WIP Proxy to devconsole api #86

Open
wants to merge 5 commits into
base: master-next
20 changes: 20 additions & 0 deletions cmd/bridge/main.go
Expand Up @@ -36,6 +36,10 @@ const (

// Well-known location of Alert Manager service for OpenShift. This is only accessible in-cluster.
openshiftAlertManagerHost = "alertmanager-main.openshift-monitoring.svc:9094"

// Well-known location of DevConsole App Service for OpenShift. This is only accessible in-cluster after
// the developer perspective is enabled using the operator.
openshiftDevConsoleAppServiceHost = "devconsole.openshift-operators.svc:8080" // TODO:use a different namespace?
)

func main() {
Expand Down Expand Up @@ -271,6 +275,14 @@ func main() {
}
}

srv.DevConsoleAppServiceProxyConfig = &proxy.Config{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: *fK8sModeOffClusterSkipVerifyTLS,
},
HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
Endpoint: &url.URL{Scheme: "http", Host: openshiftDevConsoleAppServiceHost, Path: ""},
}

case "off-cluster":
k8sEndpoint = validateFlagIsURL("k8s-mode-off-cluster-endpoint", *fK8sModeOffClusterEndpoint)

Expand All @@ -281,6 +293,14 @@ func main() {
HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
Endpoint: k8sEndpoint,
}
// TODO: remove this later
srv.DevConsoleAppServiceProxyConfig = &proxy.Config{
Should we move this to in-cluster? Or are we doing this at a later time?

If you check https://pr-86-openshift-console.apps.rohit13.devcluster.openshift.com/k8s/ns/openshift-console/deploymentconfigs/pr-86/yaml , console is started with

command:
            - /opt/bridge/bin/bridge
            - '--public-dir=/opt/bridge/static'
            - '--config=/var/console-config/console-config.yaml'
            - '--service-ca-file=/var/service-ca/service-ca.crt'

and the config looks like

kind: ConsoleConfig
apiVersion: console.openshift.io/v1beta1
auth:
  clientID: pr-86
  clientSecretFile: /var/oauth-config/clientSecret
  logoutRedirect: ""
  oauthEndpointCAFile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
clusterInfo:
  consoleBaseAddress: https://pr-86-openshift-console.apps.rohit13.devcluster.openshift.com
  consoleBasePath: ""
  masterPublicURL: https://https://api.rohit13.devcluster.openshift.com:6443
customization:
  branding: ocp
  documentationBaseURL: https://docs.openshift.com/container-platform/4.0/
servingInfo:
  bindAddress: https://0.0.0.0:8443
  certFile: /var/serving-cert/tls.crt
  keyFile: /var/serving-cert/tls.key

so, probably, it uses in-cluster; let me put the code in off-cluster

TLSClientConfig: &tls.Config{
InsecureSkipVerify: *fK8sModeOffClusterSkipVerifyTLS,
},
HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
Endpoint: &url.URL{Scheme: "http", Host: openshiftDevConsoleAppServiceHost, Path: ""},


I assume this service will be available in-cluster? If so, we should use https and the service-ca certificate like we do for prometheus

Sam, Right! Will do that.

}
default:
flagFatalf("k8s-mode", "must be one of: in-cluster, off-cluster")
}
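Review bot: The in-cluster branch (the `srv.DevConsoleAppServiceProxyConfig` block that sits just before `case "off-cluster":`) seeds `InsecureSkipVerify` from `*fK8sModeOffClusterSkipVerifyTLS`, an off-cluster flag, so certificate verification for an in-cluster deployment is controlled by a switch that belongs to the other mode; the in-cluster Prometheus and Alert Manager proxy configs set up earlier in this function are not visible here, but this block should take its TLS client config from the same source they use rather than from the off-cluster flag. With `Endpoint` hard-coded to `Scheme: "http"` the `TLSClientConfig` is dead configuration in both branches, which hides the flag mix-up. The `// TODO:use a different namespace?` on the host constant and the `// TODO: remove this later` on the off-cluster copy should be resolved or tracked before this leaves WIP, since `devconsole.openshift-operators.svc:8080` cannot resolve off-cluster. main() starts and ends outside the hunks.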
52 changes: 39 additions & 13 deletions server/server.go
Expand Up @@ -23,15 +23,16 @@ const (
indexPageTemplateName = "index.html"
tokenizerPageTemplateName = "tokener.html"

authLoginEndpoint = "/auth/login"
AuthLoginCallbackEndpoint = "/auth/callback"
AuthLoginSuccessEndpoint = "/"
AuthLoginErrorEndpoint = "/error"
authLogoutEndpoint = "/auth/logout"
k8sProxyEndpoint = "/api/kubernetes/"
prometheusProxyEndpoint = "/api/prometheus"
prometheusTenancyProxyEndpoint = "/api/prometheus-tenancy"
alertManagerProxyEndpoint = "/api/alertmanager"
authLoginEndpoint = "/auth/login"
AuthLoginCallbackEndpoint = "/auth/callback"
AuthLoginSuccessEndpoint = "/"
AuthLoginErrorEndpoint = "/error"
authLogoutEndpoint = "/auth/logout"
k8sProxyEndpoint = "/api/kubernetes/"
prometheusProxyEndpoint = "/api/prometheus"
prometheusTenancyProxyEndpoint = "/api/prometheus-tenancy"
alertManagerProxyEndpoint = "/api/alertmanager"
devConsoleAppServiceProxyEndpoint = "/api/devconsole/"
)

var (
Expand All @@ -57,6 +58,7 @@ type jsGlobals struct {
DocumentationBaseURL string `json:"documentationBaseURL"`
GoogleTagManagerID string `json:"googleTagManagerID"`
LoadTestFactor int `json:"loadTestFactor"`
AppServiceBaseURL string `json:"appServiceBaseURL"`
}

type Server struct {
Expand All @@ -76,16 +78,21 @@ type Server struct {
LoadTestFactor int
DexClient api.DexClient
// A client with the correct TLS setup for communicating with the API server.
K8sClient *http.Client
PrometheusProxyConfig *proxy.Config
PrometheusTenancyProxyConfig *proxy.Config
AlertManagerProxyConfig *proxy.Config
K8sClient *http.Client
PrometheusProxyConfig *proxy.Config
PrometheusTenancyProxyConfig *proxy.Config
AlertManagerProxyConfig *proxy.Config
DevConsoleAppServiceProxyConfig *proxy.Config
}

func (s *Server) authDisabled() bool {
return s.Auther == nil
}

func (s *Server) devConsoleAppServiceProxyEnabled() bool {
return s.DevConsoleAppServiceProxyConfig != nil
}

func (s *Server) prometheusProxyEnabled() bool {
return s.PrometheusProxyConfig != nil && s.PrometheusTenancyProxyConfig != nil
}
Expand Down Expand Up @@ -214,6 +221,20 @@ func (s *Server) HTTPHandler() http.Handler {
)
}

if s.devConsoleAppServiceProxyEnabled() {
appServiceProxyAPIPath := devConsoleAppServiceProxyEndpoint
appServiceProxy := proxy.NewProxy(s.DevConsoleAppServiceProxyConfig)

handle(appServiceProxyAPIPath, http.StripPrefix(
proxy.SingleJoiningSlash(s.BaseURL.Path, appServiceProxyAPIPath),
authHandlerWithUser(func(user *auth.User, w http.ResponseWriter, r *http.Request) {
r.Header.Set("Authorization", fmt.Sprintf("Bearer %s", user.Token))
appServiceProxy.ServeHTTP(w, r)
})),
)
fmt.Println("enabling proxy for " + proxy.SingleJoiningSlash(s.BaseURL.Path, appServiceProxyAPIPath))
}

handle("/api/tectonic/version", authHandler(s.versionHandler))
mux.HandleFunc(s.BaseURL.Path, s.indexHandler)

Expand Down Expand Up @@ -272,6 +293,11 @@ func (s *Server) indexHandler(w http.ResponseWriter, r *http.Request) {
jsg.AlertManagerBaseURL = proxy.SingleJoiningSlash(s.BaseURL.Path, alertManagerProxyEndpoint)
}

if s.devConsoleAppServiceProxyEnabled() {
jsg.AppServiceBaseURL = proxy.SingleJoiningSlash(s.BaseURL.Path, devConsoleAppServiceProxyEndpoint)
fmt.Println(jsg.AppServiceBaseURL)
}

if !s.authDisabled() {
s.Auther.SetCSRFCookie(s.BaseURL.Path, &w)
}
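Review bot: `fmt.Println(jsg.AppServiceBaseURL)` in indexHandler writes to stdout on every index page request, and `fmt.Println("enabling proxy for " + ...)` in HTTPHandler bypasses whatever logger the rest of the file uses; drop the first and make the second a log call, e.g. `log.Printf("enabling devconsole proxy at %s", proxy.SingleJoiningSlash(s.BaseURL.Path, appServiceProxyAPIPath))` if `log` is already imported (the hunks do not show the import block). The handler copies the user's token into `Authorization: Bearer` before `appServiceProxy.ServeHTTP`, so this route is reachable from the browser with a session cookie; whether `authHandlerWithUser` applies the same CSRF check as the other proxy routes is not visible here and should be confirmed. The new `devConsoleAppServiceProxyEndpoint = "/api/devconsole/"` carries a trailing slash while the Prometheus and Alert Manager endpoints do not, so a one-line comment stating that the slash is intentional (it matches `k8sProxyEndpoint`) would help. Both HTTPHandler and indexHandler start and end outside the hunks.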