Documentation ¶
Overview ¶
Package origin provides objects for creating an OpenShift Origin server
Index ¶
- Constants
- Variables
- func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, assetPublicAddresses []string, ...)
- func GetCSVTokenAuthenticator(path string) (authenticator.Token, error)
- func GetEtcdTokenAuthenticator(etcdHelper tools.EtcdHelper) (authenticator.Token, error)
- func NewEtcdHelper(version string, client *etcdclient.Client) (helper tools.EtcdHelper, err error)
- func OpenShiftOAuthAuthorizeURL(masterAddr string) string
- func OpenShiftOAuthTokenURL(masterAddr string) string
- type APIInstallFunc
- type APIInstaller
- type AuthConfig
- type AuthHandlerType
- type AuthRequestHandlerType
- type GrantHandlerType
- type MasterConfig
- func (c *MasterConfig) BuildControllerClients() (*osclient.Client, *kclient.Client)
- func (c *MasterConfig) BuildLogClient() *kclient.Client
- func (c *MasterConfig) DeployerClientConfig() *kclient.Config
- func (c *MasterConfig) DeploymentClient() *kclient.Client
- func (c *MasterConfig) DeploymentConfigChangeControllerClients() (*osclient.Client, *kclient.Client)
- func (c *MasterConfig) DeploymentConfigControllerClients() (*osclient.Client, *kclient.Client)
- func (c *MasterConfig) DeploymentControllerClients() (*osclient.Client, *kclient.Client)
- func (c *MasterConfig) DeploymentImageChangeControllerClient() *osclient.Client
- func (c *MasterConfig) ImageChangeControllerClient() *osclient.Client
- func (c *MasterConfig) InstallProtectedAPI(container *restful.Container) []string
- func (c *MasterConfig) InstallUnprotectedAPI(container *restful.Container) []string
- func (c *MasterConfig) KubeClient() *kclient.Client
- func (c *MasterConfig) PolicyClient() *osclient.Client
- func (c *MasterConfig) Run(protected []APIInstaller, unprotected []APIInstaller)
- func (c *MasterConfig) RunAssetServer()
- func (c *MasterConfig) RunBuildController()
- func (c *MasterConfig) RunBuildImageChangeTriggerController()
- func (c *MasterConfig) RunDeploymentConfigChangeController()
- func (c *MasterConfig) RunDeploymentConfigController()
- func (c *MasterConfig) RunDeploymentController()
- func (c *MasterConfig) RunDeploymentImageChangeTriggerController()
- func (c *MasterConfig) RunPolicyCache()
- func (c *MasterConfig) RunProjectAuthorizationCache()
- func (c *MasterConfig) WebHookClient() *osclient.Client
- type MasterConfigParameters
- type PasswordAuthType
- type TokenStoreType
Constants ¶
const ( OpenShiftOAuthAPIPrefix = "/oauth" OpenShiftLoginPrefix = "/login" OpenShiftApprovePrefix = "/oauth/approve" OpenShiftOAuthCallbackPrefix = "/oauth2callback" OpenShiftWebConsoleClientID = "openshift-web-console" )
const ( OpenShiftAPIPrefix = "/osapi" OpenShiftAPIV1Beta1 = "v1beta1" OpenShiftAPIPrefixV1Beta1 = OpenShiftAPIPrefix + "/" + OpenShiftAPIV1Beta1 )
Variables ¶
var ( OSWebConsoleClientBase = oauthapi.OAuthClient{ ObjectMeta: kapi.ObjectMeta{ Name: OpenShiftWebConsoleClientID, }, Secret: uuid.NewUUID().String(), } // OSBrowserClientBase is used as a skeleton for building a Client. We can't set the allowed redirecturis because we don't yet know the host:port of the auth server OSBrowserClientBase = oauthapi.OAuthClient{ ObjectMeta: kapi.ObjectMeta{ Name: "openshift-browser-client", }, Secret: uuid.NewUUID().String(), } OSCliClientBase = oauthapi.OAuthClient{ ObjectMeta: kapi.ObjectMeta{ Name: "openshift-challenging-client", }, Secret: uuid.NewUUID().String(), RespondWithChallenges: true, } )
Functions ¶
func CreateOrUpdateDefaultOAuthClients ¶ added in v0.2.1
func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, assetPublicAddresses []string, clientRegistry oauthclient.Registry)
func GetCSVTokenAuthenticator ¶ added in v0.2.2
func GetCSVTokenAuthenticator(path string) (authenticator.Token, error)
func GetEtcdTokenAuthenticator ¶ added in v0.2.2
func GetEtcdTokenAuthenticator(etcdHelper tools.EtcdHelper) (authenticator.Token, error)
func NewEtcdHelper ¶
func NewEtcdHelper(version string, client *etcdclient.Client) (helper tools.EtcdHelper, err error)
NewEtcdHelper returns an EtcdHelper for the provided arguments or an error if the version is incorrect.
func OpenShiftOAuthAuthorizeURL ¶ added in v0.2.2
func OpenShiftOAuthTokenURL ¶ added in v0.2.2
Types ¶
type APIInstallFunc ¶ added in v0.2.2
APIInstallFunc is a function for installing APIs
func (APIInstallFunc) InstallAPI ¶ added in v0.2.2
func (fn APIInstallFunc) InstallAPI(container *restful.Container) []string
InstallAPI implements APIInstaller
type APIInstaller ¶
type APIInstaller interface { // Returns an array of strings describing what was installed InstallAPI(*restful.Container) []string }
APIInstaller installs additional API components into this server
type AuthConfig ¶
type AuthConfig struct { // URL to call internally during token request MasterAddr string // URL to direct browsers to the master on MasterPublicAddr string // Valid redirectURI prefixes to direct browsers to the web console AssetPublicAddresses []string MasterRoots *x509.CertPool EtcdHelper tools.EtcdHelper // Max age of authorize tokens AuthorizeTokenMaxAgeSeconds int32 // Max age of access tokens AccessTokenMaxAgeSeconds int32 // AuthRequestHandlers contains an ordered list of authenticators that decide if a request is authenticated AuthRequestHandlers []AuthRequestHandlerType // AuthHandler specifies what handles unauthenticated requests AuthHandler AuthHandlerType // GrantHandler specifies what handles requests for new client authorizations GrantHandler GrantHandlerType // PasswordAuth specifies how to validate username/passwords. Used by AuthRequestHandlerBasicAuth and AuthHandlerLogin PasswordAuth PasswordAuthType // BasicAuthURL specifies the remote URL to validate username/passwords against using basic auth. Used by PasswordAuthBasicAuthURL. BasicAuthURL string // HTPasswdFile specifies the path to an htpasswd file to validate username/passwords against. Used by PasswordAuthHTPasswd. HTPasswdFile string // TokenStore specifies how to validate bearer tokens. Used by AuthRequestHandlerBearer. TokenStore TokenStoreType // TokenFilePath is a path to a CSV file to load valid tokens from. Used by TokenStoreFile. TokenFilePath string // RequestHeaders lists the headers to check (in order) for a username. Used by AuthRequestHandlerRequestHeader RequestHeaders []string // SessionSecrets list the secret(s) to use to encrypt created sessions. Used by AuthRequestHandlerSession SessionSecrets []string // SessionMaxAgeSeconds specifies how long created sessions last. Used by AuthRequestHandlerSession SessionMaxAgeSeconds int32 // SessionName is the cookie name used to store the session SessionName string // GoogleClientID is the client_id of a client registered with the Google OAuth provider. // It must be authorized to redirect to {MasterPublicAddr}/oauth2callback/google // Used by AuthHandlerGoogle GoogleClientID string // GoogleClientID is the client_secret of a client registered with the Google OAuth provider. GoogleClientSecret string // GithubClientID is the client_id of a client registered with the GitHub OAuth provider. // It must be authorized to redirect to {MasterPublicAddr}/oauth2callback/github // Used by AuthHandlerGithub GithubClientID string // GithubClientID is the client_secret of a client registered with the GitHub OAuth provider. GithubClientSecret string // contains filtered or unexported fields }
func (*AuthConfig) InstallAPI ¶
func (c *AuthConfig) InstallAPI(container *restful.Container) []string
InstallSupport registers endpoints for an OAuth2 server into the provided mux, then returns an array of strings indicating what endpoints were started (these are format strings that will expect to be sent a single string value).
func (*AuthConfig) NewOpenShiftOAuthClientConfig ¶ added in v0.2.1
func (c *AuthConfig) NewOpenShiftOAuthClientConfig(client *oauthapi.OAuthClient) *osincli.ClientConfig
NewOpenShiftOAuthClientConfig provides config for OpenShift OAuth client
type AuthHandlerType ¶ added in v0.2.2
type AuthHandlerType string
const ( // AuthHandlerLogin redirects unauthenticated requests to a login page, or sends a www-authenticate challenge. Logins are validated using the specified PasswordAuth AuthHandlerLogin AuthHandlerType = "login" // AuthHandlerGithub redirects unauthenticated requests to GitHub to request an OAuth token. AuthHandlerGithub AuthHandlerType = "github" // AuthHandlerGoogle redirects unauthenticated requests to Google to request an OAuth token. AuthHandlerGoogle AuthHandlerType = "google" // AuthHandlerDeny treats unauthenticated requests as failures AuthHandlerDeny AuthHandlerType = "deny" )
type AuthRequestHandlerType ¶ added in v0.2.2
type AuthRequestHandlerType string
const ( // AuthRequestHandlerBearer validates a passed "Authorization: Bearer" token, using the specified TokenStore AuthRequestHandlerBearer AuthRequestHandlerType = "bearer" // AuthRequestHandlerRequestHeader treats any request with a value in one of the RequestHeaders headers as authenticated AuthRequestHandlerRequestHeader AuthRequestHandlerType = "requestheader" // AuthRequestHandlerBasicAuth validates a passed "Authorization: Basic" header using the specified PasswordAuth AuthRequestHandlerBasicAuth AuthRequestHandlerType = "basicauth" // AuthRequestHandlerSession authenticates requests containing user information in the request session AuthRequestHandlerSession AuthRequestHandlerType = "session" )
func ParseAuthRequestHandlerTypes ¶ added in v0.2.2
func ParseAuthRequestHandlerTypes(types string) []AuthRequestHandlerType
type GrantHandlerType ¶ added in v0.2.2
type GrantHandlerType string
const ( // GrantHandlerAuto auto-approves client authorization grant requests GrantHandlerAuto GrantHandlerType = "auto" // GrantHandlerPrompt prompts the user to approve new client authorization grant requests GrantHandlerPrompt GrantHandlerType = "prompt" // GrantHandlerDeny auto-denies client authorization grant requests GrantHandlerDeny GrantHandlerType = "deny" )
type MasterConfig ¶
type MasterConfig struct { MasterConfigParameters Authenticator authenticator.Request Authorizer authorizer.Authorizer AuthorizationAttributeBuilder authorizer.AuthorizationAttributeBuilder PolicyCache *policycache.PolicyCache ProjectAuthorizationCache *projectauth.AuthorizationCache // Map requests to contexts RequestContextMapper kapi.RequestContextMapper AdmissionControl admission.Interface // a function that returns the appropriate image to use for a named component ImageFor func(component string) string TLS bool }
MasterConfig defines the required parameters for starting the OpenShift master
func BuildMasterConfig ¶ added in v0.3.3
func BuildMasterConfig(configParams MasterConfigParameters) (*MasterConfig, error)
func (*MasterConfig) BuildControllerClients ¶ added in v0.2.1
func (c *MasterConfig) BuildControllerClients() (*osclient.Client, *kclient.Client)
BuildControllerClients returns the build controller client objects
func (*MasterConfig) BuildLogClient ¶ added in v0.2.1
func (c *MasterConfig) BuildLogClient() *kclient.Client
BuildLogClient returns the build log client object
func (*MasterConfig) DeployerClientConfig ¶ added in v0.2.1
func (c *MasterConfig) DeployerClientConfig() *kclient.Config
DeployerClientConfig returns the client configuration a Deployer instance launched in a pod should use when making API calls.
func (*MasterConfig) DeploymentClient ¶ added in v0.2.1
func (c *MasterConfig) DeploymentClient() *kclient.Client
DeploymentClient returns the deployment client object
func (*MasterConfig) DeploymentConfigChangeControllerClients ¶ added in v0.2.1
func (c *MasterConfig) DeploymentConfigChangeControllerClients() (*osclient.Client, *kclient.Client)
func (*MasterConfig) DeploymentConfigControllerClients ¶ added in v0.2.1
func (c *MasterConfig) DeploymentConfigControllerClients() (*osclient.Client, *kclient.Client)
func (*MasterConfig) DeploymentControllerClients ¶ added in v0.2.1
func (c *MasterConfig) DeploymentControllerClients() (*osclient.Client, *kclient.Client)
DeploymentControllerClients returns the deployment controller client object
func (*MasterConfig) DeploymentImageChangeControllerClient ¶ added in v0.2.1
func (c *MasterConfig) DeploymentImageChangeControllerClient() *osclient.Client
func (*MasterConfig) ImageChangeControllerClient ¶ added in v0.2.1
func (c *MasterConfig) ImageChangeControllerClient() *osclient.Client
ImageChangeControllerClient returns the openshift client object
func (*MasterConfig) InstallProtectedAPI ¶ added in v0.2.2
func (c *MasterConfig) InstallProtectedAPI(container *restful.Container) []string
func (*MasterConfig) InstallUnprotectedAPI ¶ added in v0.2.2
func (c *MasterConfig) InstallUnprotectedAPI(container *restful.Container) []string
func (*MasterConfig) KubeClient ¶
func (c *MasterConfig) KubeClient() *kclient.Client
KubeClient returns the kubernetes client object
func (*MasterConfig) PolicyClient ¶ added in v0.3.2
func (c *MasterConfig) PolicyClient() *osclient.Client
PolicyClient returns the policy client object It must have the following capabilities:
list, watch all policyBindings in all namespaces list, watch all policies in all namespaces create resourceAccessReviews in all namespaces
func (*MasterConfig) Run ¶ added in v0.2.1
func (c *MasterConfig) Run(protected []APIInstaller, unprotected []APIInstaller)
Run launches the OpenShift master. It takes optional installers that may install additional endpoints into the server. All endpoints get configured CORS behavior Protected installers' endpoints are protected by API authentication and authorization. Unprotected installers' endpoints do not have any additional protection added.
func (*MasterConfig) RunAssetServer ¶
func (c *MasterConfig) RunAssetServer()
RunAssetServer starts the asset server for the OpenShift UI.
func (*MasterConfig) RunBuildController ¶
func (c *MasterConfig) RunBuildController()
RunBuildController starts the build sync loop for builds and buildConfig processing.
func (*MasterConfig) RunBuildImageChangeTriggerController ¶ added in v0.2.1
func (c *MasterConfig) RunBuildImageChangeTriggerController()
RunDeploymentController starts the build image change trigger controller process.
func (*MasterConfig) RunDeploymentConfigChangeController ¶
func (c *MasterConfig) RunDeploymentConfigChangeController()
func (*MasterConfig) RunDeploymentConfigController ¶
func (c *MasterConfig) RunDeploymentConfigController()
func (*MasterConfig) RunDeploymentController ¶ added in v0.2.1
func (c *MasterConfig) RunDeploymentController()
RunDeploymentController starts the deployment controller process.
func (*MasterConfig) RunDeploymentImageChangeTriggerController ¶
func (c *MasterConfig) RunDeploymentImageChangeTriggerController()
func (*MasterConfig) RunPolicyCache ¶ added in v0.3.3
func (c *MasterConfig) RunPolicyCache()
RunPolicyCache starts the policy cache
func (*MasterConfig) RunProjectAuthorizationCache ¶ added in v0.3.2
func (c *MasterConfig) RunProjectAuthorizationCache()
RunProjectAuthorizationCache starts the project authorization cache
func (*MasterConfig) WebHookClient ¶ added in v0.2.1
func (c *MasterConfig) WebHookClient() *osclient.Client
WebHookClient returns the webhook client object
type MasterConfigParameters ¶ added in v0.3.3
type MasterConfigParameters struct { // host:port to bind master to MasterBindAddr string // host:port to bind asset server to AssetBindAddr string // url to access the master API on within the cluster MasterAddr string // url to access kubernetes API on within the cluster KubernetesAddr string // external clients may need to access APIs at different addresses than internal components do MasterPublicAddr string KubernetesPublicAddr string AssetPublicAddr string // LogoutURI is an optional, absolute URI to redirect web browsers to after logging out of the web console. // If not specified, the built-in logout page is shown. LogoutURI string CORSAllowedOrigins []string EtcdHelper tools.EtcdHelper MasterCertFile string MasterKeyFile string AssetCertFile string AssetKeyFile string // ClientCAs will be used to request client certificates in connections to the API. // This CertPool should contain all the CAs that will be used for client certificate verification. ClientCAs *x509.CertPool MasterAuthorizationNamespace string // kubeClient is the client used to call Kubernetes APIs from system components, built from KubeClientConfig. // It should only be accessed via the *Client() helper methods. // To apply different access control to a system component, create a separate client/config specifically for that component. KubeClient *kclient.Client // KubeClientConfig is the client configuration used to call Kubernetes APIs from system components. // To apply different access control to a system component, create a client config specifically for that component. KubeClientConfig kclient.Config // osClient is the client used to call OpenShift APIs from system components, built from OSClientConfig. // It should only be accessed via the *Client() helper methods. // To apply different access control to a system component, create a separate client/config specifically for that component. OSClient *osclient.Client // OSClientConfig is the client configuration used to call OpenShift APIs from system components // To apply different access control to a system component, create a client config specifically for that component. OSClientConfig kclient.Config // DeployerOSClientConfig is the client configuration used to call OpenShift APIs from launched deployer pods DeployerOSClientConfig kclient.Config }
type PasswordAuthType ¶ added in v0.2.2
type PasswordAuthType string
const ( // PasswordAuthAnyPassword treats any non-empty username and password combination as a successful authentication PasswordAuthAnyPassword PasswordAuthType = "anypassword" // PasswordAuthBasicAuthURL validates password credentials by making a request to a remote url using basic auth. See basicauthpassword.Authenticator PasswordAuthBasicAuthURL PasswordAuthType = "basicauthurl" // PasswordAuthHTPasswd validates usernames and passwords against an htpasswd file PasswordAuthHTPasswd PasswordAuthType = "htpasswd" // PasswordAuthDeny treats any username and password combination as an unsuccessful authentication PasswordAuthDeny PasswordAuthType = "deny" )
type TokenStoreType ¶ added in v0.2.2
type TokenStoreType string
const ( // Validate bearer tokens by looking in the OAuth access token registry TokenStoreOAuth TokenStoreType = "oauth" // Validate bearer tokens by looking in a CSV file located at the specified TokenFilePath TokenStoreFile TokenStoreType = "file" )