CONSOLE-5124: Multi-domain console backend support

[Leo6Leo]

Analysis / Root cause:

RFE-3615 / Epic CONSOLE-5121: The OpenShift web console needs to be accessible at multiple URLs on different domains/IngressControllers simultaneously. This enables operators to expose the console on both public and internal networks.

Stories: CONSOLE-5124 (Dynamic auth per hostname), CONSOLE-5125 (Dynamic CSRF).

Solution description:

This PR adds backend support for hosting the console at multiple URLs. The console-operator (separate PR) populates additionalConsoleBaseAddresses in the console ConfigMap when additional componentRoutes are configured in ingress.config.openshift.io/cluster.

Commit 1 — Config type: Adds AdditionalConsoleBaseAddresses []string to the ClusterInfo struct in the server config.

Commit 2 — Config wiring & CLI flag: Registers --additional-base-addresses CLI flag, parses comma-separated URLs, wires through config file parsing, and adds the AdditionalBaseURLs field to the Server struct. Includes test coverage for config round-trip.

Commit 3 — Multi-URL CSRF (CONSOLE-5125): Changes CSRFVerifier to accept a slice of allowed referer URLs instead of a single URL. The verifier loops over all configured URLs and accepts the request if any match. Includes 12 new test cases covering primary, secondary, port-based, and rejected scenarios.

Commit 4 — Dynamic OAuth redirect (CONSOLE-5124): Adds oauth2ConfigForHost() which rewrites the OAuth redirect_uri based on the incoming request's Host header, validated against an operator-provided allowlist. Updates LoginFunc and CallbackFunc to use the dynamic config. Switches login URLs from absolute to relative paths so they resolve correctly on any domain. Includes 8 new test cases.

All changes are backward compatible — when no additional base addresses are configured, behavior is identical to before.

Screenshots / screen recording:

Backend-only changes, no UI modifications. The feature was validated end-to-end with a POC on a live AWS cluster including external OIDC (Keycloak) across multiple domains.

Test setup:

No special setup required to run tests. For end-to-end testing, the console-operator must be updated to populate additionalConsoleBaseAddresses in the console ConfigMap (separate PR).

Test cases:

• go test ./pkg/serverconfig/... — config parsing round-trip
• go test ./pkg/auth/csrfverifier/... — multi-URL CSRF verification (primary, secondary, port-based, rejected)
• go test ./pkg/auth/oauth2/... — dynamic redirect_uri rewriting, nil allowlist fallback, LoginFunc host selection
• go build ./cmd/bridge/... — clean compilation
• E2E: Console accessible on multiple domains with correct OAuth redirects (requires operator changes)

Browser conformance:

• Chrome
• Firefox
• Safari (or Epiphany on Linux)

Backend-only changes; browser testing not applicable for this PR.

Additional info:

This is part of a multi-repo effort:

• openshift/api — CONSOLE-5163: Add labels field to ComponentRouteSpec (PR Enable YAML schema sidebar on create #2845)
• console-operator — Route creation, OAuth redirect URI registration, ConfigMap updates (upcoming)
• console (this PR) — Backend auth and CSRF changes

Summary by CodeRabbit

• New Features

  • Added support for multiple console base URLs via a new additional-base-addresses configuration/flag for multi-domain deployments.
  • OAuth login now dynamically uses an allowed per-host redirect URI to keep sign-in working across supported domains.

• Bug Fixes

  • Improved CSRF validation to accept requests from any configured allowed Referer/Origin URL (not just one).
  • Login-related links now construct URLs using the configured base path more consistently.

• Tests

  • Expanded coverage for multi-URL CSRF and host-specific OAuth redirect behavior.

[openshift-ci-robot]

@Leo6Leo: This pull request references CONSOLE-5124 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Analysis / Root cause:

RFE-3615 / Epic CONSOLE-5121: The OpenShift web console needs to be accessible at multiple URLs on different domains/IngressControllers simultaneously. This enables operators to expose the console on both public and internal networks.

Stories: CONSOLE-5124 (Dynamic auth per hostname), CONSOLE-5125 (Dynamic CSRF).

Solution description:

This PR adds backend support for hosting the console at multiple URLs. The console-operator (separate PR) populates additionalConsoleBaseAddresses in the console ConfigMap when additional componentRoutes are configured in ingress.config.openshift.io/cluster.

Commit 1 — Config type: Adds AdditionalConsoleBaseAddresses []string to the ClusterInfo struct in the server config.

Commit 2 — Config wiring & CLI flag: Registers --additional-base-addresses CLI flag, parses comma-separated URLs, wires through config file parsing, and adds the AdditionalBaseURLs field to the Server struct. Includes test coverage for config round-trip.

Commit 3 — Multi-URL CSRF (CONSOLE-5125): Changes CSRFVerifier to accept a slice of allowed referer URLs instead of a single URL. The verifier loops over all configured URLs and accepts the request if any match. Includes 12 new test cases covering primary, secondary, port-based, and rejected scenarios.

Commit 4 — Dynamic OAuth redirect (CONSOLE-5124): Adds oauth2ConfigForHost() which rewrites the OAuth redirect_uri based on the incoming request's Host header, validated against an operator-provided allowlist. Updates LoginFunc and CallbackFunc to use the dynamic config. Switches login URLs from absolute to relative paths so they resolve correctly on any domain. Includes 8 new test cases.

All changes are backward compatible — when no additional base addresses are configured, behavior is identical to before.

Screenshots / screen recording:

Backend-only changes, no UI modifications. The feature was validated end-to-end with a POC on a live AWS cluster including external OIDC (Keycloak) across multiple domains.

Test setup:

No special setup required to run tests. For end-to-end testing, the console-operator must be updated to populate additionalConsoleBaseAddresses in the console ConfigMap (separate PR).

Test cases:

• go test ./pkg/serverconfig/... — config parsing round-trip
• go test ./pkg/auth/csrfverifier/... — multi-URL CSRF verification (primary, secondary, port-based, rejected)
• go test ./pkg/auth/oauth2/... — dynamic redirect_uri rewriting, nil allowlist fallback, LoginFunc host selection
• go build ./cmd/bridge/... — clean compilation
• E2E: Console accessible on multiple domains with correct OAuth redirects (requires operator changes)

Browser conformance:

• Chrome
• Firefox
• Safari (or Epiphany on Linux)

Backend-only changes; browser testing not applicable for this PR.

Additional info:

This is part of a multi-repo effort:

• openshift/api — CONSOLE-5163: Add labels field to ComponentRouteSpec (PR Enable YAML schema sidebar on create #2845)
• console-operator — Route creation, OAuth redirect URI registration, ConfigMap updates (upcoming)
• console (this PR) — Backend auth and CSRF changes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4a3f4b88-3fde-4749-ae2e-7c634c23ce83

📥 Commits

Reviewing files that changed from the base of the PR and between d759f67 and 434bb84.

📒 Files selected for processing (10)

• cmd/bridge/config/auth/authoptions.go
• cmd/bridge/main.go
• pkg/auth/csrfverifier/csfr_test.go
• pkg/auth/csrfverifier/csrf.go
• pkg/auth/oauth2/auth.go
• pkg/auth/oauth2/auth_test.go
• pkg/server/server.go
• pkg/serverconfig/config.go
• pkg/serverconfig/config_test.go
• pkg/serverconfig/types.go

Walkthrough

Adds multi-domain console support via a new --additional-base-addresses flag and matching config field. The extra URLs flow into server wiring, CSRF validation, and OAuth2 redirect handling with host-based allowlists.

Changes

Multi-domain console support

Layer / File(s)	Summary
Config and flag surface pkg/serverconfig/types.go, pkg/serverconfig/config.go, pkg/serverconfig/config_test.go, cmd/bridge/main.go, pkg/server/server.go	ClusterInfo gains AdditionalConsoleBaseAddresses, config-to-flag mapping adds additional-base-addresses, and the bridge CLI parses extra base URLs into Server.AdditionalBaseURLs.
Auth wiring and console URLs cmd/bridge/config/auth/authoptions.go, pkg/server/server.go	ApplyTo passes additional base URLs into auth setup, builds CSRF and redirect allowlists from all base URLs, and switches login URL construction to BaseURL.Path.
CSRF multi-URL verification pkg/auth/csrfverifier/csrf.go, pkg/auth/csrfverifier/csfr_test.go	CSRFVerifier now checks the request source against multiple allowed referer URLs, with tests covering multi-URL origin and referer cases.
OAuth2 redirect host rewriting pkg/auth/oauth2/auth.go, pkg/auth/oauth2/auth_test.go	OAuth2 config now rewrites redirect URIs for allowed request hosts, and tests cover rewrite, fallback, and login flow behavior.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

• jhadvig
• stefanonardo
• TheRealJon

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 errors, 1 warning)

Check name	Status	Explanation	Resolution
No-Weak-Crypto	❌ Error	pkg/auth/oauth2/auth.go compares OAuth state with urlState != cookieState.Value, a non-constant-time token check.	Use crypto/subtle.ConstantTimeCompare for the state token (or equivalent) after normalizing input lengths.
No-Sensitive-Data-In-Logs	❌ Error	New logs print raw user-provided URLs/hosts: invalid additional base address in cmd/bridge/main.go and redirect URL parse failures in pkg/auth/oauth2/auth.go.	Avoid logging raw address/URL inputs; redact hostnames/credentials or log only a generic validation failure without the user-supplied value.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (12 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly matches the main change: multi-domain console backend support.
Description check	✅ Passed	The description is mostly complete and covers the required sections, with only minor template details left unfilled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	New/changed test titles are static and descriptive; no dynamic identifiers, timestamps, IPs, or generated suffixes appear in the added Test/t.Run names.
Test Structure And Quality	✅ Passed	The PR adds only standard Go unit tests, not Ginkgo; they’re table-driven, use defer cleanup, and contain no cluster waits/timeouts to review.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the changed tests are unit tests using httptest/testify, not MicroShift-sensitive OpenShift APIs.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added; the changed tests are plain testing unit tests and show no SNO-sensitive multi-node assumptions.
Topology-Aware Scheduling Compatibility	✅ Passed	No deployment/controller or pod-scheduling changes were introduced; the PR only adds config/auth URL handling and a topology string flag, with no affinity/toleration/replica logic.
Ote Binary Stdout Contract	✅ Passed	No process-level stdout writes were added; main only writes errors to stderr, and vendored klog defaults to stderr.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo/e2e tests were added; the new tests are unit tests using httptest and example.com strings only, with no IPv4 or external connectivity assumptions.
Container-Privileges	✅ Passed	PR changes are backend Go-only; no Kubernetes manifests or privileged pod settings were introduced.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Leo6Leo
Once this PR has been reviewed and has the lgtm label, please assign jhadvig for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• cmd/OWNERS
• pkg/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (4)

cmd/bridge/main.go (1)

209-225: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Keep additional base URL validation aligned with --base-address.

BaseURL and AdditionalBaseURLs are treated as peers downstream in the CSRF and OAuth setup, but they are validated through different code paths here. Reusing the same URL validator (or a shared helper) would prevent the primary and additional domain inputs from drifting on accepted formats and normalization.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/bridge/main.go` around lines 209 - 225, Keep the validation for
AdditionalBaseURLs aligned with the existing --base-address handling by reusing
the same URL validation/normalization logic instead of parsing it separately in
main. Update the additional base address loop in cmd/bridge/main.go so it goes
through the same helper or validator used for BaseURL, ensuring both paths
accept and normalize URLs consistently before appending to additionalBaseURLs.

pkg/auth/oauth2/auth_test.go (2)

277-322: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Add callback coverage for request-host redirect selection.

The production change updates both login and callback paths, but this test only verifies LoginFunc. Add a focused callback test so a regression in CallbackFunc using the default redirect URL during code exchange is caught.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/auth/oauth2/auth_test.go` around lines 277 - 322, Add a focused test for
CallbackFunc request-host redirect selection, since the current coverage only
checks LoginFunc. In pkg/auth/oauth2/auth_test.go, extend the existing
request-host setup around NewOAuth2Authenticator and mockOIDCProvider to
exercise CallbackFunc with a request to console-alt.example.com, and assert it
uses the host-derived callback URL instead of the default RedirectURL during
code exchange.

---

171-232: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Cover configured scheme handling for additional redirect URLs.

These cases only prove host replacement with the primary scheme. Add coverage for a mixed-scheme additional base URL, or assert that such configuration is rejected, so the URL-to-host allowlist contract cannot silently drop scheme information.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/auth/oauth2/auth_test.go` around lines 171 - 232, The
TestOAuth2ConfigForHost coverage only verifies host replacement against the
primary redirect scheme, so the additional redirect URL contract could miss
mixed-scheme behavior. Update TestOAuth2ConfigForHost in auth_test.go to either
add a case for a configured additional base URL with a different scheme and
assert the expected outcome, or assert that such mixed-scheme configuration is
rejected by NewOAuth2Authenticator. Use the existing Config,
AllowedRedirectHosts, and NewOAuth2Authenticator symbols to keep the test
aligned with the redirect URL validation behavior.

pkg/auth/csrfverifier/csfr_test.go (1)

65-90: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add a non-root base-path boundary case.

The new table only covers / base paths, so it would not catch /console-evil being accepted for a configured /console base path. Add a rejected regression case alongside the multi-URL tests.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/auth/csrfverifier/csfr_test.go` around lines 65 - 90, Add a rejected
regression case to TestRefererMultipleURLs that covers a non-root base path
boundary, since the current table only exercises "/" paths. Update the
CSRFVerifier referer test setup to include a configured URL with a base path
like "/console", then assert that a lookalike prefix such as "/console-evil" is
rejected while the intended base path remains accepted. Use the existing
TestRefererMultipleURLs and CSRFVerifier symbols to place the new case alongside
the current multi-URL table.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/bridge/config/auth/authoptions.go`:
- Line 281: Remove the dead `oidcClientSecret` assignment in the auth options
setup: it is initialized from `c.ClientSecret` in the var block but then
immediately overwritten before first use, triggering `ineffassign`. Update the
initialization flow in `authoptions.go` so `oidcClientSecret` is assigned only
once and the later redundant reassignment is removed, keeping the value used by
the `oidcClientConfig`/OIDC auth path consistent.

In `@pkg/auth/csrfverifier/csrf.go`:
- Around line 93-103: The Referer path check in csrfverifier’s validation logic
is using a raw prefix match, which can incorrectly accept sibling paths like
/console-evil. Update the path comparison inside the loop in csrf.go to use a
boundary-aware helper for refererURL.Path and u.Path, allowing either an exact
match or a trailing “/” segment match for non-empty paths while preserving the
existing hostname, port, and scheme checks.

In `@pkg/auth/oauth2/auth.go`:
- Around line 69-71: The dynamic OAuth redirect allowlist is currently storing
only hosts, so the code in AllowedRedirectHosts and the redirect selection path
around the OAuth redirect_uri builder can silently reuse the primary RedirectURL
scheme for an additional base URL that was configured with a different scheme.
Update the allowlist representation and the redirect construction logic so the
allowed additional base address preserves scheme plus host (or validate and
reject mixed-scheme additional base URLs before they reach the allowlist), and
ensure the redirect URI generated from RedirectURL uses the scheme associated
with the matched allowed address rather than always inheriting the primary one.

In `@pkg/serverconfig/config.go`:
- Around line 263-264: The addClusterInfo helper currently ignores the error
returned by fs.Set when setting additional-base-addresses, which can hide flag
rename or invalid value failures. Update addClusterInfo to capture and propagate
the fs.Set error, and make SetFlagsFromConfig return that failure instead of
continuing silently. Use the existing addClusterInfo and SetFlagsFromConfig
symbols to route the error back to the caller.

---

Nitpick comments:
In `@cmd/bridge/main.go`:
- Around line 209-225: Keep the validation for AdditionalBaseURLs aligned with
the existing --base-address handling by reusing the same URL
validation/normalization logic instead of parsing it separately in main. Update
the additional base address loop in cmd/bridge/main.go so it goes through the
same helper or validator used for BaseURL, ensuring both paths accept and
normalize URLs consistently before appending to additionalBaseURLs.

In `@pkg/auth/csrfverifier/csfr_test.go`:
- Around line 65-90: Add a rejected regression case to TestRefererMultipleURLs
that covers a non-root base path boundary, since the current table only
exercises "/" paths. Update the CSRFVerifier referer test setup to include a
configured URL with a base path like "/console", then assert that a lookalike
prefix such as "/console-evil" is rejected while the intended base path remains
accepted. Use the existing TestRefererMultipleURLs and CSRFVerifier symbols to
place the new case alongside the current multi-URL table.

In `@pkg/auth/oauth2/auth_test.go`:
- Around line 277-322: Add a focused test for CallbackFunc request-host redirect
selection, since the current coverage only checks LoginFunc. In
pkg/auth/oauth2/auth_test.go, extend the existing request-host setup around
NewOAuth2Authenticator and mockOIDCProvider to exercise CallbackFunc with a
request to console-alt.example.com, and assert it uses the host-derived callback
URL instead of the default RedirectURL during code exchange.
- Around line 171-232: The TestOAuth2ConfigForHost coverage only verifies host
replacement against the primary redirect scheme, so the additional redirect URL
contract could miss mixed-scheme behavior. Update TestOAuth2ConfigForHost in
auth_test.go to either add a case for a configured additional base URL with a
different scheme and assert the expected outcome, or assert that such
mixed-scheme configuration is rejected by NewOAuth2Authenticator. Use the
existing Config, AllowedRedirectHosts, and NewOAuth2Authenticator symbols to
keep the test aligned with the redirect URL validation behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9d966753-aff0-4266-a961-93f7e085cfb4

📥 Commits

Reviewing files that changed from the base of the PR and between d759f67 and 1a81c9b.

📒 Files selected for processing (10)

• cmd/bridge/config/auth/authoptions.go
• cmd/bridge/main.go
• pkg/auth/csrfverifier/csfr_test.go
• pkg/auth/csrfverifier/csrf.go
• pkg/auth/oauth2/auth.go
• pkg/auth/oauth2/auth_test.go
• pkg/server/server.go
• pkg/serverconfig/config.go
• pkg/serverconfig/config_test.go
• pkg/serverconfig/types.go

[openshift-ci]

@Leo6Leo: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[Leo6Leo]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[Leo6Leo]

@coderabbitai review again, and resolve the comments that are addressed

[coderabbitai]

@Leo6Leo Re-running the review and resolving the CodeRabbit comments that have already been addressed.

✅ Action performed

Comments resolved. Approval is disabled; enable reviews.request_changes_workflow to allow explicit top-level @coderabbitai resolve or @coderabbitai approve commands.

---

Full review finished.

[Leo6Leo]

Manually verified with multiple domains, things are working as expected.

Code review:
/assign @TheRealJon @jhadvig