Add proxy for GitOps backend service

The GitOps operator will deploy the backend service with a known route pattern. The UI can use this proxy to fetch the GitOps dashboard information from the service. In this commit the proxy exposes the following endpoint: API pattern: GET /api/gitops/
christianaranda · Jul 30, 2020 · 64ff45e · 64ff45e
1 parent 3ffbdd9
commit 64ff45e
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 0 deletions.
diff --git a/cmd/bridge/main.go b/cmd/bridge/main.go
@@ -53,6 +53,9 @@ const (
 
  // Well-known location of metering service for OpenShift. This is only accessible in-cluster.
  openshiftMeteringHost = "reporting-operator.openshift-metering.svc:8080"
+
+ // Well-known location of the GitOps service. This is only accessible in-cluster
+ openshiftGitOpsHost = "cluster.openshift-pipelines-app-delivery.svc:8080"
 )
 
 func main() {
@@ -89,6 +92,8 @@ func main() {
  fK8sAuth := fs.String("k8s-auth", "service-account", "service-account | bearer-token | oidc | openshift")
  fK8sAuthBearerToken := fs.String("k8s-auth-bearer-token", "", "Authorization token to send with proxied Kubernetes API requests.")
 
+ fK8sModeOffClusterGitOps := fs.String("k8s-mode-off-cluster-gitops", "", "DEV ONLY. URL of the GitOps backend service")
+
  fRedirectPort := fs.Int("redirect-port", 0, "Port number under which the console should listen for custom hostname redirect.")
  fLogLevel := fs.String("log-level", "", "level of logging information by package (pkg=level).")
  fPublicDir := fs.String("public-dir", "./frontend/public/dist", "directory containing static web assets.")
@@ -357,6 +362,12 @@ func main() {
  Endpoint: &url.URL{Scheme: "https", Host: openshiftMeteringHost, Path: "/api"},
  }
  srv.TerminalProxyTLSConfig = serviceProxyTLSConfig
+
+ srv.GitOpsProxyConfig = &proxy.Config{
+ TLSClientConfig: serviceProxyTLSConfig,
+ HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+ Endpoint: &url.URL{Scheme: "https", Host: openshiftGitOpsHost},
+ }
  }
 
  case "off-cluster":
@@ -413,6 +424,15 @@ func main() {
 
  srv.TerminalProxyTLSConfig = serviceProxyTLSConfig
 
+ if *fK8sModeOffClusterGitOps != "" {
+ offClusterGitOpsURL := bridge.ValidateFlagIsURL("k8s-mode-off-cluster-gitops", *fK8sModeOffClusterGitOps)
+ srv.GitOpsProxyConfig = &proxy.Config{
+ TLSClientConfig: serviceProxyTLSConfig,
+ HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
+ Endpoint: offClusterGitOpsURL,
+ }
+ }
+
  default:
  bridge.FlagFatalf("k8s-mode", "must be one of: in-cluster, off-cluster")
  }

diff --git a/contrib/oc-environment.sh b/contrib/oc-environment.sh
@@ -31,6 +31,12 @@ export BRIDGE_K8S_MODE_OFF_CLUSTER_THANOS
 BRIDGE_K8S_MODE_OFF_CLUSTER_ALERTMANAGER=$(oc -n openshift-config-managed get configmap monitoring-shared-config -o jsonpath='{.data.alertmanagerPublicURL}')
 export BRIDGE_K8S_MODE_OFF_CLUSTER_ALERTMANAGER
 
+GITOPS_HOSTNAME=$(oc -n openshift-pipelines-app-delivery get route cluster -o jsonpath='{.spec.host}' 2> /dev/null)
+if [ -n "$GITOPS_HOSTNAME" ]; then
+ BRIDGE_K8S_MODE_OFF_CLUSTER_GITOPS="https://$GITOPS_HOSTNAME"
+ export BRIDGE_K8S_MODE_OFF_CLUSTER_GITOPS
+fi
+
 BRIDGE_K8S_AUTH="bearer-token"
 export BRIDGE_K8S_AUTH
 

diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -47,6 +47,7 @@ const (
  meteringProxyEndpoint = "/api/metering"
  customLogoEndpoint = "/custom-logo"
  helmChartRepoProxyEndpoint = "/api/helm/charts/"
+ gitopsEndpoint = "/api/gitops/"
 )
 
 var (
@@ -112,6 +113,7 @@ type Server struct {
  AlertManagerProxyConfig *proxy.Config
  MeteringProxyConfig *proxy.Config
  TerminalProxyTLSConfig *tls.Config
+ GitOpsProxyConfig *proxy.Config
  // A lister for resource listing of a particular kind
  MonitoringDashboardConfigMapLister ResourceLister
  KnativeEventSourceCRDLister ResourceLister
@@ -142,6 +144,10 @@ func (s *Server) meteringProxyEnabled() bool {
  return s.MeteringProxyConfig != nil
 }
 
+func (s *Server) gitopsProxyEnabled() bool {
+ return s.GitOpsProxyConfig != nil
+}
+
 func (s *Server) HTTPHandler() http.Handler {
  mux := http.NewServeMux()
 
@@ -400,6 +406,18 @@ func (s *Server) HTTPHandler() http.Handler {
  proxy.SingleJoiningSlash(s.BaseURL.Path, helmChartRepoProxyEndpoint),
  http.HandlerFunc(helmChartRepoProxy.ServeHTTP)))
 
+ // GitOps proxy endpoints
+ if s.gitopsProxyEnabled() {
+ gitopsProxy := proxy.NewProxy(s.GitOpsProxyConfig)
+ handle(gitopsEndpoint, http.StripPrefix(
+ proxy.SingleJoiningSlash(s.BaseURL.Path, gitopsEndpoint),
+ authHandlerWithUser(func(user *auth.User, w http.ResponseWriter, r *http.Request) {
+ r.Header.Set("Authorization", fmt.Sprintf("Bearer %s", user.Token))
+ gitopsProxy.ServeHTTP(w, r)
+ })),
+ )
+ }
+
  mux.HandleFunc(s.BaseURL.Path, s.indexHandler)
 
  return securityHeadersMiddleware(http.Handler(mux))