
Replace node.js proxy with oauth-proxy

Josef Karasek 6 years ago
parent
commit
71661be7ea

+ 1 - 1
roles/openshift_logging_defaults/defaults/main.yml

@@ -27,5 +27,5 @@ openshift_logging_elasticsearch_image: "{{ l_os_registry_url | regex_replace(l_o
 openshift_logging_elasticsearch_proxy_image: "{{ l2_os_logging_proxy_image }}"
 openshift_logging_fluentd_image: "{{ l_os_registry_url | regex_replace(l_openshift_logging_search | regex_escape, 'logging-fluentd') }}"
 openshift_logging_kibana_image: "{{ l_os_registry_url | regex_replace(l_openshift_logging_search | regex_escape, 'logging-kibana5') }}"
-openshift_logging_kibana_proxy_image: "{{ l_os_registry_url | regex_replace(l_openshift_logging_search | regex_escape, 'logging-auth-proxy') }}"
+openshift_logging_kibana_proxy_image: "{{ l2_os_logging_proxy_image }}"
 openshift_logging_mux_image: "{{ openshift_logging_fluentd_image }}"

+ 1 - 1
roles/openshift_logging_kibana/tasks/main.yaml

@@ -61,7 +61,7 @@
 # gen session_secret if necessary
 - name: Generate session secret
   copy:
-    content: "{{ 200 | lib_utils_oo_random_word }}"
+    content: "{{ 32 | lib_utils_oo_random_word }}"
     dest: "{{ generated_certs_dir }}/session_secret"
   when:
     - not session_secret_file.stat.exists
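Review bot: The `when: - not session_secret_file.stat.exists` guard means a session_secret generated by an earlier install (200 characters) is kept as-is, so upgraded clusters hand the old value to the new proxy via `-cookie-secret-file` while only fresh installs get the 32-character value; if the proxy constrains the cookie-secret length, which the change from 200 to 32 suggests, upgrades need a regeneration step rather than just a new default. The reason for 32 is also not recorded anywhere in the task, so a later edit could silently bump it back; add a comment above the task such as `# 32 characters: consumed by the kibana-proxy container as -cookie-secret-file; presumably tied to the proxy's accepted cookie-secret length — confirm before changing`. The task list continues outside the hunk.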

+ 13 - 39
roles/openshift_logging_kibana/templates/kibana.j2

@@ -95,6 +95,19 @@ spec:
           name: "kibana-proxy"
           image: "{{ openshift_logging_kibana_proxy_image }}"
           imagePullPolicy: IfNotPresent
+          args:
+            - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+            - --https-address=:3000
+            - -provider=openshift
+            - -client-id=kibana-proxy
+            - -client-secret-file=/secret/oauth-secret
+            - -cookie-secret-file=/secret/session-secret
+            - -upstream=http://localhost:5601
+            - "-scope=user:info user:check-access user:list-projects"
+            - --tls-cert=/secret/server-cert
+            - --tls-key=/secret/server-key
+            - -pass-access-token
+            - -skip-provider-button
 {% if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_limit is defined and kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "") or (kibana_proxy_cpu_request is defined and kibana_proxy_cpu_request is not none and kibana_proxy_cpu_request != "") %}
           resources:
 {%   if (kibana_proxy_memory_limit is defined and kibana_proxy_memory_limit is not none and kibana_proxy_memory_limit != "") or (kibana_proxy_cpu_limit is defined and kibana_proxy_cpu_limit is not none and kibana_proxy_cpu_limit != "") %}
@@ -122,48 +135,9 @@ spec:
               containerPort: 3000
           env:
             -
-             name: "OAP_BACKEND_URL"
-             value: "http://localhost:5601"
-            -
-             name: "OAP_AUTH_MODE"
-             value: "oauth2"
-            -
-             name: "OAP_TRANSFORM"
-             value: "user_header,token_header"
-            -
-             name: "OAP_OAUTH_ID"
-             value: kibana-proxy
-            -
-             name: "OAP_MASTER_URL"
-             value: {{ openshift_logging_kibana_master_url }}
-            -
-             name: "OAP_PUBLIC_MASTER_URL"
-             value: {{ openshift_logging_kibana_master_public_url }}
-            -
-             name: "OAP_LOGOUT_REDIRECT"
-             value: {{ openshift_logging_kibana_master_public_url }}/console/logout
-            -
-             name: "OAP_MASTER_CA_FILE"
-             value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
-            -
              name: "OAP_DEBUG"
              value: "{{ openshift_logging_kibana_proxy_debug }}"
             -
-             name: "OAP_OAUTH_SECRET_FILE"
-             value: "/secret/oauth-secret"
-            -
-             name: "OAP_SERVER_CERT_FILE"
-             value: "/secret/server-cert"
-            -
-             name: "OAP_SERVER_KEY_FILE"
-             value: "/secret/server-key"
-            -
-             name: "OAP_SERVER_TLS_FILE"
-             value: "/secret/server-tls.json"
-            -
-             name: "OAP_SESSION_SECRET_FILE"
-             value: "/secret/session-secret"
-            -
              name: "OCP_AUTH_PROXY_MEMORY_LIMIT"
              valueFrom:
                resourceFieldRef:
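Review bot: In the second hunk `OAP_DEBUG` is the only `OAP_*` variable left in the container env after the node.js proxy is removed, yet none of the new `args` reads it, so `openshift_logging_kibana_proxy_debug` very likely becomes a no-op unless oauth-proxy happens to honour that variable; either drop the two lines or map the setting onto a proxy flag. In the first hunk the argument list mixes double-dash flags (`--upstream-ca`, `--https-address`, `--tls-cert`, `--tls-key`) with single-dash ones (`-provider`, `-client-id`, …); Go's flag parsing usually accepts both, but one style should be used throughout. A short comment above `args:` would also help the next maintainer, e.g. `# -pass-access-token forwards the caller's OAuth token to Kibana, so -upstream must stay loopback-only (localhost:5601)`. The container definition begins and ends outside both hunks.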