Setup oadp-cli binary server on operator startup - First pass, route and ConsoleCLIDownload will be moved into a controller

Joeavaikath · Joeavaikath · commit 654ea6931963 · 2025-10-23T23:39:16.000-04:00
Signed-off-by: Joseph &lt;jvaikath@redhat.com&gt;
diff --git a/bundle/manifests/oadp-operator.clusterserviceversion.yaml b/bundle/manifests/oadp-operator.clusterserviceversion.yaml
@@ -896,6 +896,18 @@ spec:
           - get
           - list
           - watch
+        - apiGroups:
+          - console.openshift.io
+          resources:
+          - consoleclidownloads
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
         - apiGroups:
           - coordination.k8s.io
           - corev1
@@ -1190,6 +1202,40 @@ spec:
                       path: token
               - emptyDir: {}
                 name: tmp-dir
+      - label:
+          app: oadp-cli
+        name: openshift-adp-oadp-cli-server
+        spec:
+          replicas: 1
+          selector:
+            matchLabels:
+              app: oadp-cli
+          strategy: {}
+          template:
+            metadata:
+              labels:
+                app: oadp-cli
+            spec:
+              containers:
+              - image: quay.io/rh_ee_jvaikath/oadp-cli-binaries
+                name: oadp-cli-server
+                resources:
+                  limits:
+                    cpu: 100m
+                    memory: 64Mi
+                  requests:
+                    cpu: 50m
+                    memory: 32Mi
+                securityContext:
+                  allowPrivilegeEscalation: false
+                  capabilities:
+                    drop:
+                    - ALL
+                  readOnlyRootFilesystem: true
+              securityContext:
+                runAsNonRoot: true
+              serviceAccountName: openshift-adp-controller-manager
+              terminationGracePeriodSeconds: 10
       permissions:
       - rules:
         - apiGroups:
diff --git a/bundle/manifests/oadp-operator.oadp-cli.yaml b/bundle/manifests/oadp-operator.oadp-cli.yaml
diff --git a/bundle/manifests/openshift-adp-cli-server_v1_service.yaml b/bundle/manifests/openshift-adp-cli-server_v1_service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  creationTimestamp: null
+  name: openshift-adp-cli-server
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: oadp-cli
+  type: ClusterIP
+status:
+  loadBalancer: {}
diff --git a/cmd/main.go b/cmd/main.go
@@ -23,22 +23,28 @@ import (
 	"flag"
 	"fmt"
 	"os"
+	"time"
 
+	"github.com/go-logr/logr"
 	snapshotv1api "github.com/kubernetes-csi/external-snapshotter/client/v6/apis/volumesnapshot/v1"
 	configv1 "github.com/openshift/api/config/v1"
+	consolev1 "github.com/openshift/api/console/v1"
 	routev1 "github.com/openshift/api/route/v1"
 	security "github.com/openshift/api/security/v1"
 	monitor "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	velerov1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/kubernetes"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
@@ -54,6 +60,7 @@ import (
 	oadpv1alpha1 "github.com/openshift/oadp-operator/api/v1alpha1"
 	"github.com/openshift/oadp-operator/internal/controller"
 	pkgclient "github.com/openshift/oadp-operator/pkg/client"
+
 	//+kubebuilder:scaffold:imports
 	"github.com/openshift/oadp-operator/pkg/credentials/stsflow"
 	"github.com/openshift/oadp-operator/pkg/leaderelection"
@@ -86,6 +93,32 @@ func init() {
 	//+kubebuilder:scaffold:scheme
 }
 
+// oadpCLISetupRunnable implements manager.Runnable to set up OADP CLI downloads after cache starts
+type oadpCLISetupRunnable struct {
+	client    client.Client
+	namespace string
+	log       logr.Logger
+}
+
+func (r *oadpCLISetupRunnable) Start(ctx context.Context) error {
+	// Run setup in a goroutine and keep the runnable alive
+	go func() {
+		r.log.Info("setting up OADP CLI download resources")
+		if err := setupOADPCLIDownload(ctx, r.client, r.namespace); err != nil {
+			r.log.Error(err, "unable to setup OADP CLI download, continuing anyway")
+		}
+	}()
+
+	// Block until context is cancelled (manager shutdown)
+	<-ctx.Done()
+	return nil
+}
+
+// NeedLeaderElection returns false so this runs even if not the leader
+func (r *oadpCLISetupRunnable) NeedLeaderElection() bool {
+	return true
+}
+
 func main() {
 	var metricsAddr string
 	var enableLeaderElection bool
@@ -200,6 +233,11 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err := consolev1.AddToScheme(mgr.GetScheme()); err != nil {
+		setupLog.Error(err, "unable to add OpenShift console API to scheme")
+		os.Exit(1)
+	}
+
 	if err := velerov1.AddToScheme(mgr.GetScheme()); err != nil {
 		setupLog.Error(err, "unable to add Velero APIs to scheme")
 		os.Exit(1)
@@ -275,6 +313,16 @@ func main() {
 		os.Exit(1)
 	}
 
+	// Add OADP CLI download setup as a manager runnable
+	if err := mgr.Add(&oadpCLISetupRunnable{
+		client:    mgr.GetClient(),
+		namespace: watchNamespace,
+		log:       setupLog,
+	}); err != nil {
+		setupLog.Error(err, "unable to add OADP CLI setup runnable")
+		os.Exit(1)
+	}
+
 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
 		setupLog.Error(err, "problem running manager")
@@ -348,3 +396,95 @@ func DoesCRDExist(CRDGroupVersion, CRDName string, kubeconf *rest.Config) (bool,
 	}
 	return discoveryResult, nil
 }
+
+func setupOADPCLIDownload(ctx context.Context, c client.Client, namespace string) error {
+	// Create Route, wait for hostname, create ConsoleCLIDownload
+	// Implementation goes here
+	route := &routev1.Route{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "openshift-adp-cli-server-route",
+			Namespace: namespace,
+		},
+		Spec: routev1.RouteSpec{
+			To: routev1.RouteTargetReference{
+				Kind: "Service",
+				Name: "openshift-adp-cli-server",
+			},
+			Port: &routev1.RoutePort{
+				TargetPort: intstr.FromString("http"),
+			},
+			TLS: &routev1.TLSConfig{
+				Termination:                   routev1.TLSTerminationEdge,
+				InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyRedirect,
+			},
+		},
+	}
+	err := c.Create(ctx, route)
+	if err != nil && !errors.IsAlreadyExists(err) {
+		return err
+	}
+	if errors.IsAlreadyExists(err) {
+		// Route already exists, just get it
+		err = c.Get(ctx, client.ObjectKey{
+			Name:      "openshift-adp-cli-server-route",
+			Namespace: namespace,
+		}, route)
+		if err != nil {
+			return fmt.Errorf("failed to get existing route: %w", err)
+		}
+	}
+
+	hostname := ""
+	// 2. Get hostname from Status
+	for i := 0; i < 3; i++ {
+		err = c.Get(ctx, client.ObjectKey{
+			Name:      "openshift-adp-cli-server-route",
+			Namespace: namespace,
+		}, route)
+
+		if err != nil {
+			return fmt.Errorf("failed to get route: %w", err)
+		}
+
+		// Check if hostname is assigned
+		if len(route.Status.Ingress) > 0 && route.Status.Ingress[0].Host != "" {
+			hostname = route.Status.Ingress[0].Host
+			break
+		}
+
+		// Backoff: wait 2^i seconds (1s, 2s, 4s)
+		if i < 2 {
+			setupLog.Info("route hostname not ready, retrying...", "attempt", i+1)
+			time.Sleep(time.Duration(1<<uint(i)) * time.Second)
+		}
+	}
+
+	if hostname == "" {
+		return fmt.Errorf("failed to get route hostname, oadp-cli-server is not ready")
+	}
+
+	// 3. Create ConsoleCLIDownload with the hostname
+	downloadURL := fmt.Sprintf("https://%s/", hostname)
+
+	// Create the ConsoleCLIDownload (cluster-scoped resource, no namespace)
+	consoleCLIDownload := &consolev1.ConsoleCLIDownload{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "openshift-adp-oadp-cli",
+		},
+		Spec: consolev1.ConsoleCLIDownloadSpec{
+			Description: "OADP operator Command Line Interface (CLI)",
+			DisplayName: "oadp - OADP operator Command Line Interface (CLI)",
+			Links: []consolev1.CLIDownloadLink{
+				{
+					Href: downloadURL,
+					Text: "Download OADP CLI for Linux x86_64",
+				},
+			},
+		},
+	}
+	err = c.Create(ctx, consoleCLIDownload)
+	if err != nil && !errors.IsAlreadyExists(err) {
+		return fmt.Errorf("failed to create ConsoleCLIDownload: %w", err)
+	}
+	return nil
+}
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -18,6 +18,7 @@ resources:
 - ../crd
 - ../rbac
 - ../manager
+- ../oadp-cli
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- ../webhook
diff --git a/config/oadp-cli/binary-deployment.yaml b/config/oadp-cli/binary-deployment.yaml
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: oadp-cli-server
+  namespace: system
+  labels:
+    app: oadp-cli
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: oadp-cli
+  template:
+    metadata:
+      labels:
+        app: oadp-cli
+    spec:
+      serviceAccountName: controller-manager
+      securityContext:
+        runAsNonRoot: true
+      containers:
+      - name: oadp-cli-server
+        image: quay.io/rh_ee_jvaikath/oadp-cli-binaries
+        resources:
+          limits:
+            cpu: 100m
+            memory: 64Mi
+          requests:
+            cpu: 50m
+            memory: 32Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+      terminationGracePeriodSeconds: 10
diff --git a/config/oadp-cli/kustomization.yaml b/config/oadp-cli/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- binary-deployment.yaml
+- service.yaml
diff --git a/config/oadp-cli/service.yaml b/config/oadp-cli/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: cli-server
+  namespace: system
+spec:
+  selector:
+    app: oadp-cli
+  ports:
+  - name: http
+    port: 80  # Standard HTTP port
+    targetPort: 8080  # But your container still listens on 8080
+    protocol: TCP
+  type: ClusterIP
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -64,6 +64,18 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - console.openshift.io
+  resources:
+  - consoleclidownloads
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - coordination.k8s.io
   - corev1
diff --git a/internal/controller/dataprotectionapplication_controller.go b/internal/controller/dataprotectionapplication_controller.go
@@ -71,6 +71,7 @@ var debugMode = os.Getenv("DEBUG") == "true"
 //+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;create;update;patch
 //+kubebuilder:rbac:groups=apps,resources=deployments;daemonsets,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=console.openshift.io,resources=consoleclidownloads,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;list;watch;create;update;patch;delete
 
 // Reconcile is part of the main Kubernetes reconciliation loop which aims to
