Add OAuth Proxy to UI when on OpenShift

[jpkrohling]

Closes #89.

Signed-off-by: Juraci Paixão Kröhling [email protected]

[jpkrohling]

This change is 

[jpkrohling]

This is currently blocked by openshift/oauth-proxy#95. Problem fixed in the latest commit.

Unit tests are passing, as well as end-to-end tests, which execute only on Kubernetes.

Manually testing this on OpenShift, I can see that all the objects are created as required, but I cannot login due to the issue listed above.

So, this is ready for an initial review but shouldn't be merged until the login issue is fixed.

[codecov]

Codecov Report

Merging #100 into master will increase coverage by 0.05%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #100      +/-   ##
==========================================
+ Coverage   99.43%   99.48%   +0.05%     
==========================================
  Files          21       24       +3     
  Lines         879      967      +88     
==========================================
+ Hits          874      962      +88     
  Misses          5        5

Impacted Files	Coverage Δ
pkg/account/oauth-proxy.go	100% <100%> (ø)
pkg/controller/production.go	100% <100%> (ø)	⬆️
pkg/controller/all-in-one.go	100% <100%> (ø)	⬆️
pkg/controller/controller.go	100% <100%> (ø)	⬆️
pkg/route/query.go	100% <100%> (ø)	⬆️
pkg/deployment/query.go	100% <100%> (ø)	⬆️
pkg/account/main.go	100% <100%> (ø)
pkg/inject/oauth-proxy.go	100% <100%> (ø)
pkg/service/query.go	100% <100%> (ø)	⬆️
... and 2 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 06ceca0...c329960. Read the comment docs.

[objectiser]

Great job. Haven't tried it out - will do after next round of review.

[objectiser]

Just wondering if we can make this more modular, so uses the platform parameter to govern what should be added here, and generate an error if not supported on the platform?

[jpkrohling]

I started with that, but it felt weird to have if openshift all over the code base.

The idea behind the current approach is that we'd be deciding about the OAuth Proxy based on the enabled flag, and let the controller deal with setting the appropriate flag value based on the platform. The normalize operation will set it to false if not on OpenShift, and default to true if on OpenShift (leaving it as is if explicitly set).

[objectiser]

Just thinking about future platforms - might be better to define the structure now to make it easier for other platforms to be added - as otherwise it could be quite messy to try to decouple the binary decisions between k8s and openshift at a later date.

[objectiser]

Same comment as above - move to a platform specific SPI?

[objectiser]

Shouldn't this also check for platform? All-in-one and production controllers don't check for platform before calling.

[jpkrohling]

The normalize() operation will set the flag to false if the platform doesn't support the OAuth proxy. I should actually remove the reference to OpenShift from this godoc.

[objectiser]

May need to be updated if platform=openshift check added.

[objectiser]

As mentioned above, it would be good if things like this could be moved into a platform specific SPI.

[jpkrohling]

Good catch. I think this will be the only place outside of the inject package (and the normalize) that we have OpenShift-specific knowledge for the OAuth Proxy (the other feature being Routes vs. Ingresses). For now, I'll just add a check on the OAuth Proxy flag and wait for a second implementation before extracting a provider interface.

[objectiser]

Refactoring to support a platform SPI will be handled in a separate PR.

[objectiser]

Reviewed 5 of 20 files at r1, 17 of 18 files at r3.
Reviewable status: all files reviewed, 7 unresolved discussions (waiting on @jpkrohling and @objectiser)