Mirroristas/bigchaindb
2
0
Fork 0
mirror of https://github.com/bigchaindb/bigchaindb.git synced 2024-10-13 13:34:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Problem: K8s deployment with Access Token Authorization expects Access Token for GET calls and others (#2134)

Browse Source 
* Fix for access token authorization for GET calls

- Naming inconsistency for cluster-fqdn causing issues
- Change cluster-frontend-port to node-frontend-port

* Change hardcoded 9984 to configurable
This commit is contained in:
Ahmed Muawia Khan 2018-03-15 16:20:15 +01:00 committed by vrde
parent 8c32ae798b
commit 0125368d8e
11 changed files with 51 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
k8s/bigchaindb/bigchaindb-dep.yaml
View File

@ -48,7 +48,7 @@ spec:
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
name: vars name: vars
key: cluster-fqdn key: node-fqdn
- name: BIGCHAINDB_WSSERVER_PORT - name: BIGCHAINDB_WSSERVER_PORT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
@ -58,7 +58,7 @@ spec:
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
name: vars name: vars
key: cluster-frontend-port key: node-frontend-port
- name: BIGCHAINDB_WSSERVER_ADVERTISED_SCHEME - name: BIGCHAINDB_WSSERVER_ADVERTISED_SCHEME
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:

8
k8s/configuration/config-map.yaml
View File

@ -7,12 +7,12 @@ metadata:
name: vars name: vars
namespace: default namespace: default
data: data:
# cluster-fqdn is the DNS name registered for your HTTPS certificate. # node-fqdn is the DNS name registered for your HTTPS certificate.
cluster-fqdn: "bdb.example.com" node-fqdn: "bdb.example.com"
# cluster-frontend-port is the port number on which this node's services # node-frontend-port is the port number on which this node's services
# are available to external clients. # are available to external clients.
cluster-frontend-port: "443" node-frontend-port: "443"
# cluster-health-check-port is the port number on which an external load # cluster-health-check-port is the port number on which an external load
# balancer can check the status/liveness of the external/public server. # balancer can check the status/liveness of the external/public server.

2
k8s/nginx-http/container/nginx.conf.template
View File

@ -59,7 +59,7 @@ http {
# Frontend server for the external clients # Frontend server for the external clients
server { server {
listen CLUSTER_FRONTEND_PORT; listen NODE_FRONTEND_PORT;
underscores_in_headers on; underscores_in_headers on;
# Forward websockets to backend BDB at 9985. # Forward websockets to backend BDB at 9985.

8
k8s/nginx-http/container/nginx_entrypoint.bash
View File

@ -2,7 +2,7 @@
set -euo pipefail set -euo pipefail
# Cluster vars # Cluster vars
cluster_frontend_port=`printenv CLUSTER_FRONTEND_PORT` node_frontend_port=`printenv NODE_FRONTEND_PORT`
# NGINX vars # NGINX vars
@ -23,7 +23,7 @@ bdb_ws_port=`printenv BIGCHAINDB_WS_PORT`
# sanity check # sanity check
if [[ -z "${cluster_frontend_port:?CLUSTER_FRONTEND_PORT not specified. Exiting!}" || \ if [[ -z "${node_frontend_port:?NODE_FRONTEND_PORT not specified. Exiting!}" || \
-z "${mongo_frontend_port:?MONGODB_FRONTEND_PORT not specified. Exiting!}" || \ -z "${mongo_frontend_port:?MONGODB_FRONTEND_PORT not specified. Exiting!}" || \
-z "${mongo_backend_host:?MONGODB_BACKEND_HOST not specified. Exiting!}" || \ -z "${mongo_backend_host:?MONGODB_BACKEND_HOST not specified. Exiting!}" || \
-z "${mongo_backend_port:?MONGODB_BACKEND_PORT not specified. Exiting!}" || \ -z "${mongo_backend_port:?MONGODB_BACKEND_PORT not specified. Exiting!}" || \
@ -37,7 +37,7 @@ if [[ -z "${cluster_frontend_port:?CLUSTER_FRONTEND_PORT not specified. Exiting!
-z "${tm_p2p_port:?TM_P2P_PORT not specified. Exiting!}" ]]; then -z "${tm_p2p_port:?TM_P2P_PORT not specified. Exiting!}" ]]; then
exit 1 exit 1
else else
echo CLUSTER_FRONTEND_PORT="$cluster_frontend_port" echo NODE_FRONTEND_PORT="$node_frontend_port"
echo DNS_SERVER="$dns_server" echo DNS_SERVER="$dns_server"
echo HEALTH_CHECK_PORT="$health_check_port" echo HEALTH_CHECK_PORT="$health_check_port"
echo MONGODB_FRONTEND_PORT="$mongo_frontend_port" echo MONGODB_FRONTEND_PORT="$mongo_frontend_port"
@ -54,7 +54,7 @@ fi
NGINX_CONF_FILE=/etc/nginx/nginx.conf NGINX_CONF_FILE=/etc/nginx/nginx.conf
# configure the nginx.conf file with env variables # configure the nginx.conf file with env variables
sed -i "s|CLUSTER_FRONTEND_PORT|${cluster_frontend_port}|g" ${NGINX_CONF_FILE} sed -i "s|NODE_FRONTEND_PORT|${node_frontend_port}|g" ${NGINX_CONF_FILE}
sed -i "s|MONGODB_FRONTEND_PORT|${mongo_frontend_port}|g" ${NGINX_CONF_FILE} sed -i "s|MONGODB_FRONTEND_PORT|${mongo_frontend_port}|g" ${NGINX_CONF_FILE}
sed -i "s|MONGODB_BACKEND_HOST|${mongo_backend_host}|g" ${NGINX_CONF_FILE} sed -i "s|MONGODB_BACKEND_HOST|${mongo_backend_host}|g" ${NGINX_CONF_FILE}
sed -i "s|MONGODB_BACKEND_PORT|${mongo_backend_port}|g" ${NGINX_CONF_FILE} sed -i "s|MONGODB_BACKEND_PORT|${mongo_backend_port}|g" ${NGINX_CONF_FILE}

6
k8s/nginx-http/nginx-http-dep.yaml
View File

@ -15,11 +15,11 @@ spec:
image: bigchaindb/nginx_http:unstable image: bigchaindb/nginx_http:unstable
imagePullPolicy: Always imagePullPolicy: Always
env: env:
- name: CLUSTER_FRONTEND_PORT - name: NODE_FRONTEND_PORT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
name: vars name: vars
key: cluster-frontend-port key: node-frontend-port
- name: HEALTH_CHECK_PORT - name: HEALTH_CHECK_PORT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
@ -74,7 +74,7 @@ spec:
- containerPort: "<cluster-health-check-port from ConfigMap>" - containerPort: "<cluster-health-check-port from ConfigMap>"
protocol: TCP protocol: TCP
name: ngx-health name: ngx-health
- containerPort: "<cluster-frontend-port from ConfigMap>" - containerPort: "<node-frontend-port from ConfigMap>"
protocol: TCP protocol: TCP
- containerPort: "<tm-pub-key-access from ConfigMap>" - containerPort: "<tm-pub-key-access from ConfigMap>"
protocol: TCP protocol: TCP

6
k8s/nginx-http/nginx-http-svc.yaml
View File

@ -13,9 +13,9 @@ spec:
selector: selector:
app: ngx-instance-0-dep app: ngx-instance-0-dep
ports: ports:
- port: "<cluster-frontend-port from ConfigMap>" - port: "<node-frontend-port from ConfigMap>"
targetPort: "<cluster-frontend-port from ConfigMap>" targetPort: "<node-frontend-port from ConfigMap>"
name: public-cluster-port name: public-node-port
protocol: TCP protocol: TCP
- port: "<tm-pub-key-access from ConfigMap>" - port: "<tm-pub-key-access from ConfigMap>"
targetPort: "<tm-pub-key-access from ConfigMap>" targetPort: "<tm-pub-key-access from ConfigMap>"

45
k8s/nginx-https/container/nginx.conf.template
View File

@ -61,7 +61,7 @@ http {
# Frontend server for the external clients; acts as HTTPS termination point. # Frontend server for the external clients; acts as HTTPS termination point.
server { server {
listen CLUSTER_FRONTEND_PORT ssl; listen NODE_FRONTEND_PORT ssl;
server_name "NODE_FQDN"; server_name "NODE_FQDN";
ssl_certificate /etc/nginx/ssl/cert.pem; ssl_certificate /etc/nginx/ssl/cert.pem;
@ -86,6 +86,7 @@ http {
# Forward other URL paths as per business logic/use case to BDB or # Forward other URL paths as per business logic/use case to BDB or
# OpenResty instance. # OpenResty instance.
location / { location / {
set $auth_check 1; #Flag to authorize POST requests
proxy_ignore_client_abort on; proxy_ignore_client_abort on;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -93,35 +94,39 @@ http {
# max client request body size: avg transaction size. # max client request body size: avg transaction size.
client_max_body_size 15k; client_max_body_size 15k;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Secret-Access-Token,User-Agent';
add_header 'Access-Control-Max-Age' 43200;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ( $http_x_secret_access_token != "SECRET_ACCESS_TOKEN" ) {
set $auth_check 0;
}
if ($request_method = POST ) {
set $auth_check "${auth_check}1";
}
if ( $auth_check = "01" ) {
return 403;
}
# No auth for GETs, forward directly to BDB. # No auth for GETs, forward directly to BDB.
if ($request_method = GET) { if ($request_method = GET) {
proxy_pass http://$bdb_backend:BIGCHAINDB_API_PORT; proxy_pass http://$bdb_backend:BIGCHAINDB_API_PORT;
} }
# OPTIONS requests handling for CORS.
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Secret-Access-Token,User-Agent';
add_header 'Access-Control-Max-Age' 43200;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
# Check for security header to authorize POST requests
if ( $http_x_secret_access_token != "SECRET_ACCESS_TOKEN" ) {
return 403;
}
# POST requests get forwarded to BDB.
if ($request_method = POST ) { if ($request_method = POST ) {
proxy_pass http://$bdb_backend:BIGCHAINDB_API_PORT; proxy_pass http://$bdb_backend:BIGCHAINDB_API_PORT;
} }
# Only return this reponse if request_method is neither POST|GET|OPTIONS # Only return this reponse if request_method is neither POST|GET|OPTIONS
if ($request_method !~ ^(GET|OPTIONS|POST)$) { if ($request_method !~ ^(GET|OPTIONS|POST)$) {
return 444; return 444;
} }
} }
} }

2
k8s/nginx-https/container/nginx.conf.threescale.template
View File

@ -63,7 +63,7 @@ http {
# Frontend server for the external clients; acts as HTTPS termination point. # Frontend server for the external clients; acts as HTTPS termination point.
server { server {
listen CLUSTER_FRONTEND_PORT ssl; listen NODE_FRONTEND_PORT ssl;
server_name "NODE_FQDN"; server_name "NODE_FQDN";
ssl_certificate /etc/nginx/ssl/cert.pem; ssl_certificate /etc/nginx/ssl/cert.pem;

8
k8s/nginx-https/container/nginx_entrypoint.bash
View File

@ -8,7 +8,7 @@ secret_token_auth_mode="secret-token"
# Cluster vars # Cluster vars
node_fqdn=`printenv NODE_FQDN` node_fqdn=`printenv NODE_FQDN`
cluster_frontend_port=`printenv CLUSTER_FRONTEND_PORT` node_frontend_port=`printenv NODE_FRONTEND_PORT`
# NGINX vars # NGINX vars
@ -36,7 +36,7 @@ tm_p2p_port=`printenv TM_P2P_PORT`
# sanity check # sanity check
if [[ -z "${cluster_frontend_port:?CLUSTER_FRONTEND_PORT not specified. Exiting!}" || \ if [[ -z "${node_frontend_port:?NODE_FRONTEND_PORT not specified. Exiting!}" || \
-z "${mongo_backend_host:?MONGODB_BACKEND_HOST not specified. Exiting!}" || \ -z "${mongo_backend_host:?MONGODB_BACKEND_HOST not specified. Exiting!}" || \
-z "${mongo_backend_port:?MONGODB_BACKEND_PORT not specified. Exiting!}" || \ -z "${mongo_backend_port:?MONGODB_BACKEND_PORT not specified. Exiting!}" || \
-z "${openresty_backend_port:?OPENRESTY_BACKEND_PORT not specified. Exiting!}" || \ -z "${openresty_backend_port:?OPENRESTY_BACKEND_PORT not specified. Exiting!}" || \
@ -54,7 +54,7 @@ if [[ -z "${cluster_frontend_port:?CLUSTER_FRONTEND_PORT not specified. Exiting!
exit 1 exit 1
else else
echo NODE_FQDN="$node_fqdn" echo NODE_FQDN="$node_fqdn"
echo CLUSTER_FRONTEND_PORT="$cluster_frontend_port" echo NODE_FRONTEND_PORT="$node_frontend_port"
echo DNS_SERVER="$dns_server" echo DNS_SERVER="$dns_server"
echo HEALTH_CHECK_PORT="$health_check_port" echo HEALTH_CHECK_PORT="$health_check_port"
echo MONGODB_BACKEND_HOST="$mongo_backend_host" echo MONGODB_BACKEND_HOST="$mongo_backend_host"
@ -84,7 +84,7 @@ fi
# configure the nginx.conf file with env variables # configure the nginx.conf file with env variables
sed -i "s|NODE_FQDN|${node_fqdn}|g" ${NGINX_CONF_FILE} sed -i "s|NODE_FQDN|${node_fqdn}|g" ${NGINX_CONF_FILE}
sed -i "s|CLUSTER_FRONTEND_PORT|${cluster_frontend_port}|g" ${NGINX_CONF_FILE} sed -i "s|NODE_FRONTEND_PORT|${node_frontend_port}|g" ${NGINX_CONF_FILE}
sed -i "s|MONGODB_BACKEND_HOST|${mongo_backend_host}|g" ${NGINX_CONF_FILE} sed -i "s|MONGODB_BACKEND_HOST|${mongo_backend_host}|g" ${NGINX_CONF_FILE}
sed -i "s|MONGODB_BACKEND_PORT|${mongo_backend_port}|g" ${NGINX_CONF_FILE} sed -i "s|MONGODB_BACKEND_PORT|${mongo_backend_port}|g" ${NGINX_CONF_FILE}
sed -i "s|BIGCHAINDB_BACKEND_HOST|${bdb_backend_host}|g" ${NGINX_CONF_FILE} sed -i "s|BIGCHAINDB_BACKEND_HOST|${bdb_backend_host}|g" ${NGINX_CONF_FILE}

4
k8s/nginx-https/nginx-https-dep.yaml
View File

@ -15,11 +15,11 @@ spec:
image: bigchaindb/nginx_https:unstable image: bigchaindb/nginx_https:unstable
imagePullPolicy: Always imagePullPolicy: Always
env: env:
- name: CLUSTER_FRONTEND_PORT - name: NODE_FRONTEND_PORT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:
name: vars name: vars
key: cluster-frontend-port key: node-frontend-port
- name: HEALTH_CHECK_PORT - name: HEALTH_CHECK_PORT
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef:

4
k8s/scripts/functions
View File

@ -238,9 +238,9 @@ data:
# node-fqdn is the DNS name registered for your HTTPS certificate. # node-fqdn is the DNS name registered for your HTTPS certificate.
node-fqdn: "${node_fqdn}" node-fqdn: "${node_fqdn}"
# cluster-frontend-port is the port number on which this node's services # node-frontend-port is the port number on which this node's services
# are available to external clients. # are available to external clients.
cluster-frontend-port: "443" node-frontend-port: "443"
# cluster-health-check-port is the port number on which an external load # cluster-health-check-port is the port number on which an external load
# balancer can check the status/liveness of the external/public server. # balancer can check the status/liveness of the external/public server.