Skip to content

Commit

Permalink
Merge pull request #1 from liggitt/public_bind
Browse files Browse the repository at this point in the history
Separate asset bind and asset public addr
  • Loading branch information
sosiouxme committed Jan 23, 2015
2 parents e3a2c83 + 82d1ecc commit 483faf9
Show file tree
Hide file tree
Showing 3 changed files with 50 additions and 32 deletions.
25 changes: 14 additions & 11 deletions pkg/cmd/server/origin/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -76,10 +76,13 @@ var (
)

type AuthConfig struct {
MasterAddr string
MasterRoots *x509.CertPool
SessionSecrets []string
EtcdHelper tools.EtcdHelper
// URL to call internally during token request
MasterAddr string
// URL to direct browsers to the master on
MasterPublicAddr string
MasterRoots *x509.CertPool
SessionSecrets []string
EtcdHelper tools.EtcdHelper
}

// InstallAPI starts an OAuth2 server and registers the supported REST APIs
Expand Down Expand Up @@ -122,9 +125,9 @@ func (c *AuthConfig) InstallAPI(container *restful.Container) []string {
)
server.Install(mux, OpenShiftOAuthAPIPrefix)

CreateOrUpdateDefaultOAuthClients(c.MasterAddr, oauthEtcd)
CreateOrUpdateDefaultOAuthClients(c.MasterPublicAddr, oauthEtcd)
osOAuthClientConfig := c.NewOpenShiftOAuthClientConfig(&OSBrowserClientBase)
osOAuthClientConfig.RedirectUrl = c.MasterAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint
osOAuthClientConfig.RedirectUrl = c.MasterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint

osOAuthClient, _ := osincli.NewClient(osOAuthClientConfig)
if c.MasterRoots != nil {
Expand Down Expand Up @@ -157,30 +160,30 @@ func (c *AuthConfig) NewOpenShiftOAuthClientConfig(client *oauthapi.Client) *osi
ClientSecret: client.Secret,
ErrorsInStatusCode: true,
SendClientSecretInParams: true,
AuthorizeUrl: c.MasterAddr + OpenShiftOAuthAPIPrefix + "/authorize",
AuthorizeUrl: c.MasterPublicAddr + OpenShiftOAuthAPIPrefix + "/authorize",
TokenUrl: c.MasterAddr + OpenShiftOAuthAPIPrefix + "/token",
Scope: "",
}
return config
}

func CreateOrUpdateDefaultOAuthClients(masterAddr string, clientRegistry oauthclient.Registry) {
func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, clientRegistry oauthclient.Registry) {
clientsToEnsure := []*oauthapi.Client{
{
ObjectMeta: kapi.ObjectMeta{
Name: OSBrowserClientBase.Name,
},
Secret: OSBrowserClientBase.Secret,
RespondWithChallenges: OSBrowserClientBase.RespondWithChallenges,
RedirectURIs: []string{masterAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint},
RedirectURIs: []string{masterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint},
},
{
ObjectMeta: kapi.ObjectMeta{
Name: OSCliClientBase.Name,
},
Secret: OSCliClientBase.Secret,
RespondWithChallenges: OSCliClientBase.RespondWithChallenges,
RedirectURIs: []string{masterAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint},
RedirectURIs: []string{masterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint},
},
}

Expand Down Expand Up @@ -256,7 +259,7 @@ func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, sessionStore sess
}

state := external.DefaultState()
oauthHandler, err := external.NewExternalOAuthRedirector(oauthProvider, state, c.MasterAddr+callbackPath, successHandler, errorHandler, identityMapper)
oauthHandler, err := external.NewExternalOAuthRedirector(oauthProvider, state, c.MasterPublicAddr+callbackPath, successHandler, errorHandler, identityMapper)
if err != nil {
glog.Fatalf("unexpected error: %v", err)
}
Expand Down
25 changes: 16 additions & 9 deletions pkg/cmd/server/origin/master.go
Original file line number Diff line number Diff line change
Expand Up @@ -80,13 +80,18 @@ const (

// MasterConfig defines the required parameters for starting the OpenShift master
type MasterConfig struct {
BindAddr string
MasterAddr string
AssetAddr string
// host:port to bind master to
MasterBindAddr string
// host:port to bind asset server to
AssetBindAddr string
// url to access the master API on within the cluster
MasterAddr string
// url to access kubernetes API on within the cluster
KubernetesAddr string
// external clients may need to access APIs at different addresses than internal components do
MasterPublicAddr string
KubernetesPublicAddr string
AssetPublicAddr string

TLS bool

Expand Down Expand Up @@ -299,7 +304,7 @@ func (c *MasterConfig) RunAPI(installers ...APIInstaller) {
}

server := &http.Server{
Addr: c.BindAddr,
Addr: c.MasterBindAddr,
Handler: handler,
ReadTimeout: 5 * time.Minute,
WriteTimeout: 5 * time.Minute,
Expand All @@ -325,7 +330,7 @@ func (c *MasterConfig) RunAPI(installers ...APIInstaller) {
}, 0)

// Attempt to verify the server came up for 20 seconds (100 tries * 100ms, 100ms timeout per try)
cmdutil.WaitForSuccessfulDial("tcp", c.BindAddr, 100*time.Millisecond, 100*time.Millisecond, 100)
cmdutil.WaitForSuccessfulDial("tcp", c.MasterBindAddr, 100*time.Millisecond, 100*time.Millisecond, 100)
}

// wireAuthenticationHandling creates and binds all the objects that we only care about if authentication is turned on. It's pulled out
Expand Down Expand Up @@ -421,7 +426,7 @@ func (c *MasterConfig) RunAssetServer() {
)

server := &http.Server{
Addr: c.AssetAddr,
Addr: c.AssetBindAddr,
Handler: mux,
ReadTimeout: 5 * time.Minute,
WriteTimeout: 5 * time.Minute,
Expand All @@ -437,16 +442,18 @@ func (c *MasterConfig) RunAssetServer() {
// This allows certificates to be validated by authenticators, while still allowing other auth types
ClientAuth: tls.RequestClientCert,
}
glog.Infof("Started OpenShift static asset server at https://%s", c.AssetAddr)
glog.Infof("OpenShift UI listening at https://%s", c.AssetBindAddr)
glog.Fatal(server.ListenAndServeTLS(c.AssetCertFile, c.AssetKeyFile))
} else {
glog.Infof("Started OpenShift static asset server at http://%s", c.AssetAddr)
glog.Infof("OpenShift UI listening at https://%s", c.AssetBindAddr)
glog.Fatal(server.ListenAndServe())
}
}, 0)

// Attempt to verify the server came up for 20 seconds (100 tries * 100ms, 100ms timeout per try)
cmdutil.WaitForSuccessfulDial("tcp", c.AssetAddr, 100*time.Millisecond, 100*time.Millisecond, 100)
cmdutil.WaitForSuccessfulDial("tcp", c.AssetBindAddr, 100*time.Millisecond, 100*time.Millisecond, 100)

glog.Infof("OpenShift UI available at %s", c.AssetPublicAddr)
}

// RunBuildController starts the build sync loop for builds and buildConfig processing.
Expand Down
32 changes: 20 additions & 12 deletions pkg/cmd/server/start.go
Original file line number Diff line number Diff line change
Expand Up @@ -110,8 +110,8 @@ func NewCommandStartServer(name string) *cobra.Command {
EtcdAddr: flagtypes.Addr{Value: "0.0.0.0:4001", DefaultScheme: "http", DefaultPort: 4001}.Default(),
KubernetesAddr: flagtypes.Addr{DefaultScheme: "https", DefaultPort: 8443}.Default(),
PortalNet: flagtypes.DefaultIPNet("172.30.17.0/24"),
MasterPublicAddr: flagtypes.Addr{Value: hostname, DefaultScheme: "https", DefaultPort: 443, AllowPrefix: true}.Default(),
KubernetesPublicAddr: flagtypes.Addr{Value: hostname, DefaultScheme: "https", DefaultPort: 443}.Default(),
MasterPublicAddr: flagtypes.Addr{Value: "localhost:8443", DefaultScheme: "https", DefaultPort: 8443, AllowPrefix: true}.Default(),
KubernetesPublicAddr: flagtypes.Addr{Value: "localhost:8443", DefaultScheme: "https", DefaultPort: 8443, AllowPrefix: true}.Default(),

Hostname: hostname,
NodeList: flagtypes.StringList{"127.0.0.1"},
Expand Down Expand Up @@ -246,20 +246,27 @@ func start(cfg *config, args []string) error {
k8sPublicAddr = cfg.KubernetesAddr
}

assetAddr := net.JoinHostPort(cfg.BindAddr.Host, strconv.Itoa(cfg.BindAddr.Port+1))
// Derive the asset bind address by incrementing the master bind address port by 1
assetBindAddr := net.JoinHostPort(cfg.BindAddr.Host, strconv.Itoa(cfg.BindAddr.Port+1))
// Derive the asset public address by incrementing the master public address port by 1
assetPublicAddr := *masterPublicAddr.URL
assetPublicAddr.Host = net.JoinHostPort(masterPublicAddr.Host, strconv.Itoa(masterPublicAddr.Port+1))

// always include the all-in-one server's web console as an allowed CORS origin
// always include localhost as an allowed CORS origin
// always include master and kubernetes public addresses as an allowed CORS origin
cfg.CORSAllowedOrigins = append(cfg.CORSAllowedOrigins, assetAddr, "localhost", "127.0.0.1",
cfg.MasterPublicAddr.URL.Host, cfg.KubernetesPublicAddr.URL.Host)
for _, origin := range []string{assetPublicAddr.Host, masterPublicAddr.URL.Host, k8sPublicAddr.URL.Host, "localhost", "127.0.0.1"} {
// TODO: check if origin is already allowed
cfg.CORSAllowedOrigins = append(cfg.CORSAllowedOrigins, origin)
}

osmaster := &origin.MasterConfig{
TLS: cfg.MasterAddr.URL.Scheme == "https",
BindAddr: cfg.BindAddr.URL.Host,
TLS: cfg.BindAddr.URL.Scheme == "https",
MasterBindAddr: cfg.BindAddr.URL.Host,
MasterAddr: cfg.MasterAddr.URL.String(),
MasterPublicAddr: masterPublicAddr.URL.String(),
AssetAddr: assetAddr,
AssetBindAddr: assetBindAddr,
AssetPublicAddr: assetPublicAddr.String(),
KubernetesAddr: cfg.KubernetesAddr.URL.String(),
KubernetesPublicAddr: k8sPublicAddr.URL.String(),
EtcdHelper: etcdHelper,
Expand Down Expand Up @@ -344,10 +351,11 @@ func start(cfg *config, args []string) error {
osmaster.EnsureCORSAllowedOrigins(cfg.CORSAllowedOrigins)

auth := &origin.AuthConfig{
MasterAddr: cfg.MasterAddr.URL.String(),
MasterRoots: roots,
SessionSecrets: []string{"secret"},
EtcdHelper: etcdHelper,
MasterAddr: cfg.MasterAddr.URL.String(),
MasterPublicAddr: masterPublicAddr.URL.String(),
MasterRoots: roots,
SessionSecrets: []string{"secret"},
EtcdHelper: etcdHelper,
}

if startKube {
Expand Down

0 comments on commit 483faf9

Please sign in to comment.