in OpenShift 4.2, /apis is not accessible to anonymous users. Workarounds?

2019-10-01 Thread Andre Dietisheim

Hi

In OpenShift 4.2 "/apis" started only being accessible to authorized 
users. This causes troubles for the Eclipse tooling and the java client 
library openshift-restclient-java 
(https://github.com/openshift/openshift-restclient-java) which tries to 
discover endpoints before authenticating.


Thus my question(s):

* Is this the new default?
* if this restriction is deliberate, what's the reasoning behind it?
* Is there a workaround?

Thanks for your answers!
André

___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev


Re: in OpenShift 4.2, /apis is not accessible to anonymous users. Workarounds?

2019-10-01 Thread Andre Dietisheim

Hi Akram

Thanks for the answer. Insightful.
For now we can't easily switch libraries given the extent of usage and 
amount of work to migrate.


Cheers
André

Am 01.10.19 um 16:34 schrieb Akram Ben Aissi:

Hi André,

indeed this is the new default. And, historically, because of a CVE 
raising an issue about it, dropping discovery of /api has been removed 
but then temporary restored in 4.1 and removed in 4.2.

See this https://bugzilla.redhat.com/show_bug.cgi?id=1711533

On the Jenkins plugins we were about to fix similar issues, cause 
/oapi was deprecated in OCP 4.2 . We depends on kubernetes-client Java 
library which fixed this.
https://github.com/fabric8io/kubernetes-client/issues/1587 and follow 
the different PR. If you depend on this library also, maybe you have 
your fix in a recent version.


Otherwise, IIRC, the eclipse plugin required credentials (or a token) 
to connect to openshift server, so in your case, you maybe "just" need 
to use them to then get the endpoints.


Akram


Le mar. 1 oct. 2019 à 15:38, Andre Dietisheim <mailto:adiet...@redhat.com>> a écrit :


Hi

In OpenShift 4.2 "/apis" started only being accessible to authorized
users. This causes troubles for the Eclipse tooling and the java
client
library openshift-restclient-java
(https://github.com/openshift/openshift-restclient-java) which
tries to
discover endpoints before authenticating.

Thus my question(s):

* Is this the new default?
* if this restriction is deliberate, what's the reasoning behind it?
* Is there a workaround?

Thanks for your answers!
André

___
dev mailing list
dev@lists.openshift.redhat.com <mailto:dev@lists.openshift.redhat.com>
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev

___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev


how to get URL for the Web ui if you have the URL to the endpoint?

2019-09-30 Thread Andre Dietisheim

Hi

In the Eclipse endpoint we face the following problem: We connect to the 
REST endpoint where we authenticate, deal with resources etc. Current 
Eclipse tooling (which also deals with OS3) allows users to open the 
web-ui in a browser. In OS4, how do we get the URL for the web-ui given 
the URL for the REST endpoint?


Any help appreciated, thanks!

Cheers
Andre

___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev


Re: how to get URL for the Web ui if you have the URL to the endpoint?

2019-09-30 Thread Andre Dietisheim

Hi Sam

> config map `console-public` in the `openshift-config-managed` 
namespace, key `consoleURL`


wow, nice, that's exactly what we needed (yes, accessible to non-admin 
users). Thanks a lot!


Cheers
André

Am 30.09.19 um 17:19 schrieb Sam Padgett:
You can get the public URL of console from the config map 
`console-public` in the `openshift-config-managed` namespace, key 
`consoleURL`. Let us know if this is what you need. Thanks!


Sam

On Mon, Sep 30, 2019 at 10:22 AM Andre Dietisheim <mailto:adiet...@redhat.com>> wrote:


Hi

In the Eclipse endpoint we face the following problem: We connect
to the
REST endpoint where we authenticate, deal with resources etc. Current
Eclipse tooling (which also deals with OS3) allows users to open the
web-ui in a browser. In OS4, how do we get the URL for the web-ui
given
the URL for the REST endpoint?

Any help appreciated, thanks!

Cheers
Andre

___
dev mailing list
dev@lists.openshift.redhat.com <mailto:dev@lists.openshift.redhat.com>
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev

___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev


Re: How to identify OpenShift v4?

2019-10-03 Thread Andre Dietisheim

Hi Gabe

great pointers, exactly what I needed, thanks a lot!

Cheers
Andre

Am 03.10.19 um 18:44 schrieb Gabe Montero:



On Thu, Oct 3, 2019 at 11:47 AM Andre Dietisheim <mailto:adiet...@redhat.com>> wrote:


Hi

Since the endpoint "/version/openshift" is gone, how can a client
library identify the OpenShift version it deals with?


I believe "/version" still exists, just not "/version/openshift".

Here is how the openshift jenkins login plugin does it:

https://github.com/openshift/jenkins-openshift-login-plugin/blob/master/src/main/java/org/openshift/jenkins/plugins/openshiftlogin/OpenShiftOAuth2SecurityRealm.java#L640-L678

Here is how `oc` does it:

https://github.com/openshift/oc/blob/master/pkg/cli/version/version.go#L109-L172
and
https://github.com/openshift/oc/blob/master/vendor/k8s.io/client-go/discovery/discovery_client.go#L407-L418

where you can see it going after /version


Thanks for your pointers!

Cheers
André


___
dev mailing list
dev@lists.openshift.redhat.com <mailto:dev@lists.openshift.redhat.com>
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev

___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev


How to identify OpenShift v4?

2019-10-03 Thread Andre Dietisheim

Hi

Since the endpoint "/version/openshift" is gone, how can a client 
library identify the OpenShift version it deals with?


Thanks for your pointers!

Cheers
André


___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev