MC-544-QE.md

Overview of Changes:

This PR configures spec.reporting-operator.spec.authProxy by default. Like other PRs, we do this using the top-level spec.tls.enabled key, which is set to true by default.

When you run a minimal meteringconfig CR (still need to specify some sort of storage), the ansible-operator will set authProxy.enabled: true.

We check if a authProxy.cookie.secretName: reporting-operator-auth-proxy-cookie-seed already exists. If it does, we pull the existing data out, and let ansible re-template/re-create that secret. However, if that secret name doesn't exist, we generate a random 32-bit character string, and create the cookie seed secret using that value.

As a reminder, if you want to manually configure TLS/auth yourself, you would need to set spec.tls.enabled: false in your meteringconfig CR. Note: this would disable Presto TLS/auth, Presto to reporting-operator TLS/auth, and reporting-operator TLS/auth.

Case 1 - Let Ansible/metering do all the TLS work:

apiVersion: metering.openshift.io/v1alpha1
kind: MeteringConfig
metadata:
  name: "operator-metering"
spec: {}
...

Again, you would need to fill in storage so the ansible-operator doesn't complain during the validation tasks.

Then we need to install:

./hack/openshift-install.sh

Once everything is up and running, we should see this:

NAME                                      READY     STATUS    RESTARTS   AGE
pod/hdfs-datanode-0                       1/1       Running   0          1h
pod/hdfs-namenode-0                       1/1       Running   0          1h
pod/hive-metastore-0                      1/1       Running   0          1h
pod/hive-server-0                         1/1       Running   0          1h
pod/presto-coordinator-0                  1/1       Running   0          1h
pod/reporting-operator-6d6d446445-lshjj   2/2       Running   0          1h

NAME                         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                               AGE
service/hdfs-datanode        ClusterIP   None             <none>        9866/TCP,9864/TCP,9867/TCP,8082/TCP   4d
service/hdfs-datanode-web    ClusterIP   172.30.22.246    <none>        9864/TCP                              4d
service/hdfs-namenode        ClusterIP   None             <none>        9820/TCP,9870/TCP,8082/TCP            4d
service/hdfs-namenode-web    ClusterIP   172.30.182.188   <none>        9870/TCP                              4d
service/hive-metastore       ClusterIP   172.30.71.134    <none>        9083/TCP,8082/TCP,8443/TCP            4d
service/hive-server          ClusterIP   172.30.172.37    <none>        10000/TCP,10002/TCP,8082/TCP          4d
service/presto               ClusterIP   172.30.206.129   <none>        8080/TCP,8082/TCP                     4d
service/presto-nodes         ClusterIP   None             <none>        8080/TCP                              4d
service/presto-worker        ClusterIP   172.30.162.173   <none>        8080/TCP,8082/TCP                     4d
service/reporting-operator   ClusterIP   172.30.179.156   <none>        8080/TCP,8082/TCP                     4d

NAME                                 DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/reporting-operator   1         1         1            1           4d

NAME                                            DESIRED   CURRENT   READY     AGE
replicaset.apps/reporting-operator-6d6d446445   1         1         1         1h

NAME                                  DESIRED   CURRENT   AGE
statefulset.apps/hdfs-datanode        1         1         4d
statefulset.apps/hdfs-namenode        1         1         4d
statefulset.apps/hive-metastore       1         1         4d
statefulset.apps/hive-server          1         1         4d
statefulset.apps/presto-coordinator   1         1         4d
statefulset.apps/presto-worker        0         0         4d

NAME                                HOST/PORT                                                                    PATH      SERVICES             PORT      TERMINATION       WILDCARD
route.route.openshift.io/metering   metering-metering-tflannag.apps.metering-ci-3.origin-gce.dev.openshift.com             reporting-operator   http      reencrypt/Allow   None

Notice that the reporting-operator deployment produces two containers (auth-proxy side-care container) and a route is created.

Set your metering namespace:

export METERING_NAMESPACE="..."

In order to verify this is working, you can view a report using the commands from the reporting-operator docs:

METERING_ROUTE_HOSTNAME=$(oc -n $METERING_NAMESPACE get route metering -o json | jq -r '.spec.host')
TOKEN=$(oc -n $METERING_NAMESPACE serviceaccounts get-token reporting-operator)

curl -H "Authorization: Bearer $TOKEN" -k "https://$METERING_ROUTE_HOSTNAME/api/v1/reports/get?name=cluster-memory-capacity-hourly&namespace=$METERING_NAMESPACE&format=tab"

In the command above, you would need to replace name=cluster-memory-capacity-hourly with whatever report you want to run.

Verify that the command above produced report output.

We can then, repeat the same process as above, but change the value of the environment variable $TOKEN. For example, we can set the token value to use the presto service account token:

TOKEN=$(oc -n $METERING_NAMESPACE serviceaccounts get-token presto)

Re-run the curl command above, and verify that you get a block of html/css/etc returned, and not the report data.

Case 2 - Extend Case #1 with ...authProxy.htpasswd:

apiVersion: metering.openshift.io/v1alpha1
kind: MeteringConfig
metadata:
  name: "operator-metering"
spec:
  reporting-operator:
    spec:
      authProxy:
        # htpasswd.data can contain htpasswd file contents for allowing auth
        # using a static list of usernames and their password hashes.
        #
        # username is 'testuser' password is 'password123'
        # generated htpasswdData using: `htpasswd -nb -s testuser password123`
        # htpasswd:
        #   data: |
        #     testuser:{SHA}y/2sYAj5yrQIN4TL0YdPdmGNKpc=
        #
        htpasswd:
          data |
            REPLACEME

I was using http://www.htaccesstools.com/htpasswd-generator/ to generate a username/password htpasswd combination.

Verify that the .data section of the reporting-operator-auth-proxy-htpasswd secret is non-empty:

oc get secrets reporting-operator-auth-proxy-htpasswd -o json

Verify that you can properly view reports:

METERING_ROUTE_HOSTNAME=$(oc -n $METERING_NAMESPACE get route metering -o json | jq -r '.spec.host')
curl -u testuser:password123 -k "https://$METERING_ROUTE_HOSTNAME/api/v1/reports/get?name=[Report Name]&namespace=$METERING_NAMESPACE&format=[Format]"

Replace testuser:password123 with a valid username/password combination specified in htpasswd.data section.

Verify that you cannot view reports with an invalid username/password combination (you can just run the above command as testuser:password123 should be an invalid user/pass.)

Case 3 - Manually configure the reporting-operator

apiVersion: metering.openshift.io/v1alpha1
kind: MeteringConfig
metadata:
  name: "operator-metering"
spec:
  tls:
    enabled: false
 
  reporting-operator:
    spec:
      authProxy:
        enabled: true
        
        cookie:
          # cookieSeed is used to protect the cookie created if accessing the API
          # via your browser.
          #
          # generate a 32 character random string using a command of your choice,
          # for example: `openssl rand -base64 32 | head -c32; echo`
          # seed: "RCFE+QpwGWL2bupP+wv4EIOnYlbaRmto"
          seed: ""
        
        htpasswd:
          data |
            REPLACEME

Verify that oauth-proxy still works (follow the same steps as previous cases, the process should be the same.)

your commnd METERING_ROUTE_HOSTNAME=$(oc -n $METERING_NAMESPACE get routes metering -o json | jq '.status.ingress[].host') returns a quoted metering route, I have this and it works $(oc -n $METERING_NAMESPACE get route metering -o json | jq -r '.spec.host') without the double quotes