mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1e7f272a6772062da12e882bdf8af2636fbf508e
object-browser/restapi/config.go
Lenin Alevski 1e7f272a67 MCS service account authentication with Mkube (#166) 
`MCS` will authenticate against `Mkube`using bearer tokens via HTTP
`Authorization` header. The user will provide this token once
in the login form, MCS will validate it against Mkube (list tenants) and
if valid will generate and return a new MCS sessions
with encrypted claims (the user Service account token will be inside the
JWT in the data field)

Kubernetes

The provided `JWT token` corresponds to the `Kubernetes service account`
that `Mkube` will use to run tasks on behalf of the
user, ie: list, create, edit, delete tenants, storage class, etc.

Development

If you are running mcs in your local environment and wish to make
request to `Mkube` you can set `MCS_M3_HOSTNAME`, if
the environment variable is not present by default `MCS` will use
`"http://m3:8787"`, additionally you will need to set the
`MCS_MKUBE_ADMIN_ONLY=on` variable to make MCS display the Mkube UI

Extract the Service account token and use it with MCS

For local development you can use the jwt associated to the `m3-sa`
service account, you can get the token running
the following command in your terminal:

```
kubectl get secret $(kubectl get serviceaccount m3-sa -o
jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64
--decode
```

Then run the mcs server

```
MCS_M3_HOSTNAME=http://localhost:8787 MCS_MKUBE_ADMIN_ONLY=on ./mcs
server
```

Self-signed certificates and Custom certificate authority for Mkube

If Mkube uses TLS with a self-signed certificate, or a certificate
issued by a custom certificate authority you can add those
certificates usinng the `MCS_M3_SERVER_TLS_CA_CERTIFICATE` env variable

````
MCS_M3_SERVER_TLS_CA_CERTIFICATE=cert1.pem,cert2.pem,cert3.pem ./mcs
server
````
2020-06-23 11:37:46 -07:00

231 lines
7.3 KiB
Go
Raw Blame History

// This file is part of MinIO Console Server
// Copyright (c) 2020 MinIO, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package restapi
import (
"fmt"
"strconv"
"strings"
"github.com/minio/minio/pkg/env"
)
// Port mcs default port
var Port = "9090"
// Hostname mcs hostname
var Hostname = "0.0.0.0"
// TLSHostname mcs tls hostname
var TLSHostname = "0.0.0.0"
// TLSPort mcs tls port
var TLSPort = "9443"
// TLSRedirect mcs tls redirect rule
var TLSRedirect = "off"
func getAccessKey() string {
return env.Get(McsAccessKey, "minioadmin")
}
func getSecretKey() string {
return env.Get(McsSecretKey, "minioadmin")
}
func getMinIOServer() string {
return strings.TrimSpace(env.Get(McsMinIOServer, "http://localhost:9000"))
}
// If MCS_MINIO_SERVER_TLS_ROOT_CAS is true mcs will load a list of certificates into the
// http.client rootCAs store, this is useful for testing or when working with self-signed certificates
func getMinioServerTLSRootCAs() []string {
caCertFileNames := strings.TrimSpace(env.Get(McsMinIOServerTLSRootCAs, ""))
if caCertFileNames == "" {
return []string{}
}
return strings.Split(caCertFileNames, ",")
}
func getMinIOEndpoint() string {
server := getMinIOServer()
if strings.Contains(server, "://") {
parts := strings.Split(server, "://")
if len(parts) > 1 {
server = parts[1]
}
}
return server
}
func getMinIOEndpointIsSecure() bool {
server := getMinIOServer()
if strings.Contains(server, "://") {
parts := strings.Split(server, "://")
if len(parts) > 1 {
if parts[0] == "https" {
return true
}
}
}
return false
}
func getProductionMode() bool {
return strings.ToLower(env.Get(McsProductionMode, "on")) == "on"
}
// GetHostname gets mcs hostname set on env variable,
// default one or defined on run command
func GetHostname() string {
return strings.ToLower(env.Get(McsHostname, Hostname))
}
// GetPort gets mcs por set on env variable
// or default one
func GetPort() int {
port, err := strconv.Atoi(env.Get(McsPort, Port))
if err != nil {
port = 9090
}
return port
}
// GetSSLHostname gets mcs ssl hostname set on env variable
// or default one
func GetSSLHostname() string {
return strings.ToLower(env.Get(McsTLSHostname, TLSHostname))
}
// GetSSLPort gets mcs ssl port set on env variable
// or default one
func GetSSLPort() int {
port, err := strconv.Atoi(env.Get(McsTLSPort, TLSPort))
if err != nil {
port = 9443
}
return port
}
// Get secure middleware env variable configurations
func getSecureAllowedHosts() []string {
allowedHosts := env.Get(McsSecureAllowedHosts, "")
if allowedHosts != "" {
return strings.Split(allowedHosts, ",")
}
return []string{}
}
// AllowedHostsAreRegex determines, if the provided AllowedHosts slice contains valid regular expressions. Default is false.
func getSecureAllowedHostsAreRegex() bool {
return strings.ToLower(env.Get(McsSecureAllowedHostsAreRegex, "off")) == "on"
}
// If FrameDeny is set to true, adds the X-Frame-Options header with the value of `DENY`. Default is true.
func getSecureFrameDeny() bool {
return strings.ToLower(env.Get(McsSecureFrameDeny, "on")) == "on"
}
// If ContentTypeNosniff is true, adds the X-Content-Type-Options header with the value `nosniff`. Default is true.
func getSecureContentTypeNonSniff() bool {
return strings.ToLower(env.Get(McsSecureContentTypeNoSniff, "on")) == "on"
}
// If BrowserXssFilter is true, adds the X-XSS-Protection header with the value `1; mode=block`. Default is true.
func getSecureBrowserXSSFilter() bool {
return strings.ToLower(env.Get(McsSecureBrowserXSSFilter, "on")) == "on"
}
// ContentSecurityPolicy allows the Content-Security-Policy header value to be set with a custom value. Default is "".
// Passing a template string will replace `$NONCE` with a dynamic nonce value of 16 bytes for each request which can be
// later retrieved using the Nonce function.
func getSecureContentSecurityPolicy() string {
return env.Get(McsSecureContentSecurityPolicy, "")
}
// ContentSecurityPolicyReportOnly allows the Content-Security-Policy-Report-Only header value to be set with a custom value. Default is "".
func getSecureContentSecurityPolicyReportOnly() string {
return env.Get(McsSecureContentSecurityPolicyReportOnly, "")
}
// HostsProxyHeaders is a set of header keys that may hold a proxied hostname value for the request.
func getSecureHostsProxyHeaders() []string {
allowedHosts := env.Get(McsSecureHostsProxyHeaders, "")
if allowedHosts != "" {
return strings.Split(allowedHosts, ",")
}
return []string{}
}
// If SSLRedirect is set to true, then only allow HTTPS requests. Default is true.
func getSSLRedirect() bool {
return strings.ToLower(env.Get(McsSecureSSLRedirect, TLSRedirect)) == "on"
}
// SSLHost is the host name that is used to redirect HTTP requests to HTTPS. Default is "", which indicates to use the same host.
func getSecureSSLHost() string {
return env.Get(McsSecureSSLHost, fmt.Sprintf("%s:%s", TLSHostname, TLSPort))
}
// STSSeconds is the max-age of the Strict-Transport-Security header. Default is 0, which would NOT include the header.
func getSecureSTSSeconds() int64 {
seconds, err := strconv.Atoi(env.Get(McsSecureSTSSeconds, "0"))
if err != nil {
seconds = 0
}
return int64(seconds)
}
// If STSIncludeSubdomains is set to true, the `includeSubdomains` will be appended to the Strict-Transport-Security header. Default is false.
func getSecureSTSIncludeSubdomains() bool {
return strings.ToLower(env.Get(McsSecureSTSIncludeSubdomains, "off")) == "on"
}
// If STSPreload is set to true, the `preload` flag will be appended to the Strict-Transport-Security header. Default is false.
func getSecureSTSPreload() bool {
return strings.ToLower(env.Get(McsSecureSTSPreload, "off")) == "on"
}
// If SSLTemporaryRedirect is true, the a 302 will be used while redirecting. Default is false (301).
func getSecureSSLTemporaryRedirect() bool {
return strings.ToLower(env.Get(McsSecureSSLTemporaryRedirect, "off")) == "on"
}
// STS header is only included when the connection is HTTPS.
func getSecureForceSTSHeader() bool {
return strings.ToLower(env.Get(McsSecureForceSTSHeader, "off")) == "on"
}
// PublicKey implements HPKP to prevent MITM attacks with forged certificates. Default is "".
func getSecurePublicKey() string {
return env.Get(McsSecurePublicKey, "")
}
// ReferrerPolicy allows the Referrer-Policy header with the value to be set with a custom value. Default is "".
func getSecureReferrerPolicy() string {
return env.Get(McsSecureReferrerPolicy, "")
}
// FeaturePolicy allows the Feature-Policy header with the value to be set with a custom value. Default is "".
func getSecureFeaturePolicy() string {
return env.Get(McsSecureFeaturePolicy, "")
}
func getSecureExpectCTHeader() string {
return env.Get(McsSecureExpectCTHeader, "")
}
Reference in New Issue View Git Blame Copy Permalink