allow console to listen on ipv6 (#781)
Also converge `--tls-host` and `--host`: a hostname has nothing to do with HTTP vs. HTTPS, so the same value serves both listeners. The older `--tls-host` flag is deprecated but is still honored as a hidden flag.
@@ -23,6 +23,7 @@ import (
|
|||||||
"log"
|
"log"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
"strconv"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/go-openapi/loads"
|
"github.com/go-openapi/loads"
|
||||||
@@ -38,32 +39,37 @@ var serverCmd = cli.Command{
|
|||||||
Name: "server",
|
Name: "server",
|
||||||
Aliases: []string{"srv"},
|
Aliases: []string{"srv"},
|
||||||
Usage: "starts Console server",
|
Usage: "starts Console server",
|
||||||
Action: startServer,
|
Action: StartServer,
|
||||||
Flags: []cli.Flag{
|
Flags: []cli.Flag{
|
||||||
cli.StringFlag{
|
cli.StringFlag{
|
||||||
Name: "host",
|
Name: "host",
|
||||||
Value: restapi.GetHostname(),
|
Value: restapi.GetHostname(),
|
||||||
Usage: "HTTP server hostname",
|
Usage: "hostname",
|
||||||
},
|
},
|
||||||
cli.IntFlag{
|
cli.IntFlag{
|
||||||
Name: "port",
|
Name: "port",
|
||||||
Value: restapi.GetPort(),
|
Value: restapi.GetPort(),
|
||||||
Usage: "HTTP Server port",
|
Usage: "HTTP port",
|
||||||
},
|
},
|
||||||
|
// This is kept here for backward compatibility,
|
||||||
|
// hostname's do not have HTTP or HTTPs
|
||||||
|
// hostnames are opaque so using --host
|
||||||
|
// works for both HTTP and HTTPS setup.
|
||||||
cli.StringFlag{
|
cli.StringFlag{
|
||||||
Name: "tls-host",
|
Name: "tls-host",
|
||||||
Value: restapi.GetTLSHostname(),
|
Value: restapi.GetHostname(),
|
||||||
Usage: "HTTPS server hostname",
|
Usage: "HTTPS hostname",
|
||||||
|
Hidden: true,
|
||||||
},
|
},
|
||||||
cli.IntFlag{
|
cli.IntFlag{
|
||||||
Name: "tls-port",
|
Name: "tls-port",
|
||||||
Value: restapi.GetTLSPort(),
|
Value: restapi.GetTLSPort(),
|
||||||
Usage: "HTTPS server port",
|
Usage: "HTTPS port",
|
||||||
},
|
},
|
||||||
cli.StringFlag{
|
cli.StringFlag{
|
||||||
Name: "tls-redirect",
|
Name: "tls-redirect",
|
||||||
Value: restapi.GetTLSRedirect(),
|
Value: restapi.GetTLSRedirect(),
|
||||||
Usage: "HTTPS redirect by default",
|
Usage: "toggle HTTP->HTTPS redirect",
|
||||||
},
|
},
|
||||||
cli.StringFlag{
|
cli.StringFlag{
|
||||||
Name: "certs-dir",
|
Name: "certs-dir",
|
||||||
@@ -73,23 +79,23 @@ var serverCmd = cli.Command{
|
|||||||
cli.StringFlag{
|
cli.StringFlag{
|
||||||
Name: "tls-certificate",
|
Name: "tls-certificate",
|
||||||
Value: "",
|
Value: "",
|
||||||
Usage: "path tls certificate",
|
Usage: "path to TLS public certificate",
|
||||||
},
|
},
|
||||||
cli.StringFlag{
|
cli.StringFlag{
|
||||||
Name: "tls-key",
|
Name: "tls-key",
|
||||||
Value: "",
|
Value: "",
|
||||||
Usage: "path tls key",
|
Usage: "path to TLS private key",
|
||||||
},
|
},
|
||||||
cli.StringFlag{
|
cli.StringFlag{
|
||||||
Name: "tls-ca",
|
Name: "tls-ca",
|
||||||
Value: "",
|
Value: "",
|
||||||
Usage: "path tls ca",
|
Usage: "path to TLS Certificate Authority",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
// starts the controller
|
// StartServer starts the console service
|
||||||
func startServer(ctx *cli.Context) error {
|
func StartServer(ctx *cli.Context) error {
|
||||||
swaggerSpec, err := loads.Embedded(restapi.SwaggerJSON, restapi.FlatSwaggerJSON)
|
swaggerSpec, err := loads.Embedded(restapi.SwaggerJSON, restapi.FlatSwaggerJSON)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatalln(err)
|
log.Fatalln(err)
|
||||||
@@ -126,7 +132,7 @@ func startServer(ctx *cli.Context) error {
|
|||||||
server.Port = ctx.Int("port")
|
server.Port = ctx.Int("port")
|
||||||
|
|
||||||
restapi.Hostname = ctx.String("host")
|
restapi.Hostname = ctx.String("host")
|
||||||
restapi.Port = fmt.Sprintf("%v", ctx.Int("port"))
|
restapi.Port = strconv.Itoa(ctx.Int("port"))
|
||||||
|
|
||||||
// Set all certs and CAs directories path
|
// Set all certs and CAs directories path
|
||||||
certs.GlobalCertsDir, _ = certs.NewConfigDirFromCtx(ctx, "certs-dir", certs.DefaultCertsDir.Get)
|
certs.GlobalCertsDir, _ = certs.NewConfigDirFromCtx(ctx, "certs-dir", certs.DefaultCertsDir.Get)
|
||||||
@@ -139,26 +145,28 @@ func startServer(ctx *cli.Context) error {
|
|||||||
// load the certificates and the CAs
|
// load the certificates and the CAs
|
||||||
restapi.GlobalRootCAs, restapi.GlobalPublicCerts, restapi.GlobalTLSCertsManager = certs.GetAllCertificatesAndCAs()
|
restapi.GlobalRootCAs, restapi.GlobalPublicCerts, restapi.GlobalTLSCertsManager = certs.GetAllCertificatesAndCAs()
|
||||||
|
|
||||||
// TLS flags from swagger server, used to support older versions of minio-operator
|
{
|
||||||
swaggerServerCertificate := ctx.String("tls-certificate")
|
// TLS flags from swagger server, used to support VMware vsphere operator version.
|
||||||
swaggerServerCertificateKey := ctx.String("tls-key")
|
swaggerServerCertificate := ctx.String("tls-certificate")
|
||||||
SwaggerServerCACertificate := ctx.String("tls-ca")
|
swaggerServerCertificateKey := ctx.String("tls-key")
|
||||||
// load tls cert and key from swagger server tls-certificate and tls-key flags
|
SwaggerServerCACertificate := ctx.String("tls-ca")
|
||||||
if swaggerServerCertificate != "" && swaggerServerCertificateKey != "" {
|
// load tls cert and key from swagger server tls-certificate and tls-key flags
|
||||||
if errAddCert := certs.AddCertificate(context.Background(), restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); errAddCert != nil {
|
if swaggerServerCertificate != "" && swaggerServerCertificateKey != "" {
|
||||||
log.Println(errAddCert)
|
if errAddCert := certs.AddCertificate(context.Background(),
|
||||||
}
|
restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); errAddCert != nil {
|
||||||
if x509Certs, errParseCert := certs.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil {
|
log.Println(errAddCert)
|
||||||
if len(x509Certs) > 0 {
|
}
|
||||||
restapi.GlobalPublicCerts = append(restapi.GlobalPublicCerts, x509Certs[0])
|
if x509Certs, errParseCert := certs.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil {
|
||||||
|
restapi.GlobalPublicCerts = append(restapi.GlobalPublicCerts, x509Certs...)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
// load ca cert from swagger server tls-ca flag
|
// load ca cert from swagger server tls-ca flag
|
||||||
if SwaggerServerCACertificate != "" {
|
if SwaggerServerCACertificate != "" {
|
||||||
caCert, caCertErr := ioutil.ReadFile(SwaggerServerCACertificate)
|
caCert, caCertErr := ioutil.ReadFile(SwaggerServerCACertificate)
|
||||||
if caCertErr == nil {
|
if caCertErr == nil {
|
||||||
restapi.GlobalRootCAs.AppendCertsFromPEM(caCert)
|
restapi.GlobalRootCAs.AppendCertsFromPEM(caCert)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
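Review bot: The `--tls-ca` branch at the bottom of this hunk silently drops two failure modes: a read error on the file (`if caCertErr == nil` has no else branch) and `AppendCertsFromPEM` returning false when the file contains no parseable PEM certificates, so a mistyped path or a DER-encoded CA leaves `GlobalRootCAs` unchanged with nothing in the log, and the operator only finds out when upstream TLS verification fails for an unrelated-looking reason. The commit re-indents this block but keeps that behavior; logging both outcomes, as the `tls-certificate` path already does with `errAddCert`, costs a few lines. Relatedly, when `certs.AddCertificate` fails the code still parses the public certificate and appends every cert in the file to `GlobalPublicCerts` — whether a certificate whose key could not be loaded should be advertised there is not visible from this page and worth a look. StartServer's body begins and ends outside this hunk.
```go
// … unchanged: tls-certificate / tls-key handling …
// load ca cert from swagger server tls-ca flag
if SwaggerServerCACertificate != "" {
	caCert, caCertErr := ioutil.ReadFile(SwaggerServerCACertificate)
	if caCertErr != nil {
		log.Println(caCertErr)
	} else if !restapi.GlobalRootCAs.AppendCertsFromPEM(caCert) {
		log.Println("tls-ca: no PEM certificates found in", SwaggerServerCACertificate)
	}
}
```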
@@ -170,7 +178,7 @@ func startServer(ctx *cli.Context) error {
|
|||||||
server.TLSHost = ctx.String("tls-host")
|
server.TLSHost = ctx.String("tls-host")
|
||||||
// Need to store tls-port, tls-host un config variables so secure.middleware can read from there
|
// Need to store tls-port, tls-host un config variables so secure.middleware can read from there
|
||||||
restapi.TLSPort = fmt.Sprintf("%v", ctx.Int("tls-port"))
|
restapi.TLSPort = fmt.Sprintf("%v", ctx.Int("tls-port"))
|
||||||
restapi.TLSHostname = ctx.String("tls-host")
|
restapi.Hostname = ctx.String("host")
|
||||||
restapi.TLSRedirect = ctx.String("tls-redirect")
|
restapi.TLSRedirect = ctx.String("tls-redirect")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -18,8 +18,8 @@ package restapi
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"fmt"
|
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
"net"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
@@ -34,10 +34,10 @@ var (
|
|||||||
Port = "9090"
|
Port = "9090"
|
||||||
|
|
||||||
// Hostname console hostname
|
// Hostname console hostname
|
||||||
Hostname = "0.0.0.0"
|
// avoid listening on 0.0.0.0 by default
|
||||||
|
// instead listen on all IPv4 and IPv6
|
||||||
// TLSHostname console tls hostname
|
// - Hostname should be empty.
|
||||||
TLSHostname = "0.0.0.0"
|
Hostname = ""
|
||||||
|
|
||||||
// TLSPort console tls port
|
// TLSPort console tls port
|
||||||
TLSPort = "9443"
|
TLSPort = "9443"
|
||||||
@@ -116,7 +116,7 @@ func GetPort() int {
|
|||||||
// GetTLSHostname gets console tls hostname set on env variable
|
// GetTLSHostname gets console tls hostname set on env variable
|
||||||
// or default one
|
// or default one
|
||||||
func GetTLSHostname() string {
|
func GetTLSHostname() string {
|
||||||
return strings.ToLower(env.Get(ConsoleTLSHostname, TLSHostname))
|
return strings.ToLower(env.Get(ConsoleTLSHostname, Hostname))
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetTLSPort gets console tls port set on env variable
|
// GetTLSPort gets console tls port set on env variable
|
||||||
@@ -186,7 +186,7 @@ func getSecureHostsProxyHeaders() []string {
|
|||||||
|
|
||||||
// TLSHost is the host name that is used to redirect HTTP requests to HTTPS. Default is "", which indicates to use the same host.
|
// TLSHost is the host name that is used to redirect HTTP requests to HTTPS. Default is "", which indicates to use the same host.
|
||||||
func getSecureTLSHost() string {
|
func getSecureTLSHost() string {
|
||||||
return env.Get(ConsoleSecureTLSHost, fmt.Sprintf("%s:%s", TLSHostname, TLSPort))
|
return env.Get(ConsoleSecureTLSHost, net.JoinHostPort(Hostname, TLSPort))
|
||||||
}
|
}
|
||||||
|
|
||||||
// STSSeconds is the max-age of the Strict-Transport-Security header. Default is 0, which would NOT include the header.
|
// STSSeconds is the max-age of the Strict-Transport-Security header. Default is 0, which would NOT include the header.
|
||||||
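Review bot: With `Hostname` now defaulting to `""` (hunk at -34 in this file), the fallback on the changed line becomes `net.JoinHostPort("", TLSPort)`, i.e. `":9443"`, which is neither the `""` / "use the same host" case the comment directly above describes nor a usable redirect target — the secure middleware would point browsers at `https://:9443/...` unless `ConsoleSecureTLSHost` is set in the environment. The previous default of `0.0.0.0:9443` was equally unreachable, so this is a pre-existing gap the commit touches but does not close. Suggest returning the documented empty value when no hostname is configured, e.g. `if Hostname == "" { return env.Get(ConsoleSecureTLSHost, "") }`, and noting in the comment that the HTTP->HTTPS redirect then only lands on the right port when `ConsoleSecureTLSHost` or `--host` is set for non-default ports. Whether the middleware validates the request Host header before echoing it into the redirect is not visible here and is worth confirming, since an unvalidated Host would make the redirect attacker-steerable.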
|
|||||||