Merge branch 'develop' into feat/EE-809/EE-466/kube-advanced-apps

2025-07-24 07:49:41 +02:00 · 2021-08-30 13:13:25 +12:00 · 2021-08-30 13:13:25 +12:00 · 0979e6ec8f
commit 0979e6ec8f
parent 840d65f578 0ac9d15667
97 changed files with 1155 additions and 314 deletions
--- a/api/http/handler/endpoints/endpoint_registries_list.go
+++ b/api/http/handler/endpoints/endpoint_registries_list.go
@ -10,7 +10,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/http/security"
-	endpointutils "github.com/portainer/portainer/api/internal/endpoint"
+	"github.com/portainer/portainer/api/internal/endpointutils"
 )

 // GET request on /endpoints/{id}/registries?namespace
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@ -48,8 +48,8 @@ type Handler struct {
 	EndpointGroupHandler   *endpointgroups.Handler
 	EndpointHandler        *endpoints.Handler
 	EndpointProxyHandler   *endpointproxy.Handler
-	FileHandler            *file.Handler
 	KubernetesHandler      *kubernetes.Handler
+	FileHandler            *file.Handler
 	MOTDHandler            *motd.Handler
 	RegistryHandler        *registries.Handler
 	ResourceControlHandler *resourcecontrols.Handler
--- a/api/http/handler/kubernetes/handler.go
+++ b/api/http/handler/kubernetes/handler.go
@ -1,28 +1,68 @@
 package kubernetes

 import (
+	"errors"
 	"net/http"

 	"github.com/gorilla/mux"
 	httperror "github.com/portainer/libhttp/error"
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/authorization"
+	"github.com/portainer/portainer/api/internal/endpointutils"
 	"github.com/portainer/portainer/api/kubernetes/cli"
 )

 // Handler is the HTTP handler which will natively deal with to external endpoints.
 type Handler struct {
 	*mux.Router
-	DataStore               portainer.DataStore
-	KubernetesClientFactory *cli.ClientFactory
+	dataStore               portainer.DataStore
+	kubernetesClientFactory *cli.ClientFactory
+	authorizationService    *authorization.Service
 }

 // NewHandler creates a handler to process pre-proxied requests to external APIs.
-func NewHandler(bouncer *security.RequestBouncer) *Handler {
+func NewHandler(bouncer *security.RequestBouncer, authorizationService *authorization.Service, dataStore portainer.DataStore, kubernetesClientFactory *cli.ClientFactory) *Handler {
 	h := &Handler{
-		Router: mux.NewRouter(),
+		Router:                  mux.NewRouter(),
+		dataStore:               dataStore,
+		kubernetesClientFactory: kubernetesClientFactory,
+		authorizationService:    authorizationService,
 	}
-	h.PathPrefix("/kubernetes/{id}/config").Handler(
+
+	kubeRouter := h.PathPrefix("/kubernetes/{id}").Subrouter()
+
+	kubeRouter.Use(bouncer.AuthenticatedAccess)
+	kubeRouter.Use(middlewares.WithEndpoint(dataStore.Endpoint(), "id"))
+	kubeRouter.Use(kubeOnlyMiddleware)
+
+	kubeRouter.PathPrefix("/config").Handler(
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.getKubernetesConfig))).Methods(http.MethodGet)
+
+	// namespaces
+	// in the future this piece of code might be in another package (or a few different packages - namespaces/namespace?)
+	// to keep it simple, we've decided to leave it like this.
+	namespaceRouter := kubeRouter.PathPrefix("/namespaces/{namespace}").Subrouter()
+	namespaceRouter.Handle("/system", bouncer.RestrictedAccess(httperror.LoggerHandler(h.namespacesToggleSystem))).Methods(http.MethodPut)
+
 	return h
 }
+
+func kubeOnlyMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, request *http.Request) {
+		endpoint, err := middlewares.FetchEndpoint(request)
+		if err != nil {
+			httperror.WriteError(rw, http.StatusInternalServerError, "Unable to find an endpoint on request context", err)
+			return
+		}
+
+		if !endpointutils.IsKubernetesEndpoint(endpoint) {
+			errMessage := "Endpoint is not a kubernetes endpoint"
+			httperror.WriteError(rw, http.StatusBadRequest, errMessage, errors.New(errMessage))
+			return
+		}
+
+		next.ServeHTTP(rw, request)
+	})
+}
--- a/api/http/handler/kubernetes/kubernetes_config.go
+++ b/api/http/handler/kubernetes/kubernetes_config.go
@ -39,7 +39,7 @@ func (handler *Handler) getKubernetesConfig(w http.ResponseWriter, r *http.Reque
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
 	}

-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	endpoint, err := handler.dataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
 	if err == bolterrors.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
 	} else if err != nil {
@ -56,7 +56,7 @@ func (handler *Handler) getKubernetesConfig(w http.ResponseWriter, r *http.Reque
 		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
 	}

-	cli, err := handler.KubernetesClientFactory.GetKubeClient(endpoint)
+	cli, err := handler.kubernetesClientFactory.GetKubeClient(endpoint)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create Kubernetes client", err}
 	}
--- a/api/http/handler/kubernetes/namespaces_toggle_system.go
+++ b/api/http/handler/kubernetes/namespaces_toggle_system.go
@ -0,0 +1,65 @@
+package kubernetes
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	"github.com/portainer/portainer/api/http/middlewares"
+)
+
+type namespacesToggleSystemPayload struct {
+	// Toggle the system state of this namespace to true or false
+	System bool `example:"true"`
+}
+
+func (payload *namespacesToggleSystemPayload) Validate(r *http.Request) error {
+	return nil
+}
+
+// @id KubernetesNamespacesToggleSystem
+// @summary Toggle the system state for a namespace
+// @description  Toggle the system state for a namespace
+// @description **Access policy**: administrator or endpoint admin
+// @security jwt
+// @tags kubernetes
+// @accept json
+// @param id path int true "Endpoint identifier"
+// @param namespace path string true "Namespace name"
+// @param body body namespacesToggleSystemPayload true "Update details"
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 404 "Endpoint not found"
+// @failure 500 "Server error"
+// @router /kubernetes/{id}/namespaces/{namespace}/system [put]
+func (handler *Handler) namespacesToggleSystem(rw http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpoint, err := middlewares.FetchEndpoint(r)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint on request context", err}
+	}
+
+	namespaceName, err := request.RetrieveRouteVariableValue(r, "namespace")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid namespace identifier route variable", err}
+	}
+
+	var payload namespacesToggleSystemPayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	kubeClient, err := handler.kubernetesClientFactory.GetKubeClient(endpoint)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create kubernetes client", err}
+	}
+
+	err = kubeClient.ToggleSystemState(namespaceName, payload.System)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to toggle system status", err}
+	}
+
+	return response.Empty(rw)
+
+}
--- a/api/http/handler/websocket/shell_pod.go
+++ b/api/http/handler/websocket/shell_pod.go
@ -86,17 +86,12 @@ func (handler *Handler) websocketShellPodExec(w http.ResponseWriter, r *http.Req
 		return nil
 	}

-	serviceAccountToken, isAdminToken, err := handler.getToken(r, endpoint, false)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to get user service account token", err}
-	}
-
 	handlerErr := handler.hijackPodExecStartOperation(
 		w,
 		r,
 		cli,
-		serviceAccountToken,
-		isAdminToken,
+		"",
+		true,
 		endpoint,
 		shellPod.Namespace,
 		shellPod.PodName,
--- a/api/http/middlewares/endpoint.go
+++ b/api/http/middlewares/endpoint.go
@ -0,0 +1,58 @@
+package middlewares
+
+import (
+	"context"
+	"errors"
+	"net/http"
+
+	"github.com/gorilla/mux"
+	httperror "github.com/portainer/libhttp/error"
+	requesthelpers "github.com/portainer/libhttp/request"
+	portainer "github.com/portainer/portainer/api"
+	bolterrors "github.com/portainer/portainer/api/bolt/errors"
+)
+
+const (
+	contextEndpoint = "endpoint"
+)
+
+func WithEndpoint(endpointService portainer.EndpointService, endpointIDParam string) mux.MiddlewareFunc {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(rw http.ResponseWriter, request *http.Request) {
+			if endpointIDParam == "" {
+				endpointIDParam = "id"
+			}
+
+			endpointID, err := requesthelpers.RetrieveNumericRouteVariableValue(request, endpointIDParam)
+			if err != nil {
+				httperror.WriteError(rw, http.StatusBadRequest, "Invalid endpoint identifier route variable", err)
+				return
+			}
+
+			endpoint, err := endpointService.Endpoint(portainer.EndpointID(endpointID))
+			if err != nil {
+				statusCode := http.StatusInternalServerError
+
+				if err == bolterrors.ErrObjectNotFound {
+					statusCode = http.StatusNotFound
+				}
+				httperror.WriteError(rw, statusCode, "Unable to find an endpoint with the specified identifier inside the database", err)
+				return
+			}
+
+			ctx := context.WithValue(request.Context(), contextEndpoint, endpoint)
+
+			next.ServeHTTP(rw, request.WithContext(ctx))
+
+		})
+	}
+}
+
+func FetchEndpoint(request *http.Request) (*portainer.Endpoint, error) {
+	contextData := request.Context().Value(contextEndpoint)
+	if contextData == nil {
+		return nil, errors.New("Unable to find endpoint data in request context")
+	}
+
+	return contextData.(*portainer.Endpoint), nil
+}
--- a/api/http/server.go
+++ b/api/http/server.go
@ -26,7 +26,7 @@ import (
 	"github.com/portainer/portainer/api/http/handler/endpointproxy"
 	"github.com/portainer/portainer/api/http/handler/endpoints"
 	"github.com/portainer/portainer/api/http/handler/file"
-	kube "github.com/portainer/portainer/api/http/handler/kubernetes"
+	kubehandler "github.com/portainer/portainer/api/http/handler/kubernetes"
 	"github.com/portainer/portainer/api/http/handler/motd"
 	"github.com/portainer/portainer/api/http/handler/registries"
 	"github.com/portainer/portainer/api/http/handler/resourcecontrols"
@ -160,11 +160,9 @@ func (server *Server) Start() error {
 	endpointProxyHandler.ProxyManager = server.ProxyManager
 	endpointProxyHandler.ReverseTunnelService = server.ReverseTunnelService

-	var fileHandler = file.NewHandler(filepath.Join(server.AssetsPath, "public"))
+	var kubernetesHandler = kubehandler.NewHandler(requestBouncer, server.AuthorizationService, server.DataStore, server.KubernetesClientFactory)

-	var kubernetesHandler = kube.NewHandler(requestBouncer)
-	kubernetesHandler.DataStore = server.DataStore
-	kubernetesHandler.KubernetesClientFactory = server.KubernetesClientFactory
+	var fileHandler = file.NewHandler(filepath.Join(server.AssetsPath, "public"))

 	var motdHandler = motd.NewHandler(requestBouncer)

@ -244,8 +242,8 @@ func (server *Server) Start() error {
 		EndpointHandler:        endpointHandler,
 		EndpointEdgeHandler:    endpointEdgeHandler,
 		EndpointProxyHandler:   endpointProxyHandler,
-		FileHandler:            fileHandler,
 		KubernetesHandler:      kubernetesHandler,
+		FileHandler:            fileHandler,
 		MOTDHandler:            motdHandler,
 		RegistryHandler:        registryHandler,
 		ResourceControlHandler: resourceControlHandler,