report:

➜  console git:([odc-4755](https://issues.redhat.com/browse/odc-4755)) go test -coverprofile=coverage.out github.com/openshift/console/pkg/usersettings  
ok  	github.com/openshift/console/pkg/usersettings	0.006s	coverage: 16.2% of statements

➜  console git:([odc-4755](https://issues.redhat.com/browse/odc-4755)) ✗ go tool cover -func=coverage.out
github.com/openshift/console/pkg/usersettings/handlers.go:37:	HandleUserSettings		0.0%
github.com/openshift/console/pkg/usersettings/handlers.go:86:	getUserSettings			0.0%
github.com/openshift/console/pkg/usersettings/handlers.go:92:	createUserSettings		0.0%
github.com/openshift/console/pkg/usersettings/handlers.go:121:	deleteUserSettings		0.0%
github.com/openshift/console/pkg/usersettings/handlers.go:140:	createServiceAccountClient	0.0%
github.com/openshift/console/pkg/usersettings/handlers.go:149:	createUserProxyClient		0.0%
github.com/openshift/console/pkg/usersettings/handlers.go:158:	getUserSettingMeta		0.0%
github.com/openshift/console/pkg/usersettings/helpers.go:11:	getUserSettingMeta		100.0%
github.com/openshift/console/pkg/usersettings/helpers.go:29:	createRole			100.0%
github.com/openshift/console/pkg/usersettings/helpers.go:61:	createRoleBinding		100.0%
github.com/openshift/console/pkg/usersettings/helpers.go:85:	createConfigMap			100.0%
github.com/openshift/console/pkg/usersettings/types.go:10:	getConfigMapName		100.0%
github.com/openshift/console/pkg/usersettings/types.go:14:	getRoleName			100.0%
github.com/openshift/console/pkg/usersettings/types.go:18:	getRoleBindingName		100.0%
total:								(statements)			16.2%

Test setup:
This PR require some additional RBAC rules.

1. If PR Add namespace and role resources for user settings console-operator#479 is not part of your cluster you need to create a namespace:

1a Create namespace:

apiVersion: v1
kind: Namespace
metadata:
  name: openshift-console-user-settings
  annotations:
    include.release.openshift.io/self-managed-high-availability: "true"
    openshift.io/node-selector: ""

Until https://github.com/openshift/console-operator/pull/486/files is merged and available on your cluster you need to add this as well:

1b Create Role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: console-user-settings-admin-fixed
  namespace: openshift-console-user-settings
  annotations:
    include.release.openshift.io/self-managed-high-availability: "true"
rules:
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
  - patch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
  - patch

1c Create RoleBinding:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: console-user-settings-admin-fixed
  namespace: openshift-console-user-settings
  annotations:
    include.release.openshift.io/self-managed-high-availability: "true"
roleRef:
  kind: Role
  name: console-user-settings-admin-fixed
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: console
    namespace: openshift-console

2. Because the API calls needs a authentication and CSRF token, you can test the API calls from a logged in browser session with this JavaScript snippet:

In frontend code this is automatically done by coFetch, see co-fetch.js. But to test this without additional frontend code or postman I extracted the code for you:

2a Extract crcf token:

let cookiePrefix = 'csrf-token=';
let getCSRFToken = () =>
  document &&
  document.cookie &&
  document.cookie
    .split(';')
    .map((c) => c.trim())
    .filter((c) => c.startsWith(cookiePrefix))
    .map((c) => c.slice(cookiePrefix.length))
    .pop();
getCSRFToken();

2b Get user-settings:

fetch('/api/console/user-settings', { method: 'GET', headers: { 'X-CSRFToken': getCSRFToken() } }).then(
    (res) => {
        console.log('res', res);
        res.text().then(
            (text) => {
                console.log('text', text);
            },
            (parseErr) => console.warn('parseErr', parseErr)
        );
    },
    (requestErr) => {
        console.warn('requestErr', requestErr);
    }
);

2c Create user-settings:

fetch('/api/console/user-settings', { method: 'POST', headers: { 'X-CSRFToken': getCSRFToken() } }).then(
    (res) => {
        console.log('res', res);
        res.text().then(
            (text) => {
                console.log('text', text);
            },
            (parseErr) => console.warn('parseErr', parseErr)
        );
    },
    (requestErr) => {
        console.warn('requestErr', requestErr);
    }
);

Browser conformance:
Irrelevant

[christoph-jerolimov]

Note for myself, we can fetch the current user uid with this command:

oc get users.user.openshift.io/~ -o template={{.metadata.uid}}

[christoph-jerolimov]

/retest

[jhadvig]

lets just move the context initialization to the HandleUserSettings() and pass it as parameter. That way if we decide in the future to replace it by a single context there would be less changes.

[christoph-jerolimov]

I moved the context, createServiceAccountClient and getResourceData now at the top of HandleUserSettings so that there is just one place for it

[jhadvig]

Also this call can be moved to the HandleUserSettings() and pas as param to the appropriate UserSettingsHandler method

[christoph-jerolimov]

I thought this also, but are unsure how an OPTION request would handle this. Should I add extra if for an OPTION request before that or should we check if this works locally and on a cluster. I will change this and we see what happen :)

[christoph-jerolimov]

Moved context, createServiceAccountClient and getResourceData to HandleUserSettings

[jhadvig]

Also this call can be moved to the HandleUserSettings() and pas as param to the appropriate UserSettingsHandler method.

[christoph-jerolimov]

Done

[jhadvig]

Would be good to add unit tests for these methods.

[christoph-jerolimov]

I would like to move this from "name getters / helpers" to the moment when creating the ResourceNames. See comment above.

But for the moment I added tests for the "name getters / helpers" here as well.

[jhadvig]

Lets create a helper for this, so we can add unit-test.

[christoph-jerolimov]

Done, see helpers.go and helpers_test.go

[jhadvig]

Lets create a helper for this, so we can add unit-test.

[christoph-jerolimov]

Done, see helpers.go and helpers_test.go

[jhadvig]

Lets create a helper for this, so we can add unit-test.

[christoph-jerolimov]

Done, see helpers.go and helpers_test.go

[jhadvig]

👍

[christoph-jerolimov]

@jhadvig All done, I had one small idea for another cleanup. And I can squash all commits leter. Thanks for reviewing this.

[christianvogt]

Make sure there is no UID for the kubeadmin case:

Suggested change

	if name == "kube:admin" {
	resourceIdentifier = "kubeadmin"
	} else if uid != "" {
	resourceIdentifier = uid
	if uid != "" {
	resourceIdentifier = uid
	} else if name == "kube:admin" {
	resourceIdentifier = "kubeadmin"

[christoph-jerolimov]

Changed.

[jhadvig]

The preferred idiomatic way for go, how to structure the response should be:

if err != nil {
        errMsg := fmt.Sprintf("Failed to create user settings: %v", err)
	klog.Errorf(errMsg)
	serverutils.SendResponse(w, http.StatusBadGateway, serverutils.ApiError{Err: errMsg})
	return
}
serverutils.SendResponse(w, http.StatusOK, configMap)

so we return immediatelly

[christoph-jerolimov]

done

[jhadvig]

yeah, thats probably ok

[jhadvig]

we should call deleteUserSettings() method upon error. So we dont end up in an inconsistent state, where Role and RoleBinding was created but the CM for some reason was not.
Either that or we rely that the request would be repeated until all the resources are created.

[christoph-jerolimov]

As discussed in slack, I added deletedUserSettings before returning the create error.

[jhadvig]

/lgtm

[christoph-jerolimov]

/assign @spadgett

[spadgett]

/approve

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jerolimov, jhadvig, spadgett

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [spadgett]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-robot]

@jerolimov: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-gcp-console	d023732	link	/test e2e-gcp-console

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.