origin

package
v0.4.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 31, 2015 License: Apache-2.0 Imports: 134 Imported by: 0

Documentation

Overview

Package origin provides objects for creating an OpenShift Origin server

Index

Constants

View Source
const (
	OpenShiftOAuthAPIPrefix      = "/oauth"
	OpenShiftLoginPrefix         = "/login"
	OpenShiftApprovePrefix       = "/oauth/approve"
	OpenShiftOAuthCallbackPrefix = "/oauth2callback"
	OpenShiftWebConsoleClientID  = "openshift-web-console"
)
View Source
const (
	OpenShiftAPIPrefix        = "/osapi" // TODO: make configurable
	KubernetesAPIPrefix       = "/api"   // TODO: make configurable
	OpenShiftAPIV1Beta1       = "v1beta1"
	OpenShiftAPIPrefixV1Beta1 = OpenShiftAPIPrefix + "/" + OpenShiftAPIV1Beta1
	OpenShiftRouteSubdomain   = "router.default.local"
)

Variables

View Source
var (
	OSWebConsoleClientBase = oauthapi.OAuthClient{
		ObjectMeta: kapi.ObjectMeta{
			Name: OpenShiftWebConsoleClientID,
		},
		Secret: uuid.NewUUID().String(),
	}
	// OSBrowserClientBase is used as a skeleton for building a Client.  We can't set the allowed redirecturis because we don't yet know the host:port of the auth server
	OSBrowserClientBase = oauthapi.OAuthClient{
		ObjectMeta: kapi.ObjectMeta{
			Name: "openshift-browser-client",
		},
		Secret: uuid.NewUUID().String(),
	}
	OSCliClientBase = oauthapi.OAuthClient{
		ObjectMeta: kapi.ObjectMeta{
			Name: "openshift-challenging-client",
		},
		Secret:                uuid.NewUUID().String(),
		RespondWithChallenges: true,
	}
)

Functions

func CreateOrUpdateDefaultOAuthClients added in v0.2.1

func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, assetPublicAddresses []string, clientRegistry oauthclient.Registry)

func GetCSVTokenAuthenticator added in v0.2.2

func GetCSVTokenAuthenticator(path string) (authenticator.Token, error)

func GetEtcdTokenAuthenticator added in v0.2.2

func GetEtcdTokenAuthenticator(etcdHelper tools.EtcdHelper) (authenticator.Token, error)

func NewEtcdHelper

func NewEtcdHelper(version string, client *etcdclient.Client) (helper tools.EtcdHelper, err error)

NewEtcdHelper returns an EtcdHelper for the provided arguments or an error if the version is incorrect.

func OpenShiftOAuthAuthorizeURL added in v0.2.2

func OpenShiftOAuthAuthorizeURL(masterAddr string) string

func OpenShiftOAuthTokenURL added in v0.2.2

func OpenShiftOAuthTokenURL(masterAddr string) string

Types

type APIInstallFunc added in v0.2.2

type APIInstallFunc func(*restful.Container) []string

APIInstallFunc is a function for installing APIs

func (APIInstallFunc) InstallAPI added in v0.2.2

func (fn APIInstallFunc) InstallAPI(container *restful.Container) []string

InstallAPI implements APIInstaller

type APIInstaller

type APIInstaller interface {
	// Returns an array of strings describing what was installed
	InstallAPI(*restful.Container) []string
}

APIInstaller installs additional API components into this server

type AssetConfig added in v0.4.2

type AssetConfig struct {
	Options configapi.AssetConfig
}

MasterConfig defines the required parameters for starting the OpenShift master

func BuildAssetConfig added in v0.4.2

func BuildAssetConfig(options configapi.AssetConfig) (*AssetConfig, error)

func (*AssetConfig) InstallAPI added in v0.4.2

func (c *AssetConfig) InstallAPI(container *restful.Container) []string

InstallAPI adds handlers for serving static assets into the provided mux, then returns an array of strings indicating what endpoints were started (these are format strings that will expect to be sent a single string value).

func (*AssetConfig) Run added in v0.4.2

func (c *AssetConfig) Run()

Run starts an http server for the static assets listening on the configured bind address

type AuthConfig

type AuthConfig struct {
	// URL to call internally during token request
	MasterAddr string
	// URL to direct browsers to the master on
	MasterPublicAddr string
	// Valid redirectURI prefixes to direct browsers to the web console
	AssetPublicAddresses []string
	MasterRoots          *x509.CertPool
	EtcdHelper           tools.EtcdHelper

	UserRegistry     userregistry.Registry
	IdentityRegistry identityregistry.Registry

	// Max age of authorize tokens
	AuthorizeTokenMaxAgeSeconds int32
	// Max age of access tokens
	AccessTokenMaxAgeSeconds int32

	// AuthRequestHandlers contains an ordered list of authenticators that decide if a request is authenticated
	AuthRequestHandlers []AuthRequestHandlerType

	// AuthHandler specifies what handles unauthenticated requests
	AuthHandler AuthHandlerType

	// GrantHandler specifies what handles requests for new client authorizations
	GrantHandler GrantHandlerType

	// PasswordAuth specifies how to validate username/passwords. Used by AuthRequestHandlerBasicAuth and AuthHandlerLogin
	PasswordAuth PasswordAuthType
	// BasicAuthURL specifies the remote URL to validate username/passwords against using basic auth. Used by PasswordAuthBasicAuthURL.
	BasicAuthURL string
	// HTPasswdFile specifies the path to an htpasswd file to validate username/passwords against. Used by PasswordAuthHTPasswd.
	HTPasswdFile string

	// TokenStore specifies how to validate bearer tokens. Used by AuthRequestHandlerBearer.
	TokenStore TokenStoreType
	// TokenFilePath is a path to a CSV file to load valid tokens from. Used by TokenStoreFile.
	TokenFilePath string

	// RequestHeaders lists the headers to check (in order) for a username. Used by AuthRequestHandlerRequestHeader
	RequestHeaders []string
	// RequestHeaderCAFile specifies the path to a PEM-encoded certificate bundle.
	// If set, a client certificate must be presented and validate against the CA before the request headers are checked for usernames
	RequestHeaderCAFile string

	// SessionSecrets list the secret(s) to use to encrypt created sessions. Used by AuthRequestHandlerSession
	SessionSecrets []string
	// SessionMaxAgeSeconds specifies how long created sessions last. Used by AuthRequestHandlerSession
	SessionMaxAgeSeconds int32
	// SessionName is the cookie name used to store the session
	SessionName string

	// GoogleClientID is the client_id of a client registered with the Google OAuth provider.
	// It must be authorized to redirect to {MasterPublicAddr}/oauth2callback/google
	// Used by AuthHandlerGoogle
	GoogleClientID string
	// GoogleClientID is the client_secret of a client registered with the Google OAuth provider.
	GoogleClientSecret string

	// GithubClientID is the client_id of a client registered with the GitHub OAuth provider.
	// It must be authorized to redirect to {MasterPublicAddr}/oauth2callback/github
	// Used by AuthHandlerGithub
	GithubClientID string
	// GithubClientID is the client_secret of a client registered with the GitHub OAuth provider.
	GithubClientSecret string
	// contains filtered or unexported fields
}

func BuildAuthConfig added in v0.4.2

func BuildAuthConfig(options configapi.MasterConfig) (*AuthConfig, error)

func (*AuthConfig) InstallAPI

func (c *AuthConfig) InstallAPI(container *restful.Container) []string

InstallSupport registers endpoints for an OAuth2 server into the provided mux, then returns an array of strings indicating what endpoints were started (these are format strings that will expect to be sent a single string value).

func (*AuthConfig) NewOpenShiftOAuthClientConfig added in v0.2.1

func (c *AuthConfig) NewOpenShiftOAuthClientConfig(client *oauthapi.OAuthClient) *osincli.ClientConfig

NewOpenShiftOAuthClientConfig provides config for OpenShift OAuth client

type AuthHandlerType added in v0.2.2

type AuthHandlerType string
const (
	// AuthHandlerLogin redirects unauthenticated requests to a login page, or sends a www-authenticate challenge. Logins are validated using the specified PasswordAuth
	AuthHandlerLogin AuthHandlerType = "login"
	// AuthHandlerGithub redirects unauthenticated requests to GitHub to request an OAuth token.
	AuthHandlerGithub AuthHandlerType = "github"
	// AuthHandlerGoogle redirects unauthenticated requests to Google to request an OAuth token.
	AuthHandlerGoogle AuthHandlerType = "google"
	// AuthHandlerDeny treats unauthenticated requests as failures
	AuthHandlerDeny AuthHandlerType = "deny"
)

type AuthRequestHandlerType added in v0.2.2

type AuthRequestHandlerType string
const (
	// AuthRequestHandlerBearer validates a passed "Authorization: Bearer" token, using the specified TokenStore
	AuthRequestHandlerBearer AuthRequestHandlerType = "bearer"
	// AuthRequestHandlerRequestHeader treats any request with a value in one of the RequestHeaders headers as authenticated
	AuthRequestHandlerRequestHeader AuthRequestHandlerType = "requestheader"
	// AuthRequestHandlerBasicAuth validates a passed "Authorization: Basic" header using the specified PasswordAuth
	AuthRequestHandlerBasicAuth AuthRequestHandlerType = "basicauth"
	// AuthRequestHandlerSession authenticates requests containing user information in the request session
	AuthRequestHandlerSession AuthRequestHandlerType = "session"
)

func ParseAuthRequestHandlerTypes added in v0.2.2

func ParseAuthRequestHandlerTypes(types string) []AuthRequestHandlerType

type GrantHandlerType added in v0.2.2

type GrantHandlerType string
const (
	// GrantHandlerAuto auto-approves client authorization grant requests
	GrantHandlerAuto GrantHandlerType = "auto"
	// GrantHandlerPrompt prompts the user to approve new client authorization grant requests
	GrantHandlerPrompt GrantHandlerType = "prompt"
	// GrantHandlerDeny auto-denies client authorization grant requests
	GrantHandlerDeny GrantHandlerType = "deny"
)

type MasterConfig

type MasterConfig struct {
	Options configapi.MasterConfig

	Authenticator                 authenticator.Request
	Authorizer                    authorizer.Authorizer
	AuthorizationAttributeBuilder authorizer.AuthorizationAttributeBuilder

	PolicyCache               *policycache.PolicyCache
	ProjectAuthorizationCache *projectauth.AuthorizationCache

	// Map requests to contexts
	RequestContextMapper kapi.RequestContextMapper

	AdmissionControl admission.Interface

	TLS bool

	// a function that returns the appropriate image to use for a named component
	ImageFor func(component string) string

	EtcdHelper tools.EtcdHelper

	// ClientCAs will be used to request client certificates in connections to the API.
	// This CertPool should contain all the CAs that will be used for client certificate verification.
	ClientCAs *x509.CertPool
	// APIClientCAs is used to verify client certificates presented for API auth
	APIClientCAs *x509.CertPool

	// KubeClientConfig is the client configuration used to call Kubernetes APIs from system components.
	// To apply different access control to a system component, create a client config specifically for that component.
	KubeClientConfig kclient.Config
	// OSClientConfig is the client configuration used to call OpenShift APIs from system components
	// To apply different access control to a system component, create a client config specifically for that component.
	OSClientConfig kclient.Config
	// DeployerOSClientConfig is the client configuration used to call OpenShift APIs from launched deployer pods
	DeployerOSClientConfig kclient.Config

	// kubeClient is the client used to call Kubernetes APIs from system components, built from KubeClientConfig.
	// It should only be accessed via the *Client() helper methods.
	// To apply different access control to a system component, create a separate client/config specifically for that component.
	KubernetesClient *kclient.Client
	// osClient is the client used to call OpenShift APIs from system components, built from OSClientConfig.
	// It should only be accessed via the *Client() helper methods.
	// To apply different access control to a system component, create a separate client/config specifically for that component.
	OSClient *osclient.Client
}

MasterConfig defines the required parameters for starting the OpenShift master

func BuildMasterConfig added in v0.3.3

func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error)

func (*MasterConfig) BuildControllerClients added in v0.2.1

func (c *MasterConfig) BuildControllerClients() (*osclient.Client, *kclient.Client)

BuildControllerClients returns the build controller client objects

func (*MasterConfig) BuildLogClient added in v0.2.1

func (c *MasterConfig) BuildLogClient() *kclient.Client

BuildLogClient returns the build log client object

func (*MasterConfig) DNSServerClient added in v0.4.2

func (c *MasterConfig) DNSServerClient() *kclient.Client

DNSServerClient returns the DNS server client object It must have the following capabilities:

list, watch all services in all namespaces

func (*MasterConfig) DeployerClientConfig added in v0.2.1

func (c *MasterConfig) DeployerClientConfig() *kclient.Config

DeployerClientConfig returns the client configuration a Deployer instance launched in a pod should use when making API calls.

func (*MasterConfig) DeploymentClient added in v0.2.1

func (c *MasterConfig) DeploymentClient() *kclient.Client

DeploymentClient returns the deployment client object

func (*MasterConfig) DeploymentConfigChangeControllerClients added in v0.2.1

func (c *MasterConfig) DeploymentConfigChangeControllerClients() (*osclient.Client, *kclient.Client)

func (*MasterConfig) DeploymentConfigControllerClients added in v0.2.1

func (c *MasterConfig) DeploymentConfigControllerClients() (*osclient.Client, *kclient.Client)

func (*MasterConfig) DeploymentControllerClients added in v0.2.1

func (c *MasterConfig) DeploymentControllerClients() (*osclient.Client, *kclient.Client)

DeploymentControllerClients returns the deployment controller client object

func (*MasterConfig) DeploymentImageChangeControllerClient added in v0.2.1

func (c *MasterConfig) DeploymentImageChangeControllerClient() *osclient.Client

func (*MasterConfig) ImageChangeControllerClient added in v0.2.1

func (c *MasterConfig) ImageChangeControllerClient() *osclient.Client

ImageChangeControllerClient returns the openshift client object

func (*MasterConfig) ImageImportControllerClient added in v0.4.2

func (c *MasterConfig) ImageImportControllerClient() *osclient.Client

ImageImportControllerClient returns the deployment client object

func (*MasterConfig) InstallProtectedAPI added in v0.2.2

func (c *MasterConfig) InstallProtectedAPI(container *restful.Container) []string

func (*MasterConfig) InstallUnprotectedAPI added in v0.2.2

func (c *MasterConfig) InstallUnprotectedAPI(container *restful.Container) []string

func (*MasterConfig) KubeClient

func (c *MasterConfig) KubeClient() *kclient.Client

KubeClient returns the kubernetes client object

func (*MasterConfig) OriginNamespaceControllerClients added in v0.4.2

func (c *MasterConfig) OriginNamespaceControllerClients() (*osclient.Client, *kclient.Client)

OriginNamespaceControllerClients returns a client for openshift and kubernetes. The openshift client object must have authority to delete openshift content in any namespace The kubernetes client object must have authority to execute a finalize request on a namespace

func (*MasterConfig) PolicyClient added in v0.3.2

func (c *MasterConfig) PolicyClient() *osclient.Client

PolicyClient returns the policy client object It must have the following capabilities:

list, watch all policyBindings in all namespaces
list, watch all policies in all namespaces
create resourceAccessReviews in all namespaces

func (*MasterConfig) RouteAllocator added in v0.4.2

RouteAllocator returns a route allocation controller.

func (*MasterConfig) Run added in v0.2.1

func (c *MasterConfig) Run(protected []APIInstaller, unprotected []APIInstaller)

Run launches the OpenShift master. It takes optional installers that may install additional endpoints into the server. All endpoints get configured CORS behavior Protected installers' endpoints are protected by API authentication and authorization. Unprotected installers' endpoints do not have any additional protection added.

func (*MasterConfig) RunAssetServer

func (c *MasterConfig) RunAssetServer()

RunAssetServer starts the asset server for the OpenShift UI.

func (*MasterConfig) RunBuildController

func (c *MasterConfig) RunBuildController()

RunBuildController starts the build sync loop for builds and buildConfig processing.

func (*MasterConfig) RunBuildImageChangeTriggerController added in v0.2.1

func (c *MasterConfig) RunBuildImageChangeTriggerController()

RunBuildImageChangeTriggerController starts the build image change trigger controller process.

func (*MasterConfig) RunBuildPodController added in v0.4.1

func (c *MasterConfig) RunBuildPodController()

RunBuildPodController starts the build/pod status sync loop for build status

func (*MasterConfig) RunDNSServer added in v0.4.2

func (c *MasterConfig) RunDNSServer()

func (*MasterConfig) RunDeployerPodController added in v0.3.4

func (c *MasterConfig) RunDeployerPodController()

RunDeployerPodController starts the deployer pod controller process.

func (*MasterConfig) RunDeploymentConfigChangeController

func (c *MasterConfig) RunDeploymentConfigChangeController()

func (*MasterConfig) RunDeploymentConfigController

func (c *MasterConfig) RunDeploymentConfigController()

func (*MasterConfig) RunDeploymentController added in v0.2.1

func (c *MasterConfig) RunDeploymentController() error

RunDeploymentController starts the deployment controller process.

func (*MasterConfig) RunDeploymentImageChangeTriggerController

func (c *MasterConfig) RunDeploymentImageChangeTriggerController()

func (*MasterConfig) RunImageImportController added in v0.4.2

func (c *MasterConfig) RunImageImportController()

func (*MasterConfig) RunOriginNamespaceController added in v0.4.2

func (c *MasterConfig) RunOriginNamespaceController()

RunOriginNamespaceController starts the controller that takes part in namespace termination of openshift content

func (*MasterConfig) RunPolicyCache added in v0.3.3

func (c *MasterConfig) RunPolicyCache()

RunPolicyCache starts the policy cache

func (*MasterConfig) RunProjectAuthorizationCache added in v0.3.2

func (c *MasterConfig) RunProjectAuthorizationCache()

RunProjectAuthorizationCache starts the project authorization cache

func (*MasterConfig) WebHookClient added in v0.2.1

func (c *MasterConfig) WebHookClient() *osclient.Client

WebHookClient returns the webhook client object

type PasswordAuthType added in v0.2.2

type PasswordAuthType string
const (
	// PasswordAuthAnyPassword treats any non-empty username and password combination as a successful authentication
	PasswordAuthAnyPassword PasswordAuthType = "anypassword"
	// PasswordAuthBasicAuthURL validates password credentials by making a request to a remote url using basic auth. See basicauthpassword.Authenticator
	PasswordAuthBasicAuthURL PasswordAuthType = "basicauthurl"
	// PasswordAuthHTPasswd validates usernames and passwords against an htpasswd file
	PasswordAuthHTPasswd PasswordAuthType = "htpasswd"
	// PasswordAuthDeny treats any username and password combination as an unsuccessful authentication
	PasswordAuthDeny PasswordAuthType = "deny"
)

type TokenStoreType added in v0.2.2

type TokenStoreType string
const (
	// Validate bearer tokens by looking in the OAuth access token registry
	TokenStoreOAuth TokenStoreType = "oauth"
	// Validate bearer tokens by looking in a CSV file located at the specified TokenFilePath
	TokenStoreFile TokenStoreType = "file"
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL