Expose Routes externally with front door

Originating issue: [IBMPrivateCloud/roadmap#66643](https://github.ibm.com/IBMPrivateCloud/roadmap/issues/66643)

Signed-off-by: Rob Hundley <[email protected]>

Author: rwhundley

controllers/operator/configmap.go

@@ -834,7 +834,7 @@ func (r *AuthenticationReconciler) generateCNCFClusterInfo(ctx context.Context,
 	clusterAddress := strings.Join([]string{strings.Join([]string{"cp-console", authCR.Namespace}, "-"), domainName}, ".")
 	clusterEndpoint := "https://" + clusterAddress
 	clusterAddressAuth := clusterAddress
-	if authCR.Spec.Config.ZenFrontDoor && ctrlcommon.ClusterHasZenExtensionGroupVersion(&r.DiscoveryClient) {
+	if shouldUseCPDHost(authCR, &r.DiscoveryClient) {
 		zenHost, err = r.getZenHost(ctx, authCR)
 		if err == nil {
 			clusterAddressAuth = zenHost
@@ -903,7 +903,7 @@ func (r *AuthenticationReconciler) generateOCPClusterInfo(ctx context.Context, a
 	clusterAddress := domainName
 	clusterEndpoint := "https://" + clusterAddress
 	clusterAddressAuth := clusterAddress
-	if authCR.Spec.Config.ZenFrontDoor && ctrlcommon.ClusterHasZenExtensionGroupVersion(&r.DiscoveryClient) {
+	if shouldUseCPDHost(authCR, &r.DiscoveryClient) {
 		zenHost, err = r.getZenHost(ctx, authCR)
 		if err == nil {
 			clusterAddressAuth = zenHost

controllers/operator/routes.go

@@ -93,7 +93,7 @@ func (r *AuthenticationReconciler) handleRoutes(ctx context.Context, req ctrl.Re
 // traffic.
 func (r *AuthenticationReconciler) checkForZenFrontDoor(ctx context.Context, authCR *operatorv1alpha1.Authentication) (result *ctrl.Result, err error) {
 	reqLogger := logf.FromContext(ctx)
-	if shouldHaveRoutes(authCR, &r.DiscoveryClient) {
+	if shouldNotUseCPDHost(authCR, &r.DiscoveryClient) {
 		reqLogger.Info("IM Routes will be created")
 		return subreconciler.ContinueReconciling()
 	}
@@ -320,37 +320,10 @@ func (r *AuthenticationReconciler) reconcileRoute(authCR *operatorv1alpha1.Authe
 		reqLogger.Info("Reconciling route", "annotations", fields.Annotations, "routeHost", fields.RouteHost, "routePath", fields.RoutePath)
 
 		fCtx := logf.IntoContext(ctx, reqLogger)
-		if fields.Name != IMCrtAuthRouteName {
-			if shouldNotHaveRoutes(authCR, &r.DiscoveryClient) {
-				return r.ensureRouteDoesNotExist(fCtx, authCR, fields)
-			}
-		}
-
 		return r.ensureRouteExists(fCtx, authCR, fields)
 	}
 }
 
-func (r *AuthenticationReconciler) ensureRouteDoesNotExist(ctx context.Context, authCR *operatorv1alpha1.Authentication, fields *reconcileRouteFields) (result *ctrl.Result, err error) {
-	reqLogger := logf.FromContext(ctx)
-	reqLogger.Info("Determined Route should not exist; removing if present")
-	observedRoute := &routev1.Route{}
-	err = r.Get(ctx, types.NamespacedName{Name: fields.Name, Namespace: authCR.Namespace}, observedRoute)
-	if k8sErrors.IsNotFound(err) {
-		return subreconciler.ContinueReconciling()
-	} else if err != nil {
-		reqLogger.Error(err, "Failed to get existing route for reconciliation")
-		return subreconciler.RequeueWithError(err)
-	}
-	err = r.Delete(ctx, observedRoute)
-	if err != nil {
-		reqLogger.Error(err, "Failed to delete the Route")
-		return subreconciler.RequeueWithError(err)
-	}
-	reqLogger.Info("Successfully deleted the Route")
-
-	return subreconciler.RequeueWithDelay(defaultLowerWait)
-}
-
 func (r *AuthenticationReconciler) ensureRouteExists(ctx context.Context, authCR *operatorv1alpha1.Authentication, fields *reconcileRouteFields) (result *ctrl.Result, err error) {
 	reqLogger := logf.FromContext(ctx)
 	calculatedRoute, err := r.newRoute(authCR, fields)
@@ -436,12 +409,12 @@ func (r *AuthenticationReconciler) ensureRouteExists(ctx context.Context, authCR
 	return subreconciler.ContinueReconciling()
 }
 
-func shouldNotHaveRoutes(authCR *operatorv1alpha1.Authentication, dc *discovery.DiscoveryClient) bool {
+func shouldUseCPDHost(authCR *operatorv1alpha1.Authentication, dc *discovery.DiscoveryClient) bool {
 	return authCR.Spec.Config.ZenFrontDoor && ctrlcommon.ClusterHasZenExtensionGroupVersion(dc)
 }
 
-func shouldHaveRoutes(authCR *operatorv1alpha1.Authentication, dc *discovery.DiscoveryClient) bool {
-	return !shouldNotHaveRoutes(authCR, dc)
+func shouldNotUseCPDHost(authCR *operatorv1alpha1.Authentication, dc *discovery.DiscoveryClient) bool {
+	return !shouldUseCPDHost(authCR, dc)
 }
 
 // Use DeepEqual to determine if 2 routes are equal.
@@ -588,6 +561,9 @@ func (r *AuthenticationReconciler) getClusterAddress(authCR *operatorv1alpha1.Au
 		clusterInfoConfigMap := &corev1.ConfigMap{}
 
 		clusterAddressFieldName := "cluster_address"
+		if shouldUseCPDHost(authCR, &r.DiscoveryClient) {
+			clusterAddressFieldName = "cluster_address_auth"
+		}
 
 		fns := []subreconciler.Fn{
 			r.getClusterInfoConfigMap(authCR, clusterInfoConfigMap),

controllers/operator/zenextension.go

@@ -69,15 +69,6 @@ location /idprovider/ {
   proxy_buffers   4 256k;
   proxy_read_timeout 180s;
 }
-location /login {
-  proxy_set_header Host $host;
-  proxy_set_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
-  proxy_pass https://platform-identity-provider.%[1]s.svc:4300/;
-  proxy_buffer_size   256k;
-  proxy_buffers   4 256k;
-  proxy_read_timeout 180s;
-  rewrite /login /v1/auth/authorize?client_id=%s&redirect_uri=https://%s/auth/liberty/callback&response_type=code&scope=openid+email+profile&orig=/login  break;
-}
 location /oidc {
   proxy_set_header Host $host;
   proxy_set_header Strict-Transport-Security "max-age=31536000; includeSubDomains";