Merge pull request #1 from liggitt/public_bind

Separate asset bind and asset public addr

Author: sosiouxme

pkg/cmd/server/origin/auth.go

@@ -76,10 +76,13 @@ var (
 )
 
 type AuthConfig struct {
-	MasterAddr     string
-	MasterRoots    *x509.CertPool
-	SessionSecrets []string
-	EtcdHelper     tools.EtcdHelper
+	// URL to call internally during token request
+	MasterAddr string
+	// URL to direct browsers to the master on
+	MasterPublicAddr string
+	MasterRoots      *x509.CertPool
+	SessionSecrets   []string
+	EtcdHelper       tools.EtcdHelper
 }
 
 // InstallAPI starts an OAuth2 server and registers the supported REST APIs
@@ -122,9 +125,9 @@ func (c *AuthConfig) InstallAPI(container *restful.Container) []string {
 	)
 	server.Install(mux, OpenShiftOAuthAPIPrefix)
 
-	CreateOrUpdateDefaultOAuthClients(c.MasterAddr, oauthEtcd)
+	CreateOrUpdateDefaultOAuthClients(c.MasterPublicAddr, oauthEtcd)
 	osOAuthClientConfig := c.NewOpenShiftOAuthClientConfig(&OSBrowserClientBase)
-	osOAuthClientConfig.RedirectUrl = c.MasterAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint
+	osOAuthClientConfig.RedirectUrl = c.MasterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint
 
 	osOAuthClient, _ := osincli.NewClient(osOAuthClientConfig)
 	if c.MasterRoots != nil {
@@ -157,30 +160,30 @@ func (c *AuthConfig) NewOpenShiftOAuthClientConfig(client *oauthapi.Client) *osi
 		ClientSecret:             client.Secret,
 		ErrorsInStatusCode:       true,
 		SendClientSecretInParams: true,
-		AuthorizeUrl:             c.MasterAddr + OpenShiftOAuthAPIPrefix + "/authorize",
+		AuthorizeUrl:             c.MasterPublicAddr + OpenShiftOAuthAPIPrefix + "/authorize",
 		TokenUrl:                 c.MasterAddr + OpenShiftOAuthAPIPrefix + "/token",
 		Scope:                    "",
 	}
 	return config
 }
 
-func CreateOrUpdateDefaultOAuthClients(masterAddr string, clientRegistry oauthclient.Registry) {
+func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, clientRegistry oauthclient.Registry) {
 	clientsToEnsure := []*oauthapi.Client{
 		{
 			ObjectMeta: kapi.ObjectMeta{
 				Name: OSBrowserClientBase.Name,
 			},
 			Secret:                OSBrowserClientBase.Secret,
 			RespondWithChallenges: OSBrowserClientBase.RespondWithChallenges,
-			RedirectURIs:          []string{masterAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint},
+			RedirectURIs:          []string{masterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint},
 		},
 		{
 			ObjectMeta: kapi.ObjectMeta{
 				Name: OSCliClientBase.Name,
 			},
 			Secret:                OSCliClientBase.Secret,
 			RespondWithChallenges: OSCliClientBase.RespondWithChallenges,
-			RedirectURIs:          []string{masterAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint},
+			RedirectURIs:          []string{masterPublicAddr + OpenShiftOAuthAPIPrefix + tokenrequest.DisplayTokenEndpoint},
 		},
 	}
 
@@ -256,7 +259,7 @@ func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, sessionStore sess
 		}
 
 		state := external.DefaultState()
-		oauthHandler, err := external.NewExternalOAuthRedirector(oauthProvider, state, c.MasterAddr+callbackPath, successHandler, errorHandler, identityMapper)
+		oauthHandler, err := external.NewExternalOAuthRedirector(oauthProvider, state, c.MasterPublicAddr+callbackPath, successHandler, errorHandler, identityMapper)
 		if err != nil {
 			glog.Fatalf("unexpected error: %v", err)
 		}

pkg/cmd/server/origin/master.go

@@ -80,13 +80,18 @@ const (
 
 // MasterConfig defines the required parameters for starting the OpenShift master
 type MasterConfig struct {
-	BindAddr       string
-	MasterAddr     string
-	AssetAddr      string
+	// host:port to bind master to
+	MasterBindAddr string
+	// host:port to bind asset server to
+	AssetBindAddr string
+	// url to access the master API on within the cluster
+	MasterAddr string
+	// url to access kubernetes API on within the cluster
 	KubernetesAddr string
 	// external clients may need to access APIs at different addresses than internal components do
 	MasterPublicAddr     string
 	KubernetesPublicAddr string
+	AssetPublicAddr      string
 
 	TLS bool
 
@@ -299,7 +304,7 @@ func (c *MasterConfig) RunAPI(installers ...APIInstaller) {
 	}
 
 	server := &http.Server{
-		Addr:           c.BindAddr,
+		Addr:           c.MasterBindAddr,
 		Handler:        handler,
 		ReadTimeout:    5 * time.Minute,
 		WriteTimeout:   5 * time.Minute,
@@ -325,7 +330,7 @@ func (c *MasterConfig) RunAPI(installers ...APIInstaller) {
 	}, 0)
 
 	// Attempt to verify the server came up for 20 seconds (100 tries * 100ms, 100ms timeout per try)
-	cmdutil.WaitForSuccessfulDial("tcp", c.BindAddr, 100*time.Millisecond, 100*time.Millisecond, 100)
+	cmdutil.WaitForSuccessfulDial("tcp", c.MasterBindAddr, 100*time.Millisecond, 100*time.Millisecond, 100)
 }
 
 // wireAuthenticationHandling creates and binds all the objects that we only care about if authentication is turned on.  It's pulled out
@@ -421,7 +426,7 @@ func (c *MasterConfig) RunAssetServer() {
 	)
 
 	server := &http.Server{
-		Addr:           c.AssetAddr,
+		Addr:           c.AssetBindAddr,
 		Handler:        mux,
 		ReadTimeout:    5 * time.Minute,
 		WriteTimeout:   5 * time.Minute,
@@ -437,16 +442,18 @@ func (c *MasterConfig) RunAssetServer() {
 				// This allows certificates to be validated by authenticators, while still allowing other auth types
 				ClientAuth: tls.RequestClientCert,
 			}
-			glog.Infof("Started OpenShift static asset server at https://%s", c.AssetAddr)
+			glog.Infof("OpenShift UI listening at https://%s", c.AssetBindAddr)
 			glog.Fatal(server.ListenAndServeTLS(c.AssetCertFile, c.AssetKeyFile))
 		} else {
-			glog.Infof("Started OpenShift static asset server at http://%s", c.AssetAddr)
+			glog.Infof("OpenShift UI listening at https://%s", c.AssetBindAddr)
 			glog.Fatal(server.ListenAndServe())
 		}
 	}, 0)
 
 	// Attempt to verify the server came up for 20 seconds (100 tries * 100ms, 100ms timeout per try)
-	cmdutil.WaitForSuccessfulDial("tcp", c.AssetAddr, 100*time.Millisecond, 100*time.Millisecond, 100)
+	cmdutil.WaitForSuccessfulDial("tcp", c.AssetBindAddr, 100*time.Millisecond, 100*time.Millisecond, 100)
+
+	glog.Infof("OpenShift UI available at %s", c.AssetPublicAddr)
 }
 
 // RunBuildController starts the build sync loop for builds and buildConfig processing.

pkg/cmd/server/start.go

@@ -110,8 +110,8 @@ func NewCommandStartServer(name string) *cobra.Command {
 		EtcdAddr:             flagtypes.Addr{Value: "0.0.0.0:4001", DefaultScheme: "http", DefaultPort: 4001}.Default(),
 		KubernetesAddr:       flagtypes.Addr{DefaultScheme: "https", DefaultPort: 8443}.Default(),
 		PortalNet:            flagtypes.DefaultIPNet("172.30.17.0/24"),
-		MasterPublicAddr:     flagtypes.Addr{Value: hostname, DefaultScheme: "https", DefaultPort: 443, AllowPrefix: true}.Default(),
-		KubernetesPublicAddr: flagtypes.Addr{Value: hostname, DefaultScheme: "https", DefaultPort: 443}.Default(),
+		MasterPublicAddr:     flagtypes.Addr{Value: "localhost:8443", DefaultScheme: "https", DefaultPort: 8443, AllowPrefix: true}.Default(),
+		KubernetesPublicAddr: flagtypes.Addr{Value: "localhost:8443", DefaultScheme: "https", DefaultPort: 8443, AllowPrefix: true}.Default(),
 
 		Hostname: hostname,
 		NodeList: flagtypes.StringList{"127.0.0.1"},
@@ -246,20 +246,27 @@ func start(cfg *config, args []string) error {
 			k8sPublicAddr = cfg.KubernetesAddr
 		}
 
-		assetAddr := net.JoinHostPort(cfg.BindAddr.Host, strconv.Itoa(cfg.BindAddr.Port+1))
+		// Derive the asset bind address by incrementing the master bind address port by 1
+		assetBindAddr := net.JoinHostPort(cfg.BindAddr.Host, strconv.Itoa(cfg.BindAddr.Port+1))
+		// Derive the asset public address by incrementing the master public address port by 1
+		assetPublicAddr := *masterPublicAddr.URL
+		assetPublicAddr.Host = net.JoinHostPort(masterPublicAddr.Host, strconv.Itoa(masterPublicAddr.Port+1))
 
 		// always include the all-in-one server's web console as an allowed CORS origin
 		// always include localhost as an allowed CORS origin
 		// always include master and kubernetes public addresses as an allowed CORS origin
-		cfg.CORSAllowedOrigins = append(cfg.CORSAllowedOrigins, assetAddr, "localhost", "127.0.0.1",
-			cfg.MasterPublicAddr.URL.Host, cfg.KubernetesPublicAddr.URL.Host)
+		for _, origin := range []string{assetPublicAddr.Host, masterPublicAddr.URL.Host, k8sPublicAddr.URL.Host, "localhost", "127.0.0.1"} {
+			// TODO: check if origin is already allowed
+			cfg.CORSAllowedOrigins = append(cfg.CORSAllowedOrigins, origin)
+		}
 
 		osmaster := &origin.MasterConfig{
-			TLS:                   cfg.MasterAddr.URL.Scheme == "https",
-			BindAddr:              cfg.BindAddr.URL.Host,
+			TLS:                   cfg.BindAddr.URL.Scheme == "https",
+			MasterBindAddr:        cfg.BindAddr.URL.Host,
 			MasterAddr:            cfg.MasterAddr.URL.String(),
 			MasterPublicAddr:      masterPublicAddr.URL.String(),
-			AssetAddr:             assetAddr,
+			AssetBindAddr:         assetBindAddr,
+			AssetPublicAddr:       assetPublicAddr.String(),
 			KubernetesAddr:        cfg.KubernetesAddr.URL.String(),
 			KubernetesPublicAddr:  k8sPublicAddr.URL.String(),
 			EtcdHelper:            etcdHelper,
@@ -344,10 +351,11 @@ func start(cfg *config, args []string) error {
 		osmaster.EnsureCORSAllowedOrigins(cfg.CORSAllowedOrigins)
 
 		auth := &origin.AuthConfig{
-			MasterAddr:     cfg.MasterAddr.URL.String(),
-			MasterRoots:    roots,
-			SessionSecrets: []string{"secret"},
-			EtcdHelper:     etcdHelper,
+			MasterAddr:       cfg.MasterAddr.URL.String(),
+			MasterPublicAddr: masterPublicAddr.URL.String(),
+			MasterRoots:      roots,
+			SessionSecrets:   []string{"secret"},
+			EtcdHelper:       etcdHelper,
 		}
 
 		if startKube {