Enable TLS

Explicitly set scheme in node redirects

Plumb ports to support TLS

Generate self-signed certs, plumb in env vars to infrastructure pods

Add docker loopback to master cert

Make scheme and port configurable in e2e

Change default to SSL

Simplify bootstrapping

Move crypto package, persist serial numbers between starts, make helper functions private

Use generic crypto.PublicKey/PrivateKey interface

Build assets

Change OSC default scheme/port, generate .kubernetes_auth files

Doc update to TLS

Use .kubeconfig for cert config in tests

Override default server host to https://localhost:8443

Use api object to write .kubeconfig

Author: liggitt

Dockerfile

@@ -20,6 +20,6 @@ RUN go get github.com/openshift/origin && \
     cp _output/local/go/bin/* /usr/bin/ && \
     mkdir -p /var/lib/openshift
 
-EXPOSE 8080
+EXPOSE 8080 8443
 WORKDIR /var/lib/openshift
 ENTRYPOINT ["/usr/bin/openshift"]

README.md

@@ -57,6 +57,7 @@ The simplest way to run OpenShift Origin is in a Docker container:
 Once the container is started, you can jump into a console inside the container and run the CLI.
 
     $ docker exec -it openshift-origin bash
+    $ ln -s /var/lib/openshift/openshift.local.certificates/admin/.kubernetes_auth $HOME/.kubernetes_auth
     $ osc --help
 
 
@@ -120,43 +121,43 @@ If you run into difficulties running OpenShift, start by reading through the [tr
 API
 ---
 
-The OpenShift APIs are exposed at `http://localhost:8080/osapi/v1beta1/*`.
+The OpenShift APIs are exposed at `https://localhost:8443/osapi/v1beta1/*`.
 
 * Builds
- * `http://localhost:8080/osapi/v1beta1/builds`
- * `http://localhost:8080/osapi/v1beta1/buildConfigs`
- * `http://localhost:8080/osapi/v1beta1/buildLogs`
- * `http://localhost:8080/osapi/v1beta1/buildConfigHooks`
+ * `https://localhost:8443/osapi/v1beta1/builds`
+ * `https://localhost:8443/osapi/v1beta1/buildConfigs`
+ * `https://localhost:8443/osapi/v1beta1/buildLogs`
+ * `https://localhost:8443/osapi/v1beta1/buildConfigHooks`
 * Deployments
- * `http://localhost:8080/osapi/v1beta1/deployments`
- * `http://localhost:8080/osapi/v1beta1/deploymentConfigs`
+ * `https://localhost:8443/osapi/v1beta1/deployments`
+ * `https://localhost:8443/osapi/v1beta1/deploymentConfigs`
 * Images
- * `http://localhost:8080/osapi/v1beta1/images`
- * `http://localhost:8080/osapi/v1beta1/imageRepositories`
- * `http://localhost:8080/osapi/v1beta1/imageRepositoryMappings`
+ * `https://localhost:8443/osapi/v1beta1/images`
+ * `https://localhost:8443/osapi/v1beta1/imageRepositories`
+ * `https://localhost:8443/osapi/v1beta1/imageRepositoryMappings`
 * Templates
- * `http://localhost:8080/osapi/v1beta1/templateConfigs`
+ * `https://localhost:8443/osapi/v1beta1/templateConfigs`
 * Routes
- * `http://localhost:8080/osapi/v1beta1/routes`
+ * `https://localhost:8443/osapi/v1beta1/routes`
 * Projects
- * `http://localhost:8080/osapi/v1beta1/projects`
+ * `https://localhost:8443/osapi/v1beta1/projects`
 * Users
- * `http://localhost:8080/osapi/v1beta1/users`
- * `http://localhost:8080/osapi/v1beta1/userIdentityMappings`
+ * `https://localhost:8443/osapi/v1beta1/users`
+ * `https://localhost:8443/osapi/v1beta1/userIdentityMappings`
 * OAuth
- * `http://localhost:8080/osapi/v1beta1/accessTokens`
- * `http://localhost:8080/osapi/v1beta1/authorizeTokens`
- * `http://localhost:8080/osapi/v1beta1/clients`
- * `http://localhost:8080/osapi/v1beta1/clientAuthorizations`
+ * `https://localhost:8443/osapi/v1beta1/accessTokens`
+ * `https://localhost:8443/osapi/v1beta1/authorizeTokens`
+ * `https://localhost:8443/osapi/v1beta1/clients`
+ * `https://localhost:8443/osapi/v1beta1/clientAuthorizations`
 
-The Kubernetes APIs are exposed at `http://localhost:8080/api/v1beta1/*`:
+The Kubernetes APIs are exposed at `https://localhost:8443/api/v1beta1/*`:
 
-* `http://localhost:8080/api/v1beta1/pods`
-* `http://localhost:8080/api/v1beta1/services`
-* `http://localhost:8080/api/v1beta1/replicationControllers`
-* `http://localhost:8080/api/v1beta1/operations`
+* `https://localhost:8443/api/v1beta1/pods`
+* `https://localhost:8443/api/v1beta1/services`
+* `https://localhost:8443/api/v1beta1/replicationControllers`
+* `https://localhost:8443/api/v1beta1/operations`
 
-OpenShift and Kubernetes integrate with the [Swagger 2.0 API framework](http://swagger.io) which aims to make it easier to document and write clients for RESTful APIs.  When you start OpenShift, the Swagger API endpoint is exposed at `http://localhost:8080/swaggerapi`. The Swagger UI makes it easy to view your documentation - to view the docs for your local version of OpenShift start the server with CORS enabled:
+OpenShift and Kubernetes integrate with the [Swagger 2.0 API framework](http://swagger.io) which aims to make it easier to document and write clients for RESTful APIs.  When you start OpenShift, the Swagger API endpoint is exposed at `https://localhost:8443/swaggerapi`. The Swagger UI makes it easy to view your documentation - to view the docs for your local version of OpenShift start the server with CORS enabled:
 
     $ openshift start --cors-allowed-origins=.*
 

Vagrantfile

@@ -116,6 +116,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
       # sudo ipfw add 100 fwd 127.0.0.1,1080 tcp from any to any 80 in
       config.vm.network "forwarded_port", guest: 80, host: 1080
       config.vm.network "forwarded_port", guest: 8080, host: 8080
+      config.vm.network "forwarded_port", guest: 8443, host: 8443
     end
 
     config.vm.provider "libvirt" do |libvirt, override|

assets/Gruntfile.js

@@ -70,6 +70,7 @@ module.exports = function (grunt) {
     // The actual grunt server settings
     connect: {
       options: {
+        protocol: grunt.option('scheme') || 'https',
         port: grunt.option('port') || 9000,
         // Change this to '0.0.0.0' to access the server from outside.
         hostname: grunt.option('hostname') || 'localhost',

assets/app/config.js

@@ -4,11 +4,11 @@
 window.OPENSHIFT_CONFIG = {
   api: {
     openshift: {
-      hostPort: "localhost:8080",
+      hostPort: "localhost:8443",
       prefix: "/osapi"
     },
     k8s: {
-      hostPort: "localhost:8080",
+      hostPort: "localhost:8443",
       prefix: "/api"
     }
   }

assets/test/karma.conf.js

@@ -50,7 +50,7 @@ module.exports = function(config) {
     exclude: [],
 
     // web server port
-    port: 8080,
+    port: 8443,
 
     // Start these browsers, currently available:
     // - Chrome

examples/examples_test.go

@@ -151,6 +151,7 @@ func TestExampleObjectSchemas(t *testing.T) {
 		"../examples/sample-app": {
 			"github-webhook-example":           nil, // Skip.
 			"docker-registry-config":           &configapi.Config{},
+			"docker-registry-template":         &templateapi.Template{},
 			"application-template-stibuild":    &templateapi.Template{},
 			"application-template-dockerbuild": &templateapi.Template{},
 			"application-template-custombuild": &templateapi.Template{},

examples/jenkins/docker-registry-config.json

@@ -64,7 +64,7 @@
                         "readOnly":false
                       }
                     ],
-                    "command": ["sh", "-c", "REGISTRY_URL=${DOCKER_REGISTRY_SERVICE_HOST}:${DOCKER_REGISTRY_SERVICE_PORT} OPENSHIFT_URL=http://${KUBERNETES_SERVICE_HOST}:443/osapi/v1beta1 exec docker-registry"]
+                    "command": ["sh", "-c", "REGISTRY_URL=${DOCKER_REGISTRY_SERVICE_HOST}:${DOCKER_REGISTRY_SERVICE_PORT} OPENSHIFT_URL=https://${KUBERNETES_SERVICE_HOST}:443/osapi/v1beta1 OPENSHIFT_INSECURE=true exec docker-registry"]
                   }
                 ],
                 "version":"v1beta1",

examples/jenkins/job.xml

@@ -9,7 +9,7 @@
         <hudson.model.StringParameterDefinition>
           <name>OPENSHIFT_HOST</name>
           <description>host/port of openshift api server.</description>
-          <defaultValue>http://172.17.42.1:8080</defaultValue>
+          <defaultValue>https://172.17.42.1:8443</defaultValue>
         </hudson.model.StringParameterDefinition>
       </parameterDefinitions>
     </hudson.model.ParametersDefinitionProperty>

examples/sample-app/README.md

@@ -112,14 +112,14 @@ All commands assume the `openshift` binary is in your path (normally located und
 
         $ openshift cli create Project -f project.json
 
-8. *Optional:* View the OpenShift web console in your browser by browsing to `http://[host machine ip]:8081`
+8. *Optional:* View the OpenShift web console in your browser by browsing to `https://<host>:8444`
     If you click the `Hello OpenShift` project and leave the tab open, you'll see the page update as you deploy objects into the project and run builds.
 
 9. Fork the [ruby sample repository](https://github.com/openshift/ruby-hello-world)
 
 10. *Optional:* Add the following webhook to your new github repository:
 
-        $ http://<host>:8080/osapi/v1beta1/buildConfigHooks/ruby-sample-build/secret101/github?namespace=test
+        $ https://<host>:8443/osapi/v1beta1/buildConfigHooks/ruby-sample-build/secret101/github?namespace=test
   * Note: Using the webhook requires your OpenShift server be publicly accessible so github can reach it to invoke the hook.
 
 11. Edit application-template-stibuild.json
@@ -136,7 +136,7 @@ All commands assume the `openshift` binary is in your path (normally located und
  * If you setup the github webhook in step 10, push a change to app.rb in your ruby sample repository from step 9.
  * Otherwise you can simulate the webhook invocation by running:
 
-            $ curl -X POST http://localhost:8080/osapi/v1beta1/buildConfigHooks/ruby-sample-build/secret101/generic?namespace=test
+            $ curl -X POST https://localhost:8443/osapi/v1beta1/buildConfigHooks/ruby-sample-build/secret101/generic?namespace=test
 
 14. Monitor the builds and wait for the status to go to "complete" (this can take a few mins):
 
@@ -194,7 +194,7 @@ All commands assume the `openshift` binary is in your path (normally located und
 
  * If you do not have the webhook enabled, you'll have to manually trigger another build:
 
-            $ curl -X POST http://localhost:8080/osapi/v1beta1/buildConfigHooks/ruby-sample-build/secret101/generic?namespace=test
+            $ curl -X POST https://localhost:8443/osapi/v1beta1/buildConfigHooks/ruby-sample-build/secret101/generic?namespace=test
 
 
 19. Repeat step 14 (waiting for the build to complete).  Once the build is complete, refreshing your browser should show your changes.

examples/sample-app/docker-registry-config.json

@@ -65,8 +65,8 @@
                         "readOnly":false
                       }
                     ],
-                    "command": ["sh", "-c", "REGISTRY_URL=${DOCKER_REGISTRY_SERVICE_HOST}:${DOCKER_REGISTRY_SERVICE_PORT} OPENSHIFT_URL=http://${KUBERNETES_SERVICE_HOST}:443/osapi/v1beta1 exec docker-registry"],
-		    "privileged":true
+                    "command": ["sh", "-c", "REGISTRY_URL=${DOCKER_REGISTRY_SERVICE_HOST}:${DOCKER_REGISTRY_SERVICE_PORT} OPENSHIFT_URL=https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/osapi/v1beta1 OPENSHIFT_INSECURE=true exec docker-registry"],
+                    "privileged": true
                   }
                 ],
                 "version":"v1beta1",

examples/sample-app/docker-registry-template.json

@@ -0,0 +1,133 @@
+{
+  "kind":"Template",
+  "metadata": {
+      "name": "docker-registry-template",
+      "annotations": {
+          "description": "Template for launching a docker-registry pod"
+      }
+  },
+  "parameters": [
+      {
+          "name": "OPENSHIFT_MASTER",
+          "description": "OpenShift master",
+          "value": "http://localhost:8080"
+      },
+      {
+          "name": "OPENSHIFT_CA_DATA",
+          "description": "OpenShift root certificates",
+      },
+      {
+          "name": "OPENSHIFT_CERT_DATA",
+          "description": "OpenShift client certificate",
+      },
+      {
+          "name": "OPENSHIFT_KEY_DATA",
+          "description": "OpenShift client certificate key",
+      }
+  ],
+  "apiVersion":"v1beta1",
+  "creationTimestamp":"2014-09-18T18:28:38-04:00",
+  "items":[
+    {
+      "apiVersion":"v1beta2",
+      "creationTimestamp":null,
+      "id":"docker-registry",
+      "kind":"Service",
+      "portalIp": "172.30.17.3",
+      "port":5001,
+      "containerPort":5000,
+      "selector":{
+        "name":"registrypod"
+      }
+    },
+    {
+      "metadata":{
+        "name":"docker-registry",
+      },
+      "kind":"DeploymentConfig",
+      "apiVersion":"v1beta1",
+      "triggers":[
+        {
+          "type":"ConfigChange",
+        }
+      ],
+      "template":{
+        "strategy":{
+          "type":"Recreate"
+        },
+        "controllerTemplate":{
+          "replicas":1,
+          "replicaSelector":{
+            "name":"registrypod"
+          },
+          "podTemplate":{
+            "desiredState":{
+              "manifest":{
+                "containers":[
+                  {
+                    "image":"openshift/docker-registry",
+                    "imagePullPolicy":"PullIfNotPresent",
+                    "name":"registry-container",
+                    "ports":[
+                      {
+                        "containerPort":5000,
+                        "protocol":"TCP"
+                      }
+                    ],
+                    "env":[
+                      {
+                        "name":"STORAGE_PATH",
+                        "value":"/tmp/openshift.local.registry"
+                      },
+                      {
+                          "name": "OPENSHIFT_MASTER",
+                          "value": "${OPENSHIFT_MASTER}"
+                      },
+                      {
+                          "name": "OPENSHIFT_CA_DATA",
+                          "value": "${OPENSHIFT_CA_DATA}"
+                      },
+                      {
+                          "name": "OPENSHIFT_CERT_DATA",
+                          "value": "${OPENSHIFT_CERT_DATA}"
+                      },
+                      {
+                          "name": "OPENSHIFT_KEY_DATA",
+                          "value": "${OPENSHIFT_KEY_DATA}"
+                      }
+                    ],
+                    "volumeMounts":[
+                      {
+                        "name":"registry-storage",
+                        "mountPath":"/tmp/openshift.local.registry",
+                        "readOnly":false
+                      }
+                    ],
+                    "command": ["sh", "-c", "echo \"$OPENSHIFT_CA_DATA\" > $STORAGE_PATH/root.crt && REGISTRY_URL=${DOCKER_REGISTRY_SERVICE_HOST}:${DOCKER_REGISTRY_SERVICE_PORT} OPENSHIFT_URL=${OPENSHIFT_MASTER}/osapi/v1beta1 OPENSHIFT_CA_BUNDLE=$STORAGE_PATH/root.crt exec docker-registry"]
+                  }
+                ],
+                "version":"v1beta1",
+                "volumes":[
+                  {
+                    "name":"registry-storage",
+                    "source":{
+                      "hostDir":{
+                        "path":"/tmp/openshift.local.registry"
+                      }
+                    }
+                  }
+                ]
+              },
+              "restartpolicy":{
+
+              }
+            },
+            "labels":{
+              "name":"registrypod"
+            }
+          }
+        }
+      }
+    }
+  ]
+}

hack/serve-local-assets.sh

@@ -5,9 +5,10 @@ set -e
 OS_ROOT=$(dirname "${BASH_SOURCE}")/..
 source "${OS_ROOT}/hack/common.sh"
 
+GRUNT_SCHEME=${GRUNT_SCHEME:-https}
 GRUNT_PORT=${GRUNT_PORT:-9000}
 GRUNT_HOSTNAME=${GRUNT_HOSTNAME:-localhost}
 
 pushd "${OS_ROOT}/assets" > /dev/null
-  grunt serve --port=$GRUNT_PORT --hostname=$GRUNT_HOSTNAME
+  grunt serve --scheme=$GRUNT_SCHEME --port=$GRUNT_PORT --hostname=$GRUNT_HOSTNAME
 popd > /dev/null

hack/test-cmd.sh

@@ -29,12 +29,15 @@ USE_LOCAL_IMAGES=${USE_LOCAL_IMAGES:-true}
 
 ETCD_HOST=${ETCD_HOST:-127.0.0.1}
 ETCD_PORT=${ETCD_PORT:-4001}
-API_PORT=${API_PORT:-8080}
+API_SCHEME=${API_SCHEME:-https}
+API_PORT=${API_PORT:-8443}
 API_HOST=${API_HOST:-127.0.0.1}
+KUBELET_SCHEME=${KUBELET_SCHEME:-http}
 KUBELET_PORT=${KUBELET_PORT:-10250}
 
 ETCD_DATA_DIR=$(mktemp -d /tmp/openshift.local.etcd.XXXX)
 VOLUME_DIR=$(mktemp -d /tmp/openshift.local.volumes.XXXX)
+CERT_DIR=$(mktemp -d /tmp/openshift.local.certificates.XXXX)
 
 # set path so OpenShift is available
 GO_OUT="${OS_ROOT}/_output/local/go/bin"
@@ -45,13 +48,23 @@ out=$(openshift version)
 echo openshift: $out
 
 # Start openshift
-openshift start --master="${API_HOST}:${API_PORT}" --volume-dir="${VOLUME_DIR}" --etcd-dir="${ETCD_DATA_DIR}" 1>&2 &
+openshift start --master="${API_SCHEME}://${API_HOST}:${API_PORT}" --listen="${API_SCHEME}://0.0.0.0:${API_PORT}" --volume-dir="${VOLUME_DIR}" --etcd-dir="${ETCD_DATA_DIR}" --cert-dir="${CERT_DIR}" 1>&2 &
 OS_PID=$!
 
-wait_for_url "http://localhost:${KUBELET_PORT}/healthz" "kubelet: " 1 30
-wait_for_url "http://${API_HOST}:${API_PORT}/healthz" "apiserver: "
+if [[ "$API_SCHEME" == "https" ]]; then
+	export CURL_CA_BUNDLE="$CERT_DIR/admin/root.crt"
+fi
 
-export KUBERNETES_MASTER="${API_HOST}:${API_PORT}"
+wait_for_url "${KUBELET_SCHEME}://${API_HOST}:${KUBELET_PORT}/healthz" "kubelet: " 1 30
+wait_for_url "${API_SCHEME}://${API_HOST}:${API_PORT}/healthz" "apiserver: "
+
+# Set KUBERNETES_MASTER for osc
+export KUBERNETES_MASTER="${API_SCHEME}://${API_HOST}:${API_PORT}"
+if [[ "$API_SCHEME" == "https" ]]; then
+	# Make osc use $CERT_DIR/admin/.kubeconfig, and ignore anything in the running user's $HOME dir
+	export HOME=$CERT_DIR/admin
+	export KUBECONFIG=$CERT_DIR/admin/.kubeconfig
+fi
 
 #
 # Begin tests