From d7deddb3d4e3ce5ba4ea120915cb22ca81058171 Mon Sep 17 00:00:00 2001
From: John Mazzitelli
Date: Fri, 1 Nov 2024 09:49:52 -0400
Subject: [PATCH] change to redirect_uris

---
 crd-docs/cr/kiali.io_v1alpha1_kiali.yaml | 2 +-
 crd-docs/crd/kiali.io_kialis.yaml | 8 ++++--
 .../converge.yml | 13 +++++++--
 .../openshift/os-get-kiali-route-url.yml | 28 +++----------------
 .../kiali-deploy/tasks/openshift/os-main.yml | 20 +++++++++++++
 .../templates/openshift/oauth.yaml | 10 +++++--
 6 files changed, 49 insertions(+), 32 deletions(-)

diff --git a/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml b/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml
index be8a06f2..c1a6002f 100644
--- a/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml
+++ b/crd-docs/cr/kiali.io_v1alpha1_kiali.yaml
@@ -38,7 +38,7 @@ spec:
 scopes: ["openid", "profile", "email"]
 username_claim: "sub"
 openshift:
- #kiali_route_url:
+ #redirect_uris:
 #token_inactivity_timeout:
 #token_max_age:
diff --git a/crd-docs/crd/kiali.io_kialis.yaml b/crd-docs/crd/kiali.io_kialis.yaml
index 485b8576..81c18009 100644
--- a/crd-docs/crd/kiali.io_kialis.yaml
+++ b/crd-docs/crd/kiali.io_kialis.yaml
@@ -148,9 +148,11 @@ spec:
 description: "To learn more about these settings and how to configure the OpenShift authentication strategy, read the documentation at https://kiali.io/docs/configuration/authentication/openshift/"
 type: object
 properties:
- kiali_route_url:
- description: "The URL for the Kiali Route that will be used for the OAuth redirect URI. You normally do not have to set this unless you are creating remote cluster resources (see `deployment.remote_cluster_resources_only`) with `openshift` auth strategy enabled."
- type: string
+ redirect_uris:
+ description: "The OAuthClient redirect URIs. You normally do not have to set this unless you are creating remote cluster resources (see `deployment.remote_cluster_resources_only`) with `auth.strategy` set to `openshift`."
+ type: array
+ items:
+ type: string
 token_inactivity_timeout:
 description: "Timeout that overrides the default OpenShift token inactivity timeout. This value represents the maximum amount of time in seconds that can occur between consecutive uses of the token. Tokens become invalid if they are not used within this temporal window. If 0, the Kiali tokens never timeout. OpenShift may have a minimum allowed value - see the OpenShift documentation specific for the version of OpenShift you are using. WARNING: existing tokens will not be affected by changing this setting."
 type: integer
diff --git a/molecule/remote-cluster-resources-test/converge.yml b/molecule/remote-cluster-resources-test/converge.yml
index 3ff76f54..0caada7d 100644
--- a/molecule/remote-cluster-resources-test/converge.yml
+++ b/molecule/remote-cluster-resources-test/converge.yml
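Review bot: The `redirect_uris` description does not say what an entry must contain, yet the template that consumes it copies each value verbatim into the OAuthClient (no `/api/auth/callback` is appended, unlike the auto-discovered route), so a user who supplies a bare route URL ends up with an OAuthClient whose allow-list does not contain Kiali's real callback. Since `redirectURIs` is the list the OpenShift OAuth server checks before it will redirect with an authorization code, the description should state that each entry is a complete callback URL and that setting the list replaces, rather than extends, the discovered one. Suggested wording: `description: "The OAuthClient redirect URIs. Each entry is used verbatim as a complete redirect URI (e.g. the Kiali root URL followed by /api/auth/callback) and, when set, replaces the auto-discovered Kiali Route URL entirely. You normally do not have to set this unless you are creating remote cluster resources (see ` + "`deployment.remote_cluster_resources_only`" + `) with ` + "`auth.strategy`" + ` set to ` + "`openshift`" + `."`. If the project's CRD tooling accepts it, `format: uri` under `items` would additionally reject obviously malformed entries at admission time.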
@@ -253,7 +253,7 @@
 - debug: msg="Change auth strategy to openshift to confirm OAuthClient is created"
 - include_tasks: ../common/set_kiali_cr.yml
 vars:
- new_kiali_cr: "{{ kiali_cr_list.resources[0] | combine({'spec': {'auth': {'strategy': 'openshift', 'openshift': {'kiali_route_url': 'http://test-kiali-route' }}}}, recursive=True) }}"
+ new_kiali_cr: "{{ kiali_cr_list.resources[0] | combine({'spec': {'auth': {'strategy': 'openshift', 'openshift': {'redirect_uris': ['http://one-redirect-uri', 'http://two-redirect-uri'] }}}}, recursive=True) }}"
 - include_tasks: ../common/wait_for_kiali_cr_changes.yml
 - include_tasks: ../common/tasks.yml
@@ -272,10 +272,19 @@
 - query('k8s', kind='ConsoleLink', api_version=apiCoLn, label_selector=querySelector, errors='warn') | length == 0
 - query('k8s', kind='OAuthClient', api_version=apiOAut, label_selector=querySelector, errors='warn') | length == 1
+ - name: Make sure the OAuthClient has the correct redirectURIs defined
+ vars:
+ oauthclient: "{{ query('k8s', kind='OAuthClient', api_version=apiOAut, label_selector=querySelector)[0] }}"
+ assert:
+ that:
+ - oauthclient.redirectURIs | length == 2
+ - oauthclient.redirectURIs[0] == 'http://one-redirect-uri'
+ - oauthclient.redirectURIs[1] == 'http://two-redirect-uri'
+
 - debug: msg="Change auth strategy back to anonymous to see OAuthClient resource gets removed"
 - include_tasks: ../common/set_kiali_cr.yml
 vars:
- new_kiali_cr: "{{ kiali_cr_list.resources[0] | combine({'spec': {'auth': {'strategy': 'anonymous', 'openshift': {'kiali_route_url': '' }}}}, recursive=True) }}"
+ new_kiali_cr: "{{ kiali_cr_list.resources[0] | combine({'spec': {'auth': {'strategy': 'anonymous', 'openshift': {'redirect_uris': [] }}}}, recursive=True) }}"
 - include_tasks: ../common/wait_for_kiali_cr_changes.yml
 - include_tasks: ../common/tasks.yml
diff --git a/roles/default/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml b/roles/default/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml
index fa838f79..04a2d7fd 100644
--- a/roles/default/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml
+++ b/roles/default/kiali-deploy/tasks/openshift/os-get-kiali-route-url.yml
@@ -1,23 +1,8 @@
 # All of this is ultimately to obtain the kiali_route_url
-- name: Check if kiali_route_url is explicitly configured
- set_fact:
- kiali_route_url: "{{ kiali_vars.auth.openshift.kiali_route_url }}"
- when:
- - kiali_vars.auth.openshift.kiali_route_url is defined
- - kiali_vars.auth.openshift.kiali_route_url != ""
-
-- name: Fail if creating remote cluster resources with auth strategy of openshift, but the Kiali Route URL is not defined
- fail:
- msg: "The root URL of the Kiali Server route is not specified via auth.openshift.kiali_route_url; this is required when creating remote cluster resources with auth.strategy of openshift."
- when:
- - kiali_route_url is not defined
- - kiali_vars.deployment.remote_cluster_resources_only|bool == True
- - kiali_vars.auth.strategy == 'openshift'
-
-# We need to auto-discover the Kiali Route URL because the OAuthClient and ConsoleLink resources need it.
-# Note that we perform this auto-discovery only if we expect a Kiali Route to exist on the local cluster,
-# (that is to say, we only perform this auto-discovery if remote_cluster_resources_only is False).
+# We need to auto-discover the Kiali Route URL because the OAuthClient (for redirect URIs) and ConsoleLink resources need it.
+# Note that the user can override redirect URIs in auth.openshift.redirect_uris so this route URL will
+# be ignored in the OAuthClient template in that case.
 - name: Get the Kiali Route on OpenShift, which may require waiting some time for it to startup
 k8s_info:
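Review bot: Removing the `Check if kiali_route_url is explicitly configured` task means a CR that still sets `auth.openshift.kiali_route_url` is now silently ignored rather than honored or rejected, and nothing in the patch describes a migration path; if the CRD does not prune unknown fields (I cannot tell from here), such a CR applies cleanly and then gets an OAuthClient pointing at the auto-discovered route instead of the URL the operator intended. That deserves either a deprecation sentence in the CRD description or a `fail` task here when the old key is present and non-empty. The retained header comment `# All of this is ultimately to obtain the kiali_route_url` could also state the new caller contract, e.g. `# Only include this file when a Kiali Route is expected to exist on the local cluster (remote_cluster_resources_only == False); that guard now lives on the include in os-main.yml.` The `Get the Kiali Route on OpenShift` task at the end of the hunk continues outside it.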
@@ -37,21 +22,18 @@
 delay: 10
 when:
 - is_openshift == True
- - kiali_vars.deployment.remote_cluster_resources_only|bool == False
 - name: Set Kiali TLS Termination from OpenShift route
 set_fact:
 kiali_route_tls_termination: "{{ kiali_route_raw['resources'][0]['spec']['tls']['termination'] }}"
 when:
 - is_openshift == True
- - kiali_vars.deployment.remote_cluster_resources_only|bool == False
 - name: Detect HTTP Kiali OpenShift route protocol
 set_fact:
 kiali_route_protocol: "http"
 when:
 - is_openshift == True
- - kiali_vars.deployment.remote_cluster_resources_only|bool == False
 - kiali_route_tls_termination == ""
 - name: Detect HTTPS Kiali OpenShift route protocol
@@ -59,12 +41,10 @@
 kiali_route_protocol: "https"
 when:
 - is_openshift == True
- - kiali_vars.deployment.remote_cluster_resources_only|bool == False
 - kiali_route_tls_termination != ""
 - name: Create URL for Kiali OpenShift route
 set_fact:
 kiali_route_url: "{{ kiali_route_protocol }}://{{ kiali_route_raw['resources'][0]['status']['ingress'][0]['host'] }}"
 when:
- - is_openshift == True
- - kiali_vars.deployment.remote_cluster_resources_only|bool == False
+ - is_openshift == True
\ No newline at end of file
diff --git a/roles/default/kiali-deploy/tasks/openshift/os-main.yml b/roles/default/kiali-deploy/tasks/openshift/os-main.yml
index 265b3cb3..5c4c772a 100644
--- a/roles/default/kiali-deploy/tasks/openshift/os-main.yml
+++ b/roles/default/kiali-deploy/tasks/openshift/os-main.yml
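Review bot: Every task in these two hunks loses its `remote_cluster_resources_only|bool == False` guard, so the file is only safe when the caller gates the include (the new condition on the `Get the Kiali Route URL` include in os-main.yml does this); any other include of this file on a remote-only cluster would now retry a Route lookup that cannot succeed. Since the final `Create URL for Kiali OpenShift route` task is the only producer of `kiali_route_url`, a short comment above it saying that the variable stays undefined whenever this file is skipped would help readers of the OAuthClient template, which dereferences it without a fallback. The file also now ends without a trailing newline (`\ No newline at end of file`); add one.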
@@ -90,10 +90,30 @@
 - is_openshift == True
 - kiali_vars.auth.strategy != "openshift"
+# For now, when creating remote cluster resources only, we are going to assume there is no way for us to determine what the redirect URIs are
+# going to be other than having the user explicitly configure them. So fail immediately if the user did not tell us what redirect URI[s] to use.
+# Note that this only comes into play when auth.strategy is "openshift".
+- name: Fail if creating remote cluster resources with auth strategy of openshift, but the Kiali redirect URIs are not defined
+ fail:
+ msg: "Redirect URIs for the Kiali Server OAuthClient are not specified via auth.openshift.redirect_uris; this is required when creating remote cluster resources with auth.strategy of openshift."
+ when:
+ - kiali_vars.deployment.remote_cluster_resources_only|bool == False
+ - kiali_vars.auth.strategy == 'openshift'
+ - kiali_vars.auth.openshift.redirect_uris | default([]) | length == 0
+
+# We only need to auto-discover the Kiali route if (a) we know it will exist and (b) we know we need it.
+# We know it will exist if we are creating the Kiali Server itself (i.e. remote_cluster_resources_only == False).
+# We know we need it for ConsoleLinks (and those are only created when we are creating the Kiali Server itself).
+# We know we need it for OAuthClient, too. That is also created when we are creating the Kiali Server itself. But it is also
+# created when creating only remote cluster resources - however, in that case, we are going to require the user to tell us
+# what redirect URIs to use (see the above fail task to ensure the user does that).
+# All of this is to say: we only need to auto-discover the route when we are creating the Kiali Server itself (we do not
+# auto-discover the route when we are creating only the remote cluster resources).
 - name: Get the Kiali Route URL
 include_tasks: openshift/os-get-kiali-route-url.yml
 when:
 - is_openshift == True
+ - kiali_vars.deployment.remote_cluster_resources_only|bool == False
 - name: Process OpenShift OAuth client
 k8s:
diff --git a/roles/default/kiali-deploy/templates/openshift/oauth.yaml b/roles/default/kiali-deploy/templates/openshift/oauth.yaml
index d9dec0f0..8c80e948 100644
--- a/roles/default/kiali-deploy/templates/openshift/oauth.yaml
+++ b/roles/default/kiali-deploy/templates/openshift/oauth.yaml
@@ -4,9 +4,15 @@ metadata:
 name: {{ kiali_vars.deployment.instance_name }}-{{ kiali_vars.deployment.namespace }}
 labels: {{ kiali_resource_metadata_labels }}
 redirectURIs:
- - {{ kiali_route_url }}/api/auth/callback
+{% if kiali_vars.auth.openshift.redirect_uris | default([]) | length > 0 %}
+{% for uri in kiali_vars.auth.openshift.redirect_uris %}
+- "{{ uri }}"
+{% endfor %}
+{% else %}
+- {{ kiali_route_url }}/api/auth/callback
 {% if kiali_vars.server.web_port | length > 0 %}
- - {{ kiali_route_url }}:{{ kiali_vars.server.web_port }}/api/auth/callback
+- {{ kiali_route_url }}:{{ kiali_vars.server.web_port }}/api/auth/callback
+{% endif %}
 {% endif %}
 grantMethod: auto
 {% if kiali_vars.auth.openshift.token_inactivity_timeout is defined %}
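Review bot: The `when:` of the new `Fail if creating remote cluster resources with auth strategy of openshift...` task tests `remote_cluster_resources_only|bool == False`, which is the opposite of what its name, the comment above it and the removed original in os-get-kiali-route-url.yml (`== True`) describe. As written, a normal deployment with `auth.strategy: openshift` and no `redirect_uris` — the case the CRD description calls the usual one — fails immediately, while the remote-only case passes the check and, because the route discovery include is now skipped for it, reaches the OAuthClient template with `kiali_route_url` undefined. Change the condition to `- kiali_vars.deployment.remote_cluster_resources_only|bool == True`. The `Process OpenShift OAuth client` task at the end of the hunk continues outside it.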
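Review bot: The user-supplied branch emits `- "{{ uri }}"` with no escaping, so a `redirect_uris` entry containing a double quote or backslash breaks or silently alters the rendered OAuthClient YAML, while the route-derived lines below are emitted unquoted; `- {{ uri | to_json }}` yields a correctly escaped scalar for any string and removes the inconsistency. Since `redirectURIs` is the list the OpenShift OAuth server consults before it will send an authorization code anywhere, a template comment should make the override semantics explicit, e.g. `{# auth.openshift.redirect_uris replaces the auto-discovered callback below rather than adding to it #}`. The `{% else %}` branch still dereferences `kiali_route_url`, which is only defined when os-main.yml ran the route discovery, and the template offers no fallback when it is undefined.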