mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

remove various unexpected features in console (#782)

Browse Source 
- Unix listeners are removed
- KeepAlive, IdleTimeout etc are removed
- Authorization logic is simplified
- Added support for MINIO_PROMETHEUS_JOB_ID
This commit is contained in:
Harshavardhana
2021-06-03 18:04:08 -07:00
committed by GitHub
parent b1aedf813f
commit 83d6620fe3
8 changed files with 116 additions and 287 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
cmd/console/server.go
View File

@@ -130,9 +130,8 @@ func StartServer(ctx *cli.Context) error {
server.Host = ctx.String("host")
server.Port = ctx.Int("port")
restapi.Hostname = ctx.String("host")
restapi.Port = strconv.Itoa(ctx.Int("port"))
restapi.Hostname = server.Host
restapi.Port = strconv.Itoa(server.Port)
// Set all certs and CAs directories path
certs.GlobalCertsDir, _ = certs.NewConfigDirFromCtx(ctx, "certs-dir", certs.DefaultCertsDir.Get)
@@ -149,21 +148,21 @@ func StartServer(ctx *cli.Context) error {
// TLS flags from swagger server, used to support VMware vsphere operator version.
swaggerServerCertificate := ctx.String("tls-certificate")
swaggerServerCertificateKey := ctx.String("tls-key")
SwaggerServerCACertificate := ctx.String("tls-ca")
swaggerServerCACertificate := ctx.String("tls-ca")
// load tls cert and key from swagger server tls-certificate and tls-key flags
if swaggerServerCertificate != "" && swaggerServerCertificateKey != "" {
if errAddCert := certs.AddCertificate(context.Background(),
restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); errAddCert != nil {
log.Println(errAddCert)
if err = certs.AddCertificate(context.Background(),
restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); err != nil {
log.Fatalln(err)
}
if x509Certs, errParseCert := certs.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil {
if x509Certs, err := certs.ParsePublicCertFile(swaggerServerCertificate); err == nil {
restapi.GlobalPublicCerts = append(restapi.GlobalPublicCerts, x509Certs...)
}
}
// load ca cert from swagger server tls-ca flag
if SwaggerServerCACertificate != "" {
caCert, caCertErr := ioutil.ReadFile(SwaggerServerCACertificate)
if swaggerServerCACertificate != "" {
caCert, caCertErr := ioutil.ReadFile(swaggerServerCACertificate)
if caCertErr == nil {
restapi.GlobalRootCAs.AppendCertsFromPEM(caCert)
}
@@ -175,9 +174,8 @@ func StartServer(ctx *cli.Context) error {
// plain HTTP connections to HTTPS server
server.EnabledListeners = []string{"http", "https"}
server.TLSPort = ctx.Int("tls-port")
server.TLSHost = ctx.String("tls-host")
// Need to store tls-port, tls-host un config variables so secure.middleware can read from there
restapi.TLSPort = fmt.Sprintf("%v", ctx.Int("tls-port"))
restapi.TLSPort = strconv.Itoa(server.TLSPort)
restapi.Hostname = ctx.String("host")
restapi.TLSRedirect = ctx.String("tls-redirect")
}

31
pkg/auth/token.go
View File

@@ -32,8 +32,8 @@ import (
"log"
"net/http"
"strings"
"time"
"github.com/go-openapi/swag"
"github.com/minio/console/models"
"github.com/minio/console/pkg/auth/token"
"github.com/minio/minio-go/v7/pkg/credentials"
@@ -43,8 +43,10 @@ import (
"golang.org/x/crypto/pbkdf2"
)
// Session token errors
var (
errNoAuthToken = errors.New("session token missing")
ErrNoAuthToken = errors.New("session token missing")
errTokenExpired = errors.New("session token has expired")
errReadingToken = errors.New("session token internal data is malformed")
errClaimsFormat = errors.New("encrypted session token claims not in the right format")
errorGeneric = errors.New("an error has occurred")
@@ -82,7 +84,7 @@ type TokenClaims struct {
// }
func SessionTokenAuthenticate(token string) (*TokenClaims, error) {
if token == "" {
return nil, errNoAuthToken
return nil, ErrNoAuthToken
}
// decrypt encrypted token
claimTokens, err := decryptClaims(token)
@@ -289,25 +291,18 @@ func decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) {
// either defined on a cookie `token` or on Authorization header.
//
// Authorization Header needs to be like "Authorization Bearer <token>"
func GetTokenFromRequest(r *http.Request) (*string, error) {
// Get Auth token
var reqToken string
func GetTokenFromRequest(r *http.Request) (string, error) {
// Token might come either as a Cookie or as a Header
// if not set in cookie, check if it is set on Header.
tokenCookie, err := r.Cookie("token")
if err != nil {
headerToken := r.Header.Get("Authorization")
// reqToken should come as "Bearer <token>"
splitHeaderToken := strings.Split(headerToken, "Bearer")
if len(splitHeaderToken) <= 1 {
return nil, errNoAuthToken
}
reqToken = strings.TrimSpace(splitHeaderToken[1])
} else {
reqToken = strings.TrimSpace(tokenCookie.Value)
return "", ErrNoAuthToken
}
return swag.String(reqToken), nil
currentTime := time.Now()
if tokenCookie.Expires.After(currentTime) {
return "", errTokenExpired
}
return strings.TrimSpace(tokenCookie.Value), nil
}
func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) {
@@ -317,7 +312,7 @@ func GetClaimsFromTokenInRequest(req *http.Request) (*models.Principal, error) {
}
// Perform decryption of the session token, if Console is able to decrypt the session token that means a valid session
// was used in the first place to get it
claims, err := SessionTokenAuthenticate(*sessionID)
claims, err := SessionTokenAuthenticate(sessionID)
if err != nil {
return nil, err
}

99
restapi/admin_info.go
View File

@@ -151,7 +151,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "time() - max(minio_node_process_starttime_seconds)",
Expr: `time() - max(minio_node_process_starttime_seconds{job="${jobid}"})`,
LegendFormat: "{{instance}}",
Step: 60,
},
@@ -177,7 +177,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "sum by (instance) (minio_s3_traffic_received_bytes{job=\"minio-job\"})",
Expr: `sum by (instance) (minio_s3_traffic_received_bytes{job="${jobid}"})`,
LegendFormat: "{{instance}}",
Step: 60,
},
@@ -203,7 +203,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "topk(1, sum(minio_cluster_capacity_usable_free_bytes) by (instance))",
Expr: `topk(1, sum(minio_cluster_capacity_usable_free_bytes{job="${jobid}"}) by (instance))`,
LegendFormat: "",
Step: 300,
},
@@ -221,7 +221,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "sum(minio_bucket_usage_total_bytes) by (instance)",
Expr: `sum(minio_bucket_usage_total_bytes{job="${jobid}"}) by (instance)`,
LegendFormat: "Used Capacity",
},
},
@@ -245,7 +245,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "max by (range) (minio_bucket_objects_size_distribution)",
Expr: `max by (range) (minio_bucket_objects_size_distribution{job="${jobid}"})`,
LegendFormat: "{{range}}",
Step: 300,
},
@@ -271,7 +271,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "sum (minio_node_file_descriptor_open_total)",
Expr: `sum(minio_node_file_descriptor_open_total{job="${jobid}"})`,
LegendFormat: "",
Step: 60,
},
@@ -297,7 +297,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "sum by (instance) (minio_s3_traffic_sent_bytes{job=\"minio-job\"})",
Expr: `sum by (instance) (minio_s3_traffic_sent_bytes{job="${jobid}"})`,
LegendFormat: "",
Step: 60,
},
@@ -323,7 +323,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "sum without (server,instance) (minio_node_go_routine_total)",
Expr: `sum without (server,instance) (minio_node_go_routine_total{job="${jobid}"})`,
LegendFormat: "",
Step: 60,
},
@@ -349,7 +349,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "minio_cluster_nodes_online_total",
Expr: `minio_cluster_nodes_online_total{job="${jobid}"}`,
LegendFormat: "",
Step: 60,
},
@@ -375,7 +375,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "minio_cluster_disk_online_total",
Expr: `minio_cluster_disk_online_total{job="${jobid}"}`,
LegendFormat: "Total online disks in MinIO Cluster",
Step: 60,
},
@@ -401,7 +401,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "count(count by (bucket) (minio_bucket_usage_total_bytes))",
Expr: `count(count by (bucket) (minio_bucket_usage_total_bytes{job="${jobid}"}))`,
LegendFormat: "",
},
},
@@ -418,7 +418,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "sum by (server) (rate(minio_s3_traffic_received_bytes[$__interval]))",
Expr: `sum by (server) (rate(minio_s3_traffic_received_bytes{job="${jobid}"}[$__interval]))`,
LegendFormat: "Data Received [{{server}}]",
},
},
@@ -435,7 +435,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "sum by (server) (rate(minio_s3_traffic_sent_bytes[$__interval]))",
Expr: `sum by (server) (rate(minio_s3_traffic_sent_bytes{job="${jobid}"}[$__interval]))`,
LegendFormat: "Data Sent [{{server}}]",
},
},
@@ -460,7 +460,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "minio_cluster_nodes_offline_total",
Expr: `minio_cluster_nodes_offline_total{job="${jobid}"}`,
LegendFormat: "",
Step: 60,
},
@@ -486,7 +486,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "minio_cluster_disk_offline_total",
Expr: `minio_cluster_disk_offline_total{job="${jobid}"}`,
LegendFormat: "",
Step: 60,
},
@@ -512,7 +512,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "topk(1, sum(minio_bucket_usage_object_total) by (instance))",
Expr: `topk(1, sum(minio_bucket_usage_object_total{job="${jobid}"}) by (instance))`,
LegendFormat: "",
},
},
@@ -537,7 +537,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "minio_heal_time_last_activity_nano_seconds",
Expr: `minio_heal_time_last_activity_nano_seconds{job="${jobid}"}`,
LegendFormat: "{{server}}",
Step: 60,
},
@@ -563,7 +563,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "minio_usage_last_activity_nano_seconds",
Expr: `minio_usage_last_activity_nano_seconds{job="${jobid}"}`,
LegendFormat: "{{server}}",
Step: 60,
},
@@ -581,7 +581,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "sum by (server,api) (rate(minio_s3_requests_total[$__interval]))",
Expr: `sum by (server,api) (rate(minio_s3_requests_total{job="${jobid}"}[$__interval]))`,
LegendFormat: "{{server,api}}",
},
},
@@ -598,7 +598,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "rate(minio_s3_requests_errors_total[$__interval])",
Expr: `rate(minio_s3_requests_errors_total{job="${jobid}"}[$__interval])`,
LegendFormat: "{{server,api}}",
},
},
@@ -615,13 +615,13 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "rate(minio_inter_node_traffic_sent_bytes{job=\"minio-job\"}[$__interval])",
Expr: `rate(minio_inter_node_traffic_sent_bytes{job="${jobid}"}[$__interval])`,
LegendFormat: "Internode Bytes Received [{{server}}]",
Step: 4,
},
{
Expr: "rate(minio_inter_node_traffic_sent_bytes{job=\"minio-job\"}[$__interval])",
Expr: `rate(minio_inter_node_traffic_sent_bytes{job="${jobid}"}[$__interval])`,
LegendFormat: "Internode Bytes Received [{{server}}]",
},
},
@@ -638,7 +638,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "rate(minio_node_process_cpu_total_seconds[$__interval])",
Expr: `rate(minio_node_process_cpu_total_seconds{job="${jobid}"}[$__interval])`,
LegendFormat: "CPU Usage Rate [{{server}}]",
},
},
@@ -655,7 +655,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "minio_node_process_resident_memory_bytes",
Expr: `minio_node_process_resident_memory_bytes{job="${jobid}"}`,
LegendFormat: "Memory Used [{{server}}]",
},
},
@@ -672,7 +672,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "minio_node_disk_used_bytes",
Expr: `minio_node_disk_used_bytes{job="${jobid}"}`,
LegendFormat: "Used Capacity [{{server}}:{{disk}}]",
},
},
@@ -689,7 +689,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "minio_cluster_disk_free_inodes",
Expr: `minio_cluster_disk_free_inodes{job="${jobid}"}`,
LegendFormat: "Free Inodes [{{server}}:{{disk}}]",
},
},
@@ -706,13 +706,13 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "rate(minio_node_syscall_read_total[$__interval])",
Expr: `rate(minio_node_syscall_read_total{job="${jobid}"}[$__interval])`,
LegendFormat: "Read Syscalls [{{server}}]",
Step: 60,
},
{
Expr: "rate(minio_node_syscall_read_total[$__interval])",
Expr: `rate(minio_node_syscall_read_total{job="${jobid}"}[$__interval])`,
LegendFormat: "Read Syscalls [{{server}}]",
},
},
@@ -729,7 +729,7 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "minio_node_file_descriptor_open_total",
Expr: `minio_node_file_descriptor_open_total{job="${jobid}"}`,
LegendFormat: "Open FDs [{{server}}]",
},
},
@@ -746,12 +746,12 @@ var widgets = []Metric{
},
Targets: []Target{
{
Expr: "rate(minio_node_io_rchar_bytes[$__interval])",
Expr: `rate(minio_node_io_rchar_bytes{job="${jobid}"}[$__interval])`,
LegendFormat: "Node RChar [{{server}}]",
},
{
Expr: "rate(minio_node_io_rchar_bytes[$__interval])",
Expr: `rate(minio_node_io_rchar_bytes{job="${jobid}"}[$__interval])`,
LegendFormat: "Node RChar [{{server}}]",
},
},
@@ -786,8 +786,6 @@ type LabelResults struct {
Response LabelResponse
}
var jobRegex = regexp.MustCompile(`(?m)\{[a-z]+\=\".*?\"\}`)
// getAdminInfoResponse returns the response containing total buckets, objects and usage.
func getAdminInfoResponse(session *models.Principal) (*models.AdminInfoResponse, *models.Error) {
prometheusURL := getPrometheusURL()
@@ -846,6 +844,7 @@ func getAdminInfoResponse(session *models.Principal) (*models.AdminInfoResponse,
func getAdminInfoWidgetResponse(params admin_api.DashboardWidgetDetailsParams) (*models.WidgetDetails, *models.Error) {
prometheusURL := getPrometheusURL()
prometheusJobID := getPrometheusJobID()
labelResultsCh := make(chan LabelResults)
@@ -858,14 +857,9 @@ func getAdminInfoWidgetResponse(params admin_api.DashboardWidgetDetailsParams) (
log.Println(err)
return
}
defer func() {
if err := resp.Body.Close(); err != nil {
log.Println(err)
}
}()
if resp.StatusCode != 200 {
body, err := ioutil.ReadAll(resp.Body)
resp.Body.Close()
if err != nil {
log.Println(err)
return
@@ -878,7 +872,9 @@ func getAdminInfoWidgetResponse(params admin_api.DashboardWidgetDetailsParams) (
var response LabelResponse
jd := json.NewDecoder(resp.Body)
if err = jd.Decode(&response); err != nil {
err = jd.Decode(&response)
resp.Body.Close()
if err != nil {
log.Println(err)
return
}
@@ -947,13 +943,8 @@ LabelsWaitLoop:
}
}
// replace the weird {job="asd"} in the exp
if strings.Contains(queryExpr, "job=") {
queryExpr = jobRegex.ReplaceAllString(queryExpr, "")
}
endpoint := fmt.Sprintf("%s/api/v1/%s?query=%s%s", getPrometheusURL(), apiType, url.QueryEscape(queryExpr), extraParamters)
queryExpr = strings.Replace(queryExpr, "${jobid}", prometheusJobID, -1)
endpoint := fmt.Sprintf("%s/api/v1/%s?query=%s%s", prometheusURL, apiType, url.QueryEscape(queryExpr), extraParamters)
resp, err := http.Get(endpoint)
if err != nil {
log.Println(err)
@@ -983,11 +974,6 @@ LabelsWaitLoop:
log.Println(err)
return
}
//body, _ := ioutil.ReadAll(resp.Body)
//err = json.Unmarshal(body, &response)
//if err != nil {
// log.Println(err)
//}
targetResult := models.ResultTarget{
LegendFormat: target.LegendFormat,
@@ -1000,15 +986,6 @@ LabelsWaitLoop:
})
}
//xx, err := json.Marshal(response)
//if err != nil {
// log.Println(err)
//}
//log.Println("----", m.Title)
//log.Println(string(body))
//log.Println(string(xx))
//log.Println("=====")
targetResults <- &targetResult
}(target, params)

28
restapi/admin_subscription.go
View File

@@ -412,24 +412,22 @@ func RefreshLicense() error {
if err != nil {
return err
}
if refreshedLicenseKey == "" {
return errors.New("license expired, please open a support ticket at https://subnet.min.io/")
}
// store new license in memory for console ui
LicenseKey = refreshedLicenseKey
// Update in memory license and update k8s secret
if refreshedLicenseKey != "" {
if acl.GetOperatorMode() {
ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
defer cancel()
clientSet, err := cluster.K8sClient(saK8SToken)
if err != nil {
return err
}
k8sClient := k8sClient{
client: clientSet,
}
if err = saveSubscriptionLicense(ctx, &k8sClient, refreshedLicenseKey); err != nil {
return err
}
if acl.GetOperatorMode() {
ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
defer cancel()
clientSet, err := cluster.K8sClient(saK8SToken)
if err != nil {
return err
}
k8sClient := k8sClient{
client: clientSet,
}
return saveSubscriptionLicense(ctx, &k8sClient, refreshedLicenseKey)
}
return nil
}

43
restapi/config.go
View File

@@ -22,7 +22,6 @@ import (
"net"
"strconv"
"strings"
"sync"
"time"
"github.com/minio/pkg/certs"
@@ -53,14 +52,21 @@ var (
)
var (
logSearchAPI string
logSearchURL string
prometheusURL string
consoleImage string
once sync.Once
logSearchAPI string
logSearchURL string
prometheusURL string
prometheusJobID string
consoleImage string
)
func init() {
logSearchAPI = env.Get(LogSearchQueryAuthToken, "")
logSearchURL = env.Get(LogSearchURL, "http://localhost:8080")
prometheusURL = env.Get(PrometheusURL, "")
prometheusJobID = env.Get(PrometheusJobID, "minio-job")
consoleImage = env.Get(ConsoleOperatorConsoleImage, ConsoleImageDefaultVersion)
}
func getMinIOServer() string {
return strings.TrimSpace(env.Get(ConsoleMinIOServer, "http://localhost:9000"))
}
@@ -238,26 +244,21 @@ func getSecureExpectCTHeader() string {
}
func getLogSearchAPIToken() string {
once.Do(func() {
initVars()
})
return logSearchAPI
}
func getLogSearchURL() string {
once.Do(func() {
initVars()
})
return logSearchURL
}
func getPrometheusURL() string {
once.Do(func() {
initVars()
})
return prometheusURL
}
func getPrometheusJobID() string {
return prometheusJobID
}
// GetSubnetLicense returns the current subnet jwt license
func GetSubnetLicense() string {
// if we have a license key in memory return that
@@ -269,13 +270,6 @@ func GetSubnetLicense() string {
return LicenseKey
}
func initVars() {
logSearchAPI = env.Get(LogSearchQueryAuthToken, "")
logSearchURL = env.Get(LogSearchURL, "http://localhost:8080")
prometheusURL = env.Get(PrometheusURL, "")
consoleImage = env.Get(ConsoleOperatorConsoleImage, ConsoleImageDefaultVersion)
}
var (
// GlobalRootCAs is CA root certificates, a nil value means system certs pool will be used
GlobalRootCAs *x509.CertPool
@@ -296,8 +290,5 @@ func getK8sSAToken() string {
}
func getConsoleImage() string {
once.Do(func() {
initVars()
})
return consoleImage
}

35
restapi/configure_console.go
View File

@@ -21,7 +21,6 @@ package restapi
import (
"bytes"
"crypto/tls"
"fmt"
"io"
"io/fs"
"log"
@@ -169,13 +168,6 @@ func configureTLS(tlsConfig *tls.Config) {
}
}
// As soon as server is initialized but not run yet, this function will be called.
// If you need to modify a config, store server instance to stop it individually later, this is the place.
// This function can be called multiple times, depending on the number of serving schemes.
// scheme value will be set accordingly: "http", "https" or "unix"
func configureServer(s *http.Server, scheme, addr string) {
}
// The middleware configuration is for the handler executors. These do not apply to the swagger.json document.
// The middleware executes after routing but before authentication, binding and validation
func setupMiddlewares(handler http.Handler) http.Handler {
@@ -215,30 +207,22 @@ func setupGlobalMiddleware(handler http.Handler) http.Handler {
IsDevelopment: !getProductionMode(),
}
secureMiddleware := secure.New(secureOptions)
app := secureMiddleware.Handler(next)
return app
return secureMiddleware.Handler(next)
}
func AuthenticationMiddleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// prioritize authorization header and skip
if r.Header.Get("Authorization") != "" {
next.ServeHTTP(w, r)
token, err := auth.GetTokenFromRequest(r)
if err != nil && err != auth.ErrNoAuthToken {
http.Error(w, err.Error(), http.StatusUnauthorized)
return
}
tokenCookie, err := r.Cookie("token")
if err != nil {
next.ServeHTTP(w, r)
return
}
currentTime := time.Now()
if tokenCookie.Expires.After(currentTime) {
next.ServeHTTP(w, r)
return
}
token := tokenCookie.Value
// All handlers handle appropriately to return errors
// based on their swagger rules, we do not need to
// additionally return error here, let the next ServeHTTPs
// handle it appropriately.
if token != "" {
r.Header.Add("Authorization", fmt.Sprintf("Bearer %s", token))
r.Header.Add("Authorization", "Bearer "+token)
}
next.ServeHTTP(w, r)
})
@@ -259,7 +243,6 @@ func FileServerMiddleware(next http.Handler) http.Handler {
panic(err)
}
wrapHandlerSinglePageApplication(http.FileServer(http.FS(buildFs))).ServeHTTP(w, r)
}
})
}

1
restapi/consts.go
View File

@@ -52,6 +52,7 @@ const (
ConsoleOperatorConsoleImage = "CONSOLE_OPERATOR_CONSOLE_IMAGE"
LogSearchURL = "CONSOLE_LOG_QUERY_URL"
PrometheusURL = "CONSOLE_PROMETHEUS_URL"
PrometheusJobID = "CONSOLE_PROMETHEUS_JOB_ID"
LogSearchQueryAuthToken = "LOGSEARCH_QUERY_AUTH_TOKEN"
// Constants for prometheus annotations

144
restapi/server.go
View File

@@ -38,9 +38,7 @@ import (
"time"
"github.com/go-openapi/runtime/flagext"
"github.com/go-openapi/swag"
flags "github.com/jessevdk/go-flags"
"golang.org/x/net/netutil"
"github.com/minio/console/restapi/operations"
)
@@ -48,7 +46,6 @@ import (
const (
schemeHTTP = "http"
schemeHTTPS = "https"
schemeUnix = "unix"
)
var defaultSchemes []string
@@ -86,30 +83,19 @@ func (s *Server) ConfigureFlags() {
// Server for the console API
type Server struct {
EnabledListeners []string `long:"scheme" description:"the listeners to enable, this can be repeated and defaults to the schemes in the swagger spec"`
CleanupTimeout time.Duration `long:"cleanup-timeout" description:"grace period for which to wait before killing idle connections" default:"10s"`
GracefulTimeout time.Duration `long:"graceful-timeout" description:"grace period for which to wait before shutting down the server" default:"15s"`
MaxHeaderSize flagext.ByteSize `long:"max-header-size" description:"controls the maximum number of bytes the server will read parsing the request header's keys and values, including the request line. It does not limit the size of the request body." default:"1MiB"`
SocketPath flags.Filename `long:"socket-path" description:"the unix socket to listen on" default:"/var/run/console.sock"`
domainSocketL net.Listener
Host string `long:"host" description:"the IP to listen on" default:"localhost" env:"HOST"`
Port int `long:"port" description:"the port to listen on for insecure connections, defaults to a random value" env:"PORT"`
ListenLimit int `long:"listen-limit" description:"limit the number of outstanding requests"`
KeepAlive time.Duration `long:"keep-alive" description:"sets the TCP keep-alive timeouts on accepted connections. It prunes dead TCP connections ( e.g. closing laptop mid-download)" default:"3m"`
Host string `long:"host" description:"the IP to listen on"`
Port int `long:"port" description:"the port to listen on for insecure connections, defaults to 9090"`
ReadTimeout time.Duration `long:"read-timeout" description:"maximum duration before timing out read of the request" default:"30s"`
WriteTimeout time.Duration `long:"write-timeout" description:"maximum duration before timing out write of the response" default:"60s"`
httpServerL net.Listener
TLSHost string `long:"tls-host" description:"the IP to listen on for tls, when not specified it's the same as --host" env:"TLS_HOST"`
TLSPort int `long:"tls-port" description:"the port to listen on for secure connections, defaults to a random value" env:"TLS_PORT"`
TLSCertificate flags.Filename `long:"tls-certificate" description:"the certificate to use for secure connections" env:"TLS_CERTIFICATE"`
TLSCertificateKey flags.Filename `long:"tls-key" description:"the private key to use for secure connections" env:"TLS_PRIVATE_KEY"`
TLSCACertificate flags.Filename `long:"tls-ca" description:"the certificate authority file to be used with mutual tls auth" env:"TLS_CA_CERTIFICATE"`
TLSListenLimit int `long:"tls-listen-limit" description:"limit the number of outstanding requests"`
TLSKeepAlive time.Duration `long:"tls-keep-alive" description:"sets the TCP keep-alive timeouts on accepted connections. It prunes dead TCP connections ( e.g. closing laptop mid-download)"`
TLSReadTimeout time.Duration `long:"tls-read-timeout" description:"maximum duration before timing out read of the request"`
TLSWriteTimeout time.Duration `long:"tls-write-timeout" description:"maximum duration before timing out write of the response"`
TLSPort int `long:"tls-port" description:"the port to listen on for secure connections, defaults to 9443"`
TLSCertificate flags.Filename `long:"tls-certificate" description:"the certificate to use for secure connections"`
TLSCertificateKey flags.Filename `long:"tls-key" description:"the private key to use for secure connections"`
TLSCACertificate flags.Filename `long:"tls-ca" description:"the certificate authority file to be used to trust MinIO server"`
httpsServerL net.Listener
api *operations.ConsoleAPI
@@ -191,46 +177,13 @@ func (s *Server) Serve() (err error) {
servers := []*http.Server{}
if s.hasScheme(schemeUnix) {
domainSocket := new(http.Server)
domainSocket.MaxHeaderBytes = int(s.MaxHeaderSize)
domainSocket.Handler = s.handler
if int64(s.CleanupTimeout) > 0 {
domainSocket.IdleTimeout = s.CleanupTimeout
}
configureServer(domainSocket, "unix", string(s.SocketPath))
servers = append(servers, domainSocket)
wg.Add(1)
s.Logf("Serving console at unix://%s", s.SocketPath)
go func(l net.Listener) {
defer wg.Done()
if err := domainSocket.Serve(l); err != nil && err != http.ErrServerClosed {
s.Fatalf("%v", err)
}
s.Logf("Stopped serving console at unix://%s", s.SocketPath)
}(s.domainSocketL)
}
if s.hasScheme(schemeHTTP) {
httpServer := new(http.Server)
httpServer.MaxHeaderBytes = int(s.MaxHeaderSize)
httpServer.ReadTimeout = s.ReadTimeout
httpServer.WriteTimeout = s.WriteTimeout
httpServer.SetKeepAlivesEnabled(int64(s.KeepAlive) > 0)
if s.ListenLimit > 0 {
s.httpServerL = netutil.LimitListener(s.httpServerL, s.ListenLimit)
}
if int64(s.CleanupTimeout) > 0 {
httpServer.IdleTimeout = s.CleanupTimeout
}
httpServer.Handler = s.handler
configureServer(httpServer, "http", s.httpServerL.Addr().String())
servers = append(servers, httpServer)
wg.Add(1)
s.Logf("Serving console at http://%s", s.httpServerL.Addr())
@@ -246,15 +199,8 @@ func (s *Server) Serve() (err error) {
if s.hasScheme(schemeHTTPS) {
httpsServer := new(http.Server)
httpsServer.MaxHeaderBytes = int(s.MaxHeaderSize)
httpsServer.ReadTimeout = s.TLSReadTimeout
httpsServer.WriteTimeout = s.TLSWriteTimeout
httpsServer.SetKeepAlivesEnabled(int64(s.TLSKeepAlive) > 0)
if s.TLSListenLimit > 0 {
s.httpsServerL = netutil.LimitListener(s.httpsServerL, s.TLSListenLimit)
}
if int64(s.CleanupTimeout) > 0 {
httpsServer.IdleTimeout = s.CleanupTimeout
}
httpsServer.ReadTimeout = s.ReadTimeout
httpsServer.WriteTimeout = s.WriteTimeout
httpsServer.Handler = s.handler
// Inspired by https://blog.bracebin.com/achieving-perfect-ssl-labs-score-with-go
@@ -307,7 +253,7 @@ func (s *Server) Serve() (err error) {
// call custom TLS configurator
configureTLS(httpsServer.TLSConfig)
if len(httpsServer.TLSConfig.Certificates) == 0 && httpsServer.TLSConfig.GetCertificate == nil {
if len(httpsServer.TLSConfig.Certificates) == 0 || httpsServer.TLSConfig.GetCertificate == nil {
// after standard and custom config are passed, this ends up with no certificate
if s.TLSCertificate == "" {
if s.TLSCertificateKey == "" {
@@ -325,8 +271,6 @@ func (s *Server) Serve() (err error) {
// must have at least one certificate or panics
httpsServer.TLSConfig.BuildNameToCertificate()
configureServer(httpsServer, "https", s.httpsServerL.Addr().String())
servers = append(servers, httpsServer)
wg.Add(1)
s.Logf("Serving console at https://%s", s.httpsServerL.Addr())
@@ -340,7 +284,7 @@ func (s *Server) Serve() (err error) {
}
wg.Add(1)
go s.handleShutdown(wg, &servers)
go s.handleShutdown(wg, servers)
wg.Wait()
return nil
@@ -352,65 +296,19 @@ func (s *Server) Listen() error {
return nil
}
if s.hasScheme(schemeHTTPS) {
// Use http host if https host wasn't defined
if s.TLSHost == "" {
s.TLSHost = s.Host
}
// Use http listen limit if https listen limit wasn't defined
if s.TLSListenLimit == 0 {
s.TLSListenLimit = s.ListenLimit
}
// Use http tcp keep alive if https tcp keep alive wasn't defined
if int64(s.TLSKeepAlive) == 0 {
s.TLSKeepAlive = s.KeepAlive
}
// Use http read timeout if https read timeout wasn't defined
if int64(s.TLSReadTimeout) == 0 {
s.TLSReadTimeout = s.ReadTimeout
}
// Use http write timeout if https write timeout wasn't defined
if int64(s.TLSWriteTimeout) == 0 {
s.TLSWriteTimeout = s.WriteTimeout
}
}
if s.hasScheme(schemeUnix) {
domSockListener, err := net.Listen("unix", string(s.SocketPath))
if err != nil {
return err
}
s.domainSocketL = domSockListener
}
var err error
if s.hasScheme(schemeHTTP) {
listener, err := net.Listen("tcp", net.JoinHostPort(s.Host, strconv.Itoa(s.Port)))
s.httpServerL, err = net.Listen("tcp", net.JoinHostPort(s.Host, strconv.Itoa(s.Port)))
if err != nil {
return err
}
h, p, err := swag.SplitHostPort(listener.Addr().String())
if err != nil {
return err
}
s.Host = h
s.Port = p
s.httpServerL = listener
}
if s.hasScheme(schemeHTTPS) {
tlsListener, err := net.Listen("tcp", net.JoinHostPort(s.TLSHost, strconv.Itoa(s.TLSPort)))
s.httpsServerL, err = net.Listen("tcp", net.JoinHostPort(s.Host, strconv.Itoa(s.TLSPort)))
if err != nil {
return err
}
sh, sp, err := swag.SplitHostPort(tlsListener.Addr().String())
if err != nil {
return err
}
s.TLSHost = sh
s.TLSPort = sp
s.httpsServerL = tlsListener
}
s.hasListeners = true
@@ -425,16 +323,14 @@ func (s *Server) Shutdown() error {
return nil
}
func (s *Server) handleShutdown(wg *sync.WaitGroup, serversPtr *[]*http.Server) {
func (s *Server) handleShutdown(wg *sync.WaitGroup, servers []*http.Server) {
// wg.Done must occur last, after s.api.ServerShutdown()
// (to preserve old behaviour)
defer wg.Done()
<-s.shutdown
servers := *serversPtr
ctx, cancel := context.WithTimeout(context.TODO(), s.GracefulTimeout)
ctx, cancel := context.WithTimeout(context.Background(), s.GracefulTimeout)
defer cancel()
// first execute the pre-shutdown hook
@@ -477,16 +373,6 @@ func (s *Server) SetHandler(handler http.Handler) {
s.handler = handler
}
// UnixListener returns the domain socket listener
func (s *Server) UnixListener() (net.Listener, error) {
if !s.hasListeners {
if err := s.Listen(); err != nil {
return nil, err
}
}
return s.domainSocketL, nil
}
// HTTPListener returns the http listener
func (s *Server) HTTPListener() (net.Listener, error) {
if !s.hasListeners {