feat: rfe-7592: Add support for custom login server URL in console

[sandert-k8s]

Community contribution.

Adds RFE-7592. Adds the possibility to use the Capsule Proxy as a Server Address. It's only a optical change, it doesn't change anything to the api itself.

Should be reviewed/implemented together with openshift/console#16125

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@sandert-k8s: This pull request references rfe-7592 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the feature request to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Community contribution.

Adds RFE-7592. Adds the possibility to use the Capsule Proxy as a Server Address. It's only a optical change, it doesn't change anything to the api itself.

Should be reviewed/implemented together with openshift/console#16125

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Warning

Rate limit exceeded

@sandert-k8s has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 3 minutes and 58 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 43c9a1f3-a620-441f-b21c-876f8eeb6d4c

📥 Commits

Reviewing files that changed from the base of the PR and between 7918d1d and 7949bd3.

⛔ Files ignored due to path filters (2)

• operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.featuregated-crd-manifests/consoles.operator.openshift.io/ConsoleCustomLoginServerURL.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**

📒 Files selected for processing (2)

• features/features.go
• operator/v1/types_console.go

📝 Walkthrough

Walkthrough

A new optional CustomLoginServerURL field was added to the ConsoleCustomization type in operator/v1/types_console.go. The field accepts string values with a validation pattern that permits either empty values or valid HTTPS URLs. The field includes accompanying comments that describe its purpose and fallback behavior. The change comprises 10 added lines.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main change: adding support for a custom login server URL in the console, with specific RFE reference.
Description check	✅ Passed	The description is clearly related to the changeset, explaining the purpose (Capsule Proxy support) and referencing the corresponding console PR for coordinated review.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	The PR only modifies operator/v1/types_console.go to add a new field and makes no changes to test files, including Ginkgo-based tests.
Test Structure And Quality	✅ Passed	The custom check for Test Structure and Quality is not applicable to this PR as it only modifies type definitions without test code changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

Review Summary by Qodo

Add custom login server URL support to console customization

✨ Enhancement

Walkthroughs

Description

• Add customLoginServerURL field to ConsoleCustomization struct
• Allows overriding server address in 'oc login' command
• Enables use of Capsule Proxy or alternative API endpoints
• Includes HTTPS URL validation pattern

Diagram

flowchart LR
  A["ConsoleCustomization struct"] -->|"adds field"| B["customLoginServerURL"]
  B -->|"overrides"| C["oc login command display"]
  C -->|"enables"| D["Capsule Proxy or alternative endpoints"]

Loading

File Changes

1. operator/v1/types_console.go ✨ Enhancement +10/-0

Add customLoginServerURL field with HTTPS validation

• Added customLoginServerURL optional field to ConsoleCustomization struct
• Field allows customizing the server address displayed in 'oc login' command
• Includes comprehensive documentation explaining use case for proxies
• Implements HTTPS URL validation using kubebuilder pattern constraint

operator/v1/types_console.go

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (2) 📎 Requirement gaps (0)

1. CustomLoginServerURL missing FeatureGate ☑ 📘 Rule violation ✓ Correctness

Description

A new field was added to a stable operator/v1 API without being introduced behind a FeatureGate.
This breaks the requirement to gate new fields on stable APIs to preserve compatibility guarantees.

Code

operator/v1/types_console.go[R341-350]

+	// customLoginServerURL is an optional field that, when set, overrides the server
+	// address displayed in the 'oc login' command shown in the console. Use this
+	// to advertise an alternative API endpoint (for example, a Proxy
+	// or any other front-end that accepts oc login traffic) without changing
+	// how the console itself communicates with the Kubernetes API server.
+	// When omitted, the console falls back to the standard cluster API server URL.
+	// Must be a valid HTTPS URL.
+	// +optional
+	// +kubebuilder:validation:Pattern=`^$|^https://[^\s].*$`
+	CustomLoginServerURL string `json:"customLoginServerURL,omitempty"`

Evidence

PR Compliance ID 3 requires newly added fields to stable (v1) APIs to be guarded by a FeatureGate
marker and corresponding registration, but the added CustomLoginServerURL field only includes
+optional and a Pattern validation and no +openshift:enable:FeatureGate=... marker.

AGENTS.md
operator/v1/types_console.go[341-350]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
A new field (`CustomLoginServerURL`) was added to a stable `operator/v1` API without being introduced behind a FeatureGate.
## Issue Context
Compliance requires that new fields in stable APIs are gated so they can be selectively enabled/validated across profiles.
## Fix Focus Areas
- operator/v1/types_console.go[341-350]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. CRD missing new field ☑ 🐞 Bug ✓ Correctness

Description

ConsoleCustomization.customLoginServerURL is added to the Go API type but is absent from the
generated Console CRD schemas, so the published CRD will not expose/validate this field and the
feature cannot be configured via the CRD manifests shipped in this repo.

Code

operator/v1/types_console.go[R341-350]

+	// customLoginServerURL is an optional field that, when set, overrides the server
+	// address displayed in the 'oc login' command shown in the console. Use this
+	// to advertise an alternative API endpoint (for example, a Proxy
+	// or any other front-end that accepts oc login traffic) without changing
+	// how the console itself communicates with the Kubernetes API server.
+	// When omitted, the console falls back to the standard cluster API server URL.
+	// Must be a valid HTTPS URL.
+	// +optional
+	// +kubebuilder:validation:Pattern=`^$|^https://[^\s].*$`
+	CustomLoginServerURL string `json:"customLoginServerURL,omitempty"`

Evidence

The Go API introduces customLoginServerURL, but in the generated CRD manifests the
spec.customization schema ends (closing type: object) immediately after
quickStarts/perspectives without any customLoginServerURL property, proving the manifests were
not regenerated to include the new field.

operator/v1/types_console.go[341-350]
operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml[740-825]
operator/v1/zz_generated.featuregated-crd-manifests/consoles.operator.openshift.io/AAA_ungated.yaml[250-277]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
A new API field (`spec.customization.customLoginServerURL`) was added to the Go type, but the generated CRD YAMLs were not updated. This means the CRD manifests shipped from this repo do not expose/validate the field.
### Issue Context
The field exists in `operator/v1/types_console.go`, but is missing from the generated CRD schema under `spec.customization`.
### Fix Focus Areas
- operator/v1/types_console.go[341-350]
- operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml[740-825]
- operator/v1/zz_generated.featuregated-crd-manifests/consoles.operator.openshift.io/AAA_ungated.yaml[250-277]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

3. Pattern constraint under-documented ☑ 📘 Rule violation ✓ Correctness

Description

The field uses a kubebuilder Pattern marker but the comment does not fully describe the actual
allowed values implied by the regex (including the empty-string allowance). This reduces clarity and
reviewability of the API contract.

Code

operator/v1/types_console.go[R347-350]

+	// Must be a valid HTTPS URL.
+	// +optional
+	// +kubebuilder:validation:Pattern=`^$|^https://[^\s].*$`
+	CustomLoginServerURL string `json:"customLoginServerURL,omitempty"`

Evidence

PR Compliance ID 6 requires field comments to document constraints implied by kubebuilder markers;
the regex ^$|^https://[^\s].*$ allows either an empty string or a https://... value with a
non-whitespace character after the scheme, but the comment only states "Must be a valid HTTPS URL"
without describing these specifics.

AGENTS.md
operator/v1/types_console.go[347-350]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The kubebuilder `Pattern` constraint for `CustomLoginServerURL` is not fully documented in the field comment.
## Issue Context
The regex permits either an empty string or a value starting with `https://` and containing at least one non-whitespace character after the scheme; this should be explicitly stated in the comment to meet documentation requirements for validation markers.
## Fix Focus Areas
- operator/v1/types_console.go[347-350]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

4. URL validation too permissive ☑ 🐞 Bug ✓ Correctness

Description

CustomLoginServerURL is documented as “Must be a valid HTTPS URL”, but its regex
^$|^https://[^\s].*$ allows whitespace and other invalid URL characters after the first
post-scheme character, so invalid values can pass validation and produce a broken/misleading `oc
login` server address display.

Code

operator/v1/types_console.go[R347-350]

+	// Must be a valid HTTPS URL.
+	// +optional
+	// +kubebuilder:validation:Pattern=`^$|^https://[^\s].*$`
+	CustomLoginServerURL string `json:"customLoginServerURL,omitempty"`

Evidence

The new field’s regex ends with .*, which permits spaces after the first non-whitespace character
(e.g., https://a b). Elsewhere in this repo, URL-ish fields use stricter no-whitespace patterns
(\S+) or explicit URL/scheme CEL validations, indicating the new validation does not meet the
stated requirement.

operator/v1/types_console.go[341-350]
operator/v1/types_insights.go[99-102]
operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml[828-845]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The `CustomLoginServerURL` field claims to require a valid HTTPS URL, but its current regex allows invalid values (notably whitespace after the first character), so invalid configuration can pass CRD validation.
### Issue Context
Other URL-like fields in this repo either disallow whitespace via `\S+` or use CEL URL parsing (`isURL`, `url(self).getScheme()`).
### Fix Focus Areas
- operator/v1/types_console.go[341-350]
- operator/v1/types_insights.go[99-102]
- operator/v1/zz_generated.crd-manifests/0000_50_console_01_consoles.crd.yaml[828-845]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign joelspeed for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hello @sandert-k8s! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-ci]

Hi @sandert-k8s. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@operator/v1/types_console.go`:
- Around line 341-350: The CustomLoginServerURL field currently only has a loose
regex; replace that Pattern annotation with the same CEL-based validation and
MaxLength used by ConsoleURL and ClientDownloadsURL so the field enforces a
well-formed HTTPS URL and max length 1024; specifically, remove the current
+kubebuilder:validation:Pattern for CustomLoginServerURL and add the CEL
validation rule and +kubebuilder:validation:MaxLength=1024 exactly as applied to
ConsoleURL and ClientDownloadsURL to ensure identical strictness and
compatibility.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 8df23883-9243-449c-9a27-c692238e9ab8

📥 Commits

Reviewing files that changed from the base of the PR and between 7127010 and 7918d1d.

📒 Files selected for processing (1)

• operator/v1/types_console.go

[JoelSpeed]

@jhadvig is this on your radar?