Context

Implement support to define a custom logo. The component should handle the creation of a ConfigMap with the logo image and configuring it: https://docs.openshift.com/container-platform/4.5/web_console/customizing-the-web-console.html#adding-a-custom-logo_customizing-web-console

Context

#50 makes it possible for other components to patch the plugins field. To make manual syncing in Argo CD obsolete while continuing to allow other components to patch the plugins, the plugins configured in this component through the params should be converted to a patch.

Example:

parameters:
  openshift4_console:
    config:
      plugins:
        - example-plugin

apiVersion: redhatcop.redhat.io/v1alpha1
kind: Patch
metadata:
[...]
spec:
  patches:
    patch1:
      patchTemplate: "\"spec\":\n  \"plugins\":\n  - \"example-plugin\""
      patchType: application/strategic-merge-patch+json
      targetObjectRef:
        apiVersion: operator.openshift.io/v1
        kind: Console
        name: cluster
[...]

Alternatives

• Only manage plugins in this component
• Require manual syncing when enabling plugins through this component

Implementation notes

When implementing this, please verify that the generated name for the Patch resource managed by this component differs from the name of the Patch resource for the Console object which is managed by component openshift4-logging.

Context

Currently the component still has support for generating valid Console configurations for OpenShift 4.7 and older, cf.

We should probably remove all of that as OpenShift 4.7 has been EOL since August 24, 2022 (cf. https://access.redhat.com/support/policy/updates/openshift), and removing the legacy logic would simplify the component implementation a fair bit.

Alternatives

Keep the additional logic, and deal with the maintenance overhead.

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html#ocp-4-11-pod-disruption-budgets

This update provides support for pod disruption budgets (PDBs) to the OpenShift Container Platform web console. From Workloads → PodDisruptionBudgets, you can create PDBs for pod resources. You can select maxUnavailable and minAvailable from the availability requirement list and set the value of pods running. Alternatively, pod disruption budgets can be created from pod controller resources list and Detail pages. For example, from Workloads → Deployments click Add PodDisruptionBudget.

Deliverables

• Ensure this component can set PDBs for the OpenShift web console
• Set some defaults if feasible

Context

We implemented support for securing custom console routes with Let's Encrypt certificates requested by cert-manager in #9, cf. the implementation:

However, by creating the Certificate resource in namespace openshift-config we run into the issue that OpenShift doesn't admit the route/ingress for the HTTP01 solver, because a route using the same hostname already exists in namespace openshift-console.

After some research, I only see two possible workarounds::

1. Create Certificate resource in namespace openshift-console and copy certificate into namespace openshift-config (e.g. with Kyverno, this creates a hard dependency for Kyverno on any OCP4 cluster which wants to use a custom console route with a Let's Encrypt certificate)
2. Use DNS01 challenge with an acme-dns client and issuer configured by the component. This would mean that setting up a custom Let's Encrypt certificate for the console would require configuring additional DNS records for the cluster.

Note that there appears to be no way to selectively allow sharing hostnames across namespaces, only the option to globally allow using hostnames across namespaces on an ingresscontroller, cf. routeAdmission.namespaceOwnership.InterNamespaceAllowed in https://docs.openshift.com/container-platform/4.9/networking/ingress-operator.html#nw-ingress-controller-configuration-parameters_configuring-ingress and https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html#nw-route-admission-policy_route-configuration, so we can't inform the ingress controller that in this specific case sharing the hostname between two namespaces is fine.

Actual Behaviour

Custom certificate managed by cert-manager for OpenShift console can't be renewed (using HTTP01 challenge)

Expected Behaviour

Custom certificate managed by cert-manager for OpenShift console is renewed

Acceptance Criteria

• Support for custom console route secured with cert-manager certificate works as expected

Steps to Reproduce the Problem

1. Configure a custom log
2. Visit the web console

Actual Behavior

No favicon is displayed.

Other observations

• A browser default favicon is displayed
• A VSHN favicon is shown (presumably from the IdP).

Expected Behavior

A favicon is displayed

Implementation idea

This is a known upstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1844883. The upstream issue explains how to work around. We can implement that into this component using an existing favicon (the default shown when no logo is configured).

Optional for bonus points: allow configuring also a custom favicon.

Context

The component currently uses resource-locker.libjsonnet which is deprecated in multiple places. We should update the code to use patch-operator.libsonnet directly.

This issue provides visibility into Renovate updates and their statuses. Learn more

This repository currently has no open or pending branches.

• Check this box to trigger a request for Renovate to run again on this repository