operator: add support for RedpandaCloud provider

(cherry picked from commit 2df607c)

Author: pvsune

src/go/k8s/apis/redpanda/v1alpha1/cluster_types.go

@@ -257,33 +257,17 @@ type StorageSpec struct {
 // used as a external listener. This port is tight to the autogenerated
 // host port. The collision between Kafka external, Kafka internal,
 // Admin, Pandaproxy, Schema Registry and RPC port is checked in the webhook.
-// An optional endpointTemplate can be used to configure advertised addresses
-// for Kafka API and Pandaproxy, while it is disallowed for other listeners.
 type ExternalConnectivityConfig struct {
 	// Enabled enables the external connectivity feature
 	Enabled bool `json:"enabled,omitempty"`
 	// Subdomain can be used to change the behavior of an advertised
 	// KafkaAPI. Each broker advertises Kafka API as follows
-	// ENDPOINT.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT.
+	// BROKER_ID.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT.
 	// If Subdomain is empty then each broker advertises Kafka
 	// API as PUBLIC_NODE_IP:EXTERNAL_KAFKA_API_PORT.
 	// If TLS is enabled then this subdomain will be requested
 	// as a subject alternative name.
 	Subdomain string `json:"subdomain,omitempty"`
-	// EndpointTemplate is a Golang template string that allows customizing each
-	// broker advertised address.
-	// Redpanda uses the format BROKER_ID.SUBDOMAIN:EXTERNAL_KAFKA_API_PORT by
-	// default for advertised addresses. When an EndpointTemplate is
-	// provided, then the BROKER_ID part is replaced with the endpoint
-	// computed from the template.
-	// The following variables are available to the template:
-	// - Index: the Redpanda broker progressive number
-	// - HostIP: the ip address of the Node, as reported in pod status
-	//
-	// Common template functions from Sprig (http://masterminds.github.io/sprig/)
-	// are also available. The set of available functions is limited to hermetic
-	// functions because template application needs to be deterministic.
-	EndpointTemplate string `json:"endpointTemplate,omitempty"`
 	// The preferred address type to be assigned to the external
 	// advertised addresses. The valid types are ExternalDNS,
 	// ExternalIP, InternalDNS, InternalIP, and Hostname.

src/go/k8s/apis/redpanda/v1alpha1/cluster_webhook.go

@@ -15,7 +15,6 @@ import (
 	"strconv"
 
 	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
-	"github.com/redpanda-data/redpanda/src/go/k8s/pkg/utils"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -278,12 +277,6 @@ func (r *Cluster) validateAdminListeners() field.ErrorList {
 				r.Spec.Configuration.AdminAPI,
 				"bootstrap loadbalancer not available for http admin api"))
 	}
-	if externalAdmin != nil && externalAdmin.External.EndpointTemplate != "" {
-		allErrs = append(allErrs,
-			field.Invalid(field.NewPath("spec").Child("configuration").Child("adminApi"),
-				r.Spec.Configuration.AdminAPI,
-				"cannot provide an endpoint template for admin listener"))
-	}
 
 	// for now only one listener can have TLS to be backward compatible with v1alpha1 API
 	foundListenerWithTLS := false
@@ -313,7 +306,6 @@ func (r *Cluster) validateKafkaListeners() field.ErrorList {
 	}
 
 	var external *KafkaAPI
-	var externalIdx int
 	for i, p := range r.Spec.Configuration.KafkaAPI {
 		if p.External.Enabled {
 			if external != nil {
@@ -323,7 +315,6 @@ func (r *Cluster) validateKafkaListeners() field.ErrorList {
 						"only one kafka api listener can be marked as external"))
 			}
 			external = &r.Spec.Configuration.KafkaAPI[i]
-			externalIdx = i
 		}
 	}
 
@@ -366,36 +357,10 @@ func (r *Cluster) validateKafkaListeners() field.ErrorList {
 				r.Spec.Configuration.KafkaAPI,
 				"bootstrap port cannot be empty"))
 	}
-	// nolint:dupl // not identical
-	if external != nil && external.External.EndpointTemplate != "" {
-		if external.External.Subdomain == "" {
-			allErrs = append(allErrs,
-				field.Invalid(field.NewPath("spec").Child("configuration").Child("kafkaApi").Index(externalIdx).Child("external"),
-					external.External,
-					"endpointTemplate can only be used in combination with subdomain"))
-		}
-
-		err := checkValidEndpointTemplate(external.External.EndpointTemplate)
-		if err != nil {
-			log.Error(err, "Invalid endpoint template received", "template", external.External.EndpointTemplate)
-			allErrs = append(allErrs,
-				field.Invalid(field.NewPath("spec").Child("configuration").Child("kafkaApi").Index(externalIdx).Child("external").Child("endpointTemplate"),
-					external.External.EndpointTemplate,
-					fmt.Sprintf("template is invalid: %v", err)))
-		}
-	}
 
 	return allErrs
 }
 
-func checkValidEndpointTemplate(tmpl string) error {
-	// Using an example input to ensure that the template expression is allowed
-	data := utils.NewEndpointTemplateData(0, "1.2.3.4")
-	_, err := utils.ComputeEndpoint(tmpl, data)
-	return err
-}
-
-// nolint:funlen,gocyclo // it's a sequence of checks
 func (r *Cluster) validatePandaproxyListeners() field.ErrorList {
 	var allErrs field.ErrorList
 	var proxyExternal *PandaproxyAPI
@@ -447,25 +412,6 @@ func (r *Cluster) validatePandaproxyListeners() field.ErrorList {
 					r.Spec.Configuration.PandaproxyAPI[i],
 					"sudomain of external pandaproxy must be the same as kafka's"))
 		}
-		// nolint:dupl // not identical
-		if kafkaExternal != nil && proxyExternal.External.EndpointTemplate != "" {
-			if proxyExternal.External.Subdomain == "" {
-				allErrs = append(allErrs,
-					field.Invalid(field.NewPath("spec").Child("configuration").Child("pandaproxyApi").Index(i).Child("external"),
-						proxyExternal.External,
-						"endpointTemplate can only be used in combination with subdomain"))
-			}
-
-			err := checkValidEndpointTemplate(proxyExternal.External.EndpointTemplate)
-			if err != nil {
-				log.Error(err, "Invalid endpoint template received", "template", proxyExternal.External.EndpointTemplate)
-				allErrs = append(allErrs,
-					field.Invalid(field.NewPath("spec").Child("configuration").Child("pandaproxyApi").Index(i).
-						Child("external").Child("endpointTemplate"),
-						proxyExternal.External.EndpointTemplate,
-						fmt.Sprintf("template is invalid: %v", err)))
-			}
-		}
 	}
 
 	// for now only one listener can have TLS to be backward compatible with v1alpha1 API
@@ -564,13 +510,6 @@ func (r *Cluster) validateSchemaRegistryListener() field.ErrorList {
 				r.Spec.Configuration.SchemaRegistry.External,
 				"bootstrap loadbalancer not available for schema reigstry"))
 	}
-	if schemaRegistry.External.EndpointTemplate != "" {
-		allErrs = append(allErrs,
-			field.Invalid(field.NewPath("spec").Child("configuration").Child("schemaRegistry").Child("external").Child("endpointTemplate"),
-				r.Spec.Configuration.SchemaRegistry.External.EndpointTemplate,
-				"cannot provide an endpoint template for schema registry"))
-	}
-
 	return allErrs
 }
 

src/go/k8s/apis/redpanda/v1alpha1/cluster_webhook_test.go

@@ -1022,118 +1022,6 @@ func TestCreation(t *testing.T) {
 		err := rp.ValidateCreate()
 		assert.Error(t, err)
 	})
-	t.Run("endpoint template not allowed for schemaregistry", func(t *testing.T) {
-		rp := redpandaCluster.DeepCopy()
-		const commonDomain = "company.org"
-
-		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
-			Enabled:   true,
-			Subdomain: commonDomain,
-		}})
-		rp.Spec.Configuration.SchemaRegistry = &v1alpha1.SchemaRegistryAPI{External: &v1alpha1.ExternalConnectivityConfig{
-			Enabled:          true,
-			Subdomain:        commonDomain,
-			EndpointTemplate: "xxx",
-		}}
-		err := rp.ValidateCreate()
-		assert.Error(t, err)
-	})
-	// nolint:dupl // not really a duplicate
-	t.Run("endpoint template not allowed for adminapi", func(t *testing.T) {
-		rp := redpandaCluster.DeepCopy()
-		const commonDomain = "company.org"
-
-		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
-			Enabled:   true,
-			Subdomain: commonDomain,
-		}})
-		rp.Spec.Configuration.AdminAPI = append(rp.Spec.Configuration.AdminAPI, v1alpha1.AdminAPI{External: v1alpha1.ExternalConnectivityConfig{
-			Enabled:          true,
-			Subdomain:        commonDomain,
-			EndpointTemplate: "xxx",
-		}})
-		err := rp.ValidateCreate()
-		assert.Error(t, err)
-	})
-	t.Run("endpoint template without subdomain is not allowed in kafka API", func(t *testing.T) {
-		rp := redpandaCluster.DeepCopy()
-
-		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
-			Enabled:          true,
-			EndpointTemplate: "xxx",
-		}})
-		err := rp.ValidateCreate()
-		assert.Error(t, err)
-	})
-	t.Run("endpoint template without subdomain is not allowed in pandaproxy API", func(t *testing.T) {
-		rp := redpandaCluster.DeepCopy()
-
-		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
-			Enabled: true,
-		}})
-		rp.Spec.Configuration.PandaproxyAPI = append(rp.Spec.Configuration.PandaproxyAPI, v1alpha1.PandaproxyAPI{External: v1alpha1.ExternalConnectivityConfig{
-			Enabled:          true,
-			EndpointTemplate: "xxx",
-		}})
-		err := rp.ValidateCreate()
-		assert.Error(t, err)
-	})
-	t.Run("invalid endpoint template in kafka API", func(t *testing.T) {
-		rp := redpandaCluster.DeepCopy()
-
-		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
-			Enabled:          true,
-			Subdomain:        "example.com",
-			EndpointTemplate: "{{.Inexistent}}",
-		}})
-		err := rp.ValidateCreate()
-		assert.Error(t, err)
-	})
-	t.Run("valid endpoint template in kafka API", func(t *testing.T) {
-		rp := redpandaCluster.DeepCopy()
-
-		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
-			Enabled:          true,
-			Subdomain:        "example.com",
-			EndpointTemplate: "{{.Index}}-broker",
-		}})
-		err := rp.ValidateCreate()
-		assert.NoError(t, err)
-	})
-	// nolint:dupl // not really a duplicate
-	t.Run("invalid endpoint template in pandaproxy API", func(t *testing.T) {
-		rp := redpandaCluster.DeepCopy()
-
-		const commonDomain = "mydomain"
-		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
-			Enabled:   true,
-			Subdomain: commonDomain,
-		}})
-		rp.Spec.Configuration.PandaproxyAPI = append(rp.Spec.Configuration.PandaproxyAPI, v1alpha1.PandaproxyAPI{External: v1alpha1.ExternalConnectivityConfig{
-			Enabled:          true,
-			Subdomain:        commonDomain,
-			EndpointTemplate: "{{.Index | nonexistent }}",
-		}})
-		err := rp.ValidateCreate()
-		assert.Error(t, err)
-	})
-	// nolint:dupl // not really a duplicate
-	t.Run("valid endpoint template in pandaproxy API", func(t *testing.T) {
-		rp := redpandaCluster.DeepCopy()
-
-		const commonDomain = "mydomain"
-		rp.Spec.Configuration.KafkaAPI = append(rp.Spec.Configuration.KafkaAPI, v1alpha1.KafkaAPI{External: v1alpha1.ExternalConnectivityConfig{
-			Enabled:   true,
-			Subdomain: commonDomain,
-		}})
-		rp.Spec.Configuration.PandaproxyAPI = append(rp.Spec.Configuration.PandaproxyAPI, v1alpha1.PandaproxyAPI{External: v1alpha1.ExternalConnectivityConfig{
-			Enabled:          true,
-			Subdomain:        commonDomain,
-			EndpointTemplate: "{{.Index}}-pp",
-		}})
-		err := rp.ValidateCreate()
-		assert.NoError(t, err)
-	})
 }
 
 func TestSchemaRegistryValidations(t *testing.T) {

src/go/k8s/apis/redpanda/v1alpha1/console_enterprise_types.go

@@ -26,6 +26,22 @@ type EnterpriseLogin struct {
 	JWTSecretRef SecretKeyRef `json:"jwtSecretRef"`
 
 	Google *EnterpriseLoginGoogle `json:"google,omitempty"`
+
+	RedpandaCloud *EnterpriseLoginRedpandaCloud `json:"redpandaCloud,omitempty"`
+}
+
+// EnterpriseLoginRedpandaCloud defines configurable fields for RedpandaCloud SSO provider
+type EnterpriseLoginRedpandaCloud struct {
+	Enabled bool `json:"enabled" yaml:"enabled"`
+
+	// Domain is the domain of the auth server
+	Domain string `json:"domain" yaml:"domain"`
+
+	// Audience is the domain where this auth is intended for
+	Audience string `json:"audience" yaml:"audience"`
+
+	// AllowedOrigins indicates if response is allowed from given origin
+	AllowedOrigins string `json:"allowedOrigins,omitempty" yaml:"allowedOrigins,omitempty"`
 }
 
 // IsGoogleLoginEnabled returns true if Google SSO provider is enabled