-
Notifications
You must be signed in to change notification settings - Fork 0
/
server.go
145 lines (121 loc) · 6.11 KB
/
server.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
package server
import (
"context"
"net/http"
"github.com/gorilla/mux"
"github.com/rancher/rancher/pkg/api/controllers/dynamiclistener"
"github.com/rancher/rancher/pkg/api/customization/clusterregistrationtokens"
managementapi "github.com/rancher/rancher/pkg/api/server"
"github.com/rancher/rancher/pkg/audit"
"github.com/rancher/rancher/pkg/auth/providers/publicapi"
"github.com/rancher/rancher/pkg/auth/providers/saml"
"github.com/rancher/rancher/pkg/auth/requests"
"github.com/rancher/rancher/pkg/auth/requests/sar"
"github.com/rancher/rancher/pkg/auth/tokens"
"github.com/rancher/rancher/pkg/clustermanager"
rancherdialer "github.com/rancher/rancher/pkg/dialer"
"github.com/rancher/rancher/pkg/httpproxy"
k8sProxyPkg "github.com/rancher/rancher/pkg/k8sproxy"
"github.com/rancher/rancher/pkg/pipeline/hooks"
"github.com/rancher/rancher/pkg/rkenodeconfigserver"
"github.com/rancher/rancher/pkg/telemetry"
"github.com/rancher/rancher/pkg/websocket"
"github.com/rancher/rancher/server/capabilities"
"github.com/rancher/rancher/server/responsewriter"
"github.com/rancher/rancher/server/ui"
"github.com/rancher/rancher/server/whitelist"
managementSchema "github.com/rancher/types/apis/management.cattle.io/v3/schema"
"github.com/rancher/types/config"
)
func Start(ctx context.Context, httpPort, httpsPort int, localClusterEnabled bool, scaledContext *config.ScaledContext, clusterManager *clustermanager.Manager, auditLogWriter *audit.LogWriter) error {
tokenAPI, err := tokens.NewAPIHandler(ctx, scaledContext)
if err != nil {
return err
}
publicAPI, err := publicapi.NewHandler(ctx, scaledContext)
if err != nil {
return err
}
k8sProxy := k8sProxyPkg.New(scaledContext, scaledContext.Dialer)
managementAPI, err := managementapi.New(ctx, scaledContext, clusterManager, k8sProxy, localClusterEnabled)
if err != nil {
return err
}
root := mux.NewRouter()
root.UseEncodedPath()
rawAuthedAPIs := newAuthed(tokenAPI, managementAPI, k8sProxy, scaledContext)
sar := sar.NewSubjectAccessReview(clusterManager)
authedHandler, err := requests.NewAuthenticationFilter(ctx, scaledContext, rawAuthedAPIs, sar)
if err != nil {
return err
}
websocketHandler := websocket.NewWebsocketHandler(authedHandler)
auditHandler := audit.NewAuditLogFilter(ctx, auditLogWriter, websocketHandler)
webhookHandler := hooks.New(scaledContext)
connectHandler, connectConfigHandler := connectHandlers(scaledContext)
samlRoot := saml.AuthHandler()
chain := responsewriter.NewMiddlewareChain(responsewriter.Gzip, responsewriter.NoCache, responsewriter.DenyFrameOptions, responsewriter.ContentType, ui.UI)
chainGzip := responsewriter.NewMiddlewareChain(responsewriter.Gzip, responsewriter.ContentType)
root.Handle("/", chain.Handler(managementAPI))
root.PathPrefix("/v3-public").Handler(publicAPI)
root.Handle("/v3/import/{token}.yaml", http.HandlerFunc(clusterregistrationtokens.ClusterImportHandler))
root.Handle("/v3/connect", connectHandler)
root.Handle("/v3/connect/register", connectHandler)
root.Handle("/v3/connect/config", connectConfigHandler)
root.Handle("/v3/settings/cacerts", rawAuthedAPIs).Methods(http.MethodGet)
root.Handle("/v3/settings/first-login", rawAuthedAPIs).Methods(http.MethodGet)
root.Handle("/v3/settings/ui-pl", rawAuthedAPIs).Methods(http.MethodGet)
root.PathPrefix("/v3").Handler(chainGzip.Handler(auditHandler))
root.PathPrefix("/hooks").Handler(webhookHandler)
root.PathPrefix("/k8s/clusters/").Handler(auditHandler)
root.PathPrefix("/meta").Handler(auditHandler)
root.PathPrefix("/v1-telemetry").Handler(auditHandler)
root.NotFoundHandler = ui.UI(http.NotFoundHandler())
root.PathPrefix("/v1-saml").Handler(samlRoot)
// UI
uiContent := responsewriter.NewMiddlewareChain(responsewriter.Gzip, responsewriter.DenyFrameOptions, responsewriter.CacheMiddleware("json", "js", "css")).Handler(ui.Content())
root.PathPrefix("/assets").Handler(uiContent)
root.PathPrefix("/translations").Handler(uiContent)
root.PathPrefix("/ember-fetch").Handler(uiContent)
root.PathPrefix("/engines-dist").Handler(uiContent)
root.Handle("/asset-manifest.json", uiContent)
root.Handle("/crossdomain.xml", uiContent)
root.Handle("/humans.txt", uiContent)
root.Handle("/index.html", uiContent)
root.Handle("/robots.txt", uiContent)
root.Handle("/VERSION.txt", uiContent)
//API UI
root.PathPrefix("/api-ui").Handler(uiContent)
registerHealth(root)
dynamiclistener.Start(ctx, scaledContext, httpPort, httpsPort, root)
return nil
}
func newAuthed(tokenAPI http.Handler, managementAPI http.Handler, k8sproxy http.Handler, scaledContext *config.ScaledContext) *mux.Router {
authed := mux.NewRouter()
authed.UseEncodedPath()
authed.Path("/meta/gkeMachineTypes").Handler(capabilities.NewGKEMachineTypesHandler())
authed.Path("/meta/gkeVersions").Handler(capabilities.NewGKEVersionsHandler())
authed.Path("/meta/gkeZones").Handler(capabilities.NewGKEZonesHandler())
authed.Path("/meta/gkeNetworks").Handler(capabilities.NewGKENetworksHandler())
authed.Path("/meta/gkeSubnetworks").Handler(capabilities.NewGKESubnetworksHandler())
authed.Path("/meta/gkeServiceAccounts").Handler(capabilities.NewGKEServiceAccountsHandler())
authed.Path("/meta/aksVersions").Handler(capabilities.NewAKSVersionsHandler())
authed.Path("/meta/aksVirtualNetworks").Handler(capabilities.NewAKSVirtualNetworksHandler())
authed.PathPrefix("/meta/proxy").Handler(newProxy(scaledContext))
authed.PathPrefix("/meta").Handler(managementAPI)
authed.PathPrefix("/v3/identit").Handler(tokenAPI)
authed.PathPrefix("/v3/token").Handler(tokenAPI)
authed.PathPrefix("/k8s/clusters/").Handler(k8sproxy)
authed.PathPrefix("/v1-telemetry").Handler(telemetry.NewProxy())
authed.PathPrefix(managementSchema.Version.Path).Handler(managementAPI)
return authed
}
func connectHandlers(scaledContext *config.ScaledContext) (http.Handler, http.Handler) {
if f, ok := scaledContext.Dialer.(*rancherdialer.Factory); ok {
return f.TunnelServer, rkenodeconfigserver.Handler(f.TunnelAuthorizer, scaledContext)
}
return http.NotFoundHandler(), http.NotFoundHandler()
}
func newProxy(scaledContext *config.ScaledContext) http.Handler {
return httpproxy.NewProxy("/proxy/", whitelist.Proxy.Get, scaledContext)
}