origin

package
v0.3.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 27, 2015 License: Apache-2.0 Imports: 112 Imported by: 0

Documentation

Overview

Package origin provides objects for creating an OpenShift Origin server

Index

Constants

View Source
const (
	OpenShiftOAuthAPIPrefix      = "/oauth"
	OpenShiftLoginPrefix         = "/login"
	OpenShiftApprovePrefix       = "/oauth/approve"
	OpenShiftOAuthCallbackPrefix = "/oauth2callback"
	OpenShiftWebConsoleClientID  = "openshift-web-console"
)
View Source
const (
	OpenShiftAPIPrefix        = "/osapi"
	OpenShiftAPIV1Beta1       = "v1beta1"
	OpenShiftAPIPrefixV1Beta1 = OpenShiftAPIPrefix + "/" + OpenShiftAPIV1Beta1
)

Variables

View Source
var (
	OSWebConsoleClientBase = oauthapi.OAuthClient{
		ObjectMeta: kapi.ObjectMeta{
			Name: OpenShiftWebConsoleClientID,
		},
		Secret: uuid.NewUUID().String(),
	}
	// OSBrowserClientBase is used as a skeleton for building a Client.  We can't set the allowed redirecturis because we don't yet know the host:port of the auth server
	OSBrowserClientBase = oauthapi.OAuthClient{
		ObjectMeta: kapi.ObjectMeta{
			Name: "openshift-browser-client",
		},
		Secret: uuid.NewUUID().String(),
	}
	OSCliClientBase = oauthapi.OAuthClient{
		ObjectMeta: kapi.ObjectMeta{
			Name: "openshift-challenging-client",
		},
		Secret:                uuid.NewUUID().String(),
		RespondWithChallenges: true,
	}
)

Functions

func CreateOrUpdateDefaultOAuthClients added in v0.2.1

func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, assetPublicAddresses []string, clientRegistry oauthclient.Registry)

func GetCSVTokenAuthenticator added in v0.2.2

func GetCSVTokenAuthenticator(path string) (authenticator.Token, error)

func GetEtcdTokenAuthenticator added in v0.2.2

func GetEtcdTokenAuthenticator(etcdHelper tools.EtcdHelper) (authenticator.Token, error)

func NewEtcdHelper

func NewEtcdHelper(version string, client *etcdclient.Client) (helper tools.EtcdHelper, err error)

NewEtcdHelper returns an EtcdHelper for the provided arguments or an error if the version is incorrect.

func OpenShiftOAuthAuthorizeURL added in v0.2.2

func OpenShiftOAuthAuthorizeURL(masterAddr string) string

func OpenShiftOAuthTokenURL added in v0.2.2

func OpenShiftOAuthTokenURL(masterAddr string) string

Types

type APIInstallFunc added in v0.2.2

type APIInstallFunc func(*restful.Container) []string

APIInstallFunc is a function for installing APIs

func (APIInstallFunc) InstallAPI added in v0.2.2

func (fn APIInstallFunc) InstallAPI(container *restful.Container) []string

InstallAPI implements APIInstaller

type APIInstaller

type APIInstaller interface {
	// Returns an array of strings describing what was installed
	InstallAPI(*restful.Container) []string
}

APIInstaller installs additional API components into this server

type AuthConfig

type AuthConfig struct {
	// URL to call internally during token request
	MasterAddr string
	// URL to direct browsers to the master on
	MasterPublicAddr string
	// Valid redirectURI prefixes to direct browsers to the web console
	AssetPublicAddresses []string
	MasterRoots          *x509.CertPool
	EtcdHelper           tools.EtcdHelper

	// Max age of authorize tokens
	AuthorizeTokenMaxAgeSeconds int32
	// Max age of access tokens
	AccessTokenMaxAgeSeconds int32

	// AuthRequestHandlers contains an ordered list of authenticators that decide if a request is authenticated
	AuthRequestHandlers []AuthRequestHandlerType

	// AuthHandler specifies what handles unauthenticated requests
	AuthHandler AuthHandlerType

	// GrantHandler specifies what handles requests for new client authorizations
	GrantHandler GrantHandlerType

	// PasswordAuth specifies how to validate username/passwords. Used by AuthRequestHandlerBasicAuth and AuthHandlerLogin
	PasswordAuth PasswordAuthType
	// BasicAuthURL specifies the remote URL to validate username/passwords against using basic auth. Used by PasswordAuthBasicAuthURL.
	BasicAuthURL string
	// HTPasswdFile specifies the path to an htpasswd file to validate username/passwords against. Used by PasswordAuthHTPasswd.
	HTPasswdFile string

	// TokenStore specifies how to validate bearer tokens. Used by AuthRequestHandlerBearer.
	TokenStore TokenStoreType
	// TokenFilePath is a path to a CSV file to load valid tokens from. Used by TokenStoreFile.
	TokenFilePath string

	// RequestHeaders lists the headers to check (in order) for a username. Used by AuthRequestHandlerRequestHeader
	RequestHeaders []string

	// SessionSecrets list the secret(s) to use to encrypt created sessions. Used by AuthRequestHandlerSession
	SessionSecrets []string
	// SessionMaxAgeSeconds specifies how long created sessions last. Used by AuthRequestHandlerSession
	SessionMaxAgeSeconds int32
	// SessionName is the cookie name used to store the session
	SessionName string

	// GoogleClientID is the client_id of a client registered with the Google OAuth provider.
	// It must be authorized to redirect to {MasterPublicAddr}/oauth2callback/google
	// Used by AuthHandlerGoogle
	GoogleClientID string
	// GoogleClientID is the client_secret of a client registered with the Google OAuth provider.
	GoogleClientSecret string

	// GithubClientID is the client_id of a client registered with the GitHub OAuth provider.
	// It must be authorized to redirect to {MasterPublicAddr}/oauth2callback/github
	// Used by AuthHandlerGithub
	GithubClientID string
	// GithubClientID is the client_secret of a client registered with the GitHub OAuth provider.
	GithubClientSecret string
	// contains filtered or unexported fields
}

func (*AuthConfig) InstallAPI

func (c *AuthConfig) InstallAPI(container *restful.Container) []string

InstallSupport registers endpoints for an OAuth2 server into the provided mux, then returns an array of strings indicating what endpoints were started (these are format strings that will expect to be sent a single string value).

func (*AuthConfig) NewOpenShiftOAuthClientConfig added in v0.2.1

func (c *AuthConfig) NewOpenShiftOAuthClientConfig(client *oauthapi.OAuthClient) *osincli.ClientConfig

NewOpenShiftOAuthClientConfig provides config for OpenShift OAuth client

type AuthHandlerType added in v0.2.2

type AuthHandlerType string
const (
	// AuthHandlerLogin redirects unauthenticated requests to a login page, or sends a www-authenticate challenge. Logins are validated using the specified PasswordAuth
	AuthHandlerLogin AuthHandlerType = "login"
	// AuthHandlerGithub redirects unauthenticated requests to GitHub to request an OAuth token.
	AuthHandlerGithub AuthHandlerType = "github"
	// AuthHandlerGoogle redirects unauthenticated requests to Google to request an OAuth token.
	AuthHandlerGoogle AuthHandlerType = "google"
	// AuthHandlerDeny treats unauthenticated requests as failures
	AuthHandlerDeny AuthHandlerType = "deny"
)

type AuthRequestHandlerType added in v0.2.2

type AuthRequestHandlerType string
const (
	// AuthRequestHandlerBearer validates a passed "Authorization: Bearer" token, using the specified TokenStore
	AuthRequestHandlerBearer AuthRequestHandlerType = "bearer"
	// AuthRequestHandlerRequestHeader treats any request with a value in one of the RequestHeaders headers as authenticated
	AuthRequestHandlerRequestHeader AuthRequestHandlerType = "requestheader"
	// AuthRequestHandlerBasicAuth validates a passed "Authorization: Basic" header using the specified PasswordAuth
	AuthRequestHandlerBasicAuth AuthRequestHandlerType = "basicauth"
	// AuthRequestHandlerSession authenticates requests containing user information in the request session
	AuthRequestHandlerSession AuthRequestHandlerType = "session"
)

func ParseAuthRequestHandlerTypes added in v0.2.2

func ParseAuthRequestHandlerTypes(types string) []AuthRequestHandlerType

type GrantHandlerType added in v0.2.2

type GrantHandlerType string
const (
	// GrantHandlerAuto auto-approves client authorization grant requests
	GrantHandlerAuto GrantHandlerType = "auto"
	// GrantHandlerPrompt prompts the user to approve new client authorization grant requests
	GrantHandlerPrompt GrantHandlerType = "prompt"
	// GrantHandlerDeny auto-denies client authorization grant requests
	GrantHandlerDeny GrantHandlerType = "deny"
)

type MasterConfig

type MasterConfig struct {
	MasterConfigParameters

	Authenticator                 authenticator.Request
	Authorizer                    authorizer.Authorizer
	AuthorizationAttributeBuilder authorizer.AuthorizationAttributeBuilder

	PolicyCache               *policycache.PolicyCache
	ProjectAuthorizationCache *projectauth.AuthorizationCache

	// Map requests to contexts
	RequestContextMapper kapi.RequestContextMapper

	AdmissionControl admission.Interface

	// a function that returns the appropriate image to use for a named component
	ImageFor func(component string) string

	TLS bool
}

MasterConfig defines the required parameters for starting the OpenShift master

func BuildMasterConfig added in v0.3.3

func BuildMasterConfig(configParams MasterConfigParameters) (*MasterConfig, error)

func (*MasterConfig) BuildControllerClients added in v0.2.1

func (c *MasterConfig) BuildControllerClients() (*osclient.Client, *kclient.Client)

BuildControllerClients returns the build controller client objects

func (*MasterConfig) BuildLogClient added in v0.2.1

func (c *MasterConfig) BuildLogClient() *kclient.Client

BuildLogClient returns the build log client object

func (*MasterConfig) DeployerClientConfig added in v0.2.1

func (c *MasterConfig) DeployerClientConfig() *kclient.Config

DeployerClientConfig returns the client configuration a Deployer instance launched in a pod should use when making API calls.

func (*MasterConfig) DeploymentClient added in v0.2.1

func (c *MasterConfig) DeploymentClient() *kclient.Client

DeploymentClient returns the deployment client object

func (*MasterConfig) DeploymentConfigChangeControllerClients added in v0.2.1

func (c *MasterConfig) DeploymentConfigChangeControllerClients() (*osclient.Client, *kclient.Client)

func (*MasterConfig) DeploymentConfigControllerClients added in v0.2.1

func (c *MasterConfig) DeploymentConfigControllerClients() (*osclient.Client, *kclient.Client)

func (*MasterConfig) DeploymentControllerClients added in v0.2.1

func (c *MasterConfig) DeploymentControllerClients() (*osclient.Client, *kclient.Client)

DeploymentControllerClients returns the deployment controller client object

func (*MasterConfig) DeploymentImageChangeControllerClient added in v0.2.1

func (c *MasterConfig) DeploymentImageChangeControllerClient() *osclient.Client

func (*MasterConfig) ImageChangeControllerClient added in v0.2.1

func (c *MasterConfig) ImageChangeControllerClient() *osclient.Client

ImageChangeControllerClient returns the openshift client object

func (*MasterConfig) InstallProtectedAPI added in v0.2.2

func (c *MasterConfig) InstallProtectedAPI(container *restful.Container) []string

func (*MasterConfig) InstallUnprotectedAPI added in v0.2.2

func (c *MasterConfig) InstallUnprotectedAPI(container *restful.Container) []string

func (*MasterConfig) KubeClient

func (c *MasterConfig) KubeClient() *kclient.Client

KubeClient returns the kubernetes client object

func (*MasterConfig) PolicyClient added in v0.3.2

func (c *MasterConfig) PolicyClient() *osclient.Client

PolicyClient returns the policy client object It must have the following capabilities:

list, watch all policyBindings in all namespaces
list, watch all policies in all namespaces
create resourceAccessReviews in all namespaces

func (*MasterConfig) Run added in v0.2.1

func (c *MasterConfig) Run(protected []APIInstaller, unprotected []APIInstaller)

Run launches the OpenShift master. It takes optional installers that may install additional endpoints into the server. All endpoints get configured CORS behavior Protected installers' endpoints are protected by API authentication and authorization. Unprotected installers' endpoints do not have any additional protection added.

func (*MasterConfig) RunAssetServer

func (c *MasterConfig) RunAssetServer()

RunAssetServer starts the asset server for the OpenShift UI.

func (*MasterConfig) RunBuildController

func (c *MasterConfig) RunBuildController()

RunBuildController starts the build sync loop for builds and buildConfig processing.

func (*MasterConfig) RunBuildImageChangeTriggerController added in v0.2.1

func (c *MasterConfig) RunBuildImageChangeTriggerController()

RunDeploymentController starts the build image change trigger controller process.

func (*MasterConfig) RunDeploymentConfigChangeController

func (c *MasterConfig) RunDeploymentConfigChangeController()

func (*MasterConfig) RunDeploymentConfigController

func (c *MasterConfig) RunDeploymentConfigController()

func (*MasterConfig) RunDeploymentController added in v0.2.1

func (c *MasterConfig) RunDeploymentController()

RunDeploymentController starts the deployment controller process.

func (*MasterConfig) RunDeploymentImageChangeTriggerController

func (c *MasterConfig) RunDeploymentImageChangeTriggerController()

func (*MasterConfig) RunPolicyCache added in v0.3.3

func (c *MasterConfig) RunPolicyCache()

RunPolicyCache starts the policy cache

func (*MasterConfig) RunProjectAuthorizationCache added in v0.3.2

func (c *MasterConfig) RunProjectAuthorizationCache()

RunProjectAuthorizationCache starts the project authorization cache

func (*MasterConfig) WebHookClient added in v0.2.1

func (c *MasterConfig) WebHookClient() *osclient.Client

WebHookClient returns the webhook client object

type MasterConfigParameters added in v0.3.3

type MasterConfigParameters struct {
	// host:port to bind master to
	MasterBindAddr string
	// host:port to bind asset server to
	AssetBindAddr string
	// url to access the master API on within the cluster
	MasterAddr string
	// url to access kubernetes API on within the cluster
	KubernetesAddr string
	// external clients may need to access APIs at different addresses than internal components do
	MasterPublicAddr     string
	KubernetesPublicAddr string
	AssetPublicAddr      string
	// LogoutURI is an optional, absolute URI to redirect web browsers to after logging out of the web console.
	// If not specified, the built-in logout page is shown.
	LogoutURI string

	CORSAllowedOrigins []string

	EtcdHelper tools.EtcdHelper

	MasterCertFile string
	MasterKeyFile  string
	AssetCertFile  string
	AssetKeyFile   string

	// ClientCAs will be used to request client certificates in connections to the API.
	// This CertPool should contain all the CAs that will be used for client certificate verification.
	ClientCAs *x509.CertPool

	MasterAuthorizationNamespace string

	// kubeClient is the client used to call Kubernetes APIs from system components, built from KubeClientConfig.
	// It should only be accessed via the *Client() helper methods.
	// To apply different access control to a system component, create a separate client/config specifically for that component.
	KubeClient *kclient.Client
	// KubeClientConfig is the client configuration used to call Kubernetes APIs from system components.
	// To apply different access control to a system component, create a client config specifically for that component.
	KubeClientConfig kclient.Config

	// osClient is the client used to call OpenShift APIs from system components, built from OSClientConfig.
	// It should only be accessed via the *Client() helper methods.
	// To apply different access control to a system component, create a separate client/config specifically for that component.
	OSClient *osclient.Client
	// OSClientConfig is the client configuration used to call OpenShift APIs from system components
	// To apply different access control to a system component, create a client config specifically for that component.
	OSClientConfig kclient.Config

	// DeployerOSClientConfig is the client configuration used to call OpenShift APIs from launched deployer pods
	DeployerOSClientConfig kclient.Config
}

type PasswordAuthType added in v0.2.2

type PasswordAuthType string
const (
	// PasswordAuthAnyPassword treats any non-empty username and password combination as a successful authentication
	PasswordAuthAnyPassword PasswordAuthType = "anypassword"
	// PasswordAuthBasicAuthURL validates password credentials by making a request to a remote url using basic auth. See basicauthpassword.Authenticator
	PasswordAuthBasicAuthURL PasswordAuthType = "basicauthurl"
	// PasswordAuthHTPasswd validates usernames and passwords against an htpasswd file
	PasswordAuthHTPasswd PasswordAuthType = "htpasswd"
	// PasswordAuthDeny treats any username and password combination as an unsuccessful authentication
	PasswordAuthDeny PasswordAuthType = "deny"
)

type TokenStoreType added in v0.2.2

type TokenStoreType string
const (
	// Validate bearer tokens by looking in the OAuth access token registry
	TokenStoreOAuth TokenStoreType = "oauth"
	// Validate bearer tokens by looking in a CSV file located at the specified TokenFilePath
	TokenStoreFile TokenStoreType = "file"
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL