Update login templates to PatternFly 4 design

[rhamilto]

The raw templates can be viewed at:

• https://rhamilto.github.io/oauth-templates/ocp/errors.html
• https://rhamilto.github.io/oauth-templates/ocp/login.html
• https://rhamilto.github.io/oauth-templates/ocp/providers.html

How to test:

1. Scale cluster-version-operator to zero pods by visiting k8s/ns/openshift-cluster-version/deployments/cluster-version-operator and using the pod donut controls to set pods to zero. Additionally, pause rollouts via Actions > Pause Rollouts.
2. Delete the existing branding secret via oc delete secret v4-0-config-system-ocp-branding-template -n openshift-authentication
3. Recreate the branding secret via oc create -f https://raw.githubusercontent.com/openshift/cluster-authentication-operator/<HASH>/manifests/06_branding_secret.yaml
4. Delete existing openshift-authentication pods so they are regenerated with the new branding secret via oc delete pods --all -n openshift-authentication

cc: @spadgett, @benjaminapetersen

[benjaminapetersen]

@rhamilto I think you can take that file & oc apply -f <secret-file> and it should replace whats deployed. If I run:

oc get secret -n openshift-authentication
NAME                                       TYPE                                  DATA   AGE
builder-dockercfg-rmgb2                    kubernetes.io/dockercfg               1      4d20h
builder-token-gnwst                        kubernetes.io/service-account-token   4      4d20h
builder-token-z7h8z                        kubernetes.io/service-account-token   4      4d20h
default-dockercfg-29j8n                    kubernetes.io/dockercfg               1      4d20h
default-token-5sn44                        kubernetes.io/service-account-token   4      4d20h
default-token-d59zb                        kubernetes.io/service-account-token   4      4d21h
deployer-dockercfg-zfzrt                   kubernetes.io/dockercfg               1      4d20h
deployer-token-s4jw8                       kubernetes.io/service-account-token   4      4d20h
deployer-token-vc6tc                       kubernetes.io/service-account-token   4      4d20h
oauth-openshift-dockercfg-zdpjj            kubernetes.io/dockercfg               1      4d20h
oauth-openshift-token-598h8                kubernetes.io/service-account-token   4      4d21h
oauth-openshift-token-9hjl8                kubernetes.io/service-account-token   4      4d20h
# here is your name: v4-0-config-system-ocp-branding-template
v4-0-config-system-ocp-branding-template   Opaque                                3      4d21h
v4-0-config-system-router-certs            Opaque                                1      4d20h
v4-0-config-system-serving-cert            kubernetes.io/tls                     2      4d20h
v4-0-config-system-session                 Opaque                                1      4d20h

Correction, you cannot oc apply -f as apply stores previous state on annotations, and the data in the secret is significant. You have to oc delete secret v4-0-config-system-ocp-branding-template -n openshift-authentication followed by oc create -f https://raw.githubusercontent.com/openshift/cluster-authentication-operator/5e39fab0df6ba997fa0428ea9b0738c393a80001/manifests/06_branding_secret.yaml

Step 2, oc delete pods --all -n openshift-authentication to redeploy the pods (so they update the volume mount for the secret).

When I did the above the login page became:

Note however, I did have alternative auth providers setup via HTPSSWD and I no longer had the opportunity to select one of them.

[stlaz]

@benjaminapetersen is the console-login test failing because of the new template?

[stlaz]

Small correction to the testing comment:
Step 0: disable CVO managing the secret so that you don't have to try to compete with it.

I couldn't get a cluster up yet since we seem to be hitting AWS limits against, I'll try that afterwards, including the oauth-server.

The IdM selection is a must-have though, if it's not there yet, add it, please.

[rhamilto]

@benjaminapetersen is the console-login test failing because of the new template?

Indeed it is. Tests are looking for the old PF3 login class (.login-pf) that has been changed to the new PF4 login class (.pf-c-login). Lemme update the tests in a way that will work with both the old and new login templates.

[rhamilto]

ci/prow/e2e-aws-console-login should pass once openshift/console#4029 merges.

[stlaz]

tested in my cluster with 2 IdPs, selecting an IdP worked so I think we can merge this once the tests pass.

[stlaz]

/test e2e-aws-upgrade

[stlaz]

/retest

[rhamilto]

/retest

[spadgett]

I've confirmed the stable:console-tests image used in the last run didn't have the test changes from openshift/console#4029, which is why e2e-aws-console-login failed

[rhamilto]

/retest

[rhamilto]

/retest

[rhamilto]

/retest

[stlaz]

/retest

[stlaz]

/lgtm
installation seems to be in quite a bad shape lately, let's have /retests automatically

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rhamilto, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [stlaz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment