diff --git a/cmd/console/server.go b/cmd/console/server.go index ab5f0915b..530c0dee6 100644 --- a/cmd/console/server.go +++ b/cmd/console/server.go @@ -23,6 +23,7 @@ import ( "log" "os" "path/filepath" + "strconv" "time" "github.com/go-openapi/loads" @@ -38,32 +39,37 @@ var serverCmd = cli.Command{ Name: "server", Aliases: []string{"srv"}, Usage: "starts Console server", - Action: startServer, + Action: StartServer, Flags: []cli.Flag{ cli.StringFlag{ Name: "host", Value: restapi.GetHostname(), - Usage: "HTTP server hostname", + Usage: "hostname", }, cli.IntFlag{ Name: "port", Value: restapi.GetPort(), - Usage: "HTTP Server port", + Usage: "HTTP port", }, + // This is kept here for backward compatibility, + // hostname's do not have HTTP or HTTPs + // hostnames are opaque so using --host + // works for both HTTP and HTTPS setup. cli.StringFlag{ - Name: "tls-host", - Value: restapi.GetTLSHostname(), - Usage: "HTTPS server hostname", + Name: "tls-host", + Value: restapi.GetHostname(), + Usage: "HTTPS hostname", + Hidden: true, }, cli.IntFlag{ Name: "tls-port", Value: restapi.GetTLSPort(), - Usage: "HTTPS server port", + Usage: "HTTPS port", }, cli.StringFlag{ Name: "tls-redirect", Value: restapi.GetTLSRedirect(), - Usage: "HTTPS redirect by default", + Usage: "toggle HTTP->HTTPS redirect", }, cli.StringFlag{ Name: "certs-dir", @@ -73,23 +79,23 @@ var serverCmd = cli.Command{ cli.StringFlag{ Name: "tls-certificate", Value: "", - Usage: "path tls certificate", + Usage: "path to TLS public certificate", }, cli.StringFlag{ Name: "tls-key", Value: "", - Usage: "path tls key", + Usage: "path to TLS private key", }, cli.StringFlag{ Name: "tls-ca", Value: "", - Usage: "path tls ca", + Usage: "path to TLS Certificate Authority", }, }, } -// starts the controller -func startServer(ctx *cli.Context) error { +// StartServer starts the console service +func StartServer(ctx *cli.Context) error { swaggerSpec, err := loads.Embedded(restapi.SwaggerJSON, restapi.FlatSwaggerJSON) if err != nil { log.Fatalln(err) @@ -126,7 +132,7 @@ func startServer(ctx *cli.Context) error { server.Port = ctx.Int("port") restapi.Hostname = ctx.String("host") - restapi.Port = fmt.Sprintf("%v", ctx.Int("port")) + restapi.Port = strconv.Itoa(ctx.Int("port")) // Set all certs and CAs directories path certs.GlobalCertsDir, _ = certs.NewConfigDirFromCtx(ctx, "certs-dir", certs.DefaultCertsDir.Get) @@ -139,26 +145,28 @@ func startServer(ctx *cli.Context) error { // load the certificates and the CAs restapi.GlobalRootCAs, restapi.GlobalPublicCerts, restapi.GlobalTLSCertsManager = certs.GetAllCertificatesAndCAs() - // TLS flags from swagger server, used to support older versions of minio-operator - swaggerServerCertificate := ctx.String("tls-certificate") - swaggerServerCertificateKey := ctx.String("tls-key") - SwaggerServerCACertificate := ctx.String("tls-ca") - // load tls cert and key from swagger server tls-certificate and tls-key flags - if swaggerServerCertificate != "" && swaggerServerCertificateKey != "" { - if errAddCert := certs.AddCertificate(context.Background(), restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); errAddCert != nil { - log.Println(errAddCert) - } - if x509Certs, errParseCert := certs.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil { - if len(x509Certs) > 0 { - restapi.GlobalPublicCerts = append(restapi.GlobalPublicCerts, x509Certs[0]) + { + // TLS flags from swagger server, used to support VMware vsphere operator version. + swaggerServerCertificate := ctx.String("tls-certificate") + swaggerServerCertificateKey := ctx.String("tls-key") + SwaggerServerCACertificate := ctx.String("tls-ca") + // load tls cert and key from swagger server tls-certificate and tls-key flags + if swaggerServerCertificate != "" && swaggerServerCertificateKey != "" { + if errAddCert := certs.AddCertificate(context.Background(), + restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); errAddCert != nil { + log.Println(errAddCert) + } + if x509Certs, errParseCert := certs.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil { + restapi.GlobalPublicCerts = append(restapi.GlobalPublicCerts, x509Certs...) } } - } - // load ca cert from swagger server tls-ca flag - if SwaggerServerCACertificate != "" { - caCert, caCertErr := ioutil.ReadFile(SwaggerServerCACertificate) - if caCertErr == nil { - restapi.GlobalRootCAs.AppendCertsFromPEM(caCert) + + // load ca cert from swagger server tls-ca flag + if SwaggerServerCACertificate != "" { + caCert, caCertErr := ioutil.ReadFile(SwaggerServerCACertificate) + if caCertErr == nil { + restapi.GlobalRootCAs.AppendCertsFromPEM(caCert) + } } } @@ -170,7 +178,7 @@ func startServer(ctx *cli.Context) error { server.TLSHost = ctx.String("tls-host") // Need to store tls-port, tls-host un config variables so secure.middleware can read from there restapi.TLSPort = fmt.Sprintf("%v", ctx.Int("tls-port")) - restapi.TLSHostname = ctx.String("tls-host") + restapi.Hostname = ctx.String("host") restapi.TLSRedirect = ctx.String("tls-redirect") } diff --git a/restapi/config.go b/restapi/config.go index 11dc310d4..1c340dcca 100644 --- a/restapi/config.go +++ b/restapi/config.go @@ -18,8 +18,8 @@ package restapi import ( "crypto/x509" - "fmt" "io/ioutil" + "net" "strconv" "strings" "sync" @@ -34,10 +34,10 @@ var ( Port = "9090" // Hostname console hostname - Hostname = "0.0.0.0" - - // TLSHostname console tls hostname - TLSHostname = "0.0.0.0" + // avoid listening on 0.0.0.0 by default + // instead listen on all IPv4 and IPv6 + // - Hostname should be empty. + Hostname = "" // TLSPort console tls port TLSPort = "9443" @@ -116,7 +116,7 @@ func GetPort() int { // GetTLSHostname gets console tls hostname set on env variable // or default one func GetTLSHostname() string { - return strings.ToLower(env.Get(ConsoleTLSHostname, TLSHostname)) + return strings.ToLower(env.Get(ConsoleTLSHostname, Hostname)) } // GetTLSPort gets console tls port set on env variable @@ -186,7 +186,7 @@ func getSecureHostsProxyHeaders() []string { // TLSHost is the host name that is used to redirect HTTP requests to HTTPS. Default is "", which indicates to use the same host. func getSecureTLSHost() string { - return env.Get(ConsoleSecureTLSHost, fmt.Sprintf("%s:%s", TLSHostname, TLSPort)) + return env.Get(ConsoleSecureTLSHost, net.JoinHostPort(Hostname, TLSPort)) } // STSSeconds is the max-age of the Strict-Transport-Security header. Default is 0, which would NOT include the header.