func (o MasterOptions) CreateCerts() error {
masterAddr, err := o.MasterArgs.GetMasterAddress()
if err != nil {
return err
}
publicMasterAddr, err := o.MasterArgs.GetMasterPublicAddress()
if err != nil {
return err
}
signerName := admin.DefaultSignerName()
hostnames, err := o.MasterArgs.GetServerCertHostnames()
if err != nil {
return err
}
mintAllCertsOptions := admin.CreateMasterCertsOptions{
CertDir: o.MasterArgs.ConfigDir.Value(),
SignerName: signerName,
Hostnames: hostnames.List(),
APIServerURL: masterAddr.String(),
APIServerCAFiles: o.MasterArgs.APIServerCAFiles,
CABundleFile: admin.DefaultCABundleFile(o.MasterArgs.ConfigDir.Value()),
PublicAPIServerURL: publicMasterAddr.String(),
Output: cmdutil.NewGLogWriterV(3),
}
if err := mintAllCertsOptions.Validate(nil); err != nil {
return err
}
if err := mintAllCertsOptions.CreateMasterCerts(); err != nil {
return err
}
return nil
}
func (o NodeOptions) CreateNodeConfig() error {
getSignerOptions := &admin.SignerCertOptions{
CertFile: admin.DefaultCertFilename(o.NodeArgs.MasterCertDir, admin.CAFilePrefix),
KeyFile: admin.DefaultKeyFilename(o.NodeArgs.MasterCertDir, admin.CAFilePrefix),
SerialFile: admin.DefaultSerialFilename(o.NodeArgs.MasterCertDir, admin.CAFilePrefix),
}
var dnsIP string
if len(o.NodeArgs.ClusterDNS) > 0 {
dnsIP = o.NodeArgs.ClusterDNS.String()
}
masterAddr, err := o.NodeArgs.KubeConnectionArgs.GetKubernetesAddress(o.NodeArgs.DefaultKubernetesURL)
if err != nil {
return err
}
hostnames, err := o.NodeArgs.GetServerCertHostnames()
if err != nil {
return err
}
nodeConfigDir := o.NodeArgs.ConfigDir.Value()
createNodeConfigOptions := admin.CreateNodeConfigOptions{
SignerCertOptions: getSignerOptions,
NodeConfigDir: nodeConfigDir,
NodeName: o.NodeArgs.NodeName,
Hostnames: hostnames.List(),
VolumeDir: o.NodeArgs.VolumeDir,
ImageTemplate: o.NodeArgs.ImageFormatArgs.ImageTemplate,
AllowDisabledDocker: o.NodeArgs.AllowDisabledDocker,
DNSDomain: o.NodeArgs.ClusterDomain,
DNSIP: dnsIP,
ListenAddr: o.NodeArgs.ListenArg.ListenAddr,
NetworkPluginName: o.NodeArgs.NetworkPluginName,
APIServerURL: masterAddr.String(),
APIServerCAFiles: []string{admin.DefaultCABundleFile(o.NodeArgs.MasterCertDir)},
NodeClientCAFile: getSignerOptions.CertFile,
ExpireDays: o.ExpireDays,
Output: cmdutil.NewGLogWriterV(3),
}
if err := createNodeConfigOptions.Validate(nil); err != nil {
return err
}
if err := createNodeConfigOptions.CreateNodeFolder(); err != nil {
return err
}
return nil
}
// Run launches the OpenShift master. It takes optional installers that may install additional endpoints into the server.
// All endpoints get configured CORS behavior
// Protected installers' endpoints are protected by API authentication and authorization.
// Unprotected installers' endpoints do not have any additional protection added.
func (c *MasterConfig) Run(protected []APIInstaller, unprotected []APIInstaller) {
var extra []string
safe := genericapiserver.NewHandlerContainer(http.NewServeMux(), kapi.Codecs)
open := genericapiserver.NewHandlerContainer(http.NewServeMux(), kapi.Codecs)
// enforce authentication on protected endpoints
protected = append(protected, APIInstallFunc(c.InstallProtectedAPI))
for _, i := range protected {
msgs, err := i.InstallAPI(safe)
if err != nil {
glog.Fatalf("error installing api %v", err)
}
extra = append(extra, msgs...)
}
handler := c.versionSkewFilter(safe)
handler = c.authorizationFilter(handler)
handler = c.impersonationFilter(handler)
// audit handler must comes before the impersonationFilter to read the original user
if c.Options.AuditConfig.Enabled {
attributeGetter := apiserver.NewRequestAttributeGetter(c.getRequestContextMapper(), c.getRequestInfoResolver())
var writer io.Writer
if len(c.Options.AuditConfig.AuditFilePath) > 0 {
writer = &lumberjack.Logger{
Filename: c.Options.AuditConfig.AuditFilePath,
MaxAge: c.Options.AuditConfig.MaximumFileRetentionDays,
MaxBackups: c.Options.AuditConfig.MaximumRetainedFiles,
MaxSize: c.Options.AuditConfig.MaximumFileSizeMegabytes,
}
} else {
// backwards compatible writer to regular log
writer = cmdutil.NewGLogWriterV(0)
}
handler = audit.WithAudit(handler, attributeGetter, writer)
}
handler = authenticationHandlerFilter(handler, c.Authenticator, c.getRequestContextMapper())
handler = namespacingFilter(handler, c.getRequestContextMapper())
handler = cacheControlFilter(handler, "no-store") // protected endpoints should not be cached
// unprotected resources
unprotected = append(unprotected, APIInstallFunc(c.InstallUnprotectedAPI))
for _, i := range unprotected {
msgs, err := i.InstallAPI(open)
if err != nil {
glog.Fatalf("error installing api %v", err)
}
extra = append(extra, msgs...)
}
var kubeAPILevels []string
if c.Options.KubernetesMasterConfig != nil {
kubeAPILevels = configapi.GetEnabledAPIVersionsForGroup(*c.Options.KubernetesMasterConfig, kapi.GroupName)
}
handler = indexAPIPaths(c.Options.APILevels, kubeAPILevels, handler)
open.Handle("/", handler)
// install swagger
swaggerConfig := swagger.Config{
WebServicesUrl: c.Options.MasterPublicURL,
WebServices: append(safe.RegisteredWebServices(), open.RegisteredWebServices()...),
ApiPath: swaggerAPIPrefix,
PostBuildHandler: customizeSwaggerDefinition,
}
// log nothing from swagger
swagger.LogInfo = func(format string, v ...interface{}) {}
swagger.RegisterSwaggerService(swaggerConfig, open)
extra = append(extra, fmt.Sprintf("Started Swagger Schema API at %%s%s", swaggerAPIPrefix))
openAPIConfig := openapi.Config{
SwaggerConfig: &swaggerConfig,
IgnorePrefixes: []string{"/swaggerapi"},
Info: &spec.Info{
InfoProps: spec.InfoProps{
Title: "OpenShift API (with Kubernetes)",
Version: version.Get().String(),
License: &spec.License{
Name: "Apache 2.0 (ASL2.0)",
URL: "http://www.apache.org/licenses/LICENSE-2.0",
},
Description: heredoc.Doc(`
OpenShift provides builds, application lifecycle, image content management,
and administrative policy on top of Kubernetes. The API allows consistent
management of those objects.
All API operations are authenticated via an Authorization bearer token that
is provided for service accounts as a generated secret (in JWT form) or via
the native OAuth endpoint located at /oauth/authorize. Core infrastructure
components may use client certificates that require no authentication.
All API operations return a 'resourceVersion' string that represents the
version of the object in the underlying storage. The standard LIST operation
performs a snapshot read of the underlying objects, returning a resourceVersion
representing a consistent version of the listed objects. The WATCH operation
allows all updates to a set of objects after the provided resourceVersion to
be observed by a client. By listing and beginning a watch from the returned
resourceVersion, clients may observe a consistent view of the state of one
or more objects. Note that WATCH always returns the update after the provided
resourceVersion. Watch may be extended a limited time in the past - using
etcd 2 the watch window is 1000 events (which on a large cluster may only
be a few tens of seconds) so clients must explicitly handle the "watch
to old error" by re-listing.
Objects are divided into two rough categories - those that have a lifecycle
and must reflect the state of the cluster, and those that have no state.
Objects with lifecycle typically have three main sections:
* 'metadata' common to all objects
* a 'spec' that represents the desired state
* a 'status' that represents how much of the desired state is reflected on
the cluster at the current time
Objects that have no state have 'metadata' but may lack a 'spec' or 'status'
section.
Objects are divided into those that are namespace scoped (only exist inside
of a namespace) and those that are cluster scoped (exist outside of
a namespace). A namespace scoped resource will be deleted when the namespace
is deleted and cannot be created if the namespace has not yet been created
or is in the process of deletion. Cluster scoped resources are typically
only accessible to admins - resources like nodes, persistent volumes, and
cluster policy.
All objects have a schema that is a combination of the 'kind' and
'apiVersion' fields. This schema is additive only for any given version -
no backwards incompatible changes are allowed without incrementing the
apiVersion. The server will return and accept a number of standard
responses that share a common schema - for instance, the common
error type is 'unversioned.Status' (described below) and will be returned
on any error from the API server.
The API is available in multiple serialization formats - the default is
JSON (Accept: application/json and Content-Type: application/json) but
clients may also use YAML (application/yaml) or the native Protobuf
schema (application/vnd.kubernetes.protobuf). Note that the format
of the WATCH API call is slightly different - for JSON it returns newline
delimited objects while for Protobuf it returns length-delimited frames
(4 bytes in network-order) that contain a 'versioned.Watch' Protobuf
object.
See the OpenShift documentation at https://docs.openshift.org for more
information.
`),
},
},
DefaultResponse: &spec.Response{
ResponseProps: spec.ResponseProps{
Description: "Default Response.",
},
},
}
err := openapi.RegisterOpenAPIService(&openAPIConfig, open)
if err != nil {
glog.Fatalf("Failed to generate open api spec: %v", err)
}
extra = append(extra, fmt.Sprintf("Started OpenAPI Schema at %%s%s", openapi.OpenAPIServePath))
handler = open
// add CORS support
if origins := c.ensureCORSAllowedOrigins(); len(origins) != 0 {
handler = apiserver.CORS(handler, origins, nil, nil, "true")
}
if c.WebConsoleEnabled() {
handler = assetServerRedirect(handler, c.Options.AssetConfig.PublicURL)
}
// Make the outermost filter the requestContextMapper to ensure all components share the same context
if contextHandler, err := kapi.NewRequestContextFilter(c.getRequestContextMapper(), handler); err != nil {
glog.Fatalf("Error setting up request context filter: %v", err)
} else {
handler = contextHandler
}
longRunningRequestCheck := apiserver.BasicLongRunningRequestCheck(longRunningRE, map[string]string{"watch": "true"})
// TODO: MaxRequestsInFlight should be subdivided by intent, type of behavior, and speed of
// execution - updates vs reads, long reads vs short reads, fat reads vs skinny reads.
if c.Options.ServingInfo.MaxRequestsInFlight > 0 {
sem := make(chan bool, c.Options.ServingInfo.MaxRequestsInFlight)
handler = apiserver.MaxInFlightLimit(sem, longRunningRequestCheck, handler)
}
c.serve(handler, extra)
// Attempt to verify the server came up for 20 seconds (100 tries * 100ms, 100ms timeout per try)
cmdutil.WaitForSuccessfulDial(c.TLS, c.Options.ServingInfo.BindNetwork, c.Options.ServingInfo.BindAddress, 100*time.Millisecond, 100*time.Millisecond, 100)
}
func (c *MasterConfig) buildHandlerChain(assetConfig *AssetConfig) (func(http.Handler, *genericapiserver.Config) (secure, insecure http.Handler), []string, error) {
var messages []string
if c.Options.OAuthConfig != nil {
messages = append(messages, fmt.Sprintf("Started OAuth2 API at %%s%s", OpenShiftOAuthAPIPrefix))
}
if assetConfig != nil {
publicURL, err := url.Parse(assetConfig.Options.PublicURL)
if err != nil {
return nil, nil, err
}
messages = append(messages, fmt.Sprintf("Started Web Console %%s%s", publicURL.Path))
}
// TODO(sttts): resync with upstream handler chain and re-use upstream filters as much as possible
return func(apiHandler http.Handler, kc *genericapiserver.Config) (secure, insecure http.Handler) {
attributeGetter := kapiserverfilters.NewRequestAttributeGetter(c.RequestContextMapper)
handler := c.versionSkewFilter(apiHandler, c.getRequestContextMapper())
handler = c.authorizationFilter(handler)
handler = c.impersonationFilter(handler)
// audit handler must comes before the impersonationFilter to read the original user
if c.Options.AuditConfig.Enabled {
var writer io.Writer
if len(c.Options.AuditConfig.AuditFilePath) > 0 {
writer = &lumberjack.Logger{
Filename: c.Options.AuditConfig.AuditFilePath,
MaxAge: c.Options.AuditConfig.MaximumFileRetentionDays,
MaxBackups: c.Options.AuditConfig.MaximumRetainedFiles,
MaxSize: c.Options.AuditConfig.MaximumFileSizeMegabytes,
}
} else {
// backwards compatible writer to regular log
writer = cmdutil.NewGLogWriterV(0)
}
handler = kapiserverfilters.WithAudit(handler, attributeGetter, writer)
}
handler = authenticationHandlerFilter(handler, c.Authenticator, c.getRequestContextMapper())
handler = namespacingFilter(handler, c.getRequestContextMapper())
handler = cacheControlFilter(handler, "no-store") // protected endpoints should not be cached
if c.Options.OAuthConfig != nil {
authConfig, err := BuildAuthConfig(c)
if err != nil {
glog.Fatalf("Failed to setup OAuth2: %v", err)
}
handler, err = authConfig.WithOAuth(handler)
if err != nil {
glog.Fatalf("Failed to setup OAuth2: %v", err)
}
}
handler, err := assetConfig.WithAssets(handler)
if err != nil {
glog.Fatalf("Failed to setup serving of assets: %v", err)
}
// skip authz/n for the index handler
handler = WithPatternsHandler(handler, apiHandler, "/", "")
if c.WebConsoleEnabled() {
handler = WithAssetServerRedirect(handler, c.Options.AssetConfig.PublicURL)
}
handler = kgenericfilters.WithCORS(handler, c.Options.CORSAllowedOrigins, nil, nil, nil, "true")
handler = kgenericfilters.WithPanicRecovery(handler, c.RequestContextMapper)
handler = kgenericfilters.WithTimeoutForNonLongRunningRequests(handler, kc.LongRunningFunc)
// TODO: MaxRequestsInFlight should be subdivided by intent, type of behavior, and speed of
// execution - updates vs reads, long reads vs short reads, fat reads vs skinny reads.
// NOTE: read vs. write is implemented in Kube 1.6+
handler = kgenericfilters.WithMaxInFlightLimit(handler, kc.MaxRequestsInFlight, kc.LongRunningFunc)
handler = kapiserverfilters.WithRequestInfo(handler, genericapiserver.NewRequestInfoResolver(kc), kc.RequestContextMapper)
handler = kapi.WithRequestContext(handler, kc.RequestContextMapper)
return handler, nil
}, messages, nil
}