// NewDefaultNodeArgs creates NodeArgs with sub-objects created and default values set.
func NewDefaultNodeArgs() *NodeArgs {
hostname, err := defaultHostname()
if err != nil {
hostname = "localhost"
}
var dnsIP net.IP
if clusterDNS := cmdutil.Env("OPENSHIFT_DNS_ADDR", ""); len(clusterDNS) > 0 {
dnsIP = net.ParseIP(clusterDNS)
}
config := &NodeArgs{
NodeName: hostname,
MasterCertDir: "openshift.local.config/master/certificates",
ClusterDomain: cmdutil.Env("OPENSHIFT_DNS_DOMAIN", "cluster.local"),
ClusterDNS: dnsIP,
NetworkPluginName: "",
ListenArg: NewDefaultListenArg(),
ImageFormatArgs: NewDefaultImageFormatArgs(),
KubeConnectionArgs: NewDefaultKubeConnectionArgs(),
}
config.ConfigDir.Default("openshift.local.config/node")
return config
}
func startProfiler() {
if cmdutil.Env("OPENSHIFT_PROFILE", "") == "web" {
go func() {
glog.Infof("Starting profiling endpoint at http://127.0.0.1:6060/debug/pprof/")
glog.Fatal(http.ListenAndServe("127.0.0.1:6060", nil))
}()
}
}
// NewCommandDeployer provides a CLI handler for deploy.
func NewCommandDeployer(name string) *cobra.Command {
cfg := &config{
Config: clientcmd.NewConfig(),
}
cmd := &cobra.Command{
Use: fmt.Sprintf("%s%s", name, clientcmd.ConfigSyntax),
Short: "Run the OpenShift deployer",
Long: deployerLong,
Run: func(c *cobra.Command, args []string) {
_, kClient, err := cfg.Config.Clients()
if err != nil {
glog.Fatal(err)
}
if len(cfg.DeploymentName) == 0 {
glog.Fatal("deployment is required")
}
if len(cfg.Namespace) == 0 {
glog.Fatal("namespace is required")
}
deployer := NewDeployer(kClient)
if err = deployer.Deploy(cfg.Namespace, cfg.DeploymentName); err != nil {
glog.Fatal(err)
}
},
}
cmd.AddCommand(version.NewVersionCommand(name))
flag := cmd.Flags()
cfg.Config.Bind(flag)
flag.StringVar(&cfg.DeploymentName, "deployment", util.Env("OPENSHIFT_DEPLOYMENT_NAME", ""), "The deployment name to start")
flag.StringVar(&cfg.Namespace, "namespace", util.Env("OPENSHIFT_DEPLOYMENT_NAMESPACE", ""), "The deployment namespace")
return cmd
}
// NewCommndTemplateRouter provides CLI handler for the template router backend
func NewCommandTemplateRouter(name string) *cobra.Command {
cfg := &templateRouterConfig{
Config: clientcmd.NewConfig(),
}
cmd := &cobra.Command{
Use: fmt.Sprintf("%s%s", name, clientcmd.ConfigSyntax),
Short: "Start an OpenShift router",
Long: routerLong,
Run: func(c *cobra.Command, args []string) {
defaultCert := util.Env("DEFAULT_CERTIFICATE", "")
if len(defaultCert) > 0 {
cfg.DefaultCertificate = defaultCert
}
routerSvcNamespace := util.Env("ROUTER_SERVICE_NAMESPACE", "")
routerSvcName := util.Env("ROUTER_SERVICE_NAME", "")
cfg.RouterService = ktypes.NamespacedName{
Namespace: routerSvcNamespace,
Name: routerSvcName,
}
plugin, err := makeTemplatePlugin(cfg)
if err != nil {
glog.Fatal(err)
}
if err = start(cfg.Config, plugin); err != nil {
glog.Fatal(err)
}
},
}
cmd.AddCommand(version.NewVersionCommand(name))
flag := cmd.Flags()
cfg.Config.Bind(flag)
flag.StringVar(&cfg.TemplateFile, "template", util.Env("TEMPLATE_FILE", ""), "The path to the template file to use")
flag.StringVar(&cfg.ReloadScript, "reload", util.Env("RELOAD_SCRIPT", ""), "The path to the reload script to use")
flag.StringVar(&cfg.StatsPort, "stats-port", util.Env("STATS_PORT", ""), "If the underlying router implementation can provide statistics this is a hint to expose it on this port.")
flag.StringVar(&cfg.StatsPassword, "stats-password", util.Env("STATS_PASSWORD", ""), "If the underlying router implementation can provide statistics this is the requested password for auth.")
flag.StringVar(&cfg.StatsUsername, "stats-user", util.Env("STATS_USERNAME", ""), "If the underlying router implementation can provide statistics this is the requested username for auth.")
return cmd
}
func (args MasterArgs) BuildSerializeableOAuthConfig() (*configapi.OAuthConfig, error) {
masterAddr, err := args.GetMasterAddress()
if err != nil {
return nil, err
}
masterPublicAddr, err := args.GetMasterPublicAddress()
if err != nil {
return nil, err
}
assetPublicAddr, err := args.GetAssetPublicAddress()
if err != nil {
return nil, err
}
config := &configapi.OAuthConfig{
MasterURL: masterAddr.String(),
MasterPublicURL: masterPublicAddr.String(),
AssetPublicURL: assetPublicAddr.String(),
IdentityProviders: []configapi.IdentityProvider{},
GrantConfig: configapi.GrantConfig{
Method: "auto",
},
SessionConfig: &configapi.SessionConfig{
SessionSecretsFile: "",
SessionMaxAgeSeconds: 5 * 60, // 5 minutes
SessionName: "ssn",
},
TokenConfig: configapi.TokenConfig{
AuthorizeTokenMaxAgeSeconds: 5 * 60, // 5 minutes
AccessTokenMaxAgeSeconds: 24 * 60 * 60, // 1 day
},
}
// Make sure we don't start up in a permissive auth mode they don't expect
if cmdutil.Env("OPENSHIFT_OAUTH_HANDLER", "login") != "login" {
return nil, fmt.Errorf("OPENSHIFT_OAUTH_HANDLER is deprecated. Use the master configuration file to configure OAuth.")
}
if cmdutil.Env("OPENSHIFT_OAUTH_PASSWORD_AUTH", "anypassword") != "anypassword" {
return nil, fmt.Errorf("OPENSHIFT_OAUTH_PASSWORD_AUTH is deprecated. Use the master configuration file to configure OAuth.")
}
// Warn about deprecation
// TODO: remove before 3.0
deprecated := []string{
"OPENSHIFT_OAUTH_ACCESS_TOKEN_MAX_AGE_SECONDS",
"OPENSHIFT_OAUTH_AUTHORIZE_TOKEN_MAX_AGE_SECONDS",
"OPENSHIFT_OAUTH_GRANT_HANDLER",
"OPENSHIFT_OAUTH_HANDLER",
"OPENSHIFT_OAUTH_PASSWORD_AUTH",
"OPENSHIFT_OAUTH_REQUEST_HANDLERS",
"OPENSHIFT_OAUTH_SESSION_MAX_AGE_SECONDS",
"OPENSHIFT_OAUTH_SESSION_NAME",
"OPENSHIFT_OAUTH_SESSION_SECRET",
}
for _, key := range deprecated {
if value := cmdutil.Env(key, ""); len(value) != 0 {
glog.Warningf("%s is deprecated. Use the master configuration file to configure OAuth.", key)
}
}
config.IdentityProviders = append(config.IdentityProviders,
configapi.IdentityProvider{
Name: "anypassword",
UseAsChallenger: true,
UseAsLogin: true,
Provider: runtime.EmbeddedObject{
&configapi.AllowAllPasswordIdentityProvider{},
},
},
)
return config, nil
}
func BuildKubernetesNodeConfig(options configapi.NodeConfig) (*NodeConfig, error) {
kubeClient, _, err := configapi.GetKubeClient(options.MasterKubeConfig)
if err != nil {
return nil, err
}
if options.NodeName == "localhost" {
glog.Warningf(`Using "localhost" as node name will not resolve from all locations`)
}
var dnsIP net.IP
if len(options.DNSIP) > 0 {
dnsIP = net.ParseIP(options.DNSIP)
if dnsIP == nil {
return nil, fmt.Errorf("Invalid DNS IP: %s", options.DNSIP)
}
}
clientCAs, err := util.CertPoolFromFile(options.ServingInfo.ClientCA)
if err != nil {
return nil, err
}
imageTemplate := variable.NewDefaultImageTemplate()
imageTemplate.Format = options.ImageConfig.Format
imageTemplate.Latest = options.ImageConfig.Latest
var path string
var fileCheckInterval int64
if options.PodManifestConfig != nil {
path = options.PodManifestConfig.Path
fileCheckInterval = options.PodManifestConfig.FileCheckIntervalSeconds
}
var dockerExecHandler dockertools.ExecHandler
switch options.DockerConfig.ExecHandlerName {
case configapi.DockerExecHandlerNative:
dockerExecHandler = &dockertools.NativeExecHandler{}
case configapi.DockerExecHandlerNsenter:
dockerExecHandler = &dockertools.NsenterExecHandler{}
}
kubeAddress, kubePortStr, err := net.SplitHostPort(options.ServingInfo.BindAddress)
if err != nil {
return nil, fmt.Errorf("cannot parse node address: %v", err)
}
kubePort, err := strconv.Atoi(kubePortStr)
if err != nil {
return nil, fmt.Errorf("cannot parse node port: %v", err)
}
address := util.IP{}
if err := address.Set(kubeAddress); err != nil {
return nil, err
}
// declare the OpenShift defaults from config
server := kapp.NewKubeletServer()
server.Config = path
server.RootDirectory = options.VolumeDirectory
server.HostnameOverride = options.NodeName
server.AllowPrivileged = true
server.RegisterNode = true
server.Address = address
server.Port = uint(kubePort)
server.ReadOnlyPort = 0 // no read only access
server.ClusterDNS = util.IP(dnsIP)
server.ClusterDomain = options.DNSDomain
server.NetworkPluginName = options.NetworkPluginName
server.HostNetworkSources = strings.Join([]string{kubelet.ApiserverSource, kubelet.FileSource}, ",")
server.HTTPCheckFrequency = 0 // no remote HTTP pod creation access
server.FileCheckFrequency = time.Duration(fileCheckInterval) * time.Second
server.PodInfraContainerImage = imageTemplate.ExpandOrDie("pod")
// prevents kube from generating certs
server.TLSCertFile = options.ServingInfo.ServerCert.CertFile
server.TLSPrivateKeyFile = options.ServingInfo.ServerCert.KeyFile
if value := cmdutil.Env("OPENSHIFT_CONTAINERIZED", ""); len(value) > 0 {
server.Containerized = value == "true"
}
// resolve extended arguments
// TODO: this should be done in config validation (along with the above) so we can provide
// proper errors
if err := cmdflags.Resolve(options.KubeletArguments, server.AddFlags); len(err) > 0 {
return nil, errors.NewAggregate(err)
}
cfg, err := server.KubeletConfig()
if err != nil {
return nil, err
}
// provide any config overrides
cfg.StreamingConnectionIdleTimeout = 5 * time.Minute // TODO: should be set
cfg.KubeClient = kubeClient
cfg.DockerExecHandler = dockerExecHandler
// TODO: could be cleaner
if configapi.UseTLS(options.ServingInfo) {
cfg.TLSOptions = &kubelet.TLSOptions{
Config: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
// RequireAndVerifyClientCert lets us limit requests to ones with a valid client certificate
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: clientCAs,
},
CertFile: options.ServingInfo.ServerCert.CertFile,
KeyFile: options.ServingInfo.ServerCert.KeyFile,
}
} else {
cfg.TLSOptions = nil
}
config := &NodeConfig{
BindAddress: options.ServingInfo.BindAddress,
AllowDisabledDocker: options.AllowDisabledDocker,
Client: kubeClient,
VolumeDir: options.VolumeDirectory,
KubeletServer: server,
KubeletConfig: cfg,
}
return config, nil
}
// GetBaseDir returns the base directory used for test.
func GetBaseDir() string {
return cmdutil.Env("BASETMPDIR", path.Join(os.TempDir(), "openshift-"+Namespace()))
}