Documentation ¶
Overview ¶
Package origin provides objects for creating an OpenShift Origin server
Index ¶
- Constants
- Variables
- func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, assetPublicAddresses []string, ...)
- func GetCSVTokenAuthenticator(path string) (authenticator.Token, error)
- func GetEtcdTokenAuthenticator(etcdHelper tools.EtcdHelper) (authenticator.Token, error)
- func NewEtcdHelper(version string, client *etcdclient.Client) (helper tools.EtcdHelper, err error)
- func OpenShiftOAuthAuthorizeURL(masterAddr string) string
- func OpenShiftOAuthTokenURL(masterAddr string) string
- type APIInstallFunc
- type APIInstaller
- type AssetConfig
- type AuthConfig
- type AuthHandlerType
- type AuthRequestHandlerType
- type GrantHandlerType
- type MasterConfig
- func (c *MasterConfig) BuildControllerClients() (*osclient.Client, *kclient.Client)
- func (c *MasterConfig) BuildLogClient() *kclient.Client
- func (c *MasterConfig) DNSServerClient() *kclient.Client
- func (c *MasterConfig) DeployerClientConfig() *kclient.Config
- func (c *MasterConfig) DeploymentClient() *kclient.Client
- func (c *MasterConfig) DeploymentConfigChangeControllerClients() (*osclient.Client, *kclient.Client)
- func (c *MasterConfig) DeploymentConfigControllerClients() (*osclient.Client, *kclient.Client)
- func (c *MasterConfig) DeploymentControllerClients() (*osclient.Client, *kclient.Client)
- func (c *MasterConfig) DeploymentImageChangeControllerClient() *osclient.Client
- func (c *MasterConfig) ImageChangeControllerClient() *osclient.Client
- func (c *MasterConfig) ImageImportControllerClient() *osclient.Client
- func (c *MasterConfig) InstallProtectedAPI(container *restful.Container) []string
- func (c *MasterConfig) InstallUnprotectedAPI(container *restful.Container) []string
- func (c *MasterConfig) KubeClient() *kclient.Client
- func (c *MasterConfig) OriginNamespaceControllerClients() (*osclient.Client, *kclient.Client)
- func (c *MasterConfig) PolicyClient() *osclient.Client
- func (c *MasterConfig) RouteAllocator() *routeallocationcontroller.RouteAllocationController
- func (c *MasterConfig) Run(protected []APIInstaller, unprotected []APIInstaller)
- func (c *MasterConfig) RunAssetServer()
- func (c *MasterConfig) RunBuildController()
- func (c *MasterConfig) RunBuildImageChangeTriggerController()
- func (c *MasterConfig) RunBuildPodController()
- func (c *MasterConfig) RunDNSServer()
- func (c *MasterConfig) RunDeployerPodController()
- func (c *MasterConfig) RunDeploymentConfigChangeController()
- func (c *MasterConfig) RunDeploymentConfigController()
- func (c *MasterConfig) RunDeploymentController() error
- func (c *MasterConfig) RunDeploymentImageChangeTriggerController()
- func (c *MasterConfig) RunImageImportController()
- func (c *MasterConfig) RunOriginNamespaceController()
- func (c *MasterConfig) RunPolicyCache()
- func (c *MasterConfig) RunProjectAuthorizationCache()
- func (c *MasterConfig) WebHookClient() *osclient.Client
- type PasswordAuthType
- type TokenStoreType
Constants ¶
const ( OpenShiftOAuthAPIPrefix = "/oauth" OpenShiftLoginPrefix = "/login" OpenShiftApprovePrefix = "/oauth/approve" OpenShiftOAuthCallbackPrefix = "/oauth2callback" OpenShiftWebConsoleClientID = "openshift-web-console" )
const ( OpenShiftAPIPrefix = "/osapi" // TODO: make configurable KubernetesAPIPrefix = "/api" // TODO: make configurable OpenShiftAPIV1Beta1 = "v1beta1" OpenShiftAPIPrefixV1Beta1 = OpenShiftAPIPrefix + "/" + OpenShiftAPIV1Beta1 OpenShiftRouteSubdomain = "router.default.local" )
Variables ¶
var ( OSWebConsoleClientBase = oauthapi.OAuthClient{ ObjectMeta: kapi.ObjectMeta{ Name: OpenShiftWebConsoleClientID, }, Secret: uuid.NewUUID().String(), } // OSBrowserClientBase is used as a skeleton for building a Client. We can't set the allowed redirecturis because we don't yet know the host:port of the auth server OSBrowserClientBase = oauthapi.OAuthClient{ ObjectMeta: kapi.ObjectMeta{ Name: "openshift-browser-client", }, Secret: uuid.NewUUID().String(), } OSCliClientBase = oauthapi.OAuthClient{ ObjectMeta: kapi.ObjectMeta{ Name: "openshift-challenging-client", }, Secret: uuid.NewUUID().String(), RespondWithChallenges: true, } )
Functions ¶
func CreateOrUpdateDefaultOAuthClients ¶ added in v0.2.1
func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, assetPublicAddresses []string, clientRegistry oauthclient.Registry)
func GetCSVTokenAuthenticator ¶ added in v0.2.2
func GetCSVTokenAuthenticator(path string) (authenticator.Token, error)
func GetEtcdTokenAuthenticator ¶ added in v0.2.2
func GetEtcdTokenAuthenticator(etcdHelper tools.EtcdHelper) (authenticator.Token, error)
func NewEtcdHelper ¶
func NewEtcdHelper(version string, client *etcdclient.Client) (helper tools.EtcdHelper, err error)
NewEtcdHelper returns an EtcdHelper for the provided arguments or an error if the version is incorrect.
func OpenShiftOAuthAuthorizeURL ¶ added in v0.2.2
func OpenShiftOAuthTokenURL ¶ added in v0.2.2
Types ¶
type APIInstallFunc ¶ added in v0.2.2
APIInstallFunc is a function for installing APIs
func (APIInstallFunc) InstallAPI ¶ added in v0.2.2
func (fn APIInstallFunc) InstallAPI(container *restful.Container) []string
InstallAPI implements APIInstaller
type APIInstaller ¶
type APIInstaller interface { // Returns an array of strings describing what was installed InstallAPI(*restful.Container) []string }
APIInstaller installs additional API components into this server
type AssetConfig ¶ added in v0.4.2
type AssetConfig struct {
Options configapi.AssetConfig
}
MasterConfig defines the required parameters for starting the OpenShift master
func BuildAssetConfig ¶ added in v0.4.2
func BuildAssetConfig(options configapi.AssetConfig) (*AssetConfig, error)
func (*AssetConfig) InstallAPI ¶ added in v0.4.2
func (c *AssetConfig) InstallAPI(container *restful.Container) []string
InstallAPI adds handlers for serving static assets into the provided mux, then returns an array of strings indicating what endpoints were started (these are format strings that will expect to be sent a single string value).
func (*AssetConfig) Run ¶ added in v0.4.2
func (c *AssetConfig) Run()
Run starts an http server for the static assets listening on the configured bind address
type AuthConfig ¶
type AuthConfig struct { // URL to call internally during token request MasterAddr string // URL to direct browsers to the master on MasterPublicAddr string // Valid redirectURI prefixes to direct browsers to the web console AssetPublicAddresses []string MasterRoots *x509.CertPool EtcdHelper tools.EtcdHelper UserRegistry userregistry.Registry IdentityRegistry identityregistry.Registry // Max age of authorize tokens AuthorizeTokenMaxAgeSeconds int32 // Max age of access tokens AccessTokenMaxAgeSeconds int32 // AuthRequestHandlers contains an ordered list of authenticators that decide if a request is authenticated AuthRequestHandlers []AuthRequestHandlerType // AuthHandler specifies what handles unauthenticated requests AuthHandler AuthHandlerType // GrantHandler specifies what handles requests for new client authorizations GrantHandler GrantHandlerType // PasswordAuth specifies how to validate username/passwords. Used by AuthRequestHandlerBasicAuth and AuthHandlerLogin PasswordAuth PasswordAuthType // BasicAuthURL specifies the remote URL to validate username/passwords against using basic auth. Used by PasswordAuthBasicAuthURL. BasicAuthURL string // HTPasswdFile specifies the path to an htpasswd file to validate username/passwords against. Used by PasswordAuthHTPasswd. HTPasswdFile string // TokenStore specifies how to validate bearer tokens. Used by AuthRequestHandlerBearer. TokenStore TokenStoreType // TokenFilePath is a path to a CSV file to load valid tokens from. Used by TokenStoreFile. TokenFilePath string // RequestHeaders lists the headers to check (in order) for a username. Used by AuthRequestHandlerRequestHeader RequestHeaders []string // RequestHeaderCAFile specifies the path to a PEM-encoded certificate bundle. // If set, a client certificate must be presented and validate against the CA before the request headers are checked for usernames RequestHeaderCAFile string // SessionSecrets list the secret(s) to use to encrypt created sessions. Used by AuthRequestHandlerSession SessionSecrets []string // SessionMaxAgeSeconds specifies how long created sessions last. Used by AuthRequestHandlerSession SessionMaxAgeSeconds int32 // SessionName is the cookie name used to store the session SessionName string // GoogleClientID is the client_id of a client registered with the Google OAuth provider. // It must be authorized to redirect to {MasterPublicAddr}/oauth2callback/google // Used by AuthHandlerGoogle GoogleClientID string // GoogleClientID is the client_secret of a client registered with the Google OAuth provider. GoogleClientSecret string // GithubClientID is the client_id of a client registered with the GitHub OAuth provider. // It must be authorized to redirect to {MasterPublicAddr}/oauth2callback/github // Used by AuthHandlerGithub GithubClientID string // GithubClientID is the client_secret of a client registered with the GitHub OAuth provider. GithubClientSecret string // contains filtered or unexported fields }
func BuildAuthConfig ¶ added in v0.4.2
func BuildAuthConfig(options configapi.MasterConfig) (*AuthConfig, error)
func (*AuthConfig) InstallAPI ¶
func (c *AuthConfig) InstallAPI(container *restful.Container) []string
InstallSupport registers endpoints for an OAuth2 server into the provided mux, then returns an array of strings indicating what endpoints were started (these are format strings that will expect to be sent a single string value).
func (*AuthConfig) NewOpenShiftOAuthClientConfig ¶ added in v0.2.1
func (c *AuthConfig) NewOpenShiftOAuthClientConfig(client *oauthapi.OAuthClient) *osincli.ClientConfig
NewOpenShiftOAuthClientConfig provides config for OpenShift OAuth client
type AuthHandlerType ¶ added in v0.2.2
type AuthHandlerType string
const ( // AuthHandlerLogin redirects unauthenticated requests to a login page, or sends a www-authenticate challenge. Logins are validated using the specified PasswordAuth AuthHandlerLogin AuthHandlerType = "login" // AuthHandlerGithub redirects unauthenticated requests to GitHub to request an OAuth token. AuthHandlerGithub AuthHandlerType = "github" // AuthHandlerGoogle redirects unauthenticated requests to Google to request an OAuth token. AuthHandlerGoogle AuthHandlerType = "google" // AuthHandlerDeny treats unauthenticated requests as failures AuthHandlerDeny AuthHandlerType = "deny" )
type AuthRequestHandlerType ¶ added in v0.2.2
type AuthRequestHandlerType string
const ( // AuthRequestHandlerBearer validates a passed "Authorization: Bearer" token, using the specified TokenStore AuthRequestHandlerBearer AuthRequestHandlerType = "bearer" // AuthRequestHandlerRequestHeader treats any request with a value in one of the RequestHeaders headers as authenticated AuthRequestHandlerRequestHeader AuthRequestHandlerType = "requestheader" // AuthRequestHandlerBasicAuth validates a passed "Authorization: Basic" header using the specified PasswordAuth AuthRequestHandlerBasicAuth AuthRequestHandlerType = "basicauth" // AuthRequestHandlerSession authenticates requests containing user information in the request session AuthRequestHandlerSession AuthRequestHandlerType = "session" )
func ParseAuthRequestHandlerTypes ¶ added in v0.2.2
func ParseAuthRequestHandlerTypes(types string) []AuthRequestHandlerType
type GrantHandlerType ¶ added in v0.2.2
type GrantHandlerType string
const ( // GrantHandlerAuto auto-approves client authorization grant requests GrantHandlerAuto GrantHandlerType = "auto" // GrantHandlerPrompt prompts the user to approve new client authorization grant requests GrantHandlerPrompt GrantHandlerType = "prompt" // GrantHandlerDeny auto-denies client authorization grant requests GrantHandlerDeny GrantHandlerType = "deny" )
type MasterConfig ¶
type MasterConfig struct { Options configapi.MasterConfig Authenticator authenticator.Request Authorizer authorizer.Authorizer AuthorizationAttributeBuilder authorizer.AuthorizationAttributeBuilder PolicyCache *policycache.PolicyCache ProjectAuthorizationCache *projectauth.AuthorizationCache // Map requests to contexts RequestContextMapper kapi.RequestContextMapper AdmissionControl admission.Interface TLS bool // a function that returns the appropriate image to use for a named component ImageFor func(component string) string EtcdHelper tools.EtcdHelper // ClientCAs will be used to request client certificates in connections to the API. // This CertPool should contain all the CAs that will be used for client certificate verification. ClientCAs *x509.CertPool // APIClientCAs is used to verify client certificates presented for API auth APIClientCAs *x509.CertPool // KubeClientConfig is the client configuration used to call Kubernetes APIs from system components. // To apply different access control to a system component, create a client config specifically for that component. KubeClientConfig kclient.Config // OSClientConfig is the client configuration used to call OpenShift APIs from system components // To apply different access control to a system component, create a client config specifically for that component. OSClientConfig kclient.Config // DeployerOSClientConfig is the client configuration used to call OpenShift APIs from launched deployer pods DeployerOSClientConfig kclient.Config // kubeClient is the client used to call Kubernetes APIs from system components, built from KubeClientConfig. // It should only be accessed via the *Client() helper methods. // To apply different access control to a system component, create a separate client/config specifically for that component. KubernetesClient *kclient.Client // osClient is the client used to call OpenShift APIs from system components, built from OSClientConfig. // It should only be accessed via the *Client() helper methods. // To apply different access control to a system component, create a separate client/config specifically for that component. OSClient *osclient.Client }
MasterConfig defines the required parameters for starting the OpenShift master
func BuildMasterConfig ¶ added in v0.3.3
func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error)
func (*MasterConfig) BuildControllerClients ¶ added in v0.2.1
func (c *MasterConfig) BuildControllerClients() (*osclient.Client, *kclient.Client)
BuildControllerClients returns the build controller client objects
func (*MasterConfig) BuildLogClient ¶ added in v0.2.1
func (c *MasterConfig) BuildLogClient() *kclient.Client
BuildLogClient returns the build log client object
func (*MasterConfig) DNSServerClient ¶ added in v0.4.2
func (c *MasterConfig) DNSServerClient() *kclient.Client
DNSServerClient returns the DNS server client object It must have the following capabilities:
list, watch all services in all namespaces
func (*MasterConfig) DeployerClientConfig ¶ added in v0.2.1
func (c *MasterConfig) DeployerClientConfig() *kclient.Config
DeployerClientConfig returns the client configuration a Deployer instance launched in a pod should use when making API calls.
func (*MasterConfig) DeploymentClient ¶ added in v0.2.1
func (c *MasterConfig) DeploymentClient() *kclient.Client
DeploymentClient returns the deployment client object
func (*MasterConfig) DeploymentConfigChangeControllerClients ¶ added in v0.2.1
func (c *MasterConfig) DeploymentConfigChangeControllerClients() (*osclient.Client, *kclient.Client)
func (*MasterConfig) DeploymentConfigControllerClients ¶ added in v0.2.1
func (c *MasterConfig) DeploymentConfigControllerClients() (*osclient.Client, *kclient.Client)
func (*MasterConfig) DeploymentControllerClients ¶ added in v0.2.1
func (c *MasterConfig) DeploymentControllerClients() (*osclient.Client, *kclient.Client)
DeploymentControllerClients returns the deployment controller client object
func (*MasterConfig) DeploymentImageChangeControllerClient ¶ added in v0.2.1
func (c *MasterConfig) DeploymentImageChangeControllerClient() *osclient.Client
func (*MasterConfig) ImageChangeControllerClient ¶ added in v0.2.1
func (c *MasterConfig) ImageChangeControllerClient() *osclient.Client
ImageChangeControllerClient returns the openshift client object
func (*MasterConfig) ImageImportControllerClient ¶ added in v0.4.2
func (c *MasterConfig) ImageImportControllerClient() *osclient.Client
ImageImportControllerClient returns the deployment client object
func (*MasterConfig) InstallProtectedAPI ¶ added in v0.2.2
func (c *MasterConfig) InstallProtectedAPI(container *restful.Container) []string
func (*MasterConfig) InstallUnprotectedAPI ¶ added in v0.2.2
func (c *MasterConfig) InstallUnprotectedAPI(container *restful.Container) []string
func (*MasterConfig) KubeClient ¶
func (c *MasterConfig) KubeClient() *kclient.Client
KubeClient returns the kubernetes client object
func (*MasterConfig) OriginNamespaceControllerClients ¶ added in v0.4.2
func (c *MasterConfig) OriginNamespaceControllerClients() (*osclient.Client, *kclient.Client)
OriginNamespaceControllerClients returns a client for openshift and kubernetes. The openshift client object must have authority to delete openshift content in any namespace The kubernetes client object must have authority to execute a finalize request on a namespace
func (*MasterConfig) PolicyClient ¶ added in v0.3.2
func (c *MasterConfig) PolicyClient() *osclient.Client
PolicyClient returns the policy client object It must have the following capabilities:
list, watch all policyBindings in all namespaces list, watch all policies in all namespaces create resourceAccessReviews in all namespaces
func (*MasterConfig) RouteAllocator ¶ added in v0.4.2
func (c *MasterConfig) RouteAllocator() *routeallocationcontroller.RouteAllocationController
RouteAllocator returns a route allocation controller.
func (*MasterConfig) Run ¶ added in v0.2.1
func (c *MasterConfig) Run(protected []APIInstaller, unprotected []APIInstaller)
Run launches the OpenShift master. It takes optional installers that may install additional endpoints into the server. All endpoints get configured CORS behavior Protected installers' endpoints are protected by API authentication and authorization. Unprotected installers' endpoints do not have any additional protection added.
func (*MasterConfig) RunAssetServer ¶
func (c *MasterConfig) RunAssetServer()
RunAssetServer starts the asset server for the OpenShift UI.
func (*MasterConfig) RunBuildController ¶
func (c *MasterConfig) RunBuildController()
RunBuildController starts the build sync loop for builds and buildConfig processing.
func (*MasterConfig) RunBuildImageChangeTriggerController ¶ added in v0.2.1
func (c *MasterConfig) RunBuildImageChangeTriggerController()
RunBuildImageChangeTriggerController starts the build image change trigger controller process.
func (*MasterConfig) RunBuildPodController ¶ added in v0.4.1
func (c *MasterConfig) RunBuildPodController()
RunBuildPodController starts the build/pod status sync loop for build status
func (*MasterConfig) RunDNSServer ¶ added in v0.4.2
func (c *MasterConfig) RunDNSServer()
func (*MasterConfig) RunDeployerPodController ¶ added in v0.3.4
func (c *MasterConfig) RunDeployerPodController()
RunDeployerPodController starts the deployer pod controller process.
func (*MasterConfig) RunDeploymentConfigChangeController ¶
func (c *MasterConfig) RunDeploymentConfigChangeController()
func (*MasterConfig) RunDeploymentConfigController ¶
func (c *MasterConfig) RunDeploymentConfigController()
func (*MasterConfig) RunDeploymentController ¶ added in v0.2.1
func (c *MasterConfig) RunDeploymentController() error
RunDeploymentController starts the deployment controller process.
func (*MasterConfig) RunDeploymentImageChangeTriggerController ¶
func (c *MasterConfig) RunDeploymentImageChangeTriggerController()
func (*MasterConfig) RunImageImportController ¶ added in v0.4.2
func (c *MasterConfig) RunImageImportController()
func (*MasterConfig) RunOriginNamespaceController ¶ added in v0.4.2
func (c *MasterConfig) RunOriginNamespaceController()
RunOriginNamespaceController starts the controller that takes part in namespace termination of openshift content
func (*MasterConfig) RunPolicyCache ¶ added in v0.3.3
func (c *MasterConfig) RunPolicyCache()
RunPolicyCache starts the policy cache
func (*MasterConfig) RunProjectAuthorizationCache ¶ added in v0.3.2
func (c *MasterConfig) RunProjectAuthorizationCache()
RunProjectAuthorizationCache starts the project authorization cache
func (*MasterConfig) WebHookClient ¶ added in v0.2.1
func (c *MasterConfig) WebHookClient() *osclient.Client
WebHookClient returns the webhook client object
type PasswordAuthType ¶ added in v0.2.2
type PasswordAuthType string
const ( // PasswordAuthAnyPassword treats any non-empty username and password combination as a successful authentication PasswordAuthAnyPassword PasswordAuthType = "anypassword" // PasswordAuthBasicAuthURL validates password credentials by making a request to a remote url using basic auth. See basicauthpassword.Authenticator PasswordAuthBasicAuthURL PasswordAuthType = "basicauthurl" // PasswordAuthHTPasswd validates usernames and passwords against an htpasswd file PasswordAuthHTPasswd PasswordAuthType = "htpasswd" // PasswordAuthDeny treats any username and password combination as an unsuccessful authentication PasswordAuthDeny PasswordAuthType = "deny" )
type TokenStoreType ¶ added in v0.2.2
type TokenStoreType string
const ( // Validate bearer tokens by looking in the OAuth access token registry TokenStoreOAuth TokenStoreType = "oauth" // Validate bearer tokens by looking in a CSV file located at the specified TokenFilePath TokenStoreFile TokenStoreType = "file" )