authenticate when kiali is deployed behind openshift route with non-standard port #6181

Merged
merged 1 commit into from May 25, 2023


jmazzitelli commented May 23, 2023

Here is how to test this. You need to configure OpenShift so its ingress router binds to port 31102 for https (not the default 443).

Before you start, make sure your dev environment has both this server PR and the operator PR pulled locally. You need both.

  1. Install OpenShift via CRC: hack/crc-openshift.sh start
  2. Install Istio: hack/istio/install-istio-via-istioctl.sh
  3. Edit the ingress operator: oc edit ingresscontrollers.operator.openshift.io default -n openshift-ingress-operator
    Add the following section in spec (note the value of httpsPort):
  endpointPublishingStrategy:
    hostNetwork:
      httpPort: 80
      httpsPort: 31102
      protocol: TCP
      statsPort: 1936
    type: HostNetwork
  4. In order to test this in our dev environment, we need to change Kiali's make/Makefile.cluster.mk - make this 1-line change (this is simply appending ":31102" to the end of the CLUSTER_REPO env var value):
index 7827d784a..396622c1b 100644
--- a/make/Makefile.cluster.mk
+++ b/make/Makefile.cluster.mk
@@ -11,7 +11,7 @@
 
 .prepare-ocp: .ensure-oc-exists .prepare-ocp-image-registry
        @$(eval CLUSTER_REPO_INTERNAL ?= $(shell ${OC} get image.config.openshift.io/cluster -o custom-columns=INT:.status.internalRegistryHostname --no-headers 2>/dev/null))
-       @$(eval CLUSTER_REPO ?= $(shell ${OC} get image.config.openshift.io/cluster -o custom-columns=EXT:.status.externalRegistryHostnames[0] --no-headers 2>/dev/null))
+       @$(eval CLUSTER_REPO ?= "$(shell ${OC} get image.config.openshift.io/cluster -o custom-columns=EXT:.status.externalRegistryHostnames[0] --no-headers 2>/dev/null):31102")
        @$(eval CLUSTER_KIALI_INTERNAL_NAME ?= ${CLUSTER_REPO_INTERNAL}/${CONTAINER_NAME})
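Review bot: On the added CLUSTER_REPO line, ":31102" is appended outside the $(shell ...) call, so when the oc lookup returns nothing (its stderr goes to /dev/null) the variable becomes ":31102" instead of empty, which hides the failure from anything that checks CLUSTER_REPO for emptiness. The surrounding double quotes also become part of the make variable's value, because make does not strip them; that is harmless when the value is expanded inside a shell recipe, but not when it is concatenated into another variable the way CLUSTER_KIALI_INTERNAL_NAME is built from CLUSTER_REPO_INTERNAL. Suggest dropping the quotes and taking the port from a separate overridable variable that is appended only when the lookup returned a hostname, rather than hardcoding 31102.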
  5. Log into the cluster image registry via podman - the registry should be bound to 31102, so the command would be this:
    podman login --tls-verify=false -u kubeadmin -p $(oc whoami -t) default-route-openshift-image-registry.apps-crc.testing:31102
  6. SOMEHOW YOU NEED A PROXY SO THAT REQUESTS TO oauth-openshift.apps-crc.testing ON PORT 443 ARE FORWARDED TO PORT 31102. I DO NOT KNOW HOW TO DO THIS. If you can't do this, manual steps will have to be performed later; these extra steps will be specified in the steps below when required.
  7. Build and push a dev build of Kiali operator and server and then create a Kiali CR to deploy kiali: make build build-ui cluster-push operator-create kiali-create
  8. Once Kiali is deployed and the pod is running, point your browser to the correct Kiali URL which is on port 31102: https://kiali-istio-system.apps-crc.testing:31102 - this should result in an error. (If you could not perform step 6, modify the URL in the browser address bar by adding :31102 to the hostname oauth-openshift.apps-crc.testing - you will still see an error, but this time it's the error that is expected).
  9. Edit the Kiali CR via oc edit kiali kiali -n kiali-operator and add this to the spec section:
  server:
    web_port: "31102"

(note: the port value must be a string - so ensure you wrap the number in quotes)
10. Wait for the operator to fully reconcile the CR (watch oc get kiali kiali -n kiali-operator -oyaml and wait for it to finish and wait for the Kiali server pod to come up into the running state).
11. Confirm the OAuthClient now has a redirectURI with the custom port:

$ oc get oauthclient kiali-istio-system -o jsonpath='{.redirectURIs}{"\n"}'
["https://kiali-istio-system.apps-crc.testing","https://kiali-istio-system.apps-crc.testing:31102"]
12. Attempt to log in again at https://kiali-istio-system.apps-crc.testing:31102 using username/password of kiali/kiali. This should now work successfully. If you could not perform step 6, modify the URL in the browser address bar by adding :31102 to the hostname oauth-openshift.apps-crc.testing when you get the cannot connect error - you will get to the Kiali login page after you do this. Continue to log in.
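
The check in step 11 can be scripted. The following is an added example, not code from this PR or from Kiali: it parses the `redirectURIs` JSON array and reports whether the configured `web_port` is registered for the Kiali route host. The function names and the "before" sample are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// effectivePorts parses the JSON array printed by the jsonpath query in
// step 11 and returns the port of every https redirect URI registered for
// host. An entry without an explicit port counts as 443.
func effectivePorts(redirectURIsJSON, host string) ([]string, error) {
	var uris []string
	if err := json.Unmarshal([]byte(redirectURIsJSON), &uris); err != nil {
		return nil, fmt.Errorf("not a JSON string array: %w", err)
	}
	var ports []string
	for _, raw := range uris {
		u, err := url.Parse(raw)
		if err != nil {
			return nil, fmt.Errorf("bad redirect URI %q: %w", raw, err)
		}
		if u.Scheme != "https" || u.Hostname() != host {
			continue // other hosts and non-TLS entries do not count
		}
		port := u.Port()
		if port == "" {
			port = "443"
		}
		ports = append(ports, port)
	}
	return ports, nil
}

// hasRedirectPort reports whether webPort is covered by the OAuthClient.
func hasRedirectPort(redirectURIsJSON, host, webPort string) (bool, error) {
	ports, err := effectivePorts(redirectURIsJSON, host)
	if err != nil {
		return false, err
	}
	for _, p := range ports {
		if p == webPort {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	host := "kiali-istio-system.apps-crc.testing"
	after := `["https://kiali-istio-system.apps-crc.testing","https://kiali-istio-system.apps-crc.testing:31102"]` // output shown in step 11
	before := `["https://kiali-istio-system.apps-crc.testing"]` // constructed sample: default entry only
	for _, list := range []string{before, after} {
		ok, err := hasRedirectPort(list, host, "31102")
		fmt.Println(ok, err)
	}
}
```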


@jshaughn jshaughn left a comment


I tested this against 1.65 (ossm 2.4) and it is working.

@jmazzitelli jmazzitelli merged commit 76bf66f into kiali:master May 25, 2023
5 checks passed
@jmazzitelli jmazzitelli deleted the 6180-route-nonstandard-port branch May 25, 2023 16:43
Labels
requires helm chart PR requires operator PR It requires update in operator code
Development

Successfully merging this pull request may close these issues.

support openshift route over non-standard port