2022-01-25 10:48:49 -08:00
|
|
|
// This file is part of MinIO Console Server
|
2021-01-19 17:04:13 -06:00
|
|
|
// Copyright (c) 2021 MinIO, Inc.
|
2020-05-08 17:11:47 -07:00
|
|
|
//
|
|
|
|
|
// This program is free software: you can redistribute it and/or modify
|
|
|
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
|
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
// (at your option) any later version.
|
|
|
|
|
//
|
|
|
|
|
// This program is distributed in the hope that it will be useful,
|
|
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
// GNU Affero General Public License for more details.
|
|
|
|
|
//
|
|
|
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
|
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
|
|
package restapi
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"crypto/tls"
|
|
|
|
|
"net"
|
|
|
|
|
"net/http"
|
|
|
|
|
"time"
|
|
|
|
|
)
|
|
|
|
|
|
2020-08-09 14:36:55 -07:00
|
|
|
func prepareSTSClientTransport(insecure bool) *http.Transport {
|
2021-06-01 11:34:55 -07:00
|
|
|
// This takes github.com/minio/madmin-go/transport.go as an example
|
2020-05-08 17:11:47 -07:00
|
|
|
//
|
|
|
|
|
// DefaultTransport - this default transport is similar to
|
|
|
|
|
// http.DefaultTransport but with additional param DisableCompression
|
|
|
|
|
// is set to true to avoid decompressing content with 'gzip' encoding.
|
|
|
|
|
DefaultTransport := &http.Transport{
|
|
|
|
|
Proxy: http.ProxyFromEnvironment,
|
|
|
|
|
DialContext: (&net.Dialer{
|
|
|
|
|
Timeout: 5 * time.Second,
|
|
|
|
|
KeepAlive: 15 * time.Second,
|
|
|
|
|
}).DialContext,
|
|
|
|
|
MaxIdleConns: 1024,
|
|
|
|
|
MaxIdleConnsPerHost: 1024,
|
|
|
|
|
ResponseHeaderTimeout: 60 * time.Second,
|
|
|
|
|
IdleConnTimeout: 60 * time.Second,
|
|
|
|
|
TLSHandshakeTimeout: 10 * time.Second,
|
|
|
|
|
ExpectContinueTimeout: 1 * time.Second,
|
|
|
|
|
DisableCompression: true,
|
2020-08-11 11:32:44 -07:00
|
|
|
TLSClientConfig: &tls.Config{
|
2020-05-08 17:11:47 -07:00
|
|
|
// Can't use SSLv3 because of POODLE and BEAST
|
|
|
|
|
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
|
|
|
|
|
// Can't use TLSv1.1 because of RC4 cipher usage
|
2020-08-11 11:32:44 -07:00
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
|
InsecureSkipVerify: insecure,
|
2020-10-29 22:26:48 -07:00
|
|
|
RootCAs: GlobalRootCAs,
|
2020-08-11 11:32:44 -07:00
|
|
|
},
|
2020-05-08 17:11:47 -07:00
|
|
|
}
|
|
|
|
|
return DefaultTransport
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-16 12:09:03 -07:00
|
|
|
// PrepareConsoleHTTPClient returns an http.Client with custom configurations need it by *credentials.STSAssumeRole
|
MCS service account authentication with Mkube (#166)
`MCS` will authenticate against `Mkube`using bearer tokens via HTTP
`Authorization` header. The user will provide this token once
in the login form, MCS will validate it against Mkube (list tenants) and
if valid will generate and return a new MCS sessions
with encrypted claims (the user Service account token will be inside the
JWT in the data field)
Kubernetes
The provided `JWT token` corresponds to the `Kubernetes service account`
that `Mkube` will use to run tasks on behalf of the
user, ie: list, create, edit, delete tenants, storage class, etc.
Development
If you are running mcs in your local environment and wish to make
request to `Mkube` you can set `MCS_M3_HOSTNAME`, if
the environment variable is not present by default `MCS` will use
`"http://m3:8787"`, additionally you will need to set the
`MCS_MKUBE_ADMIN_ONLY=on` variable to make MCS display the Mkube UI
Extract the Service account token and use it with MCS
For local development you can use the jwt associated to the `m3-sa`
service account, you can get the token running
the following command in your terminal:
```
kubectl get secret $(kubectl get serviceaccount m3-sa -o
jsonpath="{.secrets[0].name}") -o jsonpath="{.data.token}" | base64
--decode
```
Then run the mcs server
```
MCS_M3_HOSTNAME=http://localhost:8787 MCS_MKUBE_ADMIN_ONLY=on ./mcs
server
```
Self-signed certificates and Custom certificate authority for Mkube
If Mkube uses TLS with a self-signed certificate, or a certificate
issued by a custom certificate authority you can add those
certificates usinng the `MCS_M3_SERVER_TLS_CA_CERTIFICATE` env variable
````
MCS_M3_SERVER_TLS_CA_CERTIFICATE=cert1.pem,cert2.pem,cert3.pem ./mcs
server
````
2020-06-23 11:37:46 -07:00
|
|
|
// custom configurations include the use of CA certificates
|
2021-08-16 12:09:03 -07:00
|
|
|
func PrepareConsoleHTTPClient(insecure bool) *http.Client {
|
2020-08-09 14:36:55 -07:00
|
|
|
transport := prepareSTSClientTransport(insecure)
|
2020-05-08 17:11:47 -07:00
|
|
|
// Return http client with default configuration
|
2020-08-09 14:36:55 -07:00
|
|
|
c := &http.Client{
|
2020-05-08 17:11:47 -07:00
|
|
|
Transport: transport,
|
|
|
|
|
}
|
2020-08-09 14:36:55 -07:00
|
|
|
return c
|
2020-05-08 17:11:47 -07:00
|
|
|
}
|