diff --git a/pkg/cmd/server/origin/auth.go b/pkg/cmd/server/origin/auth.go index cc394e64b244..3bbb092b945a 100644 --- a/pkg/cmd/server/origin/auth.go +++ b/pkg/cmd/server/origin/auth.go @@ -76,10 +76,13 @@ var ( ) type AuthConfig struct { - MasterAddr string - MasterRoots *x509.CertPool - SessionSecrets []string - EtcdHelper tools.EtcdHelper + // URL to call internally during token request + MasterAddr string + // URL to direct browsers to the master on + MasterPublicAddr string + MasterRoots *x509.CertPool + SessionSecrets []string + EtcdHelper tools.EtcdHelper } // InstallAPI starts an OAuth2 server and registers the supported REST APIs @@ -122,9 +125,9 @@ func (c *AuthConfig) InstallAPI(container *restful.Container) []string { ) server.Install(mux, OpenShiftOAuthAPIPrefix) - CreateOrUpdateDefaultOAuthClients(c.MasterAddr, oauthEtcd) + CreateOrUpdateDefaultOAuthClients(c.MasterPublicAddr, oauthEtcd) osOAuthClientConfig := c.NewOpenShiftOAuthClientConfig(&OSBrowserClientBase) - osOAuthClientConfig.RedirectUrl = c.MasterAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint + osOAuthClientConfig.RedirectUrl = c.MasterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint osOAuthClient, _ := osincli.NewClient(osOAuthClientConfig) if c.MasterRoots != nil { @@ -157,14 +160,14 @@ func (c *AuthConfig) NewOpenShiftOAuthClientConfig(client *oauthapi.Client) *osi ClientSecret: client.Secret, ErrorsInStatusCode: true, SendClientSecretInParams: true, - AuthorizeUrl: c.MasterAddr + OpenShiftOAuthAPIPrefix + "/authorize", + AuthorizeUrl: c.MasterPublicAddr + OpenShiftOAuthAPIPrefix + "/authorize", TokenUrl: c.MasterAddr + OpenShiftOAuthAPIPrefix + "/token", Scope: "", } return config } -func CreateOrUpdateDefaultOAuthClients(masterAddr string, clientRegistry oauthclient.Registry) { +func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, clientRegistry oauthclient.Registry) { clientsToEnsure := []*oauthapi.Client{ { ObjectMeta: kapi.ObjectMeta{ @@ -172,7 +175,7 @@ func CreateOrUpdateDefaultOAuthClients(masterAddr string, clientRegistry oauthcl }, Secret: OSBrowserClientBase.Secret, RespondWithChallenges: OSBrowserClientBase.RespondWithChallenges, - RedirectURIs: []string{masterAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint}, + RedirectURIs: []string{masterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint}, }, { ObjectMeta: kapi.ObjectMeta{ @@ -180,7 +183,7 @@ func CreateOrUpdateDefaultOAuthClients(masterAddr string, clientRegistry oauthcl }, Secret: OSCliClientBase.Secret, RespondWithChallenges: OSCliClientBase.RespondWithChallenges, - RedirectURIs: []string{masterAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint}, + RedirectURIs: []string{masterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint}, }, } @@ -256,7 +259,7 @@ func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, sessionStore sess } state := external.DefaultState() - oauthHandler, err := external.NewExternalOAuthRedirector(oauthProvider, state, c.MasterAddr+callbackPath, successHandler, errorHandler, identityMapper) + oauthHandler, err := external.NewExternalOAuthRedirector(oauthProvider, state, c.MasterPublicAddr+callbackPath, successHandler, errorHandler, identityMapper) if err != nil { glog.Fatalf("unexpected error: %v", err) } diff --git a/pkg/cmd/server/origin/master.go b/pkg/cmd/server/origin/master.go index 28bc409494ea..aec36ce117ed 100644 --- a/pkg/cmd/server/origin/master.go +++ b/pkg/cmd/server/origin/master.go @@ -80,13 +80,18 @@ const ( // MasterConfig defines the required parameters for starting the OpenShift master type MasterConfig struct { - BindAddr string - MasterAddr string - AssetAddr string + // host:port to bind master to + MasterBindAddr string + // host:port to bind asset server to + AssetBindAddr string + // url to access the master API on within the cluster + MasterAddr string + // url to access kubernetes API on within the cluster KubernetesAddr string // external clients may need to access APIs at different addresses than internal components do MasterPublicAddr string KubernetesPublicAddr string + AssetPublicAddr string TLS bool @@ -299,7 +304,7 @@ func (c *MasterConfig) RunAPI(installers ...APIInstaller) { } server := &http.Server{ - Addr: c.BindAddr, + Addr: c.MasterBindAddr, Handler: handler, ReadTimeout: 5 * time.Minute, WriteTimeout: 5 * time.Minute, @@ -325,7 +330,7 @@ func (c *MasterConfig) RunAPI(installers ...APIInstaller) { }, 0) // Attempt to verify the server came up for 20 seconds (100 tries * 100ms, 100ms timeout per try) - cmdutil.WaitForSuccessfulDial("tcp", c.BindAddr, 100*time.Millisecond, 100*time.Millisecond, 100) + cmdutil.WaitForSuccessfulDial("tcp", c.MasterBindAddr, 100*time.Millisecond, 100*time.Millisecond, 100) } // wireAuthenticationHandling creates and binds all the objects that we only care about if authentication is turned on. It's pulled out @@ -421,7 +426,7 @@ func (c *MasterConfig) RunAssetServer() { ) server := &http.Server{ - Addr: c.AssetAddr, + Addr: c.AssetBindAddr, Handler: mux, ReadTimeout: 5 * time.Minute, WriteTimeout: 5 * time.Minute, @@ -437,16 +442,18 @@ func (c *MasterConfig) RunAssetServer() { // This allows certificates to be validated by authenticators, while still allowing other auth types ClientAuth: tls.RequestClientCert, } - glog.Infof("Started OpenShift static asset server at https://%s", c.AssetAddr) + glog.Infof("OpenShift UI listening at https://%s", c.AssetBindAddr) glog.Fatal(server.ListenAndServeTLS(c.AssetCertFile, c.AssetKeyFile)) } else { - glog.Infof("Started OpenShift static asset server at http://%s", c.AssetAddr) + glog.Infof("OpenShift UI listening at https://%s", c.AssetBindAddr) glog.Fatal(server.ListenAndServe()) } }, 0) // Attempt to verify the server came up for 20 seconds (100 tries * 100ms, 100ms timeout per try) - cmdutil.WaitForSuccessfulDial("tcp", c.AssetAddr, 100*time.Millisecond, 100*time.Millisecond, 100) + cmdutil.WaitForSuccessfulDial("tcp", c.AssetBindAddr, 100*time.Millisecond, 100*time.Millisecond, 100) + + glog.Infof("OpenShift UI available at %s", c.AssetPublicAddr) } // RunBuildController starts the build sync loop for builds and buildConfig processing. diff --git a/pkg/cmd/server/start.go b/pkg/cmd/server/start.go index 5a7026fde98f..bc1191a86bce 100644 --- a/pkg/cmd/server/start.go +++ b/pkg/cmd/server/start.go @@ -110,8 +110,8 @@ func NewCommandStartServer(name string) *cobra.Command { EtcdAddr: flagtypes.Addr{Value: "0.0.0.0:4001", DefaultScheme: "http", DefaultPort: 4001}.Default(), KubernetesAddr: flagtypes.Addr{DefaultScheme: "https", DefaultPort: 8443}.Default(), PortalNet: flagtypes.DefaultIPNet("172.30.17.0/24"), - MasterPublicAddr: flagtypes.Addr{Value: hostname, DefaultScheme: "https", DefaultPort: 443, AllowPrefix: true}.Default(), - KubernetesPublicAddr: flagtypes.Addr{Value: hostname, DefaultScheme: "https", DefaultPort: 443}.Default(), + MasterPublicAddr: flagtypes.Addr{Value: "localhost:8443", DefaultScheme: "https", DefaultPort: 8443, AllowPrefix: true}.Default(), + KubernetesPublicAddr: flagtypes.Addr{Value: "localhost:8443", DefaultScheme: "https", DefaultPort: 8443, AllowPrefix: true}.Default(), Hostname: hostname, NodeList: flagtypes.StringList{"127.0.0.1"}, @@ -246,20 +246,27 @@ func start(cfg *config, args []string) error { k8sPublicAddr = cfg.KubernetesAddr } - assetAddr := net.JoinHostPort(cfg.BindAddr.Host, strconv.Itoa(cfg.BindAddr.Port+1)) + // Derive the asset bind address by incrementing the master bind address port by 1 + assetBindAddr := net.JoinHostPort(cfg.BindAddr.Host, strconv.Itoa(cfg.BindAddr.Port+1)) + // Derive the asset public address by incrementing the master public address port by 1 + assetPublicAddr := *masterPublicAddr.URL + assetPublicAddr.Host = net.JoinHostPort(masterPublicAddr.Host, strconv.Itoa(masterPublicAddr.Port+1)) // always include the all-in-one server's web console as an allowed CORS origin // always include localhost as an allowed CORS origin // always include master and kubernetes public addresses as an allowed CORS origin - cfg.CORSAllowedOrigins = append(cfg.CORSAllowedOrigins, assetAddr, "localhost", "127.0.0.1", - cfg.MasterPublicAddr.URL.Host, cfg.KubernetesPublicAddr.URL.Host) + for _, origin := range []string{assetPublicAddr.Host, masterPublicAddr.URL.Host, k8sPublicAddr.URL.Host, "localhost", "127.0.0.1"} { + // TODO: check if origin is already allowed + cfg.CORSAllowedOrigins = append(cfg.CORSAllowedOrigins, origin) + } osmaster := &origin.MasterConfig{ - TLS: cfg.MasterAddr.URL.Scheme == "https", - BindAddr: cfg.BindAddr.URL.Host, + TLS: cfg.BindAddr.URL.Scheme == "https", + MasterBindAddr: cfg.BindAddr.URL.Host, MasterAddr: cfg.MasterAddr.URL.String(), MasterPublicAddr: masterPublicAddr.URL.String(), - AssetAddr: assetAddr, + AssetBindAddr: assetBindAddr, + AssetPublicAddr: assetPublicAddr.String(), KubernetesAddr: cfg.KubernetesAddr.URL.String(), KubernetesPublicAddr: k8sPublicAddr.URL.String(), EtcdHelper: etcdHelper, @@ -344,10 +351,11 @@ func start(cfg *config, args []string) error { osmaster.EnsureCORSAllowedOrigins(cfg.CORSAllowedOrigins) auth := &origin.AuthConfig{ - MasterAddr: cfg.MasterAddr.URL.String(), - MasterRoots: roots, - SessionSecrets: []string{"secret"}, - EtcdHelper: etcdHelper, + MasterAddr: cfg.MasterAddr.URL.String(), + MasterPublicAddr: masterPublicAddr.URL.String(), + MasterRoots: roots, + SessionSecrets: []string{"secret"}, + EtcdHelper: etcdHelper, } if startKube {