allow console to listen on ipv6 (#781)

also converge tls-host and host, because hostnames
have nothing to do with HTTP or HTTPs they are the
same for both HTTP and HTTPs. Deprecating the
older flag `--tls-host` but it will still be honored
as hidden flag.

Author: harshavardhana

cmd/console/server.go

@@ -23,6 +23,7 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"strconv"
 	"time"
 
 	"github.com/go-openapi/loads"
@@ -38,32 +39,37 @@ var serverCmd = cli.Command{
 	Name:    "server",
 	Aliases: []string{"srv"},
 	Usage:   "starts Console server",
-	Action:  startServer,
+	Action:  StartServer,
 	Flags: []cli.Flag{
 		cli.StringFlag{
 			Name:  "host",
 			Value: restapi.GetHostname(),
-			Usage: "HTTP server hostname",
+			Usage: "hostname",
 		},
 		cli.IntFlag{
 			Name:  "port",
 			Value: restapi.GetPort(),
-			Usage: "HTTP Server port",
+			Usage: "HTTP port",
 		},
+		// This is kept here for backward compatibility,
+		// hostname's do not have HTTP or HTTPs
+		// hostnames are opaque so using --host
+		// works for both HTTP and HTTPS setup.
 		cli.StringFlag{
-			Name:  "tls-host",
-			Value: restapi.GetTLSHostname(),
-			Usage: "HTTPS server hostname",
+			Name:   "tls-host",
+			Value:  restapi.GetHostname(),
+			Usage:  "HTTPS hostname",
+			Hidden: true,
 		},
 		cli.IntFlag{
 			Name:  "tls-port",
 			Value: restapi.GetTLSPort(),
-			Usage: "HTTPS server port",
+			Usage: "HTTPS port",
 		},
 		cli.StringFlag{
 			Name:  "tls-redirect",
 			Value: restapi.GetTLSRedirect(),
-			Usage: "HTTPS redirect by default",
+			Usage: "toggle HTTP->HTTPS redirect",
 		},
 		cli.StringFlag{
 			Name:  "certs-dir",
@@ -73,23 +79,23 @@ var serverCmd = cli.Command{
 		cli.StringFlag{
 			Name:  "tls-certificate",
 			Value: "",
-			Usage: "path tls certificate",
+			Usage: "path to TLS public certificate",
 		},
 		cli.StringFlag{
 			Name:  "tls-key",
 			Value: "",
-			Usage: "path tls key",
+			Usage: "path to TLS private key",
 		},
 		cli.StringFlag{
 			Name:  "tls-ca",
 			Value: "",
-			Usage: "path tls ca",
+			Usage: "path to TLS Certificate Authority",
 		},
 	},
 }
 
-// starts the controller
-func startServer(ctx *cli.Context) error {
+// StartServer starts the console service
+func StartServer(ctx *cli.Context) error {
 	swaggerSpec, err := loads.Embedded(restapi.SwaggerJSON, restapi.FlatSwaggerJSON)
 	if err != nil {
 		log.Fatalln(err)
@@ -126,7 +132,7 @@ func startServer(ctx *cli.Context) error {
 	server.Port = ctx.Int("port")
 
 	restapi.Hostname = ctx.String("host")
-	restapi.Port = fmt.Sprintf("%v", ctx.Int("port"))
+	restapi.Port = strconv.Itoa(ctx.Int("port"))
 
 	// Set all certs and CAs directories path
 	certs.GlobalCertsDir, _ = certs.NewConfigDirFromCtx(ctx, "certs-dir", certs.DefaultCertsDir.Get)
@@ -139,26 +145,28 @@ func startServer(ctx *cli.Context) error {
 	// load the certificates and the CAs
 	restapi.GlobalRootCAs, restapi.GlobalPublicCerts, restapi.GlobalTLSCertsManager = certs.GetAllCertificatesAndCAs()
 
-	// TLS flags from swagger server, used to support older versions of minio-operator
-	swaggerServerCertificate := ctx.String("tls-certificate")
-	swaggerServerCertificateKey := ctx.String("tls-key")
-	SwaggerServerCACertificate := ctx.String("tls-ca")
-	// load tls cert and key from swagger server tls-certificate and tls-key flags
-	if swaggerServerCertificate != "" && swaggerServerCertificateKey != "" {
-		if errAddCert := certs.AddCertificate(context.Background(), restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); errAddCert != nil {
-			log.Println(errAddCert)
-		}
-		if x509Certs, errParseCert := certs.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil {
-			if len(x509Certs) > 0 {
-				restapi.GlobalPublicCerts = append(restapi.GlobalPublicCerts, x509Certs[0])
+	{
+		// TLS flags from swagger server, used to support VMware vsphere operator version.
+		swaggerServerCertificate := ctx.String("tls-certificate")
+		swaggerServerCertificateKey := ctx.String("tls-key")
+		SwaggerServerCACertificate := ctx.String("tls-ca")
+		// load tls cert and key from swagger server tls-certificate and tls-key flags
+		if swaggerServerCertificate != "" && swaggerServerCertificateKey != "" {
+			if errAddCert := certs.AddCertificate(context.Background(),
+				restapi.GlobalTLSCertsManager, swaggerServerCertificate, swaggerServerCertificateKey); errAddCert != nil {
+				log.Println(errAddCert)
+			}
+			if x509Certs, errParseCert := certs.ParsePublicCertFile(swaggerServerCertificate); errParseCert == nil {
+				restapi.GlobalPublicCerts = append(restapi.GlobalPublicCerts, x509Certs...)
 			}
 		}
-	}
-	// load ca cert from swagger server tls-ca flag
-	if SwaggerServerCACertificate != "" {
-		caCert, caCertErr := ioutil.ReadFile(SwaggerServerCACertificate)
-		if caCertErr == nil {
-			restapi.GlobalRootCAs.AppendCertsFromPEM(caCert)
+
+		// load ca cert from swagger server tls-ca flag
+		if SwaggerServerCACertificate != "" {
+			caCert, caCertErr := ioutil.ReadFile(SwaggerServerCACertificate)
+			if caCertErr == nil {
+				restapi.GlobalRootCAs.AppendCertsFromPEM(caCert)
+			}
 		}
 	}
 
@@ -170,7 +178,7 @@ func startServer(ctx *cli.Context) error {
 		server.TLSHost = ctx.String("tls-host")
 		// Need to store tls-port, tls-host un config variables so secure.middleware can read from there
 		restapi.TLSPort = fmt.Sprintf("%v", ctx.Int("tls-port"))
-		restapi.TLSHostname = ctx.String("tls-host")
+		restapi.Hostname = ctx.String("host")
 		restapi.TLSRedirect = ctx.String("tls-redirect")
 	}
 

restapi/config.go

@@ -18,8 +18,8 @@ package restapi
 
 import (
 	"crypto/x509"
-	"fmt"
 	"io/ioutil"
+	"net"
 	"strconv"
 	"strings"
 	"sync"
@@ -34,10 +34,10 @@ var (
 	Port = "9090"
 
 	// Hostname console hostname
-	Hostname = "0.0.0.0"
-
-	// TLSHostname console tls hostname
-	TLSHostname = "0.0.0.0"
+	// avoid listening on 0.0.0.0 by default
+	// instead listen on all IPv4 and IPv6
+	// - Hostname should be empty.
+	Hostname = ""
 
 	// TLSPort console tls port
 	TLSPort = "9443"
@@ -116,7 +116,7 @@ func GetPort() int {
 // GetTLSHostname gets console tls hostname set on env variable
 // or default one
 func GetTLSHostname() string {
-	return strings.ToLower(env.Get(ConsoleTLSHostname, TLSHostname))
+	return strings.ToLower(env.Get(ConsoleTLSHostname, Hostname))
 }
 
 // GetTLSPort gets console tls port set on env variable
@@ -186,7 +186,7 @@ func getSecureHostsProxyHeaders() []string {
 
 // TLSHost is the host name that is used to redirect HTTP requests to HTTPS. Default is "", which indicates to use the same host.
 func getSecureTLSHost() string {
-	return env.Get(ConsoleSecureTLSHost, fmt.Sprintf("%s:%s", TLSHostname, TLSPort))
+	return env.Get(ConsoleSecureTLSHost, net.JoinHostPort(Hostname, TLSPort))
 }
 
 // STSSeconds is the max-age of the Strict-Transport-Security header. Default is 0, which would NOT include the header.