forked from openshift/origin
/
server.go
92 lines (75 loc) · 3.65 KB
/
server.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
package openshift_integrated_oauth_server
import (
"errors"
"k8s.io/apiserver/pkg/authentication/user"
genericapiserver "k8s.io/apiserver/pkg/server"
genericapiserveroptions "k8s.io/apiserver/pkg/server/options"
"k8s.io/kubernetes/pkg/api/legacyscheme"
osinv1 "github.com/openshift/api/osin/v1"
"github.com/openshift/library-go/pkg/config/helpers"
"github.com/openshift/origin/pkg/cmd/openshift-apiserver/openshiftapiserver/configprocessing"
"github.com/openshift/origin/pkg/oauthserver/oauthserver"
// for metrics
_ "k8s.io/kubernetes/pkg/client/metrics/prometheus"
)
func RunOsinServer(osinConfig *osinv1.OsinServerConfig, stopCh <-chan struct{}) error {
if osinConfig == nil {
return errors.New("osin server requires non-empty oauthConfig")
}
oauthServerConfig, err := newOAuthServerConfig(osinConfig)
if err != nil {
return err
}
oauthServer, err := oauthServerConfig.Complete().New(genericapiserver.NewEmptyDelegate())
if err != nil {
return err
}
oauthServer.GenericAPIServer.AddPostStartHookOrDie("oauth.openshift.io-startoauthclientsbootstrapping", oauthServerConfig.StartOAuthClientsBootstrapping)
return oauthServer.GenericAPIServer.PrepareRun().Run(stopCh)
}
func newOAuthServerConfig(osinConfig *osinv1.OsinServerConfig) (*oauthserver.OAuthServerConfig, error) {
genericConfig := genericapiserver.NewRecommendedConfig(legacyscheme.Codecs)
servingOptions, err := configprocessing.ToServingOptions(osinConfig.ServingInfo)
if err != nil {
return nil, err
}
if err := servingOptions.ApplyTo(&genericConfig.Config.SecureServing, &genericConfig.Config.LoopbackClientConfig); err != nil {
return nil, err
}
// the oauth-server must only run in http1 to avoid http2 connection re-use problems when improperly re-using a wildcard certificate
genericConfig.Config.SecureServing.HTTP1Only = true
authenticationOptions := genericapiserveroptions.NewDelegatingAuthenticationOptions()
authenticationOptions.ClientCert.ClientCA = osinConfig.ServingInfo.ClientCA
authenticationOptions.RemoteKubeConfigFile = osinConfig.KubeClientConfig.KubeConfig
if err := authenticationOptions.ApplyTo(&genericConfig.Authentication, genericConfig.SecureServing, genericConfig.OpenAPIConfig); err != nil {
return nil, err
}
authorizationOptions := genericapiserveroptions.NewDelegatingAuthorizationOptions().
// TODO better formalize / generate this list as trailing * matters
WithAlwaysAllowPaths( // The five sections are:
"/healthz", "/healthz/", // 1. Health checks (root, no wildcard)
"/oauth/*", // 2. OAuth (wildcard)
"/login", "/login/*", // 3. Login (both root and wildcard)
"/logout", "/logout/", // 4. Logout (root, no wildcard)
"/oauth2callback/*", // 5. OAuth callbacks (wildcard)
).
WithAlwaysAllowGroups(user.SystemPrivilegedGroup)
authorizationOptions.RemoteKubeConfigFile = osinConfig.KubeClientConfig.KubeConfig
if err := authorizationOptions.ApplyTo(&genericConfig.Authorization); err != nil {
return nil, err
}
// TODO You need real overrides for rate limiting
kubeClientConfig, err := helpers.GetKubeConfigOrInClusterConfig(osinConfig.KubeClientConfig.KubeConfig, osinConfig.KubeClientConfig.ConnectionOverrides)
if err != nil {
return nil, err
}
oauthServerConfig, err := oauthserver.NewOAuthServerConfig(osinConfig.OAuthConfig, kubeClientConfig, genericConfig)
if err != nil {
return nil, err
}
// TODO you probably want to set this
oauthServerConfig.GenericConfig.CorsAllowedOriginList = osinConfig.CORSAllowedOrigins
//oauthServerConfig.GenericConfig.AuditBackend = genericConfig.AuditBackend
//oauthServerConfig.GenericConfig.AuditPolicyChecker = genericConfig.AuditPolicyChecker
return oauthServerConfig, nil
}