@@ -76,10 +76,13 @@ var ( |
76 | 76 |
) |
77 | 77 |
|
78 | 78 |
type AuthConfig struct { |
79 |
- MasterAddr string |
|
80 |
- MasterRoots *x509.CertPool |
|
81 |
- SessionSecrets []string |
|
82 |
- EtcdHelper tools.EtcdHelper |
|
79 |
+ // URL to call internally during token request |
|
80 |
+ MasterAddr string |
|
81 |
+ // URL to direct browsers to the master on |
|
82 |
+ MasterPublicAddr string |
|
83 |
+ MasterRoots *x509.CertPool |
|
84 |
+ SessionSecrets []string |
|
85 |
+ EtcdHelper tools.EtcdHelper |
|
83 | 86 |
} |
84 | 87 |
|
85 | 88 |
// InstallAPI starts an OAuth2 server and registers the supported REST APIs |
@@ -122,9 +125,9 @@ func (c *AuthConfig) InstallAPI(container *restful.Container) []string { |
122 | 122 |
) |
123 | 123 |
server.Install(mux, OpenShiftOAuthAPIPrefix) |
124 | 124 |
|
125 |
- CreateOrUpdateDefaultOAuthClients(c.MasterAddr, oauthEtcd) |
|
125 |
+ CreateOrUpdateDefaultOAuthClients(c.MasterPublicAddr, oauthEtcd) |
|
126 | 126 |
osOAuthClientConfig := c.NewOpenShiftOAuthClientConfig(&OSBrowserClientBase) |
127 |
- osOAuthClientConfig.RedirectUrl = c.MasterAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint |
|
127 |
+ osOAuthClientConfig.RedirectUrl = c.MasterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint |
|
128 | 128 |
|
129 | 129 |
osOAuthClient, _ := osincli.NewClient(osOAuthClientConfig) |
130 | 130 |
if c.MasterRoots != nil { |
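Review bot: The browser client's redirect URL at line 127 (`osOAuthClientConfig.RedirectUrl = c.MasterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint`) is built independently of the RedirectURIs that CreateOrUpdateDefaultOAuthClients registers for the same client on the line before it; if the registry matches redirect URIs exactly, as OAuth 2.0 expects, the two expressions must never drift. A comment would make the coupling explicit: `// Must match the RedirectURIs registered for OSBrowserClientBase by CreateOrUpdateDefaultOAuthClients.` Better still would be one helper that returns the display-token URL for a given base address and is called from both places. The error from `osincli.NewClient` on line 129 is still discarded; at minimum it should be logged. InstallAPI starts and ends outside the hunk.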
@@ -157,14 +160,14 @@ func (c *AuthConfig) NewOpenShiftOAuthClientConfig(client *oauthapi.Client) *osi |
157 | 157 |
ClientSecret: client.Secret, |
158 | 158 |
ErrorsInStatusCode: true, |
159 | 159 |
SendClientSecretInParams: true, |
160 |
- AuthorizeUrl: c.MasterAddr + OpenShiftOAuthAPIPrefix + "/authorize", |
|
160 |
+ AuthorizeUrl: c.MasterPublicAddr + OpenShiftOAuthAPIPrefix + "/authorize", |
|
161 | 161 |
TokenUrl: c.MasterAddr + OpenShiftOAuthAPIPrefix + "/token", |
162 | 162 |
Scope: "", |
163 | 163 |
} |
164 | 164 |
return config |
165 | 165 |
} |
166 | 166 |
|
167 |
-func CreateOrUpdateDefaultOAuthClients(masterAddr string, clientRegistry oauthclient.Registry) { |
|
167 |
+func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, clientRegistry oauthclient.Registry) { |
|
168 | 168 |
clientsToEnsure := []*oauthapi.Client{ |
169 | 169 |
{ |
170 | 170 |
ObjectMeta: kapi.ObjectMeta{ |
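Review bot: The split at lines 160–161, where `AuthorizeUrl` is now built from `c.MasterPublicAddr` while `TokenUrl` stays on `c.MasterAddr`, is deliberate but reads like an oversight to the next maintainer; a why-comment would stop someone "fixing" it: `// AuthorizeUrl is followed by the browser, so it uses the public address; TokenUrl is called server-side and stays on the internal address.` Since the token exchange goes to the internal address, any server verification configured through MasterRoots presumably has to cover that address rather than the public one, which is worth saying in the same comment. NewOpenShiftOAuthClientConfig begins outside the hunk and CreateOrUpdateDefaultOAuthClients continues past it.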
@@ -172,7 +175,7 @@ func CreateOrUpdateDefaultOAuthClients(masterAddr string, clientRegistry oauthcl |
172 | 172 |
}, |
173 | 173 |
Secret: OSBrowserClientBase.Secret, |
174 | 174 |
RespondWithChallenges: OSBrowserClientBase.RespondWithChallenges, |
175 |
- RedirectURIs: []string{masterAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint}, |
|
175 |
+ RedirectURIs: []string{masterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint}, |
|
176 | 176 |
}, |
177 | 177 |
{ |
178 | 178 |
ObjectMeta: kapi.ObjectMeta{ |
@@ -180,7 +183,7 @@ func CreateOrUpdateDefaultOAuthClients(masterAddr string, clientRegistry oauthcl |
180 | 180 |
}, |
181 | 181 |
Secret: OSCliClientBase.Secret, |
182 | 182 |
RespondWithChallenges: OSCliClientBase.RespondWithChallenges, |
183 |
- RedirectURIs: []string{masterAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint}, |
|
183 |
+ RedirectURIs: []string{masterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint}, |
|
184 | 184 |
}, |
185 | 185 |
} |
186 | 186 |
|
@@ -256,7 +259,7 @@ func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, sessionStore sess |
256 | 256 |
} |
257 | 257 |
|
258 | 258 |
state := external.DefaultState() |
259 |
- oauthHandler, err := external.NewExternalOAuthRedirector(oauthProvider, state, c.MasterAddr+callbackPath, successHandler, errorHandler, identityMapper) |
|
259 |
+ oauthHandler, err := external.NewExternalOAuthRedirector(oauthProvider, state, c.MasterPublicAddr+callbackPath, successHandler, errorHandler, identityMapper) |
|
260 | 260 |
if err != nil { |
261 | 261 |
glog.Fatalf("unexpected error: %v", err) |
262 | 262 |
} |
@@ -80,13 +80,18 @@ const ( |
80 | 80 |
|
81 | 81 |
// MasterConfig defines the required parameters for starting the OpenShift master |
82 | 82 |
type MasterConfig struct { |
83 |
- BindAddr string |
|
84 |
- MasterAddr string |
|
85 |
- AssetAddr string |
|
83 |
+ // host:port to bind master to |
|
84 |
+ MasterBindAddr string |
|
85 |
+ // host:port to bind asset server to |
|
86 |
+ AssetBindAddr string |
|
87 |
+ // url to access the master API on within the cluster |
|
88 |
+ MasterAddr string |
|
89 |
+ // url to access kubernetes API on within the cluster |
|
86 | 90 |
KubernetesAddr string |
87 | 91 |
// external clients may need to access APIs at different addresses than internal components do |
88 | 92 |
MasterPublicAddr string |
89 | 93 |
KubernetesPublicAddr string |
94 |
+ AssetPublicAddr string |
|
90 | 95 |
|
91 | 96 |
TLS bool |
92 | 97 |
|
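Review bot: `AssetPublicAddr` at line 94 is the only field added in this hunk without a doc comment, although the commit gives one to every other new field, and `KubernetesPublicAddr` on line 93 has none either. Suggest `// url external clients use to reach the asset server (web console)` above line 94, in the lowercase style used on lines 83–89, and a parallel one for KubernetesPublicAddr. The sentence on line 91 currently applies only to MasterPublicAddr by position, so the two uncommented fields read as undocumented.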
@@ -299,7 +304,7 @@ func (c *MasterConfig) RunAPI(installers ...APIInstaller) { |
299 | 299 |
} |
300 | 300 |
|
301 | 301 |
server := &http.Server{ |
302 |
- Addr: c.BindAddr, |
|
302 |
+ Addr: c.MasterBindAddr, |
|
303 | 303 |
Handler: handler, |
304 | 304 |
ReadTimeout: 5 * time.Minute, |
305 | 305 |
WriteTimeout: 5 * time.Minute, |
@@ -325,7 +330,7 @@ func (c *MasterConfig) RunAPI(installers ...APIInstaller) { |
325 | 325 |
}, 0) |
326 | 326 |
|
327 | 327 |
// Attempt to verify the server came up for 20 seconds (100 tries * 100ms, 100ms timeout per try) |
328 |
- cmdutil.WaitForSuccessfulDial("tcp", c.BindAddr, 100*time.Millisecond, 100*time.Millisecond, 100) |
|
328 |
+ cmdutil.WaitForSuccessfulDial("tcp", c.MasterBindAddr, 100*time.Millisecond, 100*time.Millisecond, 100) |
|
329 | 329 |
} |
330 | 330 |
|
331 | 331 |
// wireAuthenticationHandling creates and binds all the objects that we only care about if authentication is turned on. It's pulled out |
@@ -421,7 +426,7 @@ func (c *MasterConfig) RunAssetServer() { |
421 | 421 |
) |
422 | 422 |
|
423 | 423 |
server := &http.Server{ |
424 |
- Addr: c.AssetAddr, |
|
424 |
+ Addr: c.AssetBindAddr, |
|
425 | 425 |
Handler: mux, |
426 | 426 |
ReadTimeout: 5 * time.Minute, |
427 | 427 |
WriteTimeout: 5 * time.Minute, |
@@ -437,16 +442,18 @@ func (c *MasterConfig) RunAssetServer() { |
437 | 437 |
// This allows certificates to be validated by authenticators, while still allowing other auth types |
438 | 438 |
ClientAuth: tls.RequestClientCert, |
439 | 439 |
} |
440 |
- glog.Infof("Started OpenShift static asset server at https://%s", c.AssetAddr) |
|
440 |
+ glog.Infof("OpenShift UI listening at https://%s", c.AssetBindAddr) |
|
441 | 441 |
glog.Fatal(server.ListenAndServeTLS(c.AssetCertFile, c.AssetKeyFile)) |
442 | 442 |
} else { |
443 |
- glog.Infof("Started OpenShift static asset server at http://%s", c.AssetAddr) |
|
443 |
+ glog.Infof("OpenShift UI listening at https://%s", c.AssetBindAddr) |
|
444 | 444 |
glog.Fatal(server.ListenAndServe()) |
445 | 445 |
} |
446 | 446 |
}, 0) |
447 | 447 |
|
448 | 448 |
// Attempt to verify the server came up for 20 seconds (100 tries * 100ms, 100ms timeout per try) |
449 |
- cmdutil.WaitForSuccessfulDial("tcp", c.AssetAddr, 100*time.Millisecond, 100*time.Millisecond, 100) |
|
449 |
+ cmdutil.WaitForSuccessfulDial("tcp", c.AssetBindAddr, 100*time.Millisecond, 100*time.Millisecond, 100) |
|
450 |
+ |
|
451 |
+ glog.Infof("OpenShift UI available at %s", c.AssetPublicAddr) |
|
450 | 452 |
} |
451 | 453 |
|
452 | 454 |
// RunBuildController starts the build sync loop for builds and buildConfig processing. |
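Review bot: The message at line 443 prints `https://` in the branch that calls `server.ListenAndServe()` without TLS on the next line; the removed line correctly said `http://`, so this is a copy-paste regression that tells operators the UI is on TLS when it is not. Change it to `glog.Infof("OpenShift UI listening at http://%s", c.AssetBindAddr)`. The new line 451 prints `c.AssetPublicAddr` as a full URL, so its scheme comes from the derived public address rather than from whether TLS is actually enabled here; if those can disagree, the two messages will contradict each other. RunAssetServer begins outside the hunk.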
@@ -110,8 +110,8 @@ func NewCommandStartServer(name string) *cobra.Command { |
110 | 110 |
EtcdAddr: flagtypes.Addr{Value: "0.0.0.0:4001", DefaultScheme: "http", DefaultPort: 4001}.Default(), |
111 | 111 |
KubernetesAddr: flagtypes.Addr{DefaultScheme: "https", DefaultPort: 8443}.Default(), |
112 | 112 |
PortalNet: flagtypes.DefaultIPNet("172.30.17.0/24"), |
113 |
- MasterPublicAddr: flagtypes.Addr{Value: hostname, DefaultScheme: "https", DefaultPort: 443, AllowPrefix: true}.Default(), |
|
114 |
- KubernetesPublicAddr: flagtypes.Addr{Value: hostname, DefaultScheme: "https", DefaultPort: 443}.Default(), |
|
113 |
+ MasterPublicAddr: flagtypes.Addr{Value: "localhost:8443", DefaultScheme: "https", DefaultPort: 8443, AllowPrefix: true}.Default(), |
|
114 |
+ KubernetesPublicAddr: flagtypes.Addr{Value: "localhost:8443", DefaultScheme: "https", DefaultPort: 8443, AllowPrefix: true}.Default(), |
|
115 | 115 |
|
116 | 116 |
Hostname: hostname, |
117 | 117 |
NodeList: flagtypes.StringList{"127.0.0.1"}, |
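Review bot: Lines 113–114 change the default public addresses from the machine hostname on port 443 to `localhost:8443`, and line 114 additionally sets `AllowPrefix: true` on KubernetesPublicAddr, which the removed value did not have; if the prefix flag is intended it deserves a comment, otherwise it looks copied from line 113. Because the OAuth redirect URIs, the external OAuth callback URL and the CORS origin list are all derived from MasterPublicAddr elsewhere in this commit, a server reached under its real hostname will now send browsers to localhost unless the public address is overridden, and the help text for that option should say so. A short comment on line 113 such as `// Defaults suit an all-in-one on the local machine; deployments reached by hostname must set the public addresses.` would record the intent.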
@@ -246,20 +246,27 @@ func start(cfg *config, args []string) error { |
246 | 246 |
k8sPublicAddr = cfg.KubernetesAddr |
247 | 247 |
} |
248 | 248 |
|
249 |
- assetAddr := net.JoinHostPort(cfg.BindAddr.Host, strconv.Itoa(cfg.BindAddr.Port+1)) |
|
249 |
+ // Derive the asset bind address by incrementing the master bind address port by 1 |
|
250 |
+ assetBindAddr := net.JoinHostPort(cfg.BindAddr.Host, strconv.Itoa(cfg.BindAddr.Port+1)) |
|
251 |
+ // Derive the asset public address by incrementing the master public address port by 1 |
|
252 |
+ assetPublicAddr := *masterPublicAddr.URL |
|
253 |
+ assetPublicAddr.Host = net.JoinHostPort(masterPublicAddr.Host, strconv.Itoa(masterPublicAddr.Port+1)) |
|
250 | 254 |
|
251 | 255 |
// always include the all-in-one server's web console as an allowed CORS origin |
252 | 256 |
// always include localhost as an allowed CORS origin |
253 | 257 |
// always include master and kubernetes public addresses as an allowed CORS origin |
254 |
- cfg.CORSAllowedOrigins = append(cfg.CORSAllowedOrigins, assetAddr, "localhost", "127.0.0.1", |
|
255 |
- cfg.MasterPublicAddr.URL.Host, cfg.KubernetesPublicAddr.URL.Host) |
|
258 |
+ for _, origin := range []string{assetPublicAddr.Host, masterPublicAddr.URL.Host, k8sPublicAddr.URL.Host, "localhost", "127.0.0.1"} { |
|
259 |
+ // TODO: check if origin is already allowed |
|
260 |
+ cfg.CORSAllowedOrigins = append(cfg.CORSAllowedOrigins, origin) |
|
261 |
+ } |
|
256 | 262 |
|
257 | 263 |
osmaster := &origin.MasterConfig{ |
258 |
- TLS: cfg.MasterAddr.URL.Scheme == "https", |
|
259 |
- BindAddr: cfg.BindAddr.URL.Host, |
|
264 |
+ TLS: cfg.BindAddr.URL.Scheme == "https", |
|
265 |
+ MasterBindAddr: cfg.BindAddr.URL.Host, |
|
260 | 266 |
MasterAddr: cfg.MasterAddr.URL.String(), |
261 | 267 |
MasterPublicAddr: masterPublicAddr.URL.String(), |
262 |
- AssetAddr: assetAddr, |
|
268 |
+ AssetBindAddr: assetBindAddr, |
|
269 |
+ AssetPublicAddr: assetPublicAddr.String(), |
|
263 | 270 |
KubernetesAddr: cfg.KubernetesAddr.URL.String(), |
264 | 271 |
KubernetesPublicAddr: k8sPublicAddr.URL.String(), |
265 | 272 |
EtcdHelper: etcdHelper, |
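Review bot: The loop at lines 258–261 appends every derived origin to `cfg.CORSAllowedOrigins` unconditionally, so an origin the user already supplied, or one shared by the master and Kubernetes public addresses (the usual all-in-one case given line 246), is added again; the TODO at line 259 can be resolved with a small set check, shown below. Separately, line 253 derives the asset port as `masterPublicAddr.Port+1` without checking that it stays at or below 65535, the same latent edge case as line 250. start continues outside the hunk.
```go
// … unchanged: assetBindAddr / assetPublicAddr derivation …
// Track what is already allowed so repeated or user-supplied origins are not appended twice.
allowed := make(map[string]struct{}, len(cfg.CORSAllowedOrigins))
for _, o := range cfg.CORSAllowedOrigins {
	allowed[o] = struct{}{}
}
for _, origin := range []string{assetPublicAddr.Host, masterPublicAddr.URL.Host, k8sPublicAddr.URL.Host, "localhost", "127.0.0.1"} {
	if _, ok := allowed[origin]; ok {
		continue
	}
	allowed[origin] = struct{}{}
	cfg.CORSAllowedOrigins = append(cfg.CORSAllowedOrigins, origin)
}
// … unchanged: osmaster construction …
```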
@@ -344,10 +351,11 @@ func start(cfg *config, args []string) error { |
344 | 344 |
osmaster.EnsureCORSAllowedOrigins(cfg.CORSAllowedOrigins) |
345 | 345 |
|
346 | 346 |
auth := &origin.AuthConfig{ |
347 |
- MasterAddr: cfg.MasterAddr.URL.String(), |
|
348 |
- MasterRoots: roots, |
|
349 |
- SessionSecrets: []string{"secret"}, |
|
350 |
- EtcdHelper: etcdHelper, |
|
347 |
+ MasterAddr: cfg.MasterAddr.URL.String(), |
|
348 |
+ MasterPublicAddr: masterPublicAddr.URL.String(), |
|
349 |
+ MasterRoots: roots, |
|
350 |
+ SessionSecrets: []string{"secret"}, |
|
351 |
+ EtcdHelper: etcdHelper, |
|
351 | 352 |
} |
352 | 353 |
|
353 | 354 |
if startKube { |
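Review bot: `SessionSecrets: []string{"secret"}` at line 350 keeps a fixed, source-visible session secret, so anyone who can read this repository can forge or alter session cookies on any deployment running with these defaults; the commit reindents the line but leaves the value. The secret should come from configuration; until that exists, generating it per process with crypto/rand (accepting that sessions are invalidated on restart) is a safer default, as sketched below, and `start` already returns an error so the failure path is available (the sketch also needs encoding/base64). If the literal is kept for development, the line should at least carry a comment saying it is a placeholder. start begins outside the hunk.
```go
// Per-process random session secret: sessions do not survive a restart, which is preferable to a secret readable in source.
sessionSecret := make([]byte, 32)
if _, err := rand.Read(sessionSecret); err != nil {
	return err
}
auth := &origin.AuthConfig{
	// … unchanged: MasterAddr, MasterPublicAddr, MasterRoots …
	SessionSecrets: []string{base64.StdEncoding.EncodeToString(sessionSecret)},
	EtcdHelper:     etcdHelper,
}
```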